From 81256ce75833cf55a143b9237c85779f57ac4842 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Mon, 29 Jul 2024 19:39:57 +0100
Subject: [PATCH] renew: Move SAN critical into SAN detected step
Signed-off-by: Richard T Bonhomme
---
dev/easyrsa-tools.lib | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/dev/easyrsa-tools.lib b/dev/easyrsa-tools.lib
index c788b3aa..0a961888 100644
--- a/dev/easyrsa-tools.lib
+++ b/dev/easyrsa-tools.lib
@@ -1007,14 +1007,6 @@ Cannot renew this certificate, a conflicting file exists: # Extract certificate usage from old cert ssl_cert_x509v3_eku "$crt_in" cert_type - # --san-crit - unset -v EASYRSA_SAN_CRIT - if grep -q 'X509v3 Subject Alternative Name: critical' "$crt_in" - then - export EASYRSA_SAN_CRIT='critical,' - verbose "renew: --san-crit ENABLED" - fi - # Use SAN from old cert ONLY if grep 'X509v3 Subject Alternative Name' "$crt_in"; then EASYRSA_SAN="$(
@@ -1025,6 +1017,15 @@ Cannot renew this certificate, a conflicting file exists: )" || die "renew - EASYRSA_SAN: easyrsa_openssl subshell" verbose "renew: EASYRSA_SAN: ${EASYRSA_SAN}" + # --san-crit + unset -v EASYRSA_SAN_CRIT + if grep -q 'X509v3 Subject Alternative Name: critical' \ + "$crt_in" + then + export EASYRSA_SAN_CRIT='critical,' + verbose "renew: --san-crit ENABLED" + fi + export EASYRSA_EXTRA_EXTS="\ $EASYRSA_EXTRA_EXTS subjectAltName = ${EASYRSA_SAN_CRIT}${EASYRSA_SAN}"
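Review bot: `unset -v EASYRSA_SAN_CRIT` now runs only inside the `if grep 'X509v3 Subject Alternative Name' "$crt_in"` branch in the second hunk, so when the old certificate has no SAN, a value already present in the environment is no longer cleared. If code after this block, outside the hunk, still reads EASYRSA_SAN_CRIT when it builds a subjectAltName, the renewed certificate could be marked with a critical SAN that the old one did not have. I would keep `unset -v EASYRSA_SAN_CRIT` ahead of the SAN check and move only the detection `if`. The added check also greps `$crt_in` directly, so it appears to depend on the file holding the certificate's text dump; a comment such as `# Assumes $crt_in includes the certificate text dump, not PEM only` would make that assumption visible. The enclosing function begins and ends outside this hunk.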