OpenVPN · TinCanTech · Dec 7, 2025 · Dec 6, 2025 · Dec 6, 2025 · Dec 6, 2025
diff --git a/ChangeLog b/ChangeLog
@@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog
 
 3.2.5 (TBD)
 
+   * New function ssl_cert_sig_digest() (f9d2b49) (#1414)
    * Add '-b' alias for --batch (575a964) (#1411)
    * Introduce peer-fingerprint inline lists (94c3690) (#1410)
    * Create new inline file type 'pfp', peer-fingerprint (353adc5) (#1407)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -4719,6 +4719,11 @@ Use command 'revoke-renewed' to revoke this certificate."
 	cert_type=
 	ssl_cert_x509v3_eku "$crt_in" cert_type
 
+	# Extract Signature digest from old cert
+	sig_digest=
+	ssl_cert_digest "$crt_in" sig_digest
+	export EASYRSA_DIGEST="$sig_digest"
+
 	# create temp-file for full cert text
 	full_crt_tmp=
 	easyrsa_mktemp full_crt_tmp
@@ -4991,6 +4996,11 @@ $cmd does not support setting an external commonName."
 	)" || die "renew_ca_cert - Failed to get EASYRSA_REQ_CN"
 	export EASYRSA_REQ_CN
 
+	# Extract Signature digest from old cert
+	sig_digest=
+	ssl_cert_digest "$ca_cert_file" sig_digest
+	export EASYRSA_DIGEST="$sig_digest"
+
 	# Set ssl batch mode, as required
 	[ "$EASYRSA_BATCH" ] && ssl_batch=1
 
@@ -5371,6 +5381,48 @@ ssl_cert_x509v3_eku() {
 	return 1
 } # => ssl_cert_x509v3_eku()
 
+# get the digest of the certificate
+ssl_cert_digest() {
+	[ "$#" = 2 ] || die "ssl_cert_digest - input error"
+	[ -f "$1" ] || die "ssl_cert_digest - missing cert"
+
+	fn_ssl_out="$(
+		"$EASYRSA_OPENSSL" x509 -in "$1" -noout -text \
+			-certopt no_header,no_version,no_serial,no_sigdump \
+			-certopt no_pubkey,no_validity,no_subject,no_issuer \
+			-certopt no_extensions
+		)" || die "ssl_cert_digest - failed: digest"
+
+	# remove the 'Signature Algorithm: ' part
+	fn_ssl_out="${fn_ssl_out##*: }"
+
+	case "$fn_ssl_out" in
+		# remove the 'WithRSAEncryption' part
+		*WithRSAEncryption)
+			fn_ssl_out="${fn_ssl_out%%With*}"
+		"$EASYRSA_OPENSSL" dgst "-$fn_ssl_out" "$1" || \
+			die "ssl_cert_digest - Bad Sig-Alg: '$fn_ssl_out'"
+		;;
+		# remove the 'ecdsa-with-' part
+		ecdsa-with-*)
+			fn_ssl_out="${fn_ssl_out##*with-}"
+		"$EASYRSA_OPENSSL" dgst "-$fn_ssl_out" "$1" || \
+			die "ssl_cert_digest - Bad Sig-Alg: '$fn_ssl_out'"
+		;;
+		# remove everything for Edwards Curve
+		ED25519|ED448)
+			fn_ssl_out=""
+			# digest verification is not required
+		;;
+		*) die "ssl_cert_digest - Bad Sig-Alg: '$fn_ssl_out'"
+	esac
+
+	force_set_var "$2" "$fn_ssl_out" || \
+		die "ssl_cert_digest - failed to set var '$*'"
+
+	unset -v fn_ssl_out
+} # => ssl_cert_digest()
+
 # get the serial number of the certificate -> serial=XXXX
 ssl_cert_serial() {
 	[ "$#" = 2 ] || die "ssl_cert_serial - input error"