All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- Added
step-kms-pluginto docker images, and a new image,smallstep/step-ca-hsm, compiled with cgo (smallstep#1243). - Added
scooppackages back to the release (smallstep#1250). - Added optional flag
--pidfilewhich allows passing a filename where step-ca will write its process id (smallstep#1251). - Added helpful message on CA startup when config can't be opened (smallstep#1252).
- Improved validation and error messages on
device-attest-01orders (smallstep#1235).
- The deprecated CLI utils
step-awskms-init,step-cloudkms-init,step-pkcs11-init,step-yubikey-inithave been removed.stepandstep-kms-pluginshould be used instead (smallstep#1240).
- Fixed remote management flags in docker images (smallstep#1228).
- Added configuration property
.crl.idpURLto be able to set a custom Issuing Distribution Point in the CRL (smallstep#1178). - Added WithContext methods to the CA client (smallstep#1211).
- Docker: Added environment variables for enabling Remote Management and ACME provisioner (smallstep#1201).
- Docker: The entrypoint script now generates and displays an initial JWK provisioner password by default when the CA is being initialized (smallstep#1223).
- Ignore SSH principals validation when using an OIDC provisioner. The provisioner will ignore the principals passed and set the defaults or the ones including using WebHooks or templates (smallstep#1206).
- Added support for ACME device-attest-01 challenge on iOS, iPadOS, tvOS and YubiKey.
- Ability to disable ACME challenges and attestation formats.
- Added flags to change ACME challenge ports for testing purposes.
- Added name constraints evaluation and enforcement when issuing or renewing X.509 certificates.
- Added provisioner webhooks for augmenting template data and authorizing certificate requests before signing.
- Added automatic migration of provisioners when enabling remote management.
- Added experimental support for CRLs.
- Add certificate renewal support on RA mode. The
step ca renewcommand must use the flag--mtls=falseto use the token renewal flow. - Added support for initializing remote management using
step ca init. - Added support for renewing X.509 certificates on RAs.
- Added support for using SCEP with keys in a KMS.
- Added client support to set the dialer's local address with the environment variable
STEP_CLIENT_ADDR.
- Remove the email requirement for issuing SSH certificates with an OIDC provisioner.
- Root files can contain more than one certificate.
- Fixed MySQL DSN parsing issues with an upgrade to smallstep/[email protected].
- Fixed renewal of certificates with missing subject attributes.
- Fixed ACME support with ejabberd.
- The CLIs
step-awskms-init,step-cloudkms-init,step-pkcs11-init,step-yubikey-initare deprecated. Now you can usestep-kms-pluginin combination withstep certificates createto initialize your PKI.
- Fixed signature algorithm on EC (root) + RSA (intermediate) PKIs.
- Added automatic configuration of Linked RAs.
- Send provisioner configuration on Linked RAs.
- Certificates signed by an issuer using an RSA key will be signed using the same algorithm used to sign the issuer certificate. The signature will no longer default to PKCS #1. For example, if the issuer certificate was signed using RSA-PSS with SHA-256, a new certificate will also be signed using RSA-PSS with SHA-256.
- Support two latest versions of Go (1.18, 1.19).
- Validate revocation serial number (either base 10 or prefixed with an appropriate base).
- Sanitize TLS options.
- Added Kubernetes auth method for Vault RAs.
- Added support for reporting provisioners to linkedca.
- Added support for certificate policies on authority level.
- Added a Dockerfile with a step-ca build with HSM support.
- A few new WithXX methods for instantiating authorities
- Context usage in HTTP APIs.
- Changed authentication for Vault RAs.
- Error message returned to client when authenticating with expired certificate.
- Strip padding from ACME CSRs.
- HTTP API handler types.
- Fixed SSH revocation.
- CA client dial context for js/wasm target.
- Incomplete
extraNamessupport in templates. - SCEP GET request support.
- Large SCEP request handling.
- Added support for certificate renewals after expiry using the claim
allowRenewalAfterExpiry. - Added support for
extraNamesin X.509 templates. - Added
armv5builds. - Added RA support using a Vault instance as the CA.
- Added
WithX509SignerFuncauthority option. - Added a new
/roots.pemendpoint to download the CA roots in PEM format. - Added support for Azure
Managed Identitytokens. - Added support for automatic configuration of linked RAs.
- Added support for the
--contextflag. It's now possible to start the CA withstep-ca --context=abcto use the configuration from contextabc. When a context has been configured and no configuration file is provided on startup, the configuration for the current context is used. - Added startup info logging and option to skip it (
--quiet). - Added support for renaming the CA (Common Name).
- Made SCEP CA URL paths dynamic.
- Support two latest versions of Go (1.17, 1.18).
- Upgrade go.step.sm/crypto to v0.16.1.
- Upgrade go.step.sm/linkedca to v0.15.0.
- Go 1.16 support.
- Fixed admin credentials on RAs.
- Fixed ACME HTTP-01 challenges for IPv6 identifiers.
- Various improvements under the hood.
- Added
subscriptionIDsandobjectIDsfilters to the Azure provisioner. - NoSQL package allows filtering
out database drivers using Go tags. For example, using the Go flag
--tags=nobadger,nobbolt,nomysqlwill only compilestep-cawith the pgx driver for PostgreSQL.
- IPv6 addresses are normalized as IP addresses instead of hostnames.
- More descriptive JWK decryption error message.
- Make the X5C leaf certificate available to the templates using
{{ .AuthorizationCrt }}.
- During provisioner add - validate provisioner configuration before storing to DB.
- Support for ACME revocation.
- Replace hash function with an RSA SSH CA to "rsa-sha2-256".
- Support Nebula provisioners.
- Example Ansible configurations.
- Support PKCS#11 as a decrypter, as used by SCEP.
- Automatically create database directory on
step ca init. - Slightly improve errors reported when a template has invalid content.
- Error reporting in logs and to clients.
- SCEP renewal using HTTPS on macOS.
- Support for multiple certificate authority contexts.
- Support for generating extractable keys and certificates on a pkcs#11 module.
- Support two latest versions of Go (1.16, 1.17)
- go 1.15 support
- 0.17.5 failed in CI/CD
- Support for Azure Key Vault as a KMS.
- Adapt
pkipackage to support key managers. - gocritic linter
- gocritic warnings
- Support host-only or user-only SSH CA.
- go 1.17 to github action test matrix
- Support for CloudKMS RSA-PSS signers without using templates.
- Add flags to support individual passwords for the intermediate and SSH keys.
- Global support for group admins in the OIDC provisioner.
- Using go 1.17 for binaries
- Upgrade go-jose.v2 to fix a bug in the JWK fingerprint of Ed25519 keys.
- Use cosign to sign and upload signatures for multi-arch Docker container.
- Add debian checksum
- Additional way to distinguish Azure IID and Azure OIDC tokens.
- Sign over all goreleaser github artifacts using cosign
- Add support for Linked CAs using protocol buffers and gRPC
step-ca initadds support for- configuring a StepCAS RA
- configuring a Linked CA
- congifuring a
step-causing Helm
- Update badger driver to use v2 by default
- Update TLS cipher suites to include 1.3
- Fix key version when SHA512WithRSA is used. There was a typo creating RSA keys with SHA256 digests instead of SHA512.