
Ending support for certificate `file_name_base` disconnect from `commonName`

Open TinCanTech opened this issue 1 year ago • 0 comments

Affects use of global option: --req-cn

Currently, the only commands which support --req-cn are:

  • build-ca: --req-cn allows changing the default CA commonName from Easy-RSA CA (or Easy-RSA Sub-CA) to a user defined value. This is required because the CA certificate is always named pki/ca.crt.

  • gen-req: --req-cn allows disconnecting the commonName from file_name_base. This is unnecessary.

In future, Easy-RSA will enforce file_name_base to commonName parity, the only exception being the CA certificate, as explained previously.

However, it is suitable for sign-req to use --req-cn.

If a CSR is received with unsuitable details then a CA administrator needs a way to be able to change those details, when signing the request.

For --dn-mode=cn_only, only the commonName field needs to be changed. This can be done by using --req-cn=<NEW-CN>, to replace the CSR commonName.

For --dn-mode=org, all the subject fields need to be replaced with the values defined in the CA certificate, and the CSR commonName also needs to be changed.

The CSR commonName can be replaced by --req-cn=<NEW-CN> and the other subject fields can be forced to comply with the CA subject fields, automatically.

Replacing the CSR commonName this way will result in a signed certificate with a different file_name_base from the CSR file name.

However, the file_name_base to signed certificate commonName parity will be maintained. All signed certificate commonName fields will match the certificate file_name_base.

TinCanTech, Mar 11 '24 22:03
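The sign-req override and the file_name_base/commonName parity rule described in the post, as an added Python model that is not Easy-RSA's own code; the function names, the pki/reqs and pki/issued layout, and the list of org-mode subject fields are assumptions made for this illustration.

```python
from __future__ import annotations

# Subject fields that --dn-mode=org copies from the CA certificate (constructed list for this example).
ORG_FIELDS = ("C", "ST", "L", "O", "OU", "emailAddress")


def file_name_base(path: str, suffix: str) -> str | None:
    """Return the file_name_base of e.g. 'pki/reqs/client1.req' ('client1'), or None on a wrong suffix."""
    name = path.rsplit("/", 1)[-1]
    if not name.endswith(suffix) or len(name) <= len(suffix):
        return None
    return name[: -len(suffix)]


def resolve_signed_subject(csr_subject: dict[str, str], ca_subject: dict[str, str],
                           dn_mode: str, req_cn: str | None = None) -> dict[str, str]:
    """Return the subject that sign-req will place in the issued certificate.

    cn_only: keep only CN, replaced by --req-cn when given.
    org:     take every non-CN field from the CA certificate; CN comes from --req-cn or the CSR.
    """
    if dn_mode not in ("cn_only", "org"):
        raise ValueError(f"unsupported --dn-mode: {dn_mode}")
    cn = req_cn if req_cn is not None else csr_subject.get("CN", "")
    if not cn:
        raise ValueError("commonName must not be empty")
    if dn_mode == "cn_only":
        return {"CN": cn}
    subject = {k: v for k, v in ca_subject.items() if k in ORG_FIELDS}  # CSR org fields are discarded
    subject["CN"] = cn
    return subject


def sign_req(csr_path: str, csr_subject: dict[str, str], ca_subject: dict[str, str],
             dn_mode: str, req_cn: str | None = None) -> tuple[str | None, str, dict[str, str]]:
    """Model sign-req: the issued file name follows the final CN, not the CSR file name.

    Returns (CSR file_name_base, issued certificate path, issued subject); pki/issued layout is assumed.
    """
    subject = resolve_signed_subject(csr_subject, ca_subject, dn_mode, req_cn)
    return file_name_base(csr_path, ".req"), f"pki/issued/{subject['CN']}.crt", subject


def has_parity(cert_path: str, subject: dict[str, str]) -> bool:
    """True when the certificate's file_name_base equals its commonName (the rule to be enforced)."""
    base = file_name_base(cert_path, ".crt")
    return base is not None and base == subject.get("CN")
```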