Easy-RSA 3 ChangeLog
3.2.5 (2025-12-13)
* ssl_cert_digest(): Support Edwards curve with LibreSSL (1eaa31e) (#1415)
* New function ssl_cert_sig_digest() (f9d2b49) (#1414)
* Add '-b' alias for --batch (575a964) (#1411)
* Introduce peer-fingerprint inline lists (94c3690) (#1410)
* Create new inline file type 'pfp', peer-fingerprint (353adc5) (#1407)
* export_pkcs(), PKCS12 inline: Respect $EASYRSA_NO_INLINE (35d7ad3) (#1407)
Original bug report: Sébastien Luttringer (#1406)
* Introduce global option --force-vars (5560d3c) (#1405)
* source_vars(): Add 'set -e' to dry-run, sub-shell sourcing vars (6598711) (#1405)
* source_vars(): Add grep check for assignment by '=' (fc36545) (#1405)
* Update EasyRSA-Advanced.md (276eaa5) (#1403)
* Introduce global option --no-inline (75e52f7) (#1403)
* Replace $ignore_vars with $EASYRSA_NO_VARS (Revert 3c0ca17) (5879488) (#1403)
* Libressl: Use ONLY $EASYRSA_FORCE_SAFE_SSL (25b7485) (#1402)
* select_x509_type_tmp(): This complements select_ssl_cnf_tmp() (dc754e4) (#1401)
* select_ssl_cnf_tmp(): Replace provide_EASYRSA_SSL_CONF_tmp() (538ad3d) (#1401)
* inline_file(): Make unknown certificate type non-fatal (b2373e2) (#1399)
* Remove 'kdc' as a 'built-in' X509-type (13e37d9) (#1399)
* peer-fingerprint: Allow 'show-cert' to be used (7cf55e0) (#1397)
* init-pki: Introduce configurable cryptography (a8da392) (#1397)
* Update OpenSSL for Windows to 3.6.0 (62a0cea)
* Replace "local" openssl-easyrsa.cnf (80702d6..b31443d) (#1394)
Original bug report: #1390 'OpenBSD/LibreSSL failure'
With these changes, Easy-RSA now does the following:
- Create a global safe SSL config file exactly as before and export it
to $OPENSSL_CONF, for use by any SSL library. This file is specifically
required by check_serial_unique(), which must have the Easy-RSA CA
configured file.
- Use either an existing openssl-easyrsa.cnf file OR provide a default,
unexpanded tmp-file, which is exported to $EASYRSA_SSL_CONF, for use
ONLY by Easy-RSA. This must be unexpanded to allow $EASYRSA_REQ_CN to
be configured by the Easy-RSA command in use (eg. sign-req) once the
Easy-RSA command line has been fully parsed.
- When calling easyrsa_openssl(), for LibreSSL or --force-safe-ssl,
expand the current $EASYRSA_SSL_CONF and export that to $OPENSSL_CONF,
for use by the called SSL command. Otherwise, use the current, unexpanded
file and export that.
3.2.4 (2025-08-27)
* build-ca: get_passphrase(), write passphrase directly to temp-file (0cb9cdd)
* create_legacy_stream(): Designate 'selfsign' as NOT user configurable (f564b1c) (#1383)
* self_sign(): awk action, correct comment and reduce script (8e23ba3) (#1383)
* forbid_selfsign(): Allow issuer certificate serial to be absent (09dffec) (#1383)
Original bug report: github-user topical (#1382)
* self_sign(): Force use of Easy-RSA X509-type file 'selfsign' (7e39cc6) (#1383)
* random: Use verify_working_env() to configure EASYRSA_OPENSSL (32eb73d) (#1381)
* set_no_clobber(): Add simple error detection (0f93880) (#1379)
* revoke: Archive request and private key files and expand help (79754da) (#1378)
Original bug report: github-user spacefreak86 (#1377)
* Remove 'easyrsa_mkdir()', use only 'mkdir' (5738f3d) (#1376)
* help: Correct build-ca 'rawca' command option (0447f42) (#1374)
* Windows easyrsa-shell-init.sh: Modernize prompt (5bf2e99) (#1374)
* Windows UT: Update 'wop-test.sh' to latest 'easyrsa-shell-init.sh' (ea5b168) (#1374)
* verify_openvpn(): Convert Windows path '\' to *nix path '/' (75a8fdd) (#1374)
* verify_openvpn(): Windows, add check for 'openvpn.exe' (10c6267) (#1374)
* gen-crl: Replace file-move with file-copy-preserve-attribs (4cc1d48) (#1374)
* Windows easyrsa-shell-init.sh: Add non-fatal check for 'openvpn.exe' (bb78615) (#1374)
* Windows easyrsa-shell-init.sh: Require confirmation for User-Home mode (bfa6cfd) (#1374)
* Windows easyrsa-shell-init.sh: Allow Easy-RSA to use '\User\$HOME' (f194da5) (#1374)
* mutual_exclusions(): Include basic checks for --startdate/--enddate (e1478c3) (#1372)
* Windows easyrsa-shell-init.sh: Replace 'read -p' (49b2181) (#1371)
* inline: Include missing OpenVPN TLS key to cause INCOMPLETE warning (d98eee6) (#1368)
* Verbose: Make verbose messages command and function aware (7634b94) (#1368)
* CI: Add OpenSSL-3.5.1-LTS and LibreSSL-4.1.0 to private test suite
* secure_session(): Remove unnecessary check for existing directory (1322177) (#1367)
* all_legacy_files_v2(): Do not create PKI directory (b0260da) (#1367)
* Replace PKI and CA initialisation flags with command switch flags (2bdf582) (#1367)
* verify_working_env(): Move lock-file request to after PKI check (071405d) (#1367)
* Move basic sanity checks to verify_working_env() (509a36e) (#1367)
* New global option: --no-lockfile = env-var: $EASYRSA_NO_LOCKFILE (46c8647) (#1364)
* default_overview(): Add peer-fingerprint mode PKI identification (c9a0152) (#1363)
* help: Add in use algorithm and key-size/curve to top level status (10778cc) (#1363)
* help: Move 'utils' to command list and detailed help (e965234) (#1363)
* Restructure help (65c2bce) (#1363)
* export-p12: Split $p12_cipher_opts into respective parts (48bb8ee) (#1356)
* export-p12: Move inline file to 'inline/private' folder (22cabcb) (#1356)
* export-p12: Rename inline file extension to '.inline-p12' (22cabcb) (#1356)
3.2.3 (2025-06-12)
* build-ca: Remove TLS Key processing (c1c2a06) (#1351)
* init-pki: Remove option 'soft' and TLS Key processing (976f864) (#1351)
* peer-fingerprint mode: Make CA mode mutually exclusive to PFP mode (8c1c435) (#1347)
* TLS key generation: Allow 'gen-tls-auth/crypt-key' without a CA Cert (2580dc2) (#1345)
* Inline_file(): Improvements self-signed integration (bc72a21) (#1345)
* verify_pki_init(): Always create 'issued' dir (f7e1b79) (#1343)
* inline_file(): Use ssl_cert_serial() (c0d2e82) (#1343)
* forbid_selfsign(): Compare cert serial to signing cert serial (29b2779) (#1342)
* Unit-test: Minimize Windows test (dc60c8b) (#1339)
* ssl_cert_x509v3_eku(): Localize variables and minor improvements (8c19a95) (#1337)
* inline_file(): Always use ssl_cert_x509v3_eku() to set $inline_crt_type (e1a2880) (#1337)
* sign-req: Disable inline for certificate type 'ca' (sub-ca) (f1252a3) (#1337)
* inline_file(): Localize variables $inline_crt_type & $inline_crt_CN (692e20a) (#1337)
* add_critical_attrib(): export temp-file name as input file (e5b8d97) (#1333)
* Unit-test: Drop old *nix test (63f3869) (#1335)
* Always export EASYRSA_SSL_CONF, when assigned (code standard) (e77240d) (#1334)
* show-expire: Move setting $pre_expire_window_s to status() (4b05181) (#1332)
Original bug report: Antonio Gurgel (#1331)
* inline_file(): Correct logic and add 'dh none' for DH params file (7d5c52e) (#1330)
* Update Copyright 2025 (8586bcf) (#1327)
* secure_session(): Use new easyrsa_mkdir() to create session dir (41c154c) (#1324)
* easyrsa_mkdir(): Separate Windows from *nix (7c76540) (#1324)
* easyrsa_mktemp(): Remove secondary atomic operation (1a44c33) (#1322)
* will_cert_be_valid(): Remove SSL option -noout (9c8465e) (#1321)
* New option --text: Create CSR files with human readable text (c152118) (#1319)
* Command 'write': Remove options 'overwrite' and 'filename' (153ec6f) (#1318)
* easyrsa_mktemp(): Change usage to not check for errors (64c201a) (#1315)
* New function set_no_clobber() (e4c229c) (#1314)
* Introduce "robust" lock-file mechanism (ff22f82) (#1313)
Original bug report: ARNOLD Somogyi (#1279)
* Introduce command line options --umask|--no-umask (d1b030d) (#1312)
* Fix shellcheck warnings:
(e28a35c) (6082f6f) (e0ec835) (e0e798a) (85b1086) (#1311)
* inline_file(): Include DH file or placeholder, for RSA Servers (8a7b1fa) (#1310)
* add_critical_attrib(): Do not add 'critical' if it exists (cdfaf61) (#1308)
Original bug report: Dmitry Kononov (#1306)
* select_vars(): Minor improvements (12ecc1a) (#1300)
* expire_status_v2(): Refactor 'if' to capture -date error (52dafed) (#1304)
* Reinstate old function as 'db_date_to_iso_8601()' (0444ad3) (#1303)
* Remove all references to file:easyrsa-tools.lib (e1c8386) (#1298)
* Correctly define options names - Remove wild-card pattern (d145504) (#1297)
* check_serial_unique(): Check for duplicate Subject error (be8467f) (#1294)
* renew: Print 'unique_subject = no' to index.txt.attr (857a4e7) (#1293)
* Update OpenSSL to 3.4.0 (d020b66)
* Update OpenSSL to 3.5.0 (bcc2d33)
3.2.2 (2025-02-01)
* Fold easyrsa-tools.lib into easyrsa (56cfa0c) (#1288)
* Revert da3c249: Do not remove index.txt.attr (a236b97) (#1287)
* Windows: Remove mktemp binary and text files (135f642) (#1285)
* op-test.sh: Disable download ossl3 and shellcheck binaries (473c43b) (#1284)
* Forbid self-signed certificate from being expired/renewed/revoked (ab45ae7) (#1274)
* Rename global option --ssl-conf (DEPRECATED) to --ssl-cnf (c788423) (#1270)
* bugfix: Save and Restore $EASYRSA_SSL_CONF for compound commands (7cdb14d) (#1270)
* bugfix: Always use locate_support_files() after secure_session() (d530bc3) (#1270)
* bugfix: easyrsa-tools.lib: renew, write full metadata to temp-file (b47d2af) (#1267)
* Introduce new command 'revoke-issued' (38bf2d8) (#1266)
Commands 'revoke' and 'revoke-issued' are identical.
Command 'revoke' can ONLY be used in batch mode.
* vars.example: Remove $EASYRSA_PKI (8ee8dcf) (#1262)
There is no effect on existing 'vars' files.
* easyrsa-tools.lib: Move to 'easyrsa3' directory (d30b688) (#1259)
This now includes 'easyrsa-tools.lib' in the distribution tarballs.
* Upgrade easyrsa-tools.lib to version 322 - As of command 'renew-ca'
* easyrsa-tools.lib: Introduce new command 'renew-ca' (ba32b0d) (#1255)
* easyrsa-tools.lib: show-expire, allow --days to be zero (a1033a5) (#1254)
* Command 'help': Ignore EASYRSA_SILENT (8804d6b) (#1249)
* bugfix: easyrsa-tools.lib: renew SAN, remove excess word 'Address' (af17492) (#1251)
* New global variable 'EASYRSA_DISABLE_INLINE' (ad257ab) (#1245)
* bugfix: revoke, renew: Remove pki/inline/private/$file.inline (febef85) (#1244)
Initial bug report #1242 (Minor)
Stop removing old credentials file pki/$file.creds (a871e9c)
* Add LibreSSL version 4 to supported SSL Libraries (7df616b) (#1240)
* sign-req: Allow custom X509 Types (2ee08cc) (#1238)
* Remove redundant file index.txt.attr (da3c249) (#1233)
3.2.1 (2024-09-13)
* inline: Add decimal value for cert. serial (Linux Only) (b33038e) (#1222)
* Always exit with error for unknown command options (Except nopass) (#1221)
(build-ca: b2f7912); (gen-req: 07f21d3); (build_full(): 0ff7f4c);
(export_pkcs(): 2c51288); (set-pass: 1266d4e)
* Integrate Easy-RSA TLS-Key for use with 'init-pki soft' (03d9dc2) (#1220)
Note: Inline files that contain private key data are now created in sub-dir
'pki/inline/private'.
* easyrsa-tools.lib, show-expire: Add CA certificate to report (a36cd54) (#1215)
* inline: OpenVPN TLS Keys inlining for TLS-AUTH, TLS-CRYPT-V1 (6e9e4a2) (#1185)
Note: Command inline only writes directly to inline file not stdout.
* easyrsa-tools.lib: OpenVPN TLS Key gen. TLS-AUTH, TLS-CRYPT-V1 (cf0da16) (#1185)
* easyrsa-tools.lib: expire_status_v2() (show-expire version 2) (1e43bf5) (#1214)
* sign-req: Require 128bit serial number (806ee19) (#1213)
* Move command 'verify-cert' to Tools-lib; drop 'verify' shortcut (ddbf304) (#1209)
* Windows secure_session(): Ensure $secured_session dir is created (d99b242) (#1203)
* Switch to '-f' for file existence (6ab98c9..a02f545) (#1201)
* inline: Move auto-inline from build_full() to sign_req() (823f70f) (#1201)
* gen-crl: Create additional CRL in DER format (69df0d8) (#1198)
* self-sign: Allow Edwards Curve based keys (81b749b) (#1197)
* Re-enable command 'renew' (version 2): Requires EasyRSA Tools (30fe311) (#1195)
* bug-fix: revoke: Pass the correct certificate location (24d5514)
* vars.example: Add flags for auto-SAN and X509 critical attribute (a41dfcc)
* Global option --eku-crit: Mark X509 extendedKeyUsage as critical (ca09211)
* sign-req: Add critical and pathlen details to confirmation (deae705) (#1182)
* export-p12: Automatically generate inline file (9d90370) (#1181)
* Introduce global option --auto-san, use commonName as SAN (5c36d44) (#1180)
* Introduce global option --san-crit, mark SAN critical (dd69f50) (#1179)
* Introduce new global options: --ku-crit and --bc-crit (b79abee) (#1176)
* gen-req: Always check for existing request file (7eab98e) (#1177)
* revoke/revoke-expired/-renewed: Keep duplicate certificate (3da7f66) (#1177)
* revoke-expired/-renewed: Keep req/key files for resigning (4537ae7) (#1177)
* revoke: Add abbreviations for optional 'reason' (a88ccc7) (#1173)
* build-ca: Allow use of --req-cn without batch mode (b77a0fb) (#1170)
* gen-req: Re-enable use of --req-cn (5cf8c46) (#1170)
* write: Change syntax, target as file, not directory (722ce54) (#1165)
3.2.0 (2024-05-18)
* Revert ca76697: Restore escape_hazard() (b1e9d7a) (#1137)
* New X509 Type: 'selfsign' Internal only (999533e) (#1135)
* New commands: self-sign-server and self-sign-client (9f8a1d1) (#1127)
* build-ca: Command 'req', remove SSL option '-keyout' (4e02c8a) (#1123)
Resolve CVE-2024-13454 - Original bug report: Marcus Stoegbauer (#1122)
https://community.openvpn.net/Security%20Announcements/CVE-2024-13454
* Remove escape_hazard(), obsolete (ca76697)
* Remove command and function display_cn(), unused (be8f400) (#1114)
* Introduce Options to edit Request Subject during command 'sign-req'
Global Option: --new-subject -- Command 'sign-req' option: 'newsubj'
First proposed in: (#439) -- Completed: (83b81c7) (#1111)
* docs: Update EasyRSA-Renew-and-Revoke.md (f6c2bf5) (#1109)
* Remove all 'renew' code; replaced by 'expire' code (9d94207) (#1109)
* Introduce commands: 'expire' and 'revoke-expired' (a1890fa) (#1109)
* Keep request files [CSR] when revoking certificates (6d6e8d8) (#1109)
* Restrict use of --req-cn to build-ca (0a46164) (#1098)
* Remove command 'display-san' (Code removed in 5a06f94) (50e6002) (#1096)
* help: Add 'copyext'; How to use --copy-ext and --san (5a06f94) (#1096)
* Allow --san to be used multiple times (5a06f94) (#1096)
* Remove default server subject alternative name (0b85a5d) (#576)
* Move Status Reports to 'easyrsa-tools.lib' (214b909) (#1080)
* export-p12, OpenSSL v1.x: Upgrade PBE and MAC options (60a508a)
(#1084 - Based on #1081)
* Windows: Introduce 'Non-Admin' mode (c2823c4) (#1073)
* LibreSSL: Add fix for missing 'x509' option '-ext' (96dd959) (#1068)
* Variable heredoc expansion for SSL/Safe Config file (9c5d423) (#1064)
Branch-merge: v3.2.0-beta2 (#1055) 2024/01/13 Commit: d51d79b
* Always use here-doc version of openssl-easyrsa.cnf (2a8c0de)
Only use here-doc if the current version is recognised by sha256 hash.
The current file is NEVER deleted (60216d5). Partially revert: 2a8c0de
* export-p12: New command option 'legacy'. OpenSSL V3 Only (f8514de)
Fallback to encryption algorithm RC2_CBC or 3DES_CBC
* export-p12: Always set 'friendlyName' to file-name-base (da9e594)
* Update OpenSSL to 3.2.0 (03e4829)
Branch-merge: v3.2.0-beta1 (#1046) 2023/12/15 Commit: 7120876
* Important note: As of Easy-RSA version 3.2.0-beta1, the configuration files
`vars.example`, `openssl-easyrsa.cnf` and all files in `x509-types` directory
are no longer required. Package maintainers can omit these files in the future.
All files are created as required and deleted upon command completion.
`vars.example` is created during `init-pki` and placed in the fresh PKI.
These files will be retained for downstream packaging compatibility.
* Rename X509-type file `code-signing` to `codeSigning` (1c6b31a)
The original file will be retained as `code-signing`, however, the automatic
X509-types creation will name the file `codeSigning`. This effectively means
that both are valid X509-types, until `code-signing` is dropped.
* init-pki: Always write vars.example file to fresh PKI (66a8f3e)
* New command 'write': Write 'legacy' files to stdout or files (c814e0a)
* Remove command 'make-safe-ssl': Replaced by command 'write safe-cnf' (c814e0a)
* New Command 'rand': Expose easyrsa_random() to the command line (6131cbf)
* Remove function 'set_pass_legacy()' (7470c2a)
* Remove command 'rewind-renew' (72b4079)
* Remove command 'rebuild' (d6953cc)
* Remove command 'upgrade' (6a88edd)
Branch-merge: v3.2.0-alpha2 (#1043) 2023/12/7 Commit: ed0dc46
* Remove EASYRSA_NO_VARS; Allow graceful use without a vars file (3c0ca17)
Branch-merge: v3.2.0-alpha1 (#1041) 2023/12/2 Commit: 42c2e95
* New diagnostic command 'display-cn' (#1040)
* Expand renewable certificate types to include code-signing (#1039)
3.1.7 (2023-10-13)
* Rewrite vars-auto-detect, adhere to EasyRSA-Advanced.md (#1029)
Under the hood, this is a considerable change but there are no user
noticeable differences. With the exception of:
Caveat: The default '$PWD/pki/vars' file is forbidden to change either
EASYRSA or EASYRSA_PKI, which are both implied by default.
* EasyRSA-Advanced.md: Correct vars-auto-detect hierarchy (#1029)
Commit: ecd65065e3303da78811278a154ef7a969c2777b
EASYRSA/vars is moved to a higher priority than a default PKI.
vars-auto-detect no longer searches 'easyrsa' program directory.
* gen-crl: preserve existing crl.pem ownership+mode (#1020)
* New command: make-vars - Print vars.example (here-doc) to stdout (#1024)
* show-expire: Calculate cert. expire seconds from DB date (#1023)
* Update OpenSSL to 3.1.2
3.1.6 (2023-07-18)
* New commands: 'inline' and 'x509-eku' (#993)
inline: Build an inline file for a commonName
x509-eku: Extract X509v3 extended key usage from a certificate
* Expose serial-check, display-dn, display-san and default-san to
command line. (#980) (Debugging functions, which remain undocumented)
* Expand default status to include vars-file and CA status (#973)
* sign-req: Allow the CSR DN-field order to be preserved (#970)
3.1.5 (2023-06-10)
* Build Update: script now supports signing and verifying
* Automate support-file creation (Free packaging) (#964)
* build-ca: New command option 'raw-ca', abbreviation: 'raw' (#963)
This 'raw' method is the most reliable way to build a CA,
with a password, without writing the CA password to a temp-file.
This option completely replaces both methods below:
* build-ca: New option --ca-via-stdin, use SSL -pass* argument 'stdin' (#959)
Option '--ca-via-stdin' offers no more security than standard method.
Easy-RSA version 3.1.4 ONLY.
* build-ca: Replace password temp-files with file-descriptors (#955)
Using file-descriptors does not work in Windows.
Easy-RSA version 3.1.3 ONLY.
3.1.4 (2023-05-23)
* build-ca: New option --ca-via-stdin, use SSL -pass* argument 'stdin' (#959)
* build-ca: Revert manual CA password method to temp-files (#959)
Supersedes #955
Release v3.1.3 was fatally flawed, it would fail to build a CA under Windows.
Release v3.1.4 is specifically a bugfix ONLY, to resolve the Windows problem.
See the following commits for further details:
5d7ad1306d5ebf1588aef77eb3445e70cf5b4ebc
build-ca: Revert manual CA password method to temp-files
c11135d19b2e7e7385d28abb1132978c849dfa74
build-ca: Use OpenSSL password I/O argument 'stdin'
27870d695a324e278854146afdac5d6bdade9bba
build-ca: Replace password temp-file method with file-descriptors
Superseded by 5d7ad13 above.
3.1.3 (2023-05-19)
* build-ca: Replace password temp-files with file-descriptors (#955)
Superseded by #959
* Replace --fix-offset with --startdate, --enddate (#918)
* Introduce option -S|--silent-ssl: Silence SSL output (#913)
* Only create a random serial number file when expected (#896)
* Always verify SSL lib, for all commands (#877)
* Option --fix-offset: Adjust off-by-one day (#847) Superseded (#918)
* Update OpenSSL to v3.0.8
3.1.2 (2023-01-13)
* build-full: Always enable inline file creation (#834)
* Make default Edwards curve ED25519 (#828)
* Allow --fix-offset to create post-dated certificates (#804) Superseded (#918)
* Introduce command 'set-pass' (#756)
* Introduce global option '--nopass|--no-pass' (#752)
* Introduce global option '--notext|--no-text' (#745)
* Command 'help': For unknown command, exit with error (#737)
* Find data-files in the correct order (#727 - Reported #725)
* Update OpenSSL to 3.0.7 for Windows distribution
3.1.1 (2022-10-13)
* Remove command 'renewable' (#715)
* Expand 'show-renew', include 'renewed/certs_by_serial' (#700)
* Resolve long-standing issue with --subca-len=N (#691)
* ++ NOTICE: Add EasyRSA-Renew-and-Revoke.md (#690)
* Require 'openssl-easyrsa.cnf' is up to date (#695)
* Introduce 'renew' (version 3). Only renew cert (#688)
* Always ensure X509-types files exist (#581 #696)
* Expand alias '--days' to all suitable options with a period (#674)
* Introduce --keep-tmp, keep temp files for debugging (#667)
* Add serialNumber (OID 2.5.4.5) to DN 'org' mode (#606)
* Support ampersand and dollar-sign in vars file (#590)
* Introduce 'rewind-renew' (#579)
* Expand status reports to include checking a single cert (#577)
* Introduce 'revoke-renewed' (#547)
* Update OpenSSL for Windows to 3.0.5
3.1.0 (2022-05-18)
* Introduce basic support for OpenSSL version 3 (#492)
* Update regex in grep to be POSIX compliant (#556)
* Introduce status reporting tools (#555 & #557)
* Display certificates using UTF8 (#551)
* Allow certificates to be created with fixed date offset (#550)
* Add 'verify' to verify certificate against CA (#549)
* Add PKCS#12 alias 'friendlyName' (#544)
* Support multiple IP-Addresses in SAN (#564)
* Add option '--renew-days=NN', custom renew grace period (#557)
* Add 'nopass' option to the 'export-pkcs' functions (#411)
* Add support for 'busybox' (#543)
* Add option '--tmp-dir=DIR' to declare Temp-dir (Commit f503a22)
3.0.9 (2022-05-17)
* Upgrade OpenSSL from 1.1.0j to 1.1.1o (#405, #407)
- We are building this ourselves now.
* Fix --version so it uses EASYRSA_OPENSSL (#416)
* Use openssl rand instead of non-POSIX mktemp (#478)
* Fix paths with spaces (#443)
* Correct OpenSSL version from Homebrew on macOS (#416)
* Fix revoking a renewed certificate (Original PR #394)
Follow-up commit: ef22701878bb10df567d60f2ac50dce52a82c9ee
* Introduce 'show-crl' (d1993892178c5219f4a38d50db3b53d1a972b36c)
* Support Windows-Git 'version of bash' (#533)
* Disallow use of single quote (') in vars file, Warning (#530)
* Creating a CA uses x509-types/ca and COMMON (#526)
* Prefer 'PKI/vars' over all other locations (#528)
* Introduce 'init-pki soft' option (#197)
* Warnings are no longer silenced by --batch (#523)
* Improve packaging options (#510)
* Update regex for POSIX compliance (#556)
* Correct date format for Darwin/BSD (#559)
3.0.8 (2020-09-09)
* Provide --version option (#372)
* Version information now within generated certificates like on *nix
* Fixed issue where gen-dh overwrote existing files without warning (#373)
* Fixed issue where ED/EC certificates were still signed by RSA (#374)
* Added support for export-p8 (#339)
* Clarified error message (#384)
* 2->3 upgrade now errors and prints message when vars isn't found (#377)
3.0.7 (2020-03-30)
* Include OpenSSL libs and binary for Windows 1.1.0j
* Remove RANDFILE environment variable (#261)
* Workaround for bug in win32 mktemp (#247, #305, PR #312)
* Handle IP address in SAN and renewals (#317)
* Workaround for ash and no set -o echo (#319)
* Shore up windows testing framework (#314)
* Provide upgrade mechanism for older versions of EasyRSA (#349)
* Add support for KDC certificates (#322)
* Add support for Edwards Curves (#354, #350)
* Add support for EASYRSA_PASSIN and EASYRSA_PASSOUT env vars (#368)
* Add support for RID to SAN (#362)
3.0.6 (2019-02-01)
* Certificates that are revoked now move to a revoked subdirectory (#63)
* EasyRSA no longer clobbers non-EASYRSA environment variables (#277)
* More sane string checking, allowing for commas in CN (#267)
* Support for reasonCode in CRL (#280)
* Better handling for capturing passphrases (#230, others)
* Improved LibreSSL/MacOS support
* Adds support to renew certificates up to 30 days before expiration (#286)
- This changes previous behavior allowing for certificate creation using
duplicate CNs.
3.0.5 (2018-09-15)
* Fix #17 & #58: use AES256 for CA key
* Also, don't use read -s, use stty -echo
* Fix broken "nopass" option
* Add -r to read to stop errors reported by shellcheck (and to behave)
* Remove overzealous quotes around $pkcs_opts (more SC errors)
* Support for LibreSSL
* EasyRSA version will be reported in certificate comments
* Client certificates now expire in 3 years (1080 days) by default
3.0.4 (2018-01-21)
* Remove use of egrep (#154)
* Integrate with Travis-CI (#165)
* Remove "local" from variable assignment (#165)
* Other changes related to Travis-CI fixes
* Assign values to variables defined previously w/local
* Finally(?) fix the subjectAltName issues I presented earlier (really
fixes #168)
3.0.3 (2017-08-22)
* Include mktemp windows binary
* copy CSR extensions into signed certificate
3.0.2 (2017-08-21)
* Add missing windows binaries
3.0.1 (2015-10-25)
* Correct some packaging errors
3.0.0 (2015-09-07)
* cab4a07 Fix typo: Hellman
(ljani: Github)
* 171834d Fix typo: Default
(allo-: Github)
* 8b42eea Make aes256 default, replacing 3des
(keros: Github)
* f2f4ac8 Make -utf8 default
(roubert: Github)
3.0.0-rc2 (2014/07/27)
* 1551e5f docs: fix typo
(Josh Cepek <josh.cepek@usa.net>)
* 7ae44b3 Add KNOWN_ISSUES to stage next -rc release
(Josh Cepek <josh.cepek@usa.net>)
* a0d58b2 Update documentation
(Josh Cepek <josh.cepek@usa.net>)
* 5758825 Fix vars.example with proper path to extensions.temp
(Josh Cepek <josh.cepek@usa.net>)
* 89f369c Add support to change private key passphrases
(Josh Cepek <josh.cepek@usa.net>)
* 49d7c10 Improve docs: add Upgrade-Notes; add online support refs
(Josh Cepek <josh.cepek@usa.net>)
* fcc4547 Add build-dist packaging script; update Building docs
(Josh Cepek <josh.cepek@usa.net>)
* f74d08e docs: update Hacking.md with layout & git conventions
(Josh Cepek <josh.cepek@usa.net>)
* 0754f23 Offload temp file removal to a clean_temp() function
(Josh Cepek <josh.cepek@usa.net>)
* 1c90df9 Fix incorrect handling of invalid --use-algo option
(Josh Cepek <josh.cepek@usa.net>)
* c86289b Fix batch-mode handling with changes in e75ad75
(Josh Cepek <josh.cepek@usa.net>)
* e75ad75 refine how booleans are evaluated
(Eric F Crist <ecrist@secure-computing.net>)
* cc19823 Merge PKCS#7 feature from pull req #14
(Author: Luiz Angelo Daros de Luca <luizluca@tre-sc.gov.br>)
(Modified-By: Josh Cepek <josh.cepek@usa.net>)
* 8b1fe01 Support OpenSSL-0.9.8 with the EXTRA_EXTS feature
(Josh Cepek <josh.cepek@usa.net>)
* d5516d5 Windows: make builds easier by using a matching dir structure
(Josh Cepek <josh.cepek@usa.net>)
* dc2e6dc Windows: improve external checks and env-var help
(Josh Cepek <josh.cepek@usa.net>)
3.0.0-rc1 (2013/12/01)
* The 3.x release is a nearly complete re-write of the 2.x codebase
* Initial 3.x series code by Josh Cepek <josh.cepek@usa.net> -- continuing
maintenance by the OpenVPN community development team and associated
contributors
* Add ECDSA (elliptic curve) support, thanks to Steffan Karger
<steffan@karger.me>