I know it's the project of OpenVPN devs, and they've consistently chosen a half-baked, poorly implemented, horrendously maintained, half-assed openssl implementation.
- Finally, after years, they decided to update it to version 3 and still couldn't manage to properly implement CN requirements or SANs by default (
easy-rsa
supports them, but they're buried, and last I checked ~a month ago, were still not working correctly)
My philosophy: when doing something, take the time to do it right the first time around, and don't settle for half-assedness simply because it's easier or more convenient...
- I would have thought OpenVPN devs would have taken the time to properly implement the correct certificate requirements in Easy-RSA v3, which they chose not to do.
I'd have to do some research to dig up the exact RFC number, but ~20 years ago it was stipulated in an RFC the CN must not contain an IP or DNS due to it being actively exploitable via an MITM exploit, and until Easy-RSA v3 was released, it only supported an IP or DNS as the CN, and that was still the default in v3 when I last checked around a month ago.
Easy-RSA was always intended to be half-baked and poorly implemented, put out there as a simple way to create certificates for the devs' main project, regardless if the resultant certificates were properly created or not.
Perhaps in the last month or so Easy-RSA v3 added SANs as the default method, prevented IPs and DNS' from being utilized in the CN, and ensured the correct KUs and EKUs are set, but the fact Easy-RSA either never supported these, or didn't set them to default in v3 (as of around a month ago), means I will never recommend them and will always actively advocate to never utilize Easy-RSA.
- I, or any user for that matter, should not have to routinely check their GtHub issues page to ensure they've properly implemented the most basic of options for a SSL cert... the fact Easy-RSA has existed for years and has never managed to create a proper certificate (correct KUs & EKUs, utilizing SANs, preventing IP/DNS in CN, etc.) means Easy-RSA should not be trusted by anyone to properly create a certificate, as Easy-RSA has consistently demonstrated it should not be trusted to do so.
On a side note, with respect to OpenWrt, it's more convenient, and efficient, for an OpenWrt user to utilize openssl
directly via an openssl.cnf
for their certificate management, as it then empowers them to create a main CA for their router, utilize that CA to digitally sign their LuCI cert (as uhttpd
's default implementation of generating a self-signed cert is not secure and therefore not acceptable... again, do it right the first time around), digitally sign an ICA for their VPN server, and utilize that ICA to sign their VPN certs.