Log message:
easy-rsa: updated to 3.1.7

3.1.7 (2023-10-13)

Rewrite vars-auto-detect, adhere to EasyRSA-Advanced.md
Under the hood, this is a considerable change but there are no user
noticable differences. With the exception of:
Caveat: The default '$PWD/pki/vars' file is forbidden to change either
EASYRSA or EASYRSA_PKI, which are both implied by default.
EasyRSA-Advanced.md: Correct vars-auto-detect hierarchy
Commit: ecd6506
EASYRSA/vars is moved to a higher priority than a default PKI.
vars-auto-detect no longer searches 'easyrsa' program directory.
gen-crl: preserve existing crl.pem ownership+mode
New command: make-vars - Print vars.example (here-doc) to stdout
show-expire: Calculate cert. expire seconds from DB date
Update OpenSSL to 3.1.2

Log message:
easy-rsa: updated to 3.1.6

3.1.6 (2023-07-18)
* New commands: 'inline' and 'x509-eku'
  inline: Build an inline file for a commonName
  x509-eku: Extract X509v3 extended key usage from a certificate
* Expose serial-check, display-dn, display-san and default-san to
  command line.
* Expand default status to include vars-file and CA status
* sign-req: Allow the CSR DN-field order to be preserved

Log message:
easy-rsa: updated to 3.1.5

3.1.5 (2023-06-10)

Build Update: script now supports signing and verifying

Automate support-file creation (Free packaging)

build-ca: New command option 'raw-ca', abbrevation: 'raw'

This 'raw' method, is the most reliable way to build a CA,
with a password, without writing the CA password to a temp-file.

This option completely replaces both methods below:

build-ca: New option --ca-via-stdin, use SSL -pass* argument 'stdin'
Option '--ca-via-stdin' offers no more security than standard method.
Easy-RSA version 3.1.4 ONLY.

build-ca: Replace password temp-files with file-descriptors
Using file-descriptors does not work in Windows.
Easy-RSA version 3.1.3 ONLY.

Log message:
easyrsa: Update to 3.1.4

3.1.4
-----
   * build-ca: New option --ca-via-stdin, use SSL -pass* argument 'stdin'
   * build-ca: Revert manual CA password method to temp-files

     Release v3.1.3 was fatally flawed, it would fail to build a CA under Windows.
     Release v3.1.4 is specifically a bugfix ONLY, to resolve the Windows problem.

     See the following commits for further details:
     5d7ad1306d5ebf1588aef77eb3445e70cf5b4ebc
         build-ca: Revert manual CA password method to temp-files
     c11135d19b2e7e7385d28abb1132978c849dfa74
         build-ca: Use OpenSSL password I/O argument 'stdin'
     27870d695a324e278854146afdac5d6bdade9bba
         build-ca: Replace password temp-file method with file-descriptors
         Superseded by 5d7ad13 above.

3.1.3
-----
   * build-ca: Replace password temp-files with file-descriptors
   * Replace --fix-offset with --startdate, --enddate
   * Introduce option -S|--silent-ssl: Silence SSL output
   * Only create a random serial number file when expected
   * Always verify SSL lib, for all commands
   * Option --fix-offset: Adjust off-by-one day
   * Update OpenSSL to v3.0.8

3.1.2
-----
   * build-full: Always enable inline file creation
   * Make default Edwards curve ED25519
   * Allow --fix-offset to create post-dated certificates
   * Introduce command 'set-pass'
   * Introduce global option '--nopass|--no-pass'
   * Introduce global option '--notext|--no-text'
   * Command 'help': For unknown command, exit with error
   * Find data-files in the correct order
   * Update OpenSSL to 3.0.7 for Windows distribution

3.1.1
-----
   * Remove command 'renewable' (#715)
   * Expand 'show-renew', include 'renewed/certs_by_serial'
   * Resolve long-standing issue with --subca-len=N
   *  ++ NOTICE: Add EasyRSA-Renew-and-Revoke.md
   * Require 'openssl-easyrsa.cnf' is up to date
   * Introduce 'renew' (version 3). Only renew cert
   * Always ensure X509-types files exist
   * Expand alias '--days' to all suitable options with a period
   * Introduce --keep-tmp, keep temp files for debugging
   * Add serialNumber (OID 2.5.4.5) to DN 'org' mode
   * Support ampersand and dollar-sign in vars file
   * Introduce 'rewind-renew'
   * Expand status reports to include checking a single cert
   * Introduce 'revoke-renewed'
   * update OpenSSL for Windows to 3.0.5

3.1.0
-----
   * Introduce basic support for OpenSSL version 3
   * Update regex in grep to be POSIX compliant
   * Introduce status reporting tools
   * Display certificates using UTF8
   * Allow certificates to be created with fixed date offset
   * Add 'verify' to verify certificate against CA
   * Add PKCS#12 alias 'friendlyName'
   * Support multiple IP-Addresses in SAN
   * Add option '--renew-days=NN', custom renew grace period
   * Add 'nopass' option to the 'export-pkcs' functions
   * Add support for 'busybox'
   * Add option '--tmp-dir=DIR' to declare Temp-dir

3.0.9
-----
   * Upgrade OpenSSL from 1.1.0j to 1.1.1o
      - We are buliding this ourselves now.
   * Fix --version so it uses EASYRSA_OPENSSL
   * Use openssl rand instead of non-POSIX mktemp
   * Fix paths with spaces
   * Correct OpenSSL version from Homebrew on macOs
   * Fix revoking a renewed certificate
     Follow-up commit: ef22701878bb10df567d60f2ac50dce52a82c9ee
   * Introduce 'show-crl'
   * Support Windows-Git 'version of bash'
   * Disallow use of single quote (') in vars file, Warning
   * Creating a CA uses x509-types/ca and COMMON
   * Prefer 'PKI/vars' over all other locations
   * Introduce 'init-pki soft' option
   * Warnings are no longer silenced by --batch
   * Improve packaging options
   * Update regex for POSIX compliance
   * Correct date format for Darwin/BSD

Log message:
easy-rsa: Add some portability fixes

Gracefully handle date(1) calls on NetBSD and stick with POSIX "basic" \ 
regular
expression when using sed(1).

(Not shared upstream because probably both of these problems are solved
by a quick code skim.)

PKGREVISION++

Log message:
security: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo \ 
cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2

Log message:
security: Remove SHA1 hashes for distfiles

Log message:
easy-rsa: updated to 3.0.8

3.0.8 (2020-09-09)
* Provide --version option
* Version information now within generated certificates like on *nix
* Fixed issue where gen-dh overwrote existing files without warning
* Fixed issue with ED/EC certificates were still signed by RSA
* Added support for export-p8
* Clarified error message
* 2->3 upgrade now errors and prints message when vars isn't found
* Update OpenSSL Windows binaries to 1.1.1g

Log message:
easy-rsa: updated to 3.0.7

3.0.7:
Include OpenSSL libs and binary for Windows 1.1.0j
Remove RANDFILE environment variable
Workaround for bug in win32 mktemp
Handle IP address in SAN and renewals
Workaround for ash and no set -o echo
Shore up windows testing framework
Provide upgrade mechanism for older versions of EasyRSA
Add support for KDC certificates
Add support for Edward Curves
Add support for EASYRSA_PASSIN and EASYRSA_PASSOUT env vars
Add support for RID to SAN

Log message:
easy-rsa: updated to 3.0.6

3.0.6:
Certifcates that are revoked now move to a revoked subdirectory
EasyRSA no longer clobbers non-EASYRSA environment variables
More sane string checking, allowingn for commas in CN
Support for reasonCode in CRL
Better handling for capturing passphrases
Improved LibreSSL/MacOS support
Adds support to renew certificates up to 30 days before expiration
This changes previous behavior allowing for certificate creation using
duplicate CNs.