Re-arranging the p12 command to follow the standard:
- In file
- out file
Followed by
- Conditional: -nokeys
- Unconditional: -inkey file
This is a reminder that '-inkey' is subordinate to '-nokeys' but
is ALWAYS required.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The current export functions only allow use on a complete PKI, with CA.
This change allows the following:
* Server - Export P12/P7 without client key
* Client - Export P12/P7 without CA, P8/P1 without PKI
Due to the relative obscurity of the command options 'noca' and 'nokey',
exporting P12/P7 with incorrect options can be adjusted on-the-fly with
confirmation from the user.
Correct behaviour of export-p1 with OpenSSL v3 by using -legacy option.
Otherwise, OpenSSL v3 outputs a PKCS#8 format file.
Minor improvements to comments.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This applies to all direct calls using EASYRSA_OPENSSL (Default: 'openssl'),
which bypass using easyrsa_openssl() wrapper function.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Variable 'has_config' was a way to minimize the need to fully expand the
SSL config file (ENV:OPENSSL_CONF) for use by LibreSSL, i.e. only expand
the SSL config file when the SSL command requires a config file.
LibreSSL Always requires the config file to be expanded, even when it
is Not used.
OpenSSL Never requires the config file to be expanded.
Changes follow.
The first part:
* Disable expanding the SSL config file for OpenSSL.
* Require expanding the SSL config file for LibreSSL.
LibreSSL will use the run-once mechanism to expand the SSL config file.
The second part:
Replace the use of SSL option '-config', by Always configuring the SSL
environment variable OPENSSL_CONF to point to the Easy-RSA generated
config file. This is supported by LibreSSL and OpenSSL.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
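A worked illustration of the two parts of the change above, added here as example code rather than Easy-RSA's own script. It assumes that "expanding" the config means replacing every `$ENV::NAME` reference in the template with the literal value of NAME (which LibreSSL cannot resolve itself), that the flavour is taken from the first word of the `version` output, and that the file names `openssl-easyrsa.cnf` and `safessl-easyrsa.cnf` are placeholders.

```shell
#!/bin/sh
# Added example, not Easy-RSA code. Assumption: LibreSSL needs "$ENV::NAME"
# references expanded into literal values; OpenSSL resolves them itself.

# Return 0 when the version string names LibreSSL (expansion required),
# 1 for OpenSSL (template is usable as-is).
ssl_needs_expanded_conf() {
    case "$1" in
        LibreSSL*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Run-once expansion: copy template $1 to $2, replacing each $ENV::NAME with
# the value of NAME from the environment. Skipped if $2 already exists.
# Limitation: values containing '|' are not supported by this sed script.
expand_ssl_conf() {
    template="$1"; target="$2"
    [ -f "$target" ] && return 0
    script=$(mktemp) || return 1
    # Reverse sort so EASYRSA_PKI_DIR is replaced before its prefix EASYRSA_PKI.
    for ref in $(grep -o '\$ENV::[A-Za-z_][A-Za-z0-9_]*' "$template" | sort -ru); do
        name=${ref#\$ENV::}
        eval "value=\${$name:-}"
        printf 's|\\$ENV::%s|%s|g\n' "$name" "$value" >> "$script"
    done
    sed -f "$script" "$template" > "$target"
    rc=$?
    rm -f "$script"
    return $rc
}

# Print the path the wrapper should hand to the binary via OPENSSL_CONF:
# the template for OpenSSL, the expanded copy for LibreSSL. No '-config'.
easyrsa_ssl_conf_path() {
    version="$1"; template="$2"; expanded="$3"
    if ssl_needs_expanded_conf "$version"; then
        expand_ssl_conf "$template" "$expanded" || return 1
        printf '%s\n' "$expanded"
    else
        printf '%s\n' "$template"
    fi
}

# Constructed sample run: a minimal template in a scratch directory.
demo_dir=$(mktemp -d)
printf '[ ca ]\ndir = $ENV::EASYRSA_PKI\n' > "$demo_dir/openssl-easyrsa.cnf"
EASYRSA_PKI="$demo_dir/pki"; export EASYRSA_PKI
OPENSSL_CONF=$(easyrsa_ssl_conf_path "LibreSSL 3.8.2" \
    "$demo_dir/openssl-easyrsa.cnf" "$demo_dir/safessl-easyrsa.cnf")
export OPENSSL_CONF   # "$EASYRSA_OPENSSL" req ... now reads this file
```

With OPENSSL_CONF exported, every direct `"$EASYRSA_OPENSSL"` call picks up the same config without a per-command `-config` option, on either flavour.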
Otherwise, unrecognised commands trigger missing PKI and CA errors,
instead of the correct 'unrecognised command' error.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Set run-once after the if condition; otherwise Forced execution does not
set run-once.
Use "local" variable 'makesafeconf' to force a new safe ssl config.
Remove variable require_safe_ssl_conf, partially replaced by makesafeconf.
Add 'make-safe-ssl' command to the list which does not require a CA.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Move extension data preparation to before printing extension temp-file.
This allows the { extensions output command group } to always complete,
without error.
Consolidate create_x509_type_*() functions in one single function.
create_x509_type_easyrsa() remains as a separate function.
This file does not exist in x509-types directory. It is similar to the
COMMON x509-type; The details are the common extensions shared by x509
types: serverClient, server and client. Not suitable for x509-type ca.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Problem:
EasyRSA uses SSL CA command parameter '-serial $serial_number',
to check if a serial-number exists within the database.
The primary function of the SSL CA command parameter '-serial'
is to check if a certificate is Valid or has been Revoked.
EasyRSA abuses the SSL output to infer that a serial-number must
be unique because that output contains the text 'not present in db'.
SSL CA command parameter '-serial' ALWAYS returns an error,
regardless of whatever check it does. Likely, an SSL bug.
As a step in the right direction:
To ease this needless headache, expose the unique, random
serial-number check to the command line.
This helps to understand what is going on under-the-hood.
The command 'sign-req' remains the same; except the unique, random
serial-number check is moved to a separate, stand-alone function,
which is also exposed to the command line for validation.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>