3.2.1

Easy-RSA version 3.2.1 - Significant Changes:

Honorable Memorandum: 2024 USA Election.

Add decimal serial number value to inline files:

• For use with OpenVPN --verify-crl command.

Create OpenVPN style TLS-AUTH and TLS-Crypt keys:

• Use command gen-tls-auth-key/gen-tls-crypt-key. (TLS-Crypt-V2 is not included)

Add simple way to effectively renew an expired CA certificate:

• Use init-pki command option soft, to retain certificate signing request files. Facilitating signing old requests with a new CA. Also keep TLS-KEYS, which are known to be in use.
• Full details: doc/EasyRSA-Renew-and-Revoke.md#renew-ca-certificate

New global command options for critical X509 Attibutes:

• --bc-crit - Mark basicConstraints as critical
• --ku-crit - Mark keyUsage as critical
• --eku-crit - Mark extendedKeyUsage as critical
• --san-crit - Mark subjectAltName as critical

New global option --auto-san:

• Force automatic subjectAltName.

Command write syntax change:

• Allow specific target-file as command option.
• Reqire specific command option overwrite, to enable overwriting an existing file.

---

ChangeLog:

• inline: Add decimal value for cert. serial (Linux Only) (b33038e) (#1222)
• Always exit with error for unknown command options (Except nopass) (#1221)
  (build-ca: b2f7912); (gen-req: 07f21d3); (build_full(): 0ff7f4c);
  (export_pkcs(): 2c51288); (set-pass: 1266d4e)
• Integrate Easy-RSA TLS-Key for use with 'init-pki soft' (03d9dc2) (#1220)
  Note: Inline files that contain private key data are now created in sub-dir
  'pki/inline/private'.
• easyrsa-tools.lib, show-expire: Add CA certificate to report (a36cd54) (#1215)
• inline: OpenVPN TLS Keys inlining for TLS-AUTH, TLS-CRYPT-V1 (6e9e4a2) (#1185)
  Note: Command inline only writes directly to inline file not stdout.
• easyrsa-tools.lib: OpenVPN TLS Key gen. TLS-AUTH, TLS-CRYPT-V1 (cf0da16) (#1185)
• easyrsa-tools.lib: expire_status_v2() (show-expire version 2) (1e43bf5) (#1214)
• sign-req: Require 128bit serial number (806ee19) (#1213)
• Move command 'verify-cert' to Tools-lib; drop 'verify' shortcut (ddbf304) (#1209)
• Windows secure_session(): Ensure $secured_session dir is created (d99b242) (#1203)
• Switch to '-f' for file existence (6ab98c9..a02f545) (#1201)
• inline: Move auto-inline from build_full() to sign_req() (823f70f) (#1201)
• gen-crl: Create additional CRL in DER format (69df0d8) (#1198)
• self-sign: Allow Edwards Curve based keys (81b749b) (#1197)
• Re-enable command 'renew' (version 2): Requires EasyRSA Tools (30fe311) (#1195)
• bug-fix: revoke: Pass the correct certificate location (24d5514)
• vars.example: Add flags for auto-SAN and X509 critical attribute (a41dfcc)
• Global option --eku-crit: Mark X509 extendedKeyUsage as critical (ca09211)
• sign-req: Add critical and pathlen details to confirmation (deae705) (#1182)
• export-p12: Automatically generate inline file (9d90370) (#1181)
• Introduce global option --auto-san, use commonName as SAN (5c36d44) (#1180)
• Introduce global option --san-crit, mark SAN critical (dd69f50) (#1179)
• Introduce new global options: --ku-crit and --bc-crit (b79abee) (#1176)
• gen-req: Always check for existing request file (7eab98e) (#1177)
• revoke/revoke-expired/-renewed: Keep duplicate certificate (3da7f66) (#1177)
• revoke-expired/-renewed: Keep req/key files for resigning (4537ae7) (#1177)
• revoke: Add abbreviations for optional 'reason' (a88ccc7) (#1173)
• build-ca: Allow use of --req-cn without batch mode (b77a0fb) (#1170)
• gen-req: Re-enable use of --req-cn (5cf8c46) (#1170)
• write: Change syntax, target as file, not directory (722ce54) (#1165)

What's Changed

• Use standard indentation rules for 'case' by @TinCanTech in #1142
• easyrsa_mkdir(): Remove use of 'mkdir -p', use only 'mkdir' by @TinCanTech in #1145
• Unit-test: Add Old expansion test on nix (EASYRSA_FORCE_SAFE_SSL) by @TinCanTech in #1151
• easyrsa_openssl(): Always export $OPENSSL_CONF as $EASYRSA_SSL_CONF by @TinCanTech in #1150
• easyrsa-tools.lib: Add 'locate_support-files' to recreate temp-session by @TinCanTech in #1153
• Tools lib call ssl direct by @TinCanTech in #1156
• easyrsa_mktemp(): Make variable names more unique to avoid conflicts by @TinCanTech in #1157
• Introduce Global Safe SSL config and Local SSL config by @TinCanTech in #1163
• Introduce write_legacy_file_v2() by @TinCanTech in #1165
• display_dn(): Remove excess subshell by @TinCanTech in #1166
• Fix minor typos by @NathanBaulch in #1169
• Command gen-req: Re-enable global option --req-cn - Includes build_full() by @TinCanTech in #1170
• Command revoke: Add abbreviations for optional 'reason' by @TinCanTech in #1173
• Command revoke: Add confirmation for possible misuse by @TinCanTech in #1174
• Command revoke: Do not remove duplicate certificate by serial by @TinCanTech in #1177
• Introduce new global options: --ku-crit and --bc-crit by @TinCanTech in #1176
• Introduce global option --san-crit, mark SAN critical (RFC2459) by @TinCanTech in #1179
• Introduce global option --auto-san, use commonName as SAN by @TinCanTech in #1180
• export-p12: Automatically generate inline file by @TinCanTech in #1181
• sign-req: Add critical and pathlen details to confirmation dialogue by @TinCanTech in #1182
• Auto-SAN: Correct rexeg, exclude non-numeric chars by delimiting by @TinCanTech in #1184
• Global option --eku-crit: Mark X509 extendedKeyUsage as critical by @TinCanTech in #1188
• revoke: Pass the correct certificate location to revoke function by @TinCanTech in #1191
• Rewrite renew by @TinCanTech in #1195
• self-sign: Allow Edwards Curve based keys by @TinCanTech in #1197
• gen-crl: Create additional CRL in DER format by @TinCanTech in #1198
• Inline v2 by @TinCanTech in #1201
• Windows secure_session(): Ensure $secured_session directory is created by @TinCanTech in #1203
• Windows secure_session(): Minimize and document specific race conditon by @TinCanTech in #1205
• verify_ssl_lib(): Correct verbose message by @TinCanTech in #1208
• Move command 'verify-cert' to Tools-lib; drop 'verify' shortcut by @TinCanTech in #1209
• inline: Comment out missing files and add instructions for rebuilding by @TinCanTech in #1212
• sign-req: Require 128bit serial number by @TinCanTech in #1213
• easyrsa-tools.lib: expire_status_v2() (show-expire version 2) by @TinCanTech in #1214
• TLS key system v1 by @TinCanTech in #1185
• show-expire: Add CA certificate to report by @TinCanTech in #1215
• easyrsa-tools.lib: Rename will_cert_expire() -> is_cert_valid() by @TinCanTech in #1216
• init-pki: Add second confirmation to promote use of option 'soft' by @TinCanTech in #1217
• Minor corrections by @TinCanTech in #1218
• Integrate Easy-RSA TLS-Key for use with 'init-pki soft' by @TinCanTech in #1220
• doc: Revoke and Renew, update for Easy-RSA v3.2.1 by @TinCanTech in #1219
• V321 final touches by @TinCanTech in #1221
• inline: Add decimal value for certificate serial number (Linux Only) by @TinCanTech in #1222

New Contributors

• @NathanBaulch made their first contribution in #1169

Full Changelog: v3.2.0...v3.2.1

3.2.0

NOTICE: EasyRSA version 3.2.0 is a development snapshot.

EasyRSA v3.2.0 - Most significant changes

New commands:

• self-sign-server and self-sign-client (#1127)
  Create self-signed certificates for use with OpenVPN Peer Fingerprint mode.
  These certificates comply with other EasyRSA signing policies.

• expire (#1109)
  Selectively move certificates from the issued/ to expired/ directory.
  This allows a new certificate to be signed from the original signing request file.
  This allows all custom signing options to be applied as required.
  This replaces the old command renew, which has been removed.
  Further details: doc/EasyRSA-Renew-and-Revoke.md

• write (Commit: c814e0a)
  Create legacy support files: openssl-easyrsa.cnf, x509-types/* and vars.example.
  This allows EasyRSA to be used without having copies of the support files installed.

Removed commands:

• renew (#1109)
  Replaced by command expire, followed by command sign-req.
  This allows all custom options to be used when signing, which renew did not.

• rebuild (Commit: d6953cc) and rewind-renew (Commit: 72b4079)
  No longer required.

• upgrade (Commit: 6a88edd)
  No longer supported.

New Global Option:

• --new-subject -- Command sign-req option: newsubj (#1111)
  Edit Request Subject during command sign-req

New files:

• easyrsa-tools.lib (Commit: 214b909)
  Moved code for commands show-expire, show-revoke and show-renew to the new file.
  easyrsa-tools.lib is auto-loaded, if it is found in a supported location. eg. $pwd

---

• Revert ca76697: Restore escape_hazard() (b1e9d7a) (#1137)
• New X509 Type: 'selfsign' Internal only (999533e) (#1135)
• New commands: self-sign-server and self-sign-client (9f8a1d1) (#1127)
• build-ca: Command 'req', remove SSL option '-keyout' (4e02c8a) (#1123)
• Remove escape_hazard(), obsolete (ca76697)
• Remove command and function display_cn(), unused (be8f400) (#1114)
• Introduce Options to edit Request Subject during command 'sign-req'
  Global Option: --new-subject -- Command 'sign-req' option: 'newsubj'
  First proposed in: (#439) -- Completed: (83b81c7) (#1111)
• docs: Update EasyRSA-Renew-and-Revoke.md (f6c2bf5) (#1109)
• Remove all 'renew' code; replaced by 'expire' code (9d94207) (#1109)
• Introduce commands: 'expire' and 'revoke-expired' (a1890fa) (#1109)
• Keep request files [CSR] when revoking certificates (6d6e8d8) (#1109)
• Restrict use of --req-cn to build-ca (0a46164) (#1098)
• Remove command 'display-san' (Code removed in 5a06f94) (50e6002) (#1096)
• help: Add 'copyext'; How to use --copy-ext and --san (5a06f94) (#1096)
• Allow --san to be used multiple times (5a06f94) (#1096)
• Remove default server subject alternative name (0b85a5d) (#576)
• Move Status Reports to 'easyrsa-tools.lib' (214b909) (#1080)
• export-p12, OpenSSL v1.x: Upgrade PBE and MAC options (60a508a)
  (#1084 - Based on #1081)
• Windows: Introduce 'Non-Admin' mode (c2823c4) (#1073)
• LibreSSL: Add fix for missing 'x509' option '-ext' (96dd959) (#1068)
• Variable heredoc expansion for SSL/Safe Config file (9c5d423) (#1064)

Branch-merge: v3.2.0-beta2 (#1055) 2024/01/13 Commit: d51d79b

• Always use here-doc version of openssl-easyrsa.cnf (2a8c0de)
  Only use here-doc if the current version is recognised by sha256 hash.
  The current file is NEVER deleted (60216d5). Partially revert: 2a8c0de
• export-p12: New command option 'legacy'. OpenSSL V3 Only (f8514de)
  Fallback to encryption algorithm RC2_CBC or 3DES_CBC
• export-p12: Always set 'friendlyName' to file-name-base (da9e594)
• Update OpenSSL to 3.2.0 (03e4829)

Branch-merge: v3.2.0-beta1 (#1046) 2023/12/15 Commit: 7120876

• Important note: As of Easy-RSA version 3.2.0-beta1, the configuration files
  vars.example, openssl-eayrsa.cnf and all files in x509-types directory
  are no longer required. Package maintainers can omit these files in the future.
  All files are created as required and deleted upon command completion.
  vars.example is created during init-pki and placed in the fresh PKI.
  These files will be retained for downstream packaging compatibility.

• Rename X509-type file code-signing to codeSigning (1c6b31a)
  The original file will be retained as code-signing, however, the automatic
  X509-types creation will name the file codeSigning. This effectively means
  that both are valid X509-types, until code-signing is dropped.

• init-pki: Always write vars.example file to fresh PKI (66a8f3e)

• New command 'write': Write 'legacy' files to stdout or files (c814e0a)

• Remove command 'make-safe-ssl': Replaced by command 'write safe-cnf' (c814e0a)

• New Command 'rand': Expose easyrsa_random() to the command line (6131cbf)

• Remove function 'set_pass_legacy()' (7470c2a)

• Remove command 'rewind-renew' (72b4079)

• Remove command 'rebuild' (d6953cc)

• Remove command 'upgrade' (6a88edd)

Branch-merge: v3.2.0-alpha2 (#1043) 2023/12/7 Commit: ed0dc46

• Remove EASYRSA_NO_VARS; Allow graceful use without a vars file (3c0ca17)

Branch-merge: v3.2.0-alpha1 (#1041) 2023/12/2 Commit: 42c2e95

• New diagnostic command 'display-cn' (#1040)
• Expand renewable certificate types to include code-signing (#1039)

What's Changed

• Command: x509-eku v2 by @TinCanTech in #1039
• v3.2.0-alpha1 by @TinCanTech in #1041
• Remove unwanted code - Minor improvements by @TinCanTech in #1036
• escape_hazarrd(): Reuse source_vars() by @TinCanTech in #1037
• v3.2.0-alpha2 by @TinCanTech in #1043
• v3.2.0-Remove-commands by @TinCanTech in #1045
• v3.2.0-beta1 by @TinCanTech in #1046
• export-p12: New command option 'legacy' by @spacefreak86 in #1057
• v3.2.0-beta2 by @TinCanTech in #1055
• Replace use of sed with heredoc expansion by @TinCanTech in #1064
• Restore 128bit-random certificate serial-number by @TinCanTech in #1070
• LibreSSL: Add band-aid fix for missing 'x509' command option '-ext' by @TinCanTech in #1071
• Windows: Introduce 'Non-Admin' mode by @TinCanTech in #1073
• export-p12, OpenSSL v1.x: Upgrade PBE and MAC options by @TinCanTech in #1084
• Completely remove status reports and date functions by @TinCanTech in #1080
• sign-req: Remove default server 'subject alternative name' SAN by @TinCanTech in #1091
• Separate SAN from DN - Refactor display_dn() by @TinCanTech in #1096
• Restrict use of --req-cn to build-ca by @TinCanTech in #1098
• New function easyrsa_mkdir_p(): Replace use of 'mkdir -p' by @TinCanTech in #1101
• Shellcheck directives and minor tweak by @TinCanTech in #1105
• easyrsa_mkdir_p(): Ignore 'mkdir.exe' error code in favor of 'test' by @TinCanTech in #1106
• Revoke keep request by @TinCanTech in #1109
• Add an option to change the subject when signing a request. V2 by @TinCanTech in #1111
• Remove command and function display_cn(), unused by @TinCanTech in #1114
• Remove escape_hazard() by @TinCanTech in #1115
• build-ca: Command 'req', remove SSL option '-keyout' by @TinCanTech in #1123
• Improve ssl_cert_x509v3_eku() by @TinCanTech in #1125
• Remove variable 'makesafeconf' as obsolete by @TinCanTech in #1126
• Introduce commands: self-sign-server and self-sign-client by @TinCanTech in #1127
• Command inline: Support self-signed certificate called from cmd-line by @TinCanTech in #1128
• self-sign: Improve default algorithm and curve selection by @TinCanTech in #1134
• self-sign: Adjust 'X509v3 Key Usage' by @TinCanTech in #1135
• Revert ca76697: Remove escape_hazard() by @TinCanTech in #1137
• LibreSSL: Ignore and discard missing config file warning by @TinCanTech in #1138
• Minor corrections and improvements by @TinCanTech in #1140
• sign-req: Improve confirmation details by @TinCanTech in #1141

New Contributors

• @spacefreak86 made their first contribution in #1057

Full Changelog: v3.1.7...v3.2.0

v3.1.7

3.1.7 (2023-10-13)

• Rewrite vars-auto-detect, adhere to EasyRSA-Advanced.md (#1029)
  Under the hood, this is a considerable change but there are no user
  noticable differences. With the exception of:
  Caveat: The default '$PWD/pki/vars' file is forbidden to change either
  EASYRSA or EASYRSA_PKI, which are both implied by default.
• EasyRSA-Advanced.md: Correct vars-auto-detect hierarchy (#1029)
  Commit: ecd6506
  EASYRSA/vars is moved to a higher priority than a default PKI.
  vars-auto-detect no longer searches 'easyrsa' program directory.
• gen-crl: preserve existing crl.pem ownership+mode (#1020)
• New command: make-vars - Print vars.example (here-doc) to stdout (#1024)
• show-expire: Calculate cert. expire seconds from DB date (#1023)
• Update OpenSSL to 3.1.2

What's Changed

• Completely Remove Upgrade Functionality by @TinCanTech in #1001
• Expand help to include undocumented commands by @TinCanTech in #1002
• Revert "Completely Remove Upgrade Functionality" by @TinCanTech in #1010
• Revert "Expand help to include undocumented commands" by @TinCanTech in #1011
• Forbid "default vars in the default PKI" for all commands by @TinCanTech in #1021
• CI: action, checkout v4 by @TinCanTech in #1016
• show-expire: Calculate certificate expire seconds from Database date by @TinCanTech in #1023
• Expand help to include undocumented commands by @TinCanTech in #1013
• New command: make-vars - Print vars.example (here-doc) to stdout by @TinCanTech in #1024
• gen-crl: preserve existing crl.pem ownership+mode by @Tabiskabis in #1020
• Improve vars auto load by @TinCanTech in #1025
• Vars hierarchy v2 by @TinCanTech in #1029
• doc: Update EasyRSA-Advanced.md environment variable list by @TinCanTech in #1030
• Replace santize_path() and ignore Windows "security" warning by @TinCanTech in #1033
• Improve select_vars() and source_vars() by @TinCanTech in #1034

New Contributors

• @Tabiskabis made their first contribution in #1020

Full Changelog: v3.1.6...v3.1.7

v3.1.6

Update: Before using v3.1.6, please see this issue #1009

What's Changed

• sign-req: Allow the CSR DN-field order to be preserved by @TinCanTech in #970
• Post version 3.1.5 refactor by @TinCanTech in #967
• set_var(): Allow empty input to return without error by @TinCanTech in #971
• vars-file: Warn about EASYRSA_NO_VARS disabling vars-file use by @TinCanTech in #972
• Expand default status to include vars-file and CA status by @TinCanTech in #973
• verify_ssl_lib(): Minor style improvements by @TinCanTech in #974
• cleanup: Rename $easyrsa_error_exit to $easyrsa_exit_with_error by @TinCanTech in #976
• Very minor changes to comments, help/msg text, wrap lines, code by @TinCanTech in #977
• Expose 'sign-req' unique, random serial number check to command line by @TinCanTech in #980
• sign-req: Major refactor by @TinCanTech in #981
• Simplify run-once control for exanding conf files by @TinCanTech in #982
• Only verify working environment for recognised commands by @TinCanTech in #985
• easyrsa_openssl: Replace variable 'has_config' with OPENSSL_CONF by @TinCanTech in #987
• Export PKCS: Expand usage for incomplete PKI by @TinCanTech in #991
• Inline v2 by @TinCanTech in #993
• set_var and force_set_var: Guard against invalid user input by @TinCanTech in #994
• verify_working_env: sanitize_path(), forbid broken values by @TinCanTech in #1000

Full Changelog: v3.1.5...v3.1.6

v3.1.5

3.1.5 (2023-06-10)

• Build Update: script now supports signing and verifying

• Automate support-file creation (Free packaging) (#964)

• build-ca: New command option 'raw-ca', abbrevation: 'raw' (#963)

  This 'raw' method, is the most reliable way to build a CA,
  with a password, without writing the CA password to a temp-file.

This option completely replaces both methods below:

• build-ca: New option --ca-via-stdin, use SSL -pass* argument 'stdin' (#959)
  Option '--ca-via-stdin' offers no more security than standard method.
  Easy-RSA version 3.1.4 ONLY.

• build-ca: Replace password temp-files with file-descriptors (#955)
  Using file-descriptors does not work in Windows.
  Easy-RSA version 3.1.3 ONLY.

What's Changed

• build-ca: New command option 'raw-ca', abbrevation: 'raw' by @TinCanTech in #963
• Automate support-file creation (Free packaging) by @TinCanTech in #964

Full Changelog: v3.1.4...v3.1.5

v3.1.4

3.1.4 (2023-05-23)

• build-ca: New option --ca-via-stdin, use SSL -pass* argument 'stdin' (#959)

• build-ca: Revert manual CA password method to temp-files (#959)
  Supersedes #955

  Release v3.1.3 was fatally flawed, it would fail to build a CA under Windows.
  Release v3.1.4 is specifically a bugfix ONLY, to resolve the Windows problem.

  See the following commits for further details:
  5d7ad13
  build-ca: Revert manual CA password method to temp-files
  c11135d
  build-ca: Use OpenSSL password I/O argument 'stdin'
  27870d6
  build-ca: Replace password temp-file method with file-descriptors
  Superseded by 5d7ad13 above.

Full Changelog: v3.1.3...v3.1.4

v3.1.3

What's Changed

• fixed_cert_dates(): Remove subshell by @TinCanTech in #849
• Add 'verify-cert' command to current 'verify' command by @TinCanTech in #850
• Re-order output messages and subsequent newlines for aesthetics by @TinCanTech in #851
• build_ca(): Wrap long lines by @TinCanTech in #852
• build-ca: Write 'unique_subject = no' to index.txt.attr file by @TinCanTech in #854
• Remove hard-coded unit-test password from build-ca by @TinCanTech in #857
• Rename safe_set_var() to force_set_var() by @TinCanTech in #858
• build-ca: Minor code reformat (aesthetics) by @TinCanTech in #860
• Wrap long lines: easyrsa_openssl(), sed command by @TinCanTech in #864
• Move calling show_host() to function die(), where it belongs by @TinCanTech in #868
• Remove ineffectual redirector by @TinCanTech in #869
• Remove redundant separator lines by @TinCanTech in #870
• Remove debug symbols by @TinCanTech in #865
• Move verify_ssl_lib() - Always verify SSL lib, for all commands by @TinCanTech in #877
• easyrsa_mktemp(): Use sequential numbered temp files by @TinCanTech in #876
• cleanup(): Only enable terminal echo when it has been disabled by @TinCanTech in #880
• set-var(): Check input, die on errors by @TinCanTech in #882
• build-ca: Manual password bug fixes by @TinCanTech in #886
• sign-req: Only create a random serial number file when expected by @TinCanTech in #896
• sign-req: Use either SSL option -days OR -startdate/-enddate by @TinCanTech in #897
• Use set_var to correctly assign EASYRSA_REQ_SERIAL by @TinCanTech in #900
• gen-crl: Minor improvements by @TinCanTech in #903
• Upgrade_23: Prioritise new PKI creation to allow temp file creation by @TinCanTech in #906
• General improvements by @TinCanTech in #908
• Status reports: Warn if given commonName is not found in database by @TinCanTech in #911
• vars_setup(): Refactor 'Sanitize vars' by @TinCanTech in #912
• Introduce option -S|--silent-ssl: Silence SSL output by @TinCanTech in #913
• CI: Update checkout to v3 by @TinCanTech in #917
• Replace fixed offset date code by @TinCanTech in #918
• vars file: Allow 'EASYRSA_VARS_FILE' to be set externally by @TinCanTech in #924
• Status reports: Leap Years, apply Day Feb-29 after Feb-28 by @TinCanTech in #928
• easyrsa_openssl(): Create a safe SSL config once per instance ONLY by @TinCanTech in #931
• Windows: Warn when using Windows default location in 'Program Files' by @TinCanTech in #937
• secure_session(): Move in verify_working_env() Remove from 'init-pki' by @TinCanTech in #938
• Introduce global option --force-safe-ssl by @TinCanTech in #935
• vars: Prohibit use of export and unset in vars file by @TinCanTech in #932
• Status reports: Additional check, Use SSL to determine expiration by @TinCanTech in #940
• import-req: Check input file exists by @TinCanTech in #945
• remove_secure_session(): Return-On-Success Only by @TinCanTech in #943
• X509-types insert markers: Move and improve by @TinCanTech in #946
• easyrsa_openssl(): makesafecnf - Copy temp-file do NOT move by @TinCanTech in #948
• mutual_exclusions(): Use of --silent and --verbose is unresolvable by @TinCanTech in #949
• Build Safe SSL config at correct stage by @TinCanTech in #954
• build-ca: Replace password temp-file method with file-descriptors by @TinCanTech in #955

Full Changelog: v3.1.2...v3.1.3

v3.1.2

What's Changed

• Command 'renew': Remove option 'nopass' by @TinCanTech in #741
• find_x509_types_dir(): Remove excess checks by @TinCanTech in #742
• Remove function find_x509_types_dir() by @TinCanTech in #743
• For 'init-pki hard' only, always try to create a new pki/vars file by @TinCanTech in #744
• Introduce global option '--notext|--no-text' by @TinCanTech in #745
• Minor style change by @TinCanTech in #746
• Introduce command 'set-pass' by @TinCanTech in #756
• Fix shellcheck warning for command set-pass case statement by @TinCanTech in #777
• cleanup(): Exit correctly for SIGINT by @TinCanTech in #775
• Update help: Standardise output; Improve code; Reprioritise options by @TinCanTech in #778
• vars.example: Add EASYRSA_NO_PASS and wrap long lines by @TinCanTech in #783
• Use 'unset -v', consistently by @TinCanTech in #784
• build-ca: Improve passphrase input mechanism by @TinCanTech in #786
• Remove global options '--verbose' and '--quiet' as not required by @TinCanTech in #789
• Remove all prerequisite code to build a safe SSL config file by @TinCanTech in #791
• Rename temp files to reflect the purpose by @TinCanTech in #793
• easyrsa_openssl(): Always set OPENSSL_CONF to EasyRSA safe SSL config by @TinCanTech in #794
• Replace SSL calls for serial number with function ssl_cert_serial() by @TinCanTech in #797
• Introduce OpenSSL only mode: No Safe SSL Config File by @TinCanTech in #800
• ff_date_to_cert_date(): Correct the input format for busybox date by @TinCanTech in #806
• Re-order easyrsa_openssl() temp-file assignment by @TinCanTech in #807
• Stop EASYRSA_DEBUG interfering with SSL output from subshells by @TinCanTech in #808
• Status reports: Recognise Expired certificates by @TinCanTech in #810
• New function safe_set_var(): Safe wrapper for set_var() by @TinCanTech in #811
• Windows, build-ca: Add input password to re-open private key by @TinCanTech in #813
• Renewal: General code improvements by @TinCanTech in #817
• cleanup(): General improvements - Create KNOWN error exit by @TinCanTech in #818
• build-ca: Change FATAL error to warning for old openssl-easyrsa.cnf by @TinCanTech in #821
• Allow --fix-offset to create post-dated certificates by @TinCanTech in #804
• Default settings: Make default Edwards curve ED25519 by @TinCanTech in #828
• cleanup(): Exit with numeric error-code only by @TinCanTech in #831
• init-pki(): Introduce second warning before HARD removal by @TinCanTech in #832
• build-full: Always enable inline file creation by @TinCanTech in #834
• Global option '--passout' always take priority ONLY by @TinCanTech in #839
• Status Reports: Set 'LC_TIME=C.UTF-8', only used for reports by @TinCanTech in #840
• Option --fix-offset: Adjust off-by-one day by @TinCanTech in #847

Full Changelog: v3.1.1...v3.1.2

v3.1.1

2022-10-14 - Signatures were corrupted on upload. Re-uploading verified sigs.

What's Changed

• Standardise all output for warn(), notice() and message():[New] by @TinCanTech in #574
• Expand status reports to include checking a single certificate by @TinCanTech in #577
• Introduce 'rewind-renew' - Recover "guineapig" renewed certificates by @TinCanTech in #579
• Improve revocation and renewal functions by @TinCanTech in #580
• Correctly quote 'sed' and auto-escape ampersand by @TinCanTech in #584
• Auto-escape '&' and '$' in 'org' mode fields - Other minor tweaks by @TinCanTech in #590
• Remove restrictive 30-day window hindering 'renew' by @TinCanTech in #594
• Replace cert dates by @TinCanTech in #595
• Introduce 'serialNumber' field for DN (OID 2.5.4.5) by @TinCanTech in #606
• Upgrade-23: Assign a secure session for temporary directory by @TinCanTech in #623
• Introduce 'renew-req': Create new CSR for an existing private key by @TinCanTech in #616
• Restore files when 'renew' fails during 'build_full()' phase by @TinCanTech in #617
• Ensure 'pki/renewed/' exist for 'rewind-renew' by @TinCanTech in #618
• Allow vars file to exist in current directory (Fix make-cadir) by @TinCanTech in #635
• gen-dh: Use temporary file by @TinCanTech in #636
• sign--req: Prohibit COMMON as a certificate type by @TinCanTech in #637
• show: Reorder parameter checks to guard against empty input by @TinCanTech in #639
• verify_ca_init: Reorder names to improve error message by @TinCanTech in #638
• Re-enable the use of --vars=file for init-pki by @TinCanTech in #640
• Expand the possible values of $prog_dir, include full path by @TinCanTech in #641
• vars_setup(): Always warn about unsupported characters in vars by @TinCanTech in #642
• renew: Improve notices and input check by @TinCanTech in #645
• Options: Check that $val is numeric when a number is expected by @TinCanTech in #646
• Unsupported characters: Correct check and warning message by @TinCanTech in #649
• sign-req: Enforce X509-type files exist and are used. (#581) by @TinCanTech in #650
• cleanup: Make "clean line" respect silent, batch and quiet modes by @TinCanTech in #652
• Overhaul vars detection by @TinCanTech in #655
• detect_host: Use SSL Library version from EasyRSA version by @TinCanTech in #656
• Options: Add '-s' to also enabe --silent mode. by @TinCanTech in #657
• Options: Rescind deprecation notice of option --req-cn by @TinCanTech in #660
• x509-types: Add x509-types location to usage() STATUS by @TinCanTech in #662
• vars_setup: Correctly locate x509-types for usage() directory STATUS by @TinCanTech in #665
• x509-types: Reset non-existent x509-types dir set by vars by @TinCanTech in #666
• fixed typo by @ashutoshojha5 in #670
• Options: Expand alias '--days' to all suitable options with a period by @TinCanTech in #674
• Options: Introduce --keep-tmp=NAME; Keep the temporary session data by @TinCanTech in #667
• Option --req-cn: Restore original behavior from v30x series by @TinCanTech in #682
• renew-req: Add command option 'nopass' by @TinCanTech in #683
• Remove renew-req by @TinCanTech in #685
• Documentation: Add EasyRSA-Renew-and-Revoke.md by @TinCanTech in #690
• X509-types: Always check SSL config file for EasyRSA insert-markers by @TinCanTech in #695
• Rename 'renew' to 'rebuild' - Introduce 'renew' version 3 by @TinCanTech in #688
• build-ca: Check x509-types 'ca' and 'COMMON' files exist by @TinCanTech in #697
• Status Report 'show-renew': Include renewed certs from /cert_by_serial by @TinCanTech in #700
• Doc-Update: Note that all changes were included with Easy-RSA v3.1.1 by @TinCanTech in #701
• ChangeLog: Final update for v3.1.1 by @TinCanTech in #702
• build_full: Remove sign_req() subshell and do full cleanup by @TinCanTech in #705
• Option --keep-tmp: Append EASYRSA_TEMP_DIR_session random number by @TinCanTech in #711
• Option --keep-tmp: Reliability improvements by @TinCanTech in #712
• Opt. --subca-len: basicConstraints CA extension, Append 'pathlen:N' by @TinCanTech in #706
• Refactor Netscape support by @TinCanTech in #710
• help: Document supported certificate X509 types by @TinCanTech in #704
• Remove obsolete command 'renewable' by @TinCanTech in #715
• Doc: EasyRSA-Contributing.md - Update by @TinCanTech in #719
• init-pki soft: Include delete of revoked and renewed sub-directories by @TinCanTech in #720

New Contributors

• @ashutoshojha5 made their first contribution in #670

Full Changelog: v3.1.0...v3.1.1

EasyRSA 3.1.0

NOTICE

This version of EasyRSA introduces OpenSSL 3 (3.0.3). Effectively, v3.1.0 is nearly identical to v3.0.9, but we ship different binaries in the Windows package. @TinCanTech has put a ton of work in to support for the new OpenSSL, but there may be bugs. We intend to make big changes early in the v3.1.x branch and only back-port bug fixes to v3.0.x going forward.

What's Changed

• Add 'verify' - SSL Verify certificate against CA by @TinCanTech in #549
• Release/3.0 by @ecrist in #558
• Backport patch for #559 to 3.0 by @ecrist in #563
• Always respect --vars=file by @nkakouros in #562
• Introduce extensible PKI reporting tool framework by @TinCanTech in #557
• Add command for testing which certificates are eligible for renewal by @AndersBlomdell in #555
• update ChangeLog for v3.0.9 final release by @ecrist in #570
• update python call, remove test pki on build by @ecrist in #575

New Contributors

• @ecrist made their first contribution in #558

Full Changelog: v3.0.9...v3.1.0

Our ChangeLog

3.1.0 (2022-05-18)
   * Introduce basic support for OpenSSL version 3 (#492)
   * Update regex in grep to be POSIX compliant (#556)
   * Introduce status reporting tools (#555 & #557)
   * Display certificates using UTF8 (#551)
   * Allow certificates to be created with fixed date offset (#550)
   * Add 'verify' to verify certificate against CA (#549)
   * Add PKCS#12 alias 'friendlyName' (#544)
   * Disallow use of '--vars=FILE init-pki' (#566)
   * Support multiple IP-Addresses in SAN (#564)
   * Add option '--renew-days=NN', custom renew grace period (#557)
   * Add 'nopass' option to the 'export-pkcs' functions (#411)
   * Add support for 'busybox' (#543)
   * Add option '--tmp-dir=DIR' to declare Temp-dir (Commit f503a22)