From f6c2bf55ca68f32d6b0bea476fe1b97c769491f8 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sat, 6 Apr 2024 21:50:06 +0100 Subject: [PATCH] docs: Update EasyRSA-Renew-and-Revoke.md - 'expire` + 'revoke-expired' Signed-off-by: Richard T Bonhomme --- doc/EasyRSA-Renew-and-Revoke.md | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/doc/EasyRSA-Renew-and-Revoke.md b/doc/EasyRSA-Renew-and-Revoke.md index 7b338d089..5c26c0593 100644 --- a/doc/EasyRSA-Renew-and-Revoke.md +++ b/doc/EasyRSA-Renew-and-Revoke.md 
@@ -4,9 +4,34 @@ Easy-RSA 3 Certificate Renewal and Revocation Documentation This document explains how the **differing versions** of Easy-RSA 3 work with Renewal and Revocation of Certificates and Private keys. -Thanks to _good luck_, _hard work_ and _co-operation_, these version dependent -differences have been _smoothed-over_. Since version `3.1.1`, Easy-RSA has the -tools required to renew and/or revoke all verified and Valid certifiicates. +Easy-RSA version 3.2.x +---------------------- +v3.2 no longer supports the `renew` command. + +Instead, the process is as follows: +1. Command `expire ` - This will move an existing certificate + from `pki/issued` to `pki/expired`, so that a new certificate + can be signed, using the original request. + + Generally, renewing is required ONLY when a certificate is due to + expire. This means that certificates moved to `pki/expired` are + expected to be expired or to expire in the near future. + +2. Command `sign-req ` - Sign a new certificate. + + This allows ALL command line cutomisations to be used. eg: SAN. + (These customisations do not work correctly with the old `renew`) + +3. If required, Command `revoke-expired` can be used to revoke an + expired certificate in the `pki/expired` directory. + +This approach also allows certificates which have been edited during +`sign-req` to be edited the same way, without the need for excessive +and non-standard code. (Note: OpenSSL allows only one way for edits) + + +Easy-RSA version 3.1.x +---------------------- **UPDATE**: The changes noted for Easy-RSA version 3.1.2 have all been included with
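Review bot: Step 3 says `revoke-expired` can be used "If required" but the added text never says when that is. Step 1 only moves the certificate from `pki/issued` to `pki/expired`, and the paragraph under it allows for certificates that are still "to expire in the near future", so an old certificate can remain valid alongside the new one signed from the same request. Suggest stating in step 3 that moving a certificate to `pki/expired` does not revoke it, and saying when revocation is required, for example when the old certificate should stop being accepted before its expiry date. Two smaller points in the same hunk: "cutomisations" in step 2 should be "customisations", as it is spelled on the following line, and `expire ` and `sign-req ` in steps 1 and 2 end with a trailing space inside the backticks, which suggests the argument placeholder is missing from both command names.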