certificates/CHANGELOG.md

# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
### TEMPLATE -- do not alter or remove
---
## [x.y.z] - aaaa-bb-cc
### Added
### Changed
### Deprecated
### Removed
### Fixed
### Security
---
## [Unreleased]
### Added
- Added support for ACME device-attest-01 challenge.
- Added name constraints evaluation and enforcement when issuing or renewing
X.509 certificates.
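As an added illustration of what pre-issuance name-constraint enforcement means (example code written for this page, not code from step-ca), the following Go program builds a test CA whose certificate carries permitted and excluded DNS subtrees, checks every requested SAN against them before signing, and then lets the `crypto/x509` verifier confirm that the two agree. The CA, the names and the helper functions are constructed for the example; the DNS matching rule is the RFC 5280 rule that `crypto/x509` applies. IP, email and URI constraints are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// matchesDNSConstraint applies the RFC 5280 rule as crypto/x509 does:
// "example.com" matches the name and any subdomain, ".example.com" only subdomains.
func matchesDNSConstraint(name, constraint string) bool {
	name, constraint = strings.ToLower(name), strings.ToLower(constraint)
	if strings.HasPrefix(constraint, ".") {
		return strings.HasSuffix(name, constraint)
	}
	return name == constraint || strings.HasSuffix(name, "."+constraint)
}

func anyMatch(name string, constraints []string) bool {
	for _, c := range constraints {
		if matchesDNSConstraint(name, c) {
			return true
		}
	}
	return false
}

// checkNameConstraints is the pre-issuance check: no requested DNS name may hit the
// issuer's excluded set, and when a permitted set exists every name must fall inside it.
// Refusing here means the CA never signs a leaf that conforming verifiers would reject.
func checkNameConstraints(issuer *x509.Certificate, dnsNames []string) error {
	if len(dnsNames) == 0 {
		return fmt.Errorf("no DNS names requested")
	}
	for _, n := range dnsNames {
		if anyMatch(n, issuer.ExcludedDNSDomains) {
			return fmt.Errorf("dns name %q is excluded by %v", n, issuer.ExcludedDNSDomains)
		}
		if len(issuer.PermittedDNSDomains) > 0 && !anyMatch(n, issuer.PermittedDNSDomains) {
			return fmt.Errorf("dns name %q is outside permitted domains %v", n, issuer.PermittedDNSDomains)
		}
	}
	return nil
}

// sign creates a certificate and parses it back so the result carries the encoded extensions.
func sign(tmpl, parent *x509.Certificate, pub any, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newConstrainedCA is a self-signed test CA (constructed data, not a real PKI) that may
// issue under example.com except internal.example.com.
func newConstrainedCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constrained Test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		PermittedDNSDomains:   []string{"example.com"},
		ExcludedDNSDomains:    []string{"internal.example.com"},
	}
	crt, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return crt, key, err
}

// issue refuses names the pre-issuance check rejects, signs the leaf otherwise, and then
// has the standard verifier (which enforces name constraints too) confirm the chain.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsNames []string) (*x509.Certificate, error) {
	if err := checkNameConstraints(ca, dnsNames); err != nil {
		return nil, fmt.Errorf("refusing to issue: %w", err)
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     dnsNames,
	}
	leaf, err := sign(tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
	return leaf, err
}

func main() {
	ca, key, err := newConstrainedCA()
	if err != nil {
		panic(err)
	}
	for _, names := range [][]string{{"www.example.com"}, {"www.example.org"}, {"db.internal.example.com"}} {
		_, err := issue(ca, key, names)
		fmt.Println(names, "->", err)
	}
}
```

The check runs before any signing happens, so a request for `www.example.org` or `db.internal.example.com` is refused outright; the post-signing `Verify` call is a belt-and-braces check that the pre-issuance logic and the verifier's own constraint handling never disagree.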
## [0.22.1] - 2022-08-31
### Fixed
- Fixed signature algorithm on EC (root) + RSA (intermediate) PKIs.
## [0.22.0] - 2022-08-26
### Added
- Added automatic configuration of Linked RAs.
- Send provisioner configuration on Linked RAs.
### Changed
- Certificates signed by an issuer using an RSA key will be signed using the
same algorithm used to sign the issuer certificate. The signature will no
longer default to PKCS #1. For example, if the issuer certificate was signed
using RSA-PSS with SHA-256, a new certificate will also be signed using
RSA-PSS with SHA-256.
- Support two latest versions of Go (1.18, 1.19).
- Validate revocation serial number (either base 10 or prefixed with an
appropriate base).
- Sanitize TLS options.
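The algorithm-inheritance rule above, together with the 0.22.1 fix for EC (root) + RSA (intermediate) PKIs, as an added Go example that is not step-ca's own code: `signatureAlgorithmFor` reuses the issuer's RSA algorithm (so RSA-PSS with SHA-256 stays RSA-PSS with SHA-256) and falls back to the library default when the issuer's own signature is not an RSA one, because an RSA intermediate signed by an EC root carries an ECDSA algorithm that its RSA key cannot produce. The keys, names, templates and `scenarios` helper are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signatureAlgorithmFor picks the algorithm for a certificate signed by issuer:
// an RSA issuer whose own certificate was signed with an RSA algorithm passes that
// algorithm on; anything else (a non-RSA issuer, or an RSA intermediate under an
// EC root) returns UnknownSignatureAlgorithm so crypto/x509 picks its default for the key.
func signatureAlgorithmFor(issuer *x509.Certificate) x509.SignatureAlgorithm {
	if _, isRSA := issuer.PublicKey.(*rsa.PublicKey); !isRSA {
		return x509.UnknownSignatureAlgorithm
	}
	switch issuer.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA,
		x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS:
		return issuer.SignatureAlgorithm
	}
	return x509.UnknownSignatureAlgorithm
}

// newTemplate is a minimal certificate template (constructed test data, not a production profile).
func newTemplate(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// sign creates and re-parses a certificate so SignatureAlgorithm reflects what was encoded.
func sign(tmpl, parent *x509.Certificate, pub any, key crypto.Signer) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issueLeaf signs an RSA leaf under issuer with the inherited algorithm.
func issueLeaf(issuer *x509.Certificate, issuerKey crypto.Signer) (*x509.Certificate, error) {
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := newTemplate(100, "leaf.example.com", false)
	tmpl.SignatureAlgorithm = signatureAlgorithmFor(issuer)
	return sign(tmpl, issuer, &leafKey.PublicKey, issuerKey)
}

// scenarios builds both chains from the changelog and returns the algorithm each leaf got.
func scenarios() (pssLeaf, ecRootLeaf x509.SignatureAlgorithm, err error) {
	// Case 1: RSA root self-signed with RSA-PSS/SHA-256; the leaf must inherit it.
	rootKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	rootTmpl := newTemplate(1, "RSA-PSS Root", true)
	rootTmpl.SignatureAlgorithm = x509.SHA256WithRSAPSS
	root, err := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return
	}
	leaf, err := issueLeaf(root, rootKey)
	if err != nil {
		return
	}
	pssLeaf = leaf.SignatureAlgorithm

	// Case 2: EC root signing an RSA intermediate (the 0.22.1 case); the intermediate's
	// certificate says ECDSA-SHA256, which its RSA key cannot use, so the default applies.
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	ecTmpl := newTemplate(2, "EC Root", true)
	ecRoot, err := sign(ecTmpl, ecTmpl, &ecKey.PublicKey, ecKey)
	if err != nil {
		return
	}
	interKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	inter, err := sign(newTemplate(3, "RSA Intermediate", true), ecRoot, &interKey.PublicKey, ecKey)
	if err != nil {
		return
	}
	if leaf, err = issueLeaf(inter, interKey); err != nil {
		return
	}
	ecRootLeaf = leaf.SignatureAlgorithm
	return
}

func main() {
	pssLeaf, ecRootLeaf, err := scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf under RSA-PSS root:            ", pssLeaf)
	fmt.Println("leaf under RSA intermediate/EC root:", ecRootLeaf)
}
```

Note that `crypto/x509` itself rejects a template whose `SignatureAlgorithm` does not match the signing key's type, which is why copying the intermediate's ECDSA algorithm onto an RSA-signed leaf fails and the fallback is needed.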
## [0.20.0] - 2022-05-26
### Added
- Added Kubernetes auth method for Vault RAs.
- Added support for reporting provisioners to linkedca.
- Added support for certificate policies on authority level.
- Added a Dockerfile with a step-ca build with HSM support.
- A few new WithXX methods for instantiating authorities
### Changed
- Context usage in HTTP APIs.
- Changed authentication for Vault RAs.
- Error message returned to client when authenticating with expired certificate.
- Strip padding from ACME CSRs.
### Deprecated
- HTTP API handler types.
### Fixed
- Fixed SSH revocation.
- CA client dial context for js/wasm target.
- Incomplete `extraNames` support in templates.
- SCEP GET request support.
- Large SCEP request handling.
## [0.19.0] - 2022-04-19
### Added
- Added support for certificate renewals after expiry using the claim `allowRenewalAfterExpiry`.
- Added support for `extraNames` in X.509 templates.
- Added `armv5` builds.
- Added RA support using a Vault instance as the CA.
- Added `WithX509SignerFunc` authority option.
- Added a new `/roots.pem` endpoint to download the CA roots in PEM format.
- Added support for Azure `Managed Identity` tokens.
- Added support for automatic configuration of linked RAs.
- Added support for the `--context` flag. It's now possible to start the
CA with `step-ca --context=abc` to use the configuration from context `abc`.
When a context has been configured and no configuration file is provided
on startup, the configuration for the current context is used.
- Added startup info logging and option to skip it (`--quiet`).
- Added support for renaming the CA (Common Name).
### Changed
- Made SCEP CA URL paths dynamic.
- Support two latest versions of Go (1.17, 1.18).
- Upgrade go.step.sm/crypto to v0.16.1.
- Upgrade go.step.sm/linkedca to v0.15.0.
### Deprecated
- Go 1.16 support.
### Removed
### Fixed
- Fixed admin credentials on RAs.
- Fixed ACME HTTP-01 challenges for IPv6 identifiers.
- Various improvements under the hood.
### Security
## [0.18.2] - 2022-03-01
### Added
- Added `subscriptionIDs` and `objectIDs` filters to the Azure provisioner.
- [NoSQL](https://github.com/smallstep/nosql/pull/21) package allows filtering
out database drivers using Go tags. For example, using the Go flag
`--tags=nobadger,nobbolt,nomysql` will only compile `step-ca` with the pgx
driver for PostgreSQL.
### Changed
- IPv6 addresses are normalized as IP addresses instead of hostnames.
- More descriptive JWK decryption error message.
- Make the X5C leaf certificate available to the templates using `{{ .AuthorizationCrt }}`.
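An added Go example (not step-ca's code) covering the two IPv6 items in this changelog, the 0.19.0 fix for ACME HTTP-01 challenges on IPv6 identifiers and the 0.18.2 change to normalize IPv6 addresses as IP addresses rather than hostnames: `normalizeIdentifier` classifies a requested name as an `ip` or `dns` ACME identifier and canonicalizes it, `http01URL` builds the challenge URL with `net.JoinHostPort` so that IPv6 literals are bracketed, and `subjectAltNames` maps `ip` identifiers onto IP SANs rather than DNS SANs. The `Identifier` type, the function names and the sample inputs are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Identifier is an ACME identifier: type "dns" (RFC 8555) or "ip" (RFC 8738).
type Identifier struct {
	Type  string
	Value string
}

// normalizeIdentifier canonicalizes a requested name. Anything net.ParseIP accepts
// becomes an "ip" identifier in canonical text form, so "2001:DB8:0:0::1" and
// "2001:db8::1" collapse to one value instead of being treated as two hostnames.
// Surrounding brackets are tolerated on input and never kept in the identifier.
func normalizeIdentifier(raw string) (Identifier, error) {
	v := strings.ToLower(strings.TrimSpace(raw))
	v = strings.TrimSuffix(strings.TrimPrefix(v, "["), "]")
	if ip := net.ParseIP(v); ip != nil {
		return Identifier{Type: "ip", Value: ip.String()}, nil
	}
	if v == "" || strings.ContainsAny(v, " /:[]") {
		return Identifier{}, fmt.Errorf("%q is neither a hostname nor an IP address", raw)
	}
	return Identifier{Type: "dns", Value: strings.TrimSuffix(v, ".")}, nil
}

// http01URL is the URL the CA fetches to validate an http-01 challenge. net.JoinHostPort
// brackets IPv6 literals; concatenating "http://" + host + ":80" by hand would yield the
// unparseable http://2001:db8::1:80/... for an IPv6 identifier.
func http01URL(id Identifier, token string) string {
	u := url.URL{
		Scheme: "http",
		Host:   net.JoinHostPort(id.Value, "80"),
		Path:   "/.well-known/acme-challenge/" + token,
	}
	return u.String()
}

// subjectAltNames maps identifiers onto certificate SAN fields: "ip" identifiers become
// IP address SANs, never DNS names.
func subjectAltNames(ids []Identifier) (dnsNames []string, ips []net.IP) {
	for _, id := range ids {
		if id.Type == "ip" {
			ips = append(ips, net.ParseIP(id.Value))
		} else {
			dnsNames = append(dnsNames, id.Value)
		}
	}
	return dnsNames, ips
}

func main() {
	// Constructed sample inputs, including a mixed-case, zero-padded IPv6 literal.
	for _, raw := range []string{"2001:DB8:0:0::1", "[::1]", "Example.COM.", "10.0.0.1", "bad host"} {
		id, err := normalizeIdentifier(raw)
		if err != nil {
			fmt.Println(raw, "->", err)
			continue
		}
		fmt.Printf("%-16s -> %s %-14s %s\n", raw, id.Type, id.Value, http01URL(id, "tok"))
	}
}
```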
### Fixed
- When adding a provisioner, validate its configuration before storing it in the DB.
## [0.18.1] - 2022-02-03
### Added
- Support for ACME revocation.
- Replace the hash function used with an RSA SSH CA with "rsa-sha2-256".
- Support Nebula provisioners.
- Example Ansible configurations.
- Support PKCS#11 as a decrypter, as used by SCEP.
### Changed
- Automatically create database directory on `step ca init`.
- Slightly improve errors reported when a template has invalid content.
- Error reporting in logs and to clients.
### Fixed
- SCEP renewal using HTTPS on macOS.
## [0.18.0] - 2021-11-17
### Added
- Support for multiple certificate authority contexts.
- Support for generating extractable keys and certificates on a pkcs#11 module.
### Changed
- Support two latest versions of Go (1.16, 1.17)
### Deprecated
- go 1.15 support
## [0.17.6] - 2021-10-20
### Notes
- 0.17.5 failed in CI/CD
## [0.17.5] - 2021-10-20
### Added
- Support for Azure Key Vault as a KMS.
- Adapt `pki` package to support key managers.
- gocritic linter
### Fixed
- gocritic warnings
## [0.17.4] - 2021-09-28
### Fixed
- Support host-only or user-only SSH CA.
## [0.17.3] - 2021-09-24
### Added
- Go 1.17 added to the GitHub Actions test matrix.
- Support for CloudKMS RSA-PSS signers without using templates.
- Add flags to support individual passwords for the intermediate and SSH keys.
- Global support for group admins in the OIDC provisioner.
### Changed
- Use Go 1.17 to build binaries.
### Fixed
- Upgrade go-jose.v2 to fix a bug in the JWK fingerprint of Ed25519 keys.
### Security
- Use cosign to sign and upload signatures for multi-arch Docker container.
- Add debian checksum
## [0.17.2] - 2021-08-30
### Added
- Additional way to distinguish Azure IID and Azure OIDC tokens.
### Security
- Sign over all goreleaser github artifacts using cosign
## [0.17.1] - 2021-08-26
## [0.17.0] - 2021-08-25
### Added
- Add support for Linked CAs using protocol buffers and gRPC
- `step-ca init` adds support for
  - configuring a StepCAS RA
  - configuring a Linked CA
  - configuring a `step-ca` using Helm
### Changed
- Update badger driver to use v2 by default
- Update TLS cipher suites to include 1.3
### Security
- Fix the key version used when SHA512WithRSA is selected. A typo created RSA keys with SHA-256 digests instead of SHA-512.