sign-req: Allow the CSR DN-field order to be preserved
When signing a request, EasyRSA ALWAYS defaults to the CA defined
Distinguished Name field order, as defined by openssl-easyrsa.cnf
configuration file.

In the unlikely event that a CSR is received with a different DN-field
order, that order can be preserved for the signed certificate.

Command 'sign-req' now has a command option 'preserve' for this.

Additional:

Use of 'preserve = yes' in openssl-easyrsa.cnf has no effect for
EasyRSA.

Testing OpenSSL directly indicates that this option may have no effect
when used in OpenSSL default configuration file openssl.cnf.

Also, OpenSSL documentation for command 'ca', option '-preserveDN'
does NOT infer that this option can be used in the configuration file.

None of which is important to EasyRSA because only foreign CSRs can
have a different DN-field order, so default behavior can remain.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
TinCanTech committed Jun 30, 2023
1 parent 27c5973 commit ec8cbf8
Showing 3 changed files with 22 additions and 1 deletion.
14 changes: 13 additions & 1 deletion easyrsa3/easyrsa
@@ -128,14 +128,16 @@ cmd_help() {
;;
sign|sign-req)
text="
* sign-req <type> <file_name_base>
* sign-req <type> <file_name_base> [ cmd-opts ]

Sign a certificate request of the defined type. <type> must be a known type,
such as: 'client', 'server', 'serverClient', or 'ca' (or a user-added type).
All supported types are listed in the x509-types directory.

This request file must exist in the reqs/ dir and have a .req file
extension. See import-req below for importing reqs from other sources."
opts="
* preserve - When signing a request, 'preserve' the DN-field order of the CSR."
;;
build|build-client-full|build-server-full|build-serverClient-full)
text="
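Review bot: the new `opts` line documents `preserve` without the restriction this same commit states in vars.example ("*Only* effective in --dn-mode=org"); the help text is where an operator will look, so it should carry that caveat, e.g. `* preserve - Sign using the CSR's DN-field order instead of the CA's (only effective in --dn-mode=org).` It would also help to say that without the option the CA's DN-field order from openssl-easyrsa.cnf is applied, which is the default behaviour the commit message describes.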
@@ -2243,6 +2245,15 @@ sign_req() {
Incorrect number of arguments provided to sign-req:
expected 2, got $# (see command help for usage)"

# Check for preserve-dn
if [ "$3" ]; then
case "$3" in
preserve*) export EASYRSA_PRESERVE_DN=1 ;;
*)
warn "Ignoring unknown option '$3'"
esac
fi

# Cert type must exist under the EASYRSA_EXT_DIR
[ -e "$EASYRSA_EXT_DIR/$crt_type" ] || warn "\
Missing X509-type '$crt_type'"
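Review bot: `preserve*)` is a glob, so any third argument that merely begins with `preserve` (`preserved`, `preserve-dn`, `preserveXYZ`) silently enables the option, while a misspelling that does not match only produces a warning and signing continues; an exact `preserve)` pattern keeps the accepted spelling identical to the help text, and the `*)` branch should arguably `die` rather than `warn`, since the operator asked for something the command does not understand. Nothing here checks the DN mode either, although vars.example in this commit says the option is only effective in `--dn-mode=org`; warning when the option is going to be ignored would stop an operator from assuming the CSR order was preserved when it was not.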
@@ -2512,6 +2523,7 @@ $(display_dn req "$req_in")
easyrsa_openssl ca -utf8 -batch \
-in "$req_in" -out "$crt_out_tmp" \
-extfile "$ext_tmp" \
${EASYRSA_PRESERVE_DN:+ -preserveDN} \
${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
${EASYRSA_NO_TEXT:+ -notext} \
${EASYRSA_CERT_EXPIRE:+ -days "$EASYRSA_CERT_EXPIRE"} \
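Review bot: `${EASYRSA_PRESERVE_DN:+ -preserveDN}` adds the flag for any non-empty value, so a `set_var EASYRSA_PRESERVE_DN 0` in vars (the form vars.example in this commit suggests) still passes `-preserveDN` to `openssl ca`; testing for the exact value sign-req exports (`[ "$EASYRSA_PRESERVE_DN" = 1 ]` before the command, or normalising the variable where it is read) would make the vars setting and the command option behave the same way. The leading space inside the expansion matches the neighbouring `-passin` and `-notext` lines, so the formatting is consistent.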
3 changes: 3 additions & 0 deletions easyrsa3/openssl-easyrsa.cnf
@@ -31,6 +31,9 @@ crl_extensions = crl_ext
default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
default_crl_days = $ENV::EASYRSA_CRL_DAYS # how long before next CRL
default_md = $ENV::EASYRSA_DIGEST # use public key default MD

# Note: preserve=no|yes, does nothing for EasyRSA.
# Use sign-req command option 'preserve' instead.
preserve = no # keep passed DN ordering

# This allows to renew certificates which have not been revoked
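Review bot: a configuration key documented as doing nothing is a trap for the next reader; since sign-req now passes `-preserveDN` on the command line and the commit message says `preserve = yes` has no effect for EasyRSA, consider dropping the `preserve = no` line altogether rather than keeping a dead knob with a note, or at least say in the comment that the command-line flag is what takes effect. The commit message only says the key "may" have no effect in OpenSSL's own openssl.cnf, so the comment should stay scoped to EasyRSA, as it is, and not be read as a statement about OpenSSL in general.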
6 changes: 6 additions & 0 deletions easyrsa3/vars.example
@@ -105,6 +105,12 @@ fi
#set_var EASYRSA_REQ_EMAIL "me@example.net"
#set_var EASYRSA_REQ_OU "My Organizational Unit"

# Preserve the Distinguished Name field order
# of the certificate signing request
# *Only* effective in --dn-mode=org
#
#set_var EASYRSA_PRESERVE_DN 1

# Set no password mode - This will create the entire PKI without passwords.
# This can be better managed by choosing which entity private keys should be
# encrypted with the following command line options:
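Review bot: the "*Only* effective in --dn-mode=org" note is documentation only; the sign-req change in this commit exports the variable without checking the DN mode, so this comment is the sole place the restriction exists and nothing enforces it. Setting `EASYRSA_PRESERVE_DN` from vars also makes every subsequent sign-req preserve the CSR order, which differs from the per-invocation `preserve` command option the commit message describes and from its statement that default behaviour remains; the comment should say that this is a persistent setting, and that the variable is tested for being non-empty rather than for the value `1`, so `0` does not disable it.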

0 comments on commit ec8cbf8
