Easy-RSA 3.0 Development Direction

Support forum for Easy-RSA certificate management suite.
Post Reply
User avatar
ecrist
Forum Team
Posts: 265
Joined: Wed Nov 26, 2008 10:33 pm
Location: Minneapolis, MN
Contact:

Easy-RSA 3.0 Development Direction

Post by ecrist » Fri Oct 05, 2012 3:40 am

As the current maintainer of Easy-RSA, I'm curious as to where people would like to see Easy-RSA 3.0 go. One thing I'd like to see is a single script with proper command line argument parsing. I'd like to move the project forward.

If you're interested in helping, or just want to track where things are going, the project is located on GitHub.
OpenVPN Community Administrator
IRC: #openvpn, #openvpn-devel Twitter: @ecrist
Co-Author of Mastering OpenVPN
Author of Troubleshooting OpenVPN

hkais
OpenVpn Newbie
Posts: 13
Joined: Mon Jan 16, 2012 7:56 am

Re: Easy-RSA 3.0 Development Direction

Post by hkais » Sat Jun 22, 2013 7:42 pm

Hi ecrist,

I am using easy-rsa for a long period. Many thanks for the easy tool for openssl. The learning curve for SSL certs is much lower with your tool, and people aren't afraid of doing SSL with your tool!
So a really nice job, thank you.

I tried to figure out, how to pass a feature request. But I couldn't find it. So I am using your thread for it. I hope it is okay.

easy-rsa is missing a check for duplicate common names. Before creating a new cert easy-rsa should check if the CN is already existing AND is not revoked. If so, exit with a user readable messeage like:
"common name /CN=....... is currently active with the serial number 911 and the fingerprint abcdef01234..., revoke it first or use a different common name"
This feature should be configurable, if someone needs the old behaviour.

Right now sometimes certificates get generated with identical CNs, this is really stupid since openVPN server itself does not provide any further informations, which of the duplicate CN certificate is currently really active.
In my case, this happend multiple times accidentially, since the users have same names, typos, and so on. So if you try to revoke one of the duplicate CN certificates, which one, if you have no access to the users/client certificates?

bye

Post Reply