3.2.4

What's Changed

• export-p12: Move inline file to 'inline/private' folder by @TinCanTech in #1356
• Restructure help by @TinCanTech in #1363
• New global option: --no-lockfile = env-var: $EASYRSA_NO_LOCKFILE by @TinCanTech in #1364
• Restructure verify_working_env() by @TinCanTech in #1367
• Improve verbose by @TinCanTech in #1368
• Windows easyrsa-shell-init.sh: Replace 'read -p' by @TinCanTech in #1371
• mutual_exclusions(): Include basic checks for --startdate/--enddate by @TinCanTech in #1372
• easyrsa-shell-init.sh: Allow Easy-RSA to use '\User$HOME' directory by @TinCanTech in #1374
• Remove 'easyrsa_mkdir()', use only 'mkdir' by @TinCanTech in #1376
• revoke: Archive request and private key files and expand help by @TinCanTech in #1378
• set_no_clobber(): Add simple error detection by @TinCanTech in #1379
• random: Use verify_working_env() to configure EASYRSA_OPENSSL by @TinCanTech in #1381
• self_sign(): Force use of Easy-RSA X509-type file 'selfsign' by @TinCanTech in #1383

Full Changelog: v3.2.3...v3.2.4

3.2.3

What's Changed

• Update OpenSSL to v3.5.0
• renew: Print 'unique_subject = no' to index.txt.attr by @TinCanTech in #1293
• check_serial_unique(): Check for duplicate Subject error by @TinCanTech in #1294
• Correctly define options names - Remove wild-card pattern by @TinCanTech in #1297
• Remove all references to file:easyrsa-tools.lib by @TinCanTech in #1298
• Reinstate old function as 'db_date_to_iso_8601()' [Renamed] by @TinCanTech in #1303
• expire_status_v2(): Refactor 'if' statement to capture error correctly by @TinCanTech in #1304
• source_vars() improvements by @TinCanTech in #1300
• add_critical_attrib(): Do not add 'critical' if 'critical' exists by @TinCanTech in #1308
• inline_file(): Include DH file or placeholder, for RSA Servers by @TinCanTech in #1310
• Fix shellcheck warnings by @TinCanTech in #1311
• Introduce command line options --umask|--no-umask, to set 'umask' by @TinCanTech in #1312
• Introduce "robust" lock-file mechanism by @TinCanTech in #1313
• New function set_no_clobber() by @TinCanTech in #1314
• Easyrsa mktemp v2 by @TinCanTech in #1315
• add_critical_attrib_v2(): Move file access to function by @TinCanTech in #1316
• Command 'write': Remove options 'overwrite' and 'filename' by @TinCanTech in #1318
• Introduce option --text: Create CSR files with human readable text by @TinCanTech in #1319
• will_cert_be_valid(): Remove SSL option -noout by @TinCanTech in #1321
• easyrsa_mktemp(): Remove secondary atomic operation by @TinCanTech in #1322
• easyrsa_mkdir(): Separate Windows from *nix by @TinCanTech in #1324
• Update Copyright 2025 by @TinCanTech in #1327
• inine_file(): Correct logic and add 'dh none' for DH params file by @TinCanTech in #1330
• show-expire: Move setting $pre_expire_window_s to status() by @TinCanTech in #1332
• Always export EASYRSA_SSL_CONF, when assigned (code standard) by @TinCanTech in #1334
• Unit-test: Drop old *nix test by @TinCanTech in #1335
• add_critical_attrib(): export temp-file name as input file by @TinCanTech in #1333
• Inline improvements by @TinCanTech in #1337
• Unit-test: Minimize Windows test by @TinCanTech in #1339
• PKI lock-file: Move possible creation to sub-function request_lock_file() by @TinCanTech in #1340
• forbid_selfsign(): Compare cert serial to signing cert serial by @TinCanTech in #1342
• inline_file(): Use ssl_cert_serial() by @TinCanTech in #1343
• Inline self sign improvements by @TinCanTech in #1345
• peer-fingerprint mode: Make CA mode mutually exclusive to PFP mode by @TinCanTech in #1347
• Remove init pki soft by @TinCanTech in #1351

Full Changelog: v3.2.2...v3.2.3

3.2.2

Easy-RSA v3.2.2 most significant changes:

• New command renew-ca: Basic CA renewal.
• New command revoke-issued: This is to ensure that the correct certificate is selected for revocation.
• Fold easyrsa-tools.lib into easyrsa: This marks the end of the existence of the tools library.

---

What's Changed

• Bugfix-v321-01 by @TinCanTech in #1229
• Remove redundant file: index.txt.attr by @TinCanTech in #1233
• sign-req: Allow custom X509 Types by @TinCanTech in #1238
• Add LibreSSL version 4 to supported SSL Libraries by @TinCanTech in #1240
• Revoke remove private inline by @TinCanTech in #1244
• Easyrsa disable inline by @TinCanTech in #1245
• easyrsa-tools.lib: renew SAN, remove excess word 'Address' by @TinCanTech in #1251
• easyrsa-tls.lib: renew, make sed regex for 'IP Address' greedy by @TinCanTech in #1253
• Show expire allow zero days by @TinCanTech in #1254
• easyrsa-tools.lib: New command 'renew ca' by @TinCanTech in #1255
• Improve CRL expiration details by @TinCanTech in #1257
• Tools move to easyrsa3 by @TinCanTech in #1260
• vars.example: Remove $EASYRSA_PKI by @TinCanTech in #1262
• Introduce new command revoke-issued by @TinCanTech in #1266
• Bugfix renew ca and renew by @TinCanTech in #1267
• Always use locate_support_files() after secure_session() by @TinCanTech in #1270
• revoke: Make check for conflicting files less intrusive by @TinCanTech in #1272
• Forbid a self-signed certificate from being expired/renewed/revoked by @TinCanTech in #1274
• V321 minor final by @TinCanTech in #1275
• op-test.sh: Disable download ossl3 and shellcheck binaries by @TinCanTech in #1284
• Windows: Remove mktemp binary and text files by @TinCanTech in #1285
• Revert da3c249: Do not remove index.txt.attr by @TinCanTech in #1287
• Fold easyrsa-tools.lib into easyrsa by @TinCanTech in #1288

Full Changelog: v3.2.1...v3.2.2

3.2.1

Easy-RSA version 3.2.1 - Significant Changes:

Honorable Memorandum: 2024 USA Election.

Add decimal serial number value to inline files:

• For use with OpenVPN --verify-crl command.

Create OpenVPN style TLS-AUTH and TLS-Crypt keys:

• Use command gen-tls-auth-key/gen-tls-crypt-key. (TLS-Crypt-V2 is not included)

Add simple way to effectively renew an expired CA certificate:

• Use init-pki command option soft, to retain certificate signing request files. Facilitating signing old requests with a new CA. Also keep TLS-KEYS, which are known to be in use.
• Full details: doc/EasyRSA-Renew-and-Revoke.md#renew-ca-certificate

New global command options for critical X509 Attibutes:

• --bc-crit - Mark basicConstraints as critical
• --ku-crit - Mark keyUsage as critical
• --eku-crit - Mark extendedKeyUsage as critical
• --san-crit - Mark subjectAltName as critical

New global option --auto-san:

• Force automatic subjectAltName.

Command write syntax change:

• Allow specific target-file as command option.
• Reqire specific command option overwrite, to enable overwriting an existing file.

---

ChangeLog:

• inline: Add decimal value for cert. serial (Linux Only) (b33038e) (#1222)
• Always exit with error for unknown command options (Except nopass) (#1221)
  (build-ca: b2f7912); (gen-req: 07f21d3); (build_full(): 0ff7f4c);
  (export_pkcs(): 2c51288); (set-pass: 1266d4e)
• Integrate Easy-RSA TLS-Key for use with 'init-pki soft' (03d9dc2) (#1220)
  Note: Inline files that contain private key data are now created in sub-dir
  'pki/inline/private'.
• easyrsa-tools.lib, show-expire: Add CA certificate to report (a36cd54) (#1215)
• inline: OpenVPN TLS Keys inlining for TLS-AUTH, TLS-CRYPT-V1 (6e9e4a2) (#1185)
  Note: Command inline only writes directly to inline file not stdout.
• easyrsa-tools.lib: OpenVPN TLS Key gen. TLS-AUTH, TLS-CRYPT-V1 (cf0da16) (#1185)
• easyrsa-tools.lib: expire_status_v2() (show-expire version 2) (1e43bf5) (#1214)
• sign-req: Require 128bit serial number (806ee19) (#1213)
• Move command 'verify-cert' to Tools-lib; drop 'verify' shortcut (ddbf304) (#1209)
• Windows secure_session(): Ensure $secured_session dir is created (d99b242) (#1203)
• Switch to '-f' for file existence (6ab98c9..a02f545) (#1201)
• inline: Move auto-inline from build_full() to sign_req() (823f70f) (#1201)
• gen-crl: Create additional CRL in DER format (69df0d8) (#1198)
• self-sign: Allow Edwards Curve based keys (81b749b) (#1197)
• Re-enable command 'renew' (version 2): Requires EasyRSA Tools (30fe311) (#1195)
• bug-fix: revoke: Pass the correct certificate location (24d5514)
• vars.example: Add flags for auto-SAN and X509 critical attribute (a41dfcc)
• Global option --eku-crit: Mark X509 extendedKeyUsage as critical (ca09211)
• sign-req: Add critical and pathlen details to confirmation (deae705) (#1182)
• export-p12: Automatically generate inline file (9d90370) (#1181)
• Introduce global option --auto-san, use commonName as SAN (5c36d44) (#1180)
• Introduce global option --san-crit, mark SAN critical (dd69f50) (#1179)
• Introduce new global options: --ku-crit and --bc-crit (b79abee) (#1176)
• gen-req: Always check for existing request file (7eab98e) (#1177)
• revoke/revoke-expired/-renewed: Keep duplicate certificate (3da7f66) (#1177)
• revoke-expired/-renewed: Keep req/key files for resigning (4537ae7) (#1177)
• revoke: Add abbreviations for optional 'reason' (a88ccc7) (#1173)
• build-ca: Allow use of --req-cn without batch mode (b77a0fb) (#1170)
• gen-req: Re-enable use of --req-cn (5cf8c46) (#1170)
• write: Change syntax, target as file, not directory (722ce54) (#1165)

What's Changed

• Use standard indentation rules for 'case' by @TinCanTech in #1142
• easyrsa_mkdir(): Remove use of 'mkdir -p', use only 'mkdir' by @TinCanTech in #1145
• Unit-test: Add Old expansion test on nix (EASYRSA_FORCE_SAFE_SSL) by @TinCanTech in #1151
• easyrsa_openssl(): Always export $OPENSSL_CONF as $EASYRSA_SSL_CONF by @TinCanTech in #1150
• easyrsa-tools.lib: Add 'locate_support-files' to recreate temp-session by @TinCanTech in #1153
• Tools lib call ssl direct by @TinCanTech in #1156
• easyrsa_mktemp(): Make variable names more unique to avoid conflicts by @TinCanTech in #1157
• Introduce Global Safe SSL config and Local SSL config by @TinCanTech in #1163
• Introduce write_legacy_file_v2() by @TinCanTech in #1165
• display_dn(): Remove excess subshell by @TinCanTech in #1166
• Fix minor typos by @NathanBaulch in #1169
• Command gen-req: Re-enable global option --req-cn - Includes build_full() by @TinCanTech in #1170
• Command revoke: Add abbreviations for optional 'reason' by @TinCanTech in #1173
• Command revoke: Add confirmation for possible misuse by @TinCanTech in #1174
• Command revoke: Do not remove duplicate certificate by serial by @TinCanTech in #1177
• Introduce new global options: --ku-crit and --bc-crit by @TinCanTech in #1176
• Introduce global option --san-crit, mark SAN critical (RFC2459) by @TinCanTech in #1179
• Introduce global option --auto-san, use commonName as SAN by @TinCanTech in #1180
• export-p12: Automatically generate inline file by @TinCanTech in #1181
• sign-req: Add critical and pathlen details to confirmation dialogue by @TinCanTech in #1182
• Auto-SAN: Correct rexeg, exclude non-numeric chars by delimiting by @TinCanTech in #1184
• Global option --eku-crit: Mark X509 extendedKeyUsage as critical by @TinCanTech in #1188
• revoke: Pass the correct certificate location to revoke function by @TinCanTech in #1191
• Rewrite renew by @TinCanTech in #1195
• self-sign: Allow Edwards Curve based keys by @TinCanTech in #1197
• gen-crl: Create additional CRL in DER format by @TinCanTech in #1198
• Inline v2 by @TinCanTech in #1201
• Windows secure_session(): Ensure $secured_session directory is created by @TinCanTech in #1203
• Windows secure_session(): Minimize and document specific race conditon by @TinCanTech in #1205
• verify_ssl_lib(): Correct verbose message by @TinCanTech in #1208
• Move command 'verify-cert' to Tools-lib; drop 'verify' shortcut by @TinCanTech in #1209
• inline: Comment out missing files and add instructions for rebuilding by @TinCanTech in #1212
• sign-req: Require 128bit serial number by @TinCanTech in #1213
• easyrsa-tools.lib: expire_status_v2() (show-expire version 2) by @TinCanTech in #1214
• TLS key system v1 by @TinCanTech in #1185
• show-expire: Add CA certificate to report by @TinCanTech in #1215
• easyrsa-tools.lib: Rename will_cert_expire() -> is_cert_valid() by @TinCanTech in #1216
• init-pki: Add second confirmation to promote use of option 'soft' by @TinCanTech in #1217
• Minor corrections by @TinCanTech in #1218
• Integrate Easy-RSA TLS-Key for use with 'init-pki soft' by @TinCanTech in #1220
• doc: Revoke and Renew, update for Easy-RSA v3.2.1 by @TinCanTech in #1219
• V321 final touches by @TinCanTech in #1221
• inline: Add decimal value for certificate serial number (Linux Only) by @TinCanTech in #1222

New Contributors

• @NathanBaulch made their first contribution in #1169

Full Changelog: v3.2.0...v3.2.1

3.2.0

NOTICE: EasyRSA version 3.2.0 is a development snapshot.

EasyRSA v3.2.0 - Most significant changes

New commands:

• self-sign-server and self-sign-client (#1127)
  Create self-signed certificates for use with OpenVPN Peer Fingerprint mode.
  These certificates comply with other EasyRSA signing policies.

• expire (#1109)
  Selectively move certificates from the issued/ to expired/ directory.
  This allows a new certificate to be signed from the original signing request file.
  This allows all custom signing options to be applied as required.
  This replaces the old command renew, which has been removed.
  Further details: doc/EasyRSA-Renew-and-Revoke.md

• write (Commit: c814e0a)
  Create legacy support files: openssl-easyrsa.cnf, x509-types/* and vars.example.
  This allows EasyRSA to be used without having copies of the support files installed.

Removed commands:

• renew (#1109)
  Replaced by command expire, followed by command sign-req.
  This allows all custom options to be used when signing, which renew did not.

• rebuild (Commit: d6953cc) and rewind-renew (Commit: 72b4079)
  No longer required.

• upgrade (Commit: 6a88edd)
  No longer supported.

New Global Option:

• --new-subject -- Command sign-req option: newsubj (#1111)
  Edit Request Subject during command sign-req

New files:

• easyrsa-tools.lib (Commit: 214b909)
  Moved code for commands show-expire, show-revoke and show-renew to the new file.
  easyrsa-tools.lib is auto-loaded, if it is found in a supported location. eg. $pwd

---

• Revert ca76697: Restore escape_hazard() (b1e9d7a) (#1137)
• New X509 Type: 'selfsign' Internal only (999533e) (#1135)
• New commands: self-sign-server and self-sign-client (9f8a1d1) (#1127)
• build-ca: Command 'req', remove SSL option '-keyout' (4e02c8a) (#1123)
• Remove escape_hazard(), obsolete (ca76697)
• Remove command and function display_cn(), unused (be8f400) (#1114)
• Introduce Options to edit Request Subject during command 'sign-req'
  Global Option: --new-subject -- Command 'sign-req' option: 'newsubj'
  First proposed in: (#439) -- Completed: (83b81c7) (#1111)
• docs: Update EasyRSA-Renew-and-Revoke.md (f6c2bf5) (#1109)
• Remove all 'renew' code; replaced by 'expire' code (9d94207) (#1109)
• Introduce commands: 'expire' and 'revoke-expired' (a1890fa) (#1109)
• Keep request files [CSR] when revoking certificates (6d6e8d8) (#1109)
• Restrict use of --req-cn to build-ca (0a46164) (#1098)
• Remove command 'display-san' (Code removed in 5a06f94) (50e6002) (#1096)
• help: Add 'copyext'; How to use --copy-ext and --san (5a06f94) (#1096)
• Allow --san to be used multiple times (5a06f94) (#1096)
• Remove default server subject alternative name (0b85a5d) (#576)
• Move Status Reports to 'easyrsa-tools.lib' (214b909) (#1080)
• export-p12, OpenSSL v1.x: Upgrade PBE and MAC options (60a508a)
  (#1084 - Based on #1081)
• Windows: Introduce 'Non-Admin' mode (c2823c4) (#1073)
• LibreSSL: Add fix for missing 'x509' option '-ext' (96dd959) (#1068)
• Variable heredoc expansion for SSL/Safe Config file (9c5d423) (#1064)

Branch-merge: v3.2.0-beta2 (#1055) 2024/01/13 Commit: d51d79b

• Always use here-doc version of openssl-easyrsa.cnf (2a8c0de)
  Only use here-doc if the current version is recognised by sha256 hash.
  The current file is NEVER deleted (60216d5). Partially revert: 2a8c0de
• export-p12: New command option 'legacy'. OpenSSL V3 Only (f8514de)
  Fallback to encryption algorithm RC2_CBC or 3DES_CBC
• export-p12: Always set 'friendlyName' to file-name-base (da9e594)
• Update OpenSSL to 3.2.0 (03e4829)

Branch-merge: v3.2.0-beta1 (#1046) 2023/12/15 Commit: 7120876

• Important note: As of Easy-RSA version 3.2.0-beta1, the configuration files
  vars.example, openssl-eayrsa.cnf and all files in x509-types directory
  are no longer required. Package maintainers can omit these files in the future.
  All files are created as required and deleted upon command completion.
  vars.example is created during init-pki and placed in the fresh PKI.
  These files will be retained for downstream packaging compatibility.

• Rename X509-type file code-signing to codeSigning (1c6b31a)
  The original file will be retained as code-signing, however, the automatic
  X509-types creation will name the file codeSigning. This effectively means
  that both are valid X509-types, until code-signing is dropped.

• init-pki: Always write vars.example file to fresh PKI (66a8f3e)

• New command 'write': Write 'legacy' files to stdout or files (c814e0a)

• Remove command 'make-safe-ssl': Replaced by command 'write safe-cnf' (c814e0a)

• New Command 'rand': Expose easyrsa_random() to the command line (6131cbf)

• Remove function 'set_pass_legacy()' (7470c2a)

• Remove command 'rewind-renew' (72b4079)

• Remove command 'rebuild' (d6953cc)

• Remove command 'upgrade' (6a88edd)

Branch-merge: v3.2.0-alpha2 (#1043) 2023/12/7 Commit: ed0dc46

• Remove EASYRSA_NO_VARS; Allow graceful use without a vars file (3c0ca17)

Branch-merge: v3.2.0-alpha1 (#1041) 2023/12/2 Commit: 42c2e95

• New diagnostic command 'display-cn' (#1040)
• Expand renewable certificate types to include code-signing (#1039)

What's Changed

• Command: x509-eku v2 by @TinCanTech in #1039
• v3.2.0-alpha1 by @TinCanTech in #1041
• Remove unwanted code - Minor improvements by @TinCanTech in #1036
• escape_hazarrd(): Reuse source_vars() by @TinCanTech in #1037
• v3.2.0-alpha2 by @TinCanTech in #1043
• v3.2.0-Remove-commands by @TinCanTech in #1045
• v3.2.0-beta1 by @TinCanTech in #1046
• export-p12: New command option 'legacy' by @spacefreak86 in #1057
• v3.2.0-beta2 by @TinCanTech in #1055
• Replace use of sed with heredoc expansion by @TinCanTech in #1064
• Restore 128bit-random certificate serial-number by @TinCanTech in #1070
• LibreSSL: Add band-aid fix for missing 'x509' command option '-ext' by @TinCanTech in #1071
• Windows: Introduce 'Non-Admin' mode by @TinCanTech in #1073
• export-p12, OpenSSL v1.x: Upgrade PBE and MAC options by @TinCanTech in #1084
• Completely remove status reports and date functions by @TinCanTech in #1080
• sign-req: Remove default server 'subject alternative name' SAN by @TinCanTech in #1091
• Separate SAN from DN - Refactor display_dn() by @TinCanTech in #1096
• Restrict use of --req-cn to build-ca by @TinCanTech in #1098
• New function easyrsa_mkdir_p(): Replace use of 'mkdir -p' by @TinCanTech in #1101
• Shellcheck directives and minor tweak by @TinCanTech in #1105
• easyrsa_mkdir_p(): Ignore 'mkdir.exe' error code in favor of 'test' by @TinCanTech in #1106
• Revoke keep request by @TinCanTech in #1109
• Add an option to change the subject when signing a request. V2 by @TinCanTech in #1111
• Remove command and function display_cn(), unused by @TinCanTech in #1114
• Remove escape_hazard() by @TinCanTech in #1115
• build-ca: Command 'req', remove SSL option '-keyout' by @TinCanTech in #1123
• Improve ssl_cert_x509v3_eku() by @TinCanTech in #1125
• Remove variable 'makesafeconf' as obsolete by @TinCanTech in #1126
• Introduce commands: self-sign-server and self-sign-client by @TinCanTech in #1127
• Command inline: Support self-signed certificate called from cmd-line by @TinCanTech in #1128
• self-sign: Improve default algorithm and curve selection by @TinCanTech in #1134
• self-sign: Adjust 'X509v3 Key Usage' by @TinCanTech in #1135
• Revert ca76697: Remove escape_hazard() by @TinCanTech in #1137
• LibreSSL: Ignore and discard missing config file warning by @TinCanTech in #1138
• Minor corrections and improvements by @TinCanTech in #1140
• sign-req: Improve confirmation details by @TinCanTech in #1141

New Contributors

• @spacefreak86 made their first contribution in #1057

Full Changelog: v3.1.7...v3.2.0

v3.1.7

3.1.7 (2023-10-13)

• Rewrite vars-auto-detect, adhere to EasyRSA-Advanced.md (#1029)
  Under the hood, this is a considerable change but there are no user
  noticable differences. With the exception of:
  Caveat: The default '$PWD/pki/vars' file is forbidden to change either
  EASYRSA or EASYRSA_PKI, which are both implied by default.
• EasyRSA-Advanced.md: Correct vars-auto-detect hierarchy (#1029)
  Commit: ecd6506
  EASYRSA/vars is moved to a higher priority than a default PKI.
  vars-auto-detect no longer searches 'easyrsa' program directory.
• gen-crl: preserve existing crl.pem ownership+mode (#1020)
• New command: make-vars - Print vars.example (here-doc) to stdout (#1024)
• show-expire: Calculate cert. expire seconds from DB date (#1023)
• Update OpenSSL to 3.1.2

What's Changed

• Completely Remove Upgrade Functionality by @TinCanTech in #1001
• Expand help to include undocumented commands by @TinCanTech in #1002
• Revert "Completely Remove Upgrade Functionality" by @TinCanTech in #1010
• Revert "Expand help to include undocumented commands" by @TinCanTech in #1011
• Forbid "default vars in the default PKI" for all commands by @TinCanTech in #1021
• CI: action, checkout v4 by @TinCanTech in #1016
• show-expire: Calculate certificate expire seconds from Database date by @TinCanTech in #1023
• Expand help to include undocumented commands by @TinCanTech in #1013
• New command: make-vars - Print vars.example (here-doc) to stdout by @TinCanTech in #1024
• gen-crl: preserve existing crl.pem ownership+mode by @Tabiskabis in #1020
• Improve vars auto load by @TinCanTech in #1025
• Vars hierarchy v2 by @TinCanTech in #1029
• doc: Update EasyRSA-Advanced.md environment variable list by @TinCanTech in #1030
• Replace santize_path() and ignore Windows "security" warning by @TinCanTech in #1033
• Improve select_vars() and source_vars() by @TinCanTech in #1034

New Contributors

• @Tabiskabis made their first contribution in #1020

Full Changelog: v3.1.6...v3.1.7

v3.1.6

Update: Before using v3.1.6, please see this issue #1009

What's Changed

• sign-req: Allow the CSR DN-field order to be preserved by @TinCanTech in #970
• Post version 3.1.5 refactor by @TinCanTech in #967
• set_var(): Allow empty input to return without error by @TinCanTech in #971
• vars-file: Warn about EASYRSA_NO_VARS disabling vars-file use by @TinCanTech in #972
• Expand default status to include vars-file and CA status by @TinCanTech in #973
• verify_ssl_lib(): Minor style improvements by @TinCanTech in #974
• cleanup: Rename $easyrsa_error_exit to $easyrsa_exit_with_error by @TinCanTech in #976
• Very minor changes to comments, help/msg text, wrap lines, code by @TinCanTech in #977
• Expose 'sign-req' unique, random serial number check to command line by @TinCanTech in #980
• sign-req: Major refactor by @TinCanTech in #981
• Simplify run-once control for exanding conf files by @TinCanTech in #982
• Only verify working environment for recognised commands by @TinCanTech in #985
• easyrsa_openssl: Replace variable 'has_config' with OPENSSL_CONF by @TinCanTech in #987
• Export PKCS: Expand usage for incomplete PKI by @TinCanTech in #991
• Inline v2 by @TinCanTech in #993
• set_var and force_set_var: Guard against invalid user input by @TinCanTech in #994
• verify_working_env: sanitize_path(), forbid broken values by @TinCanTech in #1000

Full Changelog: v3.1.5...v3.1.6

v3.1.5

3.1.5 (2023-06-10)

• Build Update: script now supports signing and verifying

• Automate support-file creation (Free packaging) (#964)

• build-ca: New command option 'raw-ca', abbrevation: 'raw' (#963)

  This 'raw' method, is the most reliable way to build a CA,
  with a password, without writing the CA password to a temp-file.

This option completely replaces both methods below:

• build-ca: New option --ca-via-stdin, use SSL -pass* argument 'stdin' (#959)
  Option '--ca-via-stdin' offers no more security than standard method.
  Easy-RSA version 3.1.4 ONLY.

• build-ca: Replace password temp-files with file-descriptors (#955)
  Using file-descriptors does not work in Windows.
  Easy-RSA version 3.1.3 ONLY.

What's Changed

• build-ca: New command option 'raw-ca', abbrevation: 'raw' by @TinCanTech in #963
• Automate support-file creation (Free packaging) by @TinCanTech in #964

Full Changelog: v3.1.4...v3.1.5

v3.1.4

3.1.4 (2023-05-23)

• build-ca: New option --ca-via-stdin, use SSL -pass* argument 'stdin' (#959)

• build-ca: Revert manual CA password method to temp-files (#959)
  Supersedes #955

  Release v3.1.3 was fatally flawed, it would fail to build a CA under Windows.
  Release v3.1.4 is specifically a bugfix ONLY, to resolve the Windows problem.

  See the following commits for further details:
  5d7ad13
  build-ca: Revert manual CA password method to temp-files
  c11135d
  build-ca: Use OpenSSL password I/O argument 'stdin'
  27870d6
  build-ca: Replace password temp-file method with file-descriptors
  Superseded by 5d7ad13 above.

Full Changelog: v3.1.3...v3.1.4

v3.1.3

What's Changed

• fixed_cert_dates(): Remove subshell by @TinCanTech in #849
• Add 'verify-cert' command to current 'verify' command by @TinCanTech in #850
• Re-order output messages and subsequent newlines for aesthetics by @TinCanTech in #851
• build_ca(): Wrap long lines by @TinCanTech in #852
• build-ca: Write 'unique_subject = no' to index.txt.attr file by @TinCanTech in #854
• Remove hard-coded unit-test password from build-ca by @TinCanTech in #857
• Rename safe_set_var() to force_set_var() by @TinCanTech in #858
• build-ca: Minor code reformat (aesthetics) by @TinCanTech in #860
• Wrap long lines: easyrsa_openssl(), sed command by @TinCanTech in #864
• Move calling show_host() to function die(), where it belongs by @TinCanTech in #868
• Remove ineffectual redirector by @TinCanTech in #869
• Remove redundant separator lines by @TinCanTech in #870
• Remove debug symbols by @TinCanTech in #865
• Move verify_ssl_lib() - Always verify SSL lib, for all commands by @TinCanTech in #877
• easyrsa_mktemp(): Use sequential numbered temp files by @TinCanTech in #876
• cleanup(): Only enable terminal echo when it has been disabled by @TinCanTech in #880
• set-var(): Check input, die on errors by @TinCanTech in #882
• build-ca: Manual password bug fixes by @TinCanTech in #886
• sign-req: Only create a random serial number file when expected by @TinCanTech in #896
• sign-req: Use either SSL option -days OR -startdate/-enddate by @TinCanTech in #897
• Use set_var to correctly assign EASYRSA_REQ_SERIAL by @TinCanTech in #900
• gen-crl: Minor improvements by @TinCanTech in #903
• Upgrade_23: Prioritise new PKI creation to allow temp file creation by @TinCanTech in #906
• General improvements by @TinCanTech in #908
• Status reports: Warn if given commonName is not found in database by @TinCanTech in #911
• vars_setup(): Refactor 'Sanitize vars' by @TinCanTech in #912
• Introduce option -S|--silent-ssl: Silence SSL output by @TinCanTech in #913
• CI: Update checkout to v3 by @TinCanTech in #917
• Replace fixed offset date code by @TinCanTech in #918
• vars file: Allow 'EASYRSA_VARS_FILE' to be set externally by @TinCanTech in #924
• Status reports: Leap Years, apply Day Feb-29 after Feb-28 by @TinCanTech in #928
• easyrsa_openssl(): Create a safe SSL config once per instance ONLY by @TinCanTech in #931
• Windows: Warn when using Windows default location in 'Program Files' by @TinCanTech in #937
• secure_session(): Move in verify_working_env() Remove from 'init-pki' by @TinCanTech in #938
• Introduce global option --force-safe-ssl by @TinCanTech in #935
• vars: Prohibit use of export and unset in vars file by @TinCanTech in #932
• Status reports: Additional check, Use SSL to determine expiration by @TinCanTech in #940
• import-req: Check input file exists by @TinCanTech in #945
• remove_secure_session(): Return-On-Success Only by @TinCanTech in #943
• X509-types insert markers: Move and improve by @TinCanTech in #946
• easyrsa_openssl(): makesafecnf - Copy temp-file do NOT move by @TinCanTech in #948
• mutual_exclusions(): Use of --silent and --verbose is unresolvable by @TinCanTech in #949
• Build Safe SSL config at correct stage by @TinCanTech in #954
• build-ca: Replace password temp-file method with file-descriptors by @TinCanTech in #955

Full Changelog: v3.1.2...v3.1.3