Closed malibata closed 1 month ago
@malibata Which version of EasyRSA are you using?
Easy-RSA version 3.2.0, I believe this change is introduced in this version... I see now on github that it is a development snapshot, but was pulled by Fedora as the latest stable version and installed by dnf upgrade...
Probably NOT removing the key file would be a good idea since you are already not moving the request file because it could be signed again:
--- easyrsa.saved 2024-05-18 14:20:59.000000000 +0200
+++ easyrsa 2024-08-05 13:46:46.301014865 +0200
@@ -3054,14 +3054,11 @@
# do NOT move the req - can be signed again
# move crt to renewed_then_revoked folders
mv "$crt_in" "$crt_out" || die "Failed to move: $crt_in"
- # only move the key if we have it
- if [ -e "$key_in" ]; then
- mv "$key_in" "$key_out" || warn "Failed to move: $key_in"
- fi
+ # do NOT move the key - req can be signed again
# remove any pkcs files
for pkcs in p12 p7b p8 p1; do
if [ -e "$in_dir/issued/$file_name_base.$pkcs" ]; then
# issued
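Review bot: dropping the key move leaves `$key_in` and `$key_out` unreferenced in this region; if they are assigned earlier in the function (not visible in the hunk), those assignments should go as well so the intent is clear and no unused-variable warnings remain. The replacement comment "do NOT move the key - req can be signed again" should also state that the revoked sub-dir now holds only the cert, since any later step that expects the key under the revoked path (the thread mentions revoke-expired and revoke-renewed) will have to look for it in its original location instead; a quick `grep -n key_out easyrsa` over the script finds the remaining uses.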
OK and thanks for testing.
This has been addressed in git/master a.k.a. v3.2.1, in the following way:
revoke will revoke the cert and move .req and .key files to the revoked sub-dir.
expire will only move the cert to the expired sub-dir, allowing the original CSR to be signed again, as in renew but with more flexibility.
renew has been reinstated but is more strict in order that a renewed cert has the same attributes as the original. renew also uses the original .req and .key files, so they are not moved.
If you care to try this then please clone this repo and test it. Otherwise, v3.2.1 is intended for release in early September 2024.
Edit: Inlining files has also been/about to be addressed #1200
The new procedure meant to replace the simple renew command is kind of useless. If you issue the expire command followed by the sign-req command, easyrsa will sign a new certificate but will not generate a new inline file and will leave the old one with the expired certificate... If you then issue the revoke-expired command, it will not remove the request file, so that it can be signed again as it should be, but will remove the private key file, making the request file useless. revoke-renewed does not work anymore because it looks for a certificate in the pki/renewed directory instead of pki/renewed/issued where the files actually are... All this makes the new procedure basically dysfunctional and using something like revoke followed by build-TYPE-full commands, although not as simple as renew, the way to go for now.
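As an added example (not code from this issue or from the easy-rsa project), the following POSIX shell script audits a PKI directory for the two inconsistencies described above: a request file whose private key has been removed (re-signing it produces a certificate nobody holds the key for), and an inline file that still carries an older certificate than the one in issued/ (what expire followed by sign-req leaves behind). It assumes the usual easy-rsa layout (reqs/, private/, issued/, inline/), which is an assumption here, and builds a small constructed sample PKI with placeholder PEM bodies so it can be run offline.

```shell
#!/bin/sh
# Added example, not code from the issue or from the easy-rsa project.
# Assumed layout (standard easy-rsa, but an assumption here):
#   $PKI/reqs/NAME.req  $PKI/private/NAME.key  $PKI/issued/NAME.crt  $PKI/inline/NAME.inline

# Print the PEM certificate block(s) contained in a file.
cert_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Report problems one per line; exit 0 when the PKI is consistent, 1 otherwise.
check_pki_consistency() {
    pki="$1"
    problems=0
    # (1) a request whose private key is gone: re-signing it is pointless
    for req in "$pki"/reqs/*.req; do
        [ -e "$req" ] || continue
        name=$(basename "$req" .req)
        if [ ! -e "$pki/private/$name.key" ]; then
            echo "ORPHAN-REQ: $req has no matching private key in $pki/private"
            problems=$((problems + 1))
        fi
    done
    # (2) an inline file whose certificate differs from the issued one
    for crt in "$pki"/issued/*.crt; do
        [ -e "$crt" ] || continue
        name=$(basename "$crt" .crt)
        inline="$pki/inline/$name.inline"
        [ -e "$inline" ] || continue
        pem=$(cert_pem "$crt")
        if [ -z "$pem" ]; then
            echo "BAD-CERT: $crt contains no PEM certificate block"
            problems=$((problems + 1))
            continue
        fi
        case "$(cat "$inline")" in
            *"$pem"*) ;;   # inline carries the currently issued certificate
            *)
                echo "STALE-INLINE: $inline does not contain the certificate in $crt"
                problems=$((problems + 1))
                ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample PKI with placeholder PEM bodies (not real keys or certificates).
pem() { printf '%s\n' "-----BEGIN $1-----" "$2" "-----END $1-----"; }
make_sample_pki() {
    d=$(mktemp -d)
    mkdir -p "$d/reqs" "$d/private" "$d/issued" "$d/inline"
    # client1: re-signed after expire, but the inline file still holds the old cert
    pem 'CERTIFICATE REQUEST' 'REQ-client1'      > "$d/reqs/client1.req"
    pem 'PRIVATE KEY'         'KEY-client1'      > "$d/private/client1.key"
    pem 'CERTIFICATE'         'CERT-client1-NEW' > "$d/issued/client1.crt"
    { pem 'CERTIFICATE' 'CERT-client1-OLD'; cat "$d/private/client1.key"; } \
        > "$d/inline/client1.inline"
    # client2: key removed by revoke-expired, request left behind; inline is current
    pem 'CERTIFICATE REQUEST' 'REQ-client2'  > "$d/reqs/client2.req"
    pem 'CERTIFICATE'         'CERT-client2' > "$d/issued/client2.crt"
    cat "$d/issued/client2.crt" > "$d/inline/client2.inline"
    echo "$d"
}

# Usage: sh this_script.sh /path/to/pki
if [ $# -gt 0 ]; then
    check_pki_consistency "$1"
fi
```

On the sample PKI the audit reports one ORPHAN-REQ (client2) and one STALE-INLINE (client1) and exits 1; after regenerating the inline file from issued/ and private/ and restoring the key it exits 0. The inline comparison is a plain substring match on the PEM block, so it also flags inline files regenerated from a different certificate than the one currently in issued/.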