easy-rsa
sign-req: Option 'comply', certificate subject will comply with CA
If a request file is received with unsuitable subject fields then force the signed certificate to comply with the subject fields of the CA certificate.
This is achieved as follows:
In DN mode 'cn_only', only the commonName can be changed. Use global option --req-cn='new-name' and sign-req command option 'comply' to force the commonName field to be changed.
In DN mode 'org', all the fields can be changed. Use global options --req-*='new value' and sign-req command option 'comply' to force all the fields to comply. All fields not explicitly specified are loaded from the vars file, which will be configured in 'org' mode.
The signed certificate output-file will retain the file-name-base of the original request-file, to maintain compatibility with the commands 'revoke' and 'renew'.
This PR potentially supersedes #439
Requires thorough testing.
The signed cert. output-file could be named after the new commonName, which would require that revoke and renew either not fail for a missing request file or that the request file also be renamed.
It may also transpire that editing the request file values is not suitable for EasyRSA, in the long run, and that this functionality be rejected, in favour of creating a new and correctly configured request file in the first place .. to be decided.
This will not work for renew because the renewed cert. will have the original request values .. unless the old cert. values are extracted and set prior to signing the new renewed cert. Perhaps, renew does not have to support this function and instead instruct the user to require a new request from the source. A non-matching commonName between old cert. and original request could be used to indicate that this cert. cannot be renewed.
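The decision behind 'comply' is whether a request's subject already matches the CA's subject in every field except CN. The script below is an added example showing that check; it is not easy-rsa code and not part of this PR. The `openssl x509`/`openssl req` calls and the `-nameopt sep_multiline,esc_ctrl,utf8` output form are real OpenSSL behaviour; the helper names (`compare_subjects`, `non_cn_fields`, `has_line`, `check_req_complies`) and the three sample subjects are assumptions constructed for the example. The sample values reuse the kind of characters in the unit-test vars file quoted later in this thread to show why whole-line comparison of the multiline form is used instead of re-parsing a '/'-separated one-line DN.

```shell
#!/bin/sh
# Added example, not easy-rsa's code and not part of this PR.
# Decides whether a request's subject already "complies" with the CA's subject:
# every subject field except CN must be identical on both sides.
#
# Subjects are consumed in OpenSSL's sep_multiline form, one "KEY=value" per
# line under a "subject=" header. That sidesteps re-parsing '/'-separated
# one-line DNs whose values may themselves contain '/', '=', ',' or '#'.

# Real OpenSSL invocations producing that form. esc_ctrl escapes control bytes,
# so a value can never span two lines; utf8 keeps non-ASCII readable.
NAMEOPT='sep_multiline,esc_ctrl,utf8'
subject_of_ca()  { openssl x509 -in "$1" -noout -subject -nameopt "$NAMEOPT"; }
subject_of_req() { openssl req  -in "$1" -noout -subject -nameopt "$NAMEOPT"; }

# Normalise a multiline subject: drop the header, indentation, blank lines and
# CN, then sort so that RDN order does not influence the comparison.
non_cn_fields() {
    printf '%s\n' "$1" |
        sed -e 's/^[[:space:]]*//' -e '/^subject=/d' -e '/^$/d' -e '/^CN=/d' |
        sort
}

# Whole-line, fixed-string membership test: "C=XX" must not match "C=XXX".
has_line() { printf '%s\n' "$1" | grep -Fqx -- "$2"; }

# compare_subjects CA_SUBJECT REQ_SUBJECT
# Returns 0 when the request complies. Otherwise prints each non-CN field that
# is present on one side only and returns 1.
compare_subjects() {
    ca_fields=$(non_cn_fields "$1")
    req_fields=$(non_cn_fields "$2")
    [ "$ca_fields" = "$req_fields" ] && return 0

    printf '%s\n' "$req_fields" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        has_line "$ca_fields" "$line" || printf 'request field not in CA: %s\n' "$line"
    done
    printf '%s\n' "$ca_fields" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        has_line "$req_fields" "$line" || printf 'CA field not in request: %s\n' "$line"
    done
    return 1
}

# check_req_complies ca.crt request.req  (wrapper over the real openssl calls;
# hypothetical helper, needs openssl and real files)
check_req_complies() {
    compare_subjects "$(subject_of_ca "$1")" "$(subject_of_req "$2")"
}

# Constructed sample subjects in sep_multiline form (not from any real CA).
SAMPLE_CA='subject=
    C=XX
    ST=PROV Skåne Eslöv # Doe$ & Beer$ #
    O=ORGN Easy-RSA UT # .> ,< |~ / = #
    CN=Easy-RSA CA'
SAMPLE_REQ_OK='subject=
    C=XX
    ST=PROV Skåne Eslöv # Doe$ & Beer$ #
    O=ORGN Easy-RSA UT # .> ,< |~ / = #
    CN=client1'
SAMPLE_REQ_BAD='subject=
    C=YY
    ST=PROV Skåne Eslöv # Doe$ & Beer$ #
    O=ORGN Easy-RSA UT # .> ,< |~ / = #
    OU=Lab
    CN=client2'

# Stand-alone demo on the constructed samples.
compare_subjects "$SAMPLE_CA" "$SAMPLE_REQ_OK"  && echo 'client1: complies'
compare_subjects "$SAMPLE_CA" "$SAMPLE_REQ_BAD" || echo 'client2: does not comply'
```

A CN-only difference passes, a differing or extra field fails; the listing of mismatched fields is what a 'comply' step would have to overwrite with the --req-* values. Note that the comparison is byte-exact after OpenSSL's escaping, so a request whose fields were entered in a different string type (PrintableString vs UTF8String) can still print identically and pass here even though the DER encodings differ.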
Linking: #1087 #1089
I am considering making comply be default and having an opt-out option.
Linking: #1089
FTR: The current unit-test vars file contains:
set_var EASYRSA_DN "org"
set_var EASYRSA_REQ_COUNTRY "XX"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_PROVINCE "PROV Skåne Eslöv # Doe'$ & Beer'$ # ¬!£%^*() #"
set_var EASYRSA_REQ_CITY "CITY esc: a: '\\\$a' | b: '\$b' | c: '$\c' # -_=+[]/? #"
set_var EASYRSA_REQ_ORG "ORGN Easy-RSA UT version: $ERSA_UTEST_VERSION # .> ,< |~ #"
set_var EASYRSA_REQ_OU "ORGU Skåne Eslöv # Boe'$ & Deer'$ # $ \$ __ #"
set_var EASYRSA_REQ_SERIAL "a-z,A-Z,0-9 -+/=.,?:()"
This cannot use option comply, ever.
PR #439 looks like the front runner at this time.
Superseded-by: #1111