Since EasyRSA version 3.1 there is a NEW insert-marker for X509 type 'ca'.
* New insert-marker: '^#%CA_X509_TYPES_EXTRA_EXTS%' [BRE]
This is only required to build a new CA or Sub-CA. However, without this
check, an old version of openssl-easyrsa.cnf will silently FAIL to include
the X509 types for 'ca' and 'COMMON', when building a new CA.
EasyRSA 'init-pki soft' does leave 'openssl-easyrsa.cnf' in place, which
means that this is a known possible failure.
For consistency, check for All EasyRSA insert-markers, when used.
* Standard insert-markers: '^#%EXTRA_EXTS%' and '^#%COPY_EXTS%' [BRE]
Tested manually.
Closes: #693
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
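As an added illustration of the check described in this commit (this is not EasyRSA's own code): a small POSIX shell function that greps an openssl-easyrsa.cnf for the insert-markers using the same BRE patterns the commit names, and requires the 'ca' marker only when a CA or Sub-CA is going to be built. The two sample config fragments are constructed here to show a post-3.1 file passing and an older file failing; they are not real EasyRSA config files.

```shell
#!/bin/sh
# Added example, not part of easy-rsa. Verifies that an openssl-easyrsa.cnf
# carries the insert-markers EasyRSA expects, using the BRE patterns from the
# commit message: '^#%EXTRA_EXTS%', '^#%COPY_EXTS%' and, for CA builds,
# '^#%CA_X509_TYPES_EXTRA_EXTS%'.

# Constructed sample: cnf fragment with all three markers (post-3.1 layout).
SAMPLE_NEW='[ easyrsa_ca ]
#%CA_X509_TYPES_EXTRA_EXTS%
[ easyrsa_cert ]
#%COPY_EXTS%
#%EXTRA_EXTS%'

# Constructed sample: older cnf fragment that lacks the CA marker, so a
# CA build would silently miss the 'ca' and 'COMMON' X509 types.
SAMPLE_OLD='[ easyrsa_cert ]
#%COPY_EXTS%
#%EXTRA_EXTS%'

# check_markers FILE [ca]
# Exit status 0 when every required marker is present, 1 otherwise.
# The standard markers are always required; pass 'ca' as the second
# argument to also require the CA X509-types marker.
check_markers() {
    f="$1"; need_ca="$2"; rc=0
    for marker in '^#%EXTRA_EXTS%' '^#%COPY_EXTS%'; do
        grep -q "$marker" "$f" || { echo "missing marker: $marker" >&2; rc=1; }
    done
    if [ "$need_ca" = ca ]; then
        grep -q '^#%CA_X509_TYPES_EXTRA_EXTS%' "$f" \
            || { echo "missing marker: ^#%CA_X509_TYPES_EXTRA_EXTS%" >&2; rc=1; }
    fi
    return "$rc"
}

# Write the constructed samples to a scratch directory (hypothetical paths).
tmpd=$(mktemp -d)
printf '%s\n' "$SAMPLE_NEW" > "$tmpd/new.cnf"
printf '%s\n' "$SAMPLE_OLD" > "$tmpd/old.cnf"

# Usage: a cert-only check passes on both files; a CA check passes only on
# the new layout.
check_markers "$tmpd/new.cnf" ca   && echo "new.cnf: ok for CA build"
check_markers "$tmpd/old.cnf"      && echo "old.cnf: ok for cert build"
check_markers "$tmpd/old.cnf" ca   || echo "old.cnf: NOT ok for CA build"
```

Run it against the 'openssl-easyrsa.cnf' left in place by 'init-pki soft' before building a new CA: an exit status of 1 is the case this commit turns from a silent omission into a hard failure.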
Document the various EasyRSA version differences of renewal and revocation.
Closes: #626
Author's comment:
It has taken good luck, hard work and co-operation to save
EasyRSA "renewal and revocation".
I am pleased to have provided the solution presented here.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The extensions temp-file is part of the session temp-dir and is otherwise
removed by cleanup() on successful completion.
Part-of: #667
Closes: #676
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Due to my previous misunderstanding of the intended use of --req-cn,
it is no longer possible to set commonName for command gen-req.
Ref: #524 #456
This commit restores v30x series behavior:
* --req-cn can only be used in batch mode.
* --req-cn can only be used by commands build-ca and gen-req.
* SSL layer prompts are restored to original behavior.
Important: The use of internal batch mode is no longer required
for command sign_req(), when called by build_full(). This code
has been disabled but remains in place. This is a considerable
change under the hood but there is no user observable difference.
Also, minor improvements to help and EasyRSA-Advanced.md
Tested manually and thoroughly.
Closes: #668
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Option alias '--days=NUMBER' can now be used for all other options which
indicate a validity period.
* Option: --days
This global option is an alias for one of the following:
* Expiry days for a new CA.
eg: '--days=3650 build-ca'
* Expiry days for new/renewed certificate.
eg: '--days=1095 renew server'
* Expiry days for certificate revocation list.
eg: '--days=180 gen-crl'
* Cutoff days for commands: show-expire or renewable.
eg: '--days=90 show-expire'
The alias '--days' is now ONLY applied to the variable which requires it.
eg: If building a certificate then the appropriate variable for that type
is set. The other possible uses are not set by the same use.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
--keep-tmp=NAME : Keep the original temporary session by name: NAME
NAME is a sub-directory of the dir declared by --tmp-dir
This option ALWAYS over-writes a sub-dir of the same name.
Closes: #610
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Locate existing x509-types directory, after sourcing vars.
If vars is set incorrectly then this WILL over-ride vars.
Closes: #654
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
commit 5e9609873a01dd358e3a4c6928fc553e5257d8ea
Merge: ed54b1a 42bfae4
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sun Aug 28 14:44:13 2022 +0100
Merge branch 'subca-default-cn' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-subca-default-cn
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 42bfae4673996307107964be0fc8b15883072d31
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sat Aug 27 13:20:41 2022 +0100
build-ca: Assign default sub-CA commonName and enable SSL interactive
When building a CA/SubCA, if a commonName has not been assigned by --req-cn
then assign a default commonName, of either:
* 'Easy-RSA CA' or 'Easy-RSA Sub-CA'.
If a default commonName has been assigned then use SSL interactive mode
to edit/confirm each of the subject fields individually. Otherwise, use
EasyRSA to confirm all of the subject fields with a single prompt.
Closes: #659
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Make find_x509_types_dir() a stand-alone function.
When calling usage(), find_x509_types_dir() can be a soft fail.
When x509-types directory is required, this function is a hard fail.
This also simplifies install_data_to_pki(), because x509-types do not
need to be installed in the PKI.
Closes: #654
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Note: --req-cn can only be used when building a CA/subCA.
When building All other certificates --req-cn is not honoured.
Reported-in: #659
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>