Basic support for IoT devices (--dn-mode=device)

doc/EasyRSA-Advanced.md

@@ -84,8 +84,8 @@ possible terse description is shown below:
  *  `EASYRSA_SSL_CONF` - the openssl config file to use
  *  `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific
     files, defaults to `$PWD/pki`.
- *  `EASYRSA_DN` (CLI: `--dn-mode`) - set to the string `cn_only` or `org` to
-    alter the fields to include in the req DN
+ *  `EASYRSA_DN` (CLI: `--dn-mode`) - set to the string `cn_only`, `device`, or
+    `org` to alter the fields to include in the req DN
  *  `EASYRSA_REQ_COUNTRY` (CLI: `--req-c`) - set the DN country with org mode
  *  `EASYRSA_REQ_PROVINCE` (CLI: `--req-st`) - set the DN state/province with
     org mode

doc/EasyRSA-Readme.md

@@ -56,6 +56,13 @@ Obtaining and Using Easy-RSA
   You should install and run Easy-RSA as a non-root (non-Administrator) account
   as root access is not required.
 
+  Download the latest stable release package from the
+  [Easy-RSA GitHub repository](https://github.com/OpenVPN/easy-rsa/releases/latest),
+  or clone the live repository:
+  ```sh
+  git clone https://github.com/OpenVPN/easy-rsa.git
+  ```
+
 #### Running Easy-RSA
 
   Invoking Easy-RSA is done through your preferred shell. Under Windows, you

easyrsa3/easyrsa

@@ -438,9 +438,10 @@ Certificate & Request options: (these impact cert/req field values)
 --days=#        : sets the signing validity to the specified number of days
 
 --digest=ALG    : digest to use in the requests & certificates
---dn-mode=MODE  : DN mode to use (cn_only or org)
+--dn-mode=MODE  : DN mode to use (cn_only, device, or org)
 --keysize=#     : size in bits of keypair to generate
 --req-cn=NAME   : default CN to use
+--req-sn=SN     : default device serial number (only useful if --dn-mode=device)
 --subca-len=#   : path length of signed intermediate CA certs; must be >= 0 if used
 --subject-alt-name
 --san           : Add a subjectAltName.
@@ -740,6 +741,8 @@ easyrsa_openssl() {
 			-e s\`'$ENV::EASYRSA_REQ_ORG'\`\""$EASYRSA_REQ_ORG"\"\`g \
 			-e s\`'$ENV::EASYRSA_REQ_OU'\`\""$EASYRSA_REQ_OU"\"\`g \
 			-e s\`'$ENV::EASYRSA_REQ_EMAIL'\`\""$EASYRSA_REQ_EMAIL"\"\`g \
+			-e s\`'$ENV::EASYRSA_REQ_SN'\`\""$EASYRSA_REQ_SN"\"\`g \
+
 				"$EASYRSA_SSL_CONF" > "$easyrsa_openssl_conf" || \
 					die "easyrsa_openssl - Failed to make temporary config (1)"
 
@@ -3528,6 +3531,7 @@ Move your vars file to your PKI folder, where it is safe!"
 	set_var EASYRSA_REQ_ORG			"Copyleft Certificate Co"
 	set_var EASYRSA_REQ_EMAIL		[email protected]
 	set_var EASYRSA_REQ_OU			"My Organizational Unit"
+	set_var EASYRSA_REQ_SN		"My device SN"
 	set_var EASYRSA_ALGO			rsa
 	set_var EASYRSA_KEY_SIZE		2048
 	set_var EASYRSA_CURVE			secp384r1
@@ -3688,7 +3692,7 @@ up23_verify_current_pki ()
 	# This list may not be complete
 	# Not required: DH_KEY_SIZE PKCS11_MODULE_PATH PKCS11_PIN
 	for i in KEY_DIR KEY_SIZE KEY_COUNTRY KEY_PROVINCE \
-	KEY_CITY KEY_ORG KEY_EMAIL KEY_CN KEY_NAME KEY_OU
+	KEY_CITY KEY_ORG KEY_EMAIL KEY_CN KEY_NAME KEY_OU KEY_SN
 	do
 		# Effectively, source the v2 vars file
 		UNIQUE="set $i"
@@ -3746,6 +3750,7 @@ up23_verify_current_ca ()
 	[ "$CA_localityName" = "$KEY_CITY" ] || CA_vars_match=0
 	[ "$CA_organizationName" = "$KEY_ORG" ] || CA_vars_match=0
 	[ "$CA_organizationalUnitName" = "$KEY_OU" ] || CA_vars_match=0
+	[ "$CA_serialNumber" = "$KEY_SN" ] || CA_vars_match=0
 	[ "$CA_emailAddress" = "$KEY_EMAIL" ] || CA_vars_match=0
 
 	if [ "$CA_vars_match" -eq 1 ]
@@ -3960,6 +3965,7 @@ up23_build_v3_vars ()
 		printf "%s\n" "set_var EASYRSA_REQ_ORG \"$KEY_ORG\""
 		printf "%s\n" "set_var EASYRSA_REQ_EMAIL \"$KEY_EMAIL\""
 		printf "%s\n" "set_var EASYRSA_REQ_OU \"$KEY_OU\""
+		printf "%s\n" "set_var EASYRSA_REQ_SN \"$KEY_SN\""
 		printf "%s\n" 'set_var EASYRSA_NS_SUPPORT "yes"'
 		printf "%s\n" 'set_var EASYRSA_DN "org"'
 		printf "%s\n" 'set_var EASYRSA_RAND_SN "no"'
@@ -4308,6 +4314,9 @@ while :; do
 	--req-ou)
 		empty_ok=1
 		export EASYRSA_REQ_OU="$val" ;;
+	--req-sn)
+		empty_ok=1
+		export EASYRSA_REQ_SN="$val" ;;
 	--ns-cert)
 		export EASYRSA_NS_SUPPORT="$val" ;;
 	--ns-comment)

easyrsa3/openssl-easyrsa.cnf

@@ -51,6 +51,7 @@ organizationalUnitName	= optional
 commonName		= supplied
 name			= optional
 emailAddress		= optional
+serialNumber		= optional
 
 ####################################################################
 # Easy-RSA request handling
@@ -74,6 +75,16 @@ commonName		= Common Name (eg: your user, host, or server name)
 commonName_max		= 64
 commonName_default	= $ENV::EASYRSA_REQ_CN
 
+# Easy-RSA DN for IoT devices (CN + SN)
+# Note that this is the Subject's SN, not the certificate's!
+[ device ]
+commonName		= Common Name (eg: your user, host, or server name)
+commonName_max		= 64
+commonName_default	= $ENV::EASYRSA_REQ_CN
+
+serialNumber		= Device's serial number
+serialNumber_default	= $ENV::EASYRSA_REQ_SN
+
 # Easy-RSA DN for org support:
 [ org ]
 countryName			= Country Name (2 letter code)

easyrsa3/vars.example

@@ -82,10 +82,15 @@ fi
 #
 # Choices are:
 #   cn_only  - use just a CN value
+#   device   - use a CN and a serialNumber (useful for IoT devices)
 #   org      - use the "traditional" Country/Province/City/Org/OU/email/CN format
 
 #set_var EASYRSA_DN	"cn_only"
 
+# Device fields (used with 'device' mode and ignored in 'cn_only' and
+# 'org' modes.)
+# set_var EASYRSA_REQ_SN	"My device SN"
+
 # Organizational fields (used with "org" mode and ignored in "cn_only" mode.)
 # These are the default values for fields which will be placed in the
 # certificate.  Do not leave any of these fields blank, although interactively