OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

Add equivalent of `--req-*` but for `sign-req`. #1099

Closed agowa closed 5 months ago

agowa commented 5 months ago

Hi, going to make this a feature request then. I'd like to have a way to overwrite the values within a signing request while signing it. Similar to `--req-*` but while signing.

I.e. a CSR with invalid/missing values is provided and one wants to fix that while signing. This happens very often for e.g. appliances, especially when they're behind a load balancer, as they then often do not have the ability to include the load balancer's FQDN. And some other appliances do not allow the DN to be user-defined and instead always use the same hard-coded one.

From my original ticket (where I thought this was a bug) #1087

> `sign-req` does not honor any Easy-RSA `--req-*` values because they are only valid in a request context, i.e. `gen-req`.

Originally posted by @TinCanTech in https://github.com/OpenVPN/easy-rsa/issues/1087#issuecomment-2021622637

TinCanTech commented 5 months ago

The accepted solution is to create your CSR correctly, in the first place.

Duplicate: #439 #995

agowa commented 5 months ago

That doesn't work with appliances...

In principle I agree, but that doesn't solve the real-world issue of an appliance handing you a CSR and you having to deal with it...

TinCanTech commented 5 months ago

https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Contributing.md