Releases: micromdm/scep
v2.3.0
Thanks to our contributors for this release: @bkstein and @hslatman!
New
- Add `-key-encipherment-selector` switch to `scepclient` and use CA certs for verification: #217
Fixed
- Added KeyUsage `DigitalSignature` to CA certs: #197
- GH actions Go version too old: c519f39
- Update docs for docker CGO usage: 78cb98e
- Fix Makefile phony target: 8eb5412
v2.2.0
Thanks to our contributors for this release: @marcinjahn, @klubi, @korylprince, @mceIdo, @9072997, @bkstein, @macmule, @venkyg-sec, and @jbpin!
New
- ARM Makefile binary targets for Apple and Linux: #176, #186
- Bind address configurable: #182
- Server key usages support: #189
- CN in CA cert: #196
- DNS name flag: #202
- PKCS8 key and non-encrypted CA: #198
Fixed
- Fix signer grace from 600ns to 10 minutes: #193
- BoltDB Depot serial number changes for data races: #185, #190
v2.1.0
v2.0.0
Three years in the making! micromdm/scep v2.0.0 release.
So much has changed. As just one example, we've gone through three different Go dependency systems (Glide, dep, and finally Go modules) since the last release. So I'll try to highlight just some of the bigger changes since then. Not all of this is particularly new; indeed, some projects have been using newer commit hashes than the last v1.0.0 tag. At any rate:
Feature/functionality related
- Full GET & POST support for PKIOperation (#43, #114)
- New CA fingerprint flag for selecting amongst multiple CAs (i.e. for NDES) (#43)
- scepclient fingerprint expects SHA-256 hashes now (formerly MD5) (#160)
- Support signing and re-signing CSRs (to support embedding the challenge attribute) (#45)
- New dynamic one-time challenge password support (#50)
- Complete bolt `Depot` implementation (`HasCN`) (e6079f0, #30)
- SCEPStandard capability (#51)
- New CSR verifier flag to scepserver that shells-out: `-csrverifierexec` (#68)
- CA certificate is now generated with CRL signing key usage (#69)
- New switch to specify OU for CA cert in scepserver (#82)
- Set a default CN for new CA certs (#89)
- Copy attributes from CSR SANs to new cert template (#107, #121)
- Accept ECDSA keys in SCEP core module (#109)
- New scepserver Pluggable CSR signing framework (#113)
- Populate the server's CertRep with CA certificates before verifying (#131)
- New `CertsSelector` interface for selecting which certificates a CA returns (#147)
- Remove SHA-1 (and MD5, etc.) support for signing (and re-signing) CSRs for challenges in (#144)
- Send `Content-type: application/octet-stream` header with PKIOperation (#146)
- Support Message parameter for GetCACert (#152)
- scepclient can now print CA certificates (and hashes) with debug output (#157)
Other changes
- Module is now named `github.com/micromdm/scep/v2`. Update your import paths!
- Various logging & error handling improvements
- Various bug fixes
- Makefile and build changes (#151)
- Various iterations of Dockerfile changes (#33, #74, #83, c892534)
- Glide->dep->go modules
- Various PKCS7 library dependency changes ending up (currently) with a fork of Mozilla's fork of Fullsailor's PKCS7 library. (#38, #116, #128)
bug fixes and deps update
v1.0.0 update server to go-kit 0.4.0
chain vs single ca cert
updated client and server to support chain and leaf cert responses.
# create a new CA
scepserver ca -init
# start server
scepserver -depot depot -port 2016 -challenge=secret
# in a separate terminal window, run a client
# note, if the client.key doesn't exist, the client will create a new rsa private key. Must be in PEM format.
scepclient -private-key client.key -server-url=http://scep.groob.io:2016 -challenge=secret
client and server
# create a new CA
scepserver ca -init
# start server
scepserver -depot depot -port 2016 -challenge=secret
# in a separate terminal window, run a client
# note, if the client.key doesn't exist, the client will create a new rsa private key. Must be in PEM format.
scepclient -private-key client.key -server-url=http://scep.groob.io:2016 -challenge=secret
preview
it works!
a very basic version
# clone the repo
git clone https://github.com/micromdm/scep.git
# download scep binary and place it in the scep repo root
# change the binary permissions to make it executable.
chmod a+x ./scep
# run scep binary inside the repo folder.
cd scep
# starts scep server at localhost:9001
./scep
# install sceptest.mobileconfig profile
# the CA and the SCEP signed cert will be added to your OS X keychain