Currently, the only commands which support --req-cn are:
build-ca: --req-cn allows changing the default CA commonName
from Easy-RSA CA (or Easy-RSA Sub-CA) to a user defined value.
This is required because the CA certificate is always named pki/ca.crt.
gen-req: --req-cn allows disconnecting the commonName from
file_name_base. This is unnecessary.
In future, Easy-RSA will enforce file_name_base to commonNameparity.
The only exception being the CA certificate, as explained previously.
However, it is suitable for sign-req to use --req-cn.
If a CSR is received with unsuitable details then a CA administrator needs
a way to be able to change those details, when signing the request.
For --dn-mode=cn_only, only the commonName field needs to be changed.
This can be done by using --req-cn=<NEW-CN>, to replace the CSR commonName.
For --dn-mode=org, all the subject fields need to be replaced with the values
defined in the CA certificate. And also change the CSR commonName.
The CSR commonName can be replaced by --req-cn=<NEW-CN> and the other
subject fields can be forced to comply with the CA subject fields, automatically.
Replacing the CSR commonName this way will result in a signed certificate
with a differentfile_name_base to the CSR file name.
However, the file_name_base to signed certificate commonName parity will
be maintained. All signed certificate commonName fields will match the
certificate file_name_base.
Effects use of global option:
--req-cnCurrently, the only commands which support
--req-cnare:build-ca:--req-cnallows changing the default CAcommonNamefromEasy-RSA CA(orEasy-RSA Sub-CA) to a user defined value. This is required because the CA certificate is always namedpki/ca.crt.gen-req:--req-cnallows disconnecting thecommonNamefromfile_name_base. This is unnecessary.In future, Easy-RSA will enforce
file_name_basetocommonNameparity. The only exception being the CA certificate, as explained previously.However, it is suitable for
sign-reqto use--req-cn.If a CSR is received with unsuitable details then a CA administrator needs a way to be able to change those details, when signing the request.
For
--dn-mode=cn_only, only thecommonNamefield needs to be changed. This can be done by using--req-cn=<NEW-CN>, to replace the CSRcommonName.For
--dn-mode=org, all the subject fields need to be replaced with the values defined in the CA certificate. And also change the CSRcommonName.The CSR
commonNamecan be replaced by--req-cn=<NEW-CN>and the other subject fields can be forced to comply with the CA subject fields, automatically.Replacing the CSR
commonNamethis way will result in a signed certificate with a differentfile_name_baseto the CSR file name.However, the
file_name_baseto signed certificatecommonNameparity will be maintained. All signed certificatecommonNamefields will match the certificatefile_name_base.