Introduce 'renew-req': Create new CSR for an existing private key #616

Merged
merged 3 commits into from Aug 6, 2022


TinCanTech
Collaborator

EasyRSA 'renew' does not renew a certificate, it builds a new cert/key pair.
This 'old' method thus causes the Entity Private Key to be 'leaked'.

'renew-req' allows the original Entity Private Key to remain ''secure''.

This is achieved by generating a new CSR for the original Entity Private Key,
to be submitted for signing by the CA administrator.

Resolves: #609

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
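
The idea described above, a new CSR generated for a private key that already exists, shown with plain `openssl` commands. This is an added example, not EasyRSA's code or part of this pull request; the helper function names, file names and the subject `/CN=client1` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not EasyRSA code): new CSR for an existing private key.
# File names and the subject /CN=client1 are constructed for the demo.

# SHA-256 of the public key embedded in a CSR.
csr_pubkey_hash() {
    openssl req -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a private key file.
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of a file's bytes, to show the key file is left untouched.
file_hash() {
    openssl dgst -sha256 < "$1" | awk '{print $NF}'
}

# Build a fresh CSR for an EXISTING key: the key is read, never regenerated.
# usage: new_csr_for_key KEY SUBJECT OUT_CSR
new_csr_for_key() {
    openssl req -new -key "$1" -subj "$2" -out "$3" 2>/dev/null
}

# Succeeds only if the CSR's self-signature verifies and its public key
# is the one belonging to KEY. usage: csr_matches_key CSR KEY
csr_matches_key() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    [ "$(csr_pubkey_hash "$1")" = "$(key_pubkey_hash "$2")" ]
}

demo() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/client1.key" 2048 2>/dev/null || return 1
    before=$(file_hash "$d/client1.key")
    new_csr_for_key "$d/client1.key" "/CN=client1" "$d/original.req" || return 1
    new_csr_for_key "$d/client1.key" "/CN=client1" "$d/renewal.req" || return 1
    csr_matches_key "$d/renewal.req" "$d/client1.key" && echo "renewal CSR matches existing key"
    [ "$(csr_pubkey_hash "$d/original.req")" = "$(csr_pubkey_hash "$d/renewal.req")" ] \
        && echo "both CSRs carry the same public key"
    [ "$(file_hash "$d/client1.key")" = "$before" ] && echo "private key file unchanged"
    rm -rf "$d"
}

demo
```

Only the `.req` file has to reach the CA administrator for signing; the key file stays where it was created.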

… key

EasyRSA 'renew' does not renew a certificate, it builds a new cert/key pair.
This 'old' method thus causes the Entity Private Key to be 'leaked'.

'renew-req' allows the original Entity Private Key to remain ''secure''.

This is achieved by generating a new certificate request for the original
Entity Private Key, to be submitted for signing by the CA administrator.

Resolves: OpenVPN#609

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
@TinCanTech
Collaborator Author

Requires OpenVPN/easyrsa-unit-tests#34 for complete test

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Also, verify use of verify_pki_init(), manually.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
@TinCanTech TinCanTech self-assigned this Aug 6, 2022
@TinCanTech TinCanTech added enhancement Major Changes Changes between Major 3.X version numbers - X is Major labels Aug 6, 2022
@TinCanTech TinCanTech added this to the v3.1.1-RC1 milestone Aug 6, 2022
@TinCanTech TinCanTech merged commit 51aa8a8 into OpenVPN:master Aug 6, 2022
TinCanTech added a commit to TinCanTech/easy-rsa that referenced this pull request Sep 9, 2022
Phase-2: OpenVPN#684

Supersedes: OpenVPN#616

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
@TinCanTech TinCanTech mentioned this pull request Sep 9, 2022
@TinCanTech TinCanTech deleted the renew-req branch October 28, 2022 00:13
Development

Successfully merging this pull request may close these issues.

EasyRSA 'renew' does NOT renew, it builds a new certificate *and* key
1 participant