Releases: OpenVPN/easy-rsa

3.2.1

13 Sep 18:10
3f60a68

Easy-RSA version 3.2.1 - Significant Changes:

Honorable Memorandum: 2024 USA Election.

Add decimal serial number value to inline files:

  • For use with the OpenVPN --crl-verify option; its directory mode names revoked certificates by decimal serial number.

Create OpenVPN style TLS-AUTH and TLS-Crypt keys:

  • Use commands gen-tls-auth-key and gen-tls-crypt-key. (TLS-Crypt-V2 is not included.)
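
The file these two commands produce is OpenVPN's "Static key V1" format, the same layout openvpn --genkey writes: 2048 random bits rendered as 16 lines of 32 hex characters between BEGIN/END markers, usable for either --tls-auth or --tls-crypt. The Python below is an added example, not Easy-RSA's own code: it generates, validates and inlines such a key the way the inline command does, and shows the one difference between the two inline forms (a <tls-auth> block is normally paired with a key-direction line because the inline form cannot carry the direction argument; a <tls-crypt> block is bidirectional and takes none). Function names, the strictness of the validation, and the known key bytes used by the self-test are this example's own.

```python
"""OpenVPN 'Static key V1' handling: generate, validate and inline.

Added example, not Easy-RSA's own code. Format details follow OpenVPN's key
writer: 2048 random bits, 16 hex lines of 16 bytes each, between
'-----BEGIN/END OpenVPN Static key V1-----' markers.
"""
import os
import re

KEY_BYTES = 256            # 2048 bits, the size OpenVPN's --genkey produces
BYTES_PER_LINE = 16        # rendered as 32 hex characters per line
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
_HEX_LINE = re.compile(r"[0-9a-fA-F]{32}")


def gen_static_key(raw=None):
    """Return the text of a key file.

    'raw' exists so a caller (e.g. a test) can supply known bytes; real
    callers leave it None and get KEY_BYTES from the OS CSPRNG.
    """
    if raw is None:
        raw = os.urandom(KEY_BYTES)
    if len(raw) != KEY_BYTES:
        raise ValueError("static key must be exactly %d bytes" % KEY_BYTES)
    hexkey = raw.hex()
    step = 2 * BYTES_PER_LINE
    lines = [hexkey[i:i + step] for i in range(0, len(hexkey), step)]
    return ("#\n# 2048 bit OpenVPN static key\n#\n"
            + BEGIN + "\n" + "\n".join(lines) + "\n" + END + "\n")


def parse_static_key(text):
    """Validate a key file and return its 256 raw bytes.

    Anything that is not exactly one well-formed V1 block is rejected, so a
    truncated or hand-edited key is caught before it is inlined.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if len(lines) < 2 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing OpenVPN Static key V1 markers")
    body = lines[1:-1]
    want = KEY_BYTES // BYTES_PER_LINE
    if len(body) != want:
        raise ValueError("expected %d key lines, got %d" % (want, len(body)))
    if not all(_HEX_LINE.fullmatch(ln) for ln in body):
        raise ValueError("key body is not 32-character hex lines")
    return bytes.fromhex("".join(body))


def inline_key(text, kind, key_direction=None):
    """Return the inline config block for a validated key.

    tls-auth is normally used directionally (server 0, client 1) and the
    inline form cannot carry the direction argument, so this example insists
    on a 'key-direction' line. tls-crypt is bidirectional and takes none.
    """
    parse_static_key(text)                      # never inline a corrupt key
    if kind == "tls-auth":
        if key_direction not in (0, 1):
            raise ValueError("tls-auth: give key_direction 0 (server) or 1 (client)")
        header = "key-direction %d\n" % key_direction
    elif kind == "tls-crypt":
        if key_direction is not None:
            raise ValueError("tls-crypt keys are not directional")
        header = ""
    else:
        raise ValueError("kind must be 'tls-auth' or 'tls-crypt'")
    return "%s<%s>\n%s</%s>\n" % (header, kind, text, kind)


if __name__ == "__main__":
    key = gen_static_key()
    print(inline_key(key, "tls-crypt"), end="")
```

The inline text still carries the shared secret, so it belongs with the private-key inline files (the ChangeLog below notes those are written under pki/inline/private) and should be created with mode 0600, not copied into a world-readable client config directory.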

Add simple way to effectively renew an expired CA certificate:

New global command options for critical X509 attributes:

  • --bc-crit - Mark basicConstraints as critical
  • --ku-crit - Mark keyUsage as critical
  • --eku-crit - Mark extendedKeyUsage as critical
  • --san-crit - Mark subjectAltName as critical

New global option --auto-san:

  • Force automatic subjectAltName.
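
What the four --*-crit switches change is a single flag inside each X.509 extension, and the reason it matters is the processing rule in RFC 5280 section 4.2: a verifier that does not recognise an extension marked critical must reject the certificate, while an unrecognised non-critical extension is simply ignored. Marking basicConstraints or keyUsage critical therefore turns "a relying party that ignores them" into a hard failure rather than a silent bypass. The Python below is an added example, not Easy-RSA's code (Easy-RSA hands these flags to openssl): it DER-encodes an Extensions sequence with the flag set or clear, parses it back, and applies that rejection rule. The OIDs and the basicConstraints/keyUsage sample values are the standard encodings; the function names and the vendor OID used to stand in for an "unknown" extension are this example's own.

```python
"""X.509 extension criticality at the DER level, and the verifier rule it drives.

Added example, not Easy-RSA's code (Easy-RSA passes these flags to openssl).
Encodes / decodes   Extension ::= SEQUENCE {
                        extnID     OBJECT IDENTIFIER,
                        critical   BOOLEAN DEFAULT FALSE,
                        extnValue  OCTET STRING }
and applies RFC 5280 4.2: reject a certificate carrying a critical extension
the verifier does not recognise; ignore an unrecognised non-critical one.
"""

# Standard OIDs for the four extensions the --*-crit switches control.
BASIC_CONSTRAINTS = "2.5.29.19"
KEY_USAGE = "2.5.29.15"
EXT_KEY_USAGE = "2.5.29.37"
SUBJECT_ALT_NAME = "2.5.29.17"

SEQUENCE, OID, BOOLEAN, OCTET_STRING = 0x30, 0x06, 0x01, 0x04


def _length(n):
    """DER length: short form below 128, else 0x80|len followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def _encode_oid(dotted):
    """Dotted OID -> DER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(OID, bytes(out))


def encode_extension(oid, value, critical):
    """DER never encodes a DEFAULT value, so 'critical FALSE' is simply absent
    and 'critical TRUE' is the three bytes 01 01 ff."""
    flag = _tlv(BOOLEAN, b"\xff") if critical else b""
    return _tlv(SEQUENCE, _encode_oid(oid) + flag + _tlv(OCTET_STRING, value))


def encode_extensions(exts):
    """exts: iterable of (oid, der_value, critical) -> DER Extensions SEQUENCE."""
    return _tlv(SEQUENCE, b"".join(encode_extension(o, v, c) for o, v, c in exts))


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_extensions(der):
    """DER Extensions -> list of (oid, critical, value)."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Extensions must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = _read_tlv(seq, pos)
        if tag != SEQUENCE:
            raise ValueError("Extension must be a SEQUENCE")
        tag, body, p = _read_tlv(ext, 0)
        if tag != OID:
            raise ValueError("extnID must be an OID")
        oid = _decode_oid(body)
        tag, body, p = _read_tlv(ext, p)
        critical = False
        if tag == BOOLEAN:
            if body != b"\xff":          # DER: TRUE is 0xff; FALSE must be omitted
                raise ValueError("non-DER critical flag %r" % body)
            critical = True
            tag, body, p = _read_tlv(ext, p)
        if tag != OCTET_STRING or p != len(ext):
            raise ValueError("extnValue must be the final OCTET STRING")
        out.append((oid, critical, body))
    return out


def accept_extensions(der, understood):
    """RFC 5280 4.2 processing rule. Returns (accepted, reason)."""
    for oid, critical, _ in parse_extensions(der):
        if critical and oid not in understood:
            return False, "unrecognised critical extension " + oid
    return True, "ok"


# Sample: what a CA certificate built with --bc-crit --ku-crit carries.
CA_EXTS = encode_extensions([
    (BASIC_CONSTRAINTS, bytes.fromhex("30030101ff"), True),   # cA = TRUE
    (KEY_USAGE, bytes.fromhex("03020106"), True),             # keyCertSign | cRLSign
])

if __name__ == "__main__":
    for oid, crit, val in parse_extensions(CA_EXTS):
        print(oid, "critical" if crit else "non-critical", val.hex())
    print(accept_extensions(CA_EXTS, {BASIC_CONSTRAINTS}))   # keyUsage unknown -> rejected
```

The critical basicConstraints encoding this produces (30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff) is byte-for-byte what "openssl x509 -text" reports as "X509v3 Basic Constraints: critical / CA:TRUE"; drop the flag and the 01 01 ff disappears and the length shrinks by three, nothing else changes.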

Command write syntax change:

  • Allow specific target-file as command option.
  • Require the specific command option overwrite to enable overwriting an existing file.
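
The new write rule (create the target, never replace it unless overwrite is given) is easy to implement wrongly as "if the file does not exist, open it for writing", which leaves a window between the check and the open in which a file or symlink dropped at the path redirects the write. The Python below is an added example, not Easy-RSA's implementation: it lets the kernel make the existence check and the create a single O_EXCL open, and when overwrite is given it replaces the target through a temporary file and an atomic rename so a crash never leaves a half-written config or key. Function names and the sample vars content are this example's own.

```python
"""Create-or-refuse file writing, the rule the 'write' command now follows.

Added example, not Easy-RSA's implementation. The existence check and the
create are one O_EXCL open, so nothing planted at the path between a
'does it exist?' test and the write can redirect it; an explicit overwrite
goes through a temporary file and an atomic rename.
"""
import os
import tempfile


def write_target(path, data, overwrite=False, private=False):
    """Write 'data' to 'path'.

    Returns "created" or "overwritten". Raises FileExistsError when the
    target (file, symlink, anything) already exists and overwrite is False.
    Files holding key material get mode 0600, everything else 0644.
    """
    mode = 0o600 if private else 0o644
    try:
        # O_EXCL makes the kernel refuse if *any* directory entry exists,
        # including a dangling symlink, and it decides atomically.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    except FileExistsError:
        if not overwrite:
            raise FileExistsError("%s exists; pass overwrite to replace it" % path)
        return _replace(path, data, mode)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return "created"


def _replace(path, data, mode):
    """Replace an existing target without ever exposing a half-written file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".write-")   # created 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
        os.chmod(tmp, mode)
        os.replace(tmp, path)              # atomic rename on the same filesystem
    except BaseException:
        os.unlink(tmp)
        raise
    return "overwritten"


def self_check():
    """Exercise the rule in a scratch directory; returns the observed outcomes."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        vars_file = os.path.join(d, "vars")      # sample target, sample content
        key_file = os.path.join(d, "ta.key")
        results.append(write_target(vars_file, "set_var EASYRSA_KEY_SIZE 4096\n"))
        try:
            write_target(vars_file, "set_var EASYRSA_KEY_SIZE 2048\n")
            results.append("clobbered")
        except FileExistsError:
            results.append("refused")
        results.append(write_target(vars_file, "set_var EASYRSA_KEY_SIZE 2048\n",
                                    overwrite=True))
        with open(vars_file) as f:
            results.append(f.read().strip())
        results.append(write_target(key_file, "sample key material\n", private=True))
        results.append(oct(os.stat(key_file).st_mode & 0o777))
    return results


if __name__ == "__main__":
    print(self_check())
```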

ChangeLog:

  • inline: Add decimal value for cert. serial (Linux Only) (b33038e) (#1222)
  • Always exit with error for unknown command options (Except nopass) (#1221)
    (build-ca: b2f7912); (gen-req: 07f21d3); (build_full(): 0ff7f4c);
    (export_pkcs(): 2c51288); (set-pass: 1266d4e)
  • Integrate Easy-RSA TLS-Key for use with 'init-pki soft' (03d9dc2) (#1220)
    Note: Inline files that contain private key data are now created in sub-dir
    'pki/inline/private'.
  • easyrsa-tools.lib, show-expire: Add CA certificate to report (a36cd54) (#1215)
  • inline: OpenVPN TLS Keys inlining for TLS-AUTH, TLS-CRYPT-V1 (6e9e4a2) (#1185)
    Note: Command inline only writes directly to inline file not stdout.
  • easyrsa-tools.lib: OpenVPN TLS Key gen. TLS-AUTH, TLS-CRYPT-V1 (cf0da16) (#1185)
  • easyrsa-tools.lib: expire_status_v2() (show-expire version 2) (1e43bf5) (#1214)
  • sign-req: Require 128bit serial number (806ee19) (#1213)
  • Move command 'verify-cert' to Tools-lib; drop 'verify' shortcut (ddbf304) (#1209)
  • Windows secure_session(): Ensure $secured_session dir is created (d99b242) (#1203)
  • Switch to '-f' for file existence (6ab98c9..a02f545) (#1201)
  • inline: Move auto-inline from build_full() to sign_req() (823f70f) (#1201)
  • gen-crl: Create additional CRL in DER format (69df0d8) (#1198)
  • self-sign: Allow Edwards Curve based keys (81b749b) (#1197)
  • Re-enable command 'renew' (version 2): Requires EasyRSA Tools (30fe311) (#1195)
  • bug-fix: revoke: Pass the correct certificate location (24d5514)
  • vars.example: Add flags for auto-SAN and X509 critical attribute (a41dfcc)
  • Global option --eku-crit: Mark X509 extendedKeyUsage as critical (ca09211)
  • sign-req: Add critical and pathlen details to confirmation (deae705) (#1182)
  • export-p12: Automatically generate inline file (9d90370) (#1181)
  • Introduce global option --auto-san, use commonName as SAN (5c36d44) (#1180)
  • Introduce global option --san-crit, mark SAN critical (dd69f50) (#1179)
  • Introduce new global options: --ku-crit and --bc-crit (b79abee) (#1176)
  • gen-req: Always check for existing request file (7eab98e) (#1177)
  • revoke/revoke-expired/-renewed: Keep duplicate certificate (3da7f66) (#1177)
  • revoke-expired/-renewed: Keep req/key files for resigning (4537ae7) (#1177)
  • revoke: Add abbreviations for optional 'reason' (a88ccc7) (#1173)
  • build-ca: Allow use of --req-cn without batch mode (b77a0fb) (#1170)
  • gen-req: Re-enable use of --req-cn (5cf8c46) (#1170)
  • write: Change syntax, target as file, not directory (722ce54) (#1165)

Full Changelog: v3.2.0...v3.2.1

3.2.0

18 May 12:19
76115cc

NOTICE: EasyRSA version 3.2.0 is a development snapshot.

EasyRSA v3.2.0 - Most significant changes

New commands:

  • self-sign-server and self-sign-client (#1127)
    Create self-signed certificates for use with OpenVPN Peer Fingerprint mode.
    These certificates comply with other EasyRSA signing policies.

  • expire (#1109)
    Selectively move certificates from the issued/ to expired/ directory.
    This allows a new certificate to be signed from the original signing request file.
    This allows all custom signing options to be applied as required.
    This replaces the old command renew, which has been removed.
    Further details: doc/EasyRSA-Renew-and-Revoke.md

  • write (Commit: c814e0a)
    Create legacy support files: openssl-easyrsa.cnf, x509-types/* and vars.example.
    This allows EasyRSA to be used without having copies of the support files installed.

Removed commands:

  • renew (#1109)
    Replaced by command expire, followed by command sign-req.
    This allows all custom options to be used when signing, which renew did not.

  • rebuild (Commit: d6953cc) and rewind-renew (Commit: 72b4079)
    No longer required.

  • upgrade (Commit: 6a88edd)
    No longer supported.

New Global Option:

  • --new-subject -- Command sign-req option: newsubj (#1111)
    Edit Request Subject during command sign-req

New files:

  • easyrsa-tools.lib (Commit: 214b909)
    Moved code for commands show-expire, show-revoke and show-renew to the new file.
    easyrsa-tools.lib is auto-loaded if it is found in a supported location, e.g. $PWD.

  • Revert ca76697: Restore escape_hazard() (b1e9d7a) (#1137)
  • New X509 Type: 'selfsign' Internal only (999533e) (#1135)
  • New commands: self-sign-server and self-sign-client (9f8a1d1) (#1127)
  • build-ca: Command 'req', remove SSL option '-keyout' (4e02c8a) (#1123)
  • Remove escape_hazard(), obsolete (ca76697)
  • Remove command and function display_cn(), unused (be8f400) (#1114)
  • Introduce Options to edit Request Subject during command 'sign-req'
    Global Option: --new-subject -- Command 'sign-req' option: 'newsubj'
    First proposed in: (#439) -- Completed: (83b81c7) (#1111)
  • docs: Update EasyRSA-Renew-and-Revoke.md (f6c2bf5) (#1109)
  • Remove all 'renew' code; replaced by 'expire' code (9d94207) (#1109)
  • Introduce commands: 'expire' and 'revoke-expired' (a1890fa) (#1109)
  • Keep request files [CSR] when revoking certificates (6d6e8d8) (#1109)
  • Restrict use of --req-cn to build-ca (0a46164) (#1098)
  • Remove command 'display-san' (Code removed in 5a06f94) (50e6002) (#1096)
  • help: Add 'copyext'; How to use --copy-ext and --san (5a06f94) (#1096)
  • Allow --san to be used multiple times (5a06f94) (#1096)
  • Remove default server subject alternative name (0b85a5d) (#576)
  • Move Status Reports to 'easyrsa-tools.lib' (214b909) (#1080)
  • export-p12, OpenSSL v1.x: Upgrade PBE and MAC options (60a508a)
    (#1084 - Based on #1081)
  • Windows: Introduce 'Non-Admin' mode (c2823c4) (#1073)
  • LibreSSL: Add fix for missing 'x509' option '-ext' (96dd959) (#1068)
  • Variable heredoc expansion for SSL/Safe Config file (9c5d423) (#1064)

Branch-merge: v3.2.0-beta2 (#1055) 2024/01/13 Commit: d51d79b

  • Always use here-doc version of openssl-easyrsa.cnf (2a8c0de)
    Only use here-doc if the current version is recognised by sha256 hash.
    The current file is NEVER deleted (60216d5). Partially revert: 2a8c0de
  • export-p12: New command option 'legacy'. OpenSSL V3 Only (f8514de)
    Fallback to encryption algorithm RC2_CBC or 3DES_CBC
  • export-p12: Always set 'friendlyName' to file-name-base (da9e594)
  • Update OpenSSL to 3.2.0 (03e4829)

Branch-merge: v3.2.0-beta1 (#1046) 2023/12/15 Commit: 7120876

  • Important note: As of Easy-RSA version 3.2.0-beta1, the configuration files
    vars.example, openssl-easyrsa.cnf and all files in x509-types directory
    are no longer required. Package maintainers can omit these files in the future.
    All files are created as required and deleted upon command completion.
    vars.example is created during init-pki and placed in the fresh PKI.
    These files will be retained for downstream packaging compatibility.

  • Rename X509-type file code-signing to codeSigning (1c6b31a)
    The original file will be retained as code-signing, however, the automatic
    X509-types creation will name the file codeSigning. This effectively means
    that both are valid X509-types, until code-signing is dropped.

  • init-pki: Always write vars.example file to fresh PKI (66a8f3e)

  • New command 'write': Write 'legacy' files to stdout or files (c814e0a)

  • Remove command 'make-safe-ssl': Replaced by command 'write safe-cnf' (c814e0a)

  • New Command 'rand': Expose easyrsa_random() to the command line (6131cbf)

  • Remove function 'set_pass_legacy()' (7470c2a)

  • Remove command 'rewind-renew' (72b4079)

  • Remove command 'rebuild' (d6953cc)

  • Remove command 'upgrade' (6a88edd)

Branch-merge: v3.2.0-alpha2 (#1043) 2023/12/7 Commit: ed0dc46

  • Remove EASYRSA_NO_VARS; Allow graceful use without a vars file (3c0ca17)

Branch-merge: v3.2.0-alpha1 (#1041) 2023/12/2 Commit: 42c2e95

  • New diagnostic command 'display-cn' (#1040)
  • Expand renewable certificate types to include code-signing (#1039)

Full Changelog: v3.1.7...v3.2.0

v3.1.7

13 Oct 22:34
3c233d2

3.1.7 (2023-10-13)

  • Rewrite vars-auto-detect, adhere to EasyRSA-Advanced.md (#1029)
    Under the hood, this is a considerable change, but there are no
    user-noticeable differences, with one exception:
    Caveat: The default '$PWD/pki/vars' file is forbidden to change either
    EASYRSA or EASYRSA_PKI, which are both implied by default.
  • EasyRSA-Advanced.md: Correct vars-auto-detect hierarchy (#1029)
    Commit: ecd6506
    EASYRSA/vars is moved to a higher priority than a default PKI.
    vars-auto-detect no longer searches 'easyrsa' program directory.
  • gen-crl: preserve existing crl.pem ownership+mode (#1020)
  • New command: make-vars - Print vars.example (here-doc) to stdout (#1024)
  • show-expire: Calculate cert. expire seconds from DB date (#1023)
  • Update OpenSSL to 3.1.2

Full Changelog: v3.1.6...v3.1.7

v3.1.6

18 Aug 14:29
9850ced

Update: Before using v3.1.6, please see this issue #1009

Full Changelog: v3.1.5...v3.1.6

v3.1.5

10 Jun 14:03
a8d43bc

3.1.5 (2023-06-10)

  • Build Update: script now supports signing and verifying

  • Automate support-file creation (Free packaging) (#964)

  • build-ca: New command option 'raw-ca', abbreviation: 'raw' (#963)

    This 'raw' method is the most reliable way to build a CA with a password
    without writing the CA password to a temp-file.

This option completely replaces both methods below:

  • build-ca: New option --ca-via-stdin, use SSL -pass* argument 'stdin' (#959)
    Option '--ca-via-stdin' offers no more security than the standard method.
    Easy-RSA version 3.1.4 ONLY.

  • build-ca: Replace password temp-files with file-descriptors (#955)
    Using file-descriptors does not work in Windows.
    Easy-RSA version 3.1.3 ONLY.

What's Changed

  • build-ca: New command option 'raw-ca', abbreviation: 'raw' by @TinCanTech in #963
  • Automate support-file creation (Free packaging) by @TinCanTech in #964

Full Changelog: v3.1.4...v3.1.5

v3.1.4

24 May 12:07
a7284a1

3.1.4 (2023-05-23)

  • build-ca: New option --ca-via-stdin, use SSL -pass* argument 'stdin' (#959)

  • build-ca: Revert manual CA password method to temp-files (#959)
    Supersedes #955

    Release v3.1.3 was fatally flawed, it would fail to build a CA under Windows.
    Release v3.1.4 is specifically a bugfix ONLY, to resolve the Windows problem.

    See the following commits for further details:
    5d7ad13
    build-ca: Revert manual CA password method to temp-files
    c11135d
    build-ca: Use OpenSSL password I/O argument 'stdin'
    27870d6
    build-ca: Replace password temp-file method with file-descriptors
    Superseded by 5d7ad13 above.

Full Changelog: v3.1.3...v3.1.4

v3.1.3

19 May 12:59
3fa9cd8

Full Changelog: v3.1.2...v3.1.3

v3.1.2

13 Jan 21:59
354c20d

Full Changelog: v3.1.1...v3.1.2

v3.1.1

13 Oct 11:42
2083fb2

2022-10-14 - Signatures were corrupted on upload. Re-uploading verified sigs.

What's Changed

  • Standardise all output for warn(), notice() and message():[New] by @TinCanTech in #574
  • Expand status reports to include checking a single certificate by @TinCanTech in #577
  • Introduce 'rewind-renew' - Recover "guineapig" renewed certificates by @TinCanTech in #579
  • Improve revocation and renewal functions by @TinCanTech in #580
  • Correctly quote 'sed' and auto-escape ampersand by @TinCanTech in #584
  • Auto-escape '&' and '$' in 'org' mode fields - Other minor tweaks by @TinCanTech in #590
  • Remove restrictive 30-day window hindering 'renew' by @TinCanTech in #594
  • Replace cert dates by @TinCanTech in #595
  • Introduce 'serialNumber' field for DN (OID 2.5.4.5) by @TinCanTech in #606
  • Upgrade-23: Assign a secure session for temporary directory by @TinCanTech in #623
  • Introduce 'renew-req': Create new CSR for an existing private key by @TinCanTech in #616
  • Restore files when 'renew' fails during 'build_full()' phase by @TinCanTech in #617
  • Ensure 'pki/renewed/' exist for 'rewind-renew' by @TinCanTech in #618
  • Allow vars file to exist in current directory (Fix make-cadir) by @TinCanTech in #635
  • gen-dh: Use temporary file by @TinCanTech in #636
  • sign-req: Prohibit COMMON as a certificate type by @TinCanTech in #637
  • show: Reorder parameter checks to guard against empty input by @TinCanTech in #639
  • verify_ca_init: Reorder names to improve error message by @TinCanTech in #638
  • Re-enable the use of --vars=file for init-pki by @TinCanTech in #640
  • Expand the possible values of $prog_dir, include full path by @TinCanTech in #641
  • vars_setup(): Always warn about unsupported characters in vars by @TinCanTech in #642
  • renew: Improve notices and input check by @TinCanTech in #645
  • Options: Check that $val is numeric when a number is expected by @TinCanTech in #646
  • Unsupported characters: Correct check and warning message by @TinCanTech in #649
  • sign-req: Enforce X509-type files exist and are used. (#581) by @TinCanTech in #650
  • cleanup: Make "clean line" respect silent, batch and quiet modes by @TinCanTech in #652
  • Overhaul vars detection by @TinCanTech in #655
  • detect_host: Use SSL Library version from EasyRSA version by @TinCanTech in #656
  • Options: Add '-s' to also enable --silent mode. by @TinCanTech in #657
  • Options: Rescind deprecation notice of option --req-cn by @TinCanTech in #660
  • x509-types: Add x509-types location to usage() STATUS by @TinCanTech in #662
  • vars_setup: Correctly locate x509-types for usage() directory STATUS by @TinCanTech in #665
  • x509-types: Reset non-existent x509-types dir set by vars by @TinCanTech in #666
  • fixed typo by @ashutoshojha5 in #670
  • Options: Expand alias '--days' to all suitable options with a period by @TinCanTech in #674
  • Options: Introduce --keep-tmp=NAME; Keep the temporary session data by @TinCanTech in #667
  • Option --req-cn: Restore original behavior from v30x series by @TinCanTech in #682
  • renew-req: Add command option 'nopass' by @TinCanTech in #683
  • Remove renew-req by @TinCanTech in #685
  • Documentation: Add EasyRSA-Renew-and-Revoke.md by @TinCanTech in #690
  • X509-types: Always check SSL config file for EasyRSA insert-markers by @TinCanTech in #695
  • Rename 'renew' to 'rebuild' - Introduce 'renew' version 3 by @TinCanTech in #688
  • build-ca: Check x509-types 'ca' and 'COMMON' files exist by @TinCanTech in #697
  • Status Report 'show-renew': Include renewed certs from /cert_by_serial by @TinCanTech in #700
  • Doc-Update: Note that all changes were included with Easy-RSA v3.1.1 by @TinCanTech in #701
  • ChangeLog: Final update for v3.1.1 by @TinCanTech in #702
  • build_full: Remove sign_req() subshell and do full cleanup by @TinCanTech in #705
  • Option --keep-tmp: Append EASYRSA_TEMP_DIR_session random number by @TinCanTech in #711
  • Option --keep-tmp: Reliability improvements by @TinCanTech in #712
  • Opt. --subca-len: basicConstraints CA extension, Append 'pathlen:N' by @TinCanTech in #706
  • Refactor Netscape support by @TinCanTech in #710
  • help: Document supported certificate X509 types by @TinCanTech in #704
  • Remove obsolete command 'renewable' by @TinCanTech in #715
  • Doc: EasyRSA-Contributing.md - Update by @TinCanTech in #719
  • init-pki soft: Include delete of revoked and renewed sub-directories by @TinCanTech in #720

Full Changelog: v3.1.0...v3.1.1

EasyRSA 3.1.0

19 May 02:00
1600b3f

NOTICE

This version of EasyRSA introduces OpenSSL 3 (3.0.3). Effectively, v3.1.0 is nearly identical to v3.0.9, but we ship different binaries in the Windows package. @TinCanTech has put a great deal of work into support for the new OpenSSL, but there may be bugs. We intend to make big changes early in the v3.1.x branch and only back-port bug fixes to v3.0.x going forward.

Full Changelog: v3.0.9...v3.1.0

Our ChangeLog

3.1.0 (2022-05-18)
   * Introduce basic support for OpenSSL version 3 (#492)
   * Update regex in grep to be POSIX compliant (#556)
   * Introduce status reporting tools (#555 & #557)
   * Display certificates using UTF8 (#551)
   * Allow certificates to be created with fixed date offset (#550)
   * Add 'verify' to verify certificate against CA (#549)
   * Add PKCS#12 alias 'friendlyName' (#544)
   * Disallow use of '--vars=FILE init-pki' (#566)
   * Support multiple IP-Addresses in SAN (#564)
   * Add option '--renew-days=NN', custom renew grace period (#557)
   * Add 'nopass' option to the 'export-pkcs' functions (#411)
   * Add support for 'busybox' (#543)
   * Add option '--tmp-dir=DIR' to declare Temp-dir (Commit f503a22)