[geeks] On Replacing "Easy" RSA

Jonathan Patschke jp at celestrion.net
Wed Jun 13 11:52:39 CDT 2018


I switched away from using IPsec to using OpenVPN for connecting to my
home network several years ago.  "Easy" RSA has always been the sticking
point for me.

I'd get it happy, generate some certs, and forget about it.  When a
cert expired, I'd run into some new obscure thing to trip me up.  Was I
supposed to run that as root rather than the ca owner?  Do I source the
'vars' file into my shell in this version, or do the scripts do that for
me?  Crap, was I in the wrong directory again?  Why does easy-rsa see the
updated cert, but openvpn doesn't recognize it?  Why is that old copy of
that other cert still hanging around?

Fragile junk.  So, I upgraded to the brand-new/all-redone version 3 of it.
It doesn't really like LibreSSL 2.4 (which is what shipped with OpenBSD
6.0), and I finally got it to the point where it would do everything right
except that it would sign CSRs with 0-byte certificate files as the
result.

Today, I found this (upon a recommendation from someone else frustrated
with easy-rsa):

         https://github.com/nicolas314/2cca

I wrapped the 2cca.py script in another Python script that changes to my
CA directory and auto-populates sane default arguments for my site (unless
overridden on the command-line).  And, how about that, it just works.

Now, instead of easy-rsa, I have sane-rsa.

User experience.  It's not just for smartphone applications.

-- 
Jonathan Patschke
Austin, TX
USA
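
The kind of wrapper described in the post (change to the CA directory, fill in site defaults, let command-line arguments override them, then hand off to 2cca.py), as an added example; this is not the script from the original post and not part of the 2cca project. The CA directory path, the default values, and the assumption that 2cca.py takes its parameters as `key=value` words after a subcommand are all assumptions for illustration; check the 2cca README for the real argument syntax before using it.

```python
#!/usr/bin/env python3
"""Site wrapper around 2cca.py: fixed working directory plus site defaults.

Added example, not the original poster's script and not 2cca's own code.
Assumptions (hypothetical): the CA lives in CA_DIR, 2cca.py sits inside it,
and 2cca.py accepts a subcommand followed by key=value parameters.
"""
import os
import subprocess
import sys
from typing import Dict, List, Tuple

# Hypothetical site layout and defaults; adjust for your own CA.
CA_DIR = os.path.expanduser("~/ca")
TWOCCA = os.path.join(CA_DIR, "2cca.py")
SITE_DEFAULTS: Dict[str, str] = {
    "O": "Example Home Network",
    "C": "US",
    "ST": "TX",
    "L": "Austin",
    "days": "365",
}


def parse_overrides(argv: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Split argv into positional words (the 2cca subcommand, e.g. "server")
    and key=value overrides. A bare "=value" with no key is rejected rather
    than silently passed through."""
    positional: List[str] = []
    overrides: Dict[str, str] = {}
    for arg in argv:
        if "=" in arg:
            key, _, value = arg.partition("=")
            if not key:
                raise ValueError(f"malformed argument: {arg!r}")
            overrides[key] = value
        else:
            positional.append(arg)
    return positional, overrides


def build_command(argv: List[str],
                  defaults: Dict[str, str] = SITE_DEFAULTS,
                  script: str = TWOCCA) -> List[str]:
    """Build the argv for 2cca.py: site defaults first, with any key given
    on the command line replacing the default of the same name, and keys
    not in the defaults (e.g. CN) appended."""
    positional, overrides = parse_overrides(argv)
    merged = {**defaults, **overrides}  # explicit overrides win
    params = [f"{key}={value}" for key, value in merged.items()]
    return [sys.executable, script, *positional, *params]


def main(argv: List[str]) -> int:
    if not argv:
        print("usage: sane-rsa <2cca subcommand> [key=value ...]",
              file=sys.stderr)
        return 2
    cmd = build_command(argv)
    # Run from the CA directory so 2cca's relative output paths land where
    # the rest of the CA lives, regardless of the caller's cwd.
    return subprocess.run(cmd, cwd=CA_DIR, check=False).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Running `sane-rsa server CN=vpn.example.net days=730` (with the assumed syntax) would invoke 2cca.py with the subcommand `server`, the site's O/C/ST/L, a `days=730` that replaces the default `days=365`, and the extra `CN=vpn.example.net`, all from inside the CA directory. Passing the working directory through `subprocess.run(cwd=...)` rather than `os.chdir` keeps the wrapper's own paths unaffected.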

