Closed bjoern-r closed 8 months ago
@bjoern-r Thanks for this PR.
Unfortunately, I have to decline this for these reasons:
IMHO, Easy-RSA should never support changing a certificate type.
Open to discussion.
I did not think about the side effect of changing the certificate type, but somehow it should be possible to renew a certificate that is a custom type.
Actually, I can re-sign a CSR with a different type with the current implementation when I manually remove the issued/foo.crt and use ./easyrsa sign-req foo newtype.
We also face the same issue if we want to renew a certificate of type kdc.
If easyrsa were to support changing certificate type then it would have to be a new command. Command renew is absolutely the wrong place for such a procedure.
If you want to work on expanding renew, that would be welcome.
Do you have an idea how to detect custom cert types in the current implementation of renew? I just see hardcoded values in the __eku detection switch case.
The renew EKU case switch should be maintained. Expanding the hard-coded types should be possible.
Because this is a PR, I am closing it.
This adds the optional command cert-type to the renew operation. This supports renewing custom certificate types like it is handled in the sign-req command. When no type is specified it will fall back to the automatic detection.