github OpenVPN/easy-rsa v3.2.0

EasyRSA v3.2.0 - Most significant changes

New commands:

  • self-sign-server and self-sign-client (#1127)
    Create self-signed certificates for use with OpenVPN Peer Fingerprint mode.
    These certificates comply with other EasyRSA signing policies.

  • expire (#1109)
    Selectively move certificates from the issued/ to expired/ directory.
    A new certificate can then be signed from the original signing request file,
    with all custom signing options applied as required.
    This replaces the old command renew, which has been removed.
    Further details: doc/EasyRSA-Renew-and-Revoke.md

  • write (Commit: c814e0a)
    Create legacy support files: openssl-easyrsa.cnf, x509-types/* and vars.example.
    This allows EasyRSA to be used without having copies of the support files installed.

Removed commands:

  • renew (#1109)
    Replaced by command expire, followed by command sign-req.
    This allows all custom options to be used when signing, which renew did not.

  • rebuild (Commit: d6953cc) and rewind-renew (Commit: 72b4079)
    No longer required.

  • upgrade (Commit: 6a88edd)
    No longer supported.

New Global Option:

  • --new-subject -- Command sign-req option: newsubj (#1111)
    Edit Request Subject during command sign-req

New files:

  • easyrsa-tools.lib (Commit: 214b909)
    Moved code for commands show-expire, show-revoke and show-renew to the new file.
    easyrsa-tools.lib is auto-loaded if it is found in a supported location, e.g. $pwd

  • Revert ca76697: Restore escape_hazard() (b1e9d7a) (#1137)
  • New X509 Type: 'selfsign' Internal only (999533e) (#1135)
  • New commands: self-sign-server and self-sign-client (9f8a1d1) (#1127)
  • build-ca: Command 'req', remove SSL option '-keyout' (4e02c8a) (#1123)
  • Remove escape_hazard(), obsolete (ca76697)
  • Remove command and function display_cn(), unused (be8f400) (#1114)
  • Introduce Options to edit Request Subject during command 'sign-req'
    Global Option: --new-subject -- Command 'sign-req' option: 'newsubj'
    First proposed in: (#439) -- Completed: (83b81c7) (#1111)
  • docs: Update EasyRSA-Renew-and-Revoke.md (f6c2bf5) (#1109)
  • Remove all 'renew' code; replaced by 'expire' code (9d94207) (#1109)
  • Introduce commands: 'expire' and 'revoke-expired' (a1890fa) (#1109)
  • Keep request files [CSR] when revoking certificates (6d6e8d8) (#1109)
  • Restrict use of --req-cn to build-ca (0a46164) (#1098)
  • Remove command 'display-san' (Code removed in 5a06f94) (50e6002) (#1096)
  • help: Add 'copyext'; How to use --copy-ext and --san (5a06f94) (#1096)
  • Allow --san to be used multiple times (5a06f94) (#1096)
  • Remove default server subject alternative name (0b85a5d) (#576)
  • Move Status Reports to 'easyrsa-tools.lib' (214b909) (#1080)
  • export-p12, OpenSSL v1.x: Upgrade PBE and MAC options (60a508a)
    (#1084 - Based on #1081)
  • Windows: Introduce 'Non-Admin' mode (c2823c4) (#1073)
  • LibreSSL: Add fix for missing 'x509' option '-ext' (96dd959) (#1068)
  • Variable heredoc expansion for SSL/Safe Config file (9c5d423) (#1064)

Branch-merge: v3.2.0-beta2 (#1055) 2024/01/13 Commit: d51d79b

  • Always use here-doc version of openssl-easyrsa.cnf (2a8c0de)
    Only use here-doc if the current version is recognised by sha256 hash.
    The current file is NEVER deleted (60216d5). Partially revert: 2a8c0de
  • export-p12: New command option 'legacy'. OpenSSL V3 Only (f8514de)
    Fallback to encryption algorithm RC2_CBC or 3DES_CBC
  • export-p12: Always set 'friendlyName' to file-name-base (da9e594)
  • Update OpenSSL to 3.2.0 (03e4829)

Branch-merge: v3.2.0-beta1 (#1046) 2023/12/15 Commit: 7120876

  • Important note: As of Easy-RSA version 3.2.0-beta1, the configuration files
    vars.example, openssl-easyrsa.cnf and all files in x509-types directory
    are no longer required. Package maintainers can omit these files in the future.
    All files are created as required and deleted upon command completion.
    vars.example is created during init-pki and placed in the fresh PKI.
    These files will be retained for downstream packaging compatibility.

  • Rename X509-type file code-signing to codeSigning (1c6b31a)
    The original file will be retained as code-signing, however, the automatic
    X509-types creation will name the file codeSigning. This effectively means
    that both are valid X509-types, until code-signing is dropped.

  • init-pki: Always write vars.example file to fresh PKI (66a8f3e)

  • New command 'write': Write 'legacy' files to stdout or files (c814e0a)

  • Remove command 'make-safe-ssl': Replaced by command 'write safe-cnf' (c814e0a)

  • New Command 'rand': Expose easyrsa_random() to the command line (6131cbf)

  • Remove function 'set_pass_legacy()' (7470c2a)

  • Remove command 'rewind-renew' (72b4079)

  • Remove command 'rebuild' (d6953cc)

  • Remove command 'upgrade' (6a88edd)

Branch-merge: v3.2.0-alpha2 (#1043) 2023/12/7 Commit: ed0dc46

  • Remove EASYRSA_NO_VARS; Allow graceful use without a vars file (3c0ca17)

Branch-merge: v3.2.0-alpha1 (#1041) 2023/12/2 Commit: 42c2e95

  • New diagnostic command 'display-cn' (#1040)
  • Expand renewable certificate types to include code-signing (#1039)


Full Changelog: v3.1.7...v3.2.0
