Merge branch 'TinCanTech-revoke-keep-request'

Signed-off-by: Richard T Bonhomme <[email protected]>
OpenVPN · Apr 8, 2024 · 2d941ba · 2d941ba
2 parents 3e81a57 + 6111169
commit 2d941ba
Show file tree

Hide file tree

Showing 3 changed files with 130 additions and 449 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -2,6 +2,10 @@ Easy-RSA 3 ChangeLog
 
 3.2.0 (TBD)
 
+   * docs: Update EasyRSA-Renew-and-Revoke.md (f6c2bf5) (#1109)
+   * Remove all 'renew' code; replaced by 'expire' code (9d94207) (#1109)
+   * Introduce commands: 'expire' and 'revoke-expired' (a1890fa) (#1109)
+   * Keep request files [CSR] when revoking certificates (6d6e8d8) (#1109)
    * Restrict use of --req-cn to build-ca (0a46164) (#1098)
    * Remove command 'display-san' (Code removed in 5a06f94) (50e6002) (#1096)
    * help: Add 'copyext'; How to use --copy-ext and --san (5a06f94) (#1096)

diff --git a/doc/EasyRSA-Renew-and-Revoke.md b/doc/EasyRSA-Renew-and-Revoke.md
@@ -4,9 +4,34 @@ Easy-RSA 3 Certificate Renewal and Revocation Documentation
 This document explains how the **differing versions** of Easy-RSA 3 work
 with Renewal and Revocation of Certificates and Private keys.
 
-Thanks to _good luck_, _hard work_ and _co-operation_, these version dependent
-differences have been _smoothed-over_. Since version `3.1.1`, Easy-RSA has the
-tools required to renew and/or revoke all verified and Valid certifiicates.
+Easy-RSA version 3.2.x
+----------------------
+v3.2 no longer supports the `renew` command.
+
+Instead, the process is as follows:
+1. Command `expire <NAME>` - This will move an existing certificate
+   from `pki/issued` to `pki/expired`, so that a new certificate
+   can be signed, using the original request.
+
+   Generally, renewing is required ONLY when a certificate is due to
+   expire. This means that certificates moved to `pki/expired` are
+   expected to be expired or to expire in the near future.
+
+2. Command `sign-req <TYPE> <NAME>` - Sign a new certificate.
+
+   This allows ALL command line cutomisations to be used. eg: SAN.
+   (These customisations do not work correctly with the old `renew`)
+
+3. If required, Command `revoke-expired` can be used to revoke an
+   expired certificate in the `pki/expired` directory.
+
+This approach also allows certificates which have been edited during
+`sign-req` to be edited the same way, without the need for excessive
+and non-standard code. (Note: OpenSSL allows only one way for edits)
+
+
+Easy-RSA version 3.1.x
+----------------------
 
 **UPDATE**:
 The changes noted for Easy-RSA version 3.1.2 have all been included with