easy-rsa
easy-rsa copied to clipboard
OpenVPN
certificate and private_key settings in openssl-easyrsa.cnf ignored by build-ca
I set the certificate and private_key settings in openssl-easyrsa.cnf to non-default values before calling ./easyrsa init-pki.
Still ./easyrsa build-ca created ca.crt and private/ca.key files instead of files with the names I set.
Shouldn't build-ca respect openssl-easyrsa.cnf's certificate and private_key settings?
What values did you try to set, and in what section of the configuration file?
I changed the certificate and private_key settings in the [ CA_default ] section in openssl-easyrsa.cnf.
Yeah, this appears to be a much bigger bug than it appears, or I don't understand some of the mechanics of @TinCanTech's safessl-easyrsa.cnf file. None of the settings in openssl-easyrsa.cnf appear to be honored. This includes the crl_dir values reported in bug #367.
This will get fixed before I release v3.0.8. Thanks for the clarification.
Yeah, this appears to be a much bigger bug than it appears, or I don't understand some of the mechanics of @TinCanTech's safessl-easyrsa.cnf file. None of the settings in openssl-easyrsa.cnf appear to be honored. This includes the crl_dir values reported in bug #367.
mktemp makes it much harder to debug.
@rs-fabrica It would help if we knew which version of easyrsa and what actual change was made.
This is safessl-easyrsa.cnf generated moments ago, all ENV::VARS have been expanded:
# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /home/tct/git/tct/easy-rsa/master/easyrsa3/pki # Where everything is kept
certs = /home/tct/git/tct/easy-rsa/master/easyrsa3/pki # Where the issued certs are kept
crl_dir = /home/tct/git/tct/easy-rsa/master/easyrsa3/pki # Where the issued crl are kept
database = /home/tct/git/tct/easy-rsa/master/easyrsa3/pki/index.txt # database index file.
new_certs_dir = /home/tct/git/tct/easy-rsa/master/easyrsa3/pki/certs_by_serial # default place for new certs.
certificate = /home/tct/git/tct/easy-rsa/master/easyrsa3/pki/ca.crt # The CA certificate
serial = /home/tct/git/tct/easy-rsa/master/easyrsa3/pki/serial # The current serial number
crl = /home/tct/git/tct/easy-rsa/master/easyrsa3/pki/crl.pem # The current CRL
private_key = /home/tct/git/tct/easy-rsa/master/easyrsa3/pki/private/ca.key # The private key
RANDFILE = /home/tct/git/tct/easy-rsa/master/easyrsa3/pki/.rand # private random number file
x509_extensions = basic_exts # The extensions to add to the cert
# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
# is designed for will. In return, we get the Issuer attached to CRLs.
crl_extensions = crl_ext
default_days = 825 # how long to certify for
default_crl_days= 180 # how long before next CRL
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
# This allows to renew certificates which have not been revoked
unique_subject = no
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the 'anything' policy, which defines allowed DN fields
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
####################################################################
# Easy-RSA request handling
# We key off $DN_MODE to determine how to format the DN
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = cn_only
x509_extensions = easyrsa_ca # The extensions to add to the self signed cert
# A placeholder to handle the $EXTRA_EXTS feature:
#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it
####################################################################
# Easy-RSA DN (Subject) handling
# Easy-RSA DN for cn_only support:
[ cn_only ]
commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
commonName_default = ChangeMe
# Easy-RSA DN for org support:
[ org ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = Locality Name (eg, city)
localityName_default = San Francisco
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Copyleft Certificate Co
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = My Organizational Unit
commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
commonName_default = ChangeMe
emailAddress = Email Address
emailAddress_default = [email protected]
emailAddress_max = 64
####################################################################
# Easy-RSA cert extension handling
# This section is effectively unused as the main script sets extensions
# dynamically. This core section is left to support the odd usecase where
# a user calls openssl directly.
[ basic_exts ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# The Easy-RSA CA extensions
[ easyrsa_ca ]
# PKIX recommendations:
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This could be marked critical, but it's nice to support reading by any
# broken clients who attempt to do so.
basicConstraints = CA:true
# Limit key usage to CA tasks. If you really want to use the generated pair as
# a self-signed cert, comment this out.
keyUsage = cRLSign, keyCertSign
# nsCertType omitted by default. Let's try to let the deprecated stuff die.
# nsCertType = sslCA
# CRL extensions.
[ crl_ext ]
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
This is the openssl-easyrsa.cnf used as the template:
# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = $ENV::EASYRSA_PKI # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/certs_by_serial # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = basic_exts # The extensions to add to the cert
# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
# is designed for will. In return, we get the Issuer attached to CRLs.
crl_extensions = crl_ext
default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
default_crl_days= $ENV::EASYRSA_CRL_DAYS # how long before next CRL
default_md = $ENV::EASYRSA_DIGEST # use public key default MD
preserve = no # keep passed DN ordering
# This allows to renew certificates which have not been revoked
unique_subject = no
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the 'anything' policy, which defines allowed DN fields
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
####################################################################
# Easy-RSA request handling
# We key off $DN_MODE to determine how to format the DN
[ req ]
default_bits = $ENV::EASYRSA_KEY_SIZE
default_keyfile = privkey.pem
default_md = $ENV::EASYRSA_DIGEST
distinguished_name = $ENV::EASYRSA_DN
x509_extensions = easyrsa_ca # The extensions to add to the self signed cert
# A placeholder to handle the $EXTRA_EXTS feature:
#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it
####################################################################
# Easy-RSA DN (Subject) handling
# Easy-RSA DN for cn_only support:
[ cn_only ]
commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
commonName_default = $ENV::EASYRSA_REQ_CN
# Easy-RSA DN for org support:
[ org ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::EASYRSA_REQ_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE
localityName = Locality Name (eg, city)
localityName_default = $ENV::EASYRSA_REQ_CITY
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::EASYRSA_REQ_ORG
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = $ENV::EASYRSA_REQ_OU
commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
commonName_default = $ENV::EASYRSA_REQ_CN
emailAddress = Email Address
emailAddress_default = $ENV::EASYRSA_REQ_EMAIL
emailAddress_max = 64
####################################################################
# Easy-RSA cert extension handling
# This section is effectively unused as the main script sets extensions
# dynamically. This core section is left to support the odd usecase where
# a user calls openssl directly.
[ basic_exts ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# The Easy-RSA CA extensions
[ easyrsa_ca ]
# PKIX recommendations:
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This could be marked critical, but it's nice to support reading by any
# broken clients who attempt to do so.
basicConstraints = CA:true
# Limit key usage to CA tasks. If you really want to use the generated pair as
# a self-signed cert, comment this out.
keyUsage = cRLSign, keyCertSign
# nsCertType omitted by default. Let's try to let the deprecated stuff die.
# nsCertType = sslCA
# CRL extensions.
[ crl_ext ]
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
@TinCanTech , I believe it is version 3.0.6 as it was the newest one at the time I downloaded it but I not sure as I can't find a version number anywhere in EasyRSA files. Where can I check it to be sure?
In openssl-easyrsa.cnf I only changed the 2 settings below:
[ CA_default ] certificate = $dir/ca-2020-03-14.crt # The CA certificate private_key = $dir/private/ca-2020-03-14.key # The private key
but the new ca names I set where ignored during ca creation.
Ok. But not honoring them is a feature or a bug?
To have them in a file named openssl-easyrsa.cnf and not honoring parts of it is quite misleading.
If really there is no intention of honoring some option there, I believe this should, at least, be mentioned in openssl-easyrsa.cnf.
This is a bug. Those options should be honored. I'll be digging into this before v3.0.8 is released. Seems a lot of tickets are related to this.