Rename 'renew' to 'rebuild' - Introduce 'renew' version 3 #688
The old 'renew' always created a new private key at the CA signing side. This forces the entity private key to be exposed, unnecessarily. Only certificates expire, therefore, only certificates can be renewed. For those reasons, the old 'renew' has been renamed to 'rebuild'.

The new 'renew' creates a new certificate only from the existing CSR. The existing CSR will always exist, allowing a certificate to be renewed indefinitely.

Both 'rebuild' and 'renew' use the renewed/ folders to temporarily store the old certificate, where it can be revoked with 'revoke-renewed' command.

Manually tested.

Closes: OpenVPN#684

Notes:
* renew version 1 did not have a command to revoke old certificates.
* renew version 2 allowed old certificates to be revoked via command 'revoke-renewed'.
* renew version 3 only renews the certificate.

Signed-off-by: Richard T Bonhomme <[email protected]>
The renew() backend still has the second major problem the (renamed) rebuild() backend has: lack of generic certificate type support - only server / client / serverClient types are currently supported. I suggest that renew() should be renamed something like renew_as() and take an additional mandatory argument of crt_type.
else
san="$(
easyrsa_openssl x509 -in "$crt_in" -noout -text | sed -n \
"/X509v3 Subject Alternative Name:/{n;s/IP Address:/IP:/g;s/ //g;p;}"
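Review bot: the `san=` capture converts only one display form back to config syntax (`s/IP Address:/IP:/g`) and then strips every space with `s/ //g`, so any other SAN type that openssl prints differently from the config form passes through unconverted (a Registered ID entry ends up as `RegisteredID:` rather than `RID:`, as the thread already notes) and any entry whose value legitimately contains a space is altered before it is fed back to openssl. Suggest doing the same conversion display_san() does, ideally from one shared helper called by both rebuild() and renew() so the two copies cannot drift, and failing the rebuild with a clear error when an entry does not match a type the tool can re-emit instead of passing an unconverted value on.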
this (and the same in renew() above) should be updated to include the 's/RegisteredID/RID/;' sed substitution as seen in display_san()
Resolved: lack of generic certificate type support via #694
include the 's/RegisteredID/RID' will require a new issue.
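The SAN extraction discussed in the review above, as an added, stand-alone example that is not easy-rsa's own code: `san_from_text` is the PR's sed pipeline with the `s/RegisteredID/RID/` substitution from display_san() appended (the trailing `g` flag is my addition), reading `openssl x509 -noout -text` output on stdin and printing the comma-separated config-form SAN. It goes one step beyond the thread with `san_is_supported`, a hypothetical check that refuses any entry whose type the renewal path cannot safely hand back to openssl, so an unconverted value fails loudly instead of producing a certificate with a mangled SAN. The certificate text is a constructed sample, not a real certificate; the function names and the set of accepted SAN types are assumptions.

```shell
#!/bin/sh
# Added example (not easy-rsa code): turn the SAN line that
# `openssl x509 -noout -text` prints into the comma-separated form an
# openssl config expects, then validate every entry before reuse.

# Constructed, trimmed sample of `openssl x509 -noout -text` output.
sample_text() {
    cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:vpn.example.test, IP Address:192.0.2.10, Registered ID:1.3.6.1.4.1.99999.1
            X509v3 Basic Constraints:
                CA:FALSE
EOF
}

# The PR's sed pipeline plus the display_san() Registered ID fix.
# Order matters: `s/ //g` runs first, so "Registered ID:" has already
# become "RegisteredID:" by the time the RID substitution is applied.
san_from_text() {
    sed -n \
      '/X509v3 Subject Alternative Name:/{n;s/IP Address:/IP:/g;s/ //g;s/RegisteredID/RID/g;p;}'
}

# Return 0 when every comma-separated entry uses a SAN type this example
# knows how to re-emit in config syntax (assumed set), 1 otherwise, naming
# the offending entry on stderr.
san_is_supported() {
    san=$1
    rc=0
    old_ifs=$IFS
    IFS=,
    for entry in $san; do
        case $entry in
            DNS:*|IP:*|email:*|URI:*|RID:*) ;;
            *) printf 'unsupported SAN entry: %s\n' "$entry" >&2; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# Stand-alone usage: convert the sample, then refuse to continue unless
# every entry is of a supported type.
san=$(sample_text | san_from_text)
printf 'config-form SAN: %s\n' "$san"
san_is_supported "$san" || exit 1
```

Because `san_is_supported` compares whole entries rather than re-parsing the line, an entry that openssl prints in a form the converter does not know (an othername, for instance) is rejected at this point rather than being passed through as a SAN string that openssl will either refuse or interpret differently.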