ChangeLog: Introduce global option --san-crit, mark SAN critical

Signed-off-by: Richard T Bonhomme <[email protected]>

ChangeLog

@@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog
 
 3.2.1 (TBD)
 
+   * Introduce global option --san-crit, mark SAN critical (dd69f50) (#1179)
    * gen-req: Always check for existing request file (7eab98e) (#1177)
    * revoke/revoke-expired/-renewed: Keep duplicate certificate (3da7f66) (#1177)
    * revoke-expired/-renewed: Keep req/key files for resigning (4537ae7) (#1177)

easyrsa3/easyrsa

@@ -611,6 +611,7 @@ Certificate & Request options: (these impact cert/req field values)
 --san|--subject-alt-name=SUBJECT_ALT_NAME
                 : Add a subjectAltName. Can be used multiple times.
                   For more info and syntax, see: 'easyrsa help altname'
+--san-crit      : Mark X509v3 subjectAltName as critical
 
 --new-subject='SUBJECT'
                 : Specify a new subject field to sign a request with.
@@ -2546,6 +2547,7 @@ Failed to create temp extension file (bad permissions?) at:
 	verbose "sign_req: Generated extensions file OK"
 
 	# Get request CN
+	# EASYRSA_REQ_CN MUST always be set to the CSR CN
 	EASYRSA_REQ_CN="$(
 		"$EASYRSA_OPENSSL" req -utf8 -in "$req_in" -noout \
 			-subject -nameopt multiline | grep 'commonName'
@@ -5461,16 +5463,16 @@ while :; do
 				EASYRSA_SAN="$val"
 			fi
 			;;
+		--san-crit*)
+			empty_ok=1
+			export EASYRSA_SAN_CRIT='critical,'
+			;;
 		--new-subj*)
 			export EASYRSA_NEW_SUBJECT="$val"
 			;;
 		--usefn)
 			export EASYRSA_P12_FR_NAME="$val"
 			;;
-		--san-crit*)
-			empty_ok=1
-			export EASYRSA_SAN_CRIT='critical,'
-			;;
 		--tools)
 			export EASYRSA_TOOLS_LIB="$val"
 			;;