Skip to content

peer-fingerprint mode: Make CA mode mutually exclusive to PFP mode #1347

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jun 8, 2025
Merged

peer-fingerprint mode: Make CA mode mutually exclusive to PFP mode #1347

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8c1c435
peer-fingerprint mode: Make CA mode mutually exclusive to PFP mode
TinCanTech Jun 8, 2025
0225241
ChangeLog: peer-fingerprint: Make CA mutually exclusive to PFP mode
TinCanTech Jun 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion ChangeLog
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog

3.2.3 (TBD)

* peer-fingerprint mode: Make CA mode mutually exclusive to PFP mode (8c1c435) (#1347)
* TLS key generation: Allow 'gen-tls-auth/crypt-key' without a CA Cert (2580dc2) (#1345)
* Inline_file(): Improvements self-signed integration (bc72a21) (#1345)
* verify_pki_init(): Always create 'issued' dir (f7e1b79) (#1343)
Expand All @@ -10,7 +11,7 @@ Easy-RSA 3 ChangeLog
* Unit-test: Minimize Windows test (dc60c8b) (#1339)
* ssl_cert_x509v3_eku(): Localize variables and minor improvements (8c19a95) (#1337)
* inline_file(): Always use ssl_cert_x509v3_eku() to set $inline_crt_type (e1a2880) (#1337)
* sig-req: Disable inline for certificate type 'ca' (sub-ca) (f1252a3) (#1337)
* sign-req: Disable inline for certificate type 'ca' (sub-ca) (f1252a3) (#1337)
* inline_file(): Localize variables $inline_crt_type & $inline_crt_CN (692e20a) (#1337)
* add_critical_attrib(): export temp-file name as input file (e5b8d97) (#1333)
* Unit-test: Drop old *nix test (63f3869) (#1335)
Expand Down
17 changes: 17 additions & 0 deletions easyrsa3/easyrsa
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1644,6 +1644,11 @@ get_passphrase() {

# build-ca backend:
build_ca() {
# Only allow if peer-fingerprint mode file does not exist
if [ -f "$EASYRSA_PKI"/peer-fp.mode ]; then
user_error "Cannot create CA in a peer-fingerprint PKI"
fi

cipher="-aes256"
unset -v sub_ca date_stamp x509 error_info \
ca_password_via_cmdline
Expand Down Expand Up @@ -2005,6 +2010,13 @@ Build-ca completed successfully."

# Build self signed key pair
self_sign() {
# Only allow if CA does not exist
if [ -f "$EASYRSA_PKI"/ca.crt ] || \
[ -f "$EASYRSA_PKI"/private/ca.key ]
then
user_error "Cannot create self-signed certificate in a CA."
fi

# Define x509 type
case "$1" in
server)
Expand Down Expand Up @@ -2187,6 +2199,11 @@ self-sign: Use ALGO:'$EASYRSA_ALGO' / CURVE:'$EASYRSA_CURVE'"
# inline key/cert/fingerprint
inline_file "$file_name_base"

# Mark PKI as self-signed only
pfp_data='peer-fp-mode - Please DO NOT DELETE this file'
print "$pfp_data" > "$EASYRSA_PKI"/peer-fp.mode || \
die "Failed to setup peer-fingerprint mode."

# User info
notice "\
Self-signed '$EASYRSA_ALGO/$EASYRSA_CURVE' \
Expand Down