1 files changed, 18 insertions, 2 deletions

diff --git a/pkgs/tools/networking/easyrsa/default.nix b/pkgs/tools/networking/easyrsa/default.nix
index 740a9935ca35..1591bff41c8f 100644
--- a/pkgs/tools/networking/easyrsa/default.nix
+++ b/pkgs/tools/networking/easyrsa/default.nix
@@ -8,10 +8,11 @@ stdenv.mkDerivation rec {
     owner = "OpenVPN";
     repo = "easy-rsa";
     rev = "v${version}";
-    sha256 = "sha256-zdVcT04nj7eE1a6M7WHeWpwG/TVTwyK+WgD70XwPXfY=";
+    hash = "sha256-zdVcT04nj7eE1a6M7WHeWpwG/TVTwyK+WgD70XwPXfY=";
   };
 
   nativeBuildInputs = [ makeWrapper ];
+  nativeInstallCheckInputs = [ openssl.bin ];
 
   installPhase = ''
     mkdir -p $out/share/easy-rsa
@@ -26,7 +27,7 @@ stdenv.mkDerivation rec {
 
     # Wrap it with the correct OpenSSL binary.
     wrapProgram $out/bin/easyrsa \
-      --set EASYRSA_OPENSSL ${openssl.bin}/bin/openssl
+      --set-default EASYRSA_OPENSSL ${openssl.bin}/bin/openssl
 
     # Helper utility
     cat > $out/bin/easyrsa-init <<EOF
@@ -36,6 +37,21 @@ stdenv.mkDerivation rec {
     chmod +x $out/bin/easyrsa-init
   '';
 
+  doInstallCheck = true;
+  postInstallCheck = ''
+    set -euo pipefail
+    export EASYRSA_BATCH=1
+    export EASYRSA_PASSIN=pass:nixpkgs
+    export EASYRSA_PASSOUT="$EASYRSA_PASSIN"
+    export EASYRSA_REQ_CN='nixpkgs test CA'
+    export EASYRSA_KEY_SIZE=3072
+    export EASYRSA_ALGO=rsa
+    export EASYRSA_DIGEST=sha512
+    $out/bin/easyrsa init-pki
+    $out/bin/easyrsa build-ca
+    openssl x509 -in pki/ca.crt -noout -subject | tee /dev/stderr | grep -zq "$EASYRSA_REQ_CN"
+  '';
+
   meta = with lib; {
     description = "Simple shell based CA utility";
     homepage = "https://openvpn.net/";