Releases: micromdm/scep

v2.3.0

23 Jan 18:17

Thanks to our contributors for this release: @bkstein and @hslatman!

New

  • Add -key-encipherment-selector switch to scepclient and use CA certs for verification: #217

Fixed

  • Added KeyUsage DigitalSignature to CA certs: #197
  • GH actions Go version too old: c519f39
  • Update docs for docker CGO usage: 78cb98e
  • Fix Makefile phony target: 8eb5412

Other

v2.2.0

01 Dec 06:55
988fe4e

Thanks to our contributors for this release: @marcinjahn, @klubi, @korylprince, @mceIdo, @9072997, @bkstein, @macmule, @venkyg-sec, and @jbpin!

New

  • ARM Makefile binary targets for Apple and Linux: #176, #186
  • Bind address configurable: #182
  • Server key usages support: #189
  • CN in CA cert: #196
  • DNS name flag: #202
  • PKCS8 key and non-encrypted CA: #198

Fixed

  • Fix signer grace from 600ns to 10 minutes: #193
  • BoltDB Depot serial number changes for data races: #185, #190

Other

v2.1.0

15 Aug 19:39
415371e

Changes:

  • FingerprintCertsSelector is now hash-independent (#168)
  • Refactor CA certificate generation (#170)
  • Mark depot volume in Dockerfile (75c6aca)
  • Update pkcs7 dependency (#174). Finally we don't have to use a fork of the library!

v2.0.0

25 Mar 20:44

Three years in the making! micromdm/scep v2.0.0 release.

So much has changed. As just one example, we've gone through three different Go dependency systems (Glide, dep, and finally Go modules) since the last release. So I'll try and highlight just some of the bigger changes since then. Not all of this is particularly new — indeed some projects have been using newer commit hashes than the last v1.0.0 tag. At any rate:

Feature/functionality related

  • Full GET & POST support for PKIOperation (#43, #114)
  • New CA fingerprint flag for selecting amongst multiple CAs (i.e. for NDES) (#43)
    • scepclient fingerprint expects SHA-256 hashes now (formerly MD5) (#160)
  • Support signing and re-signing CSRs (to support embedding the challenge attribute) (#45)
  • New dynamic one-time challenge password support (#50)
  • Complete bolt Depot implementation (HasCN) (e6079f0, #30)
  • SCEPStandard capability (#51)
  • New CSR verifier flag to scepserver that shells-out: -csrverifierexec (#68)
  • CA certificate is now generated with CRL signing key usage (#69)
  • New switch to specify OU for CA cert in scepserver (#82)
  • Set a default CN for new CA certs (#89)
  • Copy attributes from CSR SANs to new cert template (#107, #121)
  • Accept ECDSA keys in SCEP core module (#109)
  • New scepserver Pluggable CSR signing framework (#113)
  • Populate the server's CertRep with CA certificates before verifying (#131)
  • New CertsSelector interface for selecting which certificates a CA returns (#147)
  • Remove SHA-1 (and MD5, etc.) support for signing (and re-signing) CSRs for challenges (#144)
  • Send Content-type: application/octet-stream header with PKIOperation (#146)
  • Support Message parameter for GetCACert (#152)
  • scepclient can now print CA certificates (and hashes) with debug output (#157)

Other changes

  • Module is now named github.com/micromdm/scep/v2. Update your import paths!
  • Various logging & error handling improvements
  • Various bug fixes
  • Makefile and build changes (#151)
  • Various iterations of Dockerfile changes (#33, #74, #83, c892534)
  • Glide->dep->go modules
  • Various PKCS7 library dependency changes ending up (currently) with a fork of Mozilla's fork of Fullsailor's PKCS7 library. (#38, #116, #128)

bug fixes and deps update

21 Mar 20:33
v1.0.0

update server to go-kit 0.4.0

chain vs single ca cert

09 Jun 03:01
Pre-release

updated client and server to support chain and leaf cert responses.

# create a new CA
scepserver ca -init
# start server
scepserver -depot depot -port 2016 -challenge=secret

# in a separate terminal window, run a client
# note, if the client.key doesn't exist, the client will create a new rsa private key. Must be in PEM format.
scepclient -private-key client.key -server-url=http://scep.groob.io:2016 -challenge=secret

client and server

07 Jun 19:56
Pre-release
# create a new CA
scepserver ca -init
# start server
scepserver -depot depot -port 2016 -challenge=secret

# in a separate terminal window, run a client
# note, if the client.key doesn't exist, the client will create a new rsa private key. Must be in PEM format.
scepclient -private-key client.key -server-url=http://scep.groob.io:2016 -challenge=secret

preview

02 Jun 17:43
Pre-release

It's usable now, but not everything is complete.

it works!

29 May 21:03
Pre-release

a very basic version

# clone the repo
git clone https://github.com/micromdm/scep.git
# download scep binary and place it in the scep repo root
# change the binary permissions to make it executable.
chmod a+x ./scep
# run scep binary inside the repo folder.
cd scep
# starts scep server at localhost:9001
./scep
# install sceptest.mobileconfig profile
# the CA and the SCEP signed cert will be added to your OS X keychain