Comments (18)
Please re-open this bug. Currently Easyrsa does not provide any clear and documented way to renew certificates.
Currently I need this feature, because I want to renew all HTTPS certificates so that current Google Chrome browsers trust them. See #126
I see that the feature cannot be easily implemented in Easyrsa, because the CN name is also the certificate name in Easyrsa. To distinguish older and newer certificates for the same CN we need something like a suffix (e.g. fileserver~2017, fileserver~2018) or special directories for all older certificates. I do not want to delete older certificates from the Easyrsa directories, because this makes it difficult to revoke them later (see hack https://stackoverflow.com/questions/9496698/how-to-revoke-an-openssl-certificate-when-you-dont-have-the-certificate) in general and impossible to revoke them with the Easyrsa commands.
This should be supported.
Users are lazy.
They will instead just generate certificates with a 10 year valid period.
@mailinglists35 you should fork it and rename it to hard-rsa
@ecrist can you describe an EASY way to give a person a new certificate before the old one expires, without modifying anything in the configuration, just by using default easy-rsa package settings and reading its documentation that NOWHERE says anything about how to renew a certificate?
Why did you close this issue, as it is about an EASY way to perform the mentioned action? This issue is not about `unique_subject`.
What does closing mean? That you refuse to provide an EASY way to do something with a program that calls itself EASY?!
@ecrist do we have different definitions of the word "Easy"?
@kylemanna do you understand English?
@ecrist "Do not follow the advice of mailinglist35", excuse me, but what advice am I giving?
-=[ please reread the subject of the issue. focus on the "E" word ]=-
you do not give me, the end user, an EASY way to give Bob a new certificate once the old one expires (not to mention that almost every time I want Bob to have two valid certs when the old one is about to expire, to give him and me plenty of time to replace the old cert); every time I want to give Bob a new certificate, instead of typing `. ./build-key bob` I must type `. ./build-key bob-$some_timestamp`.
this is not the way I expected software that calls itself EASY to work, especially when using openssl directly I can always reissue a new cert to Bob using his private key. but wait, what's the point of calling openssl directly when I am supposed to have an EASIER tool at hand?
I really don't care what you do in the backend to achieve this - unique_subject, or else - as long as I can type `renew-cert bob`; that would be fine for me.
I agree with @mailinglists35, this is a very common use case and it's a pity that EasyRSA doesn't provide a convenient command for it.
It is not recommended to ever manually update those files. Do not follow the advice of mailinglist35.
On Oct 21, 2015, at 10:43 AM, mailinglists35 [email protected] wrote:
advice in issue #40 is to modify openssl.conf and index.txt.attr and index.attr.old
why me as an end-user of the product I have to resort to these hacks instead of having a renew-cert tool available?
why does openssl natively allow renewing a certificate using an existing key while "easy" rsa makes this process anything BUT "EASY"?
You can always change the default value to something you prefer. Editing the files is not the correct way to perform the action.
Eric
On Oct 26, 2015, at 04:42:55, mailinglists35 [email protected] wrote:
@ecrist https://github.com/ecrist
what advice am I giving? -=[ please reread the subject of the issue. focus on the "E" word ]=-
you do not give me, the end user, an EASY way to give Bob a new certificate once the old one expires (not to mention that almost every time I want Bob to have two valid certs when the old one is about to expire, to give him and me plenty of time to replace the old cert); every time I want to give Bob a new certificate, instead of typing `. ./build-key bob` I must type `. ./build-key bob-$some_timestamp`.
this is not the way I expected software that calls itself EASY to work, especially when using openssl directly I can easily reissue a new cert to Bob using his private key.
ok, what if instead you add a build_full() option to create a new cert for existing key?
The solution is to add the option value mentioned earlier to your own OpenSSL.cnf file. I don't feel this is a global default I'm willing to change.
Eric
On Oct 27, 2015, at 6:16 AM, Jakub Jirutka [email protected] wrote:
I agree with @mailinglists35, this is a very common use case and it's a pity that EasyRSA doesn't provide a convenient command for it.
Modifying the contents of the openssl.cnf file is not considered a hack. Quite the contrary, modifications to this file are expected on a site to site basis. At this time I will not change the default value. Thanks for the feedback.
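The workflow argued over in this thread, as an added example that is not easy-rsa's own code: plain OpenSSL commands set up a small CA whose `openssl.cnf` carries `unique_subject = no`, so the index can hold two valid certificates for `CN=bob` at the same time, and a `renew_cert` step re-signs Bob's existing private key while moving the old certificate aside under a dated name (the `fileserver~2018` idea from the first comment) instead of deleting it, so it stays revocable. The functions `make_demo_ca`, `sign_csr`, `renew_cert`, `revoke_cert`, `valid_count` and `same_key`, the directory layout, and the throwaway "Demo CA" and Bob fixtures are all constructed for this example; the `unique_subject`, `-revoke` and `index.txt.attr` behaviour is OpenSSL's own.

```shell
#!/bin/sh
# Added example, not easy-rsa code: a throwaway OpenSSL CA whose index may
# hold several valid certificates per subject, plus a renew step that
# re-signs an existing private key and keeps the old certificate around.
set -eu

# make_demo_ca DIR yes|no
# Builds the CA in DIR; the 2nd argument becomes unique_subject in the
# generated openssl.cnf. Decide before the first signing: openssl ca copies
# the value into index.txt.attr on first use and that file wins afterwards.
make_demo_ca() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    printf '01\n' > "$dir/serial"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
serial          = \$dir/serial
default_md      = sha256
default_days    = 30
policy          = demo_policy
x509_extensions = v3_leaf
unique_subject  = $2
[ demo_policy ]
commonName = supplied
[ v3_leaf ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    openssl req -x509 -config "$dir/openssl.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 30 -subj "/CN=Demo CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Bob's initial key pair and certificate (constructed demo fixture)
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=bob" -keyout "$dir/bob.key" -out "$dir/bob.csr" 2>/dev/null
    sign_csr "$dir" "$dir/bob.csr" "$dir/bob.crt"
}

# sign_csr DIR CSR OUT: have the CA in DIR sign CSR into OUT
sign_csr() {
    openssl ca -batch -notext -config "$1/openssl.cnf" -in "$2" -out "$3" >/dev/null 2>&1
}

# renew_cert DIR NAME: issue a fresh certificate for NAME's existing key.
# Only once the CA has accepted the request is the previous certificate
# moved aside as NAME~YYYYMMDD-SERIAL.crt; it is never deleted, because
# revoking it later needs the file.
renew_cert() {
    dir=$1; name=$2
    [ -f "$dir/$name.key" ] || { echo "no key for $name" >&2; return 1; }
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/$name.key" \
        -subj "/CN=$name" -out "$dir/$name.csr" 2>/dev/null
    sign_csr "$dir" "$dir/$name.csr" "$dir/$name.new.crt" \
        || { rm -f "$dir/$name.new.crt"; echo "CA refused renewal of $name" >&2; return 1; }
    if [ -f "$dir/$name.crt" ]; then
        serial=$(openssl x509 -in "$dir/$name.crt" -noout -serial | cut -d= -f2)
        mv "$dir/$name.crt" "$dir/$name~$(date +%Y%m%d)-$serial.crt"
    fi
    mv "$dir/$name.new.crt" "$dir/$name.crt"
}

# revoke_cert DIR FILE: mark FILE's serial as revoked (R) in the CA index
revoke_cert() {
    openssl ca -config "$1/openssl.cnf" -revoke "$2" >/dev/null 2>&1
}

# valid_count DIR CN: how many index entries for CN are still valid (V)
valid_count() {
    grep -c "^V.*CN=$2\$" "$1/index.txt" || true
}

# same_key CERT KEY: prints yes when CERT carries KEY's public key
same_key() {
    if [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
    then echo yes; else echo no; fi
}

# Demo run: renew bob once; both certificates stay valid in the index.
DEMO=$(mktemp -d)
make_demo_ca "$DEMO" no
renew_cert "$DEMO" bob
echo "valid certificates for bob: $(valid_count "$DEMO" bob)"
```

The comment on `make_demo_ca` is the catch behind the index.txt.attr edits mentioned in #40: `openssl ca` writes `unique_subject` from the config into `index.txt.attr` on first use, and from then on the `.attr` file takes precedence, so changing the value in `openssl.cnf` afterwards has no effect on an existing index. `renew_cert` moves the old certificate aside only after the CA has accepted the new request, so a refused renewal (for example with `unique_subject = yes` and a still-valid certificate for the same CN) leaves the current files untouched, and the archived file is what `revoke_cert` needs later.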
@mailinglists35 you could always implement the much needed feature. I'd like to see such a feature.
Or you could go back to trolling and overusing bold markdown as if the world revolves around you.
kthnxbai
@mailinglists35 And do you understand what is open-source and free software about…? ;)
@mailinglists35 you should fork it and rename it to hard-rsa
👍
The solution is to add the option value mentioned earlier to your own OpenSSL.cnf file. I don't feel this is a global default I'm willing to change.
Modifying the contents of the openssl.cnf file is not considered a hack. Quite the contrary, modifications to this file are expected on a site to site basis. At this time I will not change the default value. Thanks for the feedback.
@ecrist could you at least please mention this in the readme/faq, as people who are affected by this issue only find it when it's too late for them (when the s*it already hit the fan...)
Linking: #394