EasyRSA 3.1.2 incomplete handling of .cnf spcifications

Support forum for Easy-RSA certificate management suite.
Post Reply
OpenVpn Newbie
Posts: 1
Joined: Thu Jan 26, 2023 3:44 pm

EasyRSA 3.1.2 incomplete handling of .cnf spcifications

Post by Chris-L » Thu Jan 26, 2023 4:16 pm

Hi Community members,

I've been using EasyRSA and OpenSLL on windows for years now, initially with the purpose of enabling OpenVPN on my PCs

I did hat historcally with Easy RSA 3.0.3 and got no problem to setup my PKI, Root CA, Server and User certificate.
Easy RSA and OpenVPN are working like a charm.

First thanks to the technical team working on it.

For now one week, I've been fighting with EasyRSA 3.1.2 that I decided to use to renew my old PKI and extending/renewing my existing certificate preserving my Root CA and my existing certificates.

Here, I implemented the vars file and updated my openssl-1.0.cnf files to be aligned with the current template;

I had then several issues that I wasn't able to solve (probably I missed some documentation or information that I did get in the forums)

1) Init-PKI never accepted to create the PKI in another dir as long as I hadn't set the .bat file the 2 environment variables

set EASYRSA_PKI=C:/Users/XXXX/Documents/PKI
set EASYRSA_SSL_CONF=C:/Users/XXXX/Documents/PKI/openssl-easyrsa.cnf

It was always building the PKI under the EasyRA directory despite the value set in the vars file

set_var EASYRSA_PKI "C:/Users/XXXX/Documents/PKI"

2) build-ca doesn't create a root CA changing the name and location based on the value certificate set in the openssl-easyrsa.cnf

dir = $ENV::EASYRSA_PKI # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
certificate = $certs/Home-CA.crt # The CA certificate

It always creat a ca.crt in the root directory of the PKI and put the private key ca.key in the private directory (which is normal)
No way to get a Home-CA.crt and .key here except moving it and renaming it.

After that, the easyrsa build-client-full does the trick finding effectively the root CA in the proper directory with the proper name


3) Unlike EasyRSA 3.0.3, EasyRSA 3.1.2 doesn't propose during the certificate creation t change the proposed default values set in the var file using the

set_var EASYRSA_REQ_CITY "Town"
set_var EASYRSA_REQ_ORG "Home and Cie"
set_var EASYRSA_REQ_EMAIL "just_me@yahoo.com"
set_var EASYRSA_REQ_OU "At home"

Instead in set by force all the values to that defaults even not proposing to alter the defaults at creation time like before.
This below section doesn't seem to be taken into account to interactively query the values from the user input

# Easy-RSA DN for org support:
[ org ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::EASYRSA_REQ_COUNTRY
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE

localityName = Locality Name (eg, city)
localityName_default = $ENV::EASYRSA_REQ_CITY

0.organizationName = Organization Name (eg, company)
0.organizationName_default = $ENV::EASYRSA_REQ_ORG

organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = $ENV::EASYRSA_REQ_OU

commonName = Common Name (eg: your user, host, or server name)
commonName_max = 64
commonName_default = $ENV::EASYRSA_REQ_CN

emailAddress = Email Address
emailAddress_default = $ENV::EASYRSA_REQ_EMAIL
emailAddress_max = 64

serialNumber = Serial-number (eg, device serial-number)
serialNumber_default = $ENV::EASYRSA_REQ_SERIAL

Due to that the requester email has to be changed each time in the cars file

Did I miss something, is it a EasyRSA problem or OpenSSL-Win64 one?
I'm using now Win64OpenSSL-3_0_7.msi

Except this configuration issues I succeeded managing the changes to rebuild the PKI but I'm not confortable with the things I should I missed here.

Great great thanks for your help.


User avatar
Forum Team
Posts: 1195
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: EasyRSA 3.1.2 incomplete handling of .cnf spcifications

Post by Pippin » Sun Jan 29, 2023 10:27 am


I'm going to point you here:
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp

Post Reply