Skip to content

Commit

Permalink
Advanced.md: Correct auto-load order and Remove program location
Browse files Browse the repository at this point in the history 
Correct auto-load order:
The previous order was to search the default PKI before EASYRSA.
Change: EASYRSA is moved to a higher priority than a default PKI.

Remove 'program location' as a valid target for auto-loading vars.
Keeping writable data files in the same folder as executable code
is not necessary.  If it is required then use of other options is
preferred. eg: --vars=<FILE> or $EASYRSA

Add additional information regarding use of default PKI.
Add section to advise the preferred use of --pki over --vars.

Signed-off-by: Richard T Bonhomme <[email protected]>
  • Loading branch information
@TinCanTech
TinCanTech committed Sep 24, 2023
1 parent 060299f commit ecd6506
Showing 1 changed file with 17 additions and 4 deletions.
21 changes: 17 additions & 4 deletions doc/EasyRSA-Advanced.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,14 +33,27 @@ Configuration Reference

1. The file referenced by the `--vars` CLI option
2. The file referenced by the env-var named `EASYRSA_VARS_FILE`
3. The directory referenced by the `EASYRSA_PKI` env-var
4. The default PKI directory at `$PWD/pki`
4. The directory referenced by the `EASYRSA` env-var
5. The directory containing the easyrsa program
3. The directory referenced by the `--pki` CLI option (Recommended)
4. The directory referenced by the `EASYRSA_PKI` env-var
5. The directory referenced by the `EASYRSA` env-var
6. The default PKI directory at `$PWD/pki` (See note below)
7. The default working directory at `$PWD`

Defining the env-var `EASYRSA_NO_VARS` will override the sourcing of the vars
file in all cases, including defining it subsequently as a global option.

Note: If the vars file `$PWD/pki/vars` is sourced then it is forbidden from
setting/changing the current PKI, as defined by `EASYRSA_PKI` env-var.

#### Use of `--pki` verses `--vars`

It is recommended to use option `--pki=DIR` to define your PKI at runtime.
This method will always auto-load the `vars` file found in defined PKI.

In a multi-PKI installation, use of `--vars` can potentially lead to
a vars file that is configured to set a PKI which cannot be verified
as the expected PKI. Use of `--vars` is not recommended.

#### OpenSSL Config

Easy-RSA is tightly coupled to the OpenSSL config file (.cnf) for the
Expand Down

0 comments on commit ecd6506

Please sign in to comment.