macOS
brew install easy-rsalocal Homebrew formula metadata
sudo port install easy-rsaMacPorts ports tree · security/easy-rsa/Portfile · source: api.github.com
brew
CLI utility to build and manage a PKI CA. Version 3.2.6 via Homebrew; verified 2026-06-22.
install
brew install easy-rsalocal Homebrew formula metadata
sudo port install easy-rsaMacPorts ports tree · security/easy-rsa/Portfile · source: api.github.com
sudo apk add easy-rsaAlpine Linux edge package indexes · easy-rsa · source: dl-cdn.alpinelinux.org
sudo apt install easy-rsaDebian stable package indexes · easy-rsa · source: deb.debian.org
sudo dnf install easy-rsaFedora Rawhide package metadata · easy-rsa · source: dl.fedoraproject.org
sudo pacman -S easy-rsaArch Linux sync databases · easy-rsa · source: geo.mirror.pkgbuild.com
sudo zypper install easy-rsaopenSUSE Tumbleweed package metadata · easy-rsa · source: download.opensuse.org
nix profile install nixpkgs#easyrsanixpkgs package indexes · pkgs/by-name/ea/easyrsa/package.nix · source: api.github.com
scoop install extras/easyrsaScoop official bucket manifest trees · bucket/easyrsa.json · source: api.github.com
overview
CLI utility to build and manage a PKI CA
history
Easy-RSA is OpenVPN's shell-based CLI utility for creating and managing a small X.509 public key infrastructure. It is best known as the practical certificate-authority helper that many OpenVPN administrators install when they need to generate a CA, server/client certificates, requests, and certificate revocation lists without operating a full CA platform.
Easy-RSA originated in the OpenVPN ecosystem and still co-exists with OpenVPN development while remaining a separate project. The official README describes current development on the 3.x release cycle and keeps prior 2.x and 1.x lines as release branches for tracking and possible back-porting.
The 3.x documentation describes a portable POSIX shell implementation with OpenSSL as the cryptographic backend. Easy-RSA 3 changed the configuration model from older versions: it can run with built-in defaults and no mandatory config file, while optional settings can come from command-line options, environment variables, or a `vars` file.
The tool's long-lived value is its narrowness. It does not try to be a web CA, enterprise PKI service, or certificate inventory system. It gives OpenVPN and TLS administrators a scriptable way to initialize a `pki` directory, build a CA, import certificate requests, sign client/server/intermediate certificates, revoke certificates, and generate CRLs.
Easy-RSA became widely packaged because OpenVPN deployments frequently need a local certificate authority. The input source facts show package-manager coverage across Homebrew, Debian, Ubuntu, Fedora/DNF, Arch/pacman, Alpine, openSUSE/zypper, MacPorts, Nix, and Scoop.
That packaging footprint is the adoption story: Easy-RSA is not a flashy standalone application, but it is the small utility administrators expect to find next to OpenVPN in OS package repositories. Homebrew packages the official release tarball from GitHub, and the README points users to GitHub releases or named tags for downloads.
Easy-RSA 3 remains active enough for OpenSSL 3 compatibility concerns to shape branch status. The README marks older 3.0.x and release/2.x branches as not compatible with OpenSSL 3, while master tracks the 3.2.x rolling line.
The quickstart flow is the classic CA workflow: run `easyrsa init-pki`, `easyrsa build-ca`, generate a keypair/request on the requesting system, import the request on the CA system, sign it as a client/server/CA type, and move the signed certificate back to the requester.
Operational commands cover revocation and CRL publication (`easyrsa revoke`, `easyrsa gen-crl`), Diffie-Hellman parameter generation, request/certificate inspection, and private-key passphrase changes. The documentation recommends using releases rather than the rolling master branch.
Easy-RSA stores generated CA state in the `pki` directory, including CA certificates, private keys, serial numbers, issued certificates, request files, and revocation data. That makes the package easy to understand and easy to back up, but also puts responsibility for private-key handling on the administrator.
Easy-RSA matters to package nerds because it is a tiny utility with an outsized operational footprint. A single shell script plus OpenSSL became the common path for bootstrapping PKI in OpenVPN environments across many Unix distributions.
It is also a reminder that important packages are not always daemons or libraries. Sometimes the historically important package is a CLI that administrators run only when they provision, rotate, or revoke certificates, then leave untouched for months.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
pki/varsvarsexecutables
| Command | Kind | Exposure | Note |
|---|---|---|---|
easyrsa | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/OpenVPN/easy-rsa
install metadata
| Package key | brew:easy-rsa |
|---|---|
| Version | 3.2.6 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/easy-rsa |
| Homepage | https://github.com/OpenVPN/easy-rsa |
| Repository | https://github.com/OpenVPN/easy-rsa |
| Upstream docs | https://github.com/OpenVPN/easy-rsa#readme |
| License | GPL-2.0-only |
| Source archive | https://github.com/OpenVPN/easy-rsa/releases/download/v3.2.6/EasyRSA-3.2.6.tgz |
| Last updated | 2026-06-22T14:03:13-07:00 |
| Pulse | updated |
| Dependencies | openssl@4 |
| Bottle | available (on all) |
| Homebrew post-install | not defined |
| Service | none declared |
| Caveats | By default, keys will be created in: $HOMEBREW_PREFIX/etc/easy-rsa/pki The configuration may be modified by editing and renaming: $HOMEBREW_PREFIX/etc/easy-rsa/vars.example |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | easy-rsa |
| Version Scheme | 0 |
| Revision | 1 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
easy-rsa 3.2.2-1
Simple shell based CA utility
https://github.com/OpenVPN/easy-rsa
sudo apt install easy-rsaeasy-rsa 3.1.7-2
Simple shell based CA utility
https://github.com/OpenVPN/easy-rsa
sudo apt install easy-rsaeasy-rsa 3.2.5-r0
Simple shell based CA utility
https://github.com/OpenVPN/easy-rsa
sudo apk add easy-rsaeasy-rsa-doc 3.2.5-r0
Simple shell based CA utility (documentation)
https://github.com/OpenVPN/easy-rsa
sudo apk add easy-rsa-doceasy-rsa 3.2.6-1.fc45
Simple shell based CA utility
https://github.com/OpenVPN/easy-rsa
sudo dnf install easy-rsaeasy-rsa 3.2.6-1
Simple shell based CA utility
https://github.com/OpenVPN/easy-rsa
sudo pacman -S easy-rsaeasy-rsa 3.2.6-1.1
CLI utility to build and manage a PKI CA
https://github.com/OpenVPN/easy-rsa
sudo zypper install easy-rsaeasy-rsa
sudo port install easy-rsaeasyrsa
nix profile install nixpkgs#easyrsaextras/easyrsa
scoop install extras/easyrsasource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.