Mariano Cano
91878051c1
Merge pull request #741 from gdbelvin/ssh
...
Support CSR Requests from PKCS11
3 years ago
Mariano Cano
febb619882
Add some extra validation and print certificate objects
...
This commit also changes the following flags for consistency:
- --crt-cert to --crt-cert-obj
- --crt-key to --crt-key-obj
3 years ago
max furman
10db335f13
mv pkg config -> step
3 years ago
Gary Belvin
bbb327c8c5
Make a csr if there's not a root
3 years ago
Gary Belvin
29f5a35965
simplify flags
3 years ago
Mariano Cano
8366b7ddf1
Revert "Remove extractable from StoreCertificate."
...
This reverts commit 614ee79489
.
3 years ago
Mariano Cano
614ee79489
Remove extractable from StoreCertificate.
3 years ago
Mariano Cano
aa80bf9f07
Merge branch 'smallstep_master' into extractable
3 years ago
Mariano Cano
e15b5faf7d
Merge branch 'master' into keyvault
3 years ago
max furman
933b40a02a
Introduce gocritic linter and address warnings
3 years ago
Mariano Cano
205148ad1f
Fix exit after defer.
3 years ago
Mariano Cano
48549bf317
Initialize windows terminal on all binaries.
3 years ago
Mariano Cano
d02cb1c869
Enable azurekms.
3 years ago
Mariano Cano
cfe08ad6fe
Add flags to usage.
3 years ago
Gary Belvin
22b471acf9
Extractable certs
3 years ago
Gary Belvin
be89459524
Set key export bit
3 years ago
Mariano Cano
a0633a6efb
Merge pull request #612 from gdbelvin/kmspin
...
Allow reading pin from kms string
3 years ago
Gary Belvin
1fb4406801
minimize diff
3 years ago
Gary Belvin
c6bb7aa199
Add back UI check, but don't read file
3 years ago
Gary Belvin
a63a1d6482
Don't double read from u.Pin()
3 years ago
Gary Belvin
063a09a521
Allow reading pin from kms string
3 years ago
Mariano Cano
595f12505c
Merge branch 'master' into name
3 years ago
Gary Belvin
c264e8f580
Configurable pkcs11-init output paths
3 years ago
Gary Belvin
623e387fb0
Allow configuration of PKCS11 subject name
3 years ago
Mariano Cano
e727532963
Fix wrong format of the first flag on `step-ca --help`
4 years ago
Mariano Cano
bdeb0ccd7c
Add support for the flag --issuer-password-file
...
The new flag allows to pass a file with the password used to decrypt
the key used in RA mode.
4 years ago
Mariano Cano
71f59de396
Merge pull request #510 from smallstep/ra-mode
...
StepCAS.
4 years ago
Gary Belvin
341966c30f
Check pin flag
4 years ago
Gary Belvin
1ac838628a
Add flag for setting the pin
4 years ago
Mariano Cano
a6115e29c2
Add initial implementation of StepCAS.
...
StepCAS allows to configure step-ca as an RA using another step-ca
as the main CA.
4 years ago
Mariano Cano
e446e22520
Remove extra default.
4 years ago
Mariano Cano
3648c3fab6
Fix error message when --kms is not passed.
4 years ago
Mariano Cano
1d2146166b
Close key manager.
4 years ago
Mariano Cano
51ac28656e
Fix protection level for host keys in cloudkms script.
...
Fixes #460
4 years ago
Mariano Cano
7f9d7eadc9
Attempt to delete key and certificate with the same name.
...
Nitrokey will override the label of the key with the certificate one.
If they are stored with the same id.
4 years ago
Mariano Cano
162c535705
Add option to not store certificates in the pkcs11 module.
4 years ago
Mariano Cano
8dca652bc7
Add support for PKCS #11 KMS.
...
The implementation works with YubiHSM2. Unit tests are still pending.
Fixes #301
4 years ago
Anton Lundin
3e6137110b
Add support for using ssh-agent as a KMS
...
This adds a new KMS, SSHAgentKMS, which is a KMS to provide signing keys
for issuing ssh certificates signed by a key managed by a ssh-agent. It
uses the golang.org/x/crypto package to get a native Go implementation
to talk to a ssh-agent.
This was primarly written to be able to use gpg-agent to provide the
keys stored in a YubiKeys openpgp interface, but can be used for other
setups like proxying a ssh-agent over network.
That way the signing key for ssh certificates can be kept in a
"sign-only" hsm.
This code was written for my employer Intinor AB, but for simplicity
sake gifted to me to contribute upstream.
Signed-off-by: Anton Lundin <glance@acc.umu.se>
4 years ago
Mariano Cano
40d0596b71
Use smallstep/cli-utils instead of smallstep/cli
4 years ago
Mariano Cano
647b9b4541
Merge pull request #367 from smallstep/cas
...
Support for CAS Interface and CloudCAS
4 years ago
Carl Tashian
fd07e25e61
Change Gitter links to GH Discussions tab
4 years ago
Mariano Cano
f100b2d0e3
Make the YubiKey management key configurable.
...
With this change the default management key is not required as the
user is able to set its own.
Fixes #323
4 years ago
Mariano Cano
1b1f73dec6
Early attempt to develop a CAS interface.
4 years ago
Mariano Cano
d30a95236d
Use always go.step.sm/crypto
4 years ago
Mariano Cano
ddb4ca7a74
Move load of kms to main package.
...
With this change packages that import the authority won't load by
default all the supported kms with all its dependencies.
Fixes #228
4 years ago
Mariano Cano
26c89cf779
Rename method.
4 years ago
Mariano Cano
7a985b1470
Fix usage, remove unsupported flag.
4 years ago
Mariano Cano
5b680b2349
Add initialization script for an AWS KMS.
4 years ago
Mariano Cano
89e164dad6
Add AuthorityKeyId to cloudkms root cert.
4 years ago
Mariano Cano
97508ca215
Add AuthorityKeyId to root certificate.
...
Fix error string.
4 years ago