Skip to content

3.2.0

Compare
Choose a tag to compare
@ecrist ecrist released this 18 May 12:19
· 347 commits to master since this release
76115cc

NOTICE: EasyRSA version 3.2.0 is a development snapshot.

EasyRSA v3.2.0 - Most significant changes

New commands:

  • self-sign-server and self-sign-client (#1127)
    Create self-signed certificates for use with OpenVPN Peer Fingerprint mode.
    These certificates comply with other EasyRSA signing policies.

  • expire (#1109)
    Selectively move certificates from the issued/ to expired/ directory.
    This allows a new certificate to be signed from the original signing request file.
    This allows all custom signing options to be applied as required.
    This replaces the old command renew, which has been removed.
    Further details: doc/EasyRSA-Renew-and-Revoke.md

  • write (Commit: c814e0a)
    Create legacy support files: openssl-easyrsa.cnf, x509-types/* and vars.example.
    This allows EasyRSA to be used without having copies of the support files installed.

Removed commands:

  • renew (#1109)
    Replaced by command expire, followed by command sign-req.
    This allows all custom options to be used when signing, which renew did not.

  • rebuild (Commit: d6953cc) and rewind-renew (Commit: 72b4079)
    No longer required.

  • upgrade (Commit: 6a88edd)
    No longer supported.

New Global Option:

  • --new-subject -- Command sign-req option: newsubj (#1111)
    Edit Request Subject during command sign-req

New files:

  • easyrsa-tools.lib (Commit: 214b909)
    Moved code for commands show-expire, show-revoke and show-renew to the new file.
    easyrsa-tools.lib is auto-loaded, if it is found in a supported location. eg. $pwd

  • Revert ca76697: Restore escape_hazard() (b1e9d7a) (#1137)
  • New X509 Type: 'selfsign' Internal only (999533e) (#1135)
  • New commands: self-sign-server and self-sign-client (9f8a1d1) (#1127)
  • build-ca: Command 'req', remove SSL option '-keyout' (4e02c8a) (#1123)
  • Remove escape_hazard(), obsolete (ca76697)
  • Remove command and function display_cn(), unused (be8f400) (#1114)
  • Introduce Options to edit Request Subject during command 'sign-req'
    Global Option: --new-subject -- Command 'sign-req' option: 'newsubj'
    First proposed in: (#439) -- Completed: (83b81c7) (#1111)
  • docs: Update EasyRSA-Renew-and-Revoke.md (f6c2bf5) (#1109)
  • Remove all 'renew' code; replaced by 'expire' code (9d94207) (#1109)
  • Introduce commands: 'expire' and 'revoke-expired' (a1890fa) (#1109)
  • Keep request files [CSR] when revoking certificates (6d6e8d8) (#1109)
  • Restrict use of --req-cn to build-ca (0a46164) (#1098)
  • Remove command 'display-san' (Code removed in 5a06f94) (50e6002) (#1096)
  • help: Add 'copyext'; How to use --copy-ext and --san (5a06f94) (#1096)
  • Allow --san to be used multiple times (5a06f94) (#1096)
  • Remove default server subject alternative name (0b85a5d) (#576)
  • Move Status Reports to 'easyrsa-tools.lib' (214b909) (#1080)
  • export-p12, OpenSSL v1.x: Upgrade PBE and MAC options (60a508a)
    (#1084 - Based on #1081)
  • Windows: Introduce 'Non-Admin' mode (c2823c4) (#1073)
  • LibreSSL: Add fix for missing 'x509' option '-ext' (96dd959) (#1068)
  • Variable heredoc expansion for SSL/Safe Config file (9c5d423) (#1064)

Branch-merge: v3.2.0-beta2 (#1055) 2024/01/13 Commit: d51d79b

  • Always use here-doc version of openssl-easyrsa.cnf (2a8c0de)
    Only use here-doc if the current version is recognised by sha256 hash.
    The current file is NEVER deleted (60216d5). Partially revert: 2a8c0de
  • export-p12: New command option 'legacy'. OpenSSL V3 Only (f8514de)
    Fallback to encryption algorithm RC2_CBC or 3DES_CBC
  • export-p12: Always set 'friendlyName' to file-name-base (da9e594)
  • Update OpenSSL to 3.2.0 (03e4829)

Branch-merge: v3.2.0-beta1 (#1046) 2023/12/15 Commit: 7120876

  • Important note: As of Easy-RSA version 3.2.0-beta1, the configuration files
    vars.example, openssl-eayrsa.cnf and all files in x509-types directory
    are no longer required. Package maintainers can omit these files in the future.
    All files are created as required and deleted upon command completion.
    vars.example is created during init-pki and placed in the fresh PKI.
    These files will be retained for downstream packaging compatibility.

  • Rename X509-type file code-signing to codeSigning (1c6b31a)
    The original file will be retained as code-signing, however, the automatic
    X509-types creation will name the file codeSigning. This effectively means
    that both are valid X509-types, until code-signing is dropped.

  • init-pki: Always write vars.example file to fresh PKI (66a8f3e)

  • New command 'write': Write 'legacy' files to stdout or files (c814e0a)

  • Remove command 'make-safe-ssl': Replaced by command 'write safe-cnf' (c814e0a)

  • New Command 'rand': Expose easyrsa_random() to the command line (6131cbf)

  • Remove function 'set_pass_legacy()' (7470c2a)

  • Remove command 'rewind-renew' (72b4079)

  • Remove command 'rebuild' (d6953cc)

  • Remove command 'upgrade' (6a88edd)

Branch-merge: v3.2.0-alpha2 (#1043) 2023/12/7 Commit: ed0dc46

  • Remove EASYRSA_NO_VARS; Allow graceful use without a vars file (3c0ca17)

Branch-merge: v3.2.0-alpha1 (#1041) 2023/12/2 Commit: 42c2e95

  • New diagnostic command 'display-cn' (#1040)
  • Expand renewable certificate types to include code-signing (#1039)

What's Changed

New Contributors

Full Changelog: v3.1.7...v3.2.0