From ecd65065e3303da78811278a154ef7a969c2777b Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sun, 24 Sep 2023 16:30:43 +0100 Subject: [PATCH] Advanced.md: Correct auto-load order and Remove program location Correct auto-load order: The previous order was to search the default PKI before EASYRSA. Change: EASYRSA is moved to a higher priority than a default PKI. Remove 'program location' as a valid target for auto-loading vars. Keeping writable data files in the same folder as executable code is not necessary. If it is required then use of other options is preferred. eg: --vars= or $EASYRSA Add additional information regarding use of default PKI. Add section to advise the preferred use of --pki over --vars. Signed-off-by: Richard T Bonhomme --- doc/EasyRSA-Advanced.md | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/doc/EasyRSA-Advanced.md b/doc/EasyRSA-Advanced.md index 4517ce6a4..65c729507 100644 --- a/doc/EasyRSA-Advanced.md +++ b/doc/EasyRSA-Advanced.md 
@@ -33,14 +33,27 @@ Configuration Reference 1. The file referenced by the `--vars` CLI option 2. The file referenced by the env-var named `EASYRSA_VARS_FILE` - 3. The directory referenced by the `EASYRSA_PKI` env-var - 4. The default PKI directory at `$PWD/pki` - 4. The directory referenced by the `EASYRSA` env-var - 5. The directory containing the easyrsa program + 3. The directory referenced by the `--pki` CLI option (Recommended) + 4. The directory referenced by the `EASYRSA_PKI` env-var + 5. The directory referenced by the `EASYRSA` env-var + 6. The default PKI directory at `$PWD/pki` (See note below) + 7. The default working directory at `$PWD` Defining the env-var `EASYRSA_NO_VARS` will override the sourcing of the vars file in all cases, including defining it subsequently as a global option. + Note: If the vars file `$PWD/pki/vars` is sourced then it is forbidden from + setting/changing the current PKI, as defined by `EASYRSA_PKI` env-var. + +#### Use of `--pki` verses `--vars` + + It is recommended to use option `--pki=DIR` to define your PKI at runtime. + This method will always auto-load the `vars` file found in defined PKI. + + In a multi-PKI installation, use of `--vars` can potentially lead to + a vars file that is configured to set a PKI which cannot be verified + as the expected PKI. Use of `--vars` is not recommended. + #### OpenSSL Config Easy-RSA is tightly coupled to the OpenSSL config file (.cnf) for the
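Review bot: the new heading `#### Use of `--pki` verses `--vars`` misspells "versus"; suggest `#### Use of `--pki` versus `--vars``. The added line `+ 7. The default working directory at `$PWD`` also introduces an auto-load location that the commit message does not mention (it only describes removing the program directory and moving `EASYRSA` above the default PKI), so the message should state it, and the added Note should say whether a `$PWD/vars` file is subject to the same restriction on setting `EASYRSA_PKI` that the Note places on `$PWD/pki/vars`. Minor wording: "a vars file that is configured to set a PKI which cannot be verified as the expected PKI" reads more cleanly as "a vars file that sets a PKI that cannot be verified as the expected one".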