# Install easy-rsa with Homebrew, apk, apt, dnf, MacPorts, pacman, zypper, Nix, scoop

CLI utility to build and manage a PKI CA. Version 3.2.6 via Homebrew; verified 2026-06-22.

## Install

```sh
sudo av install brew:easy-rsa
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install easy-rsa
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install easy-rsa
```

  Evidence: MacPorts ports tree: security/easy-rsa/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add easy-rsa
```

  Evidence: Alpine Linux edge package indexes: easy-rsa from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz

- Debian apt (92%):

```sh
sudo apt install easy-rsa
```

  Evidence: Debian stable package indexes: easy-rsa from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install easy-rsa
```

  Evidence: Fedora Rawhide package metadata: easy-rsa from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- pacman (92%):

```sh
sudo pacman -S easy-rsa
```

  Evidence: Arch Linux sync databases: easy-rsa from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

- zypper (92%):

```sh
sudo zypper install easy-rsa
```

  Evidence: openSUSE Tumbleweed package metadata: easy-rsa from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#easyrsa
```

  Evidence: nixpkgs package indexes: pkgs/by-name/ea/easyrsa/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

### Windows

- Scoop (92%):

```sh
scoop install extras/easyrsa
```

  Evidence: Scoop official bucket manifest trees: bucket/easyrsa.json from https://api.github.com/repos/ScoopInstaller/Extras/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:easy-rsa
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/easy-rsa>
- **Version:** 3.2.6
- **Source summary:** CLI utility to build and manage a PKI CA
- **Homepage:** <https://github.com/OpenVPN/easy-rsa>
- **Repository:** <https://github.com/OpenVPN/easy-rsa>
- **Upstream docs:** <https://github.com/OpenVPN/easy-rsa#readme>
- **License:** GPL-2.0-only
- **Source archive:** <https://github.com/OpenVPN/easy-rsa/releases/download/v3.2.6/EasyRSA-3.2.6.tgz>
- **Last updated:** 2026-06-22T14:03:13-07:00
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- easyrsa (cli)
- easyrsa (alias)

## Dependencies

- openssl@4

## Install behavior

- Post-install hook: not defined
- Caveats: By default, keys will be created in: $HOMEBREW_PREFIX/etc/easy-rsa/pki The configuration may be modified by editing and renaming: $HOMEBREW_PREFIX/etc/easy-rsa/vars.example
- Bottle: available on all

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 3.2.6
- Package-manager updated: 2026-06-22
- Local data: ok
- Upstream repository: https://github.com/OpenVPN/easy-rsa
- info: No cached GitHub release or tag data was available.
## Project history and usage

Easy-RSA is OpenVPN's shell-based CLI utility for creating and managing a small X.509 public key infrastructure. It is best known as the practical certificate-authority helper that many OpenVPN administrators install when they need to generate a CA, server/client certificates, requests, and certificate revocation lists without operating a full CA platform.

### Project history

Easy-RSA originated in the OpenVPN ecosystem and still co-exists with OpenVPN development while remaining a separate project. The official README describes current development on the 3.x release cycle and keeps prior 2.x and 1.x lines as release branches for tracking and possible back-porting.

The 3.x documentation describes a portable POSIX shell implementation with OpenSSL as the cryptographic backend. Easy-RSA 3 changed the configuration model from older versions: it can run with built-in defaults and no mandatory config file, while optional settings can come from command-line options, environment variables, or a `vars` file.

The tool's long-lived value is its narrowness. It does not try to be a web CA, enterprise PKI service, or certificate inventory system. It gives OpenVPN and TLS administrators a scriptable way to initialize a `pki` directory, build a CA, import certificate requests, sign client/server/intermediate certificates, revoke certificates, and generate CRLs.

### Adoption history

Easy-RSA became widely packaged because OpenVPN deployments frequently need a local certificate authority. The input source facts show package-manager coverage across Homebrew, Debian, Ubuntu, Fedora/DNF, Arch/pacman, Alpine, openSUSE/zypper, MacPorts, Nix, and Scoop.

That packaging footprint is the adoption story: Easy-RSA is not a flashy standalone application, but it is the small utility administrators expect to find next to OpenVPN in OS package repositories. Homebrew packages the official release tarball from GitHub, and the README points users to GitHub releases or named tags for downloads.

Easy-RSA 3 remains active enough for OpenSSL 3 compatibility concerns to shape branch status. The README marks older 3.0.x and release/2.x branches as not compatible with OpenSSL 3, while master tracks the 3.2.x rolling line.

### How it is used

The quickstart flow is the classic CA workflow: run `easyrsa init-pki`, `easyrsa build-ca`, generate a keypair/request on the requesting system, import the request on the CA system, sign it as a client/server/CA type, and move the signed certificate back to the requester.

Operational commands cover revocation and CRL publication (`easyrsa revoke`, `easyrsa gen-crl`), Diffie-Hellman parameter generation, request/certificate inspection, and private-key passphrase changes. The documentation recommends using releases rather than the rolling master branch.

Easy-RSA stores generated CA state in the `pki` directory, including CA certificates, private keys, serial numbers, issued certificates, request files, and revocation data. That makes the package easy to understand and easy to back up, but also puts responsibility for private-key handling on the administrator.

### Why package nerds care

Easy-RSA matters to package nerds because it is a tiny utility with an outsized operational footprint. A single shell script plus OpenSSL became the common path for bootstrapping PKI in OpenVPN environments across many Unix distributions.

It is also a reminder that important packages are not always daemons or libraries. Sometimes the historically important package is a CLI that administrators run only when they provision, rotate, or revoke certificates, then leave untouched for months.

### Timeline

- Pre-3.x: Easy-RSA 1.x and 2.x existed as earlier OpenVPN-era release branches.
- 3.x: Easy-RSA moved to the current POSIX shell/OpenSSL-backed project line with optional `vars` configuration and built-in defaults.
- 2025: Homebrew packages Easy-RSA 3.2.x from official GitHub release tarballs.
- 2026: The official README tracks master as the active 3.2.x rolling development branch and marks older 3.0/2.x/1.x lines as archived or unmaintained.

### Related projects

- OpenVPN is the adjacent VPN project and community context in which Easy-RSA is documented and supported.
- OpenSSL is the cryptographic backend used for certificate and key operations.
- X.509 PKI, certificate revocation lists, certificate signing requests, and intermediate CAs are the standards and workflows Easy-RSA automates.

### Sources

- <https://github.com/OpenVPN/easy-rsa>
- <https://github.com/OpenVPN/easy-rsa/blob/master/README.quickstart.md>
- <https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Readme.md>
- <https://formulae.brew.sh/api/formula/easy-rsa.json>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: pki/vars, vars
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** easy-rsa
- **Version Scheme:** 0
- **Revision:** 1
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Debian apt - easy-rsa - 3.2.2-1: normalized package name match | Debian stable package indexes: easy-rsa from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Simple shell based CA utility | https://github.com/OpenVPN/easy-rsa
- Ubuntu apt - easy-rsa - 3.1.7-2: normalized package name match | Ubuntu 24.04 LTS package indexes: easy-rsa from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | Simple shell based CA utility | https://github.com/OpenVPN/easy-rsa
- apk - easy-rsa - 3.2.5-r0: normalized package name match | Alpine Linux edge package indexes: easy-rsa from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Simple shell based CA utility | https://github.com/OpenVPN/easy-rsa
- apk - easy-rsa-doc - 3.2.5-r0: normalized package name match | Alpine Linux edge package indexes: easy-rsa-doc from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz | Simple shell based CA utility (documentation) | https://github.com/OpenVPN/easy-rsa
- dnf - easy-rsa - 3.2.6-1.fc45: normalized package name match | Fedora Rawhide package metadata: easy-rsa from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Simple shell based CA utility | https://github.com/OpenVPN/easy-rsa
- pacman - easy-rsa - 3.2.6-1: normalized package name match | Arch Linux sync databases: easy-rsa from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | Simple shell based CA utility | https://github.com/OpenVPN/easy-rsa
- zypper - easy-rsa - 3.2.6-1.1: normalized package name match | openSUSE Tumbleweed package metadata: easy-rsa from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | CLI utility to build and manage a PKI CA | https://github.com/OpenVPN/easy-rsa
- MacPorts - easy-rsa: normalized package name match | MacPorts ports tree: security/easy-rsa/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
- Nix - easyrsa: installed executable or alias match | nixpkgs package indexes: pkgs/by-name/ea/easyrsa/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- Scoop - extras/easyrsa: installed executable or alias match | Scoop official bucket manifest trees: bucket/easyrsa.json from https://api.github.com/repos/ScoopInstaller/Extras/git/trees/master?recursive=1


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Developer build packages](https://www.automicvault.com/pkg/developer-build-tools/) - Matched build, compiler, generator, or developer workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [openssl@4](https://www.automicvault.com/pkg/brew/openssl-4/) - Runtime dependency declared by Homebrew.
- [certstrap](https://www.automicvault.com/pkg/brew/certstrap/) - Shares av.db curated category or tags: certificate-authority, certificates, cli, pki, security.
- [fetch-crl](https://www.automicvault.com/pkg/brew/fetch-crl/) - Shares av.db curated category or tags: certificates, cli, openssl, pki, security.
- [minica](https://www.automicvault.com/pkg/brew/minica/) - Shares av.db curated category or tags: certificate-authority, certificates, cli, pki, security.
- [cfssl](https://www.automicvault.com/pkg/brew/cfssl/) - Shares av.db curated category or tags: certificates, cli, pki, security.
- [redwax-tool](https://www.automicvault.com/pkg/brew/redwax-tool/) - Shares av.db curated category or tags: certificates, cli, pki, security.
- [crip](https://www.automicvault.com/pkg/brew/crip/) - Shares av.db curated category or tags: certificates, cli, security.
- [gimmecert](https://www.automicvault.com/pkg/brew/gimmecert/) - Shares av.db curated category or tags: certificate-authority, certificates, cli, security.
- [nss](https://www.automicvault.com/pkg/brew/nss/) - Shares av.db curated category or tags: cli, pki, security.
- [pwsafe](https://www.automicvault.com/pkg/brew/pwsafe/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, manage, openssl, openssl-4, security.

## Combined YAML source

View the package source record on GitHub. [combined/easy-rsa.yml](https://github.com/automic-vault/db/blob/main/combined/easy-rsa.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
