From 87f4abfb13ec8a7234171e8c66a4aae667c1874f Mon Sep 17 00:00:00 2001
From: Bogdan Stancescu
Date: Fri, 15 Oct 2021 13:55:36 +0300
Subject: [PATCH 1/2] Basic support for IoT devices (--dn-mode=device)
---
doc/EasyRSA-Advanced.md | 4 ++--
easyrsa3/easyrsa | 12 ++++++++++--
easyrsa3/openssl-easyrsa.cnf | 11 +++++++++++
easyrsa3/vars.example | 9 ++++++++-
4 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/doc/EasyRSA-Advanced.md b/doc/EasyRSA-Advanced.md
index 2ced95ff0..7d9f99013 100644
--- a/doc/EasyRSA-Advanced.md
+++ b/doc/EasyRSA-Advanced.md
@@ -84,8 +84,8 @@ possible terse description is shown below:
 * `EASYRSA_SSL_CONF` - the openssl config file to use
 * `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific files, defaults to `$PWD/pki`.
- * `EASYRSA_DN` (CLI: `--dn-mode`) - set to the string `cn_only` or `org` to
- alter the fields to include in the req DN
+ * `EASYRSA_DN` (CLI: `--dn-mode`) - set to the string `cn_only`, `device`, or
+ `org` to alter the fields to include in the req DN
 * `EASYRSA_REQ_COUNTRY` (CLI: `--req-c`) - set the DN country with org mode
 * `EASYRSA_REQ_PROVINCE` (CLI: `--req-st`) - set the DN state/province with org mode
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 36e154d01..be6618ca8 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -233,9 +233,10 @@ Certificate & Request options: (these impact cert/req field values)
 --days=# : sets the signing validity to the specified number of days
 --digest=ALG : digest to use in the requests & certificates
---dn-mode=MODE : DN mode to use (cn_only or org)
+--dn-mode=MODE : DN mode to use (cn_only, device, or org)
 --keysize=# : size in bits of keypair to generate
 --req-cn=NAME : default CN to use
+--req-sn=SN : default device serial number (only useful if --dn-mode=device)
 --subca-len=# : path length of signed intermediate CA certs; must be >= 0 if used
 --subject-alt-name : Add a subjectAltName. For more info and syntax, see: ./easyrsa help altname
@@ -394,6 +395,7 @@ easyrsa_openssl() {
 -e "s\`\$EASYRSA_REQ_CITY\`$EASYRSA_REQ_CITY\`g" \
 -e "s\`\$EASYRSA_REQ_ORG\`$EASYRSA_REQ_ORG\`g" \
 -e "s\`\$EASYRSA_REQ_OU\`$EASYRSA_REQ_OU\`g" \
+ -e "s\`\$EASYRSA_REQ_SN\`$EASYRSA_REQ_SN\`g" \
 -e "s\`\$EASYRSA_REQ_CN\`$EASYRSA_REQ_CN\`g" \
 -e "s\`\$EASYRSA_REQ_EMAIL\`$EASYRSA_REQ_EMAIL\`g" \
 ${EASYRSA_EXTRA_EXTS:+-e "/^#%EXTRA_EXTS%/r $easyrsa_extra_exts"} \
@@ -1718,6 +1720,7 @@ Note: using Easy-RSA configuration from: $vars"
 set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
 set_var EASYRSA_REQ_EMAIL me@example.net
 set_var EASYRSA_REQ_OU "My Organizational Unit"
+ set_var EASYRSA_REQ_SN "My device SN"
 set_var EASYRSA_ALGO rsa
 set_var EASYRSA_KEY_SIZE 2048
 set_var EASYRSA_CURVE secp384r1
@@ -1862,7 +1865,7 @@ up23_verify_current_pki ()
 # This list may not be complete
 # Not required: DH_KEY_SIZE PKCS11_MODULE_PATH PKCS11_PIN
 for i in KEY_DIR KEY_SIZE KEY_COUNTRY KEY_PROVINCE \
- KEY_CITY KEY_ORG KEY_EMAIL KEY_CN KEY_NAME KEY_OU
+ KEY_CITY KEY_ORG KEY_EMAIL KEY_CN KEY_NAME KEY_OU KEY_SN
 do
 # Effectively, source the v2 vars file
 UNIQUE="set $i"
@@ -1915,6 +1918,7 @@ up23_verify_current_ca ()
 [ "$CA_localityName" = "$KEY_CITY" ] || CA_vars_match=0
 [ "$CA_organizationName" = "$KEY_ORG" ] || CA_vars_match=0
 [ "$CA_organizationalUnitName" = "$KEY_OU" ] || CA_vars_match=0
+ [ "$CA_serialNumber" = "$KEY_SN" ] || CA_vars_match=0
 [ "$CA_emailAddress" = "$KEY_EMAIL" ] || CA_vars_match=0
 if [ "$CA_vars_match" -eq 1 ]
@@ -2127,6 +2131,7 @@ up23_build_v3_vars ()
 printf "%s\n" "set_var EASYRSA_REQ_ORG \"$KEY_ORG\""
 printf "%s\n" "set_var EASYRSA_REQ_EMAIL \"$KEY_EMAIL\""
 printf "%s\n" "set_var EASYRSA_REQ_OU \"$KEY_OU\""
+ printf "%s\n" "set_var EASYRSA_REQ_SN \"$KEY_SN\""
 printf "%s\n" 'set_var EASYRSA_NS_SUPPORT "yes"'
 printf "%s\n" 'set_var EASYRSA_DN "org"'
 printf "%s\n" 'set_var EASYRSA_RAND_SN "no"'
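Review bot: `set_var EASYRSA_REQ_SN "My device SN"` gives every device-mode request the same subject serialNumber whenever the caller forgets `--req-sn`, and unlike the other placeholders on the neighbouring lines (`Copyleft Certificate Co`, `My Organizational Unit`) this field is the per-device identity the new mode exists to carry. Unless gen-req rejects the placeholder in device mode somewhere outside this patch, a fleet enrolled with the defaults ends up indistinguishable by SN. Defaulting to empty, `set_var EASYRSA_REQ_SN ""`, and having device mode refuse an empty SN would fail closed; the same placeholder is echoed in the vars.example hunk.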
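Review bot: Adding `KEY_SN` to the required-variable loop in up23_verify_current_pki() will, if the loop body (which continues past the hunk) treats a variable missing from the v2 vars file as a failure, break the v2-to-v3 upgrade for every existing v2 PKI, because v2 never defined `KEY_SN`. The comment just above the loop already maintains a `# Not required:` list, which is where a field that only exists post-upgrade belongs. The same question applies to the new up23_verify_current_ca() comparison `[ "$CA_serialNumber" = "$KEY_SN" ] || CA_vars_match=0` and to the `EASYRSA_REQ_SN` line written by up23_build_v3_vars(): that function also hard-codes `set_var EASYRSA_DN "org"`, so an upgraded PKI never selects the new `[ device ]` DN section and the SN plumbing through the upgrade path looks unreachable.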
@@ -2439,6 +2444,9 @@ while :; do
 --req-ou)
 empty_ok=1
 export EASYRSA_REQ_OU="$val" ;;
+ --req-sn)
+ empty_ok=1
+ export EASYRSA_REQ_SN="$val" ;;
 --ns-cert)
 export EASYRSA_NS_SUPPORT="$val" ;;
 --ns-comment)
diff --git a/easyrsa3/openssl-easyrsa.cnf b/easyrsa3/openssl-easyrsa.cnf
index 5c4fc79e7..fb9457884 100644
--- a/easyrsa3/openssl-easyrsa.cnf
+++ b/easyrsa3/openssl-easyrsa.cnf
@@ -48,6 +48,7 @@ organizationalUnitName = optional
 commonName = supplied
 name = optional
 emailAddress = optional
+serialNumber = optional
 ####################################################################
 # Easy-RSA request handling
@@ -71,6 +72,16 @@ commonName = Common Name (eg: your user, host, or server name)
 commonName_max = 64
 commonName_default = $ENV::EASYRSA_REQ_CN
+# Easy-RSA DN for IoT devices (CN + SN)
+# Note that this is the Subject's SN, not the certificate's!
+[ device ]
+commonName = Common Name (eg: your user, host, or server name)
+commonName_max = 64
+commonName_default = $ENV::EASYRSA_REQ_CN
+serialNumber = Device's serial number
+serialNumber_default = $ENV::EASYRSA_REQ_SN
 # Easy-RSA DN for org support:
 [ org ]
 countryName = Country Name (2 letter code)
diff --git a/easyrsa3/vars.example b/easyrsa3/vars.example
index f62f4b13d..22fa318e7 100644
--- a/easyrsa3/vars.example
+++ b/easyrsa3/vars.example
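Review bot: The new `--req-sn` handler exports whatever it is given with no validation, and the value has two sinks that are sensitive to its contents: it becomes the subject serialNumber via `$ENV::EASYRSA_REQ_SN`, which RFC 5280 defines as a PrintableString of 1..64 characters, so a value with other characters (underscore, `#`, `@`, non-ASCII) only fails later inside `openssl req`; and in the easyrsa_openssl() hunk it is interpolated into a sed `s` expression delimited by backticks, so a backtick, `&`, `\` or newline in it silently corrupts the generated config. The existing `--req-*` options share the sed pattern, but device serial numbers are typically fed in from inventories rather than typed, which makes a stray character more likely. A check in the handler would fail early, e.g. `sn_chars="A-Za-z0-9 '()+,./:=?-"` followed by `case $val in *[!$sn_chars]*) die "--req-sn: serialNumber must be a PrintableString" ;; esac` before the export (`empty_ok=1` already covers the non-device case; a `${#val}` length check against 64 would complete it). The EasyRSA-Advanced.md hunk in this patch updates the `EASYRSA_DN` entry but does not document `EASYRSA_REQ_SN` / `--req-sn`; it belongs next to `EASYRSA_REQ_OU`.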
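Review bot: The new `[ device ]` section bounds commonName with `commonName_max = 64` but sets no bound on serialNumber; for consistency add `serialNumber_max = 64` after `serialNumber_default = $ENV::EASYRSA_REQ_SN` (RFC 5280 caps X520SerialNumber at 64 characters, so a longer value fails inside openssl anyway, and the explicit limit surfaces it at the prompt instead). The comment `# Note that this is the Subject's SN, not the certificate's!` makes the right distinction but is only visible to readers of the config file; repeating it in the prompt text, e.g. `serialNumber = Device serial number (subject field, not the cert serial)`, would reach interactive users too. The policy addition `serialNumber = optional` in the earlier hunk is fine, as it leaves cn_only and org requests unaffected.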
@@ -82,11 +82,18 @@ fi
 #
 # Choices are:
 # cn_only - use just a CN value
+# device - use a CN and a serialNumber (useful for IoT devices)
 # org - use the "traditional" Country/Province/City/Org/OU/email/CN format
 #set_var EASYRSA_DN "cn_only"
-# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
+# Device fields (used with 'device' mode and ignored in 'cn_only' and
+# 'org' modes.)
+
+ # set_var EASYRSA_REQ_SN "My device SN"
+
+# Organizational fields (used with 'org' mode and ignored in 'cn_only'
+# and 'device' mode.)
 # These are the default values for fields which will be placed in the
 # certificate. Don't leave any of these fields blank, although interactively
 # you may omit any specific field by typing the "." symbol (not valid for
From e1a4ee7c7a1f4336cb9e9810caedd3dc7c1000ce Mon Sep 17 00:00:00 2001
From: Bogdan Stancescu
Date: Fri, 15 Oct 2021 15:33:52 +0300
Subject: [PATCH 2/2] (docs) concrete ways to download
---
doc/EasyRSA-Readme.md | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/doc/EasyRSA-Readme.md b/doc/EasyRSA-Readme.md
index 7bf236fb9..057212ba2 100644
--- a/doc/EasyRSA-Readme.md
+++ b/doc/EasyRSA-Readme.md
@@ -56,6 +56,13 @@ Obtaining and Using Easy-RSA
 You should install and run Easy-RSA as a non-root (non-Administrator) account as root access is not required.
+ Download the latest stable release package from the
+ [Easy-RSA GitHub repository](https://github.com/OpenVPN/easy-rsa/releases/latest),
+ or clone the live repository:
+ ```sh
+ git clone https://github.com/OpenVPN/easy-rsa.git
+ ```
+
 #### Running Easy-RSA
 Invoking Easy-RSA is done through your preferred shell. Under Windows, you