Ensure that file-names which are derived from serial-numbers
are declared after the serial-number has been extracted.
Move confirmation prompts to the last point before action.
Correct and improve #comments, "prompts" and "error messages".
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
When easyrsa "renews" a certificate, the current certificate is moved
to a sub-directory for renewed certificates and renamed to the serial
number of the certificate.
This makes it difficult to subsequently revoke the old certificate.
The new behaviour is for easyrsa to move the certificate without
renaming the file. This means the certificate can be revoked by name.
Once a renewed certificate is revoked, it is moved to the 'revoked'
sub-directory, along with all other revoked certificates.
The same mechanism also manages keys, requests, PKCS and inline files.
Behaviour summary:
* revoke moves certificates to 'revoked' - Unchanged
  Rename the certificate to its serial number - Unchanged
* renew moves certificates to 'renewed' - Unchanged
  renew does not rename the certificate to its serial number - Changed
  Important:
  Only one certificate of a specific name (eg. john) can be renewed
  at the same time.
  To renew another certificate called 'john' the first MUST be revoked.
* revoke-renewed:
  takes the certificate from 'renewed' - Changed
  moves the certificate to 'revoked' - Changed
  renames the certificate to its serial number - Unchanged
* All revoked certificates are moved to the 'revoked' sub-directory.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Plus a minor correction to white-space.
Closes: #411
Original commit:
commit e93af47b0112b13e221a1bf28d36afaf5f5719df
Author: itaru2622 <itaru2622@gmaiil.com>
Date: Wed Oct 7 20:47:26 2020 +0900
supporting nopass option for export-p12
usage:
easyrsa export-p12 EntityName nopass
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Move the 'fi' below the output, restore old behaviour.
Minor improvements to readability:
* Make "No Safe SSL config-file" the default.
OpenSSL does not require a "Safe" config-file, only LibreSSL does.
Change from $no_safe_ssl_conf to $require_safe_ssl_conf.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
EasyRSA requires the output of the 'rand' command, not a file.
When EASYRSA_DEBUG is enabled the debug output interferes with
easyrsa random requirements.
Also, disable using easyrsa_openssl() for rand.
Also, always die on SSL errors for random number generation.
Also, minor improvements to error messages.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Add new 'date' test to identify a working command.
Also:
Remove the '-n' "no clobber" option from 'cp' in install_data_to_pki().
Rely on the shell to determine if 'vars' exists.
Closes: #543
Also:
Correctly quote related expansions.
Also:
Minor improvements to host detection.
Unit test completed on Alpine Linux with Busybox v1.34.1
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
$EASYRSA_DEBUG must be deliberately set outside of easyrsa.
'--verbose' mode was a bad hack.
$EASYRSA_DEBUG is also broken from the start but it is the simplest way
to verify what data is being fed to SSL.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
In the context of 'vars-setup', install_data_to_pki() will only copy
the example vars file to a live vars file in the event that no other
vars file exists. This final check will never over-write vars file
which is in the PKI.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The only option which is not SSL version independent is:
-nodes (version 1)
-noenc (version 3)
This is managed via $no_password, which is set by verify_ssl_lib().
* Use SSL 'genpkey' to create All CA private keys.
'genpkey' options are SSL version independent.
* Use SSL 'req' to create All CA certificate/key pairs.
'req' options are SSL version independent.
* Replace $opts, $crypto and $crypto_opts with individual variables
for each purpose.
* '$opts' usage:
-x509 - Replaced by $x509
-date - Replaced by $date_stamp ($date would be too common)
-batch - Replaced by $ssl_batch
* '$crypto' usage:
-aes256 - Replaced by $cipher
* '$crypto_opts' usage:
-aes256 - Replaced by $cipher (2nd layer of unnecessary complexity)
-nodes/-noenc - Replaced by $no_password
* Additional variable $digest for SSL 'req' - Defaults to '-sha256'
Insert $EASYRSA_EXTRA_EXTS into the config file along with x509-types
files 'ca' and COMMON. Replaces the previous method of passing SSL
option '-addext foo:bar' directly to SSL command.
Create new EasyRSA option '--verbose'. This prints the command passed
to the SSL library by easyrsa_openssl().
Add a shellcheck directive to install_data_to_pki().
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
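The pattern this commit describes, and the 'rand' commit further up, can be shown in a few lines of portable sh: select the one SSL-version-dependent option (-nodes vs -noenc) once from the library banner, keep every other flag in its own variable, build the CA key/certificate pair with 'req' only, and keep debug chatter on stderr so command substitution of 'openssl rand' output stays clean. This is an added example, not EasyRSA's own code; the function names select_no_password_opt, debug_msg, random_hex and make_ca, and the version banners used in the comments, are this example's assumptions.

```shell
#!/bin/sh
# Added example (not EasyRSA's code): SSL-version-independent CA creation.

# The only option that differs between OpenSSL 1.x and 3.x:
#   OpenSSL 3.x          -> -noenc
#   OpenSSL 1.x/LibreSSL -> -nodes
# Takes the banner printed by 'openssl version' as $1.
select_no_password_opt() {
    case "$1" in
        OpenSSL\ 3.*) echo '-noenc' ;;
        *)            echo '-nodes' ;;
    esac
}

# Debug output must never reach stdout: callers capture stdout with $(...).
debug_msg() {
    [ -n "$EASYRSA_DEBUG" ] && printf '%s\n' "DEBUG: $*" >&2
    return 0
}

# Return (on stdout) the hex output of 'openssl rand', nothing else.
# Dies on any SSL error instead of silently returning an empty string.
random_hex() {
    bytes="${1:-16}"
    debug_msg "openssl rand -hex $bytes"
    out=$(openssl rand -hex "$bytes" 2>/dev/null) || {
        echo 'random number generation failed' >&2
        return 1
    }
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Build a self-signed CA key/cert pair in directory $1 using only 'req'
# options that are identical across SSL versions, plus $no_password.
make_ca() {
    dir="$1"
    no_password=$(select_no_password_opt "$(openssl version)")
    x509='-x509'          # was '-x509' inside $opts
    ssl_batch='-batch'    # was '-batch' inside $opts
    digest='-sha256'      # new $digest default
    serial=$(random_hex 16) || return 1
    debug_msg "req $ssl_batch $x509 $no_password $digest (serial $serial)"
    # shellcheck disable=SC2086  (deliberate word splitting of option vars)
    openssl req $ssl_batch $x509 $no_password $digest \
        -newkey rsa:2048 -days 365 \
        -subj '/CN=Example CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    printf '%s\n' "$serial" > "$dir/serial"
}

# Run end-to-end only when an SSL library is actually installed.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    if make_ca "$tmp"; then
        openssl x509 -in "$tmp/ca.crt" -noout -subject
    fi
    rm -rf "$tmp"
fi
```

With EASYRSA_DEBUG set, the commands still print only the random value on stdout because debug_msg writes to stderr; that is the property the 'rand' commit relies on.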