
Option --days can be used as an alias for all commands which have a validity period #647

Closed
TinCanTech opened this issue Aug 20, 2022 · 2 comments · Fixed by #674

Comments

@TinCanTech
Collaborator

TinCanTech commented Aug 20, 2022

THIS COMMENT HAS BEEN SUPERSEDED.

Help states:

--days=# : sets the signing validity to the specified number of days

But $EASYRSA_CRL_DAYS is also set:

easy-rsa/easyrsa3/easyrsa

Lines 4649 to 4659 in c8e93ca

case "$opt" in
--days)
export EASYRSA_CERT_EXPIRE="$val"
export EASYRSA_CA_EXPIRE="$val"
export EASYRSA_CRL_DAYS="$val"
case "$EASYRSA_CERT_EXPIRE" in
(*[!1234567890]*|0*)
print "--days - Number expected: $EASYRSA_CERT_EXPIRE"
exit 1
esac
;;

The CRL is not a signed certificate and should not be set here.
There should be a new option --crl-days to specifically set $EASYRSA_CRL_DAYS.

@TinCanTech TinCanTech self-assigned this Aug 20, 2022
@TinCanTech TinCanTech added the BUG label Aug 20, 2022
@TinCanTech TinCanTech added this to the v3.1.1-RC1 milestone Aug 20, 2022
@TinCanTech
Collaborator Author

TinCanTech commented Aug 30, 2022

Having thought this through, I can see my mistake.

The option --days can be used to set the number of days which are pertinent to whichever command is called:

  • --days=3650 build-ca - Would build a 10 year valid CA.
  • --days=1095 build-server-full - Would build a 3 year valid Server cert.
  • --days=182 gen-crl - Would build a 6 month valid CRL.

Therefore, --days usage is valid.

I may introduce --ca-days, --cert-days and --crl-days to complement --days.

It may be preferable to correct / improve the help text.

@TinCanTech
Collaborator Author

TinCanTech commented Aug 31, 2022

An even more radical approach:

	case "$opt" in
	--days|--ca-days|--cert-days|--crl-days|--renew-days)
		export EASYRSA_CA_EXPIRE="$val"
		export EASYRSA_CERT_EXPIRE="$val"
		export EASYRSA_CRL_DAYS="$val"
		export EASYRSA_CERT_RENEW="$val"
		case "$val" in
			(*[!1234567890]*|0*)
				print "$opt - Number expected: '$val'"
				exit 1
		esac
		;;

--days is an alias for whichever number of days is required.

IMPORTANT: This works in version 3.1.1 because renew does not have a cut-off date before which a certificate cannot be renewed.

TEST:

  • Build a certificate valid for 3 years:
tct@home:~/git/easy-rsa/test/installed/test$ easyrsa --days=1095 build-server-full s1 nopass
* Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020

* Using Easy-RSA configuration: /home/tct/git/easy-rsa/test/installed/test/pki/vars

Generating a RSA private key
......+++++
................................................................................................................................................................................................................................................................................................................................................+++++
writing new private key to '/home/tct/git/easy-rsa/test/installed/test/pki/d15b940f/temp.8852402b'
-----

Notice
------
Keypair and certificate request completed. Your files are:
req: /home/tct/git/easy-rsa/test/installed/test/pki/reqs/s1.req
key: /home/tct/git/easy-rsa/test/installed/test/pki/private/s1.key

Using configuration from /home/tct/git/easy-rsa/test/installed/test/pki/d15b940f/temp.a64e6a32
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'s1'
Certificate is to be certified until Aug 30 11:58:54 2025 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Notice
------
Certificate created at: /home/tct/git/easy-rsa/test/installed/test/pki/issued/s1.crt
  • Renew the certificate valid for 10 days:
tct@home:~/git/easy-rsa/test/installed/test$ easyrsa --days=10 renew s1 nopass
* Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020

* Using Easy-RSA configuration: /home/tct/git/easy-rsa/test/installed/test/pki/vars


WARNING
=======
This process is destructive!

These files will be moved to the 'renewed' storage sub-directory:
* /home/tct/git/easy-rsa/test/installed/test/pki/issued/s1.crt
* /home/tct/git/easy-rsa/test/installed/test/pki/private/s1.key
* /home/tct/git/easy-rsa/test/installed/test/pki/reqs/s1.req

These files will be DELETED:
* All PKCS files for commonName : s1
* The inline credentials file   : /home/tct/git/easy-rsa/test/installed/test/pki/s1.creds
* The duplicate certificate     : /home/tct/git/easy-rsa/test/installed/test/pki/certs_by_serial/DEED6DFCCC840B5D8A58B8AD11E03746.pem

IMPORTANT: The new key will NOT be password protected.


Please confirm you wish to renew the certificate
with the following subject:

  subject=
    commonName                = s1

X509v3 Subject Alternative Name:
    DNS:s1

  serial-number: DEED6DFCCC840B5D8A58B8AD11E03746

Type the word 'yes' to continue, or any other input to abort.
    Continue with renewal: yes

Generating a RSA private key
..........+++++
................................+++++
writing new private key to '/home/tct/git/easy-rsa/test/installed/test/pki/d1cbb51d/temp.7f9d6ca8'
-----

Notice
------
Keypair and certificate request completed. Your files are:
req: /home/tct/git/easy-rsa/test/installed/test/pki/reqs/s1.req
key: /home/tct/git/easy-rsa/test/installed/test/pki/private/s1.key

Using configuration from /home/tct/git/easy-rsa/test/installed/test/pki/d1cbb51d/temp.29d18467
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'s1'
Certificate is to be certified until Sep 10 12:00:11 2022 GMT (10 days)

Write out database with 1 new entries
Data Base Updated

Notice
------
Certificate created at: /home/tct/git/easy-rsa/test/installed/test/pki/issued/s1.crt


Notice
------
Renew was successful.

                              * IMPORTANT *

Renew has created a new certificate and key, both files MUST be replaced!

To revoke the old certificate, once the new one has been deployed,
use: 'revoke-renewed s1 reason' ('reason' is optional)
  • Check certificate expiry valid for only 10 days:
tct@home:~/git/easy-rsa/test/installed/test$ easyrsa --days=10 show-expire
* Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020

* Using Easy-RSA configuration: /home/tct/git/easy-rsa/test/installed/test/pki/vars


Notice
------
* Showing certificates which expire in less than 10 days (--renew-days):

V | Serial: FE68DD4A7B25B6AC69394144A6D5B0E9 | Expires: Sep 10 12:00:11 2022 GMT | CN: s1
  • Revoke the old renewed certificate:
tct@home:~/git/easy-rsa/test/installed/test$ easyrsa revoke-renewed s1
* Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020

* Using Easy-RSA configuration: /home/tct/git/easy-rsa/test/installed/test/pki/vars


WARNING
=======
This process is destructive!

These files will be moved to the 'revoked' storage sub-directory:
* /home/tct/git/easy-rsa/test/installed/test/pki/renewed/issued/s1.crt
* /home/tct/git/easy-rsa/test/installed/test/pki/renewed/private/s1.key
* /home/tct/git/easy-rsa/test/installed/test/pki/renewed/reqs/s1.req


  Please confirm you wish to revoke the renewed certificate
  with the following subject:

  subject=
    commonName                = s1

X509v3 Subject Alternative Name:
    DNS:s1

  serial-number: DEED6DFCCC840B5D8A58B8AD11E03746

  Reason: None given

Type the word 'yes' to continue, or any other input to abort.
    Continue with revocation: yes

Using configuration from /home/tct/git/easy-rsa/test/installed/test/pki/11395186/temp.5963d15c
Revoking Certificate DEED6DFCCC840B5D8A58B8AD11E03746.
Data Base Updated

Notice
------
                              * IMPORTANT *

Revocation was successful. You must run 'gen-crl' and upload a new CRL to your
infrastructure in order to prevent the revoked certificate from being accepted.
  • Generate a CRL:
tct@home:~/git/easy-rsa/test/installed/test$ easyrsa --days=180 gen-crl
* Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020

* Using Easy-RSA configuration: /home/tct/git/easy-rsa/test/installed/test/pki/vars

Using configuration from /home/tct/git/easy-rsa/test/installed/test/pki/dcff3adb/temp.b933b47d

Notice
------
An updated CRL has been created.
CRL file: /home/tct/git/easy-rsa/test/installed/test/pki/crl.pem
  • Show CRL details, notice validity of CRL is 180 days (default):
tct@home:~/git/easy-rsa/test/installed/test$ easyrsa show-crl
* Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020

* Using Easy-RSA configuration: /home/tct/git/easy-rsa/test/installed/test/pki/vars


Notice
------
Showing crl details for: 'crl'

This file is stored at:
* /home/tct/git/easy-rsa/test/installed/test/pki/crl.pem

Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = wiscii
        Last Update: Aug 31 12:03:03 2022 GMT
        Next Update: Feb 27 12:03:03 2023 GMT
        CRL extensions:
            X509v3 Authority Key Identifier: 
                keyid:75:39:4E:8B:2A:29:68:BE:02:53:DF:AF:CF:25:D5:60:A9:C6:25:77
                DirName:/CN=wiscii
                serial:65:A6:32:F0:61:59:A8:4A:EB:92:66:61:24:BF:3A:3F:8F:4E:75:E1

Revoked Certificates:
    Serial Number: DEED6DFCCC840B5D8A58B8AD11E03746
        Revocation Date: Aug 31 12:02:46 2022 GMT
    Signature Algorithm: sha256WithRSAEncryption

I like this, a lot.

@TinCanTech TinCanTech changed the title Option --days should not set $EASYRSA_CRL_DAYS Option --days can be used as an alias for all commands which have a validity period Aug 31, 2022
@TinCanTech TinCanTech modified the milestones: 3.1.2 branch, v3.1.1-RC1 Aug 31, 2022
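The alias handler sketched in the two comments above, rewritten as a stand-alone POSIX sh example (added here; this is not easy-rsa's own code). The function names `valid_days`, `set_validity` and `parse_days_option` are hypothetical; the one deliberate extension over the snippet's `(*[!1234567890]*|0*)` guard is that an empty value (`--days=`) is also rejected, so the accept/reject behaviour of each edge case can be exercised directly.

```shell
#!/bin/sh
# Added example, not easy-rsa's code. Reproduces the "--days is an alias for
# whichever number of days is required" approach from the issue.

# Day count guard: digits only, no leading zero. The empty-string branch is an
# addition to the pattern shown in the issue. Returns 0 when valid, 1 otherwise.
valid_days() {
    case "$1" in
        ''|*[!0123456789]*|0*) return 1 ;;
    esac
    return 0
}

# Every day-count option sets all four validity variables to the same value,
# exactly as the "even more radical approach" does; the command that runs
# afterwards picks the variable pertinent to it (CA, cert, CRL or renew).
set_validity() {
    opt=$1
    val=$2
    case "$opt" in
    --days|--ca-days|--cert-days|--crl-days|--renew-days)
        if ! valid_days "$val"; then
            printf '%s - Number expected: %s\n' "$opt" "'$val'" >&2
            return 1
        fi
        export EASYRSA_CA_EXPIRE="$val"
        export EASYRSA_CERT_EXPIRE="$val"
        export EASYRSA_CRL_DAYS="$val"
        export EASYRSA_CERT_RENEW="$val"
        ;;
    *)
        printf 'unknown option: %s\n' "$opt" >&2
        return 1 ;;
    esac
}

# Split "--days=1095" into option and value and apply it (hypothetical helper).
parse_days_option() {
    case "$1" in
        *=*) set_validity "${1%%=*}" "${1#*=}" ;;
        *)   printf 'missing =value: %s\n' "$1" >&2; return 1 ;;
    esac
}
```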