Package: easy-rsa
Version: 2.2.2-1
Severity: wishlist
Tags: upstream patch

Dear Maintainer,

the easy-rsa package does not include a way of generating an initial empty CRL
after setting up a new CA. Only the 'revoke-full' tool will generate CRLs,
and only as part of revoking an existing certificate.

The attached diff adds a "--initcrl" option to revoke-full, which simply
skips the step of revoking a certificate, so the CRL is (re-)generated,
resulting in an empty CRL if no certificates have been revoked.

If certificates have already been revoked, it simply regenerates the CRL.


Regards,
Henrik Stoerner

-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=da_DK.UTF-8, LC_CTYPE=da_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages easy-rsa depends on:
ii  openssl  1.0.1k-3+deb8u1

Versions of packages easy-rsa recommends:
ii  opensc  0.14.0-2

easy-rsa suggests no packages.

-- no debconf information

--- revoke-full.orig	2015-07-13 19:24:43.000000000 +0200
+++ revoke-full	2015-08-20 07:46:03.296973081 +0200
@@ -8,6 +8,8 @@
 
 if [ $# -ne 1 ]; then
     echo "usage: revoke-full <cert-name-base>";
+    echo "       or"
+    echo "       revoke-full --initcrl"
     exit 1
 fi
 
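Review bot: the argument check that precedes these lines still only tests `$# -ne 1`, so `--initcrl` is accepted merely because it happens to be a single argument, and nothing here or later rejects a typo such as `--initCRL` (it would be treated as a certificate base name). Suggest parsing the option explicitly right after the usage check, e.g. `INITCRL=0; [ "$1" = "--initcrl" ] && INITCRL=1`, and mentioning `--initcrl` wherever revoke-full is documented, since the two new echo lines are currently the only place the mode is described.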
@@ -23,8 +25,11 @@
 	# required due to hack in openssl.cnf that supports Subject Alternative Names
     export KEY_ALTNAMES=""
 
-    # revoke key and generate a new CRL
-    $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
+    if [ "$1" != "--initcrl" ]
+    then
+        # revoke key and generate a new CRL
+        $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
+    fi
 
     # generate a new CRL -- try to be compatible with
     # intermediate PKIs
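Review bot: the comparison `[ "$1" != "--initcrl" ]` is duplicated in this hunk and in the verify step that follows; a single flag set once during argument parsing would keep the two branches in sync if a third conditional step is ever added. The comment `# revoke key and generate a new CRL` inside the new branch is also now misleading: only the `-revoke` runs here, while the CRL is regenerated unconditionally by the following `# generate a new CRL` step, which is exactly what makes `--initcrl` work. Suggest `# revoke the certificate; the CRL is regenerated below`. Note that the exit status of `$OPENSSL ca -revoke` is still not checked, so a failed revocation continues on to CRL generation as before; that is pre-existing behaviour, not introduced by this patch.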
@@ -35,8 +40,11 @@
         cat ca.crt "$CRL" >"$RT"
     fi
 
-    # verify the revocation
-    $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
+    if [ "$1" != "--initcrl" ]
+    then
+        # verify the revocation
+        $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
+    fi
 else
     echo 'Please source the vars script first (i.e. "source ./vars")'
     echo 'Make sure you have edited it to reflect your configuration.'
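Review bot: in `--initcrl` mode the script now finishes without any check that `$CRL` was actually written, because the `$OPENSSL verify` step is the only post-generation check and it is skipped. Suggest an `else` branch that at least parses the new file, e.g. `$OPENSSL crl -in "$CRL" -noout`, so that a failed generation (wrong `$KEY_CONFIG`, missing index or crlnumber file) is reported rather than silently leaving the CA without a CRL, which is the very situation the option is meant to fix.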

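The motivation above (a freshly set-up CA has no CRL, so any client that checks CRLs fails until the first revocation) can be reproduced with plain openssl. The script below is an added example, not code from the bug report or from easy-rsa: it builds a throwaway CA, shows that `openssl verify -crl_check` fails while no CRL exists, generates the initial empty CRL, then revokes the leaf and regenerates the CRL. The CRL is produced with `openssl ca -gencrl`, which is assumed here to be what the script's "generate a new CRL" step runs (the hunk shown does not include that line); the directory layout, config file and subject names are constructed for this example only.

```shell
#!/bin/sh
# Added example, not code from the bug report or from easy-rsa: a throwaway CA
# driven by plain openssl that shows (1) a CRL-checking client fails while the
# CA has no CRL at all, (2) an initial *empty* CRL fixes that, and (3) a later
# revocation appears once the CRL is regenerated.  File names, the config
# layout and the subject names are assumptions of this example.
set -u

# Write a minimal openssl.cnf covering both "req -x509" (CA cert) and "ca".
write_config() {
    dir=$1
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF
}

# Fresh CA: key, self-signed cert, empty database, starting serial/CRL numbers.
setup_test_ca() {
    dir=$1
    mkdir -p "$dir/newcerts" || return 1
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    write_config "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$dir/openssl.cnf" -subj "/CN=example-test-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# Issue one leaf certificate so there is something for a client to verify.
issue_leaf() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -subj "/CN=example-leaf" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1 &&
    openssl ca -batch -notext -config "$dir/openssl.cnf" \
        -in "$dir/leaf.csr" -out "$dir/leaf.crt" >/dev/null 2>&1
}

# (Re)generate the CRL from whatever index.txt records.  With nothing revoked
# this yields an empty CRL: the "--initcrl" case of the patch.
gen_crl() {
    dir=$1
    openssl ca -gencrl -config "$dir/openssl.cnf" -out "$dir/crl.pem" >/dev/null 2>&1
}

revoke_leaf() {
    dir=$1
    openssl ca -config "$dir/openssl.cnf" -revoke "$dir/leaf.crt" >/dev/null 2>&1
}

# Number of revoked entries listed in the CRL; fails if the file is not a CRL.
revoked_count() {
    text=$(openssl crl -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -c 'Serial Number:' || true
}

# What a CRL-checking client does: verify the leaf against CA cert + CRL.
# Without any CRL in the bundle, "-crl_check" fails even for a valid cert.
verify_leaf() {
    dir=$1
    cat "$dir/ca.crt" > "$dir/ca_bundle.pem"
    if [ -f "$dir/crl.pem" ]; then cat "$dir/crl.pem" >> "$dir/ca_bundle.pem"; fi
    openssl verify -CAfile "$dir/ca_bundle.pem" -crl_check "$dir/leaf.crt" >/dev/null 2>&1
}

# Walk through the three states when run directly.
demo() {
    dir=$(mktemp -d) || return 1
    setup_test_ca "$dir" && issue_leaf "$dir" || return 1
    verify_leaf "$dir" && echo "unexpected: verified without a CRL" || echo "no CRL yet: client verify fails"
    gen_crl "$dir" && echo "empty CRL generated, revoked entries: $(revoked_count "$dir/crl.pem")"
    verify_leaf "$dir" && echo "with empty CRL: client verify succeeds"
    revoke_leaf "$dir" && gen_crl "$dir" && echo "after revoke, entries: $(revoked_count "$dir/crl.pem")"
    verify_leaf "$dir" || echo "after revoke: client verify fails"
    rm -rf "$dir"
}

demo
```

The verify step mirrors what revoke-full does with `cat ca.crt "$CRL" >"$RT"` followed by `openssl verify -CAfile "$RT" -crl_check`: the CRL travels in the same PEM bundle as the CA certificate, and a client configured that way has no CRL to consult until one has been generated at least once.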