Releases: OpenVPN/easy-rsa


13 Oct 22:34

3.1.7 (2023-10-13)

  • Rewrite vars-auto-detect, adhere to (#1029)
    Under the hood, this is a considerable change but there are no
    user-noticeable differences, with the exception of:
    Caveat: The default '$PWD/pki/vars' file is forbidden to change either
    EASYRSA or EASYRSA_PKI, which are both implied by default.
  • Correct vars-auto-detect hierarchy (#1029)
    Commit: ecd6506
    EASYRSA/vars is moved to a higher priority than a default PKI.
    vars-auto-detect no longer searches 'easyrsa' program directory.
  • gen-crl: preserve existing crl.pem ownership+mode (#1020)
  • New command: make-vars - Print vars.example (here-doc) to stdout (#1024)
  • show-expire: Calculate cert. expire seconds from DB date (#1023)
  • Update OpenSSL to 3.1.2

Full Changelog: v3.1.6...v3.1.7


18 Aug 14:29

Update: Before using v3.1.6, please see this issue #1009

Full Changelog: v3.1.5...v3.1.6


10 Jun 14:03

3.1.5 (2023-06-10)

  • Build Update: script now supports signing and verifying

  • Automate support-file creation (Free packaging) (#964)

  • build-ca: New command option 'raw-ca', abbreviation: 'raw' (#963)

    This 'raw' method is the most reliable way to build a CA
    with a password, without writing the CA password to a temp-file.

This option completely replaces both methods below:

  • build-ca: New option --ca-via-stdin, use SSL -pass* argument 'stdin' (#959)
    Option '--ca-via-stdin' offers no more security than standard method.
    Easy-RSA version 3.1.4 ONLY.

  • build-ca: Replace password temp-files with file-descriptors (#955)
    Using file-descriptors does not work in Windows.
    Easy-RSA version 3.1.3 ONLY.

What's Changed

  • build-ca: New command option 'raw-ca', abbreviation: 'raw' by @TinCanTech in #963
  • Automate support-file creation (Free packaging) by @TinCanTech in #964

Full Changelog: v3.1.4...v3.1.5


24 May 12:07

3.1.4 (2023-05-23)

  • build-ca: New option --ca-via-stdin, use SSL -pass* argument 'stdin' (#959)

  • build-ca: Revert manual CA password method to temp-files (#959)
    Supersedes #955

    Release v3.1.3 was fatally flawed: it would fail to build a CA under Windows.
    Release v3.1.4 is specifically a bugfix ONLY, to resolve the Windows problem.

    See the following commits for further details:
    build-ca: Revert manual CA password method to temp-files
    build-ca: Use OpenSSL password I/O argument 'stdin'
    build-ca: Replace password temp-file method with file-descriptors
    Superseded by 5d7ad13 above.

Full Changelog: v3.1.3...v3.1.4


19 May 12:59

Full Changelog: v3.1.2...v3.1.3


13 Jan 21:59

Full Changelog: v3.1.1...v3.1.2


13 Oct 11:42

2022-10-14 - Signatures were corrupted on upload. Re-uploading verified sigs.

What's Changed

  • Standardise all output for warn(), notice() and message():[New] by @TinCanTech in #574
  • Expand status reports to include checking a single certificate by @TinCanTech in #577
  • Introduce 'rewind-renew' - Recover "guineapig" renewed certificates by @TinCanTech in #579
  • Improve revocation and renewal functions by @TinCanTech in #580
  • Correctly quote 'sed' and auto-escape ampersand by @TinCanTech in #584
  • Auto-escape '&' and '$' in 'org' mode fields - Other minor tweaks by @TinCanTech in #590
  • Remove restrictive 30-day window hindering 'renew' by @TinCanTech in #594
  • Replace cert dates by @TinCanTech in #595
  • Introduce 'serialNumber' field for DN (OID by @TinCanTech in #606
  • Upgrade-23: Assign a secure session for temporary directory by @TinCanTech in #623
  • Introduce 'renew-req': Create new CSR for an existing private key by @TinCanTech in #616
  • Restore files when 'renew' fails during 'build_full()' phase by @TinCanTech in #617
  • Ensure 'pki/renewed/' exist for 'rewind-renew' by @TinCanTech in #618
  • Allow vars file to exist in current directory (Fix make-cadir) by @TinCanTech in #635
  • gen-dh: Use temporary file by @TinCanTech in #636
  • sign--req: Prohibit COMMON as a certificate type by @TinCanTech in #637
  • show: Reorder parameter checks to guard against empty input by @TinCanTech in #639
  • verify_ca_init: Reorder names to improve error message by @TinCanTech in #638
  • Re-enable the use of --vars=file for init-pki by @TinCanTech in #640
  • Expand the possible values of $prog_dir, include full path by @TinCanTech in #641
  • vars_setup(): Always warn about unsupported characters in vars by @TinCanTech in #642
  • renew: Improve notices and input check by @TinCanTech in #645
  • Options: Check that $val is numeric when a number is expected by @TinCanTech in #646
  • Unsupported characters: Correct check and warning message by @TinCanTech in #649
  • sign-req: Enforce X509-type files exist and are used. (#581) by @TinCanTech in #650
  • cleanup: Make "clean line" respect silent, batch and quiet modes by @TinCanTech in #652
  • Overhaul vars detection by @TinCanTech in #655
  • detect_host: Use SSL Library version from EasyRSA version by @TinCanTech in #656
  • Options: Add '-s' to also enable --silent mode. by @TinCanTech in #657
  • Options: Rescind deprecation notice of option --req-cn by @TinCanTech in #660
  • x509-types: Add x509-types location to usage() STATUS by @TinCanTech in #662
  • vars_setup: Correctly locate x509-types for usage() directory STATUS by @TinCanTech in #665
  • x509-types: Reset non-existent x509-types dir set by vars by @TinCanTech in #666
  • fixed typo by @ashutoshojha5 in #670
  • Options: Expand alias '--days' to all suitable options with a period by @TinCanTech in #674
  • Options: Introduce --keep-tmp=NAME; Keep the temporary session data by @TinCanTech in #667
  • Option --req-cn: Restore original behavior from v30x series by @TinCanTech in #682
  • renew-req: Add command option 'nopass' by @TinCanTech in #683
  • Remove renew-req by @TinCanTech in #685
  • Documentation: Add by @TinCanTech in #690
  • X509-types: Always check SSL config file for EasyRSA insert-markers by @TinCanTech in #695
  • Rename 'renew' to 'rebuild' - Introduce 'renew' version 3 by @TinCanTech in #688
  • build-ca: Check x509-types 'ca' and 'COMMON' files exist by @TinCanTech in #697
  • Status Report 'show-renew': Include renewed certs from /cert_by_serial by @TinCanTech in #700
  • Doc-Update: Note that all changes were included with Easy-RSA v3.1.1 by @TinCanTech in #701
  • ChangeLog: Final update for v3.1.1 by @TinCanTech in #702
  • build_full: Remove sign_req() subshell and do full cleanup by @TinCanTech in #705
  • Option --keep-tmp: Append EASYRSA_TEMP_DIR_session random number by @TinCanTech in #711
  • Option --keep-tmp: Reliability improvements by @TinCanTech in #712
  • Opt. --subca-len: basicConstraints CA extension, Append 'pathlen:N' by @TinCanTech in #706
  • Refactor Netscape support by @TinCanTech in #710
  • help: Document supported certificate X509 types by @TinCanTech in #704
  • Remove obsolete command 'renewable' by @TinCanTech in #715
  • Doc: - Update by @TinCanTech in #719
  • init-pki soft: Include delete of revoked and renewed sub-directories by @TinCanTech in #720

Full Changelog: v3.1.0...v3.1.1

EasyRSA 3.1.0

19 May 02:00

This version of EasyRSA introduces OpenSSL 3 (3.0.3). Effectively, v3.1.0 is nearly identical to v3.0.9, but we ship different binaries in the Windows package. @TinCanTech has put a ton of work into support for the new OpenSSL, but there may be bugs. We intend to make big changes early in the v3.1.x branch and only back-port bug fixes to v3.0.x going forward.

Full Changelog: v3.0.9...v3.1.0

Our ChangeLog

3.1.0 (2022-05-18)
   * Introduce basic support for OpenSSL version 3 (#492)
   * Update regex in grep to be POSIX compliant (#556)
   * Introduce status reporting tools (#555 & #557)
   * Display certificates using UTF8 (#551)
   * Allow certificates to be created with fixed date offset (#550)
   * Add 'verify' to verify certificate against CA (#549)
   * Add PKCS#12 alias 'friendlyName' (#544)
   * Disallow use of '--vars=FILE init-pki' (#566)
   * Support multiple IP-Addresses in SAN (#564)
   * Add option '--renew-days=NN', custom renew grace period (#557)
   * Add 'nopass' option to the 'export-pkcs' functions (#411)
   * Add support for 'busybox' (#543)
   * Add option '--tmp-dir=DIR' to declare Temp-dir (Commit f503a22)

EasyRSA 3.0.9

18 May 02:33

** Note: Files here were updated to remove a test pki mistakenly included with the original. There are no functional changes to the release. **

Full Changelog: v3.0.8...v3.0.9


05 May 03:04
v3.0.9-rc1 Pre-release

3.0.9 (2022-05-04)

  • Upgrade OpenSSL from 1.1.0j to 1.1.1o (#405, #407)
    • We are building this ourselves now.
  • Fix --version so it uses EASYRSA_OPENSSL (#416)
  • Use openssl rand instead of non-POSIX mktemp (#478)
  • Fix paths with spaces (#443)
  • Correct OpenSSL version from Homebrew on macOS (#416)
  • Fix revoking a renewed certificate (Original PR #394)
    Follow-up commit: ef22701
  • Introduce 'show-crl' (d199389)
  • Support Windows-Git 'version of bash' (#533)
  • Disallow use of single quote (') in vars file, Warning (#530)
  • Creating a CA uses x509-types/ca and COMMON (#526)
  • Prefer 'PKI/vars' over all other locations (#528)
  • Introduce 'init-pki soft' option (#197)
  • Warnings are no longer silenced by --batch (#523)
  • Improve packaging options (#510)

*** Lots of work by Richard Bonhomme on this release! ***

Full Changelog: v3.0.8...v3.0.9-rc1