This commit changes the parsing of root and federated roots to support
a bundle of certificates, this makes easier to configure a root rotation
when using helm charts, just appending the old root.
This commit adds some changes to PR #731, some of them are:
- Add distribution point to the CRL
- Properly stop the goroutine that generates the CRLs
- CRL config validation
- Remove expired certificates from the CRL
- Require enable set to true to generate a CRL
This last point is the principal change in behaviour from the previous
implementation. The CRL will not be generated if it's not enabled, and
if it is enabled it will always be regenerated at some point, not only
if there is a revocation.
The first super admin subject can now be provided through the
`--admin-subject` flag when initializing a CA.
It's not yet possible to configure the subject of the first
super admin when provisioners are migrated from `ca.json` to the
database. This effectively limits usage of the flag to scenarios
in which the provisioners are written to the database immediately,
so when `--remote-management` is enabled. It currently also doesn't
work with Helm deployments, because there's no mechanism yet to
pass this type of option to the Helm chart.
This commit partially addresses https://github.com/smallstep/cli/issues/697
Provisioners stored in the CA configuration file are
automatically migrated to the database.
Currently no cleanup of the provisioners in the
configuration file yet. In certain situations this
may not work as expected, for example if the CA can't
write to the file. But it's probalby good to try it, so
that we can keep the configuration state of the CA consistent.
- add skipInit option to skip authority initialization
- check admin API status when removing provisioners - no need to check
admins when not using Admin API
