easy-rsa is a CLI utility to build and manage a PKI CA. In laymen's terms,
2024-09-23 10:17:24 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
easy-rsa: updated to 3.2.1
3.2.1
* inline: Add decimal value for cert. serial (Linux Only) (b33038e)
* Always exit with error for unknown command options (Except nopass)
(build-ca: b2f7912); (gen-req: 07f21d3); (build_full(): 0ff7f4c);
(export_pkcs(): 2c51288); (set-pass: 1266d4e)
* Integrate Easy-RSA TLS-Key for use with 'init-pki soft' (03d9dc2)
Note: Inline files that contain private key data are now created in sub-dir
'pki/inline/private'.
* easyrsa-tools.lib, show-expire: Add CA certificate to report (a36cd54)
* inline: OpenVPN TLS Keys inlining for TLS-AUTH, TLS-CRYPT-V1 (6e9e4a2)
Note: Command inline only writes directly to inline file not stdout.
* easyrsa-tools.lib: OpenVPN TLS Key gen. TLS-AUTH, TLS-CRYPT-V1 (cf0da16)
* easyrsa-tools.lib: expire_status_v2() (show-expire version 2) (1e43bf5)
* sign-req: Require 128bit serial number (806ee19)
* Move command 'verify-cert' to Tools-lib; drop 'verify' shortcut (ddbf304)
* Windows secure_session(): Ensure $secured_session dir is created (d99b242)
* Switch to '-f' for file existence (6ab98c9..a02f545)
* inline: Move auto-inline from build_full() to sign_req() (823f70f)
* gen-crl: Create additional CRL in DER format (69df0d8)
* self-sign: Allow Edwards Curve based keys (81b749b)
* Re-enable command 'renew' (version 2): Requires EasyRSA Tools (30fe311)
* bug-fix: revoke: Pass the correct certificate location (24d5514)
* vars.example: Add flags for auto-SAN and X509 critical attribute (a41dfcc)
* Global option --eku-crit: Mark X509 extendedKeyUsage as critical (ca09211)
* sign-req: Add critical and pathlen details to confirmation (deae705)
* export-p12: Automatically generate inline file (9d90370)
* Introduce global option --auto-san, use commonName as SAN (5c36d44)
* Introduce global option --san-crit, mark SAN critical (dd69f50)
* Introduce new global options: --ku-crit and --bc-crit (b79abee)
* gen-req: Always check for existing request file (7eab98e)
* revoke/revoke-expired/-renewed: Keep duplicate certificate (3da7f66)
* revoke-expired/-renewed: Keep req/key files for resigning (4537ae7)
* revoke: Add abbreviations for optional 'reason' (a88ccc7)
* build-ca: Allow use of --req-cn without batch mode (b77a0fb)
* gen-req: Re-enable use of --req-cn (5cf8c46)
* write: Change syntax, target as file, not directory
|
2024-06-08 09:14:37 by Adam Ciarcinski | Files touched by this commit (3) | |
Log message:
easy-rsa: updated to 3.2.0
EasyRSA v3.2.0 - Most significant changes
New commands:
self-sign-server and self-sign-client
Create self-signed certificates for use with OpenVPN Peer Fingerprint mode.
These certificates comply with other EasyRSA signing policies.
expire
Selectively move certificates from the issued/ to expired/ directory.
This allows a new certificate to be signed from the original signing request file.
This allows all custom signing options to be applied as required.
This replaces the old command renew, which has been removed.
Further details: doc/EasyRSA-Renew-and-Revoke.md
write
Create legacy support files: openssl-easyrsa.cnf, x509-types/* and vars.example.
This allows EasyRSA to be used without having copies of the support files installed.
Removed commands:
renew
Replaced by command expire, followed by command sign-req.
This allows all custom options to be used when signing, which renew did not.
rebuild and rewind-renew
No longer required.
upgrade
No longer supported.
New Global Option:
--new-subject -- Command sign-req option: newsubj
Edit Request Subject during command sign-req
New files:
easyrsa-tools.lib
Moved code for commands show-expire, show-revoke and show-renew to the new file.
easyrsa-tools.lib is auto-loaded, if it is found in a supported location. eg. $pwd
|
2023-12-05 19:29:16 by Adam Ciarcinski | Files touched by this commit (3) | |
Log message:
easy-rsa: updated to 3.1.7
3.1.7 (2023-10-13)
Rewrite vars-auto-detect, adhere to EasyRSA-Advanced.md
Under the hood, this is a considerable change but there are no user
noticeable differences. With the exception of:
Caveat: The default '$PWD/pki/vars' file is forbidden to change either
EASYRSA or EASYRSA_PKI, which are both implied by default.
EasyRSA-Advanced.md: Correct vars-auto-detect hierarchy
Commit: ecd6506
EASYRSA/vars is moved to a higher priority than a default PKI.
vars-auto-detect no longer searches 'easyrsa' program directory.
gen-crl: preserve existing crl.pem ownership+mode
New command: make-vars - Print vars.example (here-doc) to stdout
show-expire: Calculate cert. expire seconds from DB date
Update OpenSSL to 3.1.2
|
2023-09-06 22:13:08 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
easy-rsa: updated to 3.1.6
3.1.6 (2023-07-18)
* New commands: 'inline' and 'x509-eku'
inline: Build an inline file for a commonName
x509-eku: Extract X509v3 extended key usage from a certificate
* Expose serial-check, display-dn, display-san and default-san to
command line.
* Expand default status to include vars-file and CA status
* sign-req: Allow the CSR DN-field order to be preserved
|
2023-08-05 09:11:08 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
easy-rsa: updated to 3.1.5
3.1.5 (2023-06-10)
Build Update: script now supports signing and verifying
Automate support-file creation (Free packaging)
build-ca: New command option 'raw-ca', abbreviation: 'raw'
This 'raw' method, is the most reliable way to build a CA,
with a password, without writing the CA password to a temp-file.
This option completely replaces both methods below:
build-ca: New option --ca-via-stdin, use SSL -pass* argument 'stdin'
Option '--ca-via-stdin' offers no more security than standard method.
Easy-RSA version 3.1.4 ONLY.
build-ca: Replace password temp-files with file-descriptors
Using file-descriptors does not work in Windows.
Easy-RSA version 3.1.3 ONLY.
|
2023-06-07 13:10:38 by Leonardo Taccari | Files touched by this commit (5) | |
Log message:
easyrsa: Update to 3.1.4
3.1.4
-----
* build-ca: New option --ca-via-stdin, use SSL -pass* argument 'stdin'
* build-ca: Revert manual CA password method to temp-files
Release v3.1.3 was fatally flawed, it would fail to build a CA under Windows.
Release v3.1.4 is specifically a bugfix ONLY, to resolve the Windows problem.
See the following commits for further details:
5d7ad1306d5ebf1588aef77eb3445e70cf5b4ebc
build-ca: Revert manual CA password method to temp-files
c11135d19b2e7e7385d28abb1132978c849dfa74
build-ca: Use OpenSSL password I/O argument 'stdin'
27870d695a324e278854146afdac5d6bdade9bba
build-ca: Replace password temp-file method with file-descriptors
Superseded by 5d7ad13 above.
3.1.3
-----
* build-ca: Replace password temp-files with file-descriptors
* Replace --fix-offset with --startdate, --enddate
* Introduce option -S|--silent-ssl: Silence SSL output
* Only create a random serial number file when expected
* Always verify SSL lib, for all commands
* Option --fix-offset: Adjust off-by-one day
* Update OpenSSL to v3.0.8
3.1.2
-----
* build-full: Always enable inline file creation
* Make default Edwards curve ED25519
* Allow --fix-offset to create post-dated certificates
* Introduce command 'set-pass'
* Introduce global option '--nopass|--no-pass'
* Introduce global option '--notext|--no-text'
* Command 'help': For unknown command, exit with error
* Find data-files in the correct order
* Update OpenSSL to 3.0.7 for Windows distribution
3.1.1
-----
* Remove command 'renewable' (#715)
* Expand 'show-renew', include 'renewed/certs_by_serial'
* Resolve long-standing issue with --subca-len=N
* ++ NOTICE: Add EasyRSA-Renew-and-Revoke.md
* Require 'openssl-easyrsa.cnf' is up to date
* Introduce 'renew' (version 3). Only renew cert
* Always ensure X509-types files exist
* Expand alias '--days' to all suitable options with a period
* Introduce --keep-tmp, keep temp files for debugging
* Add serialNumber (OID 2.5.4.5) to DN 'org' mode
* Support ampersand and dollar-sign in vars file
* Introduce 'rewind-renew'
* Expand status reports to include checking a single cert
* Introduce 'revoke-renewed'
* update OpenSSL for Windows to 3.0.5
3.1.0
-----
* Introduce basic support for OpenSSL version 3
* Update regex in grep to be POSIX compliant
* Introduce status reporting tools
* Display certificates using UTF8
* Allow certificates to be created with fixed date offset
* Add 'verify' to verify certificate against CA
* Add PKCS#12 alias 'friendlyName'
* Support multiple IP-Addresses in SAN
* Add option '--renew-days=NN', custom renew grace period
* Add 'nopass' option to the 'export-pkcs' functions
* Add support for 'busybox'
* Add option '--tmp-dir=DIR' to declare Temp-dir
3.0.9
-----
* Upgrade OpenSSL from 1.1.0j to 1.1.1o
- We are building this ourselves now.
* Fix --version so it uses EASYRSA_OPENSSL
* Use openssl rand instead of non-POSIX mktemp
* Fix paths with spaces
* Correct OpenSSL version from Homebrew on macOS
* Fix revoking a renewed certificate
Follow-up commit: ef22701878bb10df567d60f2ac50dce52a82c9ee
* Introduce 'show-crl'
* Support Windows-Git 'version of bash'
* Disallow use of single quote (') in vars file, Warning
* Creating a CA uses x509-types/ca and COMMON
* Prefer 'PKI/vars' over all other locations
* Introduce 'init-pki soft' option
* Warnings are no longer silenced by --batch
* Improve packaging options
* Update regex for POSIX compliance
* Correct date format for Darwin/BSD
|
2023-06-06 18:15:25 by Leonardo Taccari | Files touched by this commit (3) |
Log message:
easy-rsa: Add some portability fixes
Gracefully handle date(1) calls on NetBSD and stick with POSIX "basic" regular
expression when using sed(1).
(Not shared upstream because probably both of these problems are solved
by a quick code skim.)
PKGREVISION++
|
2021-10-26 13:18:07 by Nia Alarie | Files touched by this commit (605) |
Log message:
security: Replace RMD160 checksums with BLAKE2s checksums
All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo \
cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2
|