Option alias '--days=NUMBER' can now be used for all other options which
indicate a validity period.
* Option: --days
This global option is an alias for one of the following:
* Expiry days for a new CA.
eg: '--days=3650 build-ca'
* Expiry days for new/renewed certificate.
eg: '--days=1095 renew server'
* Expiry days for certificate revokation list.
eg: '--days=180 gen-crl'
* Cutoff days for commands: show-expire or renewable.
eg: '--days=90 show-expire'"
The alias '--days' is now ONLY applied to the variable which requires it.
eg: If building a certificate then the appropriate variable for that type
is set. The other possible uses are not set by the same use.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Locate existing x509-types directory, after sourcing vars.
If vars is set incorrectly then this WILL over-ride vars.
Closes: #654
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
commit 5e9609873a01dd358e3a4c6928fc553e5257d8ea
Merge: ed54b1a 42bfae4
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sun Aug 28 14:44:13 2022 +0100
Merge branch 'subca-default-cn' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-subca-default-cn
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 42bfae4673996307107964be0fc8b15883072d31
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sat Aug 27 13:20:41 2022 +0100
build-ca: Assign default sub-CA commonName and enable SSL interactive
When building a CA/SubCA, if a commonName has not been assigned by --req-cn
then assign a default commonName, of either:
* 'Easy-RSA CA' or 'Easy-RSA Sub-CA'.
If a default commonName has been assigned then use SSL interactive mode
to edit/confirm each of the subject fields individually. Otherwise, use
EasyRSA to confirm all of the subject fields with a single prompt.
Closes: #659
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Make find_x509_types_dir() a stand alone function.
When calling usage(), find_x509_types_dir() can be a soft fail.
When x509-types directory is required, this function is a hard fail.
This also simplifies install_data_to_pki(), because x509-types do not
need to be installed in the PKI.
Closes: #654
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Note: --req-cn can only be used when building a CA/subCA.
When building All other certificates --req-cn is not honoured.
Reported-in: #659
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Processing vars at init-pki was intentionally kept to minimum, due to
complications with user expectations verses Easy-RSA preferences.
This overhaul aims to finalise Easy-RSA interference with vars.
1. Prefer that vars is in the PKI but only force that at init-pki,
when no other vars files can be found. Otherwise, do not create a
template vars and leave it to the user, with appropriate messages.
2. Fail all commands, except init-pki, if more than one vars exists.
3. Take special care of 'init-pki soft'.
4. For existing PKIs, be aware that vars may NOT exist.
This patch is less complicated than it appears to be.
Most of the changes are either comments or user messages.
There are some new state flags to manage the location of vars,
which are used to decide when a new vars is created and control
user messages.
Closes: #651
New message for "Using x509-types directory: $EASYRSA_EXT_DIR"
Closes: #654
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Since the introduction of 'escape_hazard()' function, all characters
except (`) backtick are supported.
This patch brings vars.example in line with the warning in easyrsa and
also only warns about backtick.
It is possible that curly brace '{}' may also cause OpenSSL to behave
strangely. However, the strange behaviour, which I previously observed,
may have been rectified by OpenSSL.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Add warning for new password status, prior to renewal.
Add reminder to replace certificate AND key files, after renewal.
Correct input check for option 'nopass'
Closes: m#644
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Previously, testing vars for unsupported characters was only done if
vars was in the PKI. This test can now be done for all vars files.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The 3 definitions of $prog_dir:
- foo -> prog_dir=/search/path ## Not $PWD
- ./foo -> prog_dir=. ## $PWD
- /full/path/foo -> prog_dir=/full/path ## Could be $PWD
'/full/path' was previously missing from the check.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Since relaxing the rules concerning the location of vars file,
commit f4a604438d3ce5fe67a1f4db956dc42fc4ae5588, it is no longer
necessary to prohibit the use of --vars=file with 'init-pki'.
This initial prohibition was only a temporary measure and has
proven to be of no value.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
