Set env:var:
EASYRSA_EXTRA_EXTS="-addext foo,a:b -addext bah,c:d -addext baz e:f,g"
The value of EASYRSA_EXTRA_EXTS is passed as-is to the SSL command.
Creating a CA does not allow for an arbitrary extensions file, therefore
extensions must be added via the config file (#526) or via SSL Library
option '-addext' (Can be specified to SSL multiple times).
Option '-addext' is allowed to be specified multiple times to SSL,
therefore, this string must be syntactically correct for SSL not EasyRSA.
Finally, rename EASYRSA_EXTRA_EXTS to EASYRSA_CA_EXTRA_EXTS to avoid
triggering EASYRSA_EXTRA_EXTS code buried inside of easyrsa_openssl().
Closes: #54
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

To sign a request, easyrsa uses 'openssl ca', which does support -extfile.
To create a CA, easyrsa uses 'openssl req', which does not support -extfile.
Therefore, the x509-types 'ca' and COMMON files cannot be specified using
-extfile to create a CA. Instead, they must be included within the SSL
config file, which 'openssl req' does support.
Using the same awk script from gen_req(), with New Token '#%X509_TYPES%',
the x509-types files 'ca' and COMMON are inserted into the SSL config file.
Closes: #525
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

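As an added illustration of the technique the commit above describes (not EasyRSA's own gen_req() awk script, and the config and x509-types contents are constructed here), the snippet below splices the 'ca' and COMMON files into an OpenSSL config at the '#%X509_TYPES%' token so that 'openssl req' can pick the extensions up from the config file instead of a -extfile it does not support:

```shell
#!/bin/sh
# Added example, not code from the EasyRSA project. It builds a scratch
# directory with a minimal openssl-easyrsa.cnf (constructed content) and two
# x509-types files (constructed content), then replaces the token line with
# the contents of those files. File names mimic EasyRSA's layout.

set -eu

# make_fixture: create the scratch files and print the directory path.
make_fixture() {
    dir=$(mktemp -d)
    cat > "$dir/openssl-easyrsa.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = easyrsa_ca

[ req_distinguished_name ]
commonName = Common Name

[ easyrsa_ca ]
#%X509_TYPES%
EOF
    mkdir "$dir/x509-types"
    # Constructed sample content for x509-types/ca and x509-types/COMMON.
    printf 'basicConstraints = CA:TRUE\nkeyUsage = cRLSign, keyCertSign\n' \
        > "$dir/x509-types/ca"
    printf 'subjectKeyIdentifier = hash\n' > "$dir/x509-types/COMMON"
    echo "$dir"
}

# insert_x509_types CNF TYPE_FILE COMMON_FILE
# Prints CNF with the single '#%X509_TYPES%' line replaced by the contents
# of TYPE_FILE followed by COMMON_FILE; every other line passes through.
insert_x509_types() {
    cnf=$1; type_file=$2; common_file=$3
    awk -v tf="$type_file" -v cf="$common_file" '
        $0 == "#%X509_TYPES%" {
            # Emit the type-specific extensions first, then the COMMON ones,
            # and drop the token line itself.
            while ((getline line < tf) > 0) print line
            close(tf)
            while ((getline line < cf) > 0) print line
            close(cf)
            next
        }
        { print }
    ' "$cnf"
}

# Usage: generate the merged config and hand it to 'openssl req -config'.
#   d=$(make_fixture)
#   insert_x509_types "$d/openssl-easyrsa.cnf" "$d/x509-types/ca" \
#       "$d/x509-types/COMMON" > "$d/merged.cnf"
```

The exact string match on the token line keeps the substitution from firing on commented-out or partial matches elsewhere in the config, and reading the two files inside awk (rather than with shell interpolation) means extension values containing quotes or spaces land in the config unchanged.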
All requests now have the specified commonName <FILE_NAME_BASE>
Changes:
* Separate EASYRSA_BATCH from internal SSL -batch option.
This makes the code easier to understand.
* If both EASYRSA_BATCH and openssl_batch are unset then full
interactive mode is enabled. The user can verify the input.
Otherwise SSL interactive is disabled and no user interaction
is required.
In either case, all DN fields are fully populated, depending on
EASYRSA_DN mode ('org' or 'cn_only').
Closes: #456
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

Introduce EASYRSA_SILENT to enhance the use of EASYRSA_BATCH.
Affected functions: warn()
The change in behaviour is that warn() can ONLY be silenced by
option --silent. Batch-mode is still respected but silence is not.
For scripts which rely on EasyRSA, if they use option --batch then
the change to restore previous behaviour is to use option --sbatch.
Otherwise, export EASYRSA_SILENT=1.
This is a minimal change that preserves batch-mode functionality but
also heeds Warnings, unless NEW option --sbatch is specifically used.
Warnings should not be silenced by batch-mode.
Closes: #512
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

Bug: '$1' is not cleared, therefore 'pki/vars' was always created.
Explicitly require 'context:$1' (init-pki or vars-setup), otherwise die.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

Thanks to excellent community feedback, this patch forces a single,
reliable list of sources for EasyRSA data-files.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

The purpose here is to force EasyRSA to find the required data-files:
* 'openssl-easyrsa.cnf' MUST be found.
* 'x509-types' MUST be found.
* 'vars.example' should be found.
* 'vars'
The 'vars' file is more complicated due to user expectations.
This patch does not copy 'vars', the code is included but DISABLED.
The reasons are:
* Allow running 'easyrsa' from PATH.
* Make standard packaging work correctly.
Bug fixes:
* #499 and associated issues with missing files.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

Changes made by a0dbc346bd92088ee481f5488ac53a7537b32073 result in
'ossl_major=2' and LibreSSL 2.x not being recognised.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>