File easy-rsa.changes of Package easy-rsa
-------------------------------------------------------------------
Sun Mar 15 14:49:24 UTC 2026 - ecsos <ecsos@opensuse.org>
- Update to 3.2.6:
- CI: Enable shell switch errexit in #1417
- V325 326 minor touches in #1421
- Inline sub ca v1 in #1423
- X509-Type ca: Enable 'basicConstraints = critical' for CA/subCA certificates in #1428
- Import tls key v1 in #1429
- import_tls_key(): Use set_no_clobber() to preserve existing key file in #1430
- Changes from 3.2.5:
- Replace local / global openssl-easyrsa.cnf in #1394
- init-pki: Introduce configurable cryptography in #1397
- Drop x509 type kdc built-in in #1399
- Always generate an openssl-easyrsa.cnf or x509-types tmp-file in #1401
- Libressl use $EASYRSA_FORCE_SAFE_SSL in #1402
- Update EasyRSA-Advanced.md in #1403
- source_vars(): Add grep regex for assign by equal = in #1405
- export_pkcs(), PKCS12 inline: Respect $EASYRSA_NO_INLINE in #1407
- Introduce peer-fingerprint inline lists in #1410
- help: Add '-b' alias for --batch and correct default 'vars' file in #1411
- New function ssl_cert_sig_digest(); Extract certificae digest name in #1414
- Upgrading OpenSSL for Windows to 3.6.0 in #1416
- Changes from 3.2.4:
- export-p12: Move inline file to 'inline/private' folder in #1356
- Restructure help in #1363
- New global option: --no-lockfile = env-var: $EASYRSA_NO_LOCKFILE in #1364
- Restructure verify_working_env() in #1367
- Improve verbose in #1368
- Windows easyrsa-shell-init.sh: Replace 'read -p' in #1371
- mutual_exclusions(): Include basic checks for --startdate/--enddate in #1372
- easyrsa-shell-init.sh: Allow Easy-RSA to use '\User$HOME' directory in #1374
- Remove 'easyrsa_mkdir()', use only 'mkdir' in #1376
- revoke: Archive request and private key files and expand help in #1378
- set_no_clobber(): Add simple error detection in #1379
- random: Use verify_working_env() to configure EASYRSA_OPENSSL in #1381
- self_sign(): Force use of Easy-RSA X509-type file 'selfsign' in #1383
- Changes from 3.2.3:
- Update OpenSSL to v3.5.0
- renew: Print 'unique_subject = no' to index.txt.attr in #1293
- check_serial_unique(): Check for duplicate Subject error in #1294
- Correctly define options names - Remove wild-card pattern in #1297
- Remove all references to file:easyrsa-tools.lib in #1298
- Reinstate old function as 'db_date_to_iso_8601()' [Renamed] in #1303
- expire_status_v2(): Refactor 'if' statement to capture error correctly in #1304
- source_vars() improvements in #1300
- add_critical_attrib(): Do not add 'critical' if 'critical' exists in #1308
- inline_file(): Include DH file or placeholder, for RSA Servers in #1310
- Fix shellcheck warnings in #1311
- Introduce command line options --umask|--no-umask, to set 'umask' in #1312
- Introduce "robust" lock-file mechanism in #1313
- New function set_no_clobber() in #1314
- Easyrsa mktemp v2 in #1315
- add_critical_attrib_v2(): Move file access to function in #1316
- Command 'write': Remove options 'overwrite' and 'filename' in #1318
- Introduce option --text: Create CSR files with human readable text in #1319
- will_cert_be_valid(): Remove SSL option -noout in #1321
- easyrsa_mktemp(): Remove secondary atomic operation in #1322
- easyrsa_mkdir(): Separate Windows from *nix in #1324
- Update Copyright 2025 in #1327
- inine_file(): Correct logic and add 'dh none' for DH params file in #1330
- show-expire: Move setting $pre_expire_window_s to status() in #1332
- Always export EASYRSA_SSL_CONF, when assigned (code standard) in #1334
- Unit-test: Drop old *nix test in #1335
- add_critical_attrib(): export temp-file name as input file in #1333
- Inline improvements in #1337
- Unit-test: Minimize Windows test in #1339
- PKI lock-file: Move possible creation to sub-function request_lock_file() in #1340
- forbid_selfsign(): Compare cert serial to signing cert serial in #1342
- inline_file(): Use ssl_cert_serial() in #1343
- Inline self sign improvements in #1345
- peer-fingerprint mode: Make CA mode mutually exclusive to PFP mode in #1347
- Remove init pki soft in #1351
-------------------------------------------------------------------
Sat Feb 1 14:52:28 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- update to 3.2.2:
* Remove redundant file: index.txt.attr
* sign-req: Allow custom X509 Types
* Add LibreSSL version 4 to supported SSL Libraries
* Revoke remove private inline
* Easyrsa disable inline
* easyrsa-tools.lib: renew SAN, remove excess word 'Address'
* easyrsa-tls.lib: renew, make sed regex for 'IP Address' greedy
* Show expire allow zero days
* easyrsa-tools.lib: New command 'renew ca'
* Improve CRL expiration details
* Tools move to easyrsa3
* vars.example: Remove $EASYRSA_PKI
* Introduce new command revoke-issued
* Bugfix renew ca and renew
* Always use locate_support_files() after secure_session()
* revoke: Make check for conflicting files less intrusive
* Forbid a self-signed certificate from being expired/renewed/revoked
* V321 minor final
* op-test.sh: Disable download ossl3 and shellcheck binaries
* Revert: Do not remove index.txt.attr
* Fold easyrsa-tools.lib into easyrsa
-------------------------------------------------------------------
Sat Nov 30 02:54:52 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
- update to 3.2.1:
* inline: Add decimal value for cert. serial
* Always exit with error for unknown command options
* ntegrate Easy-RSA TLS-Key for use with 'init-pki soft'
* easyrsa-tools.lib, show-expire: Add CA certificate to report
* inline: OpenVPN TLS Keys inlining for TLS-AUTH, TLS-CRYPT-V1
* easyrsa-tools.lib: OpenVPN TLS Key gen. TLS-AUTH, TLS-CRYPT-V1
* easyrsa-tools.lib: expire_status_v2() (show-expire version 2)
* sign-req: Require 128bit serial number
* Move command 'verify-cert' to Tools-lib; drop 'verify' shortcut
* Windows secure_session(): Ensure $secured_session dir is created
* Switch to '-f' for file existence
* inline: Move auto-inline from build_full() to sign_req()
* gen-crl: Create additional CRL in DER format
* self-sign: Allow Edwards Curve based keys
* Re-enable command 'renew' (version 2): Requires EasyRSA Tools
* bug-fix: revoke: Pass the correct certificate location
* vars.example: Add flags for auto-SAN and X509 critical attribute
* Global option --eku-crit: Mark X509 extendedKeyUsage as critical
* sign-req: Add critical and pathlen details to confirmation
* export-p12: Automatically generate inline file
* Introduce global option --auto-san, use commonName as SAN
* Introduce global option --san-crit, mark SAN critical
* Introduce new global options: --ku-crit and --bc-crit
* gen-req: Always check for existing request file
* revoke/revoke-expired/-renewed: Keep duplicate certificate
* revoke-expired/-renewed: Keep req/key files for resigning
* revoke: Add abbreviations for optional 'reason'
* build-ca: Allow use of --req-cn without batch mode
* gen-req: Re-enable use of --req-cn
* write: Change syntax, target as file, not directory
- update to 3.2.0:
* Revert ca76697: Restore escape_hazard()
* New X509 Type: 'selfsign' Internal only
* New commands: self-sign-server and self-sign-client
* build-ca: Command 'req', remove SSL option '-keyout'
* Remove escape_hazard(), obsolete
* Remove command and function display_cn(), unused
* docs: Update EasyRSA-Renew-and-Revoke.md
* Remove all 'renew' code; replaced by 'expire' code
* Introduce commands: 'expire' and 'revoke-expired'
* Keep request files [CSR] when revoking certificates
* Restrict use of --req-cn to build-ca
* Remove command 'display-san' (Code removed in 5a06f94)
* Move Status Reports to 'easyrsa-tools.lib'
* export-p12, OpenSSL v1.x: Upgrade PBE and MAC options
* LibreSSL: Add fix for missing 'x509' option '-ext'
* Variable heredoc expansion for SSL/Safe Config file
* Always use here-doc version of openssl-easyrsa.cnf
* export-p12: New command option 'legacy'. OpenSSL V3 Only
* export-p12: Always set 'friendlyName' to file-name-base
* As of Easy-RSA version 3.2.0-beta1, the configuration files
vars.example, openssl-eayrsa.cnf and all files in x509-types directory
are no longer required
* Rename X509-type file code-signing to codeSigning
* init-pki: Always write vars.example file to fresh PKI
* New command 'write': Write 'legacy' files to stdout or files
* Remove command 'make-safe-ssl': Replaced by command 'write safe-cnf'
* New Command 'rand': Expose easyrsa_random() to the command line
* Remove function 'set_pass_legacy()'
* Remove command 'rewind-renew'
* Remove command 'rebuild'
* Remove command 'upgrade'
* Remove EASYRSA_NO_VARS; Allow graceful use without a vars file
* New diagnostic command 'display-cn'
* Expand renewable certificate types to include code-signing
- attach a source to keyring
-------------------------------------------------------------------
Tue Oct 17 06:35:16 UTC 2023 - Paolo Stivanin <info@paolostivanin.com>
- Update to 3.1.7:
* Completely Remove Upgrade Functionality
* Expand help to include undocumented commands
* Forbid "default vars in the default PKI" for all commands
* show-expire: Calculate certificate expire seconds from Database date
* Expand help to include undocumented commands
* New command: make-vars - Print vars.example (here-doc) to stdout
* gen-crl: preserve existing crl.pem ownership+mode by @Tabiskabis in #1020
* Improve vars auto load
* Replace santize_path() and ignore Windows "security" warning
* Improve select_vars() and source_vars()
* sign-req: Allow the CSR DN-field order to be preserved
* vars-file: Warn about EASYRSA_NO_VARS disabling vars-file use
* Expand default status to include vars-file and CA status
* verify_ssl_lib(): Minor style improvements
* cleanup: Rename $easyrsa_error_exit to $easyrsa_exit_with_error
-------------------------------------------------------------------
Sun Aug 6 18:54:29 UTC 2023 - Matthias Eliasson <elimat@opensuse.org>
- Update to 3.1.5:
* Build Update: script now supports signing and verifying
* Automate support-file creation (Free packaging) (#964)
* build-ca: New command option 'raw-ca', abbrevation: 'raw' (#963)
This 'raw' method, is the most reliable way to build a CA,
with a password, without writing the CA password to a temp-file.
This option completely replaces both methods below:
build-ca: New option --ca-via-stdin, use SSL -pass* argument 'stdin' (#959)
Option '--ca-via-stdin' offers no more security than standard method.
Easy-RSA version 3.1.4 ONLY.
build-ca: Replace password temp-files with file-descriptors (#955)
Using file-descriptors does not work in Windows.
Easy-RSA version 3.1.3 ONLY.
- update and rebase suse-packaging.patch
-------------------------------------------------------------------
Tue Jan 17 11:06:55 UTC 2023 - Paolo Stivanin <info@paolostivanin.com>
- Update to 3.1.2:
* Command 'renew': Remove option 'nopass'
* find_x509_types_dir(): Remove excess checks
* Remove function find_x509_types_dir()
* For 'init-pki hard' only, always try to create a new pki/vars file
* Introduce global option '--notext|--no-text'
* Minor style change
* Introduce command 'set-pass'
* Fix shellcheck warning for command set-pass case statement
* cleanup(): Exit correctly for SIGINT
* Update help: Standardise output; Improve code; Reprioritise options
* vars.example: Add EASYRSA_NO_PASS and wrap long lines
* Use 'unset -v', consistently
* build-ca: Improve passphrase input mechanism
* Remove global options '--verbose' and '--quiet' as not required
* Remove all prerequisite code to build a safe SSL config file
* Rename temp files to reflect the purpose
* easyrsa_openssl(): Always set OPENSSL_CONF to EasyRSA safe SSL config
* Replace SSL calls for serial number with function ssl_cert_serial()
* Introduce OpenSSL only mode: No Safe SSL Config File
* ff_date_to_cert_date(): Correct the input format for busybox date
* Re-order easyrsa_openssl() temp-file assignment
* Stop EASYRSA_DEBUG interfering with SSL output from subshells
* Status reports: Recognise Expired certificates
* New function safe_set_var(): Safe wrapper for set_var()
* Windows, build-ca: Add input password to re-open private key
* Renewal: General code improvements
* cleanup(): General improvements - Create KNOWN error exit
* build-ca: Change FATAL error to warning for old openssl-easyrsa.cnf
* Allow --fix-offset to create post-dated certificates
* Default settings: Make default Edwards curve ED25519
* cleanup(): Exit with numeric error-code only
* init-pki(): Introduce second warning before HARD removal
* build-full: Always enable inline file creation
* Global option '--passout' always take priority ONLY
* Status Reports: Set 'LC_TIME=C.UTF-8', only used for reports
* Option --fix-offset: Adjust off-by-one day
- Drop fix-747.patch
-------------------------------------------------------------------
Tue Dec 13 23:09:09 UTC 2022 - Olav Reinert <seroton10@gmail.com>
- fix for 3.1.1:
* add patch fix-747.patch from upstream
-------------------------------------------------------------------
Sat Dec 3 19:41:33 UTC 2022 - Dirk Müller <dmueller@suse.com>
- update to 3.1.1:
* Remove command 'renewable' (#715)
* Expand 'show-renew', include 'renewed/certs_by_serial' (#700)
* Resolve long-standing issue with --subca-len=N (#691)
* ++ NOTICE: Add EasyRSA-Renew-and-Revoke.md (#690)
* Require 'openssl-easyrsa.cnf' is up to date (#695}
* Introduce 'renew' (version 3). Only renew cert (#688)
* Always ensure X509-types files exist (#581 #696)
* Expand alias '--days' to all suitable options with a period (#674)
* Introduce --keep-tmp, keep temp files for debugging (#667)
* Introduce Option -q|--quiet, disable information output (#703)
* Add serialNumber (OID 2.5.4.5) to DN 'org' mode (#606)
* Support ampersand and dollar-sign in vars file (#590)
* Introduce 'rewind-renew' (#579)
* Expand status reports to include checking a single cert (#577)
* Introduce 'revoke-renewed' (#547)
* update OpenSSL for Windows to 3.0.5
-------------------------------------------------------------------
Mon Sep 5 16:23:46 UTC 2022 - Florian "spirit" <packaging@sp1rit.anonaddy.me>
- Update to 3.1.0 (2022-05-18)
* Introduce basic support for OpenSSL version 3 (#492)
* Update regex in grep to be POSIX compliant (#556)
* Introduce status reporting tools (#555 & #557)
* Display certificates using UTF8 (#551)
* Allow certificates to be created with fixed date offset (#550)
* Add 'verify' to verify certificate against CA (#549)
* Add PKCS#12 alias 'friendlyName' (#544)
* Disallow use of '--vars=FILE init-pki' (#566)
* Support multiple IP-Addresses in SAN (#564)
* Add option '--renew-days=NN', custom renew grace period (#557)
* Add 'nopass' option to the 'export-pkcs' functions (#411)
* Add support for 'busybox' (#543)
* Add option '--tmp-dir=DIR' to declare Temp-dir (Commit f503a22)
-------------------------------------------------------------------
Wed Jun 15 19:12:30 UTC 2022 - Olav Reinert <seroton10@gmail.com>
- Update to 3.0.9 (2022-05-04)
* Upgrade OpenSSL from 1.1.0j to 1.1.1o (#405, #407)
- We are buliding this ourselves now.
* Fix --version so it uses EASYRSA_OPENSSL (#416)
* Use openssl rand instead of non-POSIX mktemp (#478)
* Fix paths with spaces (#443)
* Correct OpenSSL version from Homebrew on macOs (#416)
* Fix revoking a renewed certificate (Original PR #394)
* Follow-up commit: ef22701
* Introduce 'show-crl' (d199389)
* Support Windows-Git 'version of bash' (#533)
* Disallow use of single quote (') in vars file, Warning (#530)
* Creating a CA uses x509-types/ca and COMMON (#526)
* Prefer 'PKI/vars' over all other locations (#528)
* Introduce 'init-pki soft' option (#197)
* Warnings are no longer silenced by --batch (#523)
* Improve packaging options (#510)
-------------------------------------------------------------------
Wed Nov 25 16:48:19 UTC 2020 - Olav Reinert <seroton10@gmail.com>
- update to 3.0.8 (2020-09-09)
* Provide --version option (#372)
* Version information now within generated certificates like on *nix
* Fixed issue where gen-dh overwrote existing files without warning (#373)
* Fixed issue with ED/EC certificates were still signed by RSA (#374)
* Added support for export-p8 (#339)
* Clarified error message (#384)
* 2->3 upgrade now errors and prints message when vars isn't found (#377)
* Update OpenSSL Windows binaries to 1.1.1g
* Reverted OpenSSL back to 1.1.0j
-------------------------------------------------------------------
Tue Feb 12 12:26:17 UTC 2019 - Tuukka Pasanen <tuukka.pasanen@ilmi.fi>
- update to 3.0.6 (2019-02-01)
* Certifcates that are revoked now move to a revoked subdirectory (#63)
* EasyRSA no longer clobbers non-EASYRSA environment variables (#277)
* More sane string checking, allowingn for commas in CN (#267)
* Support for reasonCode in CRL (#280)
* Better handling for capturing passphrases (#230, others)
* Improved LibreSSL/MacOS support
* Adds support to renew certificates up to 30 days before expiration (#286)
- This changes previous behavior allowing for certificate creation using
duplicate CNs.
- update and rebase suse-packaging.patch
-------------------------------------------------------------------
Fri Nov 30 11:10:10 UTC 2018 - chris@computersalat.de
- update to 3.0.5
* Fix #17 & #58: use AES256 for CA key
* Also, don't use read -s, use stty -echo
* Fix broken "nopass" option
* Add -r to read to stop errors reported by shellcheck (and to behave)
* remove overzealous quotes around $pkcs_opts (more SC errors)
- update and rebase suse-packaging.patch
* fix: set_var EASYRSA in vars.example
- fix License
-------------------------------------------------------------------
Sun Jan 28 19:05:46 UTC 2018 - seroton10@gmail.com
- Upgrade to version 3.0.4
* Remove use of egrep (#154)
* Finally(?) fix the subjectAltName issues (really fixes #168)
- Improve RPM description
-------------------------------------------------------------------
Wed Oct 18 08:40:40 UTC 2017 - astieger@suse.com
- update release tarball instead of git snapshot
- add upstream signing keyring and verify source signature
-------------------------------------------------------------------
Mon Oct 16 06:38:49 UTC 2017 - seroton10@gmail.com
- Update to version 3.0.3
- Rename easy-rsa-packaging.patch to suse-packaging.patch
- Remove obsolete upstream patches:
* f174800.patch
* 29d4dee.patch
* b93d0a1.patch
* fb4d8d8.patch
* b75faa4.patch
* 6436eaf.patch
* e9e8e27.patch
* 534f673.patch
* d20d2b3.patch
* 4eac410.patch
* a138c0d.patch
* 83a1a21.patch
-------------------------------------------------------------------
Wed Aug 23 09:06:23 UTC 2017 - seroton10@gmail.com
- Include upstream patches:
+ 4eac410.patch
Fix string comprehension
+ a138c0d.patch
Fix incorrect "openssl rand" usage
+ 83a1a21.patch
Add --copy-ext option
-------------------------------------------------------------------
Fri Jul 28 21:27:09 UTC 2017 - seroton10@gmail.com
- Include upstream patches:
+ d20d2b3.patch
Update docs and examples to fit changes in 534f673
- Adapted easy-rsa-packaging.patch to work with upstream patch
-------------------------------------------------------------------
Mon Jul 24 23:04:34 UTC 2017 - seroton10@gmail.com
- Include upstream patches:
+ 534f673.patch
Make $PWD/pki the default PKI location
- Adapted easy-rsa-packaging.patch to work with upstream patch
- Treat /etc/easy-rsa as public default config, no default vars
-------------------------------------------------------------------
Tue Jul 18 18:32:22 UTC 2017 - seroton10@gmail.com
- Include upstream patches:
+ 6436eaf.patch
Add CN as SAN (if none requested) on server certs by default
+ e9e8e27.patch
Moved @ValdikSS's serial randomization to sign_req
-------------------------------------------------------------------
Mon Jun 5 18:38:00 UTC 2017 - seroton10@gmail.com
- Undo removal of .md suffix on markdown documentation
-------------------------------------------------------------------
Sat May 27 07:30:22 UTC 2017 - bruno@ioda-net.ch
- Add special %if for SLE11 as patch tool can't rename files.
- Include upstream patches
+ f174800.patch
Generate random serial number for all certificates
+ 29d4dee.patch
Fixes #91 basename: invalid option -- 's'
+ b93d0a1.patch
Spelling fixes and sentence structure improvements
+ fb4d8d8.patch
Fix comment indicating the end of the function verify_file()
+ b75faa4.patch
Convert README and COPYING into markdown files
- Rename openSUSE specific patch easyrsa.packaging.patch to
easy-rsa-packaging.patch
- spec-cleaner -m (Add also SUSE copyrights)
-------------------------------------------------------------------
Sat Jan 2 21:13:06 UTC 2016 - projects@localside.net
- update to version 3.0.1
* cab4a07 Fix typo: Hellman
(ljani: Github)
* 171834d Fix typo: Default
(allo-: Github)
* 8b42eea Make aes256 default, replacing 3des
(keros: Github)
* f2f4ac8 Make -utf8 default
(roubert: Github)
-------------------------------------------------------------------
Sun Apr 5 19:48:24 UTC 2015 - projects@localside.net
- initial upload: 3.0.0-rc2 (2014/07/27)
