This document explains how the differing versions of Easy-RSA 3 work with Renewal and Revocation of Certificates and Private keys.

Easy-RSA v3.2 no longer supports the `renew` command.

Instead, the process is as follows:

- Command `expire <NAME>` - This will move an existing certificate from `pki/issued` to `pki/expired`, so that a new certificate can be signed using the original request. Generally, renewing is required ONLY when a certificate is due to expire. This means that certificates moved to `pki/expired` are expected to be expired or to expire in the near future.
- Command `sign-req <TYPE> <NAME>` - Sign a new certificate. This allows ALL command line customisations to be used, eg: SAN. (These customisations do not work correctly with the old `renew`.)
- If required, command `revoke-expired` can be used to revoke an expired certificate in the `pki/expired` directory.

This approach also allows certificates which have been edited during `sign-req` to be edited the same way, without the need for excessive and non-standard code. (Note: OpenSSL allows only one way for edits.)
UPDATE: The changes noted for Easy-RSA version 3.1.2 have all been included with Easy-RSA version 3.1.1 - See OpenVPN#688

```
easyrsa renew file-name-base [ cmd-opts ]
```

`renew` is only available since Easy-RSA version 3.0.6.

- `renew` Version 1: Easy-RSA versions 3.0.6, 3.0.7 and 3.0.8.
  - Both certificate and private key are rebuilt.
  - Once a certificate has been renewed it cannot be revoked.
- `renew` Version 2: Easy-RSA versions 3.0.9 and 3.1.0.
  - Both certificate and private key are rebuilt.
  - Once a certificate has been renewed it can be revoked.
  - Use command: `revoke-renewed file-name-base [ reason ]`
- `renew` Version 3: Easy-RSA version 3.1.1+.
  - Only the certificate is renewed.
  - The original `renew` command has been renamed to `rebuild`, which rebuilds both certificate and private key.
`renew` version 1 rebuilds the certificate and private key. Once a certificate has been renewed by version 1, the files are saved in the `renewed/` storage area by `serialNumber`. These files must be recovered by using command:

```
easyrsa rewind-renew serialNumber
```

Command `rewind-renew` is available since Easy-RSA version 3.1.1.

Once `rewind-renew` has recovered the files, the certificate can be revoked:

```
easyrsa revoke-renewed file-name-base [ reason ]
```

`renew` version 2 rebuilds the certificate and private key. A renewed certificate can be revoked:

```
easyrsa revoke-renewed file-name-base [ reason ]
```

`renew` version 3 renews the certificate only. A renewed certificate can be revoked:

```
easyrsa revoke-renewed file-name-base [ reason ]
```

This is the preferred method to renew a certificate because the original private key is still valid.

`renew` version 3 is only available since Easy-RSA version 3.1.1+.
Easy-RSA version 3.1.x also has the following tools to keep track of certificate status:

```
easyrsa [ --days=# ] show-expire [ file-name-base ]
```

`show-expire` shows all certificates which will expire within the given `--days`.

```
easyrsa show-renew [ file-name-base ]
```

`show-renew` shows all certificates which have been renewed, where the old certificate has not been revoked.

```
easyrsa show-revoke [ file-name-base ]
```

`show-revoke` shows all certificates which have been revoked.
The following is an exhaustive list of available `reason` codes:

- `unspecified`
- `keyCompromise`
- `CACompromise`
- `affiliationChanged`
- `superseded`
- `cessationOfOperation`
- `certificateHold`

`reason` must be one of these codes, otherwise it must not be used.
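The v3.2 workflow described above (`expire`, then `sign-req`, then optionally `revoke-expired`) together with the reason-code list, as an added POSIX shell wrapper that is not part of the Easy-RSA project. It assumes `easyrsa` is on the PATH and that `revoke-expired` takes the same `[ reason ]` argument as `revoke-renewed`; the `EASYRSA_BIN` variable is this script's own addition so the command sequence can be dry-run (e.g. `EASYRSA_BIN=echo`) on a machine without a PKI.

```shell
#!/bin/sh
# Added example, not part of Easy-RSA: drive the v3.2 renewal workflow
# (expire -> sign-req -> optional revoke-expired) with a reason-code check.
# EASYRSA_BIN is an assumption of this script, so the sequence can be
# dry-run with EASYRSA_BIN=echo on a machine without a PKI.
EASYRSA_BIN="${EASYRSA_BIN:-easyrsa}"

# valid_reason CODE: succeeds only for the exhaustive reason-code list above.
valid_reason() {
  case "$1" in
    unspecified|keyCompromise|CACompromise|affiliationChanged|\
    superseded|cessationOfOperation|certificateHold) return 0 ;;
    *) return 1 ;;
  esac
}

# renew_cert TYPE NAME [REASON]
#   1. move pki/issued/NAME.crt to pki/expired    (easyrsa expire NAME)
#   2. sign a fresh cert from the original request (easyrsa sign-req TYPE NAME)
#   3. if REASON is given, revoke the old cert now sitting in pki/expired;
#      the "[ reason ]" argument is assumed to match revoke-renewed's syntax.
# The reason code is checked before anything is moved, so a typo cannot
# leave the PKI half-renewed with an unrevoked old certificate.
renew_cert() {
  type="$1"; name="$2"; reason="$3"
  if [ -n "$reason" ] && ! valid_reason "$reason"; then
    echo "renew_cert: unknown reason code '$reason'" >&2
    return 2
  fi
  "$EASYRSA_BIN" expire "$name" || return 1
  "$EASYRSA_BIN" sign-req "$type" "$name" || return 1
  if [ -n "$reason" ]; then
    "$EASYRSA_BIN" revoke-expired "$name" "$reason" || return 1
  fi
}

# Run only when invoked with arguments; sourcing the file just defines the functions.
if [ "$#" -ge 2 ]; then
  renew_cert "$@"
fi
```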
If `rebuild` is used then the output directory of the old certificate, key and request is also the `renewed` directory. Use `revoke-renewed` to revoke an old certificate/key pair which has been rebuilt by command `rebuild`.