Closed TinCanTech closed 12 months ago
The FINAL stage:

If the `vars` in use is within the PKI then it MUST NOT reassign `EASYRSA_PKI`. Which only affects hard-coded `pki/vars`.

`auto-load` result is as follows:

- If `EASYRSA_VARS_FILE` (`--vars=FILE`) is set then use it and no `auto-load`.

Reminder: `easyrsa` program location is no longer considered a viable place to keep a `vars` file.

- Working directory: `$PWD/vars` is the default.
  - `vars` file is allowed to set the PKI.
- Working directory Default PKI: `$PWD/pki/vars` auto-loaded if `$PWD/vars` does NOT exist.
  - If `vars` changes the `EASYRSA_PKI` then it is a fatal error.
- If `EASYRSA_PKI` (`--pki-dir=DIR`) is set then allow `auto-load`:
  - `$EASYRSA_PKI/vars` (User set PKI directory)
  - `$PWD/vars` (Working directory)
  - `vars` cannot change `EASYRSA_PKI` because it is already set.

This allows `--pki-dir=DIR` to `auto-load` a `vars` file inside the user set PKI.

`vars` with multiple PKI directories

Use `--vars=FILE`:
This will always use ONLY the specified file, which is allowed to set the PKI.

Use `--pki-dir=DIR`:
If no default `vars` file exists then the PKI `vars` file will be used.
This file cannot change the PKI in use.

Thus, for a multiple PKI installation with multiple `vars` files:

- `./pki-home/vars`
- `./pki-work/vars`

The SAFEST use is with `--pki-dir=DIR`, which can then differentiate between the two `vars` files shown.

To use `--vars=FILE` the following setup is required:

- `./vars.pki-home`
- `./vars.pki-work`
- `./pki-home/`
- `./pki-work/`

Use `--vars=vars.pki-home` to set `EASYRSA_PKI` to `pki-home`, etc. This is more prone to user error.

Add this to https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Advanced.md

This refines the automatic loading of a `vars` file.
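
As an added example (not Easy-RSA's own code), the selection rules above written as POSIX shell functions, including the check that a `vars` file inside a PKI has not redirected the PKI. `resolve_vars`, `load_vars`, `VARS_PATH` and `VARS_POLICY` are hypothetical names; preferring `$PWD/vars` over `$EASYRSA_PKI/vars` follows the sentence "If no default `vars` file exists then the PKI `vars` file will be used", and rejecting a reassignment in the `--pki-dir` case is an assumption of this example.

```shell
# Added example, not Easy-RSA code. All function/variable names are hypothetical.
# resolve_vars WORKDIR sets:
#   VARS_PATH    file to load ("" when none applies)
#   VARS_POLICY  may-set-pki : file is allowed to assign EASYRSA_PKI
#                pki-locked  : file must leave EASYRSA_PKI as it is
resolve_vars() {
    wd=$1; VARS_PATH=; VARS_POLICY=
    if [ -n "${EASYRSA_VARS_FILE:-}" ]; then
        # --vars=FILE: use ONLY this file, no auto-load
        VARS_PATH=$EASYRSA_VARS_FILE; VARS_POLICY=may-set-pki
    elif [ -n "${EASYRSA_PKI:-}" ]; then
        # --pki-dir=DIR: the PKI is already chosen, vars cannot change it
        VARS_POLICY=pki-locked
        if [ -f "$wd/vars" ]; then VARS_PATH=$wd/vars
        elif [ -f "$EASYRSA_PKI/vars" ]; then VARS_PATH=$EASYRSA_PKI/vars
        else VARS_POLICY=
        fi
    elif [ -f "$wd/vars" ]; then
        # working-directory default: allowed to set the PKI
        VARS_PATH=$wd/vars; VARS_POLICY=may-set-pki
    elif [ -f "$wd/pki/vars" ]; then
        # default PKI vars: changing EASYRSA_PKI is a fatal error
        VARS_PATH=$wd/pki/vars; VARS_POLICY=pki-locked
    fi
}

# load_vars WORKDIR: source the selected file, then enforce the policy.
# Returns 0 on success (or nothing to load), 1 on a PKI reassignment,
# 2 if the selected file is missing or fails to load.
load_vars() {
    resolve_vars "$1"
    [ -n "$VARS_PATH" ] || return 0
    [ -f "$VARS_PATH" ] || return 2
    expect=${EASYRSA_PKI:-$1/pki}   # PKI in force before the file runs
    . "$VARS_PATH" || return 2
    if [ "$VARS_POLICY" = pki-locked ] &&
       [ "${EASYRSA_PKI:-$expect}" != "$expect" ]; then
        echo "fatal: $VARS_PATH reassigned EASYRSA_PKI to $EASYRSA_PKI" >&2
        return 1
    fi
}
# Usage: EASYRSA_PKI=./pki-home load_vars "$PWD"
```

Because `vars` is sourced as shell, the check runs after the file has executed: it catches a redirected PKI before any key material is touched, but it does not sandbox the file.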