From 5720ae4a607d6020a2683a06f536ab127da93386 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 30 Aug 2024 13:16:40 +0100 Subject: [PATCH] doc: Revoke and Renew, update for Easy-RSA v3.2.1 - Partial renew CA Signed-off-by: Richard T Bonhomme --- doc/EasyRSA-Renew-and-Revoke.md | 73 +++++++++++++++++++++++++++++---- 1 file changed, 65 insertions(+), 8 deletions(-) diff --git a/doc/EasyRSA-Renew-and-Revoke.md b/doc/EasyRSA-Renew-and-Revoke.md index c4a0b025..e48659e6 100644 --- a/doc/EasyRSA-Renew-and-Revoke.md +++ b/doc/EasyRSA-Renew-and-Revoke.md @@ -6,7 +6,7 @@ with regard to Renewal and Revocation of Certificates. ## In summary: - **Easy-RSA Version 3.1.7** provides the most flexible support of renewal. +**Easy-RSA Version 3.1.7** provides the most flexible support of renewal. This includes command `rewind-renew`, which is required to recover certificates renewed by `renew` command version 1. However, this does **not** include renewing any supported certificate attributes. @@ -33,7 +33,7 @@ The follow is an exhaustive list of available `reason` codes, with abbreviations ---- Easy-RSA version 3.2.x ----------------------- +====================== For **Easy-RSA Version 3.2.0**, command `renew` is NOT supported. Please upgrade to Easy-RSA Version 3.2.1 @@ -75,11 +75,7 @@ to be edited the same way. ---- Easy-RSA version 3.1.x ----------------------- - -**UPDATE**: -The changes noted for Easy-RSA version 3.1.2 have all been included with -Easy-RSA version 3.1.1 - See https://github.com/OpenVPN/easy-rsa/pull/688 +====================== Command Details: `renew` ------------------------ @@ -190,4 +186,65 @@ an old certificate/key pair, which has been _rebuilt_ by command `rebuild`. Renew CA Certificate ==================== -TBD +Easy-RSA Version 3.2.1+ supports a simple way to effectively renew a CA Certificate. + +**Preamble** - Specifically for use with OpenVPN: + +When a CA certificate expires it must be replaced, this is unavoidable. +No matter what method is used to create a new or renewed CA certificate, +that CA certificate must be distributed to all of your servers and clients. + +Please consider the method outlined here, which requires very little work: + +1. **Before you do anything else -- Make a BACKUP of your current PKI.** + +2. Use command `init-pki soft` + + This will reset your current PKI but will keep your `vars` setting file + and your current Request files [CSR], in the `pki/reqs` directory. + + If you have an Easy-RSA generated TLS key for OpenVPN, that will also be + preserved. However, it will NOT be used for new `inline` files. The file + `pki/private/easyrsa-tls.key` will be moved to `pki/easyrsa-tls.key-safe`, + for safe keeping. Easy-RSA will display a warning that this key is still + valid and possibly in use, before allowing another TLS key to be generated. + +3. Use command `build-ca` + + (With or without password and other preferences) + + This will build a completely new CA Certificate and private key. + + Use option `--days` to extend the lifetime of your new CA. + +4. Use command `sign-req ` + + (With or without other preferences, password is not relavent) + + This will use an existing Request to sign a new Certificate. + + This will NOT generate a new Private Key for each new Certificate. + + This will generate new `inline` files that can be distributed publicly. + These `inline` files will not contain any security sensitive data. + + This means that you will have a new CA certificate and private key. + And signed certificates for all of your users, including servers. + +5. Distribute the new `inline` files to all members of your PKI/VPN. + + These new `inline` files will not contain the user private key or the + OpenVPN Pre-shared TLS key. + + These new `inline` files can be used by OpenVPN, examples below: + + * specify: `--config ` in the OpenVPN user config file. + * Use copy/paste to add the new details to the OpenVPN user config file. + * Use `cat` to append the `inline` file to the OpenVPN user config file. + + Note: + `inline` files in the `pki/inline/private` directory include security keys, + which MUST only be transmitted over a secure connection, such as `https`. + + As of Easy-RSA Version 3.2.1, this is the only supported way to renew an + expired CA certificate.