
sign-req: Option 'comply', certificate subject will comply with CA #995

Closed
wants to merge 1 commit into from

Conversation

TinCanTech
Collaborator

If a request file is received with unsuitable subject fields then force the signed certificate to comply with the subject fields of the CA certificate.

This is achieved as follows:

In DN mode 'cn_only', only the commonName can be changed. Use global option --req-cn='new-name' and sign-req command option 'comply' to force the commonName field to be changed.

In DN mode 'org', all the fields can be changed. Use global options --req-*='new value' and sign-req command option 'comply' to force all the fields to comply. All fields not explicitly specified are loaded from the vars file, which will be configured in 'org' mode.

The signed certificate output-file will retain the file-name-base of the original request-file, to maintain compatibility with the commands 'revoke' and 'renew'.
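The following is an added example, not code from this PR or from EasyRSA itself: a small Python model of the 'comply' decision described above, written to make the behaviour concrete for review. It assumes OpenSSL-style one-line subjects ('/C=XX/ST=.../CN=name'), a CA subject and request subject that are constructed here, and the usual EasyRSA layout of pki/reqs/NAME.req and pki/issued/NAME.crt; the function and parameter names are hypothetical. It shows the check that would flag a request as having unsuitable subject fields, the two DN modes ('cn_only' changes only CN; 'org' takes --req-* overrides, falls back to the vars file for everything else, and keeps the request's CN unless --req-cn is given), and the output path rule that keeps the request's file-name-base.

```python
"""Model of sign-req 'comply': reshape a request subject to match the CA.

Added illustration only. Subjects are constructed sample values; the
helper names and the vars_defaults/overrides parameters are assumptions.
"""
import re
from pathlib import Path

# Field order used for the rendered subject (matches EasyRSA's 'org' DN fields).
DN_FIELDS = ("C", "ST", "L", "O", "OU", "CN", "emailAddress")

# Constructed sample subjects: the CA, a request whose non-CN fields do not
# match it, and a request that already complies.
CA_SUBJECT = "/C=XX/ST=Prov/L=City/O=Org/OU=Unit/CN=Easy-RSA CA"
BAD_REQ_SUBJECT = "/C=YY/ST=Other/O=Evil Corp/CN=client1"
GOOD_REQ_SUBJECT = "/C=XX/ST=Prov/L=City/O=Org/OU=Unit/CN=client2"


def parse_dn(dn):
    """Parse '/K=V/K=V' into a dict; split only where a 'key=' follows the
    slash so that a '/' inside a value survives."""
    fields = {}
    for part in re.split(r"/(?=[A-Za-z]+=)", dn.strip()):
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def format_dn(fields):
    """Render known fields back into the one-line '/K=V' form, in DN_FIELDS order."""
    return "".join(f"/{k}={fields[k]}" for k in DN_FIELDS if k in fields)


def non_compliant_fields(ca_subject, req_subject):
    """Return {field: (request value or None, CA value)} for every non-CN
    field of the CA that the request lacks or sets differently.
    An empty dict means the request already complies."""
    ca = parse_dn(ca_subject)
    req = parse_dn(req_subject)
    return {k: (req.get(k), v) for k, v in ca.items()
            if k != "CN" and req.get(k) != v}


def comply_subject(req_subject, dn_mode, overrides, vars_defaults=None):
    """Build the subject the signed certificate would get under 'comply'.

    overrides     - values given on the command line (--req-cn, --req-org, ...)
    vars_defaults - values from the vars file, consulted only in 'org' mode
    """
    req = parse_dn(req_subject)
    if dn_mode == "cn_only":
        # Only commonName may change, and only via an explicit --req-cn.
        return format_dn({"CN": overrides.get("CN", req["CN"])})
    if dn_mode == "org":
        vars_defaults = vars_defaults or {}
        out = {}
        for key in DN_FIELDS:
            if key in overrides:          # explicit --req-* wins
                out[key] = overrides[key]
            elif key == "CN":             # CN stays as requested unless overridden
                out[key] = req["CN"]
            elif key in vars_defaults:    # everything else comes from vars
                out[key] = vars_defaults[key]
        return format_dn(out)
    raise ValueError(f"unknown DN mode: {dn_mode}")


def signed_cert_path(req_path, pki_dir="pki"):
    """Output file keeps the request's file-name-base, not the (new) CN,
    so 'revoke' and 'renew' can still find the pair."""
    return Path(pki_dir) / "issued" / (Path(req_path).stem + ".crt")


if __name__ == "__main__":
    print("unsuitable fields:", non_compliant_fields(CA_SUBJECT, BAD_REQ_SUBJECT))
    print("cn_only:", comply_subject(BAD_REQ_SUBJECT, "cn_only", {"CN": "new-name"}))
    vars_from_file = {k: v for k, v in parse_dn(CA_SUBJECT).items() if k != "CN"}
    print("org:", comply_subject(BAD_REQ_SUBJECT, "org", {"OU": "Ops"}, vars_from_file))
    print("output:", signed_cert_path("pki/reqs/client1.req"))
```

Running the module shows the request's C, ST and O flagged as differing and L and OU flagged as missing; in 'org' mode every non-CN field is rebuilt from the vars defaults (OU replaced by the override), while the CN from the request is kept and the output path stays pki/issued/client1.crt.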

If a request file is received with unsuitable subject fields then
force the signed certificate to comply with the subject fields of
the CA certificate.

This is achieved as follows:

In DN mode 'cn_only', only the commonName can be changed. Use global
option --req-cn='new-name' and sign-req command option 'comply' to
force the commonName field to be changed.

In DN mode 'org', all the fields can be changed. Use global options
--req-*='new value' and sign-req command option 'comply' to force
all the fields to comply.  All fields not explicitly specified are
loaded from the vars file, which will be configured in 'org' mode.

The signed certificate output-file will retain the file-name-base
of the original request-file, to maintain compatibility with the
commands 'revoke' and 'renew'.

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech
Collaborator Author

This PR potentially supersedes #439

@TinCanTech
Collaborator Author

TinCanTech commented Aug 7, 2023

Requires thorough testing.

The signed cert. output-file could be named after the new commonName, which would require that revoke and renew either not fail for a missing request file or that the request file also be renamed.

It may also transpire that editing the request file values is not suitable for EasyRSA, in the long run, and that this functionality be rejected, in favour of creating a new and correctly configured request file in the first place .. to be decided.

This will not work for renew because the renewed cert. will have the original request values .. unless the old cert. values are extracted and set prior to signing the new renewed cert. Perhaps, renew does not have to support this function and instead instruct the user to require a new request from the source. A non-matching commonName between old cert. and original request could be used to indicate that this cert. cannot be renewed.

@TinCanTech TinCanTech removed this from the v3.1.6 milestone Aug 7, 2023
@TinCanTech
Collaborator Author

TinCanTech commented Mar 8, 2024

Linking: #1087 #1089

@TinCanTech
Collaborator Author

TinCanTech commented Mar 10, 2024

I am considering making comply be default and having an opt-out option.

Linking: #1089

@TinCanTech
Collaborator Author

TinCanTech commented Mar 26, 2024

FTR: The current unit-test vars file contains:

set_var EASYRSA_DN				"org"
set_var EASYRSA_REQ_COUNTRY		"XX"
set_var EASYRSA_REQ_EMAIL     "[email protected]"
set_var EASYRSA_REQ_PROVINCE	"PROV Skåne Eslöv # Doe'$ & Beer'$   # ¬!£%^*() #"
set_var EASYRSA_REQ_CITY		"CITY esc: a: '\\\$a' | b: '\$b' | c: '$\c' # -_=+[]/? #"
set_var EASYRSA_REQ_ORG			"ORGN Easy-RSA UT version: $ERSA_UTEST_VERSION      # .> ,< |~ #"
set_var EASYRSA_REQ_OU			"ORGU Skåne Eslöv # Boe'$ & Deer'$   # $ \$ __   #"
set_var EASYRSA_REQ_SERIAL		"a-z,A-Z,0-9 -+/=.,?:()"

This cannot use option comply, ever.

PR #439 looks like the front runner at this time.

@TinCanTech
Collaborator Author

Superseded-by: #1111

@TinCanTech TinCanTech closed this Apr 9, 2024