Skip to content

3.2.1

Latest
Compare
Choose a tag to compare
@ecrist ecrist released this 13 Sep 18:10
· 67 commits to master since this release
3f60a68

Easy-RSA version 3.2.1 - Significant Changes:

Honorable Memorandum: 2024 USA Election.

Add decimal serial number value to inline files:

  • For use with OpenVPN --verify-crl command.

Create OpenVPN style TLS-AUTH and TLS-Crypt keys:

  • Use command gen-tls-auth-key/gen-tls-crypt-key. (TLS-Crypt-V2 is not included)

Add simple way to effectively renew an expired CA certificate:

New global command options for critical X509 Attibutes:

  • --bc-crit - Mark basicConstraints as critical
  • --ku-crit - Mark keyUsage as critical
  • --eku-crit - Mark extendedKeyUsage as critical
  • --san-crit - Mark subjectAltName as critical

New global option --auto-san:

  • Force automatic subjectAltName.

Command write syntax change:

  • Allow specific target-file as command option.
  • Reqire specific command option overwrite, to enable overwriting an existing file.

ChangeLog:

  • inline: Add decimal value for cert. serial (Linux Only) (b33038e) (#1222)
  • Always exit with error for unknown command options (Except nopass) (#1221)
    (build-ca: b2f7912); (gen-req: 07f21d3); (build_full(): 0ff7f4c);
    (export_pkcs(): 2c51288); (set-pass: 1266d4e)
  • Integrate Easy-RSA TLS-Key for use with 'init-pki soft' (03d9dc2) (#1220)
    Note: Inline files that contain private key data are now created in sub-dir
    'pki/inline/private'.
  • easyrsa-tools.lib, show-expire: Add CA certificate to report (a36cd54) (#1215)
  • inline: OpenVPN TLS Keys inlining for TLS-AUTH, TLS-CRYPT-V1 (6e9e4a2) (#1185)
    Note: Command inline only writes directly to inline file not stdout.
  • easyrsa-tools.lib: OpenVPN TLS Key gen. TLS-AUTH, TLS-CRYPT-V1 (cf0da16) (#1185)
  • easyrsa-tools.lib: expire_status_v2() (show-expire version 2) (1e43bf5) (#1214)
  • sign-req: Require 128bit serial number (806ee19) (#1213)
  • Move command 'verify-cert' to Tools-lib; drop 'verify' shortcut (ddbf304) (#1209)
  • Windows secure_session(): Ensure $secured_session dir is created (d99b242) (#1203)
  • Switch to '-f' for file existence (6ab98c9..a02f545) (#1201)
  • inline: Move auto-inline from build_full() to sign_req() (823f70f) (#1201)
  • gen-crl: Create additional CRL in DER format (69df0d8) (#1198)
  • self-sign: Allow Edwards Curve based keys (81b749b) (#1197)
  • Re-enable command 'renew' (version 2): Requires EasyRSA Tools (30fe311) (#1195)
  • bug-fix: revoke: Pass the correct certificate location (24d5514)
  • vars.example: Add flags for auto-SAN and X509 critical attribute (a41dfcc)
  • Global option --eku-crit: Mark X509 extendedKeyUsage as critical (ca09211)
  • sign-req: Add critical and pathlen details to confirmation (deae705) (#1182)
  • export-p12: Automatically generate inline file (9d90370) (#1181)
  • Introduce global option --auto-san, use commonName as SAN (5c36d44) (#1180)
  • Introduce global option --san-crit, mark SAN critical (dd69f50) (#1179)
  • Introduce new global options: --ku-crit and --bc-crit (b79abee) (#1176)
  • gen-req: Always check for existing request file (7eab98e) (#1177)
  • revoke/revoke-expired/-renewed: Keep duplicate certificate (3da7f66) (#1177)
  • revoke-expired/-renewed: Keep req/key files for resigning (4537ae7) (#1177)
  • revoke: Add abbreviations for optional 'reason' (a88ccc7) (#1173)
  • build-ca: Allow use of --req-cn without batch mode (b77a0fb) (#1170)
  • gen-req: Re-enable use of --req-cn (5cf8c46) (#1170)
  • write: Change syntax, target as file, not directory (722ce54) (#1165)

What's Changed

New Contributors

Full Changelog: v3.2.0...v3.2.1