3.2.1

Easy-RSA version 3.2.1 - Significant Changes:

Honorable Memorandum: 2024 USA Election.

Add decimal serial number value to inline files:

• For use with OpenVPN --verify-crl command.

Create OpenVPN style TLS-AUTH and TLS-Crypt keys:

• Use command gen-tls-auth-key/gen-tls-crypt-key. (TLS-Crypt-V2 is not included)

Add simple way to effectively renew an expired CA certificate:

• Use init-pki command option soft, to retain certificate signing request files. Facilitating signing old requests with a new CA. Also keep TLS-KEYS, which are known to be in use.
• Full details: doc/EasyRSA-Renew-and-Revoke.md#renew-ca-certificate

New global command options for critical X509 Attibutes:

• --bc-crit - Mark basicConstraints as critical
• --ku-crit - Mark keyUsage as critical
• --eku-crit - Mark extendedKeyUsage as critical
• --san-crit - Mark subjectAltName as critical

New global option --auto-san:

• Force automatic subjectAltName.

Command write syntax change:

• Allow specific target-file as command option.
• Reqire specific command option overwrite, to enable overwriting an existing file.

---

ChangeLog:

• inline: Add decimal value for cert. serial (Linux Only) (b33038e) (#1222)
• Always exit with error for unknown command options (Except nopass) (#1221)
  (build-ca: b2f7912); (gen-req: 07f21d3); (build_full(): 0ff7f4c);
  (export_pkcs(): 2c51288); (set-pass: 1266d4e)
• Integrate Easy-RSA TLS-Key for use with 'init-pki soft' (03d9dc2) (#1220)
  Note: Inline files that contain private key data are now created in sub-dir
  'pki/inline/private'.
• easyrsa-tools.lib, show-expire: Add CA certificate to report (a36cd54) (#1215)
• inline: OpenVPN TLS Keys inlining for TLS-AUTH, TLS-CRYPT-V1 (6e9e4a2) (#1185)
  Note: Command inline only writes directly to inline file not stdout.
• easyrsa-tools.lib: OpenVPN TLS Key gen. TLS-AUTH, TLS-CRYPT-V1 (cf0da16) (#1185)
• easyrsa-tools.lib: expire_status_v2() (show-expire version 2) (1e43bf5) (#1214)
• sign-req: Require 128bit serial number (806ee19) (#1213)
• Move command 'verify-cert' to Tools-lib; drop 'verify' shortcut (ddbf304) (#1209)
• Windows secure_session(): Ensure $secured_session dir is created (d99b242) (#1203)
• Switch to '-f' for file existence (6ab98c9..a02f545) (#1201)
• inline: Move auto-inline from build_full() to sign_req() (823f70f) (#1201)
• gen-crl: Create additional CRL in DER format (69df0d8) (#1198)
• self-sign: Allow Edwards Curve based keys (81b749b) (#1197)
• Re-enable command 'renew' (version 2): Requires EasyRSA Tools (30fe311) (#1195)
• bug-fix: revoke: Pass the correct certificate location (24d5514)
• vars.example: Add flags for auto-SAN and X509 critical attribute (a41dfcc)
• Global option --eku-crit: Mark X509 extendedKeyUsage as critical (ca09211)
• sign-req: Add critical and pathlen details to confirmation (deae705) (#1182)
• export-p12: Automatically generate inline file (9d90370) (#1181)
• Introduce global option --auto-san, use commonName as SAN (5c36d44) (#1180)
• Introduce global option --san-crit, mark SAN critical (dd69f50) (#1179)
• Introduce new global options: --ku-crit and --bc-crit (b79abee) (#1176)
• gen-req: Always check for existing request file (7eab98e) (#1177)
• revoke/revoke-expired/-renewed: Keep duplicate certificate (3da7f66) (#1177)
• revoke-expired/-renewed: Keep req/key files for resigning (4537ae7) (#1177)
• revoke: Add abbreviations for optional 'reason' (a88ccc7) (#1173)
• build-ca: Allow use of --req-cn without batch mode (b77a0fb) (#1170)
• gen-req: Re-enable use of --req-cn (5cf8c46) (#1170)
• write: Change syntax, target as file, not directory (722ce54) (#1165)

What's Changed

• Use standard indentation rules for 'case' by @TinCanTech in #1142
• easyrsa_mkdir(): Remove use of 'mkdir -p', use only 'mkdir' by @TinCanTech in #1145
• Unit-test: Add Old expansion test on nix (EASYRSA_FORCE_SAFE_SSL) by @TinCanTech in #1151
• easyrsa_openssl(): Always export $OPENSSL_CONF as $EASYRSA_SSL_CONF by @TinCanTech in #1150
• easyrsa-tools.lib: Add 'locate_support-files' to recreate temp-session by @TinCanTech in #1153
• Tools lib call ssl direct by @TinCanTech in #1156
• easyrsa_mktemp(): Make variable names more unique to avoid conflicts by @TinCanTech in #1157
• Introduce Global Safe SSL config and Local SSL config by @TinCanTech in #1163
• Introduce write_legacy_file_v2() by @TinCanTech in #1165
• display_dn(): Remove excess subshell by @TinCanTech in #1166
• Fix minor typos by @NathanBaulch in #1169
• Command gen-req: Re-enable global option --req-cn - Includes build_full() by @TinCanTech in #1170
• Command revoke: Add abbreviations for optional 'reason' by @TinCanTech in #1173
• Command revoke: Add confirmation for possible misuse by @TinCanTech in #1174
• Command revoke: Do not remove duplicate certificate by serial by @TinCanTech in #1177
• Introduce new global options: --ku-crit and --bc-crit by @TinCanTech in #1176
• Introduce global option --san-crit, mark SAN critical (RFC2459) by @TinCanTech in #1179
• Introduce global option --auto-san, use commonName as SAN by @TinCanTech in #1180
• export-p12: Automatically generate inline file by @TinCanTech in #1181
• sign-req: Add critical and pathlen details to confirmation dialogue by @TinCanTech in #1182
• Auto-SAN: Correct rexeg, exclude non-numeric chars by delimiting by @TinCanTech in #1184
• Global option --eku-crit: Mark X509 extendedKeyUsage as critical by @TinCanTech in #1188
• revoke: Pass the correct certificate location to revoke function by @TinCanTech in #1191
• Rewrite renew by @TinCanTech in #1195
• self-sign: Allow Edwards Curve based keys by @TinCanTech in #1197
• gen-crl: Create additional CRL in DER format by @TinCanTech in #1198
• Inline v2 by @TinCanTech in #1201
• Windows secure_session(): Ensure $secured_session directory is created by @TinCanTech in #1203
• Windows secure_session(): Minimize and document specific race conditon by @TinCanTech in #1205
• verify_ssl_lib(): Correct verbose message by @TinCanTech in #1208
• Move command 'verify-cert' to Tools-lib; drop 'verify' shortcut by @TinCanTech in #1209
• inline: Comment out missing files and add instructions for rebuilding by @TinCanTech in #1212
• sign-req: Require 128bit serial number by @TinCanTech in #1213
• easyrsa-tools.lib: expire_status_v2() (show-expire version 2) by @TinCanTech in #1214
• TLS key system v1 by @TinCanTech in #1185
• show-expire: Add CA certificate to report by @TinCanTech in #1215
• easyrsa-tools.lib: Rename will_cert_expire() -> is_cert_valid() by @TinCanTech in #1216
• init-pki: Add second confirmation to promote use of option 'soft' by @TinCanTech in #1217
• Minor corrections by @TinCanTech in #1218
• Integrate Easy-RSA TLS-Key for use with 'init-pki soft' by @TinCanTech in #1220
• doc: Revoke and Renew, update for Easy-RSA v3.2.1 by @TinCanTech in #1219
• V321 final touches by @TinCanTech in #1221
• inline: Add decimal value for certificate serial number (Linux Only) by @TinCanTech in #1222

New Contributors

• @NathanBaulch made their first contribution in #1169

Full Changelog: v3.2.0...v3.2.1