diff --git a/doc/EasyRSA-Advanced.md b/doc/EasyRSA-Advanced.md
index f9c818bb8..05d9385fc 100644
--- a/doc/EasyRSA-Advanced.md
+++ b/doc/EasyRSA-Advanced.md
@@ -84,8 +84,8 @@ possible terse description is shown below:
 * `EASYRSA_SSL_CONF` - the openssl config file to use
 * `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific files, defaults to `$PWD/pki`.
- * `EASYRSA_DN` (CLI: `--dn-mode`) - set to the string `cn_only` or `org` to
- alter the fields to include in the req DN
+ * `EASYRSA_DN` (CLI: `--dn-mode`) - set to the string `cn_only`, `device`, or
+ `org` to alter the fields to include in the req DN
 * `EASYRSA_REQ_COUNTRY` (CLI: `--req-c`) - set the DN country with org mode
 * `EASYRSA_REQ_PROVINCE` (CLI: `--req-st`) - set the DN state/province with org mode
diff --git a/doc/EasyRSA-Readme.md b/doc/EasyRSA-Readme.md
index 49e9cda4e..63dc3e215 100644
--- a/doc/EasyRSA-Readme.md
+++ b/doc/EasyRSA-Readme.md
@@ -56,6 +56,13 @@ Obtaining and Using Easy-RSA
 You should install and run Easy-RSA as a non-root (non-Administrator) account as root access is not required.
+ Download the latest stable release package from the
+ [Easy-RSA GitHub repository](https://github.com/OpenVPN/easy-rsa/releases/latest),
+ or clone the live repository:
+ ```sh
+ git clone https://github.com/OpenVPN/easy-rsa.git
+ ```
+
 #### Running Easy-RSA
 Invoking Easy-RSA is done through your preferred shell. Under Windows, you
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 8418d8289..f06bfc88d 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -438,9 +438,10 @@ Certificate & Request options: (these impact cert/req field values)
 --days=# : sets the signing validity to the specified number of days
 --digest=ALG : digest to use in the requests & certificates
---dn-mode=MODE : DN mode to use (cn_only or org)
+--dn-mode=MODE : DN mode to use (cn_only, device, or org)
 --keysize=# : size in bits of keypair to generate
 --req-cn=NAME : default CN to use
+--req-sn=SN : default device serial number (only useful if --dn-mode=device)
 --subca-len=# : path length of signed intermediate CA certs; must be >= 0 if used
 --subject-alt-name --san : Add a subjectAltName.
@@ -740,6 +741,8 @@ easyrsa_openssl() {
 -e s\`'$ENV::EASYRSA_REQ_ORG'\`\""$EASYRSA_REQ_ORG"\"\`g \
 -e s\`'$ENV::EASYRSA_REQ_OU'\`\""$EASYRSA_REQ_OU"\"\`g \
 -e s\`'$ENV::EASYRSA_REQ_EMAIL'\`\""$EASYRSA_REQ_EMAIL"\"\`g \
+ -e s\`'$ENV::EASYRSA_REQ_SN'\`\""$EASYRSA_REQ_SN"\"\`g \
+ "$EASYRSA_SSL_CONF" > "$easyrsa_openssl_conf" || \
 die "easyrsa_openssl - Failed to make temporary config (1)"
@@ -3528,6 +3531,7 @@ Move your vars file to your PKI folder, where it is safe!"
 set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
 set_var EASYRSA_REQ_EMAIL me@example.net
 set_var EASYRSA_REQ_OU "My Organizational Unit"
+ set_var EASYRSA_REQ_SN "My device SN"
 set_var EASYRSA_ALGO rsa
 set_var EASYRSA_KEY_SIZE 2048
 set_var EASYRSA_CURVE secp384r1
@@ -3688,7 +3692,7 @@ up23_verify_current_pki ()
 # This list may not be complete
 # Not required: DH_KEY_SIZE PKCS11_MODULE_PATH PKCS11_PIN
 for i in KEY_DIR KEY_SIZE KEY_COUNTRY KEY_PROVINCE \
- KEY_CITY KEY_ORG KEY_EMAIL KEY_CN KEY_NAME KEY_OU
+ KEY_CITY KEY_ORG KEY_EMAIL KEY_CN KEY_NAME KEY_OU KEY_SN
 do
 # Effectively, source the v2 vars file
 UNIQUE="set $i"
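Review bot: The new help line `--req-sn=SN : default device serial number (only useful if --dn-mode=device)` does not say that this value is the subject DN `serialNumber` attribute, and the script also carries an `EASYRSA_RAND_SN` setting for the certificate serial (visible in the `up23_build_v3_vars` hunk further down), so the two are easy to confuse. Suggest `--req-sn=SN : default subject serialNumber DN field (only useful if --dn-mode=device; not the certificate serial)`. The help text block continues outside the hunk.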
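Review bot: The second added line of the `easyrsa_openssl` hunk, sitting between the new `-e s\`'$ENV::EASYRSA_REQ_SN'\`\""$EASYRSA_REQ_SN"\"\`g \` expression and `"$EASYRSA_SSL_CONF" > "$easyrsa_openssl_conf" || \`, appears in this view to be blank. If it really is an empty or whitespace-only line, the backslash continuation on the `REQ_SN` line joins onto it and the `sed` command ends there without its input file, so sed reads stdin instead and the following line tries to execute the config path as a command — please confirm the hunk has no stray line, or that the input-file argument is itself on that `+` line. Also worth noting that `$EASYRSA_REQ_SN` enters the sed replacement text unescaped like the other `REQ_*` values, so a serial containing a backtick, `&` or `\` corrupts the generated config; a comment such as `# REQ_* values are substituted verbatim into the config; keep them to plain printable characters` above the sed would make that contract explicit. `easyrsa_openssl` starts and ends outside the hunk.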
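Review bot: `set_var EASYRSA_REQ_SN "My device SN"` gives every device-mode request a fixed placeholder subject serialNumber whenever the operator forgets `--req-sn`, which defeats the purpose of a per-device identifier and is less obviously a sample value than the org-mode placeholders around it. Consider defaulting to an empty string, `set_var EASYRSA_REQ_SN ""`, and having device mode die with a clear message when `EASYRSA_REQ_SN` is empty rather than stamping the placeholder into the DN; how OpenSSL treats an empty `serialNumber_default` is outside this hunk and would need testing. The surrounding default block starts and ends outside the hunk.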
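Review bot: Adding `KEY_SN` to the `for i in ...` list in `up23_verify_current_pki` puts it among the names the preceding comment separates from the `# Not required:` ones, yet a vars file written by Easy-RSA 2 will not normally define `KEY_SN`, since this change introduces the variable. If the loop body (outside the hunk) treats a missing `set KEY_SN` as a verification failure, existing v2 PKIs would fail the upgrade check; if it only sources whatever is present, `KEY_SN` is harmless but then belongs with the not-required names. Please confirm which, and either move `KEY_SN` next to the not-required list or add `# KEY_SN is new in v3 and is usually absent from v2 vars files` above the loop. The function continues outside the hunk.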
@@ -3746,6 +3750,7 @@ up23_verify_current_ca ()
 [ "$CA_localityName" = "$KEY_CITY" ] || CA_vars_match=0
 [ "$CA_organizationName" = "$KEY_ORG" ] || CA_vars_match=0
 [ "$CA_organizationalUnitName" = "$KEY_OU" ] || CA_vars_match=0
+ [ "$CA_serialNumber" = "$KEY_SN" ] || CA_vars_match=0
 [ "$CA_emailAddress" = "$KEY_EMAIL" ] || CA_vars_match=0
 if [ "$CA_vars_match" -eq 1 ]
@@ -3960,6 +3965,7 @@ up23_build_v3_vars ()
 printf "%s\n" "set_var EASYRSA_REQ_ORG \"$KEY_ORG\""
 printf "%s\n" "set_var EASYRSA_REQ_EMAIL \"$KEY_EMAIL\""
 printf "%s\n" "set_var EASYRSA_REQ_OU \"$KEY_OU\""
+ printf "%s\n" "set_var EASYRSA_REQ_SN \"$KEY_SN\""
 printf "%s\n" 'set_var EASYRSA_NS_SUPPORT "yes"'
 printf "%s\n" 'set_var EASYRSA_DN "org"'
 printf "%s\n" 'set_var EASYRSA_RAND_SN "no"'
@@ -4308,6 +4314,9 @@ while :; do
 --req-ou)
 empty_ok=1
 export EASYRSA_REQ_OU="$val" ;;
+ --req-sn)
+ empty_ok=1
+ export EASYRSA_REQ_SN="$val" ;;
 --ns-cert)
 export EASYRSA_NS_SUPPORT="$val" ;;
 --ns-comment)
diff --git a/easyrsa3/openssl-easyrsa.cnf b/easyrsa3/openssl-easyrsa.cnf
index 928b19568..0604eb8e5 100644
--- a/easyrsa3/openssl-easyrsa.cnf
+++ b/easyrsa3/openssl-easyrsa.cnf
@@ -51,6 +51,7 @@ organizationalUnitName = optional
 commonName = supplied
 name = optional
 emailAddress = optional
+serialNumber = optional
 ####################################################################
 # Easy-RSA request handling
@@ -74,6 +75,16 @@ commonName = Common Name (eg: your user, host, or server name)
 commonName_max = 64
 commonName_default = $ENV::EASYRSA_REQ_CN
+# Easy-RSA DN for IoT devices (CN + SN)
+# Note that this is the Subject's SN, not the certificate's!
+[ device ]
+commonName = Common Name (eg: your user, host, or server name)
+commonName_max = 64
+commonName_default = $ENV::EASYRSA_REQ_CN
+
+serialNumber = Device's serial number
+serialNumber_default = $ENV::EASYRSA_REQ_SN
+
 # Easy-RSA DN for org support:
 [ org ]
 countryName = Country Name (2 letter code)
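Review bot: The new `[ "$CA_serialNumber" = "$KEY_SN" ] || CA_vars_match=0` check relies on `$CA_serialNumber` being filled in by whatever parses the CA subject outside the hunk; if that parser only extracts the org-mode attributes, the variable is always empty and the test passes only when `KEY_SN` is also empty, so any v2 vars file that does set `KEY_SN` would be reported as a mismatch. The name `CA_serialNumber` is also easy to misread as the certificate serial rather than the subject attribute; a trailing comment on the new line, `# subject serialNumber attribute, not the certificate serial`, would remove the ambiguity. `up23_verify_current_ca` continues outside the hunk.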
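Review bot: The new `printf "%s\n" "set_var EASYRSA_REQ_SN \"$KEY_SN\""` lands two lines above `set_var EASYRSA_RAND_SN "no"` in the generated vars file, where the two `_SN` names read as if related although one is the subject DN attribute and the other, as its name suggests, concerns the certificate serial. Emitting a comment before the new line, e.g. `# EASYRSA_REQ_SN is the subject serialNumber DN attribute (device mode), unrelated to EASYRSA_RAND_SN`, would spare the next reader that confusion. `up23_build_v3_vars` continues outside the hunk.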
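Review bot: The new `[ device ]` section sets `commonName_max = 64` but gives no `serialNumber_max`, although RFC 5280 (Appendix A, ub-serial-number) bounds the X.520 serialNumber attribute at 64 characters and defines it as a PrintableString. Adding `serialNumber_max = 64` keeps the section consistent with the CN limit, and a comment such as `# serialNumber is a PrintableString: letters, digits, space and ' ( ) + , - . / : = ? only` warns operators that other characters in a device serial may be rejected or encoded differently depending on string_mask. The `[ device ]` section is complete within the hunk.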
diff --git a/easyrsa3/vars.example b/easyrsa3/vars.example
index 54e679bf7..64db94559 100644
--- a/easyrsa3/vars.example
+++ b/easyrsa3/vars.example
@@ -82,10 +82,15 @@ fi
 #
 # Choices are:
 # cn_only - use just a CN value
+# device - use a CN and a serialNumber (useful for IoT devices)
 # org - use the "traditional" Country/Province/City/Org/OU/email/CN format
 #set_var EASYRSA_DN "cn_only"
+# Device fields (used with 'device' mode and ignored in 'cn_only' and
+# 'org' modes.)
+# set_var EASYRSA_REQ_SN "My device SN"
+
 # Organizational fields (used with "org" mode and ignored in "cn_only" mode.)
 # These are the default values for fields which will be placed in the
 # certificate. Do not leave any of these fields blank, although interactively