@TinCanTech
Collaborator

To sign a request, easyrsa uses 'openssl ca', which does support -extfile.

To create a CA, easyrsa uses 'openssl req', which does not support -extfile.

Therefore, the x509-types 'ca' and COMMON files cannot be specified using
-extfile to create a CA. Instead, they must be included within the SSL
config file, which 'openssl req' does support.

Using the same awk script from gen_req(), with New Token '#%X509_TYPES%',
the x509-types files 'ca' and COMMON are inserted into the SSL config file.

Closes: #525

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

Set env:var:
EASYRSA_EXTRA_EXTS="-addext foo,a:b -addext bah,c:d -addext baz e:f,g"

The value of EASYRSA_EXTRA_EXTS is passed as-is to the SSL command.

Creating a CA does not allow for an arbitrary extensions file, therefore
extensions must be added via the config file (#526) or via SSL Library
option '-addext' (Can be specified to SSL multiple times).

Option '-addext' is allowed to be specified multiple times to SSL,
therefore, this string must be syntactically correct for SSL not EasyRSA.

Finally, rename EASYRSA_EXTRA_EXTS to EASYRSA_CA_EXTRA_EXTS to avoid
triggering EASYRSA_EXTRA_EXTS code buried inside of easyrsa_openssl().

Closes: #54

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
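An added example, not easy-rsa's own code, illustrating both commit messages above: the '#%X509_TYPES%' token line of an openssl config template is replaced by the x509-types COMMON and ca files (the role the PR description gives to gen_req()'s awk script), and a constructed EASYRSA_CA_EXTRA_EXTS value is passed unquoted to 'openssl req'. The template, the x509-types contents, the awk script, the helper names and the crlDistributionPoints URL are all assumptions.

```shell
#!/bin/sh
# Added example (not easy-rsa's own code). It mimics the idea described in
# the PR: a placeholder line '#%X509_TYPES%' in the openssl config template is
# replaced with the x509-types COMMON and ca files, so 'openssl req -x509'
# (which has no -extfile) still emits a certificate carrying CA extensions.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed sample inputs, not the project's real files.
mkdir "$work/x509-types"
printf '%s\n' 'basicConstraints = CA:TRUE' 'keyUsage = cRLSign, keyCertSign' >"$work/x509-types/ca"
printf '%s\n' 'subjectKeyIdentifier = hash' >"$work/x509-types/COMMON"
printf '%s\n' '[ req ]' 'distinguished_name = dn' 'x509_extensions = easyrsa_ca' \
    '[ dn ]' '[ easyrsa_ca ]' '#%X509_TYPES%' >"$work/template.cnf"

# build_ca_config TEMPLATE TYPES_DIR OUT: copy TEMPLATE to OUT, replacing the
# token line with COMMON followed by ca; every other line is passed through.
build_ca_config() {
    awk -v types="$2" '
        /^#%X509_TYPES%$/ {
            while ((getline line < (types "/COMMON")) > 0) print line
            while ((getline line < (types "/ca")) > 0) print line
            next
        }
        { print }' "$1" >"$3"
}

# ca_config_ok CONFIG: 0 if the token was consumed and CA:TRUE is present.
ca_config_ok() {
    ! grep -q '^#%X509_TYPES%$' "$1" && grep -q '^basicConstraints = CA:TRUE' "$1"
}

build_ca_config "$work/template.cnf" "$work/x509-types" "$work/ca.cnf"
ca_config_ok "$work/ca.cnf"

# Optional extras go in via -addext. The variable is expanded unquoted on
# purpose: openssl, not this script, parses it, so it must be openssl syntax.
EASYRSA_CA_EXTRA_EXTS='-addext crlDistributionPoints=URI:http://crl.example.invalid/ca.crl'
if command -v openssl >/dev/null 2>&1; then
    # shellcheck disable=SC2086
    openssl req -x509 -new -batch -nodes -newkey rsa:2048 -days 30 \
        -subj '/CN=Example CA' -config "$work/ca.cnf" \
        -keyout "$work/ca.key" -out "$work/ca.crt" $EASYRSA_CA_EXTRA_EXTS 2>/dev/null
    # The check #525 was about: the issued CA certificate must carry CA:TRUE.
    openssl x509 -in "$work/ca.crt" -noout -text | grep -q 'CA:TRUE'
fi
```

The final 'openssl x509 -text' check is the one worth keeping in a CA build pipeline: it confirms the extensions actually reached the certificate rather than only the config.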
TinCanTech added a commit that referenced this pull request Apr 3, 2022
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
@TinCanTech
Collaborator Author

Merged in testing branch available: https://github.com/OpenVPN/easy-rsa/tree/testing

@TinCanTech
Collaborator Author

Also closes #54

@TinCanTech TinCanTech merged commit 283d4f7 into OpenVPN:master Apr 5, 2022
@TinCanTech TinCanTech deleted the copy-x509-types-ca branch April 5, 2022 22:13
Labels

BUG-FIX documentation Full-Approval Merge is imminent MAJOR CHANGE Priority Acknowledged priority URGENT BLOCKER: Line in the Sand

Development

Successfully merging this pull request may close these issues.

x509-types/ca is never used

1 participant