diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index a1f34967a..828336a47 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -749,6 +749,7 @@ easyrsa_openssl() { -e s\`'$ENV::EASYRSA_REQ_ORG'\`\""$EASYRSA_REQ_ORG"\"\`g \ -e s\`'$ENV::EASYRSA_REQ_OU'\`\""$EASYRSA_REQ_OU"\"\`g \ -e s\`'$ENV::EASYRSA_REQ_EMAIL'\`\""$EASYRSA_REQ_EMAIL"\"\`g \ + -e s\`'$ENV::EASYRSA_REQ_SERIAL'\`\""$EASYRSA_REQ_SERIAL"\"\`g \ "$EASYRSA_SSL_CONF" > "$easyrsa_openssl_conf" || \ die "easyrsa_openssl - Failed to make temporary config (1)" @@ -1192,10 +1193,46 @@ current CA keypair. If you intended to start a new CA, run init-pki first." printf "" > "$EASYRSA_PKI/index.txt.attr" || die "$err_file" printf '%s\n' "01" > "$EASYRSA_PKI/serial" || die "$err_file" - # Default CN only when not in global EASYRSA_BATCH mode: - [ "$EASYRSA_BATCH" ] && ssl_batch=1 + # Default CA commonName [ "$EASYRSA_REQ_CN" = ChangeMe ] && export EASYRSA_REQ_CN="Easy-RSA CA" + # Do not use prompting from SSL config + ssl_batch=1 + + # Get user confirmation here, not while in SSL + if [ "$EASYRSA_BATCH" ]; then + : # ok + else + case "$EASYRSA_DN" in + cn_only) + confirm " + Create CA certificate with these DN settings ? " yes "\ +EasyRSA DN 'commonName-Only' mode (cn_only) + +* Current CA Distinguished Name fields: + + commonName = $EASYRSA_REQ_CN" + ;; + org) + confirm " + Create CA certificate with these DN settings ? " yes "\ +EasyRSA DN 'Organisation' mode (org) + +* Current CA Distinguished Name fields: + + commonName = $EASYRSA_REQ_CN + countryName = $EASYRSA_REQ_COUNTRY + stateOrProvinceName = $EASYRSA_REQ_PROVINCE + localityName = $EASYRSA_REQ_CITY + organizationName = $EASYRSA_REQ_ORG + 0.organizationalUnitName = $EASYRSA_REQ_OU + emailAddress = $EASYRSA_REQ_EMAIL${EASYRSA_REQ_SERIAL:+" + serialNumber = $EASYRSA_REQ_SERIAL"}" + ;; + *) die "Unrecognised DN mode: $EASYRSA_DN" + esac + fi + out_key_tmp="$(easyrsa_mktemp)" || die "Failed to create temp-key file" out_file_tmp="$(easyrsa_mktemp)" || die "Failed to create temp-cert file" @@ -4509,6 +4546,9 @@ while :; do --req-ou) empty_ok=1 export EASYRSA_REQ_OU="$val" ;; + --req-serial) + empty_ok=1 + export EASYRSA_REQ_SERIAL="$val" ;; --ns-cert) export EASYRSA_NS_SUPPORT="$val" ;; --ns-comment) diff --git a/easyrsa3/openssl-easyrsa.cnf b/easyrsa3/openssl-easyrsa.cnf index 928b19568..f637147f4 100644 --- a/easyrsa3/openssl-easyrsa.cnf +++ b/easyrsa3/openssl-easyrsa.cnf @@ -13,9 +13,9 @@ crl_dir = $dir # Where the issued crl are kept database = $dir/index.txt # database index file. new_certs_dir = $dir/certs_by_serial # default place for new certs. -certificate = $dir/ca.crt # The CA certificate -serial = $dir/serial # The current serial number -crl = $dir/crl.pem # The current CRL +certificate = $dir/ca.crt # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL private_key = $dir/private/ca.key # The private key RANDFILE = $dir/.rand # private random number file @@ -49,15 +49,15 @@ localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied -name = optional emailAddress = optional +serialNumber = optional #################################################################### # Easy-RSA request handling # We key off $DN_MODE to determine how to format the DN [ req ] default_bits = $ENV::EASYRSA_KEY_SIZE -default_keyfile = privkey.pem +default_keyfile = privkey.pem default_md = $ENV::EASYRSA_DIGEST distinguished_name = $ENV::EASYRSA_DN x509_extensions = easyrsa_ca # The extensions to add to the self signed cert @@ -101,6 +101,9 @@ emailAddress = Email Address emailAddress_default = $ENV::EASYRSA_REQ_EMAIL emailAddress_max = 64 +serialNumber = Serial-number (eg, device serial-number) +serialNumber_default = $ENV::EASYRSA_REQ_SERIAL + #################################################################### # Easy-RSA cert extension handling