
Comments (18)

bjoernv avatar bjoernv commented on June 28, 2024 19

Please re-open this bug. Currently Easyrsa does not provide any clear and documented way to renew certificates.

Currently I need this feature, because I want to renew all HTTPS certificates so that current Google Chrome browsers trust them. See #126

I see that the feature cannot be easily implemented in Easyrsa, because the CN name is also the certificate name in Easyrsa. To distinguish older and newer certificates for the same CN we need something like a suffix (e.g. fileserver~2017, fileserver~2018) or special directories for all older certificates. I do not want to delete older certificates from the Easyrsa directories, because this makes it difficult to revoke them later (see hack https://stackoverflow.com/questions/9496698/how-to-revoke-an-openssl-certificate-when-you-dont-have-the-certificate) in general and impossible to revoke them with the Easyrsa commands.

from easy-rsa.

cochiseruhulessin avatar cochiseruhulessin commented on June 28, 2024 12

This should be supported.

Users are lazy.

They will instead just generate certificates with a 10 year valid period.

from easy-rsa.

kevinejohn avatar kevinejohn commented on June 28, 2024 11

@mailinglists35 you should fork it and rename it to hard-rsa

from easy-rsa.

mailinglists35 avatar mailinglists35 commented on June 28, 2024 5

@ecrist can you describe an EASY way to give a person a new certificate before the old one expires, without modifying anything in the configuration, just by using default easy-rsa package settings and reading its documentation that NOWHERE says anything about how to renew a certificate?

why did you close this issue, as this is about an EASY way to perform the mentioned action? this issue is not about unique_subject! what closing means? that you refuse to provide an EASY way to do something with a program called itself EASY ?!

from easy-rsa.

mailinglists35 avatar mailinglists35 commented on June 28, 2024 2

@ecrist do we have different definitions of the word "Easy"?

from easy-rsa.

mailinglists35 avatar mailinglists35 commented on June 28, 2024 2

@kylemanna do you understand English?

from easy-rsa.

mailinglists35 avatar mailinglists35 commented on June 28, 2024 1

@ecrist "Do not follow the advice of mailinglist35", excuse me, but what advice I am giving?

-=[ please reread the subject of the issue. focus on the "E" word ]=-

you do not give me the end user an EASY way to give Bob a new certificate once the old one expires (not to mention that I want almost every time Bob to have two valid certs when the old one is about to expire, to give him and me plenty of time to replace the old cert); every time I want to give Bob a new certificate, instead of typing . ./build-key bob I must type . ./build-key bob-$some_timestamp.

this is not the way I expected to work from a software that calls itself EASY, especially when using openssl directly I can always reissue a new cert to Bob using his private key. but wait, what's the point of calling openssl directly when I am supposed to have an EASIER tool at hand?

I really don't care what you do in the backend to achieve this - unique_subject, or else - as long as I can type renew-cert bob it would be fine for me.

from easy-rsa.

jirutka avatar jirutka commented on June 28, 2024 1

I agree with @mailinglists35, this is a very common use case and it's a pity that EasyRSA doesn't provide a convenient command for it.

from easy-rsa.

ecrist avatar ecrist commented on June 28, 2024

It is not recommended to ever manually update those files. Do not follow the advice of mailinglist35.

On Oct 21, 2015, at 10:43 AM, mailinglists35 [email protected] wrote:

advice in issue #40 is to modify openssl.conf and index.txt.attr and index.attr.old

why me as an end-user of the product I have to resort to these hacks instead of having a renew-cert tool available?

why does openssl natively allow renewing a certificate using existing key while "easy" rsa makes it anyway BUT "EASY" this process?



from easy-rsa.

ecrist avatar ecrist commented on June 28, 2024

You can always change the default value to something you prefer. Editing the files is not the correct way to perform the action.

Eric

On Oct 26, 2015, at 04:42:55, mailinglists35 [email protected] wrote:

@ecrist https://github.com/ecrist
what advice I am giving?

-=[ please reread the subject of the issue. focus on the "E" word ]=-

you do not give me the end user an EASY way to give Bob a new certificate once the old one expires (not to mention that I want almost every time Bob to have two valid certs when the old one is about to expire, to give him and me plenty of time to replace the old cert); every time I want to give Bob a new certificate, instead of typing . ./build-key bob I must type . ./build-key bob-$some_timestamp.

this is not the way I expected to work from a software that calls itself EASY, especially when using openssl directly I can easily reissue a new cert to Bob using his private key.



from easy-rsa.

mailinglists35 avatar mailinglists35 commented on June 28, 2024

ok, what if instead you add a build_full() option to create a new cert for existing key?

from easy-rsa.

ecrist avatar ecrist commented on June 28, 2024

The solution is to add the option value mentioned earlier to your own OpenSSL.cnf file. I don't feel this is a global default I'm willing to change.

Eric

On Oct 27, 2015, at 6:16 AM, Jakub Jirutka [email protected] wrote:

I agree with @mailinglists35, this is a very common use case and it's a pity that EasyRSA doesn't provide a convenient command for it.



from easy-rsa.

ecrist avatar ecrist commented on June 28, 2024

Modifying the contents of the openssl.cnf file is not considered a hack. Quite the contrary, modifications to this file are expected on a site to site basis. At this time I will not change the default value. Thanks for the feedback.

from easy-rsa.
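
What the `unique_subject` option named in this thread changes, shown with plain `openssl ca` as an added example that is not part of the thread and not easy-rsa's own code: the same CSR for CN=bob is signed twice, once in a CA configured with `unique_subject = yes` and once with `no`. The CA layout, section names and file names are constructed for the demo, and each run starts from a fresh directory so no previously written index.txt.attr influences the result.

```shell
#!/bin/sh
# Added example: throwaway CAs in temp dirs; every name and path is constructed.

# make_ca DIR YESNO: minimal "openssl ca" setup with unique_subject = YESNO,
# plus one key and CSR for CN=bob that is reused for both signing attempts.
make_ca() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 30
policy = policy_any
unique_subject = $2
[ policy_any ]
commonName = supplied
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=bob" \
        -keyout "$dir/bob.key" -out "$dir/bob.csr" 2>/dev/null
}

# sign_bob DIR OUT: ask the CA to sign Bob's CSR; exit status is openssl's.
sign_bob() {
    openssl ca -batch -config "$1/ca.cnf" -in "$1/bob.csr" -out "$1/$2" >/dev/null 2>&1
}

# issue_twice YESNO: sign the same subject twice in a fresh CA and report.
issue_twice() {
    work=$(mktemp -d)
    make_ca "$work" "$1"
    sign_bob "$work" bob-1.crt && first=ok || first=refused
    sign_bob "$work" bob-2.crt && second=ok || second=refused
    entries=$(wc -l < "$work/index.txt" | tr -d ' ')
    rm -rf "$work"
    echo "first=$first second=$second index_entries=$entries"
}

issue_twice yes   # OpenSSL's default: second certificate for the same subject is refused
issue_twice no    # both certificates are issued and both stay in index.txt
```

With `no`, both serials remain recorded in index.txt, so the older certificate can still be revoked by the CA after the newer one is issued.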

kylemanna avatar kylemanna commented on June 28, 2024

@mailinglists35 you could always implement the much needed feature. I'd like to see such a feature.

Or you could go back to trolling and overusing bold markdown as if the world revolves around you.

kthnxbai

from easy-rsa.

jirutka avatar jirutka commented on June 28, 2024

@mailinglists35 And do you understand what is open-source and free software about…? ;)

from easy-rsa.

kylemanna avatar kylemanna commented on June 28, 2024

@mailinglists35 you should fork it and rename it to hard-rsa

👍

from easy-rsa.

mailinglists35 avatar mailinglists35 commented on June 28, 2024

The solution is to add the option value mentioned earlier to your own OpenSSL.cnf file. I don't feel this is a global default I'm willing to change.

Modifying the contents of the openssl.cnf file is not considered a hack. Quite the contrary, modifications to this file are expected on a site to site basis. At this time I will not change the default value. Thanks for the feedback.

@ecrist could you at least please mention this in the readme/faq, as people who are affected by this issue only find it when it's too late for them (when the s*it already hit the fan...)

from easy-rsa.

TinCanTech avatar TinCanTech commented on June 28, 2024

Linking: #394

from easy-rsa.
