Feature request: Better certificate handling #1085

Closed
gits7r opened this issue Jan 15, 2023 · 5 comments
@gits7r
Contributor

gits7r commented Jan 15, 2023

It would be nice to have the following additional options that will make this script absolutely complete:

  1. When running it for the first time (deploying OpenVPN and settings), among the questions about rsa/ec, dh/ecdh and curve, we should ask before generating the signing request for the CA. This can be done using the var EASYRSA_CA_EXPIRE:

     In how many days should the CA expire?
     (Note: The CA certificate is authenticating the server and client certificates, thus it MUST have a much larger validity period)
     Defaults to 3650 days.

     Here the user will enter 1 for the default or 2 for a custom period.

  2. Before generating the server certificate signing request, we should ask how long it should be valid for. This can be done using the EASYRSA_CERT_EXPIRE var. A message like this should be printed:

     In how many days should the server certificate expire?
     Defaults to 825 days

     Here the user will enter 1 for the default or 2 for a custom period AND if 2, the user MUST not be allowed to enter a period greater than (>) the period selected for the CA certificate before. Return and ask to enter the expiration days again, with a notification that it cannot be greater than the CA, where the CA expires in $ca_days.

Secondly, if the script is run a second time (after OpenVPN has been installed), in addition to

  • Add a client
  • Remove a client
  • Uninstall OpenVPN

We should also have:

  • List all certificates
    Here we will read the contents of /pki and display all the certificates with their respective CN, serial, expiration time, and days that it can be renewed before its expiration (the EASYRSA_CERT_RENEW value that was used at certificate generation time, currently defaults to 90 days).

After we list this information in a table, among Add a client and Remove a client we should also have Renew a certificate (that should also work for the SERVER certificate and for client certificates if they are within their CERT_RENEW time window) and, if selected, ask again for the var EASYRSA_CERT_EXPIRE how much it should be, otherwise fall back to the default.

@gits7r
Contributor Author

gits7r commented Jan 15, 2023

Related #1072 that can be closed in favor of this one. If anyone is willing to do this I will send some beers in BTC.

@angristan
Owner

Would love some nice PRs on this!

angristan pinned this issue Jan 18, 2023

@TinCanTech
Contributor

For the CA: export EASYRSA_CA_EXPIRE=$value
For certs: export EASYRSA_CERT_EXPIRE=$value

Otherwise, use option --days=$value on the command line.
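
The validation requested in the first comment, combined with the two variables named above, as an added example that is not part of the thread or of the project's script. The function names are hypothetical; the defaults (3650 and 825 days) are the ones quoted in the request. Note that the default certificate period must also be checked, since a short custom CA period can be smaller than 825 days.

```shell
#!/bin/sh
# Added example: validate validity periods before exporting them for easy-rsa.
# Function names are hypothetical; defaults are the ones quoted in the issue.
DEFAULT_CA_DAYS=3650
DEFAULT_CERT_DAYS=825

# Succeeds only for a positive decimal integer: no sign, no spaces, no leading zero.
is_valid_days() {
	case "$1" in
		''|0*|*[!0-9]*) return 1 ;;
	esac
	# Cap the length so the later integer comparison cannot overflow.
	[ "${#1}" -le 6 ]
}

# pick_ca_days [requested]: prints the CA validity to use, or fails.
pick_ca_days() {
	days="${1:-$DEFAULT_CA_DAYS}"
	is_valid_days "$days" || { echo "invalid CA validity: $days" >&2; return 1; }
	echo "$days"
}

# pick_cert_days <ca_days> [requested]: prints the certificate validity to use.
# Fails when the value (custom or default) exceeds the CA validity.
pick_cert_days() {
	ca_days="$1"
	days="${2:-$DEFAULT_CERT_DAYS}"
	is_valid_days "$days" || { echo "invalid certificate validity: $days" >&2; return 1; }
	if [ "$days" -gt "$ca_days" ]; then
		echo "cannot be greater than the CA, which expires in $ca_days days" >&2
		return 1
	fi
	echo "$days"
}

# Constructed sample run: custom CA period, default server certificate period.
if ca=$(pick_ca_days 1825) && cert=$(pick_cert_days "$ca"); then
	export EASYRSA_CA_EXPIRE="$ca"
	export EASYRSA_CERT_EXPIRE="$cert"
	echo "EASYRSA_CA_EXPIRE=$EASYRSA_CA_EXPIRE EASYRSA_CERT_EXPIRE=$EASYRSA_CERT_EXPIRE"
fi
```

An interactive installer would call `pick_cert_days` in a loop and ask again on failure, as the request describes.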

@angristan
Owner

There is this PR that partially tackles this: #1060 but it's not mergeable.

angristan unpinned this issue Jan 21, 2023

@angristan
Owner

Closing to keep things in #974

angristan closed this as not planned Jan 22, 2023