
adjust critical extensions and key usage

Open zhangyoufu opened this issue 3 years ago • 9 comments

I would like to use easy-rsa to manage some general purpose PKI. This change makes it conform to common practice.

supersedes #187

zhangyoufu avatar Jun 25 '21 08:06 zhangyoufu

If you make all of your changes above, with the exception of the change to easyrsa, then you should get the desired result.

TinCanTech avatar Mar 24 '22 18:03 TinCanTech

> If you make all of your changes above, with the exception of the change to easyrsa, then you should get the desired result.

I rebased my changes on master. And I didn't get why should I revert the change to easyrsa. Could you elaborate on that?

zhangyoufu avatar Mar 25 '22 06:03 zhangyoufu

Sorry, you misunderstand.

The x509-types files and openssl-easyrsa.cnf are there for users to edit. That is what you have done, that is for your private use.

Changing easyrsa is not required.

You can build all the certificates you need with only the changes to the data files.

TinCanTech avatar Mar 25 '22 14:03 TinCanTech

> Sorry, you misunderstand.
>
> The x509-types files and openssl-easyrsa.cnf are there for users to edit. That is what you have done, that is for your private use.
>
> Changing easyrsa is not required.
>
> You can build all the certificates you need with only the changes to the data files.

I understand that users of easy-rsa are supposed to modify openssl config files to suit their own need. I do have many changes/hacks in my local repo and working well.

I opened this PR because I think this specific change is nice to have in easy-rsa repo. Since

  - critical keyUsage is required by RFC5280 §4.2.1.3
  - critical basicConstraints (for CA) is required by RFC5280 §4.2.1.9
  - critical extendedKeyUsage (for code signing) is required by macOS TN2206

zhangyoufu avatar Mar 25 '22 17:03 zhangyoufu
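To make the criticality point concrete, here is an added example (not easy-rsa's own code, and not from either participant). It assumes only that the `openssl` command line tool (1.1.1 or later) is on PATH. The extension sections are constructed to resemble easy-rsa's x509-types files: `ca_strict` and `codesign` carry the `critical` flags the PR argues for, while `ca_lax` is the same CA profile without them, so the check below shows the difference in the certificates that OpenSSL actually emits.

```shell
#!/bin/sh
# Added example, not easy-rsa code. Assumes only the openssl CLI on PATH.
# Builds self-signed certificates from constructed extension sections
# (same mechanism easy-rsa uses for its x509-types files), then checks
# which extensions the resulting certificates mark as critical.
set -e

WORK="$(mktemp -d)"

# Constructed OpenSSL config. [ca_strict] and [codesign] follow the
# RFC 5280 / TN2206 guidance cited in the thread; [ca_lax] is the same
# CA profile with the "critical" keyword left out, for comparison.
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ ca_strict ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca_lax ]
basicConstraints = CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ codesign ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, codeSigning
subjectKeyIdentifier = hash
EOF

# make_selfsigned SECTION NAME: self-signed certificate whose extensions
# come from the named config section; key and cert land in $WORK.
make_selfsigned() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -config "$WORK/ext.cnf" -extensions "$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.crt" 2>/dev/null
}

# ext_is_critical CERT "EXTENSION NAME": succeeds when the text dump shows
# the extension flagged critical, e.g. "X509v3 Key Usage: critical".
ext_is_critical() {
    openssl x509 -in "$1" -noout -text | grep -q "$2: critical"
}

# report CERT "EXTENSION NAME": one human-readable line per check.
report() {
    if ext_is_critical "$1" "$2"; then
        echo "OK    $(basename "$1"): $2 is critical"
    else
        echo "WARN  $(basename "$1"): $2 is NOT critical"
    fi
}

make_selfsigned ca_strict ca-strict
make_selfsigned ca_lax    ca-lax
make_selfsigned codesign  codesign

report "$WORK/ca-strict.crt" "X509v3 Basic Constraints"
report "$WORK/ca-strict.crt" "X509v3 Key Usage"
report "$WORK/ca-lax.crt"    "X509v3 Basic Constraints"
report "$WORK/ca-lax.crt"    "X509v3 Key Usage"
report "$WORK/codesign.crt"  "X509v3 Extended Key Usage"
```

The same `ext_is_critical` check can be run against certificates issued by an existing easy-rsa PKI to confirm which profile they were built with; an extension that is absent from the dump, or present without the `critical` flag, shows up as WARN.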

I have a proposal:

  1. Place all these changed files into a folder named x509-alt-types in the Easy-RSA root.
  2. Introduce a new option: --x509-alt. Have this option point EASYRSA_EXT_DIR to x509-alt-types. --x509-alt MUST point only to the alternative X509 folder. Not configurable. I can help with this ..
  3. Test it ..

I think that should work.

Same goes for: #503

TinCanTech avatar Mar 30 '22 20:03 TinCanTech

> I have a proposal:
>
>   1. Place all these changed files into a folder named x509-alt-types in the Easy-RSA root.
>   2. Introduce a new option: --x509-alt. Have this option point EASYRSA_EXT_DIR to x509-alt-types. --x509-alt MUST point only to the alternative X509 folder. Not configurable. I can help with this ..
>   3. Test it ..
>
> I think that should work.
>
> Same goes for: #503

I don't agree with your proposal. I don't think maintaining a separate x509-alt-types is worth the effort in the long term.

I don't think my changes are breaking changes. I agree that more testing is necessary. What kind of concerns do you have? (What kind of tests can convince you to leave these PRs in their current form?)

zhangyoufu avatar Mar 31 '22 12:03 zhangyoufu

> I don't think maintaining a separate x509-alt-types is worth the effort in the long term.

We are not going to maintain it, it will be there for these changes to be staged into. If we decide in the future that these alternative x509 profiles should become the standard then we will move it to the main folder.

TinCanTech avatar Mar 31 '22 12:03 TinCanTech

Linking: #520

TinCanTech avatar Mar 31 '22 23:03 TinCanTech

Linking: #522

Note: #525 @zhangyoufu probably affects you.

TinCanTech avatar Apr 03 '22 11:04 TinCanTech

#1063

TinCanTech avatar Jan 14 '24 01:01 TinCanTech