diff --git a/security/easy-rsa/Makefile b/security/easy-rsa/Makefile
index d603acdba2f1..6ae64ff70223 100644
--- a/security/easy-rsa/Makefile
+++ b/security/easy-rsa/Makefile
@@ -1,49 +1,50 @@
 PORTNAME=	easy-rsa
-DISTVERSION=	3.1.7
+DISTVERSION=	3.2.0
 CATEGORIES=	security net-mgmt
 MASTER_SITES=	https://github.com/OpenVPN/easy-rsa/releases/download/v${DISTVERSION}/ \
 		LOCAL/mandree/
 DISTNAME=	EasyRSA-${DISTVERSION}
 
 MAINTAINER=	mandree@FreeBSD.org
 COMMENT=	Small RSA key management package based on openssl
 WWW=		https://github.com/OpenVPN/easy-rsa
 
 LICENSE=	GPLv2
 
 USES=		tar:tgz
 
 CONFLICTS_INSTALL=easy-rsa2
 
 NO_BUILD=	yes
 NO_ARCH=	yes
 
 WRKSRC=		${WRKDIR}/EasyRSA-${DISTVERSION}
 
 OPTIONS_DEFINE=		DOCS EXAMPLES
 
 PORTDATA=	x509-types/
 _pd_files=	ChangeLog COPYING.md README.md README.quickstart.md mktemp.txt
 _pd_dirs=	doc/
 PORTDOCS=	${_pd_files} ${_pd_dirs}
+SUB_FILES=	pkg-message
 
 do-install:
 		${MKDIR} ${STAGEDIR}${PREFIX}/bin
 		${MKDIR} ${STAGEDIR}${DATADIR}/x509-types/
 		${INSTALL_SCRIPT} ${WRKSRC}/easyrsa ${STAGEDIR}${PREFIX}/bin/
 		${LN} -fh ${STAGEDIR}${PREFIX}/bin/easyrsa ${STAGEDIR}${PREFIX}/bin/easy-rsa
 		${INSTALL_DATA} ${WRKSRC}/vars.example ${STAGEDIR}${DATADIR}/
 		${INSTALL_DATA} ${WRKSRC}/openssl-easyrsa.cnf ${STAGEDIR}${DATADIR}/openssl-easyrsa.cnf.example
 		(cd ${WRKSRC}/x509-types/ && ${COPYTREE_SHARE} . ${STAGEDIR}${DATADIR}/x509-types/)
 
 do-install-DOCS-on:
 		${MKDIR} ${STAGEDIR}${DOCSDIR}
 .for i in ${_pd_files}
 		${INSTALL_DATA} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}
 .endfor
 .for i in ${_pd_dirs}
 		${MKDIR} ${STAGEDIR}${DOCSDIR}/${i}
 		(cd ${WRKSRC}/${i} && ${COPYTREE_SHARE} . ${STAGEDIR}${DOCSDIR}/${i})
 .endfor
 
 .include <bsd.port.mk>
diff --git a/security/easy-rsa/distinfo b/security/easy-rsa/distinfo
index 2c6d7f89d628..672e1f43a5c9 100644
--- a/security/easy-rsa/distinfo
+++ b/security/easy-rsa/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1697487333
-SHA256 (EasyRSA-3.1.7.tgz) = aaa48fadcbb77511b9c378554ef3eae09f8c7bc149d6f56ba209f1c9bab98c6e
-SIZE (EasyRSA-3.1.7.tgz) = 81373
+TIMESTAMP = 1716037822
+SHA256 (EasyRSA-3.2.0.tgz) = db8164165a109bf1f6dbf578c3341349821bb4fde5629398d82918330134b43c
+SIZE (EasyRSA-3.2.0.tgz) = 73675
diff --git a/security/easy-rsa/files/pkg-message.in b/security/easy-rsa/files/pkg-message.in
new file mode 100644
index 000000000000..698bf9ad17fb
--- /dev/null
+++ b/security/easy-rsa/files/pkg-message.in
@@ -0,0 +1,15 @@
+
+NOTE: easyrsa will require you to initialize a PKI upon first use.
+
+ONLY for the very first run for a new PKI, do something such as this,
+assuming you will have its data in $HOME/my_new_pki:
+
+  easyrsa --pki-dir=$HOME/my_new_pki init-pki # DANGEROUS - DESTROYS ~/my_new_pki
+
+See %%PREFIX%%/share/doc/easy-rsa/README.quickstart.md for further information.
+
+An on-line help is available, you can run:
+
+  easyrsa help          # for help on commands
+  easyrsa help options  # for help on options
+
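Review bot: The pointer to `%%PREFIX%%/share/doc/easy-rsa/README.quickstart.md` is printed unconditionally, but the Makefile in this same commit installs the `_pd_files` (which include README.quickstart.md) only under `do-install-DOCS-on`. A package built with DOCS off therefore directs the user to a file that is not there, right after a line warning that `init-pki` destroys the target directory. Consider using the framework's substitution and naming the condition, e.g. `See %%DOCSDIR%%/README.quickstart.md (installed with the DOCS option) for further information.` and mentioning `easyrsa help` as the fallback. `%%DOCSDIR%%` should be in the default SUB_LIST, but confirm that against bsd.port.mk.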
diff --git a/security/easy-rsa/pkg-message b/security/easy-rsa/pkg-message
deleted file mode 100644
index 64008e57eb92..000000000000
--- a/security/easy-rsa/pkg-message
+++ /dev/null
@@ -1,15 +0,0 @@
-NOTE: easy-rsa will require you to initialize a pki ONLY UPON FIRST USE.
-The packaging itself no longer does this because that would confuse easy-rsa,
-and easy-rsa expects the vars not to be per-installation, but per-PKI.
-
-ONLY for the very first run for a new PKI, do something such as:
-
-  easyrsa --pki-dir=~/my_new_pki init-pki # DANGEROUS - DESTROYS ~/my_new_pki
-  which will copy vars.example both into ~/my_new_pki
-  and create another copy named ~/my/new_pki/vars for you to edit for this PKI.
-
-  Then, edit ~/my/new_pki/vars to set the defaults.
-
-After upgrades, use other commands, explained by running: easyrsa help.
-to explain options such as --pki-dir (see above), run: easyrsa help options
-