From 3a689c11014b32d707040816387cb57ee47d4d8c Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Tue, 3 Dec 2024 18:47:09 +0000
Subject: [PATCH 1/4] help: Add 'renew-ca' details
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 432167dc..0ff4aeca 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -40,6 +40,7 @@ A list of commands is shown below:
 build-serverClient-full [ cmd-opts ]
 inline
 expire
+ renew-ca
 renew
 revoke [ cmd-opts ] #(DEPRECATED)
 revoke-issued [ cmd-opts ] #(REPLACEMENT)
@@ -259,6 +260,16 @@ REQUIRED COMMANDS:
 to the 'pki/expired' directory. Allows an existing request to be signed again."
+ ;;
+ renew-ca)
+ text="
+* renew-ca
+
+ Renew CA certificate.
+
+ This will build a new CA certificate and archive the old one.
+ Before changes are made to the current PKI, user confirmation
+ is required."
 ;;
 renew)
 text="
From 204ea0c147e0290f469391ca2e9436d463a73951 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Tue, 3 Dec 2024 19:55:19 +0000
Subject: [PATCH 2/4] expire: Improve conflicting file error message, add instructions
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 0ff4aeca..d64dcbd1 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -3445,8 +3445,10 @@ Run easyrsa without commands for usage and command help."
 # Do not over write existing cert
 if [ -f "$crt_out" ]; then
 user_error "\
-Existing file must be revoked:
-* $crt_out"
+Cannot expire this certificate, a conflicting file exists:
+* certificate: $crt_out
+
+Use command 'revoke-exired' to revoke this certificate."
 fi
 
 # deprecate ALL options
From b47d2af4b0c266f297836e0dfe7f58ddb9a14691 Mon Sep 17 00:00:00 2001
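Review bot: The new user_error text in the expire hunk (`@@ -3445,8 +3445,10 @@`) tells the user to run a command that does not exist, `'revoke-exired'`, so following the instruction will fail with an unknown-command error; the added line should read `Use command 'revoke-expired' to revoke this certificate.` The parallel message added to easyrsa-tools.lib in patch 3/4 spells its command ('revoke-renewed') correctly, so only this hunk needs the fix. The enclosing expire function starts and ends outside the hunk.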
From: Richard T Bonhomme
Date: Tue, 3 Dec 2024 20:02:58 +0000
Subject: [PATCH 3/4] easyrsa-tools.lib: renew, use temp-file to extract full metadata
Extract full certificate metadata to a temp-file for inspection. Use this temp-file to configure attributes that will be renewed. Also, allow use of EASYRSA_CP_EXTS. The original request may have been signed with unknown extensions, that have been copied.
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa-tools.lib | 45 ++++++++++++++++++++++++--------------
 1 file changed, 28 insertions(+), 17 deletions(-)
diff --git a/easyrsa3/easyrsa-tools.lib b/easyrsa3/easyrsa-tools.lib
index 740804ec..d92cad86 100644
--- a/easyrsa3/easyrsa-tools.lib
+++ b/easyrsa3/easyrsa-tools.lib
@@ -772,26 +772,34 @@ Missing request file:
 crt_out="$out_dir/issued/${file_name_base}.crt"
 
 # NEVER over-write a renewed cert, revoke it first
- deny_msg="\
+ if [ -f "$crt_out" ]; then
+ user_error "\
 Cannot renew this certificate, a conflicting file exists:
-*"
- [ -f "$crt_out" ] && \
- user_error "$deny_msg certificate: $crt_out"
- unset -v deny_msg
+* certificate: $crt_out
 
- # Make inline directory
- [ -d "$EASYRSA_PKI/inline" ] || \
- mkdir -p "$EASYRSA_PKI/inline" || \
- die "Failed to create inline directoy."
+Use command 'revoke-renewed' to revoke this certificate."
+ fi
 
 # Extract certificate usage from old cert
 ssl_cert_x509v3_eku "$crt_in" cert_type
 
+ # create temp-file for full cert text
+ full_crt_tmp=
+ easyrsa_mktemp full_crt_tmp || \
+ die "easyrsa_mktemp full_crt_tmp"
+
+ # write full cert text tempfile data
+ "$EASYRSA_OPENSSL" x509 -in "$crt_in" \
+ -noout -text > "$full_crt_tmp" || \
+ die "write full cert text"
+
 # Use SAN from old cert ONLY
- if grep 'X509v3 Subject Alternative Name' "$crt_in"; then
+ if grep -q 'X509v3 Subject Alternative Name' \
+ "$full_crt_tmp"
+ then
 EASYRSA_SAN="$(
- "$EASYRSA_OPENSSL" x509 -in "$crt_in" -noout -text | \
- grep -A 1 'X509v3 Subject Alternative Name' | \
+ grep -A 1 'X509v3 Subject Alternative Name' \
+ "$full_crt_tmp" | \
 sed -e s/'^\ *'// \
 -e /'X509v3 Subject Alternative Name'/d \
 -e s/'IP Address:'/'IP:'/g
@@ -801,7 +809,7 @@ Cannot renew this certificate, a conflicting file exists:
 # --san-crit
 unset -v EASYRSA_SAN_CRIT
 if grep -q 'X509v3 Subject Alternative Name: critical' \
- "$crt_in"
+ "$full_crt_tmp"
 then
 export EASYRSA_SAN_CRIT='critical,'
 verbose "renew: --san-crit ENABLED"
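Review bot: The 'Make inline directory' block (`[ -d "$EASYRSA_PKI/inline" ] || mkdir -p "$EASYRSA_PKI/inline" || die ...`) is deleted in the first hunk, but neither the subject nor the body of the commit mentions it; if a later step of renew still writes under `$EASYRSA_PKI/inline` and no other code path creates that directory, renew will now fail at that write, so either restore those lines or say in the commit message where the directory is created instead. The two new failure messages, `die "easyrsa_mktemp full_crt_tmp"` and `die "write full cert text"`, read as internal labels rather than diagnostics; a user-facing form such as `die "renew: failed to write certificate text to temp-file"` would be clearer. The temp-file only receives the public certificate text dump produced by `x509 -noout -text`, so no key material lands in it; removal of the file is presumably handled by easyrsa_mktemp's cleanup, which is not visible here. The enclosing renew function starts and ends outside the hunk.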
@@ -814,28 +822,31 @@ subjectAltName = ${EASYRSA_SAN_CRIT}${EASYRSA_SAN}"
 fi
 
 # --bc-crit
- if grep -q 'X509v3 Basic Constraints: critical' "$crt_in"
+ if grep -q 'X509v3 Basic Constraints: critical' \
+ "$full_crt_tmp"
 then
 export EASYRSA_BC_CRIT=1
 verbose "renew: --bc-crit ENABLED"
 fi
 
 # --ku-crit
- if grep -q 'X509v3 Key Usage: critical' "$crt_in"
+ if grep -q 'X509v3 Key Usage: critical' \
+ "$full_crt_tmp"
 then
 export EASYRSA_KU_CRIT=1
 verbose "renew: --ku-crit ENABLED"
 fi
 
 # --eku-crit
- if grep -q 'X509v3 Extended Key Usage: critical' "$crt_in"
+ if grep -q 'X509v3 Extended Key Usage: critical' \
+ "$full_crt_tmp"
 then
 export EASYRSA_EKU_CRIT=1
 verbose "renew: --eku-crit ENABLED"
 fi
 
 # Disable options not supported by renew
- unset -v EASYRSA_CP_EXTS EASYRSA_AUTO_SAN EASYRSA_NEW_SUBJECT
+ unset -v EASYRSA_AUTO_SAN EASYRSA_NEW_SUBJECT
 
 # confirm operation by displaying Warning
 confirm "Continue with 'renew' ? " yes "\
From 8d6051ad87e3e9b36f5dc9dc03aa7e2d4da450f7 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Tue, 3 Dec 2024 20:19:32 +0000
Subject: [PATCH 4/4] ChangeLog: bugfix: easyrsa-tools.lib: renew, write metadata to temp-file
Signed-off-by: Richard T Bonhomme
---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ChangeLog b/ChangeLog
index a3f59bae..91c0c800 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog
 
 3.2.2 (TBD)
 
+ * bugfix: easyrsa-tools.lib: renew, write full metadata to temp-file (b47d2af) (#1267)
 * Introduce new command 'revoke-issued' (38bf2d8) (#1266)
 Commands 'revoke' and 'revoke-issued' are identical.
 Command 'revoke' can ONLY be used in batch mode.
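Review bot: Dropping EASYRSA_CP_EXTS from the `unset -v` line lets a renewed certificate pick up whatever X509v3 extensions the stored request carries (if that variable enables OpenSSL extension copying, as its name and the commit message suggest), which quietly undercuts the surrounding logic that takes cert_type, SAN and the critical flags from the old certificate only (the `# Use SAN from old cert ONLY` path in the first hunk). Those request extensions were authored by the key holder, not by the CA operator, and none of them is shown by the checks above, so the operator should at least be told before the confirm prompt, e.g. `[ -n "$EASYRSA_CP_EXTS" ] && verbose "renew: copying extensions from request (EASYRSA_CP_EXTS)"`, and the comment above the line should say why copy-extensions is now permitted while EASYRSA_AUTO_SAN and EASYRSA_NEW_SUBJECT remain disabled. The `confirm` call on the last line and the enclosing renew function continue outside the hunk.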