renew: Move SAN critical into SAN detected step

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
OpenVPN · Jul 29, 2024 · 81256ce · 81256ce
1 parent 30fe311
commit 81256ce
Showing 1 changed file with 9 additions and 8 deletions.
diff --git a/dev/easyrsa-tools.lib b/dev/easyrsa-tools.lib
@@ -1007,14 +1007,6 @@ Cannot renew this certificate, a conflicting file exists:
 	# Extract certificate usage from old cert
 	ssl_cert_x509v3_eku "$crt_in" cert_type
 
-	# --san-crit
-	unset -v EASYRSA_SAN_CRIT
-	if grep -q 'X509v3 Subject Alternative Name: critical' "$crt_in"
-	then
-		export EASYRSA_SAN_CRIT='critical,'
-		verbose "renew: --san-crit ENABLED"
-	fi
-
 	# Use SAN from old cert ONLY
 	if grep 'X509v3 Subject Alternative Name' "$crt_in"; then
 		EASYRSA_SAN="$(
@@ -1025,6 +1017,15 @@ Cannot renew this certificate, a conflicting file exists:
 		)" || die "renew - EASYRSA_SAN: easyrsa_openssl subshell"
 		verbose "renew: EASYRSA_SAN: ${EASYRSA_SAN}"
 
+		# --san-crit
+		unset -v EASYRSA_SAN_CRIT
+		if grep -q 'X509v3 Subject Alternative Name: critical' \
+			"$crt_in"
+		then
+			export EASYRSA_SAN_CRIT='critical,'
+			verbose "renew: --san-crit ENABLED"
+		fi
+
 		export EASYRSA_EXTRA_EXTS="\
 $EASYRSA_EXTRA_EXTS
 subjectAltName = ${EASYRSA_SAN_CRIT}${EASYRSA_SAN}"