Expose 'sign-req' unique, random serial number check to command line #980
Problem:
EasyRSA uses SSL CA command parameter '-serial $serial_number', to check if a serial-number exists within the database.
The primary function of the SSL CA command parameter '-serial' is to check if a certificate is Valid or has been Revoked.
EasyRSA abuses the SSL output to infer that a serial-number must be unique because that output contains the text 'not present in db'.
SSL CA command parameter '-serial' ALWAYS returns an error, regardless of whatever check it does. Likely, an SSL bug.
As a step in the right direction:
To ease this needless headache, expose the unique, random serial-number check to the command line.
This helps to understand what is going on under the hood.
The command 'sign-req' remains the same; except the unique, random serial-number check is moved to a separate, stand-alone function, which is also exposed to the command line for validation.
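The following is an added illustration of the stand-alone uniqueness check the description talks about; it is not code from this pull request or from EasyRSA. Instead of inferring uniqueness from the output of an `openssl ca` status lookup, it reads the CA's `index.txt` database directly. It assumes the standard `index.txt` layout (one tab-separated record per line: status, expiry, revocation, serial in hex, filename, subject), and the function names `serial_in_db` and `gen_unique_serial` are the example's own.

```shell
#!/bin/sh
# Added example, not EasyRSA's code: decide serial uniqueness by reading the
# OpenSSL CA database (index.txt) directly rather than by pattern-matching
# the output of an 'openssl ca' status lookup. Assumes the standard
# index.txt layout, one record per line, tab-separated:
#   status  expiry  revocation  serial(hex)  filename  subject
# where status is V (valid), R (revoked) or E (expired). The function names
# serial_in_db and gen_unique_serial are this example's own.

# serial_in_db DB SERIAL: exit 0 if SERIAL (hex, any case) is in DB, else 1.
# A missing database means the serial cannot be present, so that is also 1.
serial_in_db() {
    db="$1"
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -f "$db" ] || return 1
    # Field 4 is the serial; compare case-insensitively so '0a' and '0A' match.
    awk -v want="$want" '
        BEGIN { FS = "\t"; found = 0 }
        toupper($4) == want { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$db"
}

# gen_unique_serial DB: print a random 128-bit serial (32 hex digits) that is
# not yet in DB. The leading hex digit is forced into 0-7 so the serial is a
# positive DER INTEGER (high bit clear) without needing an extra zero byte.
# Retries a bounded number of times rather than looping forever on a broken RNG.
gen_unique_serial() {
    db="$1"
    tries=0
    while [ "$tries" -lt 10 ]; do
        tries=$((tries + 1))
        cand=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F')
        first=$(printf '%s' "$cand" | cut -c1 | tr '89ABCDEF' '01234567')
        cand="$first${cand#?}"
        if ! serial_in_db "$db" "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    echo "gen_unique_serial: no unique serial after $tries tries" >&2
    return 1
}
```

Pointed at a real CA directory, `serial_in_db pki/index.txt "$serial"` answers the question with an exit status alone, with no output text to parse, and `gen_unique_serial pki/index.txt` prints a fresh serial that is guaranteed not to collide with any valid, revoked or expired entry already recorded.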