Herman Slatman
c7c5c3c94e
Merge branch 'master' into herman/scep-macos-renewal-fixes
3 years ago
Herman Slatman
64680bb16d
Fix PR comments
3 years ago
Herman Slatman
3612eefc31
Cleanup
3 years ago
Herman Slatman
9c6580ccd2
Fix macOS SCEP client issues
...
Fixes #746
3 years ago
Herman Slatman
d799359917
Merge branch 'master' into hs/acme-eab
3 years ago
Herman Slatman
2d357da99b
Add tests for ACME revocation
3 years ago
Herman Slatman
e0b495e4c8
Merge branch 'master' into hs/acme-eab
3 years ago
max furman
933b40a02a
Introduce gocritic linter and address warnings
3 years ago
Herman Slatman
9d4cafc4bd
Merge branch 'master' into hs/acme-eab
3 years ago
Mariano Cano
6729c79253
Add support for setting individual password for ssh and tls keys
...
This change add the following flags:
* --ssh-host-password-file
* --ssh-user-password-file
Fixes #693
3 years ago
Herman Slatman
a98fe03e80
Merge branch 'master' into hs/acme-eab
3 years ago
Herman Slatman
c6bfc6eac2
Fix PR comments
3 years ago
Mariano Cano
8fb5340dc9
Use a token at start time to configure linkedca.
...
Instead of using `step-ca login` we will use a new token provided
as a flag to configure and start linkedca. Certificates will be kept
in memory and refreshed automatically.
3 years ago
max furman
77fdfc9fa3
Merge branch 'master' into max/cert-mgr-crud
3 years ago
max furman
9fdef64709
Admin level API for provisioner mgmt v1
3 years ago
Herman Slatman
03c472359c
Add sync.WaitGroup for proper error handling in Run()
3 years ago
Herman Slatman
13fe7a0121
Make serving SCEP endpoints optional
...
Only when a SCEP provisioner is enabled, the SCEP endpoints
will now be available.
The SCEP endpoints will be served on an "insecure" server,
without TLS, only when an additional "insecureAddress" and a
SCEP provisioner are configured for the CA.
3 years ago
Herman Slatman
97b88c4d58
Address (most) PR comments
3 years ago
Herman Slatman
5df60c5a9b
Add support for multiple SCEP provisioners
...
Similarly to how ACME suppors multiple provisioners, it's
now possible to load the right provisioner based on the
URL.
3 years ago
Herman Slatman
339039768c
Refactor SCEP authority initialization and clean some code
3 years ago
Herman Slatman
48c86716a0
Add rudimentary (and incomplete) support for SCEP
3 years ago
max furman
9bf9bf142d
wip
3 years ago
max furman
5d09d04d14
wip
3 years ago
max furman
af3cf7dae9
first steps
3 years ago
max furman
7b5d6968a5
first commit
3 years ago
Herman Slatman
0487686f69
Merge branch 'master' into hs/scep
4 years ago
max furman
93c3c2bf2e
Error handle non existent provisioner downstream and disable debug route logging
4 years ago
max furman
b1888fd34d
Use different method for unescpaed paths for the router
4 years ago
Max
b724af30ad
Merge pull request #496 from smallstep/max/acme
...
Convert to ACME DB interface
4 years ago
Herman Slatman
2320d0911e
Add sync.WaitGroup for proper error handling in Run()
4 years ago
Herman Slatman
b815478981
Make serving SCEP endpoints optional
...
Only when a SCEP provisioner is enabled, the SCEP endpoints
will now be available.
The SCEP endpoints will be served on an "insecure" server,
without TLS, only when an additional "insecureAddress" and a
SCEP provisioner are configured for the CA.
4 years ago
Herman Slatman
c5e4ea08b3
Merge branch 'master' into hs/scep
4 years ago
Herman Slatman
b97f024f8a
Remove superfluous call to StoreCertificate
4 years ago
max furman
df05340521
fixing broken unit tests
4 years ago
max furman
fc395f4d69
[acme db interface] compiles!
4 years ago
max furman
80a6640103
[acme db interface] wip
4 years ago
Mariano Cano
8c8c160c92
Fix method name in comment.
4 years ago
Mariano Cano
bdeb0ccd7c
Add support for the flag --issuer-password-file
...
The new flag allows to pass a file with the password used to decrypt
the key used in RA mode.
4 years ago
Herman Slatman
583d60dc0d
Address (most) PR comments
4 years ago
Herman Slatman
e1cab4966f
Improve initialization of SCEP authority
4 years ago
Herman Slatman
8c5b12e21d
Add non-TLS server and improve crypto.Decrypter interface
...
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.
This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.
The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.
This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
4 years ago
Herman Slatman
2d21b09d41
Remove some duplicate and unnecessary logic
4 years ago
Herman Slatman
3a5f633cdd
Add support for multiple SCEP provisioners
...
Similarly to how ACME suppors multiple provisioners, it's
now possible to load the right provisioner based on the
URL.
4 years ago
Herman Slatman
7ad90d10b3
Refactor initialization of SCEP authority
4 years ago
Herman Slatman
78d78580b2
Add note about using a second (unsecured) server
4 years ago
Herman Slatman
9e43dc85d8
Merge branch 'master' into hs/scep-master
4 years ago
Herman Slatman
713b571d7a
Refactor SCEP authority initialization and clean some code
4 years ago
Herman Slatman
ffdd58ea3c
Add rudimentary (and incomplete) support for SCEP
4 years ago
Mariano Cano
b487edbd13
Clarify comment.
4 years ago
Mariano Cano
fbd2208044
Close key manager for safe reloads when a cgo module is used.
4 years ago
max furman
6e69f99310
Always set nbf and naf for new ACME orders ...
...
- Use the default value from the ACME provisioner if values are not
defined in the request.
4 years ago
max furman
7aec7c2612
Create ACME database tables when initializing ACME autority.
5 years ago
max furman
fe7973c060
wip
5 years ago
max furman
e3826dd1c3
Add ACME CA capabilities
5 years ago
Mariano Cano
120e2d0caf
Fix restart with simple DB.
5 years ago
Mariano Cano
3a1a4c5ea9
Do not allow reload with database configuration changes.
...
Fixes #smallstep/ca-component#170
5 years ago
Mariano Cano
b595c55f0a
Update CA properties on reload.
...
Fixes #71
5 years ago
max furman
c242602231
reload and shutdown trickery
...
* Only shutdown the database once.
* Be careful when reloading the CA. Depending on whether the DB has
already been shutdown, and error may be unrecoverable.
6 years ago
max furman
cbeca9383b
Update nosql integration
...
* shutdown and reload database on SIGHUP
6 years ago
max furman
ab4d569f36
Add /revoke API with interface db backend
6 years ago
Mariano Cano
98cc243a37
Add support for multiple roots.
6 years ago
Mariano Cano
f7a5be3942
Force the renew of the CA server.
6 years ago
max furman
c74fcd57a7
ca-component -> certificates
...
* fix redundant error check
* add README
6 years ago
max furman
c284a2c0ab
first commit
6 years ago