Opened 4 years ago

Closed 3 years ago

#788 closed Bug / Defect (duplicate)


Reported by: bsaner Owned by: Eric Crist
Priority: trivial Milestone:
Component: easy-rsa Version: easyrsa-3.x
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: keysize


(Please see the associated github issue)

easyrsa ignores both EASYRSA_KEY_SIZE in vars...:

[root@g bdisk]# grep KEY vars
set_var EASYRSA_KEY_SIZE        4096
[root@g bdisk]# easyrsa init-pki && yes '' | easyrsa build-ca nopass

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/servers/keygen/bdisk/pki

Generating a 2048 bit RSA private key
writing new private key to '/etc/openvpn/servers/keygen/bdisk/pki/private/ca.key.Orh3ijGp3Z'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:

[root@g bdisk]# openssl rsa -in pki/private/ca.key -noout -text | head -n1
Private-Key: (2048 bit)

and EASYRSA_DIGEST in vars:

[root@g bdisk]# grep DIGEST vars
set_var EASYRSA_DIGEST          "sha512"
[root@g bdisk]# openssl x509 -in pki/ca.crt -noout -text | grep 'Signature Algorithm'
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption

As a sidenote, if you use Trac for bugs, you should either have a member focused on watching GitHub Issues for new reports or simply disable Issues on GH; otherwise it gives the impression that you are ignoring bug reports.

Change History (7)

comment:1 Changed 4 years ago by bsaner

(I should note that if you'd like to rewrite easyrsa in Python, I recently wrote a PKI creation implementation viewable here. It may prove to be less painful than bash, although it requires a non-stdlib module.)

comment:2 Changed 4 years ago by Gert Döring

Not sure about easy-rsa 3.x - but in older versions, you need to source "vars" from the shell *before* running any of the
scripts, as in

$ . ./vars
$ ./build-key foobar

maybe that's still the same? (Note the "." in front of the "./vars" = "execute in local shell")

comment:3 Changed 4 years ago by Gert Döring

Owner: set to Eric Crist
Status: new → assigned

comment:4 Changed 4 years ago by debbie10t

I have generated dozens of test PKIs and can not replicate this problem.
If $PWD/vars contains set_var EASYRSA_KEY_SIZE 4096 then I get a 4096bit PKI.

In the github report above, I notice the commands in use are:
$ easyrsa foo bar
# easyrsa foo bar

For my tests, from $PWD, I use the command:
$ ./easyrsa foo bar

Last edited 4 years ago by debbie10t

comment:5 Changed 3 years ago by deepthought

"For my tests, from $PWD, I use the command:
$ ./easyrsa foo bar"

Well, this is exactly the important difference: the vars file is not sourced if it's in the working directory or in pki/ -- only if it's e.g. also in the directory of the executable. However, many distributions ship easyrsa with its binary in /usr/bin/.
Have a look here:
and here:
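Whatever the lookup rule turns out to be, the practical defence is the one the report itself performs by hand: after building the CA, read the key size and signature digest back out with openssl and compare them with what vars asked for, instead of trusting that the script found the file. The script below is an added example written for this page; it is not part of the ticket or of the Easy-RSA project. It parses `set_var` lines from a vars file, parses the `openssl rsa -text` / `openssl x509 -text` output, and reports any mismatch. The demo data (a temporary vars file and the two openssl lines) is constructed inline from the values quoted in the report; `check_live_pki` is the same check run against a real `pki/` directory and needs openssl on PATH.

```shell
#!/bin/sh
# Verify that a generated Easy-RSA PKI really reflects EASYRSA_KEY_SIZE and
# EASYRSA_DIGEST from a vars file (added example, not Easy-RSA's own code).

# vars_get FILE NAME: print the value from the last uncommented
# `set_var NAME value` line in FILE, quotes stripped; empty if not set.
# Commented-out lines such as "#set_var EASYRSA_KEY_SIZE 2048" are ignored.
vars_get() {
    sed -n "s/^[[:space:]]*set_var[[:space:]][[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# key_bits: read `openssl rsa -noout -text` output on stdin, print the bit count.
# Matches both "Private-Key: (2048 bit)" and "Private-Key: (2048 bit, 2 primes)".
key_bits() {
    sed -n 's/^Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1
}

# sig_digest: read `openssl x509 -noout -text` output on stdin and print the
# digest of the first "Signature Algorithm" line, lower-cased, e.g.
# sha256WithRSAEncryption -> sha256, ecdsa-with-SHA512 -> sha512.
sig_digest() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*\(.*\)$/\1/p' \
        | head -n 1 | sed 's/WithRSAEncryption$//; s/^ecdsa-with-//' | tr 'A-Z' 'a-z'
}

# check_pki VARS KEYTEXT CERTTEXT: compare the vars file with the openssl text
# dumps (passed as strings). Returns 0 when both match, 1 otherwise, and names
# each mismatch on stderr.
check_pki() {
    want_bits=$(vars_get "$1" EASYRSA_KEY_SIZE)
    want_digest=$(vars_get "$1" EASYRSA_DIGEST | tr 'A-Z' 'a-z')
    got_bits=$(printf '%s\n' "$2" | key_bits)
    got_digest=$(printf '%s\n' "$3" | sig_digest)
    rc=0
    if [ "$want_bits" != "$got_bits" ]; then
        echo "key size: vars says ${want_bits:-unset}, key is ${got_bits:-unknown} bits" >&2
        rc=1
    fi
    if [ "$want_digest" != "$got_digest" ]; then
        echo "digest: vars says ${want_digest:-unset}, cert is signed with ${got_digest:-unknown}" >&2
        rc=1
    fi
    return $rc
}

# check_live_pki VARS PKIDIR: the same check against a real PKI directory.
# Needs openssl on PATH; the constructed demo below does not call it.
check_live_pki() {
    check_pki "$1" \
        "$(openssl rsa -in "$2/private/ca.key" -noout -text 2>/dev/null)" \
        "$(openssl x509 -in "$2/ca.crt" -noout -text 2>/dev/null)"
}

# ---- constructed demo data: the values quoted in the ticket, not real files ----
DEMO_VARS=$(mktemp)
trap 'rm -f "$DEMO_VARS"' EXIT
cat > "$DEMO_VARS" <<'EOF'
#set_var EASYRSA_KEY_SIZE       2048
set_var EASYRSA_KEY_SIZE        4096
set_var EASYRSA_DIGEST          "sha512"
EOF

# What the ticket's PKI reported: the built-in defaults, not the vars values.
TICKET_KEY='Private-Key: (2048 bit)'
TICKET_CERT='    Signature Algorithm: sha256WithRSAEncryption'

# What a PKI built with that vars file actually applied would report.
GOOD_KEY='Private-Key: (4096 bit)'
GOOD_CERT='    Signature Algorithm: sha512WithRSAEncryption'

demo() {
    if check_pki "$DEMO_VARS" "$TICKET_KEY" "$TICKET_CERT"; then
        echo "ticket PKI: matches vars"
    else
        echo "ticket PKI: MISMATCH (vars was not read)"
    fi
    if check_pki "$DEMO_VARS" "$GOOD_KEY" "$GOOD_CERT"; then
        echo "corrected PKI: matches vars"
    else
        echo "corrected PKI: MISMATCH"
    fi
}
demo
```

Run `check_live_pki /path/to/vars /path/to/pki` right after `build-ca` and treat a non-zero exit as "stop and find out which vars file, if any, was read". If the mismatch is due to the lookup location, Easy-RSA 3 also accepts `--vars=FILE` on the command line, and because `set_var` only assigns a variable that is not already set, exporting `EASYRSA_KEY_SIZE` and `EASYRSA_DIGEST` in the environment before running `easyrsa` takes effect regardless of where the script lives.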

comment:6 Changed 3 years ago by tincantech

It seems to me that this issue has been adequately addressed.

From easyrsa3/vars.example

# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
# this file in place -- instead, you should copy the entire easy-rsa directory
# to another location so future upgrades don't wipe out your changes.

comment:7 Changed 3 years ago by Eric Crist

Priority: critical → trivial
Resolution: duplicate
Status: assigned → closed

Closing this ticket - we only need a ticket in either the EasyRSA project on github (preferred), or here. We'll handle this one on github.
