Improve docs: add Upgrade-Notes; add online support refs

Upgrade-Notes includes v2 to v3 upgrade changes that users should be
aware of.

The updated top-level README helps point users to online support
locations.

Signed-off-by: Josh Cepek <[email protected]>

README

@@ -1,13 +1,3 @@
-STRUCTURE:
-
-The easy-rsa master branch is currently tracking development for the 3.x release
-cycle. The prior 2.x and 1.x versions are available as release branches for
-tracking and possible back-porting of relevant fixes. Branch layout is:
-
-  release/1.x
-  release/2.x
-  master <- 3.x, at present
-
 DOWNLOADS:
 
 If you are looking for release downloads, please see the releases section on
@@ -20,4 +10,25 @@ the more detailed docs under the doc/ directory. The .md files are in Markdown
 format and can be converted to html files as desired for release packages, or
 read as-is in plaintext.
 
+GETTING HELP USING EASY-RSA:
+
+Currently, Easy-RSA development co-exists with OpenVPN even though they are
+separate projects. The following resources are good places as of this writing to
+seek help using Easy-RSA:
+
+The openvpn-users mailing list is a good place to post usage or help questions:
+https://lists.sourceforge.net/lists/listinfo/openvpn-users
+
+You can also try IRC at Freenode/#openvpn
+
+BRANCH STRUCTURE:
+
+The easy-rsa master branch is currently tracking development for the 3.x release
+cycle. The prior 2.x and 1.x versions are available as release branches for
+tracking and possible back-porting of relevant fixes. Branch layout is:
+
+  master <- 3.x, at present
+  release/2.x
+  release/1.x
+
 LICENSING info for 3.x is in the COPYING file

doc/EasyRSA-Upgrade-Notes.md

@@ -0,0 +1,52 @@
+Upgrading to Easy-RSA 3 from earlier versions
+=========
+
+People upgrading to Easy-RSA 3 from a 2.x version should note some important
+changes start with version 3. For a better overview of version 3 in general, see
+the Readme in the doc/ directory.
+
+List of important changes
+----
+
+ * nsCertType extensions are no longer included by default. Use of such
+   "Netscape" attributes have been deprecated upstream and their use is
+   discouraged. Configure `EASYRSA_NS_SUPPORT` in vars if you want to enable
+   this legacy behavior.
+
+   Notably, this is important for OpenVPN deployments relying on the
+   `--ns-cert-type` directive. Either have OpenVPN use the preferred
+   `--remote-cert-tls` option, or enable legacy NS extensions.
+
+ * The default request Subject (or DN, Distinguished Name) includes just the
+   commonName. This is more suitable for VPNs and environments that don't wish
+   to include info about the Country/State/City/Org/OU in certs. Configure
+   `EASYRSA_DN` in vars if you want to enable the legacy behavior.
+
+ * The 3.0 release lacks PKCS#11 (smartcard/token) support. This is anticipated
+   to be supported in a future point-release to target each platform's need.
+
+Some new concepts
+----
+
+Easy-RSA 3 has some new concepts compared to the prior v2 series.
+
+### Request-Import-Sign workflow
+
+  v3 is now designed to support keypairs generated on the target system where
+  they will be used, thus improving security as no keys need to be transferred
+  between hosts. The old workflow of generating everything in a single PKI is
+  still supported as well.
+
+  The recommended workflow when using Easy-RSA as a CA is to import requests,
+  sign them, and return the issued & CA certs. Each requesting system can use
+  Easy-RSA without a CA to generate keypairs & requests.
+
+### "Org"-style DN flexibility
+
+  When using Easy-RSA in the "org" DN mode, it is no longer required to match
+  some of the field values. This improves flexibility, and enables easier remote
+  generation as the requester doesn't need to know the CA's values in advance.
+
+  Previously in v2, the Country, State, and Org values all had to match or a
+  request couldn't be signed. If you want the old behavior your can change the
+  OpenSSL config to require it or simply look over the DN at signing time.