2018-11-01 07:46:13 +00:00
# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog ](http://keepachangelog.com/en/1.0.0/ )
and this project adheres to [Semantic Versioning ](http://semver.org/spec/v2.0.0.html ).
2022-07-06 22:04:55 +00:00
### TEMPLATE -- do not alter or remove
---
## [x.y.z] - aaaa-bb-cc
### Added
### Changed
### Deprecated
### Removed
### Fixed
### Security
---
2022-06-16 02:10:58 +00:00
## [Unreleased]
### Changed
2022-06-16 21:41:55 +00:00
- Certificates signed by an issuer using an RSA key will be signed using the same algorithm as the issuer certificate was signed with. The signature will no longer default to PKCS #1 . For example, if the issuer certificate was signed using RSA-PSS with SHA-256, a new certificate will also be signed using RSA-PSS with SHA-256.
2022-08-08 19:01:18 +00:00
- Support two latest versions of Go (1.18, 1.19)
2022-08-09 18:04:00 +00:00
- Vadlidate revocation serial number (either base 10 or prefixed with an appropriate base)
2022-06-16 02:10:58 +00:00
2022-05-26 17:55:24 +00:00
## [0.20.0] - 2022-05-26
2022-04-19 19:24:21 +00:00
### Added
2022-05-25 19:52:32 +00:00
- Added Kubernetes auth method for Vault RAs.
- Added support for reporting provisioners to linkedca.
2022-05-25 21:28:37 +00:00
- Added support for certificate policies on authority level.
- Added a Dockerfile with a step-ca build with HSM support.
2022-05-26 17:55:24 +00:00
- A few new WithXX methods for instantiating authorities
2022-04-19 19:24:21 +00:00
### Changed
2022-05-25 19:52:32 +00:00
- Context usage in HTTP APIs.
- Changed authentication for Vault RAs.
2022-05-25 21:28:37 +00:00
- Error message returned to client when authenticating with expired certificate.
- Strip padding from ACME CSRs.
2022-04-19 19:24:21 +00:00
### Deprecated
2022-05-25 19:52:32 +00:00
- HTTP API handler types.
2022-04-19 19:24:21 +00:00
### Fixed
2022-05-25 23:55:22 +00:00
- Fixed SSH revocation.
2022-05-25 21:28:37 +00:00
- CA client dial context for js/wasm target.
- Incomplete `extraNames` support in templates.
- SCEP GET request support.
- Large SCEP request handling.
2022-04-19 19:24:21 +00:00
## [0.19.0] - 2022-04-19
2022-03-02 05:01:34 +00:00
### Added
2022-04-13 22:11:54 +00:00
- Added support for certificate renewals after expiry using the claim `allowRenewalAfterExpiry` .
2022-03-31 01:24:17 +00:00
- Added support for `extraNames` in X.509 templates.
2022-04-19 19:24:21 +00:00
- Added `armv5` builds.
2022-04-12 21:41:25 +00:00
- Added RA support using a Vault instance as the CA.
2022-04-19 19:24:21 +00:00
- Added `WithX509SignerFunc` authority option.
- Added a new `/roots.pem` endpoint to download the CA roots in PEM format.
- Added support for Azure `Managed Identity` tokens.
2022-04-14 00:44:23 +00:00
- Added support for automatic configuration of linked RAs.
2022-04-19 19:24:21 +00:00
- Added support for the `--context` flag. It's now possible to start the
2022-04-19 20:50:28 +00:00
CA with `step-ca --context=abc` to use the configuration from context `abc` .
2022-04-19 19:24:21 +00:00
When a context has been configured and no configuration file is provided
on startup, the configuration for the current context is used.
- Added startup info logging and option to skip it (`--quiet`).
2022-05-25 21:28:37 +00:00
- Added support for renaming the CA (Common Name).
2022-03-02 05:01:34 +00:00
### Changed
2022-04-19 19:24:21 +00:00
- Made SCEP CA URL paths dynamic.
- Support two latest versions of Go (1.17, 1.18).
- Upgrade go.step.sm/crypto to v0.16.1.
- Upgrade go.step.sm/linkedca to v0.15.0.
2022-03-02 05:01:34 +00:00
### Deprecated
2022-04-19 19:24:21 +00:00
- Go 1.16 support.
2022-03-02 05:01:34 +00:00
### Removed
### Fixed
2022-04-08 21:29:20 +00:00
- Fixed admin credentials on RAs.
2022-04-19 19:24:21 +00:00
- Fixed ACME HTTP-01 challenges for IPv6 identifiers.
- Various improvements under the hood.
2022-03-02 05:01:34 +00:00
### Security
## [0.18.2] - 2022-03-01
2021-09-24 21:24:28 +00:00
### Added
2022-02-28 22:37:09 +00:00
- Added `subscriptionIDs` and `objectIDs` filters to the Azure provisioner.
2022-03-04 18:56:09 +00:00
- [NoSQL ](https://github.com/smallstep/nosql/pull/21 ) package allows filtering
out database drivers using Go tags. For example, using the Go flag
`--tags=nobadger,nobbolt,nomysql` will only compile `step-ca` with the pgx
driver for PostgreSQL.
2021-09-24 21:24:28 +00:00
### Changed
2022-02-15 23:01:16 +00:00
- IPv6 addresses are normalized as IP addresses instead of hostnames.
- More descriptive JWK decryption error message.
2022-02-18 19:39:44 +00:00
- Make the X5C leaf certificate available to the templates using `{{ .AuthorizationCrt }}` .
2021-09-24 21:24:28 +00:00
### Fixed
2022-02-28 19:05:59 +00:00
- During provisioner add - validate provisioner configuration before storing to DB.
2021-09-24 21:24:28 +00:00
2022-02-03 21:21:58 +00:00
## [0.18.1] - 2022-02-03
### Added
- Support for ACME revocation.
- Replace hash function with an RSA SSH CA to "rsa-sha2-256".
2022-02-15 23:01:16 +00:00
- Support Nebula provisioners.
- Example Ansible configurations.
- Support PKCS#11 as a decrypter, as used by SCEP.
### Changed
- Automatically create database directory on `step ca init` .
- Slightly improve errors reported when a template has invalid content.
- Error reporting in logs and to clients.
### Fixed
- SCEP renewal using HTTPS on macOS.
2022-02-03 21:21:58 +00:00
2021-11-17 20:33:03 +00:00
## [0.18.0] - 2021-11-17
### Added
- Support for multiple certificate authority contexts.
- Support for generating extractable keys and certificates on a pkcs#11 module.
### Changed
2022-04-19 19:24:21 +00:00
- Support two latest versions of Go (1.16, 1.17)
2021-11-17 20:33:03 +00:00
### Deprecated
- go 1.15 support
2021-10-20 21:31:33 +00:00
## [0.17.6] - 2021-10-20
### Notes
- 0.17.5 failed in CI/CD
2021-10-20 20:41:26 +00:00
## [0.17.5] - 2021-10-20
### Added
- Support for Azure Key Vault as a KMS.
- Adapt `pki` package to support key managers.
- gocritic linter
### Fixed
- gocritic warnings
2021-09-28 23:15:23 +00:00
## [0.17.4] - 2021-09-28
### Fixed
- Support host-only or user-only SSH CA.
2021-09-24 21:24:28 +00:00
## [0.17.3] - 2021-09-24
2018-11-01 07:46:13 +00:00
### Added
2021-09-07 18:39:49 +00:00
- go 1.17 to github action test matrix
2021-09-09 00:46:55 +00:00
- Support for CloudKMS RSA-PSS signers without using templates.
2021-09-23 00:41:12 +00:00
- Add flags to support individual passwords for the intermediate and SSH keys.
2021-09-24 20:50:47 +00:00
- Global support for group admins in the OIDC provisioner.
2018-11-01 07:46:13 +00:00
### Changed
2021-09-07 18:39:49 +00:00
- Using go 1.17 for binaries
2018-11-01 07:46:13 +00:00
### Fixed
2021-09-22 22:15:19 +00:00
- Upgrade go-jose.v2 to fix a bug in the JWK fingerprint of Ed25519 keys.
2018-11-01 07:46:13 +00:00
### Security
2021-09-01 20:21:59 +00:00
- Use cosign to sign and upload signatures for multi-arch Docker container.
2021-09-07 18:39:49 +00:00
- Add debian checksum
2021-08-31 03:54:46 +00:00
2021-09-08 04:45:32 +00:00
## [0.17.2] - 2021-08-30
2021-08-31 03:54:46 +00:00
### Added
- Additional way to distinguish Azure IID and Azure OIDC tokens.
### Security
- Sign over all goreleaser github artifacts using cosign
2021-08-31 17:18:13 +00:00
## [0.17.1] - 2021-08-26
## [0.17.0] - 2021-08-25
### Added
- Add support for Linked CAs using protocol buffers and gRPC
- `step-ca init` adds support for
- configuring a StepCAS RA
- configuring a Linked CA
- congifuring a `step-ca` using Helm
### Changed
- Update badger driver to use v2 by default
- Update TLS cipher suites to include 1.3
### Security
- Fix key version when SHA512WithRSA is used. There was a typo creating RSA keys with SHA256 digests instead of SHA512.