max furman
9fdef64709
Admin level API for provisioner mgmt v1
3 years ago
max furman
9bf9bf142d
wip
3 years ago
max furman
7b5d6968a5
first commit
3 years ago
max furman
8c709fe3c2
Init config on load | Add wrapper for cli
4 years ago
Mariano Cano
a6115e29c2
Add initial implementation of StepCAS.
...
StepCAS allows to configure step-ca as an RA using another step-ca
as the main CA.
4 years ago
Mariano Cano
ef92a3a6d7
Move cas options under authority.
4 years ago
Mariano Cano
38fa780775
Add interface to get root certificate from CAS.
...
This change makes easier the configuration of cloudCAS as it does
not require to configure the root or intermediate certificate
in the ca.json. CloudCAS will get the root certificate using
the configured certificateAuthority.
4 years ago
Mariano Cano
aad8f9e582
Pass issuer and signer to softCAS options.
...
Remove commented code and initialize CAS properly.
Minor fixes in CloudCAS.
4 years ago
Mariano Cano
1b1f73dec6
Early attempt to develop a CAS interface.
4 years ago
Mariano Cano
4943ae58d8
Move TLSOption, TLSVersion, CipherSuites and ASN1DN to certificates.
4 years ago
Mariano Cano
4e544344f9
Initialize the required config fields on embedded authorities.
...
This change is to make easier the use of embedded authorities. It
can be difficult for third parties to know what fields are required.
The new init methods will define the minimum usable configuration.
5 years ago
Mariano Cano
824374bde0
Create a method to initialize the authority without a config file.
...
When the CA is embedded in a third party product like Caddy, the
config needed to use placeholders to be valid. This change adds
a new method `NewEmbeddedAuthority` that allows to create an
authority with the given options, the minimum options are a root
and intermediate certificate, and the intermediate key.
Fixes #218
5 years ago
Mariano Cano
c62526b39f
Add wip support for kms.
5 years ago
Mariano Cano
e67ccd9e3d
Add fault tolerance against clock skew across system on TLS certificates.
5 years ago
Mariano Cano
6d6f496331
Allow no provisioners.
5 years ago
Mariano Cano
50152391a3
Add leeway in identity not before.
5 years ago
Mariano Cano
3fda081e42
Add identity certificate in ssh response.
5 years ago
Mariano Cano
2cb6bd880b
Make audiences compatible with the old version.
5 years ago
Mariano Cano
69a7058ff0
Remove global check for number of k8sSA provisioners.
...
This was causing a bug in the reload of the ca.
5 years ago
max furman
a9ea292bd4
sshpop provisioner + ssh renew | revoke | rekey first pass
5 years ago
Mariano Cano
cf2b9301c0
Change default user duration to 16h.
5 years ago
Mariano Cano
e84489775b
Add support for multiple ssh roots.
...
Fixes #125
5 years ago
Mariano Cano
7b8bb6deb4
Add initial support for ssh config.
...
Related to smallstep/cli#170
5 years ago
Mariano Cano
57a529cc1a
Allow to enable the SSH CA per provisioner
5 years ago
Mariano Cano
e71072d389
Add experimental support for provisioning users.
5 years ago
Mariano Cano
004ea12212
Allow to use custom SSH user/host key files.
5 years ago
Mariano Cano
1c8f610ca9
Add initial implementation of an SSH CA using the JWK provisioner.
...
Fixes smallstep/ca-component#187
5 years ago
max furman
ff20d9f5af
Fix composite literal uses unkeyed field
6 years ago
max furman
ab4d569f36
Add /revoke API with interface db backend
6 years ago
Mariano Cano
7378ed27ac
Refactor claims so they can be totally omitted if only the parent is set.
6 years ago
Mariano Cano
507fd01062
Remove provisioner intermediate type.
6 years ago
Mariano Cano
2d00cd0933
Validate audiences in the default provisioner.
6 years ago
Mariano Cano
34ff388828
Use new types in config.
6 years ago
max furman
2c72ada610
remove dead code
6 years ago
max furman
6dc89f46d8
make Duration public
6 years ago
max furman
0615f7eb11
don't wrap time.Duration
6 years ago
max furman
4b742042ee
make Duration wrapper publicly accessible
6 years ago
Mariano Cano
6e620073f5
Rename method Empties to HasEmpties
6 years ago
Mariano Cano
98cc243a37
Add support for multiple roots.
6 years ago
Mariano Cano
722bcb7e7a
Add initial support for federated root certificates.
6 years ago
Mariano Cano
7e95fc0e45
Strip ports on audience check.
...
Services might have proxies behind them so we cannot rely on them.
Fixes #17
6 years ago
Mariano Cano
d6cad2a7f3
Add provisioner option to disable renewal.
...
Fixes smallstep/ca-component#108
6 years ago
max furman
c74fcd57a7
ca-component -> certificates
...
* fix redundant error check
* add README
6 years ago
max furman
b457b15292
fix: omit empty claims in AuthConfig
6 years ago
max furman
d2872564b4
accidentally removed DisableIssuedAtCheck during merge
6 years ago
max furman
ee7db4006a
change sign + authorize authority api | add provisioners
...
* authorize returns []interface{}
- operators in this list can conform to any interface the user decides
- our implementation has a combination of certificate claim validators
and certificate template modifiers.
* provisioners can set and enforce tls cert options
6 years ago
Mariano Cano
1c1ac1b3fb
Add disableIssuedAt check functionality
...
Fixes #86
6 years ago
max furman
0b5f6487e1
change provisioners api
...
* /provisioners -> /provisioners/jwk-set-by-issuer
* /provisioners now returns a list of Provisioners
6 years ago
max furman
f1dc00c810
add Provisioner config validation
6 years ago
max furman
c284a2c0ab
first commit
6 years ago