jeffscrum · June 5, 2025 15:22 · Jun 5, 2025 · Jun 5, 2025 · Jun 5, 2025 · Jun 5, 2025
diff --git a/easyrsa.sh b/easyrsa.sh
@@ -21,6 +21,11 @@ cp offline/issued/sub.crt sub/ca.crt
 # Real-world use should import a CSR from the actual clients. We don't for brevity here.
 EASYRSA_PKI=sub easyrsa gen-req server nopass
 EASYRSA_PKI=sub easyrsa gen-req client nopass
+# ./easyrsa sign-req <type> nameOfRequest
+# client - A TLS client, suitable for a VPN user or web browser (web client)
+# server - A TLS server, suitable for a VPN or web server
+# ca - A intermediate CA, used when chaining multiple CAs together
+# serverClient - A TLS server and TLS client
 EASYRSA_PKI=sub easyrsa sign-req server server
 EASYRSA_PKI=sub easyrsa sign-req client client
 

diff --git a/setup.sh → easyrsa.sh b/setup.sh → easyrsa.sh
@@ -31,4 +31,21 @@ cat sub/issued/client.crt sub/ca.crt > client-bundle.crt
 # Full chain (server cert + Intermediate + Root)
 cat sub/issued/server.crt \
     sub/ca.crt \
-    offline/ca.crt > server.full-chain.crt
+    offline/ca.crt > server.full-chain.crt
+
+# Create an updated CRL that contains all revoked certs up to that point
+EASYRSA_PKI=sub easyrsa gen-crl
+
+# Revoke cert
+# Values accepted for option [ reason ]:
+#    us | uns* | unspecified
+#    kc | key* | keyCompromise
+#    cc | ca*  | CACompromise
+#    ac | aff* | affiliationChanged
+#    ss | sup* | superseded
+#    co | ces* | cessationOfOperation
+#    ch | cer* | certificateHold
+
+#EASYRSA_PKI=sub easyrsa revoke-issued <file_name_base> [ reason ]     # Revoke a current, issued certificate.
+#EASYRSA_PKI=sub easyrsa revoke-expired <file_name_base> [ reason ]    # Revoke an old, expired certificate.
+#EASYRSA_PKI=sub easyrsa revoke-renewed <file_name_base> [ reason ]    # Revoke an old, renewed certificate.
diff --git a/setup.sh b/setup.sh
@@ -24,6 +24,11 @@ EASYRSA_PKI=sub easyrsa gen-req client nopass
 EASYRSA_PKI=sub easyrsa sign-req server server
 EASYRSA_PKI=sub easyrsa sign-req client client
 
-# Finally, create "bundle" files for use at each entity (ie: server and client ends.)
+# Server bundle (server or client cert + Intermediate CA cert)
 cat sub/issued/server.crt sub/ca.crt > server-bundle.crt
-cat sub/issued/client.crt sub/ca.crt > client-bundle.crt
+cat sub/issued/client.crt sub/ca.crt > client-bundle.crt
+
+# Full chain (server cert + Intermediate + Root)
+cat sub/issued/server.crt \
+    sub/ca.crt \
+    offline/ca.crt > server.full-chain.crt
diff --git a/setup.sh b/setup.sh
@@ -3,26 +3,26 @@
 # A real-world setup would use different systems and transport the public components.
 
 # Build root CA:
-EASYRSA_PKI=offline ./easyrsa init-pki
-EASYRSA_PKI=offline ./easyrsa build-ca nopass
+EASYRSA_PKI=offline easyrsa init-pki
+EASYRSA_PKI=offline easyrsa build-ca nopass
 
 # Build sub-CA request:
-EASYRSA_PKI=sub ./easyrsa init-pki
-EASYRSA_PKI=sub ./easyrsa build-ca nopass subca
+EASYRSA_PKI=sub easyrsa init-pki
+EASYRSA_PKI=sub easyrsa build-ca nopass subca
 
 # Import the sub-CA request under the short-name "sub" on the offline PKI:
-EASYRSA_PKI=offline ./easyrsa import-req sub/reqs/ca.req sub
+EASYRSA_PKI=offline easyrsa import-req sub/reqs/ca.req sub
 # Then sign it as a CA:
-EASYRSA_PKI=offline ./easyrsa sign-req ca sub
+EASYRSA_PKI=offline easyrsa sign-req ca sub
 # Transport sub-CA cert to sub PKI:
 cp offline/issued/sub.crt sub/ca.crt
 
 # Generate and sign some requests on the sub-CA.
 # Real-world use should import a CSR from the actual clients. We don't for brevity here.
-EASYRSA_PKI=sub ./easyrsa gen-req server nopass
-EASYRSA_PKI=sub ./easyrsa gen-req client nopass
-EASYRSA_PKI=sub ./easyrsa sign-req server server
-EASYRSA_PKI=sub ./easyrsa sign-req client client
+EASYRSA_PKI=sub easyrsa gen-req server nopass
+EASYRSA_PKI=sub easyrsa gen-req client nopass
+EASYRSA_PKI=sub easyrsa sign-req server server
+EASYRSA_PKI=sub easyrsa sign-req client client
 
 # Finally, create "bundle" files for use at each entity (ie: server and client ends.)
 cat sub/issued/server.crt sub/ca.crt > server-bundle.crt

diff --git a/setup.sh b/setup.sh
@@ -4,7 +4,7 @@
 
 # Build root CA:
 EASYRSA_PKI=offline ./easyrsa init-pki
-EASYRSA_PKI=offline ./easyrsa init-ca nopass
+EASYRSA_PKI=offline ./easyrsa build-ca nopass
 
 # Build sub-CA request:
 EASYRSA_PKI=sub ./easyrsa init-pki

diff --git a/setup.sh b/setup.sh
@@ -0,0 +1,29 @@
+# Assumptions: easyrsa3 available in current dir, and functional openssl.
+# This basic example puts the "offline" and "sub" PKI dirs on the same system.
+# A real-world setup would use different systems and transport the public components.
+
+# Build root CA:
+EASYRSA_PKI=offline ./easyrsa init-pki
+EASYRSA_PKI=offline ./easyrsa init-ca nopass
+
+# Build sub-CA request:
+EASYRSA_PKI=sub ./easyrsa init-pki
+EASYRSA_PKI=sub ./easyrsa build-ca nopass subca
+
+# Import the sub-CA request under the short-name "sub" on the offline PKI:
+EASYRSA_PKI=offline ./easyrsa import-req sub/reqs/ca.req sub
+# Then sign it as a CA:
+EASYRSA_PKI=offline ./easyrsa sign-req ca sub
+# Transport sub-CA cert to sub PKI:
+cp offline/issued/sub.crt sub/ca.crt
+
+# Generate and sign some requests on the sub-CA.
+# Real-world use should import a CSR from the actual clients. We don't for brevity here.
+EASYRSA_PKI=sub ./easyrsa gen-req server nopass
+EASYRSA_PKI=sub ./easyrsa gen-req client nopass
+EASYRSA_PKI=sub ./easyrsa sign-req server server
+EASYRSA_PKI=sub ./easyrsa sign-req client client
+
+# Finally, create "bundle" files for use at each entity (ie: server and client ends.)
+cat sub/issued/server.crt sub/ca.crt > server-bundle.crt
+cat sub/issued/client.crt sub/ca.crt > client-bundle.crt