2 changes: 2 additions & 0 deletions ChangeLog
Expand Up @@ -2,6 +2,8 @@ Easy-RSA 3 ChangeLog

3.2.4 (TBD)

* revoke: Archive request and private key files and expand help (79754da) (#1378)
Original bug report: github-user spacefreak86 (#1377)
* Remove 'easyrsa_mkdir()', use only 'mkdir' (5738f3d) (#1376)
* help: Correct build-ca 'rawca' command option (0447f42) (#1374)
* Windows easyrsa-shell-init.sh: Modernize prompt (5bf2e99) (#1374)
47 changes: 29 additions & 18 deletions easyrsa3/easyrsa
Expand Up @@ -256,9 +256,6 @@ Usage: easyrsa [ OPTIONS.. ] <COMMAND> <TARGET> [ cmd-opts.. ]"
text="
* revoke <file_name_base> [ reason ]

Commmand 'revoke' is DEPRECATED and can ONLY be used in batch mode.
Commmand 'revoke-issued' REPLACES command 'revoke'.

Revoke a certificate specified by the <file_name_base>,
with an optional revocation [ reason ].

Expand All @@ -274,21 +271,27 @@ Commmand 'revoke-issued' REPLACES command 'revoke'.
Commands 'revoke-expired' and 'revoke-renewed' are functionally
equivalent to 'revoke-issued', however, they are used to revoke
certificates which have been either 'expired' or 'renewed' by
other EasyRSA commands.
Easy-RSA commands 'expire' or 'renew'.

Commmand 'revoke' is DEPRECATED and can ONLY be used in batch mode.
Commmand 'revoke-issued' REPLACES command 'revoke'.

Commmand 'revoke' is DEPRECATED and can ONLY be used in batch mode.
Commmand 'revoke-issued' REPLACES command 'revoke'.
REQUIRED COMMANDS:

REQUIRED COMMANDS:
* 'revoke-issued' <file_name_base> [ reason ]
Revoke a current, issued certificate.
Archives the original request and private key files.

* 'revoke-issued' <file_name_base> [ reason ]
Revoke a current, issued certificate.
* 'revoke-expired' <file_name_base> [ reason ]
Revoke an old, expired certificate.
Preserves the original request and private key files.

* 'revoke-expired' <file_name_base> [ reason ]
Revoke an old, expired certificate.
* 'revoke-renewed' <file_name_base> [ reason ]
Revoke an old, renewed certificate.
Preserves the original request and private key files.

* 'revoke-renewed' <file_name_base> [ reason ]
Revoke an old, renewed certificate."
All 'revoke' commands archive the specified certificate
by serial number."
opts="
* [ reason ]${NL}
Values accepted for option [ reason ]: Details above."
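Review bot: The two deprecation lines that are moved within the 'revoke' help text still read "Commmand" (three m's); since they are being touched anyway, correct both to "Command". Separately, the new text says 'revoke-issued' "Archives the original request and private key files" but does not say where the archive is kept. A one-line pointer to the destination would help an operator who later needs to locate or destroy the private key of a revoked certificate.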
Expand Down Expand Up @@ -3219,7 +3222,9 @@ Conflicting file(s) found:${msg}
Please select which type of 'revoke' command is required:
* 'revoke-issued' will revoke a current certificate.
* 'revoke-expired' will revoke an old cert, which has been expired.
* 'revoke-renewed' will revoke an old cert, which has been renewed."
* 'revoke-renewed' will revoke an old cert, which has been renewed.

Please see 'help revoke' for full details."
fi
fi
# Clear variables no longer in use
Expand Down Expand Up @@ -3269,12 +3274,12 @@ Cannot revoke this certificate, a conflicting file exists.

# Check for key and request files
unset -v if_exist_key_in if_exist_req_in
if [ "$move_req_and_key" ] && [ -f "$key_in" ]; then
if [ "$revoke_move_req_and_key" ] && [ -f "$key_in" ]; then
if_exist_key_in="
* $key_in"
fi

if [ "$move_req_and_key" ] && [ -f "$req_in" ]; then
if [ "$revoke_move_req_and_key" ] && [ -f "$req_in" ]; then
if_exist_req_in="
* $req_in"
fi
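Review bot: In both renamed tests, [ "$revoke_move_req_and_key" ] is true for any non-empty value, including "0". The command dispatcher in this patch only ever assigns 1 or the empty string, so it behaves correctly today, but an explicit comparison such as [ "$revoke_move_req_and_key" = 1 ] would state the intent and survive a later change that assigns a different value. It is also worth confirming that no reference to the old name move_req_and_key remains elsewhere in the script, since a leftover would silently evaluate as empty.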
Expand Down Expand Up @@ -3339,7 +3344,7 @@ revoke_move() {

# only move the req when revoking an issued cert
# and if we have the req
if [ "$move_req_and_key" ] && [ -f "$req_in" ]; then
if [ "$revoke_move_req_and_key" ] && [ -f "$req_in" ]; then
mv "$req_in" "$req_out" || warn "Failed to move: $req_in"
fi

Expand All @@ -3348,7 +3353,7 @@ revoke_move() {

# only move the key when revoking an issued cert
# and if we have the key
if [ "$move_req_and_key" ] && [ -f "$key_in" ]; then
if [ "$revoke_move_req_and_key" ] && [ -f "$key_in" ]; then
mv "$key_in" "$key_out" || warn "Failed to move: $key_in"
fi

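Review bot: In the key branch of revoke_move, a failed mv "$key_in" "$key_out" only calls warn, so the private key of the revoked certificate can remain at its original path while the command otherwise completes. The same pattern applies to the request file in the preceding hunk, but the key is the sensitive one. Consider having revoke_move report this failure to its caller so that the final status of 'revoke-issued' shows the key was not archived, rather than relying on the operator noticing a warning in the output.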
Expand Down Expand Up @@ -7007,14 +7012,20 @@ case "$cmd" in
;;
revoke|revoke-issued)
require_pki=1; require_ca=1; verify_working_env
# Only move req and key if revoking an issued cert
# renewed certs want to keep the req/key for further renewal
# manually expired certs are intended to be renewed
revoke_move_req_and_key=1
revoke 'issued' "$@"
;;
revoke-expired)
require_pki=1; require_ca=1; verify_working_env
revoke_move_req_and_key=
revoke 'expired' "$@"
;;
revoke-renewed)
require_pki=1; require_ca=1; verify_working_env
revoke_move_req_and_key=
revoke 'renewed/issued' "$@"
;;
import-req)
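Review bot: The three-line comment sits inside the 'revoke|revoke-issued' branch, but two of its sentences explain why the other two branches leave the flag empty. Moving each sentence next to the revoke_move_req_and_key= assignment it justifies would make the branches self-explanatory. Also note that the deprecated 'revoke' alias shares this branch and therefore archives the request and private key as well, while the help text states this only for 'revoke-issued'; a short mention in the help or the ChangeLog entry would cover batch users still calling 'revoke'. Assigning the flag explicitly in all three branches is good, since it prevents a value inherited from the environment from enabling the move.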