dekeonus

You could run `openssl x509 -in /.crt -out /.crt` this will remove the text. _I_ **_WANT_** _the plain text output in those issued certs in the pki directory_ It seems...

I'm not sure overloading the [private].key file is the correct approach: I'd propose using something like [private].pk11 or [private].hsm and rather than a fork to grep, test presence of the...

I'm not a fan of the logic of using `--x509-alt` to select an alternate folder. To my mind `x509-types/*` is a per pki configuration source, albeit with a fallback/default to...

I have patched 3.0.8 (was looking at migrating this forward to 3.1.0) for more robust ANY cert type (well not the kdc type) renewals based just upon the existing req...

@TinCanTech fair enough, delete away. The gist of my comments are relevant to this this thread: A means to renew based upon the existing CSR. I am curious to the...

> Looks like amplification to me, although, Indeed, but `renew()` needs a lot of work to be functional. Luckily openssl will only keep the last encountered *extension = value* it...

I note in the *server* and *serverClient* type cases the ordering is safe due to the sAN coming before EASYRSA_EXTRA_EXTS https://github.com/OpenVPN/easy-rsa/blob/8ebb013339dd921156ea687e3fa49b107dbd6774/easyrsa3/easyrsa#L1737-L1749

> But ironically classic addons which could make full use of this are gone. so is that a won't implement? If so can you add a means (to the TB...

> @JulienVdG Can you explain what value there is to you by stripping the certificate text output ? Some software will fail to read the certificate if there is anything...

> > Adding a single option to building a certificate **without** the **public/human readable** text appears to be the most logical solution. > > Due to `renew` and _all that_,...