
Commit 3949394

committed
Merge branch 'peer-fp-mode-pki' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-peer-fp-mode-pki
Signed-off-by: Richard T Bonhomme <[email protected]>
2 parents 7dfacb1 + 0225241 commit 3949394

File tree

2 files changed

+19
-1
lines changed


ChangeLog

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog
22

33
3.2.3 (TBD)
44

5+
* peer-fingerprint mode: Make CA mode mutually exclusive to PFP mode (8c1c435) (#1347)
56
* TLS key generation: Allow 'gen-tls-auth/crypt-key' without a CA Cert (2580dc2) (#1345)
67
* Inline_file(): Improvements self-signed integration (bc72a21) (#1345)
78
* verify_pki_init(): Always create 'issued' dir (f7e1b79) (#1343)
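Review bot: the new ChangeLog entry at line 5 says only that CA mode is made "mutually exclusive to PFP mode" but does not mention that self-sign now writes a marker file, `peer-fp.mode`, into the PKI directory, which is the user-visible side effect of this change. Suggest wording it "Make CA mode mutually exclusive with peer-fingerprint mode; self-sign now creates '$EASYRSA_PKI/peer-fp.mode'" so that users who find the new file (and its "Please DO NOT DELETE" text) can trace it back to this release.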
@@ -10,7 +11,7 @@ Easy-RSA 3 ChangeLog
1011
* Unit-test: Minimize Windows test (dc60c8b) (#1339)
1112
* ssl_cert_x509v3_eku(): Localize variables and minor improvements (8c19a95) (#1337)
1213
* inline_file(): Always use ssl_cert_x509v3_eku() to set $inline_crt_type (e1a2880) (#1337)
13-
* sig-req: Disable inline for certificate type 'ca' (sub-ca) (f1252a3) (#1337)
14+
* sign-req: Disable inline for certificate type 'ca' (sub-ca) (f1252a3) (#1337)
1415
* inline_file(): Localize variables $inline_crt_type & $inline_crt_CN (692e20a) (#1337)
1516
* add_critical_attrib(): export temp-file name as input file (e5b8d97) (#1333)
1617
* Unit-test: Drop old *nix test (63f3869) (#1335)

easyrsa3/easyrsa

Lines changed: 17 additions & 0 deletions
@@ -1644,6 +1644,11 @@ get_passphrase() {
16441644

16451645
# build-ca backend:
16461646
build_ca() {
1647+
# Only allow if peer-fingerprint mode file does not exist
1648+
if [ -f "$EASYRSA_PKI"/peer-fp.mode ]; then
1649+
user_error "Cannot create CA in a peer-fingerprint PKI"
1650+
fi
1651+
16471652
cipher="-aes256"
16481653
unset -v sub_ca date_stamp x509 error_info \
16491654
ca_password_via_cmdline
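Review bot: the guard added at lines 1647-1651 depends entirely on the presence of the `peer-fp.mode` marker file, whereas the matching guard in self_sign() in this same commit tests for the actual CA artifacts (`ca.crt` and `private/ca.key`) rather than a marker. The marker is advisory (its own contents say "Please DO NOT DELETE"), so a user who removes it, or a self-sign run that exits before the marker is written, leaves a PKI in which build-ca is permitted again. Suggest making the two guards symmetric: keep the marker check, but consider also refusing when self-signed material is already present, and document in the user_error text why the mode is exclusive, e.g. "Cannot create CA in a peer-fingerprint PKI ('$EASYRSA_PKI/peer-fp.mode' exists)".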
@@ -2005,6 +2010,13 @@ Build-ca completed successfully."
20052010

20062011
# Build self signed key pair
20072012
self_sign() {
2013+
# Only allow if CA does not exist
2014+
if [ -f "$EASYRSA_PKI"/ca.crt ] || \
2015+
[ -f "$EASYRSA_PKI"/private/ca.key ]
2016+
then
2017+
user_error "Cannot create self-signed certificate in a CA."
2018+
fi
2019+
20082020
# Define x509 type
20092021
case "$1" in
20102022
server)
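Review bot: the check at lines 2013-2018 is correct, but its form differs from the build_ca() guard added in the same commit: here the `||` continuation puts `then` on its own line and the message ends with a period ("... in a CA."), while build_ca() uses `if [ ... ]; then` and a message without a trailing period ("Cannot create CA in a peer-fingerprint PKI"). Suggest aligning both, e.g. `if [ -f "$EASYRSA_PKI"/ca.crt ] || [ -f "$EASYRSA_PKI"/private/ca.key ]; then` and a message without the period, so the two mutually-exclusive-mode errors read as a pair. Testing `ca.crt` as well as `private/ca.key` is the right call, since a CA whose key has been moved offline still has its certificate in the PKI.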
@@ -2187,6 +2199,11 @@ self-sign: Use ALGO:'$EASYRSA_ALGO' / CURVE:'$EASYRSA_CURVE'"
21872199
# inline key/cert/fingerprint
21882200
inline_file "$file_name_base"
21892201

2202+
# Mark PKI as self-signed only
2203+
pfp_data='peer-fp-mode - Please DO NOT DELETE this file'
2204+
print "$pfp_data" > "$EASYRSA_PKI"/peer-fp.mode || \
2205+
die "Failed to setup peer-fingerprint mode."
2206+
21902207
# User info
21912208
notice "\
21922209
Self-signed '$EASYRSA_ALGO/$EASYRSA_CURVE' \
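Review bot: the marker is written at lines 2202-2205 only after the key, certificate and inline file have all been produced, so any failure or interruption between the CA check at the top of self_sign() and this point leaves a PKI that already contains self-signed material but no `peer-fp.mode`, and build-ca will still be allowed there. Since the CA check (`ca.crt` / `private/ca.key`) now runs first, the marker can safely be created immediately after it, before any keys are generated; that also means the `die "Failed to setup peer-fingerprint mode."` path fires before a certificate exists rather than after. Minor: "setup" in that message should be "set up".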
