Required changes:

* Use 'verify_ssl_lib()' to determine SSL Library version. Returns '1', '3' OR error. Sets 'no_password' to either '-nodes' (SSLv1) or '-noenc' (SSLv3)
* Replace OpenSSL parameter '-nodes' [DEPRECATED], with '-noenc'.
  Ref: https://www.openssl.org/docs/man3.0/man1/openssl-req.html
  This affects all Easy-RSA CAs built using OpenSSL version 3.
* Replace OpenSSL command 'genrsa' [DEPRECATED], with 'genpkey'.
  Ref: https://www.openssl.org/docs/man3.0/man1/openssl-genrsa.html
  This affects Easy-RSA 'RSA' CAs built using OpenSSL version 3. OpenSSL advises using 'genpkey' over 'genrsa'.
* OpenSSL 'genpkey' does not accept the parameters defined by easyrsa $opts and $no_password when generating CA private keys. Do not use these variables for OpenSSL-v3 'genpkey'.

Optional changes:

* Use 'easyrsa_openssl()' wrapper function to build all CAs.
* Add 'genpkey' to easyrsa_openssl() wrapper, to include using the EasyRSA/OpenSSL Configuration file $EASYRSA_SAFE_CONF.
* Change EasyRSA Elliptic Curve (ec) CAs to also use OpenSSL 'genpkey', instead of OpenSSL 'ec'. This change is not required, however, this means that all EasyRSA CA Private keys are created using 'genpkey' with OpenSSL v3.
* EasyRSA 'gen_req()' is the only other code which uses OpenSSL '-nodes'. Make 'gen_req()' aware of the SSL Library version and therefore the correct parameter for an unencrypted private key. (-noenc vs -nodes) Note: OpenSSL '-nodes' is only deprecated, not removed.
* Indent OpenSSL version 1 code block to match. No functional changes.

Tests Passed:

* Full extended unit tests, with both OpenSSL version 1.1.x and 3.0.1 (Includes standard test for Edwards Curve PKI)
* Manual building of all OpenSSL *v3* CAs with passwords and subsequent building and signing of a server or client certificate.
* Manual building of OpenSSL *v1* EC CA with password and subsequent building and signing of a server or client certificate. Tested due to changing CA key from OpenSSL 'ec' to 'genpkey'.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
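The version check and flag selection the commit describes, as an added shell illustration (not Easy-RSA's own verify_ssl_lib(), easyrsa_openssl() or gen_req() code): it maps the 'openssl version' string to a major version, chooses '-noenc' versus '-nodes', and shows that on OpenSSL 3 the CA key goes through 'genpkey' without that flag while 'openssl req' still takes it. Function names, the 2048-bit/secp384r1 parameters and the sample version strings are assumptions made for this example.

```shell
# Added illustration, not Easy-RSA's own code: pick the OpenSSL flag for an
# unencrypted key from the library's major version and build the matching
# key-generation command ('genpkey' on v3; legacy 'genrsa'/'ec' on v1).
# Function names and the demo version string are constructed for this example.

# verify_ssl_lib_version STRING -- STRING is the output of 'openssl version'.
#   Prints the major version, 1 or 3; any other library is an error.
verify_ssl_lib_version() {
    case "$1" in
        "OpenSSL 1."*) echo 1 ;;
        "OpenSSL 3."*) echo 3 ;;
        *) echo "unsupported SSL library: '$1'" >&2; return 1 ;;
    esac
}

# no_password_flag MAJOR
#   '-nodes' is deprecated in OpenSSL 3 in favour of '-noenc'; v1 only has '-nodes'.
no_password_flag() {
    case "$1" in
        1) echo "-nodes" ;;
        3) echo "-noenc" ;;
        *) return 1 ;;
    esac
}

# ca_key_command MAJOR ALGO KEYFILE
#   Command for an encrypted CA key. On v3 'genpkey' covers both rsa and ec
#   and gets neither $opts nor the no-password flag (it rejects them).
ca_key_command() {
    case "$1:$2" in
        3:rsa) echo "openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -cipher aes-256-cbc -out $3" ;;
        3:ec)  echo "openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -cipher aes-256-cbc -out $3" ;;
        1:rsa) echo "openssl genrsa -aes256 -out $3 2048" ;;
        1:ec)  echo "openssl ecparam -name secp384r1 -genkey | openssl ec -aes256 -out $3" ;;
        *) return 1 ;;
    esac
}

# req_command MAJOR REQFILE KEYFILE
#   The 'gen_req' style call: 'openssl req' is where the no-password flag belongs.
req_command() {
    flag=$(no_password_flag "$1") || return 1
    echo "openssl req -new -newkey rsa:2048 $flag -keyout $3 -out $2"
}

# Demo with a constructed version string; in practice use "$(openssl version)".
major=$(verify_ssl_lib_version "OpenSSL 3.0.1 14 Dec 2021")
echo "SSL lib major $major, unencrypted-key flag: $(no_password_flag "$major")"
ca_key_command "$major" ec ca.key
req_command "$major" server.req server.key
```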
Overview
easy-rsa is a CLI utility to build and manage a PKI CA. In layman's terms, this means to create a root certificate authority, and request and sign certificates, including intermediate CAs and certificate revocation lists (CRL).
Downloads
If you are looking for release downloads, please see the releases section on GitHub. Releases are also available as source checkouts using named tags.
Documentation
For 3.x project documentation and usage, see the README.quickstart.md file or the more detailed docs under the doc/ directory. The .md files are in Markdown format and can be converted to html files as desired for release packages, or read as-is in plaintext.
Getting help using easy-rsa
Currently, Easy-RSA development co-exists with OpenVPN even though they are separate projects. The following resources are good places as of this writing to seek help using Easy-RSA:
The openvpn-users mailing list is a good place to post usage or help questions.
You can also try IRC at Freenode/#openvpn for general support or Freenode/#easyrsa for development discussion.
Branch structure
The easy-rsa master branch is currently tracking development for the 3.x release cycle. Please note that, at any given time, master may be broken. Feel free to create issues against master, but have patience when using the master branch. It is recommended to use a release, and priority will be given to bugs identified in the most recent release.
The prior 2.x and 1.x versions are available as release branches for tracking and possible back-porting of relevant fixes. Branch layout is:
master <- 3.x, at present
v3.x.x pre-release branches, used for staging branches
release/2.x
release/1.x
LICENSING info for 3.x is in the COPYING.md file
Code style, standards
We are attempting to adhere to the POSIX standard, which can be found here: