OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

Easyrsa "renew" is a misleading name #345

Closed TinCanTech closed 2 years ago

TinCanTech commented 4 years ago

The renew function is misleading because it implies that a certificate can be renewed. This is a falsehood because the original certificate must be revoked and a completely new certificate and key created.

Propose renaming "renew" to rebuild

ecrist commented 4 years ago

While you're technically correct, renew is the term often used by others in the industry, including for Let's Encrypt (as an example). Unless this becomes a real issue, I'm closing for now.

TinCanTech commented 4 years ago

I hereby formally object to closing this issue.

TinCanTech commented 4 years ago

renew is a task whereby there is not a new key. rebuild is a task whereby the entire entity credentials are rebuilt and all associated security considerations are accepted. Lead the herd, don't follow it.

AlD commented 3 years ago

I was about to file the same bug as this one.

In the same vein, I was surprised to find that:

This is counter-intuitive. The functionality I was expecting also seems to be missing. This makes Easy-RSA harder to use than plain OpenSSL tbh.

AlD commented 3 years ago

> While you're technically correct, renew is the term often used by others in the industry, including for Let's Encrypt (as an example). Unless this becomes a real issue, I'm closing for now.

The Let's Encrypt analogy doesn't work imho, because LE also takes care of the private key distribution, which is the hard part.

TinCanTech commented 3 years ago

@AlD I also struggled to comprehend the way renew has been implemented here.

However, after stepping through the real work flow, I realised that the reason the old certificate is not revoked immediately, when easyrsa renews the cert, is because the client still has the old cert in use. This gives the server/PKI admin an indefinite grace period to distribute the new cert.

Unfortunately, if you do renew a cert then easyrsa is no longer capable of revoking that cert because that part of the code has not been written. easyrsa revoke cannot find a renewed certificate because they are renamed to the cert serial and moved to a separate sub-dir. This point should have its own issue.

#419 partially covers this & #105 is partially related.

https://github.com/TinCanTech/easy-tls has some tools to help manage this problem.

AlD commented 3 years ago

Note that I was referring to a much simpler case than what you're describing, in which the certificate has already expired.

I only tried to revoke the expired certificate to unblock sign-req, which was still showing the expired certificate as Valid (presumably because it only checks the state according to index.txt).

This of course also didn't help as revoke also removed the CSR for unclear reasons.

I think strictly speaking all of these are separate bugs. Considering how this bug was received, I won't bother reporting them, though. There seems to be a fundamental difference in understanding of how CAs are usually run.
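The point above, that the CA's view of a certificate comes from index.txt rather than from the certificate's actual dates, is easy to audit. The following is an added example, not easy-rsa's own code: a POSIX shell function that reads an OpenSSL-style index.txt (status, expiry as YYMMDDHHMMSSZ, revocation date, serial, filename, subject, tab-separated) and lists every entry still marked "V" whose expiry is already in the past. The sample index content and the serials/subjects in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of easy-rsa): find index.txt entries the CA still
# treats as Valid ("V") even though their notAfter timestamp has passed.

# Constructed sample index.txt in OpenSSL CA format. Columns (tab-separated):
#   status  expiry(YYMMDDHHMMSSZ)  revocation-date  serial  file  subject
SAMPLE_INDEX=$(printf 'V\t300101000000Z\t\tA1\tunknown\t/CN=client-ok\nV\t200101000000Z\t\tA2\tunknown\t/CN=client-expired\nR\t200101000000Z\t210101000000Z\tA3\tunknown\t/CN=client-revoked\nE\t190101000000Z\t\tA4\tunknown\t/CN=client-marked-expired\n')

# stale_valid_entries INDEX_TEXT NOW
#   INDEX_TEXT: the contents of index.txt
#   NOW:        current UTC time in the same YYMMDDHHMMSSZ form
# Prints "<serial> <subject>" for each row with status V and expiry < NOW.
# The comparison is lexical, which is correct for this fixed-width UTC
# format as long as every year is two-digit (OpenSSL switches to a
# four-digit year for dates from 2050 on; rows like that would need
# normalising first).
stale_valid_entries() {
    printf '%s\n' "$1" | awk -F '\t' -v now="$2" '
        $1 == "V" && $2 < now { print $4, $6 }'
}

# Usage against the sample data with the real clock; on a live CA you would
# pass "$(cat pki/index.txt)" (path assumed, adjust for your layout).
stale_valid_entries "$SAMPLE_INDEX" "$(date -u +%y%m%d%H%M%SZ)"
```

Rows reported here are certificates that sign-req, revoke and similar commands will keep treating as live until something updates index.txt; "openssl ca -updatedb" is the usual way to flip such rows to "E".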

TinCanTech commented 2 years ago

> Unfortunately, if you do renew a cert then easyrsa is no longer capable of revoking that cert because that part of the code has not been written. easyrsa revoke cannot find a renewed certificate because they are renamed to the cert serial and moved to a separate sub-dir. This point should have its own issue.

Needs thorough investigation

xeruf commented 2 months ago

so why is it closed?