On 2015/10/25 17:26, Jona Joachim wrote:
> reyk@ fixed this for iked by having the code generate a temporary
> configuration file for openssl(1) which has the correct variables set.

That's good for iked, but doesn't help the scripts in the wild that rely on this. Since the commands for certificate operations outside of the basic "generate a webserver cert for a single hostname" are so arcane, people rely on published recipes and scripts to do this all the time, and at least in the ones I've found relating to VPN cert generation (IPsec and others), and for subjectAltName for servers with multiple hostnames, it's pretty common to use variables.

BTW, http://www.carbonwind.net/VPN/XCA_OpenVPN/XCA_OpenVPN.htm has an example of how to use XCA (GUI for PKI operations) to generate certs for OpenVPN; this might be a workable alternative to easy-rsa for some.
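
The temporary-configuration approach mentioned in the quoted text, sketched for a script that needs subjectAltName for several hostnames. This is an added example, not part of the original post and not iked's code; the function name `write_san_cnf` and the hostnames are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: write a throwaway openssl(1) config that contains literal
# values, instead of relying on variable expansion inside openssl.cnf.

# write_san_cnf CN [ALTNAME...]
# Prints the path of the generated config file; returns 1 on bad input.
write_san_cnf() {
    san=
    for h in "$@"; do
        # Accept plain hostnames only, so a caller-supplied value cannot
        # smuggle newlines, extra directives or sections into the config.
        case $h in
            ''|*[!A-Za-z0-9.-]*) echo "bad hostname: $h" >&2; return 1 ;;
        esac
        san="${san:+$san,}DNS:$h"
    done
    [ -n "$san" ] || { echo "usage: write_san_cnf CN [ALTNAME...]" >&2; return 1; }

    # mktemp creates the file with a unique name, readable by the owner only.
    cnf=$(mktemp "${TMPDIR:-/tmp}/openssl-req.XXXXXXXXXX") || return 1

    cat > "$cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = $1

[ v3_req ]
subjectAltName = $san
EOF
    printf '%s\n' "$cnf"
}

# Usage (constructed sample hostnames):
#   cnf=$(write_san_cnf vpn.example.org gw1.example.org) &&
#   openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
#       -keyout server.key -out server.csr
#   rm -f "$cnf"
```

The strict hostname check also rejects wildcard names; widen it deliberately if a script needs them.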
