easyrsa

#!/bin/sh

# Easy-RSA 3 -- A Shell-based CA Utility
#
# Copyright (C) 2018 by the Open-Source OpenVPN development community.
# A full list of contributors can be found in the ChangeLog.
#
# This code released under version 2 of the GNU GPL; see COPYING and the
# Licensing/ directory of this project for full licensing details.

# Help/usage output to stdout
usage() {
	# command help:
	print "
Easy-RSA 3 usage and overview

USAGE: easyrsa [options] COMMAND [command-options]

A list of commands is shown below. To get detailed usage and help for a
command, run:
  ./easyrsa help COMMAND

For a listing of options that can be supplied before the command, use:
  ./easyrsa help options

Here is the list of commands available with a short syntax reminder. Use the
'help' command above to get full usage details.

  init-pki
  build-ca [ cmd-opts ]
  gen-dh
  gen-req <filename_base> [ cmd-opts ]
  sign-req <type> <filename_base>
  build-client-full <filename_base> [ cmd-opts ]
  build-server-full <filename_base> [ cmd-opts ]
  revoke <filename_base> [cmd-opts]
  renew <filename_base> [cmd-opts]
  build-serverClient-full <filename_base> [ cmd-opts ]
  gen-crl
  update-db
  show-req <filename_base> [ cmd-opts ]
  show-cert <filename_base> [ cmd-opts ]
  show-ca [ cmd-opts ]
  import-req <request_file_path> <short_basename>
  export-p7 <filename_base> [ cmd-opts ]
  export-p8 <filename_base> [ cmd-opts ]
  export-p12 <filename_base> [ cmd-opts ]
  set-rsa-pass <filename_base> [ cmd-opts ]
  set-ec-pass <filename_base> [ cmd-opts ]
  upgrade <type>
"

	# collect/show dir status:
	err_source="Not defined: vars autodetect failed and no value provided"
	work_dir="${EASYRSA:-$err_source}"
	pki_dir="${EASYRSA_PKI:-$err_source}"
	print "\
DIRECTORY STATUS (commands would take effect on these locations)
  EASYRSA: $work_dir
      PKI: $pki_dir
"
} # => usage()

# Detailed command help
# When called with no args, calls usage(), otherwise shows help for a command
cmd_help() {
	text=""
	opts=""
	case "$1" in
		init-pki|clean-all) text="
  init-pki [ cmd-opts ]
      Removes & re-initializes the PKI dir for a clean PKI" ;;
		build-ca) text="
  build-ca [ cmd-opts ]
      Creates a new CA"
      			opts="
        nopass  - do not encrypt the CA key (default is encrypted)
        subca   - create an intermediate CA keypair and request (default is a root CA)
        intca   - alias to the above" ;;
		gen-dh) text="
  gen-dh
      Generates DH (Diffie-Hellman) parameters" ;;
		gen-req) text="
  gen-req <filename_base> [ cmd-opts ]
      Generate a standalone keypair and request (CSR)

      This request is suitable for sending to a remote CA for signing."
      			opts="
        nopass  - do not encrypt the private key (default is encrypted)" ;;
		sign|sign-req) text="
  sign-req <type> <filename_base>
      Sign a certificate request of the defined type. <type> must be a known
      type such as 'client', 'server', 'serverClient', or 'ca' (or a user-added type.)

      This request file must exist in the reqs/ dir and have a .req file
      extension. See import-req below for importing reqs from other sources." ;;
		build|build-client-full|build-server-full|build-serverClient-full) text="
  build-client-full <filename_base> [ cmd-opts ]
  build-server-full <filename_base> [ cmd-opts ]
  build-serverClient-full <filename_base> [ cmd-opts ]
      Generate a keypair and sign locally for a client and/or server

      This mode uses the <filename_base> as the X509 CN."
			opts="
        nopass  - do not encrypt the private key (default is encrypted)
        inline  - create an inline credentials file for this node" ;;
		revoke) text="
  revoke <filename_base> [reason]
      Revoke a certificate specified by the filename_base, with an optional
      revocation reason that is one of:
        unspecified
        keyCompromise
        CACompromise
        affiliationChanged
        superseded
        cessationOfOperation
        certificateHold";;
		renew) text="
  renew <filename_base> [ cmd-opts ]
      Renew a certificate specified by the filename_base"
				opts="
        nopass  - do not encrypt the private key (default is encrypted)" ;;
		gen-crl) text="
  gen-crl
      Generate a CRL" ;;
		update-db) text="
  update-db
      Update the index.txt database

      This command will use the system time to update the status of issued
      certificates." ;;
      		show-req|show-cert) text="
  show-req  <filename_base> [ cmd-opts ]
  show-cert <filename_base> [ cmd-opts ]
      Shows details of the req or cert referenced by filename_base

      Human-readable output is shown, including any requested cert options when
      showing a request."
      			opts="
          full   - show full req/cert info, including pubkey/sig data" ;;
		show-ca) text="
  show-ca [ cmd-opts ]
      Shows details of the CA cert

      Human-readable output is shown."
			opts="
          full   - show full cert info, including pubkey/sig data" ;;
		import-req) text="
  import-req <request_file_path> <short_basename>
      Import a certificate request from a file

      This will copy the specified file into the reqs/ dir in
      preparation for signing.
      The <short_basename> is the filename base to create.

      Example usage:
        import-req /some/where/bob_request.req bob" ;;
		export-p12) text="
  export-p12 <filename_base> [ cmd-opts ]
      Export a PKCS#12 file with the keypair specified by <filename_base>"
			opts="
        noca  - do not include the ca.crt file in the PKCS12 output
        nokey - do not include the private key in the PKCS12 output" ;;
		export-p7) text="
  export-p7 <filename_base> [ cmd-opts ]
      Export a PKCS#7 file with the pubkey specified by <filename_base>"
			opts="
        noca  - do not include the ca.crt file in the PKCS7 output" ;;
		export-p8) text="
  export-p8 <filename_base> [ cmd-opts ]
      Export a PKCS#8 file with the private key specified by <filename_base>"
			opts="
        noca  - do not include the ca.crt file in the PKCS7 output" ;;
		set-rsa-pass|set-ec-pass) text="
  set-rsa-pass <filename_base> [ cmd-opts ]
  set-ec-pass <filename_base> [ cmd-opts ]
      Set a new passphrase on an RSA or EC key for the listed <filename_base>."
                        opts="
        nopass - use no password and leave the key unencrypted
        file   - (advanced) treat the file as a raw path, not a short-name" ;;
		upgrade) text="
  upgrade <type>
      Upgrade EasyRSA PKI and/or CA. <type> must be one of:
        pki - Upgrade EasyRSA v2.x PKI to EasyRSA v3.x PKI (includes CA below)
        ca  - Upgrade EasyRSA v3.0.5 CA or older to EasyRSA v3.0.6 CA or later." ;;
		altname|subjectaltname|san) text="
  --subject-alt-name=SAN_FORMAT_STRING
      This global option adds a subjectAltName to the request or issued
      certificate. It MUST be in a valid format accepted by openssl or
      req/cert generation will fail. Note that including multiple such names
      requires them to be comma-separated; further invocations of this
      option will REPLACE the value.

      Examples of the SAN_FORMAT_STRING shown below:
        DNS:alternate.example.net
        DNS:primary.example.net,DNS:alternate.example.net
        IP:203.0.113.29
        email:alternate@example.net" ;;
		options)
			opt_usage ;;
		"")
			usage ;;
		*) text="
  Unknown command: '$1' (try without commands for a list of commands)" ;;
	esac

	# display the help text
	print "$text"
	[ -n "$opts" ] && print "
      cmd-opts is an optional set of command options from this list:
$opts"
} # => cmd_help()

# Options usage
opt_usage() {
	print "
Easy-RSA Global Option Flags

The following options may be provided before the command. Options specified
at runtime override env-vars and any 'vars' file in use. Unless noted,
non-empty values to options are mandatory.

General options:

--batch         : set automatic (no-prompts when possible) mode
--passin=ARG    : set -passin ARG for openssl
--passout=ARG   : set -passout ARG for openssl
--pki-dir=DIR   : declares the PKI directory
--vars=FILE     : define a specific 'vars' file to use for Easy-RSA config
--version       : prints EasyRSA version and build information, then exits

Certificate & Request options: (these impact cert/req field values)

--days=#        : sets the signing validity to the specified number of days
--digest=ALG    : digest to use in the requests & certificates
--dn-mode=MODE  : DN mode to use (cn_only or org)
--keysize=#     : size in bits of keypair to generate
--req-cn=NAME   : default CN to use
--subca-len=#   : path length of signed intermediate CA certs; must be >= 0 if used
--subject-alt-name : Add a subjectAltName. For more info and syntax, see:
                     ./easyrsa help altname
--use-algo=ALG  : crypto alg to use: choose rsa (default), ec or ed
--curve=NAME    : for elliptic curve, sets the named curve to use
--copy-ext      : Copy included request X509 extensions (namely subjAltName

Organizational DN options: (only used with the 'org' DN mode)
  (values may be blank for org DN options)

--req-c=CC        : country code (2-letters)
--req-st=NAME     : State/Province
--req-city=NAME   : City/Locality
--req-org=NAME    : Organization
--req-email=NAME  : Email addresses
--req-ou=NAME     : Organizational Unit

Deprecated features:

--ns-cert=YESNO       : yes or no to including deprecated NS extensions
--ns-comment=COMMENT  : NS comment to include (value may be blank)
"
} # => opt_usage()

# Wrapper around printf - clobber print since it's not POSIX anyway
# shellcheck disable=SC1117
print() { printf "%s\n" "$*" || exit 1; }

# Exit fatally with a message to stderr
# present even with EASYRSA_BATCH as these are fatal problems
die() {
	print "
Easy-RSA error:

$1" 1>&2
	exit "${2:-1}"
} # => die()

# non-fatal warning output
warn() {
	[ ! "$EASYRSA_BATCH" ] && \
		print "
$1" 1>&2

	return 0
} # => warn()

# informational notices to stdout
notice() {
	[ ! "$EASYRSA_BATCH" ] && \
		print "
$1"

	return 0
} # => notice()

# yes/no case-insensitive match (operates on stdin pipe)
# Returns 0 when input contains yes, 1 for no, 2 for no match
# If both strings are present, returns 1; first matching line returns.
awk_yesno() {
	#shellcheck disable=SC2016
	awkscript='
BEGIN {IGNORECASE=1; r=2}
{       if(match($0,"no")) {r=1; exit}
        if(match($0,"yes")) {r=0; exit}
} END {exit r}'
	awk "$awkscript"
} # => awk_yesno()

# intent confirmation helper func
# returns without prompting in EASYRSA_BATCH
confirm() {
	[ "$EASYRSA_BATCH" ] && return
	prompt="$1"
	value="$2"
	msg="$3"
	input=""
	print "
$msg

Type the word '$value' to continue, or any other input to abort."
	printf %s "  $prompt"
	#shellcheck disable=SC2162
	read input
	[ "$input" = "$value" ] && return
	notice "Aborting without confirmation."
	exit 9
} # => confirm()

# mktemp wrapper
easyrsa_mktemp() {
	[ -n "$EASYRSA_TEMP_DIR_session" ] || die "EASYRSA_TEMP_DIR_session not initialized!"
	[ -d "$EASYRSA_TEMP_DIR_session" ] || mkdir -p "$EASYRSA_TEMP_DIR_session" ||
		die "Could not create temporary directory '$EASYRSA_TEMP_DIR_session'. Permission or concurrency problem?"
	[ -d "$EASYRSA_TEMP_DIR_session" ] || die "Temporary directory '$EASYRSA_TEMP_DIR_session' does not exist"

	tempfile="$EASYRSA_TEMP_DIR_session/tmp.$($EASYRSA_OPENSSL rand -hex 3)" || return
	printf "" > "$tempfile" || return
	
	echo "$tempfile"
} # => easyrsa_mktemp

# remove temp files and do terminal cleanups
cleanup() {
	[ -z "$EASYRSA_TEMP_DIR_session" ] || rm -rf "$EASYRSA_TEMP_DIR_session"
	# shellcheck disable=SC2039
	(stty echo 2>/dev/null) || { (set -o echo 2>/dev/null) && set -o echo; }
	echo "" # just to get a clean line
} # => cleanup()

easyrsa_openssl() {
	openssl_command=$1; shift

	case $openssl_command in
		makesafeconf) has_config=true;;
		ca|req|srp|ts) has_config=true;;
		*) has_config=false;;
	esac

	case "$osslv_major" in
	3)
		case $openssl_command in
		genpkey) has_config=true;;
		*) : ;; # ok
		esac
	;;
	1|2)	: ;; # ok - LibreSSL 2.x
	'')	: ;; # Unset then this is init-pki
	*)	die "Unsupported openssl version: $osslv_major"
	esac

	if ! $has_config; then
		"$EASYRSA_OPENSSL" "$openssl_command" "$@"
		return
	fi

	easyrsa_openssl_conf=$(easyrsa_mktemp) || die "Failed to create temporary file"
	easyrsa_extra_exts=
	if [ -n "$EASYRSA_EXTRA_EXTS" ]; then
		easyrsa_extra_exts=$(easyrsa_mktemp) || die "Failed to create temporary file"
		cat >"$easyrsa_extra_exts" <<-EOF
			req_extensions = req_extra
			[ req_extra ]
			$EASYRSA_EXTRA_EXTS
		EOF
	fi

	# Make LibreSSL safe config file from OpenSSL config file
	sed \
		-e "s\`ENV::EASYRSA\`EASYRSA\`g" \
		-e "s\`\$dir\`$EASYRSA_PKI\`g" \
		-e "s\`\$EASYRSA_PKI\`$EASYRSA_PKI\`g" \
		-e "s\`\$EASYRSA_CERT_EXPIRE\`$EASYRSA_CERT_EXPIRE\`g" \
		-e "s\`\$EASYRSA_CRL_DAYS\`$EASYRSA_CRL_DAYS\`g" \
		-e "s\`\$EASYRSA_DIGEST\`$EASYRSA_DIGEST\`g" \
		-e "s\`\$EASYRSA_KEY_SIZE\`$EASYRSA_KEY_SIZE\`g" \
		-e "s\`\$EASYRSA_DIGEST\`$EASYRSA_DIGEST\`g" \
		-e "s\`\$EASYRSA_DN\`$EASYRSA_DN\`g" \
		-e "s\`\$EASYRSA_REQ_COUNTRY\`$EASYRSA_REQ_COUNTRY\`g" \
		-e "s\`\$EASYRSA_REQ_PROVINCE\`$EASYRSA_REQ_PROVINCE\`g" \
		-e "s\`\$EASYRSA_REQ_CITY\`$EASYRSA_REQ_CITY\`g" \
		-e "s\`\$EASYRSA_REQ_ORG\`$EASYRSA_REQ_ORG\`g" \
		-e "s\`\$EASYRSA_REQ_OU\`$EASYRSA_REQ_OU\`g" \
		-e "s\`\$EASYRSA_REQ_CN\`$EASYRSA_REQ_CN\`g" \
		-e "s\`\$EASYRSA_REQ_EMAIL\`$EASYRSA_REQ_EMAIL\`g" \
		${EASYRSA_EXTRA_EXTS:+-e "/^#%EXTRA_EXTS%/r $easyrsa_extra_exts"} \
		"$EASYRSA_SSL_CONF" > "$easyrsa_openssl_conf" ||
		die "Failed to update $easyrsa_openssl_conf"

	if [ "$openssl_command" = "makesafeconf" ]; then
		cp "$easyrsa_openssl_conf" "$EASYRSA_SAFE_CONF"
		err=$?
	else
		"$EASYRSA_OPENSSL" "$openssl_command" -config "$easyrsa_openssl_conf" "$@"
		err=$?
	fi

	rm -f "$easyrsa_openssl_conf"
	rm -f "$easyrsa_extra_exts"
	return $err
} # => easyrsa_openssl

vars_source_check() {
	# Check for defined EASYRSA_PKI
	[ -n "$EASYRSA_PKI" ] || die "\
EASYRSA_PKI env-var undefined"
} # => vars_source_check()

# Verify supplied curve exists and generate curve file if needed
verify_curve_ec() {
	if ! "$EASYRSA_OPENSSL" ecparam -name "$EASYRSA_CURVE" > /dev/null; then
		die "\
Curve $EASYRSA_CURVE not found. Run openssl ecparam -list_curves to show a
list of supported curves."
	fi

	# Check that the ecparams dir exists
	[ -d "$EASYRSA_EC_DIR" ] || mkdir "$EASYRSA_EC_DIR" || die "\
Failed creating ecparams dir (permissions?) at:
$EASYRSA_EC_DIR"

	# Check that the required ecparams file exists
	out="$EASYRSA_EC_DIR/${EASYRSA_CURVE}.pem"
	[ -f "$out" ] && return 0
	"$EASYRSA_OPENSSL" ecparam -name "$EASYRSA_CURVE" -out "$out" || die "\
Failed to generate ecparam file (permissions?) when writing to:
$out"

	# Explicitly return success for caller
	return 0
}

# Verify if Edward Curve exists
verify_curve_ed() {
	easyrsa_openssl genpkey -algorithm "$EASYRSA_CURVE" > /dev/null && return 0
	die "Edward Curve $EASYRSA_CURVE not found."
}

verify_ssl_lib () {
	# Verify EASYRSA_OPENSSL command gives expected output
	if [ -z "$EASYRSA_SSL_OK" ]; then
		val="$("$EASYRSA_OPENSSL" version)"
		case "${val%% *}" in
			OpenSSL|LibreSSL)
				osslv_major="${val#* }"
				osslv_major="${osslv_major%%.*}"
				case "$osslv_major" in
					1) no_password='-nodes' ;;
					2) no_password='-nodes' ;; # LibreSSL Only
					3) no_password='-noenc' ;;
					*) die "Unsupported SSL library: $osslv_major"
				esac
				print "\
Using SSL: $EASYRSA_OPENSSL $("$EASYRSA_OPENSSL" version)" ;;
			*) die "\
Missing or invalid OpenSSL
Expected to find openssl command at: $EASYRSA_OPENSSL" ;;
		esac
	fi
	EASYRSA_SSL_OK=1

	# Verify EASYRSA_SSL_CONF file exists
	[ -f "$EASYRSA_SSL_CONF" ] || die "\
The OpenSSL config file cannot be found.
Expected location: $EASYRSA_SSL_CONF"
} # => verify_ssl_lib ()

# Basic sanity-check of PKI init and complain if missing
verify_pki_init() {
	help_note="Run easyrsa without commands for usage and command help."

	# check that the pki dir exists
	vars_source_check
	[ -d "$EASYRSA_PKI" ] || die "\
EASYRSA_PKI does not exist (perhaps you need to run init-pki)?
Expected to find the EASYRSA_PKI at: $EASYRSA_PKI
$help_note"

	# verify expected dirs present:
	for i in private reqs; do
		[ -d "$EASYRSA_PKI/$i" ] || die "\
Missing expected directory: $i (perhaps you need to run init-pki?)
$help_note"
	done

	# verify ssl lib
	verify_ssl_lib
} # => verify_pki_init()

# Verify core CA files present
verify_ca_init() {
	help_note="Run without commands for usage and command help."

	# First check the PKI has been initialized
	verify_pki_init

	# Verify expected files are present. Allow files to be regular files
	# (or symlinks), but also pipes, for flexibility with ca.key
	for i in serial index.txt index.txt.attr ca.crt private/ca.key; do
		if [ ! -f "$EASYRSA_PKI/$i" ] && [ ! -p "$EASYRSA_PKI/$i" ]; then
			[ "$1" = "test" ] && return 1
			die "\
Missing expected CA file: $i (perhaps you need to run build-ca?)
$help_note"
		fi
	done

	# When operating in 'test' mode, return success.
	# test callers don't care about CA-specific dir structure
	[ "$1" = "test" ] && return 0

	# verify expected CA-specific dirs:
	for i in issued certs_by_serial
	do
		[ -d "$EASYRSA_PKI/$i" ] || die "\
Missing expected CA dir: $i (perhaps you need to run build-ca?)
$help_note"
	done

	# explicitly return success for callers
	return 0

} # => verify_ca_init()

# init-pki backend:
init_pki() {

	# If EASYRSA_PKI exists, confirm before we rm -rf (skipped with EASYRSA_BATCH)
	if [ -e "$EASYRSA_PKI" ]; then
		confirm "Confirm removal: " "yes" "
WARNING!!!

You are about to remove the EASYRSA_PKI at: $EASYRSA_PKI
and initialize a fresh PKI here."
		# now remove it:
		rm -rf "$EASYRSA_PKI" || die "Removal of PKI dir failed. Check/correct errors above"
	fi

	# new dirs:
	for i in private reqs; do
		mkdir -p "$EASYRSA_PKI/$i" || die "Failed to create PKI file structure (permissions?)"
	done

	# Install data-files into ALL new PKIs
	install_data_to_pki || die "Failed to install required data-files to PKI."

	# Verify that $EASYRSA_SAFE_CONF exists ($OPENSSL_CONF)
	# Prevents bogus warnings (especially useful on win32)
	if [ -n "$EASYRSA_SAFE_CONF" ] && [ -e "$EASYRSA_SAFE_CONF" ]; then
		: # ok
	else
		die "init-pki failed to create safe SSL conf: $EASYRSA_SAFE_CONF"
	fi

	notice "\
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: $EASYRSA_PKI
"
	return 0
} # => init_pki()

# Copy data-files from various sources
install_data_to_pki () {
#
# This function is here to explicitly copy data-files to the PKI.
# During 'init-pki' this is the new default.
# During all other functions these requirements are tested for and
# files will be copied to the PKI, if they do not already exist there.
#
# One of the reasons for this change is to make packing EasyRSA work.
# This function searches favoured and then common 'areas' for the
#   EasyRSA data-files(A):
#     'openssl-easyrsa.cnf' 'x509-types':(folder).
#
# These files MUST be found in at least one location and will be copied
# to the current PKI, if they do not already exist there.
#
#
# Other EasyRSA data-files(B): it is not crucial that these are found
# but if they are then they are also copied to the PKI.
#   'vars' 'vars.example'
#
#
# For 'vars' consideration must be given to:
#   "Where the user expects to find vars!"
#
# Currently, *if* 'vars' is copied to the PKI then the PKI 'vars' will take
# priority over './vars'. But it will not be updated if './vars' is changed.
#
# Copying 'vars' to the PKI is complicated, code is included but DISABLED.

	# Set required sources
	vars_file='vars'
	vars_file_example='vars.example'
	ssl_cnf_file='openssl-easyrsa.cnf'
	x509_types_dir='x509-types'

	# Only use if required
	# Omit 'vars' - [ -e "${EASYRSA_PKI}/${vars_file}" ] &&
	if [ -e "$EASYRSA_SAFE_CONF" ] && \
		[ -e "${EASYRSA_PKI}/${vars_file_example}" ] && \
		[ -e "${EASYRSA_PKI}/${ssl_cnf_file}" ] && \
		[ -e "${EASYRSA_PKI}/${x509_types_dir}" ]
	then
		return 0
	fi

	# PWD covers EasyRSA-Windows installed by OpenVPN, and git forks
	area_pwd="$PWD"
	# Old way
	area_prog="${0%/*}"
	# Sensible default - Includes: Arch-Linux
	area_etc='/etc/easy-rsa'
	# Expandable distros
	area_ubuntu='/usr/share/easy-rsa'
	# Add more distros here

	# Find and copy data-files, in specific order
	for area in \
		"$area_pwd" \
		"$area_prog" \
		"$area_etc" \
		"$area_ubuntu" \
		# EOL - # Add more distros here
	do
		# Omitting "$vars_file"
		for source in \
			"$vars_file_example" \
			"$ssl_cnf_file" \
			# EOL - Do x509-types separately
		do
			# Find each item
			[ -e "${area}/${source}" ] || continue

			# If the item does not exist in the PKI then copy it.
			if [ -e "${EASYRSA_PKI}/${source}" ]; then
				continue
			else
				copy_data_to_pki "${area}/${source}" || return
			fi
		done

		# Find x509-types
		[ -e "${area}/${x509_types_dir}" ] || continue

		# If x509-types does not exist in the PKI then copy it.
		if [ -e "${EASYRSA_PKI}/${x509_types_dir}" ]; then
			continue
		else
			copy_data_to_pki "${area}/${x509_types_dir}" recurse || return
		fi
	done

	# Check PKI is updated - Omit 'vars' and example.
	#[ -e "${EASYRSA_PKI}/${vars_file}" ] || return
	#[ -e "${EASYRSA_PKI}/${vars_file_example}" ] || return
	[ -e "${EASYRSA_PKI}/${ssl_cnf_file}" ] || return
	[ -e "${EASYRSA_PKI}/${x509_types_dir}" ] || return

	# Complete or error
	[ -e "$EASYRSA_SAFE_CONF" ] || easyrsa_openssl makesafeconf
} # => install_data_to_pki ()

# Copy the source to the PKI
copy_data_to_pki () {
	cp ${2:+-R} "$1" "$EASYRSA_PKI"
} # => copy_data_to_pki ()

# Disable terminal echo, if possible, otherwise warn
hide_read_pass()
{
	# shellcheck disable=SC2039
	if stty -echo 2>/dev/null; then
		read -r "$@"
		stty echo
	elif (set +o echo 2>/dev/null); then
		set +o echo
		read -r "$@"
		set -o echo
	elif (echo | read -r -s 2>/dev/null) ; then
		read -r -s "$@"
	else
		warn "Could not disable echo. Password will be shown on screen!"
		read -r "$@"
	fi
} # => hide_read_pass()

# build-ca backend:
build_ca() {
	opts=""
	sub_ca=""
	nopass=""
	crypto="-aes256"
	while [ -n "$1" ]; do
		case "$1" in
			intca) sub_ca=1 ;;
			subca) sub_ca=1 ;;
			nopass) nopass=1 ;;
			*) warn "Ignoring unknown command option: '$1'" ;;
		esac
		shift
	done

	verify_pki_init
	[ "$EASYRSA_ALGO" = "ec" ] && verify_curve_ec
	[ "$EASYRSA_ALGO" = "ed" ] && verify_curve_ed

	# setup for the simpler intermediate CA situation and overwrite with root-CA if needed:
	out_file="$EASYRSA_PKI/reqs/ca.req"
	out_key="$EASYRSA_PKI/private/ca.key"
	if [ ! $sub_ca ]; then
		out_file="$EASYRSA_PKI/ca.crt"
		opts="$opts -x509 -days $EASYRSA_CA_EXPIRE "
	fi

	# Test for existing CA, and complain if already present
	if verify_ca_init test; then
		die "\
Unable to create a CA as you already seem to have one set up.
If you intended to start a new CA, run init-pki first."
	fi
	# If a private key exists here, a intermediate ca was created but not signed.
	# Notify the user and require a signed ca.crt or a init-pki:
	[ -f "$out_key" ] && \
		die "\
A CA private key exists but no ca.crt is found in your PKI dir of:
$EASYRSA_PKI
Refusing to create a new CA keypair as this operation would overwrite your
current CA keypair. If you intended to start a new CA, run init-pki first."

	# create necessary files and dirs:
	err_file="Unable to create necessary PKI files (permissions?)"
	for i in issued certs_by_serial \
		 revoked/certs_by_serial revoked/private_by_serial revoked/reqs_by_serial \
		 renewed/certs_by_serial renewed/private_by_serial renewed/reqs_by_serial;
	do
		mkdir -p "$EASYRSA_PKI/$i" || die "$err_file"
	done
	printf "" > "$EASYRSA_PKI/index.txt" || die "$err_file"
	printf "" > "$EASYRSA_PKI/index.txt.attr" || die "$err_file"
	print "01" > "$EASYRSA_PKI/serial" || die "$err_file"

	# Default CN only when not in global EASYRSA_BATCH mode:
	# shellcheck disable=SC2015
	[ "$EASYRSA_BATCH" ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA"

	out_key_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
	out_file_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
	# Get password from user if necessary
	if [ ! $nopass ] && ( [ -z "$EASYRSA_PASSOUT" ] || [ -z "$EASYRSA_PASSIN" ] ); then
		out_key_pass_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
		echo
		printf "Enter New CA Key Passphrase: "
		hide_read_pass kpass
		echo
		printf "Re-Enter New CA Key Passphrase: "
		hide_read_pass kpass2
		echo
		# shellcheck disable=2154
		if [ "$kpass" = "$kpass2" ];
		then
			printf "%s" "$kpass" > "$out_key_pass_tmp"
		else
			die "Passphrases do not match."
		fi
	fi

	# Choose SSL Library version (1 or 3) and build CA
	case "$osslv_major" in # => BEGIN SSL lib version

	# BEGIN SSL V3
	3)
		# If encrypted then create the CA key using AES256 cipher ($crypto)
		# 'genpkey' requires '-pass'
		crypto_opts=""
		if [ ! $nopass ]; then
			crypto_opts="$crypto"
			if [ -z "$EASYRSA_PASSOUT" ]; then
				crypto_opts="$crypto_opts -pass file:$out_key_pass_tmp"
			fi
		fi

		# Generate CA Key - OpenSSL v3 'genpkey' is not compatible
		# with easyrsa $opts and $no_password, do NOT use them here
		# shellcheck disable=SC2086 # Ignore unquoted variables
		case "$EASYRSA_ALGO" in
		rsa)
			# OpenSSL v3: 'genrsa' is deprecate, use 'genpkey'
			easyrsa_openssl genpkey -algorithm "$EASYRSA_ALGO" \
				-out "$out_key_tmp" ${crypto_opts} \
				-pkeyopt rsa_keygen_bits:"$EASYRSA_ALGO_PARAMS" \
				${EASYRSA_PASSOUT:+-pass "$EASYRSA_PASSOUT"} || \
					die "Failed create CA private key"
		;;
		ec)
			easyrsa_openssl genpkey -paramfile "$EASYRSA_ALGO_PARAMS" \
				-out "$out_key_tmp" ${crypto_opts} \
				${EASYRSA_PASSOUT:+-pass "$EASYRSA_PASSOUT"} || \
					die "Failed create CA private key"
		;;
		ed)
			case "$EASYRSA_CURVE" in
			[eE][dD]25519|[eE][dD]448)
				easyrsa_openssl genpkey -algorithm "$EASYRSA_CURVE" \
					-out "$out_key_tmp" ${crypto_opts} \
					${EASYRSA_PASSOUT:+-pass "$EASYRSA_PASSOUT"} || \
						die "Failed create CA private key" ;;
			*)	die "Unknown curve: $EASYRSA_CURVE"
			esac
		;;
		*)
			die "Unknown algorithm: $EASYRSA_ALGO"
		esac

		# Private key encryption password or use no_password
		# 'req' requires '-passin'
		crypto_opts=""
		if [ ! $nopass ] && [ -z "$EASYRSA_PASSIN" ]; then
			crypto_opts="-passin file:$out_key_pass_tmp"
		else
			crypto_opts="$no_password"
		fi

		# create the CA keypair:
		# shellcheck disable=SC2086
		easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \
			-out "$out_file_tmp" ${opts} ${crypto_opts} \
			${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || \
				die "Failed to build the CA"
	;;
	# END SSL V3

	# BEGIN SSL V1 - Includes LibreSSL 2.x
	1|2)
		# If encrypted then create the CA key using AES256 cipher ($crypto)
		crypto_opts=""
		if [ ! $nopass ]; then
			crypto_opts="$crypto"
			if [ -z "$EASYRSA_PASSOUT" ]; then
				if [ "ed" = "$EASYRSA_ALGO" ]; then
					crypto_opts="$crypto_opts -pass file:$out_key_pass_tmp"
				else
					crypto_opts="$crypto_opts -passout file:$out_key_pass_tmp"
				fi
			fi
		fi

		# create the CA key
		#shellcheck disable=SC2086
		case "$EASYRSA_ALGO" in
		rsa)
			"$EASYRSA_OPENSSL" genrsa -out "$out_key_tmp" $crypto_opts \
				${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} \
				"$EASYRSA_ALGO_PARAMS" || \
					die "Failed create CA private key"
		;;
		ec)
			"$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey | \
				"$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts \
					${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} || \
						die "Failed create CA private key"
		;;
		ed)
			case "$EASYRSA_CURVE" in
			[eE][dD]25519|[eE][dD]448)
				"$EASYRSA_OPENSSL" genpkey -algorithm "$EASYRSA_CURVE" \
					-out "$out_key_tmp" $crypto_opts \
					${EASYRSA_PASSOUT:+-pass "$EASYRSA_PASSOUT"} || \
						die "Failed create CA private key" ;;
			*)	die "Unknown curve: $EASYRSA_CURVE"
			esac
		;;
		*)	die "Unknown algorithm: $EASYRSA_ALGO"
		esac

		# create the CA keypair:
		crypto_opts=""
		if [ ! $nopass ] && [ -z "$EASYRSA_PASSIN" ]; then
			crypto_opts="-passin file:$out_key_pass_tmp"
		else
			crypto_opts="$no_password"

		fi

		#shellcheck disable=SC2086
		easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \
			-keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts \
			${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || \
				die "Failed to build the CA"
	;;
	# END SSL V1

	*)	die "build-ca ssl lib: $osslv_major"
	esac # => END SSL lib version

	mv "$out_key_tmp" "$out_key"
	mv "$out_file_tmp" "$out_file"
	[ -f "$out_key_pass_tmp" ] && rm "$out_key_pass_tmp"

	# Success messages
	if [ $sub_ca ]; then
		notice "\
NOTE: Your intermediate CA request is at $out_file
and now must be sent to your parent CA for signing. Place your resulting cert
at $EASYRSA_PKI/ca.crt prior to signing operations.
"
	else	notice "\
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
$out_file
"
	fi
	return 0
} # => build_ca()

# gen-dh backend:
gen_dh() {
	verify_pki_init

	out_file="$EASYRSA_PKI/dh.pem"

	# check to see if we already have a dh parameters file
	if [ -e "$EASYRSA_PKI/dh.pem" ]; then
		if [ "$EASYRSA_BATCH" = "1" ]; then
			# if batch is enabled, die
			die "file $EASYRSA_PKI/dh.pem already exists!"
		else
			# warn the user, give them a chance to force overwrite
			confirm "Overwrite?  " "yes" "*** File $EASYRSA_PKI/dh.pem already exists! ***"
		fi
	fi

	"$EASYRSA_OPENSSL" dhparam -out "$out_file" "$EASYRSA_KEY_SIZE" || \
		die "Failed to build DH params"
	notice "\
DH parameters of size $EASYRSA_KEY_SIZE created at $out_file
"
	return 0
} # => gen_dh()

# gen-req backend:
gen_req() {
	# pull filename base and use as default interactive CommonName:
	[ -n "$1" ] || die "\
Error: gen-req must have a file base as the first argument.
Run easyrsa without commands for usage and commands."
	key_out="$EASYRSA_PKI/private/$1.key"
	req_out="$EASYRSA_PKI/reqs/$1.req"
	[ ! "$EASYRSA_BATCH" ] && EASYRSA_REQ_CN="$1"
	shift

	# Require SSL Lib version for 'nopass' -> $no_password
	verify_pki_init

	# function opts support
	opts=
	while [ -n "$1" ]; do
		case "$1" in
			nopass) opts="$opts $no_password" ;;
			# batch flag supports internal callers needing silent operation
			batch) EASYRSA_BATCH=1 ;;
			*) warn "Ignoring unknown command option: '$1'" ;;
		esac
		shift
	done

	[ "$EASYRSA_ALGO" = "ec" ] && verify_curve_ec
	[ "$EASYRSA_ALGO" = "ed" ] && verify_curve_ed

	# don't wipe out an existing private key without confirmation
	[ -f "$key_out" ] && confirm "Confirm key overwrite: " "yes" "\

WARNING!!!

An existing private key was found at $key_out
Continuing with key generation will replace this key."

	# When EASYRSA_EXTRA_EXTS is defined, append it to openssl's [req] section:
	if [ -n "$EASYRSA_EXTRA_EXTS" ]; then
		# Setup & insert the extra ext data keyed by a magic line
		extra_exts="
req_extensions = req_extra
[ req_extra ]
$EASYRSA_EXTRA_EXTS"
		#shellcheck disable=SC2016
		awkscript='
{if ( match($0, "^#%EXTRA_EXTS%") )
	{ while ( getline<"/dev/stdin" ) {print} next }
 {print}
}'
		conf_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
		print "$extra_exts" | \
			awk "$awkscript" "$EASYRSA_SSL_CONF" \
			> "$conf_tmp" \
			|| die "Copying SSL config to temp file failed"
		# Use this new SSL config for the rest of this function
		EASYRSA_SSL_CONF="$conf_tmp"
	fi

	key_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
	req_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
	# generate request
	[ $EASYRSA_BATCH ] && opts="$opts -batch"
	# shellcheck disable=2086,2148
	algo_opts=""
	if [ "ed" = "$EASYRSA_ALGO" ]; then
		algo_opts="$EASYRSA_CURVE"
	else
		algo_opts="$EASYRSA_ALGO:$EASYRSA_ALGO_PARAMS"
	fi
	easyrsa_openssl req -utf8 -new -newkey "$algo_opts" \
		-keyout "$key_out_tmp" -out "$req_out_tmp" $opts ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} \
		|| die "Failed to generate request"
	mv "$key_out_tmp" "$key_out"
	mv "$req_out_tmp" "$req_out"
	notice "\
Keypair and certificate request completed. Your files are:
req: $req_out
key: $key_out
"
	return 0
} # => gen_req()

# common signing backend
sign_req() {
	crt_type="$1"
	opts=""
	req_in="$EASYRSA_PKI/reqs/$2.req"
	crt_out="$EASYRSA_PKI/issued/$2.crt"

	# Randomize Serial number
	if [ "$EASYRSA_RAND_SN" != "no" ];
	then
		i=""
		serial=""
		check_serial=""
		for i in 1 2 3 4 5; do
			"$EASYRSA_OPENSSL" rand -hex -out "$EASYRSA_PKI/serial" 16
			serial="$(cat "$EASYRSA_PKI/serial")"
			check_serial="$("$EASYRSA_OPENSSL" ca -config "$EASYRSA_SSL_CONF" -status "$serial" 2>&1)"
			case "$check_serial" in
				*"not present in db"*) break ;;
				*) continue ;;
			esac
		done
	fi

	# Support batch by internal caller:
	[ "$3" = "batch" ] && EASYRSA_BATCH=1

	verify_ca_init

	# Check argument sanity:
	[ -n "$2" ] || die "\
Incorrect number of arguments provided to sign-req:
expected 2, got $# (see command help for usage)"

	# Cert type must exist under the EASYRSA_EXT_DIR
	[ -r "$EASYRSA_EXT_DIR/$crt_type" ] || die "\
Unknown cert type '$crt_type'"

	# Request file must exist
	[ -f "$req_in" ] || die "\
No request found for the input: '$2'
Expected to find the request at: $req_in"

	# Confirm input is a cert req
	verify_file req "$req_in" || die "\
The certificate request file is not in a valid X509 request format.
File Path: $req_in"

	# Display the request subject in an easy-to-read format
	# Confirm the user wishes to sign this request
	confirm "Confirm request details: " "yes" "
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a $crt_type certificate for $EASYRSA_CERT_EXPIRE days:

$(display_dn req "$req_in")
"	# => confirm end

	# Generate the extensions file for this cert:
	ext_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
	{
		# Append first any COMMON file (if present) then the cert-type extensions
		cat "$EASYRSA_EXT_DIR/COMMON"
		cat "$EASYRSA_EXT_DIR/$crt_type"
		# copy req extensions
		[ "$EASYRSA_CP_EXT" ] && print "copy_extensions = copy"

		# Support a dynamic CA path length when present:
		[ "$crt_type" = "ca" ] && [ -n "$EASYRSA_SUBCA_LEN" ] && \
			print "basicConstraints = CA:TRUE, pathlen:$EASYRSA_SUBCA_LEN"

		# Deprecated Netscape extension support, if enabled
		if print "$EASYRSA_NS_SUPPORT" | awk_yesno; then
			[ -n "$EASYRSA_NS_COMMENT" ] && \
				print "nsComment = \"$EASYRSA_NS_COMMENT\""
			case "$crt_type" in
				serverClient)	print "nsCertType = serverClient" ;;
				server)		print "nsCertType = server" ;;
				client)		print "nsCertType = client" ;;
				ca)		print "nsCertType = sslCA" ;;
			esac
		fi

		# If type is server and no subjectAltName was requested,
		# add one to the extensions file
		if [ "$crt_type" = 'server' ] || [ "$crt_type" = 'serverClient' ];
		then
			echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName
			if [ $? -ne 0 ];
			then
				san=$(display_san req "$req_in")

				if [ -n "$san" ];
				then
					print "subjectAltName = $san"
				else
					default_server_san "$req_in"
				fi
			fi
		fi

		# Add any advanced extensions supplied by env-var:
		[ -n "$EASYRSA_EXTRA_EXTS" ] && print "$EASYRSA_EXTRA_EXTS"

		: # needed to keep die from inheriting the above test
	} > "$ext_tmp" || die "\
Failed to create temp extension file (bad permissions?) at:
$ext_tmp"

	# sign request
	crt_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
	easyrsa_openssl ca -utf8 -in "$req_in" -out "$crt_out_tmp" \
		-extfile "$ext_tmp" -days "$EASYRSA_CERT_EXPIRE" -batch $opts ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} \
		|| die "signing failed (openssl output above may have more detail)"
	mv "$crt_out_tmp" "$crt_out"
	rm -f "$ext_tmp"
	notice "\
Certificate created at: $crt_out
"
	return 0
} # => sign_req()

# common build backend
# used to generate+sign in 1 step
build_full() {
	verify_ca_init

	# pull filename base:
	[ -n "$2" ] || die "\
Error: didn't find a file base name as the first argument.
Run easyrsa without commands for usage and commands."
	crt_type="$1" name="$2"
	req_out="$EASYRSA_PKI/reqs/$2.req"
	key_out="$EASYRSA_PKI/private/$2.key"
	crt_out="$EASYRSA_PKI/issued/$2.crt"
	shift 2

	# function opts support
	req_opts=
	while [ -n "$1" ]; do
		case "$1" in
			nopass) req_opts="$req_opts nopass" ;;
			inline) EASYRSA_INLINE=1 ;;
			*) warn "Ignoring unknown command option: '$1'" ;;
		esac
		shift
	done

	# abort on existing req/key/crt files
	err_exists="\
file already exists. Aborting build to avoid overwriting this file.
If you wish to continue, please use a different name or remove the file.
Matching file found at: "
	[ -f "$req_out" ] && die "Request $err_exists $req_out"
	[ -f "$key_out" ] && die "Key $err_exists $key_out"
	[ -f "$crt_out" ] && die "Certificate $err_exists $crt_out"

	# create request
	EASYRSA_REQ_CN="$name"
	#shellcheck disable=SC2086
	gen_req "$name" batch $req_opts

	# Sign it
	( sign_req "$crt_type" "$name" batch ) || {
		rm -f "$req_out" "$key_out"
		die "Failed to sign '$name'"
	}

	# inline it
	if [ $EASYRSA_INLINE ]; then
		inline_creds
	fi
} # => build_full()

# Create inline credentials file for this node
inline_creds ()
{
	[ -f "$EASYRSA_PKI/$EASYRSA_REQ_CN.creds" ] \
	&& die "Inline file exists: $EASYRSA_PKI/$EASYRSA_REQ_CN.creds"
	{
		printf "%s\n" "# $crt_type: $EASYRSA_REQ_CN"
		printf "%s\n" ""
		printf "%s\n" "<ca>"
		cat "$EASYRSA_PKI/ca.crt"
		printf "%s\n" "</ca>"
		printf "%s\n" ""
		printf "%s\n" "<cert>"
		cat "$crt_out"
		printf "%s\n" "</cert>"
		printf "%s\n" ""
		printf "%s\n" "<key>"
		cat "$key_out"
		printf "%s\n" "</key>"
		printf "%s\n" ""
	} > "$EASYRSA_PKI/$EASYRSA_REQ_CN.creds"
} # => inline_creds ()

# revoke backend
revoke() {
	verify_ca_init

	# pull filename base:
	[ -n "$1" ] || die "\
Error: didn't find a file base name as the first argument.
Run easyrsa without commands for usage and command help."
	crt_in="$EASYRSA_PKI/issued/$1.crt"

	opts=""
	if [ "$2" ]; then
		opts="$opts -crl_reason $2"
	fi

	verify_file x509 "$crt_in" || die "\
Unable to revoke as the input file is not a valid certificate. Unexpected
input in file: $crt_in"

	# confirm operation by displaying DN:
	confirm "Continue with revocation: " "yes" "
Please confirm you wish to revoke the certificate with the following subject:

$(display_dn x509 "$crt_in")
"	# => confirm end

	# referenced cert must exist:
	[ -f "$crt_in" ] || die "\
Unable to revoke as no certificate was found. Certificate was expected
at: $crt_in"

	# shellcheck disable=SC2086
	easyrsa_openssl ca -utf8 -revoke "$crt_in" ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} $opts || die "\
Failed to revoke certificate: revocation command failed."

	# move revoked files so we can reissue certificates with the same name
	move_revoked "$1"

	notice "\
IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.
"	# => notice end
	return 0
} #= revoke()

# move-revoked
# moves revoked certificates to an alternative folder
# allows reissuing certificates with the same name
move_revoked() {
	verify_ca_init

	[ -n "$1" ] || die "\
Error: didn't find a file base name as the first argument.
Run easyrsa without commands for usage and command help."

	crt_in="$EASYRSA_PKI/issued/$1.crt"
	key_in="$EASYRSA_PKI/private/$1.key"
	req_in="$EASYRSA_PKI/reqs/$1.req"

	verify_file x509 "$crt_in" || die "\
Unable to move revoked input file. The file is not a valid certificate. Unexpected
input in file: $crt_in"

	if [ -e "$req_in" ]
	then
		verify_file req "$req_in" || die "\
Unable to move request. The file is not a valid request. Unexpected
input in file: $req_in"
	fi

	# get the serial number of the certificate -> serial=XXXX
	cert_serial="$(easyrsa_openssl x509 -in "$crt_in" -noout -serial)"
	# remove the serial= part -> we only need the XXXX part
	cert_serial=${cert_serial##*=}

	crt_by_serial="$EASYRSA_PKI/certs_by_serial/$cert_serial.pem"
	crt_by_serial_revoked="$EASYRSA_PKI/revoked/certs_by_serial/$cert_serial.crt"
	key_by_serial_revoked="$EASYRSA_PKI/revoked/private_by_serial/$cert_serial.key"
	req_by_serial_revoked="$EASYRSA_PKI/revoked/reqs_by_serial/$cert_serial.req"

	# make sure revoked dirs exist
	[ -d "$EASYRSA_PKI/revoked" ] || mkdir "$EASYRSA_PKI/revoked"
	[ -d "$EASYRSA_PKI/revoked/certs_by_serial" ] || mkdir "$EASYRSA_PKI/revoked/certs_by_serial"
	[ -d "$EASYRSA_PKI/revoked/private_by_serial" ] || mkdir "$EASYRSA_PKI/revoked/private_by_serial"
	[ -d "$EASYRSA_PKI/revoked/reqs_by_serial" ] || mkdir "$EASYRSA_PKI/revoked/reqs_by_serial"

	# move crt, key and req file to revoked folders
	mv "$crt_in" "$crt_by_serial_revoked"

	# only move the req if we have it
	[ -e "$req_in" ] && mv "$req_in" "$req_by_serial_revoked"

	# only move the key if we have it
	[ -e "$key_in" ] && mv "$key_in" "$key_by_serial_revoked"

	# move the rest of the files (p12, p7, ...)
	for file in "$EASYRSA_PKI/private/$1"\.???
	do
		# get file extension
		file_ext="${file##*.}"

		[ -f "$file" ] && mv "$file" "$EASYRSA_PKI/revoked/private_by_serial/$cert_serial.$file_ext"
	done

	# remove the duplicate certificate in the certs_by_serial folder
	rm "$crt_by_serial"

	return 0

} #= move_revoked()

# renew backend
renew() {
	verify_ca_init

	# pull filename base:
	[ -n "$1" ] || die "\
Error: didn't find a file base name as the first argument.
Run easyrsa without commands for usage and command help."
	crt_in="$EASYRSA_PKI/issued/$1.crt"

	opts=""
	if [ "$2" ]; then
		opts="$2"
	fi

	verify_file x509 "$crt_in" || die "\
Unable to renew as the input file is not a valid certificate. Unexpected
input in file: $crt_in"

	# confirm operation by displaying DN:
	confirm "Continue with renew: " "yes" "
Please confirm you wish to renew the certificate with the following subject:

$(display_dn x509 "$crt_in")
"	# => confirm end

	# referenced cert must exist:
	[ -f "$crt_in" ] || die "\
Unable to renew as no certificate was found. Certificate was expected
at: $crt_in"

	# Check if old cert is expired or expires within 30 days
	expire_date=$(
		easyrsa_openssl x509 -in "$crt_in" -noout -enddate |
		sed 's/^notAfter=//'
		)
		case $(uname 2>/dev/null) in
			"Darwin"|*"BSD")
				expire_date=$(date -j -f '%b %d %T %Y %Z' "$expire_date" +%s)
				allow_renew_date=$(date -j -v"+${EASYRSA_CERT_RENEW}d" +%s)
				;;
			*)
				# This works on Windows, too, since uname doesn't exist and this is catch-all
				expire_date=$(date -d "$expire_date" +%s)
				allow_renew_date=$(date -d "+${EASYRSA_CERT_RENEW}day" +%s)
				;;
		esac

	[ "$expire_date" -lt "$allow_renew_date" ] || die "\
Certificate expires in more than $EASYRSA_CERT_RENEW days.
Renewal not allowed."

	# Extract certificate usage from old cert
	cert_ext_key_usage=$(
		easyrsa_openssl x509 -in "$crt_in" -noout -text |
		sed -n "/X509v3 Extended Key Usage:/{n;s/^ *//g;p;}"
		)
	case $cert_ext_key_usage in
		"TLS Web Client Authentication")
			cert_type=client
			;;
		"TLS Web Server Authentication")
			cert_type=server
			;;
		"TLS Web Server Authentication, TLS Web Client Authentication")
			cert_type=serverClient
			;;
	esac

	# Use SAN from --subject-alt-name if set else use SAN from old cert
	echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName || \
	{
		san=$(
			easyrsa_openssl x509 -in "$crt_in" -noout -text |
			sed -n "/X509v3 Subject Alternative Name:/{n;s/IP Address:/IP:/;s/ //g;p;}"
			)
		[ -n "$san" ] && export EASYRSA_EXTRA_EXTS="\
$EASYRSA_EXTRA_EXTS
subjectAltName = $san"
	}

	# move renewed files so we can reissue certificate with the same name
	# FIXME: Modify revoke() to also work on the renewed certs subdir
	move_renewed "$1"

	# renew certificate
	# shellcheck disable=SC2086
	build_full $cert_type "$1" $opts || die "\
Failed to renew certificate: renew command failed."

	notice "\
IMPORTANT!!!

Renew was successful.
You may want to revoke the old certificate once the new one has been deployed.
"	# => notice end
	return 0
} #= renew()

# move-renewed
# moves renewed certificates to an alternative folder
# allows reissuing certificates with the same name
move_renewed() {
	verify_ca_init

	[ -n "$1" ] || die "\
Error: didn't find a file base name as the first argument.
Run easyrsa without commands for usage and command help."

	crt_in="$EASYRSA_PKI/issued/$1.crt"
	key_in="$EASYRSA_PKI/private/$1.key"
	req_in="$EASYRSA_PKI/reqs/$1.req"

	verify_file x509 "$crt_in" || die "\
Unable to move renewed input file. The file is not a valid certificate. Unexpected
input in file: $crt_in"

	if [ -e "$req_in" ]
	then
		verify_file req "$req_in" || die "\
Unable to move request. The file is not a valid request. Unexpected
input in file: $req_in"
	fi

	# get the serial number of the certificate -> serial=XXXX
	cert_serial="$(easyrsa_openssl x509 -in "$crt_in" -noout -serial)"
	# remove the serial= part -> we only need the XXXX part
	cert_serial=${cert_serial##*=}

	crt_by_serial="$EASYRSA_PKI/certs_by_serial/$cert_serial.pem"
	crt_by_serial_renewed="$EASYRSA_PKI/renewed/certs_by_serial/$cert_serial.crt"
	key_by_serial_renewed="$EASYRSA_PKI/renewed/private_by_serial/$cert_serial.key"
	req_by_serial_renewed="$EASYRSA_PKI/renewed/reqs_by_serial/$cert_serial.req"

	# make sure renewed dirs exist
	[ -d "$EASYRSA_PKI/renewed" ] || mkdir "$EASYRSA_PKI/renewed"
	[ -d "$EASYRSA_PKI/renewed/certs_by_serial" ] || mkdir "$EASYRSA_PKI/renewed/certs_by_serial"
	[ -d "$EASYRSA_PKI/renewed/private_by_serial" ] || mkdir "$EASYRSA_PKI/renewed/private_by_serial"
	[ -d "$EASYRSA_PKI/renewed/reqs_by_serial" ] || mkdir "$EASYRSA_PKI/renewed/reqs_by_serial"

	# move crt, key and req file to renewed folders
	mv "$crt_in" "$crt_by_serial_renewed"

	# only move the req if we have it
	[ -e "$req_in" ] && mv "$req_in" "$req_by_serial_renewed"

	# only move the key if we have it
	[ -e "$key_in" ] && mv "$key_in" "$key_by_serial_renewed"

	# move the rest of the files (p12, p7, ...)
	for file in "$EASYRSA_PKI/private/$1"\.???
	do
		# get file extension
		file_ext="${file##*.}"

		[ -f "$file" ] && mv "$file" "$EASYRSA_PKI/renewed/private_by_serial/$cert_serial.$file_ext"
	done

	# remove the duplicate certificate in the certs_by_serial folder
	rm "$crt_by_serial"

	return 0

} #= move_renewed()

# gen-crl backend
gen_crl() {
	verify_ca_init

	out_file="$EASYRSA_PKI/crl.pem"
	out_file_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
	easyrsa_openssl ca -utf8 -gencrl -out "$out_file_tmp" ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || die "\
CRL Generation failed.
"
	mv "$out_file_tmp" "$out_file"

	notice "\
An updated CRL has been created.
CRL file: $out_file
"
	return 0
} # => gen_crl()

# import-req backend
import_req() {
	verify_pki_init

	# pull passed paths
	in_req="$1" short_name="$2"
	out_req="$EASYRSA_PKI/reqs/$2.req"

	[ -n "$short_name" ] || die "\
Unable to import: incorrect command syntax.
Run easyrsa without commands for usage and command help."

	verify_file req "$in_req" || die "\
The input file does not appear to be a certificate request. Aborting import.
File Path: $in_req"

	# destination must not exist
	[ -f "$out_req" ] && die "\
Unable to import the request as the destination file already exists.
Please choose a different name for your imported request file.
Existing file at: $out_req"

	# now import it
	cp "$in_req" "$out_req"

	notice "\
The request has been successfully imported with a short name of: $short_name
You may now use this name to perform signing operations on this request.
"
	return 0
} # => import_req()

# export pkcs#12 or pkcs#7
export_pkcs() {
	pkcs_type="$1"
	shift

	[ -n "$1" ] || die "\
Unable to export p12: incorrect command syntax.
Run easyrsa without commands for usage and command help."

	short_name="$1"
	crt_in="$EASYRSA_PKI/issued/$1.crt"
	key_in="$EASYRSA_PKI/private/$1.key"
	crt_ca="$EASYRSA_PKI/ca.crt"
	shift

	verify_pki_init

	# opts support
	want_ca=1
	want_key=1
	want_pass=1
	while [ -n "$1" ]; do
		case "$1" in
			noca) want_ca="" ;;
			nokey) want_key="" ;;
			nopass) want_pass="" ;;
			*) warn "Ignoring unknown command option: '$1'" ;;
		esac
		shift
	done

	pkcs_opts=
	pkcs_certfile_path=
	if [ $want_ca ]; then
		verify_file x509 "$crt_ca" || die "\
Unable to include CA cert in the $pkcs_type output (missing file, or use noca option.)
Missing file expected at: $crt_ca"
		pkcs_certfile_path="$crt_ca"
	fi

	# input files must exist
	verify_file x509 "$crt_in" || die "\
Unable to export $pkcs_type for short name '$short_name' without the certificate.
Missing cert expected at: $crt_in"

	case "$pkcs_type" in
	p12)
		pkcs_out="$EASYRSA_PKI/private/$short_name.p12"

		if [ $want_key ]; then
			[ -f "$key_in" ] || die "\
Unable to export p12 for short name '$short_name' without the key
(if you want a p12 without the private key, use nokey option.)
Missing key expected at: $key_in"
		else
			pkcs_opts="-nokeys"
		fi

		# export the p12:
		# shellcheck disable=SC2086
		easyrsa_openssl pkcs12 -in "$crt_in" -inkey "$key_in" -export \
			-out "$pkcs_out" $pkcs_opts ${pkcs_certfile_path:+-certfile "$pkcs_certfile_path"} \
			${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} || die "\
Export of p12 failed: see above for related openssl errors."
	;;
	p7)
		pkcs_out="$EASYRSA_PKI/issued/$short_name.p7b"

		# export the p7:
		# shellcheck disable=SC2086
		easyrsa_openssl crl2pkcs7 -nocrl -certfile "$crt_in" \
			-out "$pkcs_out" ${pkcs_certfile_path:+-certfile "$pkcs_certfile_path"} \
			${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} || die "\
Export of p7 failed: see above for related openssl errors."
	;;
	p8)
		if [ -z $want_pass ]; then
			pkcs_opts="-nocrypt"
		fi
		pkcs_out="$EASYRSA_PKI/private/$short_name.p8"

		# export the p8:
		# shellcheck disable=SC2086
		easyrsa_openssl pkcs8 -in "$key_in" -topk8 \
			-out "$pkcs_out" $pkcs_opts ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} || die "\
Export of p8 failed: see above for related openssl errors."
      ;;
esac

	notice "\
Successful export of $pkcs_type file. Your exported file is at the following
location: $pkcs_out
"
	return 0
} # => export_pkcs()

# set-pass backend
set_pass() {
	verify_pki_init

	# key type, supplied internally from frontend command call (rsa/ec)
	key_type="$1"

	# values supplied by the user:
	raw_file="$2"
	file="$EASYRSA_PKI/private/$raw_file.key"
	[ -n "$raw_file" ] || die "\
Missing argument to 'set-$key_type-pass' command: no name/file supplied.
See help output for usage details."

	# parse command options
	shift 2
	crypto="-aes256"
	while [ -n "$1" ]; do
		case "$1" in
			nopass)	crypto="" ;;
			file)	file="$raw_file" ;;
			*)	warn "Ignoring unknown command option: '$1'" ;;
		esac
		shift
	done

	[ -f "$file" ] || die "\
Missing private key: expected to find the private key component at:
$file"

	notice "\
If the key is currently encrypted you must supply the decryption passphrase.
${crypto:+You will then enter a new PEM passphrase for this key.$NL}"

	out_key_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
	easyrsa_openssl "$key_type" -in "$file" -out "$out_key_tmp" $crypto ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} || die "\
Failed to change the private key passphrase. See above for possible openssl
error messages."

	mv "$out_key_tmp" "$file" || die "\
Failed to change the private key passphrase. See above for error messages."

	notice "Key passphrase successfully changed"

	return 0
} # => set_pass()

# update-db backend
update_db() {
	verify_ca_init

	easyrsa_openssl ca -utf8 -updatedb ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || die "\
Failed to perform update-db: see above for related openssl errors."
	return 0
} # => update_db()

display_san() {
	format="$1" path="$2"

	echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName

	if [ $? -eq 0 ]; then
		print "$(echo "$EASYRSA_EXTRA_EXTS" | grep subjectAltName | sed 's/^\s*subjectAltName\s*=\s*//')"
	else
		san=$(
			"$EASYRSA_OPENSSL" "$format" -in "$path" -noout -text |
			sed -n "/X509v3 Subject Alternative Name:/{n;s/ //g;s/IPAddress:/IP:/g;s/RegisteredID/RID/;p;}"
			)

		[ -n "$san" ] && print "$san"
	fi
}

# display cert DN info on a req/X509, passed by full pathname
display_dn() {
	format="$1" path="$2"
	print "$("$EASYRSA_OPENSSL" "$format" -in "$path" -noout -subject -nameopt multiline)"
	san=$(display_san "$1" "$2")
	if [ -n "$san" ]; then
		print ""
		print "X509v3 Subject Alternative Name:"
		print "    $san"
	fi

} # => display_dn()

# generate default SAN from req/X509, passed by full pathname
default_server_san() {
	path="$1"
	cn=$(
		easyrsa_openssl req -in "$path" -noout -subject -nameopt sep_multiline |
		awk -F'=' '/^  *CN=/{print $2}'
		)
	echo "$cn" | grep -E -q '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$'
	#shellcheck disable=SC2181
	if [ $? -eq 0 ]; then
		print "subjectAltName = IP:$cn"
	else
		print "subjectAltName = DNS:$cn"
	fi
} # => default_server_san()

# verify a file seems to be a valid req/X509
verify_file() {
	format="$1"
	path="$2"
	easyrsa_openssl "$format" -in "$path" -noout 2>/dev/null || return 1
	return 0
} # => verify_file()

# show-* command backend
# Prints req/cert details in a readable format
show() {
	type="$1"
	name="$2"
	in_file=""
	format=""
	[ -n "$name" ] || die "\
Missing expected filename_base argument.
Run easyrsa without commands for usage help."
	shift 2

	# opts support
	opts="-${type}opt no_pubkey,no_sigdump"
	while [ -n "$1" ]; do
		case "$1" in
			full)
				opts=""
				;;
			*)
				warn "Ignoring unknown command option: '$1'"
				;;
		esac
		shift
	done

	# Determine cert/req type
	if [ "$type" = "cert" ]; then
		verify_ca_init
		in_file="$EASYRSA_PKI/issued/${name}.crt"
		format="x509"
	else
		verify_pki_init
		in_file="$EASYRSA_PKI/reqs/${name}.req"
		format="req"
	fi

	# Verify file exists and is of the correct type
	[ -f "$in_file" ] || die "\
No such $type file with a basename of '$name' is present.
Expected to find this file at:
$in_file"
	verify_file $format "$in_file" || die "\
This file is not a valid $type file:
$in_file"

	notice "\
Showing $type details for '$name'.
This file is stored at:
$in_file
"
	easyrsa_openssl $format -in "$in_file" -noout -text\
		-nameopt multiline $opts || die "\
OpenSSL failure to process the input"
} # => show()

# show-ca command backend
# Prints CA cert details in a readable format
show_ca() {
	# opts support
	opts="-certopt no_pubkey,no_sigdump"
	while [ -n "$1" ]; do
		case "$1" in
			full) opts= ;;
			*) warn "Ignoring unknown command option: '$1'" ;;
		esac
		shift
	done

	verify_ca_init
	in_file="$EASYRSA_PKI/ca.crt"
	format="x509"

	# Verify file exists and is of the correct type
	[ -f "$in_file" ] || die "\
No such $type file with a basename of '$name' is present.
Expected to find this file at:
$in_file"
	verify_file $format "$in_file" || die "\
This file is not a valid $type file:
$in_file"

	notice "\
Showing $type details for 'ca'.
This file is stored at:
$in_file
"
	easyrsa_openssl $format -in "$in_file" -noout -text\
		-nameopt multiline $opts || die "\
OpenSSL failure to process the input"
} # => show_ca()

# vars setup
# Here sourcing of 'vars' if present occurs. If not present, defaults are used
# to support running without a sourced config format
vars_setup() {
	# Try to locate a 'vars' file in order of location preference.
	# If one is found, source it
	vars=

	# set up program path
	prog_file="$0"
	prog_file2="$(which -- "$prog_file" 2>/dev/null)" && prog_file="$prog_file2"
	prog_file2="$(readlink -f "$prog_file" 2>/dev/null)" && prog_file="$prog_file2"
	prog_dir="${prog_file%/*}"
	prog_vars="${prog_dir}/vars"
	# set up PKI path
	pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars"

	# command-line path:
	if [ ! -z "$EASYRSA_VARS_FILE" ]; then
	  if [ ! -f "$EASYRSA_VARS_FILE" ]; then
		  # If the --vars option does not point to a file, show helpful error.
			die "The file '$EASYRSA_VARS_FILE' was not found."
		fi
		vars="$EASYRSA_VARS_FILE"
	# PKI location, if present:
	elif [ -f "$pki_vars" ]; then
		vars="$pki_vars"
	# EASYRSA, if defined:
	elif [ -n "$EASYRSA" ] && [ -f "$EASYRSA/vars" ]; then
		vars="$EASYRSA/vars"
	# program location:
	elif [ -f "$prog_vars" ]; then
		vars="$prog_vars"
	fi

	# If a vars file was located, source it
	# If $EASYRSA_NO_VARS is defined (not blank) this is skipped
	if [ -z "$EASYRSA_NO_VARS" ] && [ -n "$vars" ]; then
		if grep -Eq 'EASYRSA_PASSIN|EASYRSA_PASSOUT' "$vars"; then
			die "\
Variable EASYRSA_PASSIN or EASYRSA_PASSOUT has been found in the configuration \
file. Storing sensitive information in the configuration file is not \
recommended - please remove it from there before continuing."
		fi
		#shellcheck disable=SC2034
		EASYRSA_CALLER=1
		# shellcheck disable=SC1090
		. "$vars"
		notice "\
Note: using Easy-RSA configuration from: $vars"
	fi

	# Set defaults, preferring existing env-vars if present
	set_var EASYRSA		"$PWD"
	set_var EASYRSA_OPENSSL	openssl
	set_var EASYRSA_PKI	"$PWD/pki"
	set_var EASYRSA_DN	cn_only
	set_var EASYRSA_REQ_COUNTRY	"US"
	set_var EASYRSA_REQ_PROVINCE	"California"
	set_var EASYRSA_REQ_CITY	"San Francisco"
	set_var EASYRSA_REQ_ORG		"Copyleft Certificate Co"
	set_var EASYRSA_REQ_EMAIL	me@example.net
	set_var EASYRSA_REQ_OU		"My Organizational Unit"
	set_var EASYRSA_ALGO		rsa
	set_var EASYRSA_KEY_SIZE	2048
	set_var EASYRSA_CURVE		secp384r1
	set_var EASYRSA_EC_DIR		"$EASYRSA_PKI/ecparams"
	set_var EASYRSA_CA_EXPIRE	3650
	set_var EASYRSA_CERT_EXPIRE	825 # new default of 36 months
	set_var EASYRSA_CERT_RENEW	30
	set_var EASYRSA_CRL_DAYS	180
	set_var EASYRSA_NS_SUPPORT	no
	set_var EASYRSA_NS_COMMENT	"Easy-RSA (~VER~) Generated Certificate"
	set_var EASYRSA_TEMP_DIR	"$EASYRSA_PKI"
	set_var EASYRSA_REQ_CN		ChangeMe
	set_var EASYRSA_DIGEST		sha256
	set_var EASYRSA_SSL_CONF	"$EASYRSA_PKI/openssl-easyrsa.cnf"
	set_var EASYRSA_SAFE_CONF	"$EASYRSA_PKI/safessl-easyrsa.cnf"
	set_var EASYRSA_KDC_REALM	"CHANGEME.EXAMPLE.COM"

	# EASYRSA_ALGO_PARAMS must be set depending on selected algo
	case "$EASYRSA_ALGO" in
	ec)		EASYRSA_ALGO_PARAMS="$EASYRSA_EC_DIR/${EASYRSA_CURVE}.pem" ;;
	rsa)	EASYRSA_ALGO_PARAMS="${EASYRSA_KEY_SIZE}" ;;
	ed)		: ;; # ok
	*)		die "Alg '$EASYRSA_ALGO' is invalid: must be 'rsa', 'ec' or 'ed' "
	esac

	# Assign value to $EASYRSA_TEMP_DIR_session
	# and work-around Windows mktemp bug when parent dir is missing
	#
	# Bug: When the parent-dir is missing Windows'mktemp -du' fails.
	# The work-around is to create the parent-dir, if it does not exist.
	# The reason it does not exist is because 'init-pki' has not been run.
	# Use the same gaurd against a missing PKI; Only set variables which
	# require a PKI, eg '$EASYRSA_PKI', if there is a PKI !
	#
	# Also, integrate a partial 'init-pki' by using 'install_data_to_pki()'
	#
	if [ -z "$EASYRSA_TEMP_DIR_session" ]; then
		if [ -d "$EASYRSA_TEMP_DIR" ]; then
			EASYRSA_TEMP_DIR_session="$(
					mktemp -du "$EASYRSA_TEMP_DIR/easy-rsa-$$.XXXXXX"
				)"

			# Same as above for the x509-types extensions dir
			if [ -d "$EASYRSA_PKI/x509-types" ]; then
				set_var EASYRSA_EXT_DIR		"$EASYRSA_PKI/x509-types"
			else

			#TODO: This should be removed.  Not really suitable for packaging.
			#set_var EASYRSA_EXT_DIR		"$EASYRSA/x509-types"

			# Hard break from 'old' Easy-RSA, see obsolete comment above.
				# Install data-files into ALL PKIs
				install_data_to_pki || die "Failed to install new required data-dir to PKI."
				set_var EASYRSA_EXT_DIR		"$EASYRSA_PKI/x509-types"
			fi

			# Setting EasyRSA specific OPENSSL_CONF to sanatized safe conf
			if [ -e "$EASYRSA_SAFE_CONF" ]; then
				export OPENSSL_CONF="$EASYRSA_SAFE_CONF"
			else
				# Install data-files into ALL PKIs
				install_data_to_pki || die "Failed to install new required data-files to PKI."
				# EASYRSA_SAFE_CONF is output by
				# 'install_data_to_pki()' via 'easyrsa_openssl() makesafeconf'
				export OPENSSL_CONF="$EASYRSA_SAFE_CONF"
			fi

			# Upgrade to 306: Create $EASYRSA_SSL_CONF if it does not exist
			# but only if $EASYRSA_PKI exists.
			if [ ! -f "$EASYRSA_SSL_CONF" ] && \
				[ -f "$EASYRSA/openssl-easyrsa.cnf" ] && [ -d "$EASYRSA_PKI" ];
			then
				cp "$EASYRSA/openssl-easyrsa.cnf" "$EASYRSA_SSL_CONF"
				easyrsa_openssl makesafeconf
			fi

		else
			# If the directory does not exist then we have not run init-pki
			mkdir -p "$EASYRSA_TEMP_DIR" || \
				die "Cannot create $EASYRSA_TEMP_DIR (permission?)"
			EASYRSA_TEMP_DIR_session="$(
					mktemp -du "$EASYRSA_TEMP_DIR/easy-rsa-$$.XXXXXX"
				)"
			rm -rf "$EASYRSA_TEMP_DIR"
		fi
	fi

} # vars_setup()

# variable assignment by indirection when undefined; merely exports
# the variable when it is already defined (even if currently null)
# Sets $1 as the value contained in $2 and exports (may be blank)
set_var() {
	var=$1
	shift
	value="$*"
	eval "export $var=\"\${$var-$value}\""
} #=> set_var()


############################################################################
# Upgrade v2 PKI to v3 PKI

# You can report problems on the normal openvpn support channels:
# --------------------------------------------------------------------------
#   1. The Openvpn Forum: https://forums.openvpn.net/viewforum.php?f=31
#   2. The #easyrsa IRC channel at libera.chat
#   3. Info: https://community.openvpn.net/openvpn/wiki/easyrsa-upgrade
# --------------------------------------------------------------------------
#

up23_fail_upgrade ()
{
	# Replace die()
	unset EASYRSA_BATCH
	notice "
============================================================================
The update has failed but NOTHING has been lost.

ERROR: $1
----------------------------------------------------------------------------

Further info:
* https://community.openvpn.net/openvpn/wiki/easyrsa-upgrade#ersa-up23-fails

Easyrsa3 upgrade FAILED
============================================================================
"
	exit 9
} #=> up23_fail_upgrade ()

up23_verbose ()
{
	[ "$VERBOSE" ] || return 0
	printf "%s\n" "$1"
} #=> up23_verbose ()

up23_verify_new_pki ()
{
	# Fail now, before any changes are made

	up23_verbose "> Verify DEFAULT NEW PKI does not exist .."
	EASYRSA_NEW_PKI="$EASYRSA/pki"
	[ -d "$EASYRSA_NEW_PKI" ] \
	&& up23_fail_upgrade "DEFAULT NEW PKI exists: $EASYRSA_NEW_PKI"

	up23_verbose "> Verify VERY-SAFE-PKI does not exist .."
	EASYRSA_SAFE_PKI="$EASYRSA/VERY-SAFE-PKI"
	[ -d "$EASYRSA_SAFE_PKI" ] \
	&& up23_fail_upgrade "VERY-SAFE-PKI exists: $EASYRSA_SAFE_PKI"

	up23_verbose "> Verify openssl-easyrsa.cnf does exist .."
	EASYRSA_SSL_CNFFILE="$EASYRSA/openssl-easyrsa.cnf"
	[ -f "$EASYRSA_SSL_CNFFILE" ] \
	|| up23_fail_upgrade "cannot find $EASYRSA_SSL_CNFFILE"

	up23_verbose "> Verify vars.example does exist .."
	EASYRSA_VARSV3_EXMP="$EASYRSA/vars.example"
	[ -f "$EASYRSA_VARSV3_EXMP" ] \
	|| up23_fail_upgrade "cannot find $EASYRSA_VARSV3_EXMP"

	up23_verbose "> OK"
	up23_verbose "  Initial dirs & files are in a workable state."
} #=> up23_verify_new_pki ()

up23_verify_current_pki ()
{
	up23_verbose "> Verify CURRENT PKI vars .."

	# This can probably be improved
	EASYRSA_NO_REM="$(grep '^set ' "$EASYRSA_VER2_VARSFILE")"

	# This list may not be complete
	# Not required: DH_KEY_SIZE PKCS11_MODULE_PATH PKCS11_PIN
	for i in KEY_DIR KEY_SIZE KEY_COUNTRY KEY_PROVINCE \
	KEY_CITY KEY_ORG KEY_EMAIL KEY_CN KEY_NAME KEY_OU
	do
		# Effectively, source the v2 vars file
		UNIQUE="set $i"
		KEY_grep="$(printf "%s\n" "$EASYRSA_NO_REM" | grep "$UNIQUE")"
		KEY_value="${KEY_grep##*=}"
		set_var $i "$KEY_value"
	done

	[ -d "$KEY_DIR" ] || up23_fail_upgrade "Cannot find CURRENT PKI KEY_DIR: $KEY_DIR"

	up23_verbose "> OK"
	up23_verbose "  Current CURRENT PKI vars uses PKI in: $KEY_DIR"
} #=> up23_verify_current_pki ()

up23_verify_current_ca ()
{
	up23_verbose "> Find CA .."
	# $KEY_DIR is assigned in up23_verify_current_pki ()
	[ -f "$KEY_DIR/ca.crt" ] \
	|| up23_fail_upgrade "Cannot find current ca.crt: $KEY_DIR/ca.crt"
	up23_verbose "> OK"

	# If CA is already verified then return
	in_file="$KEY_DIR/ca.crt"
	[ "$CURRENT_CA_IS_VERIFIED" = "$in_file" ] && return 0
	format="x509"

	# Current CA is unverified
	# Extract the current CA details
	CA_SUBJECT="$(easyrsa_openssl $format -in "$in_file" -subject -noout -nameopt multiline)"

	# Extract individual elements
	CA_countryName="$(printf "%s\n" "$CA_SUBJECT" \
	| grep countryName | sed "s\`^.*=\ \`\`g")"
	CA_stateOrProvinceName="$(printf "%s\n" "$CA_SUBJECT" \
	| grep stateOrProvinceName | sed "s\`^.*=\ \`\`g")"
	CA_localityName="$(printf "%s\n" "$CA_SUBJECT" \
	| grep localityName | sed "s\`^.*=\ \`\`g")"
	CA_organizationName="$(printf "%s\n" "$CA_SUBJECT" \
	| grep organizationName | sed "s\`^.*=\ \`\`g")"
	CA_organizationalUnitName="$(printf "%s\n" "$CA_SUBJECT" \
	| grep organizationalUnitName | sed "s\`^.*=\ \`\`g")"
	CA_emailAddress="$(printf "%s\n" "$CA_SUBJECT" \
	| grep emailAddress | sed "s\`^.*=\ \`\`g")"

	# Match the current CA elements to the vars file settings
	CA_vars_match=1
	[ "$CA_countryName" = "$KEY_COUNTRY" ] || CA_vars_match=0
	[ "$CA_stateOrProvinceName" = "$KEY_PROVINCE" ] || CA_vars_match=0
	[ "$CA_localityName" = "$KEY_CITY" ] || CA_vars_match=0
	[ "$CA_organizationName" = "$KEY_ORG" ] || CA_vars_match=0
	[ "$CA_organizationalUnitName" = "$KEY_OU" ] || CA_vars_match=0
	[ "$CA_emailAddress" = "$KEY_EMAIL" ] || CA_vars_match=0

	if [ "$CA_vars_match" -eq 1 ]
	then
		CURRENT_CA_IS_VERIFIED="partially"
	else
		up23_fail_upgrade "CA certificate does not match vars file settings"
	fi

	opts="-certopt no_pubkey,no_sigdump"
	if [ ! "$EASYRSA_BATCH" ]
	then
		up23_show_current_ca
	elif [ "$VERBOSE" ]
	then
		up23_show_current_ca
	fi
	confirm "* Confirm CA shown above is correct: " "yes" \
	"Found current CA at: $KEY_DIR/ca.crt"
	CURRENT_CA_IS_VERIFIED="$in_file"
} #=> up23_verify_current_ca ()

up23_show_current_ca ()
{
	printf "%s\n" "-------------------------------------------------------------------------"
	# $opts is always set here
	# shellcheck disable=SC2086
	easyrsa_openssl $format -in "$in_file" -noout -text\
	-nameopt multiline $opts || die "\
	OpenSSL failure to process the input CA certificate: $in_file"
	printf "%s\n" "-------------------------------------------------------------------------"
} #=> up23_show_current_ca ()

up23_backup_current_pki ()
{
	up23_verbose "> Backup current PKI .."

	mkdir -p "$EASYRSA_SAFE_PKI" \
	|| up23_fail_upgrade "Failed to create safe PKI dir: $EASYRSA_SAFE_PKI"

	cp -r "$KEY_DIR" "$EASYRSA_SAFE_PKI" \
	|| up23_fail_upgrade "Failed to copy $KEY_DIR to $EASYRSA_SAFE_PKI"

	# EASYRSA_VER2_VARSFILE is either version 2 *nix ./vars or Win vars.bat
	cp "$EASYRSA_VER2_VARSFILE" "$EASYRSA_SAFE_PKI" \
	|| up23_fail_upgrade "Failed to copy $EASYRSA_VER2_VARSFILE to EASYRSA_SAFE_PKI"

	up23_verbose "> OK"
	up23_verbose "  Current PKI backup created in: $EASYRSA_SAFE_PKI"
} #=> up23_backup_current_pki ()

up23_create_new_pki ()
{
	# Dirs: renewed and revoked are created when used.
	up23_verbose "> Create NEW PKI .."
	up23_verbose ">> Create NEW PKI dirs .."
	for i in private reqs issued certs_by_serial
	do
		mkdir -p "$EASYRSA_PKI/$i" \
		|| up23_fail_upgrade "Failed to Create NEW PKI dir: $EASYRSA_PKI/$i"
	done
	up23_verbose ">> OK"

	up23_verbose ">> Copy database to NEW PKI .."
	# Failure for these is not optional
	# Files ignored: index.txt.old serial.old
	for i in index.txt serial ca.crt index.txt.attr
	do
		cp "$KEY_DIR/$i" "$EASYRSA_PKI" \
		|| up23_fail_upgrade "Failed to copy $KEY_DIR/$i to $EASYRSA_PKI"
	done
	up23_verbose ">> OK"

	up23_verbose ">> Copy current PKI to NEW PKI .."
	for i in "csr.reqs" "pem.certs_by_serial" "crt.issued" "key.private" \
	"p12.private" "p8.private" "p7b.issued"
	do
		FILE_EXT="${i%%.*}"
		DEST_DIR="${i##*.}"
		if ls "$KEY_DIR/"*".$FILE_EXT" > /dev/null 2>&1; then
			cp "$KEY_DIR/"*".$FILE_EXT" "$EASYRSA_PKI/$DEST_DIR" \
			|| up23_fail_upgrade "Failed to copy .$FILE_EXT"
		else
			up23_verbose "   Note: No .$FILE_EXT files found"
		fi
	done
	up23_verbose ">> OK"
	up23_verbose "> OK"

	# Todo: CRL - Or generate a new CRL on completion
	up23_verbose "  New PKI created in: $EASYRSA_PKI"
} #=> up23_create_new_pki ()

up23_upgrade_ca ()
{
	[ -d "$EASYRSA_PKI" ] || return 0
	up23_verbose "> Confirm that index.txt.attr exists and 'unique_subject = no'"
	if [ -f "$EASYRSA_PKI/index.txt.attr" ]
	then
		if grep -q 'unique_subject = no' "$EASYRSA_PKI/index.txt.attr"
		then
			# If index.txt.attr exists and "unique_suject = no" then do nothing
			return 0
		fi
	else
		# If index.txt.attr does not exists then do nothing
		return 0
	fi

	# Otherwise this is required for all easyrsa v3
	#confirm "Set 'unique_subject = no' in index.txt.attr for your current CA: " \
	#"yes" "This version of easyrsa requires that 'unique_subject = no' is set correctly"

	printf "%s\n" "unique_subject = no" > "$EASYRSA_PKI/index.txt.attr"
	up23_verbose "> OK"
	up23_verbose "  Upgraded index.txt.attr to v306+"
} #=> up23_upgrade_index_txt_attr ()

up23_create_openssl_cnf ()
{
	up23_verbose "> OpenSSL config .."
	EASYRSA_PKI_SSL_CNFFILE="$EASYRSA_PKI/openssl-easyrsa.cnf"
	EASYRSA_PKI_SAFE_CNFFILE="$EASYRSA_PKI/safessl-easyrsa.cnf"
	cp "$EASYRSA_SSL_CNFFILE" "$EASYRSA_PKI_SSL_CNFFILE" \
	|| up23_fail_upgrade "create $EASYRSA_PKI_SSL_CNFFILE"
	up23_verbose "> OK"
	up23_verbose "  New OpenSSL config file created in: $EASYRSA_PKI_SSL_CNFFILE"

	# Create $EASYRSA_PKI/safessl-easyrsa.cnf
	easyrsa_openssl makesafeconf
	if [ -f "$EASYRSA_PKI_SAFE_CNFFILE" ]
	then
		up23_verbose "  New SafeSSL config file created in: $EASYRSA_PKI_SAFE_CNFFILE"
	else
		up23_verbose "  FAILED to create New SafeSSL config file in: $EASYRSA_PKI_SAFE_CNFFILE"
	fi
} #=> up23_create_openssl_cnf ()

up23_move_easyrsa2_programs ()
{
	# These files may not exist here
	up23_verbose "> Move easyrsa2 programs to SAFE PKI .."
	for i in build-ca build-dh build-inter build-key build-key-pass \
	build-key-pkcs12 build-key-server build-req build-req-pass \
	clean-all inherit-inter list-crl pkitool revoke-full sign-req \
	whichopensslcnf build-ca-pass build-key-server-pass init-config \
	make-crl revoke-crt openssl-0.9.6.cnf openssl-0.9.8.cnf \
	openssl-1.0.0.cnf openssl.cnf README.txt index.txt.start \
	vars.bat.sample serial.start
	do
		# Although unlikely, both files could exist
		# EG: ./build-ca and ./build-ca.bat
		NIX_FILE="$EASYRSA/$i"
		WIN_FILE="$EASYRSA/$i.bat"
		if [ -f "$NIX_FILE" ]
		then
			cp "$NIX_FILE" "$EASYRSA_SAFE_PKI" \
			|| up23_fail_upgrade "copy $NIX_FILE $EASYRSA_SAFE_PKI"
		fi

		if [ -f "$WIN_FILE" ]
		then
			cp "$WIN_FILE" "$EASYRSA_SAFE_PKI" \
			|| up23_fail_upgrade "copy $WIN_FILE $EASYRSA_SAFE_PKI"
		fi

		if [ ! -f "$NIX_FILE" ] && [ ! -f "$WIN_FILE" ]
		then
			up23_verbose "File does not exist, ignoring: $i(.bat)"
		fi

	# These files are not removed on TEST run
	[ "$NOSAVE" -eq 1  ] && rm -f "$NIX_FILE" "$WIN_FILE"
	done

	up23_verbose "> OK"
	up23_verbose "  Easyrsa2 programs successfully moved to: $EASYRSA_SAFE_PKI"
} #=> up23_move_easyrsa2_programs ()

up23_build_v3_vars ()
{
	up23_verbose "> Build v3 vars file .."

	EASYRSA_EXT="easyrsa-upgrade-23"
	EASYRSA_VARSV2_TMP="$EASYRSA/vars-v2.tmp.$EASYRSA_EXT"
	rm -f "$EASYRSA_VARSV2_TMP"
	EASYRSA_VARSV3_TMP="$EASYRSA/vars-v3.tmp.$EASYRSA_EXT"
	rm -f "$EASYRSA_VARSV3_TMP"
	EASYRSA_VARSV3_NEW="$EASYRSA/vars-v3.new.$EASYRSA_EXT"
	rm -f "$EASYRSA_VARSV3_NEW"
	EASYRSA_VARSV3_WRN="$EASYRSA/vars-v3.wrn.$EASYRSA_EXT"
	rm -f "$EASYRSA_VARSV3_WRN"

	printf "%s\n" "\
########################++++++++++#########################
###                                                     ###
###  WARNING: THIS FILE WAS AUTOMATICALLY GENERATED     ###
###           ALL SETTINGS ARE AT THE END OF THE FILE   ###
###                                                     ###
########################++++++++++#########################

" > "$EASYRSA_VARSV3_WRN" || up23_fail_upgrade "Failed to create $EASYRSA_VARSV3_WRN"

	# Create vars v3 temp file from sourced vars v2 key variables
	{
		printf "%s\n" "set_var EASYRSA_KEY_SIZE $KEY_SIZE"
		printf "%s\n" "set_var EASYRSA_REQ_COUNTRY \"$KEY_COUNTRY\""
		printf "%s\n" "set_var EASYRSA_REQ_PROVINCE \"$KEY_PROVINCE\""
		printf "%s\n" "set_var EASYRSA_REQ_CITY \"$KEY_CITY\""
		printf "%s\n" "set_var EASYRSA_REQ_ORG \"$KEY_ORG\""
		printf "%s\n" "set_var EASYRSA_REQ_EMAIL \"$KEY_EMAIL\""
		printf "%s\n" "set_var EASYRSA_REQ_OU \"$KEY_OU\""
		printf "%s\n" 'set_var EASYRSA_NS_SUPPORT "yes"'
		printf "%s\n" 'set_var EASYRSA_DN "org"'
		printf "%s\n" 'set_var EASYRSA_RAND_SN "no"'
		printf "%s\n" ""
	} > "$EASYRSA_VARSV3_TMP" \
	|| up23_fail_upgrade "Failed to create $EASYRSA_VARSV3_TMP"

	# cat temp files into new v3 vars
	cat "$EASYRSA_VARSV3_WRN" "$EASYRSA_VARSV3_EXMP" "$EASYRSA_VARSV3_TMP" \
	> "$EASYRSA_VARSV3_NEW" \
	|| up23_fail_upgrade "Failed to create $EASYRSA_VARSV3_NEW"

	# This file must be created and restored at the end of TEST
	# for the REAL update to to succeed
	EASYRSA_VARS_LIVEBKP="$EASYRSA_TARGET_VARSFILE.livebackup"
	cp "$EASYRSA_VER2_VARSFILE" "$EASYRSA_VARS_LIVEBKP" \
	|| up23_fail_upgrade "Failed to create $EASYRSA_VARS_LIVEBKP"
	rm -f "$EASYRSA_VER2_VARSFILE"

	# "$EASYRSA_TARGET_VARSFILE" is always $EASYRSA/vars
	cp "$EASYRSA_VARSV3_NEW" "$EASYRSA_TARGET_VARSFILE" \
	|| up23_fail_upgrade "copy $EASYRSA_VARSV3_NEW to $EASYRSA_TARGET_VARSFILE"

	# Delete temp files
	rm -f "$EASYRSA_VARSV2_TMP" "$EASYRSA_VARSV3_TMP" \
	"$EASYRSA_VARSV3_NEW" "$EASYRSA_VARSV3_WRN"

	up23_verbose "> OK"
	up23_verbose "  New v3 vars file created in: $EASYRSA_TARGET_VARSFILE"
} #=> up23_build_v3_vars ()

up23_do_upgrade_23 ()
{
	up23_verbose "============================================================================"
	up23_verbose "Begin ** $1 ** upgrade process .."
	up23_verbose ""
	up23_verbose "Easyrsa upgrade version: $EASYRSA_UPGRADE_23"
	up23_verbose ""

	up23_verify_new_pki
	up23_verify_current_pki
	up23_verify_current_ca
	up23_backup_current_pki
	up23_create_new_pki
	up23_upgrade_ca
	up23_move_easyrsa2_programs
	up23_build_v3_vars
	up23_create_openssl_cnf

	if [ "$NOSAVE" -eq 0 ]
	then
		# Must stay in this order
		# New created dirs: EASYRSA_NEW_PKI and EASYRSA_SAFE_PKI
		rm -rf "$EASYRSA_NEW_PKI"
		rm -rf "$EASYRSA_SAFE_PKI"
		# EASYRSA_TARGET_VARSFILE is always the new created v3 vars
		# Need to know if this fails
		rm "$EASYRSA_TARGET_VARSFILE" \
		|| up23_fail_upgrade "remove new vars file: $EASYRSA_TARGET_VARSFILE"
		# EASYRSA_VER2_VARSFILE is either v2 *nix ./vars or Win vars.bat
		# Need this dance because v2 vars is same name as v3 vars above
		cp "$EASYRSA_VARS_LIVEBKP" "$EASYRSA_VER2_VARSFILE"
	fi
	rm -f "$EASYRSA_VARS_LIVEBKP"
} #= up23_do_upgrade_23 ()

up23_manage_upgrade_23 ()
{
	EASYRSA_UPGRADE_VERSION="v1.0a (2020/01/08)"
	EASYRSA_UPGRADE_TYPE="$1"
	EASYRSA_FOUND_VARS=0

	# Verify all existing versions of vars/vars.bat
	if [ -f "$vars" ]
	then
		if grep -q 'Complain if a user tries to do this:' "$vars"
		then
			EASYRSA_FOUND_VARS=1
			EASYRSA_VARS_IS_VER3=1
		fi

		# Easyrsa v3 does not use NOR allow use of `export`.
		if grep -q 'export' "$vars"
		then
			EASYRSA_FOUND_VARS=1
			EASYRSA_VARS_IS_VER2=1
			EASYRSA_VER2_VARSFILE="$vars"
			EASYRSA_TARGET_VARSFILE="$vars"
		fi
	fi

	if [ -f "$EASYRSA/vars.bat" ]
	then
		EASYRSA_FOUND_VARS=1
		EASYRSA_VARS_IS_WIN2=1
		EASYRSA_VER2_VARSFILE="$EASYRSA/vars.bat"
		EASYRSA_TARGET_VARSFILE="$EASYRSA/vars"
	fi

	if [ $EASYRSA_FOUND_VARS -ne 1 ];
	then
		die "vars file not found"
	fi

	# Only allow specific vars/vars.bat to exist
	if [ "$EASYRSA_VARS_IS_VER3" ] && [ "$EASYRSA_VARS_IS_VER2" ]
	then
		die "Verify your current vars file, v3 cannot use 'export'."
	fi

	if [ "$EASYRSA_VARS_IS_VER3" ] && [ "$EASYRSA_VARS_IS_WIN2" ]
	then
		die "Verify your current vars/vars.bat file, cannot have both."
	fi

	if [ "$EASYRSA_VARS_IS_VER2" ] && [ "$EASYRSA_VARS_IS_WIN2" ]
	then
		die "Verify your current vars/vars.bat file, cannot have both."
	fi

	# Die on invalid upgrade type or environment
	if [ "$EASYRSA_UPGRADE_TYPE" = "ca" ]
	then
		if [ "$EASYRSA_VARS_IS_VER3" ]
		then
			# v3 ensure index.txt.attr "unique_subject = no"
			up23_upgrade_ca
			unset EASYRSA_BATCH
			notice "Your CA is fully up to date."
			return 0
		else
			die "Only v3 PKI CA can be upgraded."
		fi
	fi

	if [ "$EASYRSA_UPGRADE_TYPE" = "pki" ]
	then
		if [ "$EASYRSA_VARS_IS_VER3" ]
		then
			unset EASYRSA_BATCH
			notice "Your PKI is fully up to date."
			return 0
		fi
	else
		die "upgrade type must be 'pki' or 'ca'."
	fi

	# PKI is potentially suitable for upgrade

	warn "
=========================================================================

                           * WARNING *

Found settings from EasyRSA-v2 which are not compatible with EasyRSA-v3.
Before you can continue, EasyRSA must upgrade your settings and PKI.
* Found EASYRSA and vars file:
  $EASYRSA
  $EASYRSA_VER2_VARSFILE :

Further info:
* https://community.openvpn.net/openvpn/wiki/easyrsa-upgrade

Easyrsa upgrade version: $EASYRSA_UPGRADE_VERSION
=========================================================================
"

# Test upgrade

	NOSAVE=0

	confirm "* EasyRSA **TEST** upgrade (Changes will NOT be written): " "yes" "
This upgrade will TEST that the upgrade works BEFORE making any changes."

	up23_do_upgrade_23 "TEST"

	notice "
=========================================================================

                             * NOTICE *

EasyRSA upgrade **TEST** has successfully completed.
"
# Upgrade for REAL

	NOSAVE=1

	confirm "* EasyRSA **REAL** upgrade (Changes WILL be written): " "yes" "
=========================================================================

                             * WARNING *

Run REAL upgrade: Answer yes (Once completed you will have a version 3 PKI)
Terminate upgrade: Answer no (No changes have been made to your current PKI)
"

	confirm "* Confirm **REAL** upgrade (Changes will be written): " "yes" "
=========================================================================

                          * SECOND WARNING *

This upgrade will permanently write changes to your PKI !
(With full backup backout)
"
	up23_do_upgrade_23 "REAL"

	notice "
=========================================================================

                             * NOTICE *

Your settings and PKI have been successfully upgraded to EasyRSA version3

A backup of your current PKI is here:
  $EASYRSA_SAFE_PKI

                        * IMPORTANT NOTICE *

1. YOU MUST VERIFY THAT YOUR NEW ./vars FILE IS SETUP CORRECTLY
2. IF YOU ARE USING WINDOWS YOU MUST ENSURE THAT openssl IS CORRECTLY DEFINED
   IN ./vars (example follows)

 #
 # This sample is in Windows syntax -- edit it for your path if not using PATH:
 # set_var EASYRSA_OPENSSL   \"C:/Program Files/OpenSSL-Win32/bin/openssl.exe\"
 #
 # Alternate location (Note: Forward slash '/' is correct for Windpws):
 # set_var EASYRSA_OPENSSL   \"C:/Program Files/Openvpn/bin/openssl.exe\"
 #

3. Finally, you can verify that easyrsa works by using these two commands:
    ./easyrsa show-ca (Verify that your CA is intact and correct)
    ./easyrsa gen-crl ((re)-generate a CRL file)

Further info:
* https://community.openvpn.net/openvpn/wiki/easyrsa-upgrade"
          up23_verbose "
                   * UPGRADE COMPLETED SUCCESSFULLY *
"

return 0

} # => up23_manage_upgrade_23 ()

print_version()
{
		cat <<HERE
EasyRSA Version Information
Version:     ~VER~
Generated:   ~DATE~
SSL Lib:     $($EASYRSA_OPENSSL version)
Git Commit:  ~GITHEAD~
Source Repo: https://github.com/OpenVPN/easy-rsa
HERE
		exit 0
} # => print_version ()


########################################
# Invocation entry point:

NL='
'

# Be secure with a restrictive umask
[ -z "$EASYRSA_NO_UMASK" ] && umask ${EASYRSA_UMASK:-077}

# Parse options
while :; do
	# Separate option from value:
	opt="${1%%=*}"
	val="${1#*=}"
	empty_ok="" # Empty values are not allowed unless excepted

	case "$opt" in
	--days)
		export EASYRSA_CERT_EXPIRE="$val"
		export EASYRSA_CA_EXPIRE="$val"
		export EASYRSA_CRL_DAYS="$val"
		;;
	--pki-dir)
		export EASYRSA_PKI="$val" ;;
	--use-algo)
		export EASYRSA_ALGO="$val" ;;
	--keysize)
		export EASYRSA_KEY_SIZE="$val" ;;
	--curve)
		export EASYRSA_CURVE="$val" ;;
	--dn-mode)
		export EASYRSA_DN="$val" ;;
	--req-cn)
		export EASYRSA_REQ_CN="$val" ;;
	--digest)
		export EASYRSA_DIGEST="$val" ;;
	--req-c)
		empty_ok=1
		export EASYRSA_REQ_COUNTRY="$val" ;;
	--req-st)
		empty_ok=1
		export EASYRSA_REQ_PROVINCE="$val" ;;
	--req-city)
		empty_ok=1
		export EASYRSA_REQ_CITY="$val" ;;
	--req-org)
		empty_ok=1
		export EASYRSA_REQ_ORG="$val" ;;
	--req-email)
		empty_ok=1
		export EASYRSA_REQ_EMAIL="$val" ;;
	--req-ou)
		empty_ok=1
		export EASYRSA_REQ_OU="$val" ;;
	--ns-cert)
		export EASYRSA_NS_SUPPORT="$val" ;;
	--ns-comment)
		empty_ok=1
		export EASYRSA_NS_COMMENT="$val" ;;
	--batch)
		empty_ok=1
		export EASYRSA_BATCH=1 ;;
	--passin)
		export EASYRSA_PASSIN="$val";;
	--passout)
		export EASYRSA_PASSOUT="$val";;
	--subca-len)
		export EASYRSA_SUBCA_LEN="$val" ;;
	--vars)
		export EASYRSA_VARS_FILE="$val" ;;
	--copy-ext)
		empty_ok=1
		export EASYRSA_CP_EXT=1 ;;
	--subject-alt-name)
		export EASYRSA_EXTRA_EXTS="\
$EASYRSA_EXTRA_EXTS
subjectAltName = $val" ;;
	--version)
		print_version
		;;
	*)
		break ;;
	esac

	# fatal error when no value was provided
	if [ ! $empty_ok ] && { [ "$val" = "$1" ] || [ -z "$val" ]; }; then
		die "Missing value to option: $opt"
	fi

	shift
done

# Intelligent env-var detection and auto-loading:
vars_setup

# Register cleanup on EXIT
trap "cleanup" EXIT
# When SIGHUP, SIGINT, SIGQUIT, SIGABRT and SIGTERM,
# explicitly exit to signal EXIT (non-bash shells)
trap "exit 1" 1
trap "exit 2" 2
trap "exit 3" 3
trap "exit 6" 6
trap "exit 14" 15

# Upgrade: EasyRSA v2.x to EasyRSA v3.x
# Upgrade: EasyRSA < v3.0.6 to v3.0.6+
#up23_manage_upgrade_23

# determine how we were called, then hand off to the function responsible
cmd="$1"
[ -n "$1" ] && shift # scrape off command
case "$cmd" in
	init-pki|clean-all)
		init_pki "$@"
		;;
	build-ca)
		build_ca "$@"
		;;
	gen-dh)
		gen_dh
		;;
	gen-req)
		gen_req "$@"
		;;
	sign|sign-req)
		sign_req "$@"
		;;
	build-client-full)
		build_full client "$@"
		;;
	build-server-full)
		build_full server "$@"
		;;
	build-serverClient-full)
		build_full serverClient "$@"
		;;
	gen-crl)
		gen_crl
		;;
	revoke)
		revoke "$@"
		;;
	renew)
		renew "$@"
		;;
	import-req)
		import_req "$@"
		;;
	export-p12)
		export_pkcs p12 "$@"
		;;
	export-p7)
		export_pkcs p7 "$@"
		;;
	export-p8)
		export_pkcs p8 "$@"
		;;
	set-rsa-pass)
		set_pass rsa "$@"
		;;
	set-ec-pass)
		set_pass ec "$@"
		;;
	update-db)
		update_db
		;;
	show-req)
		show req "$@"
		;;
	show-cert)
		show cert "$@"
		;;
	show-ca)
		show_ca "$@"
		;;
	upgrade)
		up23_manage_upgrade_23 "$@"
		;;
	""|help|-h|--help|--usage)
		cmd_help "$1"
		exit 0
		;;
	version)
		print_version
		;;
	*)
		die "Unknown command '$cmd'. Run without commands for usage help."
		;;
esac

# vim: ft=sh nu ai sw=8 ts=8 noet