EasyRSA 3.0.9

** Note: Files here were updated to remove a test pki mistakenly included with the original. There are no functional changes to the release. **

What's Changed

• fixed renew filename confusion by @patchhoernchen in #443
• Introduce support for OpenSSL version 3 by @TinCanTech in #492
• small typo fix by @thesteve0 in #463
• Re-arrange "# Signing a request" to fix markdown problem by @TinCanTech in #495
• OpenSSL Configuration: Add required white space separator by @TinCanTech in #496
• Simple maintenance improvements by @a1346054 in #455
• Add possibility to configure umask by @faxm0dem in #460
• Update EasyRSA-Readme.md by @noah-de in #426
• Windows unit test: On error then exit with error by @TinCanTech in #500
• Bugfix/spaces in path by @markus-t314 in #427
• Expand new verify_ssl_lib() to support LibreSSL version 2.x (again) by @TinCanTech in #505
• Add SSL Library version 2 to easyrsa_openssl() by @TinCanTech in #507
• Introduce install_data_to_pki() - Copy data-files to PKI by @TinCanTech in #510
• When initialising a new PKI, create "$EASYRSA_PKI/vars' from example by @TinCanTech in #513
• Improve install_data_to_pki(): Create pki/vars at 'init-pki' by @TinCanTech in #514
• added support to specify open-ssl config file using --ssl-conf command flag by @mxc5178 in #67
• Add notice to 'init-pki': 'vars' file has now moved to PKI above by @TinCanTech in #515
• copy_data_to_pki(): Immediate exit-with-error or 'shift' on success by @TinCanTech in #516
• Add authority information access example by @IPv4v6 in #307
• Fix renew on OpenBSD by @pacija in #418
• Remove obsolete function copy_data_to_pki() by @wiscii in #521
• Make gen_req() Always use EASYRSA_REQ_CN as intended by @TinCanTech in #524
• Remove inline file for revoke and renew by @TinCanTech in #529
• Use x509-types 'ca' and COMMON when building a CA by @TinCanTech in #526
• shellcheck recommendations (Ongoing) by @TinCanTech in #527
• Separate silent-mode from batch-mode - Respect batch-mode by @TinCanTech in #523
• Introduce new vars_setup() regime by @TinCanTech in #528
• Silence cleanup() by @TinCanTech in #534
• Detect Windows and Git-for-Windows bash by @TinCanTech in #533
• Remove EASYRSA_EXTRA_EXTS code injection inside 'sed' script. by @TinCanTech in #535
• Disallow use of single quote (') in vars file by @TinCanTech in #530
• easyrsa_openssl() - Minor syle changes by @TinCanTech in #536
• build_ca() - Quote temporary password file "$out_key_pass_tmp" by @TinCanTech in #537
• Replace non-POSIX mktemp with POSIX mkdir and mv by @TinCanTech in #541
• Make build-ca() almost completely SSL library version independent by @TinCanTech in #542
• added option to set PKCS#12 alias name by @jdelker in #544
• Adds export-p1 command by @nkakouros in #341
• revoke(): Purge unquoted $opts + General improvements by @TinCanTech in #546
• Introduce 'revoke-renewed' by @TinCanTech in #547
• Display certificates in UTF8 by @AndersBlomdell in #551
• Set notBefore/notAfter to the beginning of the year to issuing certificate (v2) by @ValdikSS in #550
• Add 'verify' - SSL Verify certificate against CA by @TinCanTech in #549
• Release/3.0 by @ecrist in #558
• Backport patch for #559 to 3.0 by @ecrist in #563
• Always respect --vars=file by @nkakouros in #562
• Introduce extensible PKI reporting tool framework by @TinCanTech in #557
• Add command for testing which certificates are eligible for renewal by @AndersBlomdell in #555

New Contributors

• @patchhoernchen made their first contribution in #443
• @thesteve0 made their first contribution in #463
• @noah-de made their first contribution in #426
• @markus-t314 made their first contribution in #427
• @mxc5178 made their first contribution in #67
• @pacija made their first contribution in #418
• @wiscii made their first contribution in #521
• @jdelker made their first contribution in #544
• @AndersBlomdell made their first contribution in #551
• @ecrist made their first contribution in #558

Full Changelog: v3.0.8...v3.0.9

v3.0.9-rc1

3.0.9 (2022-05-04)

• Upgrade OpenSSL from 1.1.0j to 1.1.1o (#405, #407)
  • We are buliding this ourselves now.
• Fix --version so it uses EASYRSA_OPENSSL (#416)
• Use openssl rand instead of non-POSIX mktemp (#478)
• Fix paths with spaces (#443)
• Correct OpenSSL version from Homebrew on macOs (#416)
• Fix revoking a renewed certificate (Original PR #394)
  Follow-up commit: ef22701
• Introduce 'show-crl' (d199389)
• Support Windows-Git 'version of bash' (#533)
• Disallow use of single quote (') in vars file, Warning (#530)
• Creating a CA uses x509-types/ca and COMMON (#526)
• Prefer 'PKI/vars' over all other locations (#528)
• Introduce 'init-pki soft' option (#197)
• Warnings are no longer silenced by --batch (#523)
• Improve packaging options (#510)

*** Lots of work by Richard Bonhomme on this release! ***

What's Changed

• fixed renew filename confusion by @patchhoernchen in #443
• Introduce support for OpenSSL version 3 by @TinCanTech in #492
• small typo fix by @thesteve0 in #463
• Re-arrange "# Signing a request" to fix markdown problem by @TinCanTech in #495
• OpenSSL Configuration: Add required white space separator by @TinCanTech in #496
• Simple maintenance improvements by @a1346054 in #455
• Add possibility to configure umask by @faxm0dem in #460
• Update EasyRSA-Readme.md by @noah-de in #426
• Windows unit test: On error then exit with error by @TinCanTech in #500
• Bugfix/spaces in path by @markus-t314 in #427
• Expand new verify_ssl_lib() to support LibreSSL version 2.x (again) by @TinCanTech in #505
• Add SSL Library version 2 to easyrsa_openssl() by @TinCanTech in #507
• Introduce install_data_to_pki() - Copy data-files to PKI by @TinCanTech in #510
• When initialising a new PKI, create "$EASYRSA_PKI/vars' from example by @TinCanTech in #513
• Improve install_data_to_pki(): Create pki/vars at 'init-pki' by @TinCanTech in #514
• added support to specify open-ssl config file using --ssl-conf command flag by @mxc5178 in #67
• Add notice to 'init-pki': 'vars' file has now moved to PKI above by @TinCanTech in #515
• copy_data_to_pki(): Immediate exit-with-error or 'shift' on success by @TinCanTech in #516
• Add authority information access example by @IPv4v6 in #307
• Fix renew on OpenBSD by @pacija in #418
• Remove obsolete function copy_data_to_pki() by @wiscii in #521
• Make gen_req() Always use EASYRSA_REQ_CN as intended by @TinCanTech in #524
• Remove inline file for revoke and renew by @TinCanTech in #529
• Use x509-types 'ca' and COMMON when building a CA by @TinCanTech in #526
• shellcheck recommendations (Ongoing) by @TinCanTech in #527
• Separate silent-mode from batch-mode - Respect batch-mode by @TinCanTech in #523
• Introduce new vars_setup() regime by @TinCanTech in #528
• Silence cleanup() by @TinCanTech in #534
• Detect Windows and Git-for-Windows bash by @TinCanTech in #533
• Remove EASYRSA_EXTRA_EXTS code injection inside 'sed' script. by @TinCanTech in #535
• Disallow use of single quote (') in vars file by @TinCanTech in #530
• easyrsa_openssl() - Minor syle changes by @TinCanTech in #536
• build_ca() - Quote temporary password file "$out_key_pass_tmp" by @TinCanTech in #537
• Replace non-POSIX mktemp with POSIX mkdir and mv by @TinCanTech in #541
• Make build-ca() almost completely SSL library version independent by @TinCanTech in #542
• added option to set PKCS#12 alias name by @jdelker in #544
• Adds export-p1 command by @nkakouros in #341
• revoke(): Purge unquoted $opts + General improvements by @TinCanTech in #546
• Introduce 'revoke-renewed' by @TinCanTech in #547
• Display certificates in UTF8 by @AndersBlomdell in #551
• Set notBefore/notAfter to the beginning of the year to issuing certificate (v2) by @ValdikSS in #550

New Contributors

• @patchhoernchen made their first contribution in #443
• @thesteve0 made their first contribution in #463
• @noah-de made their first contribution in #426
• @markus-t314 made their first contribution in #427
• @mxc5178 made their first contribution in #67
• @pacija made their first contribution in #418
• @wiscii made their first contribution in #521
• @jdelker made their first contribution in #544
• @AndersBlomdell made their first contribution in #551

Full Changelog: v3.0.8...v3.0.9-rc1

EasyRSA 3.0.8

3.0.8 (2020-09-09)

• Provide --version option (#372)
• Version information now within generated certificates like on *nix
• Fixed issue where gen-dh overwrote existing files without warning (#373)
• Fixed issue with ED/EC certificates were still signed by RSA (#374)
• Added support for export-p8 (#339)
• Clarified error message (#384)
• 2->3 upgrade now errors and prints message when vars isn't found (#377)
• Update OpenSSL Windows binaries to 1.1.1g
• Reverted OpenSSL back to 1.1.0j

EasyRSA 3.0.7

3.0.7 (2020-03-30)

• Include OpenSSL libs and binary for Windows 1.1.0j
• Remove RANDFILE environment variable (#261)
• Workaround for bug in win32 mktemp (#247, #305, PR #312)
• Handle IP address in SAN and renewals (#317)
• Workaround for ash and no set -o echo (#319)
• Shore up windows testing framework (#314)
• Provide upgrade mechanism for older versions of EasyRSA (#349)
• Add support for KDC certificates (#322)
• Add support for Edward Curves (#354, #350)
• Add support for EASYRSA_PASSIN and EASYRSA_PASSOUT env vars (#368)
• Add support for RID to SAN (#362)

EasyRSA 3.0.6

3.0.6 (2019-02-01)

• Certifcates that are revoked now move to a revoked subdirectory (#63)
• EasyRSA no longer clobbers non-EASYRSA environment variables (#277)
• More sane string checking, allowingn for commas in CN (#267)
• Support for reasonCode in CRL (#280)
• Better handling for capturing passphrases (#230, others)
• Improved LibreSSL/MacOS support
• Adds support to renew certificates up to 30 days before expiration (#286)
  • This changes previous behavior allowing for certificate creation using
    duplicate CNs.

EasyRSA 3.0.5

3.0.5 (2018-09-15)

• Fix #17 & #58: use AES256 for CA key
• Also, don't use read -s, use stty -echo
• Fix broken "nopass" option
• Add -r to read to stop errors reported by shellcheck (and to behave)
• remove overzealous quotes around $pkcs_opts (more SC errors)
• Support for LibreSSL (now works on latest version of MacOS)
• EasyRSA version will be reported in certificate comments
• Client certificates now expire in 3 year (1080 days) by default

v3.0.4

3.0.4
* Remove use of egrep (#154)
* Integrate with Travis-CI (#165)
* Remove "local" from variable assignment (#165)
* Other changes related to Travis-CI fixes
* Assign values to variables defined previously w/local
* Finally(?) fix the subjectAltName issues I presented earlier (really
fixes #168

v3.0.3

Minor update that includes the mktemp Windows binary.

v3.0.2

Add missing Windows binaries and publish release.

v3.0.1

This release addresses some packaging and documentation issues. With 3.0.0, the binaries needed to run EasyRSA on Windows were missing. Additionally, the documentation was released in a format that wasn't easily readable on that platform (markdown).

Please find updated Unix and Windows packages attached. There are NO functionality changes in this release.