Comments (5)
Good point, thanks for the report.
I think the way to resolve this is to use the already-existing x509-types/ dir layout (which defaults to the currently supplied options in the .cnf file for the 'ca' type) and use the -extfile flag to the x509 command. The idea here is to make the CA signing process more like how sign_req() works currently, supporting both x509-types/ and env-var additions to the certificate extensions.
For sites that wish to use different options for a self-signed CA versus signing other sub-CA requests, the default 'ca' file under x509-types/ can be copied to a sub_ca extensions file, or the equivalent approach used with env-vars.
from easy-rsa.
This essentially boils down to build-ca supporting EASYRSA_EXTRA_EXTS.
Linking: #525
Solution:
- add: nameConstraints=permitted;DNS:example.com to x509-types/ca
- Pending #526
There is no env:vars solution, at this time.
from easy-rsa.
There is also another problem:
Lines 379 to 388 in 9970d62
req_extensions do not fly for CAs.
@luizluca EASYRSA_EXTRA_EXTS may not belong inside of easyrsa_openssl()
from easy-rsa.
The bottom line is: EASYRSA_EXTRA_EXTS is not the variable to use for CA extensions.
PRs welcome.
Easy fix:
EASYRSA_CA_EXTRA_EXTS="$EASYRSA_EXTRA_EXTS"
unset -v EASYRSA_EXTRA_EXTS
from easy-rsa.
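The approach sketched in the first and second comments (x509-types/ca defaults plus env-var additions, the nameConstraints line, all handed to `openssl x509 -extfile`), using the EASYRSA_CA_EXTRA_EXTS name from the "easy fix" above, as an added stand-alone shell example. This is not easy-rsa's own code: the x509-types/ca contents, the EASYRSA_CA_EXTRA_EXTS variable and the build_ca_extfile/sign_self_ca helpers are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not easy-rsa's own code. Builds the CA extension file the
# thread proposes: x509-types/ca defaults, an optional nameConstraints line,
# then the contents of EASYRSA_CA_EXTRA_EXTS (assumed variable name), and
# passes it to `openssl x509 -extfile` when self-signing the CA.

# Write a constructed x509-types/ca file with typical CA defaults.
write_default_ca_type() {
    mkdir -p "$1/x509-types"
    cat > "$1/x509-types/ca" <<'EOF'
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = cRLSign, keyCertSign
EOF
}

# build_ca_extfile PKI_DIR OUT_FILE [PERMITTED_DNS]
# Compose the -extfile: type defaults, then the name constraint, then any
# extra lines from the environment (one "name = value" per line).
build_ca_extfile() {
    pki="$1"; out="$2"; permitted_dns="$3"
    cat "$pki/x509-types/ca" > "$out"
    if [ -n "$permitted_dns" ]; then
        printf 'nameConstraints=permitted;DNS:%s\n' "$permitted_dns" >> "$out"
    fi
    if [ -n "$EASYRSA_CA_EXTRA_EXTS" ]; then
        printf '%s\n' "$EASYRSA_CA_EXTRA_EXTS" >> "$out"
    fi
}

# sign_self_ca PKI_DIR EXT_FILE
# Generate a key and request, then self-sign with the composed extensions
# via `openssl x509 -req -extfile`, as the first comment suggests.
sign_self_ca() {
    pki="$1"; extfile="$2"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$pki/ca.key" \
        -subj "/CN=Example CA" -out "$pki/ca.req" 2>/dev/null &&
    openssl x509 -req -in "$pki/ca.req" -signkey "$pki/ca.key" -days 3650 \
        -extfile "$extfile" -out "$pki/ca.crt" 2>/dev/null
}
```

Inspect the result with `openssl x509 -in ca.crt -noout -text`; the X509v3 Name Constraints block should list the permitted DNS name.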
Feedback welcome.
from easy-rsa.