doc: Revoke and Renew, update for Easy-RSA v3.2.1 - Partial renew CA

Signed-off-by: Richard T Bonhomme <[email protected]>

Author: TinCanTech

doc/EasyRSA-Renew-and-Revoke.md

@@ -6,7 +6,7 @@ with regard to Renewal and Revocation of Certificates.
 
 ## In summary:
 
- **Easy-RSA Version 3.1.7** provides the most flexible support of renewal.
+**Easy-RSA Version 3.1.7** provides the most flexible support of renewal.
 This includes command `rewind-renew`, which is required to recover certificates
 renewed by `renew` command version 1. However, this does **not** include renewing
 any supported certificate attributes.
@@ -33,7 +33,7 @@ The follow is an exhaustive list of available `reason` codes, with abbreviations
 ----
 
 Easy-RSA version 3.2.x
-----------------------
+======================
 For **Easy-RSA Version 3.2.0**, command `renew` is NOT supported.
 
 Please upgrade to Easy-RSA Version 3.2.1
@@ -75,11 +75,7 @@ to be edited the same way.
 ----
 
 Easy-RSA version 3.1.x
-----------------------
-
-**UPDATE**:
-The changes noted for Easy-RSA version 3.1.2 have all been included with
-Easy-RSA version 3.1.1 - See https://github.com/OpenVPN/easy-rsa/pull/688
+======================
 
 Command Details: `renew`
 ------------------------
@@ -190,4 +186,65 @@ an old certificate/key pair, which has been _rebuilt_ by command `rebuild`.
 Renew CA Certificate
 ====================
 
-TBD
+Easy-RSA Version 3.2.1+ supports a simple way to effectively renew a CA Certificate.
+
+**Preamble** - Specifically for use with OpenVPN:
+
+When a CA certificate expires it must be replaced, this is unavoidable.
+No matter what method is used to create a new or renewed CA certificate,
+that CA certificate must be distributed to all of your servers and clients.
+
+Please consider the method outlined here, which requires very little work:
+
+1. **Before you do anything else -- Make a BACKUP of your current PKI.**
+
+2. Use command `init-pki soft`
+
+   This will reset your current PKI but will keep your `vars` setting file
+   and your current Request files [CSR], in the `pki/reqs` directory.
+
+   If you have an Easy-RSA generated TLS key for OpenVPN, that will also be
+   preserved. However, it will NOT be used for new `inline` files. The file
+   `pki/private/easyrsa-tls.key` will be moved to `pki/easyrsa-keepsafe-tls.key`,
+   for safe keeping. Easy-RSA will display a warning that this key is still
+   valid and possibly in use, before allowing another TLS key to be generated.
+
+3. Use command `build-ca`
+
+   (With or without password and other preferences)
+
+   This will build a completely new CA Certificate and private key.
+
+   Use option `--days` to extend the lifetime of your new CA.
+
+4. Use command `sign-req <TYPE> <NAME>`
+
+   (With or without other preferences, password is not relavent)
+
+   This will use an existing Request to sign a new Certificate.
+
+   This will NOT generate a new Private Key for each new Certificate.
+
+   This will generate new `inline` files that can be distributed publicly.
+   These `inline` files will not contain any security sensitive data.
+
+   This means that you will have a new CA certificate and private key.
+   And signed certificates for all of your users, including servers.
+
+5. Distribute the new `inline` files to all members of your PKI/VPN.
+
+   These new `inline` files will not contain the user private key or the
+   OpenVPN Pre-shared TLS key.
+
+   These new `inline` files can be used by OpenVPN, examples below:
+
+   * specify: `--config <INLNE-FILE>` in the OpenVPN user config file.
+   * Use copy/paste to add the new details to the OpenVPN user config file.
+   * Use `cat` to append the `inline` file to the OpenVPN user config file.
+
+   Note:
+   `inline` files in the `pki/inline/private` directory include security keys,
+   which MUST only be transmitted over a secure connection, such as `https`.
+
+   As of Easy-RSA Version 3.2.1, this is the only supported way to renew an
+   expired CA certificate.