build-ca: New command option 'raw-ca', abbreviation: 'raw' #963

Merged
merged 3 commits into from Jun 5, 2023

TinCanTech
Collaborator

This option bypasses the Easy-RSA code to manage the CA password. The result is that the User MUST enter the CA password THREE times. These three inputs are made directly to the SSL binary. Easy-RSA will remain unaware of the CA password.

This is the most reliable way for Easy-RSA to create a CA, with a password, without writing that password to a temp-file.

Equivalent to global option: '--raw-ca'

Usage:

  • Command option: 'easyrsa build-ca raw-ca'
  • Global option: 'easyrsa --raw-ca build-ca'

When specified, in ANY form, 'raw' method ALWAYS takes priority.

This change COMPLETELY removes the '--ca-via-stdin' method (v3.1.4), which did not offer any more security than the standard method.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
@TinCanTech TinCanTech linked an issue Jun 5, 2023 that may be closed by this pull request
@TinCanTech TinCanTech added this to the v3.1.5 milestone Jun 5, 2023
@OpenVPN OpenVPN deleted a comment from ecnoe Jun 5, 2023
@TinCanTech TinCanTech merged commit f4b48ee into OpenVPN:master Jun 5, 2023
3 checks passed
Successfully merging this pull request may close these issues.

Create a CA without using a temp-file for the password