Herman Slatman
9bda3c465a
Add more template data
2021-03-26 16:11:35 +01:00
Herman Slatman
b815478981
Make serving SCEP endpoints optional
...
Only when a SCEP provisioner is enabled, the SCEP endpoints
will now be available.
The SCEP endpoints will be served on an "insecure" server,
without TLS, only when an additional "insecureAddress" and a
SCEP provisioner are configured for the CA.
2021-03-26 16:05:33 +01:00
Herman Slatman
69d701062a
Fix typo
2021-03-26 15:24:27 +01:00
Herman Slatman
c5e4ea08b3
Merge branch 'master' into hs/scep
2021-03-26 15:22:41 +01:00
Herman Slatman
65aab963c9
Add validation to SCEP Options
2021-03-26 15:22:04 +01:00
Herman Slatman
b97f024f8a
Remove superfluous call to StoreCertificate
2021-03-26 14:02:52 +01:00
Mariano Cano
5249ce794b
Merge pull request #516 from smallstep/ra-mode-improvements
...
RA mode improvements
2021-03-25 11:58:13 -07:00
Mariano Cano
84018ec71b
Clarify comment.
2021-03-25 11:07:58 -07:00
Mariano Cano
8c8c160c92
Fix method name in comment.
2021-03-25 11:06:37 -07:00
Mariano Cano
a9297100d8
Allow to configure the JWK using the encrypted key.
2021-03-24 19:05:56 -07:00
Mariano Cano
e727532963
Fix wrong format of the first flag on step-ca --help
2021-03-24 14:55:34 -07:00
Mariano Cano
bdeb0ccd7c
Add support for the flag --issuer-password-file
...
The new flag allows to pass a file with the password used to decrypt
the key used in RA mode.
2021-03-24 14:53:19 -07:00
Mariano Cano
71f59de396
Merge pull request #510 from smallstep/ra-mode
...
StepCAS.
2021-03-24 14:39:27 -07:00
Mariano Cano
d9f93ccfde
Fix typo.
2021-03-24 12:06:29 -07:00
Mariano Cano
edc7c4d90e
Add support for password encrypted files
2021-03-23 17:54:42 -07:00
Mariano Cano
80542d6d9a
Add JWK as an issuer for stepcas.
2021-03-23 16:14:49 -07:00
Mariano Cano
81428afa6f
Merge pull request #514 from gdbelvin/pin
...
PKCS11 Init Pin Flag
2021-03-23 15:20:44 -07:00
Gary Belvin
341966c30f
Check pin flag
2021-03-23 22:13:35 +00:00
Carl Tashian
9146fe8055
Merge branch 'carl/sysd-update'
2021-03-23 11:17:28 -07:00
Gary Belvin
1ac838628a
Add flag for setting the pin
2021-03-23 10:40:13 +00:00
Mariano Cano
ce3e6bfdf6
Fix linting errors.
2021-03-22 13:45:20 -07:00
Mariano Cano
0b8528ce6b
Allow mTLS revocation without provisioner.
2021-03-22 13:37:31 -07:00
Mariano Cano
96de4e6ec8
Return a non-implemented error in stepcas.RenewCertificate.
2021-03-22 12:56:12 -07:00
Mariano Cano
348815f4f6
Fix error message.
2021-03-22 11:51:11 -07:00
Herman Slatman
583d60dc0d
Address (most) PR comments
2021-03-21 16:42:41 +01:00
Herman Slatman
a526065d0c
Merge branch 'master' into hs/scep
2021-03-21 13:16:28 +01:00
Mariano Cano
e7a6c46e54
Fix linting errors.
2021-03-19 14:21:47 -07:00
Mariano Cano
08e75b614e
Do not depend on Go 1.16.
2021-03-19 13:23:32 -07:00
Mariano Cano
6fd6270e7d
Remove debug statements.
2021-03-19 13:21:14 -07:00
Mariano Cano
7958f6ebb5
Add support for lifetime.
2021-03-19 13:19:49 -07:00
Mariano Cano
ae4b8f58b8
Add support for emails, ips and uris.
2021-03-19 12:02:03 -07:00
Mariano Cano
561341a6f2
Update go.step.sm/crypto.
2021-03-18 18:04:38 -07:00
Mariano Cano
dbb48ecf8d
Add tests for stepcas.
2021-03-18 18:01:38 -07:00
Mariano Cano
bcf70206ac
Add support for revocation using an extra provisioner in the RA.
2021-03-17 19:47:36 -07:00
Mariano Cano
a6115e29c2
Add initial implementation of StepCAS.
...
StepCAS allows to configure step-ca as an RA using another step-ca
as the main CA.
2021-03-17 19:33:35 -07:00
Carl Tashian
9f0fce6df8
Quoting fix
2021-03-17 18:24:10 -07:00
Carl Tashian
2c09baf696
Two small systemd changes
...
1. Don't halt the cert renewer service from ExecStartPost ops if a relying service doesn't exist; halt it if the relying service exists and doesn't restart properly.
2. Use /bin/env bash instead of /bin/bash for portability.
2021-03-16 17:08:27 -07:00
max furman
3b9eed003d
[action] set goreleaser config values back to default
2021-03-15 12:27:29 -07:00
max furman
6861202762
go.sum update
2021-03-15 11:23:06 -07:00
max furman
6d879affa4
[action] remove duplicate step in job
2021-03-15 11:01:14 -07:00
Carl Tashian
33bba8fcd5
Fix goreleaser indentation issue
2021-03-15 11:00:46 -07:00
Carl Tashian
7249f495a9
Merge pull request #503 from smallstep/carl/goreleaser-windows
...
Add step-ca Windows build & Scoop release to goreleaser
2021-03-15 10:41:11 -07:00
Herman Slatman
a4844fee7b
Make tests green
2021-03-12 16:58:52 +01:00
Herman Slatman
99952080c7
Make tests not fail hard on ECDSA keys
...
All tests for the Authority failed because the test data
contains ECDSA keys. ECDSA keys are no crypto.Decrypter,
resulting in a failure when instantiating the Authority.
2021-03-12 16:27:26 +01:00
Herman Slatman
e30084c9a8
Make linter happy
2021-03-12 16:02:00 +01:00
Herman Slatman
3e0dac3ab4
Fix certificateChain property
2021-03-12 15:51:16 +01:00
Herman Slatman
e1cab4966f
Improve initialization of SCEP authority
2021-03-12 15:49:39 +01:00
Herman Slatman
8c5b12e21d
Add non-TLS server and improve crypto.Decrypter interface
...
A server without TLS was added to serve the SCEP endpoints. According
to the RFC, SCEP has to be served via HTTP. The `sscep` client, for
example, will stop any URL that does not start with `http://` from
being used, so serving SCEP seems to be the right way to do it.
This commit adds a second server for which no TLS configuration is
configured. A distinct field in the configuration, `insecureAddress`
was added to specify the address for the insecure server.
The SCEP endpoints will also still be served via HTTPS. Some clients
may be able to work with that.
This commit also improves how the crypto.Decrypter interface is
handled for the different types of KMSes supported by step. The
apiv1.Decrypter interface was added. Currently only SoftKMS
implements this interface, providing a crypto.Decrypter required
for SCEP operations.
2021-03-12 14:18:36 +01:00
Herman Slatman
efd5501aca
Merge branch 'master' into hs/scep
2021-03-12 12:16:10 +01:00
Carl Tashian
192207d263
Add Windows build to goreleaser
2021-03-10 15:46:43 -08:00