2022-10-14 - Signatures were corrupted on upload. Re-uploading verified sigs.

What's Changed

• Standardise all output for warn(), notice() and message():[New] by @TinCanTech in #574
• Expand status reports to include checking a single certificate by @TinCanTech in #577
• Introduce 'rewind-renew' - Recover "guineapig" renewed certificates by @TinCanTech in #579
• Improve revocation and renewal functions by @TinCanTech in #580
• Correctly quote 'sed' and auto-escape ampersand by @TinCanTech in #584
• Auto-escape '&' and '$' in 'org' mode fields - Other minor tweaks by @TinCanTech in #590
• Remove restrictive 30-day window hindering 'renew' by @TinCanTech in #594
• Replace cert dates by @TinCanTech in #595
• Introduce 'serialNumber' field for DN (OID 2.5.4.5) by @TinCanTech in #606
• Upgrade-23: Assign a secure session for temporary directory by @TinCanTech in #623
• Introduce 'renew-req': Create new CSR for an existing private key by @TinCanTech in #616
• Restore files when 'renew' fails during 'build_full()' phase by @TinCanTech in #617
• Ensure 'pki/renewed/' exist for 'rewind-renew' by @TinCanTech in #618
• Allow vars file to exist in current directory (Fix make-cadir) by @TinCanTech in #635
• gen-dh: Use temporary file by @TinCanTech in #636
• sign--req: Prohibit COMMON as a certificate type by @TinCanTech in #637
• show: Reorder parameter checks to guard against empty input by @TinCanTech in #639
• verify_ca_init: Reorder names to improve error message by @TinCanTech in #638
• Re-enable the use of --vars=file for init-pki by @TinCanTech in #640
• Expand the possible values of $prog_dir, include full path by @TinCanTech in #641
• vars_setup(): Always warn about unsupported characters in vars by @TinCanTech in #642
• renew: Improve notices and input check by @TinCanTech in #645
• Options: Check that $val is numeric when a number is expected by @TinCanTech in #646
• Unsupported characters: Correct check and warning message by @TinCanTech in #649
• sign-req: Enforce X509-type files exist and are used. (#581) by @TinCanTech in #650
• cleanup: Make "clean line" respect silent, batch and quiet modes by @TinCanTech in #652
• Overhaul vars detection by @TinCanTech in #655
• detect_host: Use SSL Library version from EasyRSA version by @TinCanTech in #656
• Options: Add '-s' to also enabe --silent mode. by @TinCanTech in #657
• Options: Rescind deprecation notice of option --req-cn by @TinCanTech in #660
• x509-types: Add x509-types location to usage() STATUS by @TinCanTech in #662
• vars_setup: Correctly locate x509-types for usage() directory STATUS by @TinCanTech in #665
• x509-types: Reset non-existent x509-types dir set by vars by @TinCanTech in #666
• fixed typo by @ashutoshojha5 in #670
• Options: Expand alias '--days' to all suitable options with a period by @TinCanTech in #674
• Options: Introduce --keep-tmp=NAME; Keep the temporary session data by @TinCanTech in #667
• Option --req-cn: Restore original behavior from v30x series by @TinCanTech in #682
• renew-req: Add command option 'nopass' by @TinCanTech in #683
• Remove renew-req by @TinCanTech in #685
• Documentation: Add EasyRSA-Renew-and-Revoke.md by @TinCanTech in #690
• X509-types: Always check SSL config file for EasyRSA insert-markers by @TinCanTech in #695
• Rename 'renew' to 'rebuild' - Introduce 'renew' version 3 by @TinCanTech in #688
• build-ca: Check x509-types 'ca' and 'COMMON' files exist by @TinCanTech in #697
• Status Report 'show-renew': Include renewed certs from /cert_by_serial by @TinCanTech in #700
• Doc-Update: Note that all changes were included with Easy-RSA v3.1.1 by @TinCanTech in #701
• ChangeLog: Final update for v3.1.1 by @TinCanTech in #702
• build_full: Remove sign_req() subshell and do full cleanup by @TinCanTech in #705
• Option --keep-tmp: Append EASYRSA_TEMP_DIR_session random number by @TinCanTech in #711
• Option --keep-tmp: Reliability improvements by @TinCanTech in #712
• Opt. --subca-len: basicConstraints CA extension, Append 'pathlen:N' by @TinCanTech in #706
• Refactor Netscape support by @TinCanTech in #710
• help: Document supported certificate X509 types by @TinCanTech in #704
• Remove obsolete command 'renewable' by @TinCanTech in #715
• Doc: EasyRSA-Contributing.md - Update by @TinCanTech in #719
• init-pki soft: Include delete of revoked and renewed sub-directories by @TinCanTech in #720

New Contributors

• @ashutoshojha5 made their first contribution in #670

Full Changelog: v3.1.0...v3.1.1

NOTICE

This version of EasyRSA introduces OpenSSL 3 (3.0.3). Effectively, v3.1.0 is nearly identical to v3.0.9, but we ship different binaries in the Windows package. @TinCanTech has put a ton of work in to support for the new OpenSSL, but there may be bugs. We intend to make big changes early in the v3.1.x branch and only back-port bug fixes to v3.0.x going forward.

What's Changed

• Add 'verify' - SSL Verify certificate against CA by @TinCanTech in #549
• Release/3.0 by @ecrist in #558
• Backport patch for #559 to 3.0 by @ecrist in #563
• Always respect --vars=file by @nkakouros in #562
• Introduce extensible PKI reporting tool framework by @TinCanTech in #557
• Add command for testing which certificates are eligible for renewal by @AndersBlomdell in #555
• update ChangeLog for v3.0.9 final release by @ecrist in #570
• update python call, remove test pki on build by @ecrist in #575

New Contributors

• @ecrist made their first contribution in #558

Full Changelog: v3.0.9...v3.1.0

Our ChangeLog

3.1.0 (2022-05-18)
   * Introduce basic support for OpenSSL version 3 (#492)
   * Update regex in grep to be POSIX compliant (#556)
   * Introduce status reporting tools (#555 & #557)
   * Display certificates using UTF8 (#551)
   * Allow certificates to be created with fixed date offset (#550)
   * Add 'verify' to verify certificate against CA (#549)
   * Add PKCS#12 alias 'friendlyName' (#544)
   * Disallow use of '--vars=FILE init-pki' (#566)
   * Support multiple IP-Addresses in SAN (#564)
   * Add option '--renew-days=NN', custom renew grace period (#557)
   * Add 'nopass' option to the 'export-pkcs' functions (#411)
   * Add support for 'busybox' (#543)
   * Add option '--tmp-dir=DIR' to declare Temp-dir (Commit f503a22)  

** Note: Files here were updated to remove a test pki mistakenly included with the original. There are no functional changes to the release. **

What's Changed

• fixed renew filename confusion by @patchhoernchen in #443
• Introduce support for OpenSSL version 3 by @TinCanTech in #492
• small typo fix by @thesteve0 in #463
• Re-arrange "# Signing a request" to fix markdown problem by @TinCanTech in #495
• OpenSSL Configuration: Add required white space separator by @TinCanTech in #496
• Simple maintenance improvements by @a1346054 in #455
• Add possibility to configure umask by @faxm0dem in #460
• Update EasyRSA-Readme.md by @noah-de in #426
• Windows unit test: On error then exit with error by @TinCanTech in #500
• Bugfix/spaces in path by @markus-t314 in #427
• Expand new verify_ssl_lib() to support LibreSSL version 2.x (again) by @TinCanTech in #505
• Add SSL Library version 2 to easyrsa_openssl() by @TinCanTech in #507
• Introduce install_data_to_pki() - Copy data-files to PKI by @TinCanTech in #510
• When initialising a new PKI, create "$EASYRSA_PKI/vars' from example by @TinCanTech in #513
• Improve install_data_to_pki(): Create pki/vars at 'init-pki' by @TinCanTech in #514
• added support to specify open-ssl config file using --ssl-conf command flag by @mxc5178 in #67
• Add notice to 'init-pki': 'vars' file has now moved to PKI above by @TinCanTech in #515
• copy_data_to_pki(): Immediate exit-with-error or 'shift' on success by @TinCanTech in #516
• Add authority information access example by @IPv4v6 in #307
• Fix renew on OpenBSD by @pacija in #418
• Remove obsolete function copy_data_to_pki() by @wiscii in #521
• Make gen_req() Always use EASYRSA_REQ_CN as intended by @TinCanTech in #524
• Remove inline file for revoke and renew by @TinCanTech in #529
• Use x509-types 'ca' and COMMON when building a CA by @TinCanTech in #526
• shellcheck recommendations (Ongoing) by @TinCanTech in #527
• Separate silent-mode from batch-mode - Respect batch-mode by @TinCanTech in #523
• Introduce new vars_setup() regime by @TinCanTech in #528
• Silence cleanup() by @TinCanTech in #534
• Detect Windows and Git-for-Windows bash by @TinCanTech in #533
• Remove EASYRSA_EXTRA_EXTS code injection inside 'sed' script. by @TinCanTech in #535
• Disallow use of single quote (') in vars file by @TinCanTech in #530
• easyrsa_openssl() - Minor syle changes by @TinCanTech in #536
• build_ca() - Quote temporary password file "$out_key_pass_tmp" by @TinCanTech in #537
• Replace non-POSIX mktemp with POSIX mkdir and mv by @TinCanTech in #541
• Make build-ca() almost completely SSL library version independent by @TinCanTech in #542
• added option to set PKCS#12 alias name by @jdelker in #544
• Adds export-p1 command by @nkakouros in #341
• revoke(): Purge unquoted $opts + General improvements by @TinCanTech in #546
• Introduce 'revoke-renewed' by @TinCanTech in #547
• Display certificates in UTF8 by @AndersBlomdell in #551
• Set notBefore/notAfter to the beginning of the year to issuing certificate (v2) by @ValdikSS in #550
• Add 'verify' - SSL Verify certificate against CA by @TinCanTech in #549
• Release/3.0 by @ecrist in #558
• Backport patch for #559 to 3.0 by @ecrist in #563
• Always respect --vars=file by @nkakouros in #562
• Introduce extensible PKI reporting tool framework by @TinCanTech in #557
• Add command for testing which certificates are eligible for renewal by @AndersBlomdell in #555

New Contributors

• @patchhoernchen made their first contribution in #443
• @thesteve0 made their first contribution in #463
• @noah-de made their first contribution in #426
• @markus-t314 made their first contribution in #427
• @mxc5178 made their first contribution in #67
• @pacija made their first contribution in #418
• @wiscii made their first contribution in #521
• @jdelker made their first contribution in #544
• @AndersBlomdell made their first contribution in #551
• @ecrist made their first contribution in #558

Full Changelog: v3.0.8...v3.0.9

3.0.9 (2022-05-04)

• Upgrade OpenSSL from 1.1.0j to 1.1.1o (#405, #407)
  • We are buliding this ourselves now.
• Fix --version so it uses EASYRSA_OPENSSL (#416)
• Use openssl rand instead of non-POSIX mktemp (#478)
• Fix paths with spaces (#443)
• Correct OpenSSL version from Homebrew on macOs (#416)
• Fix revoking a renewed certificate (Original PR #394)
  Follow-up commit: ef22701
• Introduce 'show-crl' (d199389)
• Support Windows-Git 'version of bash' (#533)
• Disallow use of single quote (') in vars file, Warning (#530)
• Creating a CA uses x509-types/ca and COMMON (#526)
• Prefer 'PKI/vars' over all other locations (#528)
• Introduce 'init-pki soft' option (#197)
• Warnings are no longer silenced by --batch (#523)
• Improve packaging options (#510)

*** Lots of work by Richard Bonhomme on this release! ***

What's Changed

• fixed renew filename confusion by @patchhoernchen in #443
• Introduce support for OpenSSL version 3 by @TinCanTech in #492
• small typo fix by @thesteve0 in #463
• Re-arrange "# Signing a request" to fix markdown problem by @TinCanTech in #495
• OpenSSL Configuration: Add required white space separator by @TinCanTech in #496
• Simple maintenance improvements by @a1346054 in #455
• Add possibility to configure umask by @faxm0dem in #460
• Update EasyRSA-Readme.md by @noah-de in #426
• Windows unit test: On error then exit with error by @TinCanTech in #500
• Bugfix/spaces in path by @markus-t314 in #427
• Expand new verify_ssl_lib() to support LibreSSL version 2.x (again) by @TinCanTech in #505
• Add SSL Library version 2 to easyrsa_openssl() by @TinCanTech in #507
• Introduce install_data_to_pki() - Copy data-files to PKI by @TinCanTech in #510
• When initialising a new PKI, create "$EASYRSA_PKI/vars' from example by @TinCanTech in #513
• Improve install_data_to_pki(): Create pki/vars at 'init-pki' by @TinCanTech in #514
• added support to specify open-ssl config file using --ssl-conf command flag by @mxc5178 in #67
• Add notice to 'init-pki': 'vars' file has now moved to PKI above by @TinCanTech in #515
• copy_data_to_pki(): Immediate exit-with-error or 'shift' on success by @TinCanTech in #516
• Add authority information access example by @IPv4v6 in #307
• Fix renew on OpenBSD by @pacija in #418
• Remove obsolete function copy_data_to_pki() by @wiscii in #521
• Make gen_req() Always use EASYRSA_REQ_CN as intended by @TinCanTech in #524
• Remove inline file for revoke and renew by @TinCanTech in #529
• Use x509-types 'ca' and COMMON when building a CA by @TinCanTech in #526
• shellcheck recommendations (Ongoing) by @TinCanTech in #527
• Separate silent-mode from batch-mode - Respect batch-mode by @TinCanTech in #523
• Introduce new vars_setup() regime by @TinCanTech in #528
• Silence cleanup() by @TinCanTech in #534
• Detect Windows and Git-for-Windows bash by @TinCanTech in #533
• Remove EASYRSA_EXTRA_EXTS code injection inside 'sed' script. by @TinCanTech in #535
• Disallow use of single quote (') in vars file by @TinCanTech in #530
• easyrsa_openssl() - Minor syle changes by @TinCanTech in #536
• build_ca() - Quote temporary password file "$out_key_pass_tmp" by @TinCanTech in #537
• Replace non-POSIX mktemp with POSIX mkdir and mv by @TinCanTech in #541
• Make build-ca() almost completely SSL library version independent by @TinCanTech in #542
• added option to set PKCS#12 alias name by @jdelker in #544
• Adds export-p1 command by @nkakouros in #341
• revoke(): Purge unquoted $opts + General improvements by @TinCanTech in #546
• Introduce 'revoke-renewed' by @TinCanTech in #547
• Display certificates in UTF8 by @AndersBlomdell in #551
• Set notBefore/notAfter to the beginning of the year to issuing certificate (v2) by @ValdikSS in #550

New Contributors

• @patchhoernchen made their first contribution in #443
• @thesteve0 made their first contribution in #463
• @noah-de made their first contribution in #426
• @markus-t314 made their first contribution in #427
• @mxc5178 made their first contribution in #67
• @pacija made their first contribution in #418
• @wiscii made their first contribution in #521
• @jdelker made their first contribution in #544
• @AndersBlomdell made their first contribution in #551

Full Changelog: v3.0.8...v3.0.9-rc1

3.0.8 (2020-09-09)

• Provide --version option (#372)
• Version information now within generated certificates like on *nix
• Fixed issue where gen-dh overwrote existing files without warning (#373)
• Fixed issue with ED/EC certificates were still signed by RSA (#374)
• Added support for export-p8 (#339)
• Clarified error message (#384)
• 2->3 upgrade now errors and prints message when vars isn't found (#377)
• Update OpenSSL Windows binaries to 1.1.1g
• Reverted OpenSSL back to 1.1.0j

3.0.7 (2020-03-30)

• Include OpenSSL libs and binary for Windows 1.1.0j
• Remove RANDFILE environment variable (#261)
• Workaround for bug in win32 mktemp (#247, #305, PR #312)
• Handle IP address in SAN and renewals (#317)
• Workaround for ash and no set -o echo (#319)
• Shore up windows testing framework (#314)
• Provide upgrade mechanism for older versions of EasyRSA (#349)
• Add support for KDC certificates (#322)
• Add support for Edward Curves (#354, #350)
• Add support for EASYRSA_PASSIN and EASYRSA_PASSOUT env vars (#368)
• Add support for RID to SAN (#362)

3.0.6 (2019-02-01)

• Certifcates that are revoked now move to a revoked subdirectory (#63)
• EasyRSA no longer clobbers non-EASYRSA environment variables (#277)
• More sane string checking, allowingn for commas in CN (#267)
• Support for reasonCode in CRL (#280)
• Better handling for capturing passphrases (#230, others)
• Improved LibreSSL/MacOS support
• Adds support to renew certificates up to 30 days before expiration (#286)
  • This changes previous behavior allowing for certificate creation using
    duplicate CNs.

3.0.5 (2018-09-15)

• Fix #17 & #58: use AES256 for CA key
• Also, don't use read -s, use stty -echo
• Fix broken "nopass" option
• Add -r to read to stop errors reported by shellcheck (and to behave)
• remove overzealous quotes around $pkcs_opts (more SC errors)
• Support for LibreSSL (now works on latest version of MacOS)
• EasyRSA version will be reported in certificate comments
• Client certificates now expire in 3 year (1080 days) by default

3.0.4
* Remove use of egrep (#154)
* Integrate with Travis-CI (#165)
* Remove "local" from variable assignment (#165)
* Other changes related to Travis-CI fixes
* Assign values to variables defined previously w/local
* Finally(?) fix the subjectAltName issues I presented earlier (really
fixes #168

Minor update that includes the mktemp Windows binary.