Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
mariano/account-provisioner
dependabot/go_modules/github.com/prometheus/client_golang-1.19.1
dependabot/go_modules/golang.org/x/net-0.25.0
dependabot/go_modules/google.golang.org/protobuf-1.34.1
dependabot/go_modules/google.golang.org/api-0.180.0
dependabot/go_modules/github.com/slackhq/nebula-1.9.0
master
wire-acme-extensions
mariano/init-provisioners
fix-1637
herman/wire-dpop-struct
herman/fix-nebula-curve-param
herman/wrapped-listener
herman/configure-server-http-timeout
josh/fips
herman/acme-macos-properties
josh/webhook-error-response-content
user-regex
max/nebula-sign-curve
carl/bootstrap-error-clarity
max/capabilities
herman/acme-cname-txt
max/test
herman/acme-da-roots
backports
but
collections
update-step-env-vars
panos/api/flow
errors-internal
docker-dns-names
docker-init
carl/sysd-update
carl/readmes
carl/ssh-host-matchbug
nosql-0.3.2
dcow/challenge-retry
ssh
printAud
getHosts
ssh-config
certificate-transparency
seb/ct-local
seb/markdown-issues
seb/anchors
v0.25.3-rc7
v0.25.3-rc6
v0.25.3-rc4
v0.25.3-rc.1
v0.22.2-rc14
v0.22.2-rc13
v0.0.1-rc.1
v0.0.1-rc.2
v0.0.1-rc.3
v0.10.0
v0.11.0
v0.11.0-rc.1
v0.11.0-rc.2
v0.11.0-rc.3
v0.11.0-rc.4
v0.12.0
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.14.0-rc.1
v0.14.0-rc.10.badger2
v0.14.0-rc.14
v0.14.0-rc.15
v0.14.0-rc.16
v0.14.0-rc.2
v0.14.0-rc.3
v0.14.0-rc.4.badger2
v0.14.0-rc.5
v0.14.0-rc.6
v0.14.0-rc.7
v0.14.0-rc.8
v0.14.0-rc.9
v0.14.0.rc.11.badger2
v0.14.0.rc.12.badger2
v0.14.0.rc.13.badger2
v0.14.1
v0.14.2
v0.14.3
v0.14.3-rc.1.badger2
v0.14.3-rc.2.32bitbadger2
v0.14.4
v0.14.5
v0.14.5-rc.1.100MB.badgerV2
v0.14.5-rc.2.100MB.badgerV2
v0.14.5-rc.3.cullACMEOrders
v0.14.5-rc.4
v0.14.6
v0.14.7-rc.1.docker-buildx
v0.14.7-rc.2.deb-name-test
v0.15.0
v0.15.0-rc.1
v0.15.1
v0.15.1-rc.1
v0.15.10
v0.15.11
v0.15.12
v0.15.12-rc1
v0.15.12-rc2
v0.15.12-rc3
v0.15.12-rc4
v0.15.12-rc5
v0.15.13
v0.15.14
v0.15.15
v0.15.16
v0.15.16-rc1.test-arm6
v0.15.16-rc2.test-arm6
v0.15.16-rc3.test-arm6
v0.15.16-rc4
v0.15.16-rc5
v0.15.16-rc6
v0.15.16-rc7
v0.15.2
v0.15.2-rc.1
v0.15.3
v0.15.4
v0.15.5
v0.15.5-rc.1
v0.15.6
v0.15.7
v0.15.7-rc.1
v0.15.8
v0.15.9
v0.15.9-rc1
v0.15.9-rc10
v0.15.9-rc11
v0.15.9-rc12
v0.15.9-rc13
v0.15.9-rc14
v0.15.9-rc15
v0.15.9-rc16
v0.15.9-rc17
v0.15.9-rc18
v0.15.9-rc19
v0.15.9-rc2
v0.15.9-rc3
v0.15.9-rc4
v0.15.9-rc5
v0.15.9-rc6
v0.15.9-rc7
v0.15.9-rc8
v0.15.9-rc9
v0.16.0
v0.16.0-rc.1
v0.16.0-rc.2
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.17.0
v0.17.0-rc1
v0.17.1
v0.17.2
v0.17.2-rc1
v0.17.3
v0.17.3-rc1
v0.17.3-rc2
v0.17.3-rc3
v0.17.3-rc4
v0.17.3-rc5
v0.17.3-rc6
v0.17.3-rc7
v0.17.3-rc8
v0.17.3-rc9
v0.17.4
v0.17.4-rc1
v0.17.5
v0.17.5-rc1
v0.17.6
v0.17.6-rc1
v0.17.6-rc2
v0.17.7-rc1
v0.18.0
v0.18.1
v0.18.1-rc1
v0.18.1-rc2
v0.18.1-rc3
v0.18.2
v0.18.3-rc1
v0.18.3-rc2
v0.18.3-rc3
v0.18.3-rc4
v0.19.0
v0.20.0
v0.21.0
v0.22.0
v0.22.1
v0.22.2-rc10
v0.22.2-rc11
v0.22.2-rc12
v0.22.2-rc15
v0.22.2-rc16
v0.22.2-rc17
v0.22.2-rc18
v0.22.2-rc2
v0.22.2-rc3
v0.22.2-rc4
v0.22.2-rc5
v0.22.2-rc6
v0.22.2-rc7
v0.22.2-rc8
v0.22.2-rc9
v0.23.0
v0.23.0-rc.1
v0.23.0-rc.2
v0.23.0-rc.3
v0.23.1
v0.23.1-rc.1
v0.23.2
v0.24.0
v0.24.0-rc.2
v0.24.0-rc1
v0.24.1
v0.24.2
v0.24.3-rc.1
v0.24.3-rc.2
v0.24.3-rc.3
v0.24.3-rc.4
v0.24.3-rc.5
v0.24.3-rc1
v0.25.0
v0.25.1
v0.25.2
v0.25.3-rc2
v0.25.3-rc3
v0.25.3-rc5
v0.26.0
v0.26.0-rc1
v0.26.0-rc2
v0.26.1
v0.8.1
v0.8.1-rc.1
v0.8.1-rc.2
v0.8.2
v0.8.2-rc.1
v0.8.3
v0.8.4
v0.8.4-rc.1
v0.8.4-rc.2
v0.8.5
v0.8.5-rc.1
v0.8.5-rc.2
v0.8.5-rc.3
v0.8.5-rc.4
v0.8.5-rc.5
v0.9.0
v0.9.0-rc.1
v0.9.1
v0.9.1-rc.1
v0.9.1-rc.2
v0.9.2
v0.9.2-rc.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0efaf514d7'
${ noResults }
smallstep-certificates/CHANGELOG.md

5.5 KiB
Raw Blame History

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

TEMPLATE -- do not alter or remove

[x.y.z] - aaaa-bb-cc

Added

Changed

Deprecated

Removed

Fixed

Security

[Unreleased]

Changed

  • Certificates signed by an issuer using an RSA key will be signed using the same algorithm as the issuer certificate was signed with. The signature will no longer default to PKCS #1. For example, if the issuer certificate was signed using RSA-PSS with SHA-256, a new certificate will also be signed using RSA-PSS with SHA-256.

[0.20.0] - 2022-05-26

Added

  • Added Kubernetes auth method for Vault RAs.
  • Added support for reporting provisioners to linkedca.
  • Added support for certificate policies on authority level.
  • Added a Dockerfile with a step-ca build with HSM support.
  • A few new WithXX methods for instantiating authorities

Changed

  • Context usage in HTTP APIs.
  • Changed authentication for Vault RAs.
  • Error message returned to client when authenticating with expired certificate.
  • Strip padding from ACME CSRs.

Deprecated

  • HTTP API handler types.

Fixed

  • Fixed SSH revocation.
  • CA client dial context for js/wasm target.
  • Incomplete extraNames support in templates.
  • SCEP GET request support.
  • Large SCEP request handling.

[0.19.0] - 2022-04-19

Added

  • Added support for certificate renewals after expiry using the claim allowRenewalAfterExpiry.
  • Added support for extraNames in X.509 templates.
  • Added armv5 builds.
  • Added RA support using a Vault instance as the CA.
  • Added WithX509SignerFunc authority option.
  • Added a new /roots.pem endpoint to download the CA roots in PEM format.
  • Added support for Azure Managed Identity tokens.
  • Added support for automatic configuration of linked RAs.
  • Added support for the --context flag. It's now possible to start the CA with step-ca --context=abc to use the configuration from context abc. When a context has been configured and no configuration file is provided on startup, the configuration for the current context is used.
  • Added startup info logging and option to skip it (--quiet).
  • Added support for renaming the CA (Common Name).

Changed

  • Made SCEP CA URL paths dynamic.
  • Support two latest versions of Go (1.17, 1.18).
  • Upgrade go.step.sm/crypto to v0.16.1.
  • Upgrade go.step.sm/linkedca to v0.15.0.

Deprecated

  • Go 1.16 support.

Removed

Fixed

  • Fixed admin credentials on RAs.
  • Fixed ACME HTTP-01 challenges for IPv6 identifiers.
  • Various improvements under the hood.

Security

[0.18.2] - 2022-03-01

Added

  • Added subscriptionIDs and objectIDs filters to the Azure provisioner.
  • NoSQL package allows filtering out database drivers using Go tags. For example, using the Go flag --tags=nobadger,nobbolt,nomysql will only compile step-ca with the pgx driver for PostgreSQL.

Changed

  • IPv6 addresses are normalized as IP addresses instead of hostnames.
  • More descriptive JWK decryption error message.
  • Make the X5C leaf certificate available to the templates using {{ .AuthorizationCrt }}.

Fixed

  • During provisioner add - validate provisioner configuration before storing to DB.

[0.18.1] - 2022-02-03

Added

  • Support for ACME revocation.
  • Replace hash function with an RSA SSH CA to "rsa-sha2-256".
  • Support Nebula provisioners.
  • Example Ansible configurations.
  • Support PKCS#11 as a decrypter, as used by SCEP.

Changed

  • Automatically create database directory on step ca init.
  • Slightly improve errors reported when a template has invalid content.
  • Error reporting in logs and to clients.

Fixed

  • SCEP renewal using HTTPS on macOS.

[0.18.0] - 2021-11-17

Added

  • Support for multiple certificate authority contexts.
  • Support for generating extractable keys and certificates on a pkcs#11 module.

Changed

  • Support two latest versions of Go (1.16, 1.17)

Deprecated

  • go 1.15 support

[0.17.6] - 2021-10-20

Notes

  • 0.17.5 failed in CI/CD

[0.17.5] - 2021-10-20

Added

  • Support for Azure Key Vault as a KMS.
  • Adapt pki package to support key managers.
  • gocritic linter

Fixed

  • gocritic warnings

[0.17.4] - 2021-09-28

Fixed

  • Support host-only or user-only SSH CA.

[0.17.3] - 2021-09-24

Added

  • go 1.17 to github action test matrix
  • Support for CloudKMS RSA-PSS signers without using templates.
  • Add flags to support individual passwords for the intermediate and SSH keys.
  • Global support for group admins in the OIDC provisioner.

Changed

  • Using go 1.17 for binaries

Fixed

  • Upgrade go-jose.v2 to fix a bug in the JWK fingerprint of Ed25519 keys.

Security

  • Use cosign to sign and upload signatures for multi-arch Docker container.
  • Add debian checksum

[0.17.2] - 2021-08-30

Added

  • Additional way to distinguish Azure IID and Azure OIDC tokens.

Security

  • Sign over all goreleaser github artifacts using cosign

[0.17.1] - 2021-08-26

[0.17.0] - 2021-08-25

Added

  • Add support for Linked CAs using protocol buffers and gRPC
  • step-ca init adds support for
    • configuring a StepCAS RA
    • configuring a Linked CA
    • congifuring a step-ca using Helm

Changed

  • Update badger driver to use v2 by default
  • Update TLS cipher suites to include 1.3

Security

  • Fix key version when SHA512WithRSA is used. There was a typo creating RSA keys with SHA256 digests instead of SHA512.