Skip to content

Commit

Permalink
doc: Revoke and Renew, update for Easy-RSA v3.2.1
Browse files Browse the repository at this point in the history
Add available abbreviations for 'reason' codes.

Add 'renew' and 'expire/sign' details.

Signed-off-by: Richard T Bonhomme <[email protected]>
  • Loading branch information
TinCanTech committed Aug 26, 2024
1 parent 294c05b commit ed24175
Showing 1 changed file with 47 additions and 31 deletions.
78 changes: 47 additions & 31 deletions doc/EasyRSA-Renew-and-Revoke.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,30 +4,61 @@ Easy-RSA 3 Certificate Renewal and Revocation Documentation
This document explains how the **differing versions** of Easy-RSA 3 work
with Renewal and Revocation of Certificates and Private keys.

Reason codes available for revoke commands
------------------------------------------

The follow is an exhaustive list of available `reason` codes, with abbreviations:

- us | uns* | unspecified
- kc | key* | keyCompromise
- cc | ca* | CACompromise
- ac | aff* | affiliationChanged
- ss | sup* | superseded
- co | ces* | cessationOfOperation
- ch | cer* | certificateHold

`reason` must be one of these abbreviations/codes, otherwise not be used.


Easy-RSA version 3.2.x
----------------------
v3.2 no longer supports the `renew` command.
For **Easy-RSA Version 3.2.0**, command `renew` is NOT supported.

Please upgrade to Easy-RSA Version 3.2.1

For **Easy-RSA Version 3.2.1+**, command `renew` is supported.

The command `renew` has been rewritten and now supports the renewal of
supported attributes. During renewal, the certificate is inspected and all
supported attributes are applied to the renewed certificate, as they were
in the original.

Instead, the process is as follows:
1. Command `expire <NAME>` - This will move an existing certificate
from `pki/issued` to `pki/expired`, so that a new certificate
can be signed, using the original request.
User added attributes from `$EASYRSA_EXTRA_EXTS`, that are not supported,
are dropped.

Generally, renewing is required ONLY when a certificate is due to
expire. This means that certificates moved to `pki/expired` are
expected to be expired or to expire in the near future.
If the renewed certificate requires unsupported attibutes or changing the
`commonName` then the following process, that of expiry and then signing a
new certificate from the original request file, is required.

2. Command `sign-req <TYPE> <NAME>` - Sign a new certificate.
The expiry and signing process is as follows:
1. Command `expire <NAME>`

This allows ALL command line customisations to be used. eg: SAN.
(These customisations do not work correctly with the old `renew`)
This will move an existing certificate from `pki/issued` to `pki/expired`,
so that a new certificate can be signed, using the original request.

3. If required, Command `revoke-expired` can be used to revoke an
Generally, renewing is required ONLY when a certificate is due to expire.
This means that certificates moved to `pki/expired` are expected to be expired
or to expire in the near future, however, this is not a requirement.

2. Command `sign-req <TYPE> <NAME>`

Sign a new certificate. This allows ALL command line customisations to be used.

3. If required, command `revoke-expired` can be used to revoke an
expired certificate in the `pki/expired` directory.

This approach also allows certificates which have been edited during
`sign-req` to be edited the same way, without the need for excessive
and non-standard code. (Note: OpenSSL allows only one way for edits)
This approach allows original certificates, which have been edited during `sign-req`,
to be edited the same way.


Easy-RSA version 3.1.x
Expand Down Expand Up @@ -76,7 +107,7 @@ using command:

easyrsa rewind-renew serialNumber

Command `rewind-renew` is available since Easy-RSA version `3.1.1`
Command `rewind-renew` is only available in Easy-RSA version `3.1.1` to `3.1.7`.

Once `rewind-renew` has recovered the files, the certificate can be revoked:

Expand Down Expand Up @@ -132,21 +163,6 @@ certificate status:
`show-revoke` shows all certificates which have been revoked.


Reason codes available for revoke commands
------------------------------------------

The follow is an exhaustive list of available `reason` codes:
- `unspecified`
- `keyCompromise`
- `CACompromise`
- `affiliationChanged`
- `superseded`
- `cessationOfOperation`
- `certificateHold`

`reason` must be one of these codes, otherwise not be used.


About command `rebuild`
-----------------------

Expand Down

0 comments on commit ed24175

Please sign in to comment.