./security/easy-rsa, CLI utility to build and manage a PKI CA


Branch: CURRENT, Version: 3.2.1, Package name: easy-rsa-3.2.1, Maintainer: pkgsrc-users

easy-rsa is a CLI utility to build and manage a PKI CA. In layman's terms,
this means to create a root certificate authority, and request and sign
certificates, including sub-CAs and certificate revocation lists (CRL).


Required to build:
[pkgtools/cwrappers]

Filesize: 78.044 KB


CVS history:


   2023-12-05 19:29:16 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
easy-rsa: updated to 3.1.7

3.1.7 (2023-10-13)

Rewrite vars-auto-detect, adhere to EasyRSA-Advanced.md
Under the hood, this is a considerable change but there are no user
noticeable differences. With the exception of:
Caveat: The default '$PWD/pki/vars' file is forbidden to change either
EASYRSA or EASYRSA_PKI, which are both implied by default.
EasyRSA-Advanced.md: Correct vars-auto-detect hierarchy
Commit: ecd6506
EASYRSA/vars is moved to a higher priority than a default PKI.
vars-auto-detect no longer searches 'easyrsa' program directory.
gen-crl: preserve existing crl.pem ownership+mode
New command: make-vars - Print vars.example (here-doc) to stdout
show-expire: Calculate cert. expire seconds from DB date
Update OpenSSL to 3.1.2
   2023-09-06 22:13:08 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
easy-rsa: updated to 3.1.6

3.1.6 (2023-07-18)
* New commands: 'inline' and 'x509-eku'
  inline: Build an inline file for a commonName
  x509-eku: Extract X509v3 extended key usage from a certificate
* Expose serial-check, display-dn, display-san and default-san to
  command line.
* Expand default status to include vars-file and CA status
* sign-req: Allow the CSR DN-field order to be preserved
   2023-08-05 09:11:08 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
easy-rsa: updated to 3.1.5

3.1.5 (2023-06-10)

Build Update: script now supports signing and verifying

Automate support-file creation (Free packaging)

build-ca: New command option 'raw-ca', abbreviation: 'raw'

This 'raw' method is the most reliable way to build a CA,
with a password, without writing the CA password to a temp-file.

This option completely replaces both methods below:

build-ca: New option --ca-via-stdin, use SSL -pass* argument 'stdin'
Option '--ca-via-stdin' offers no more security than standard method.
Easy-RSA version 3.1.4 ONLY.

build-ca: Replace password temp-files with file-descriptors
Using file-descriptors does not work in Windows.
Easy-RSA version 3.1.3 ONLY.
   2023-06-07 13:10:38 by Leonardo Taccari | Files touched by this commit (5) | Package updated
Log message:
easyrsa: Update to 3.1.4

3.1.4
-----
   * build-ca: New option --ca-via-stdin, use SSL -pass* argument 'stdin'
   * build-ca: Revert manual CA password method to temp-files

     Release v3.1.3 was fatally flawed, it would fail to build a CA under Windows.
     Release v3.1.4 is specifically a bugfix ONLY, to resolve the Windows problem.

     See the following commits for further details:
     5d7ad1306d5ebf1588aef77eb3445e70cf5b4ebc
         build-ca: Revert manual CA password method to temp-files
     c11135d19b2e7e7385d28abb1132978c849dfa74
         build-ca: Use OpenSSL password I/O argument 'stdin'
     27870d695a324e278854146afdac5d6bdade9bba
         build-ca: Replace password temp-file method with file-descriptors
         Superseded by 5d7ad13 above.

3.1.3
-----
   * build-ca: Replace password temp-files with file-descriptors
   * Replace --fix-offset with --startdate, --enddate
   * Introduce option -S|--silent-ssl: Silence SSL output
   * Only create a random serial number file when expected
   * Always verify SSL lib, for all commands
   * Option --fix-offset: Adjust off-by-one day
   * Update OpenSSL to v3.0.8

3.1.2
-----
   * build-full: Always enable inline file creation
   * Make default Edwards curve ED25519
   * Allow --fix-offset to create post-dated certificates
   * Introduce command 'set-pass'
   * Introduce global option '--nopass|--no-pass'
   * Introduce global option '--notext|--no-text'
   * Command 'help': For unknown command, exit with error
   * Find data-files in the correct order
   * Update OpenSSL to 3.0.7 for Windows distribution

3.1.1
-----
   * Remove command 'renewable' (#715)
   * Expand 'show-renew', include 'renewed/certs_by_serial'
   * Resolve long-standing issue with --subca-len=N
   *  ++ NOTICE: Add EasyRSA-Renew-and-Revoke.md
   * Require 'openssl-easyrsa.cnf' is up to date
   * Introduce 'renew' (version 3). Only renew cert
   * Always ensure X509-types files exist
   * Expand alias '--days' to all suitable options with a period
   * Introduce --keep-tmp, keep temp files for debugging
   * Add serialNumber (OID 2.5.4.5) to DN 'org' mode
   * Support ampersand and dollar-sign in vars file
   * Introduce 'rewind-renew'
   * Expand status reports to include checking a single cert
   * Introduce 'revoke-renewed'
   * update OpenSSL for Windows to 3.0.5

3.1.0
-----
   * Introduce basic support for OpenSSL version 3
   * Update regex in grep to be POSIX compliant
   * Introduce status reporting tools
   * Display certificates using UTF8
   * Allow certificates to be created with fixed date offset
   * Add 'verify' to verify certificate against CA
   * Add PKCS#12 alias 'friendlyName'
   * Support multiple IP-Addresses in SAN
   * Add option '--renew-days=NN', custom renew grace period
   * Add 'nopass' option to the 'export-pkcs' functions
   * Add support for 'busybox'
   * Add option '--tmp-dir=DIR' to declare Temp-dir

3.0.9
-----
   * Upgrade OpenSSL from 1.1.0j to 1.1.1o
      - We are building this ourselves now.
   * Fix --version so it uses EASYRSA_OPENSSL
   * Use openssl rand instead of non-POSIX mktemp
   * Fix paths with spaces
   * Correct OpenSSL version from Homebrew on macOS
   * Fix revoking a renewed certificate
     Follow-up commit: ef22701878bb10df567d60f2ac50dce52a82c9ee
   * Introduce 'show-crl'
   * Support Windows-Git 'version of bash'
   * Disallow use of single quote (') in vars file, Warning
   * Creating a CA uses x509-types/ca and COMMON
   * Prefer 'PKI/vars' over all other locations
   * Introduce 'init-pki soft' option
   * Warnings are no longer silenced by --batch
   * Improve packaging options
   * Update regex for POSIX compliance
   * Correct date format for Darwin/BSD
   2023-06-06 18:15:25 by Leonardo Taccari | Files touched by this commit (3)
Log message:
easy-rsa: Add some portability fixes

Gracefully handle date(1) calls on NetBSD and stick with POSIX "basic" regular
expression when using sed(1).

(Not shared upstream because probably both of these problems are solved
by a quick code skim.)

PKGREVISION++
   2021-10-26 13:18:07 by Nia Alarie | Files touched by this commit (605)
Log message:
security: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2
   2021-10-07 16:54:50 by Nia Alarie | Files touched by this commit (606)
Log message:
security: Remove SHA1 hashes for distfiles
   2020-11-17 13:14:17 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
easy-rsa: updated to 3.0.8

3.0.8 (2020-09-09)
* Provide --version option
* Version information now within generated certificates like on *nix
* Fixed issue where gen-dh overwrote existing files without warning
* Fixed issue where ED/EC certificates were still signed by RSA
* Added support for export-p8
* Clarified error message
* 2->3 upgrade now errors and prints message when vars isn't found
* Update OpenSSL Windows binaries to 1.1.1g