Mariano Cano
d4cb9f4ac7
Define an interface for kms operations.
...
This interface will be used for unit testing.
2020-05-20 12:43:14 -07:00
Mariano Cano
deac15327f
Add docs for AWS KMS.
2020-05-20 12:30:32 -07:00
Mariano Cano
82fb96588e
Fix unit tests.
2020-05-19 17:45:15 -07:00
Mariano Cano
5b680b2349
Add initialization script for an AWS KMS.
2020-05-19 17:35:58 -07:00
Mariano Cano
c32abb76cd
Add initial implementation to support AWS KMS.
2020-05-19 17:35:36 -07:00
Mariano Cano
b0f768a3fb
Add implementation of URIs for KMS.
...
Implementation is based on the PKCS #11 URI Scheme RFC
https://tools.ietf.org/html/rfc7512
2020-05-19 17:32:52 -07:00
Mariano Cano
2bc69d3edd
Merge pull request #252 from smallstep/yubikey
...
Yubikey support
2020-05-19 13:47:33 -07:00
Mariano Cano
89e164dad6
Add AuthorityKeyId to cloudkms root cert.
2020-05-19 13:15:09 -07:00
Mariano Cano
97508ca215
Add AuthorityKeyId to root certificate.
...
Fix error string.
2020-05-19 13:05:55 -07:00
Max
ba91f4ed13
Merge pull request #260 from anxolerd/feat-force-cn-if-empty
...
[Feature] Force CommonName for certificates from ACME provisioner
2020-05-18 14:40:01 -07:00
Oleksandr Kovalchuk
4cd01b6868
Implement tests for forceCNOption modifier
...
Implement unit tests which checks forceCNOption modifier (implemented
in 322200b7db
) is not broken and works
correctly.
Ref: https://github.com/smallstep/certificates/issues/259
2020-05-17 20:29:28 +03:00
Oleksandr Kovalchuk
893a53793a
Modify existing tests to accept forceCNOption modifier
...
Modify existing tests to pass with changes introduced in commit
322200b7db
. This is safe to do as
tests assert exact length of modifiers, which has changed.
2020-05-17 20:27:09 +03:00
Oleksandr Kovalchuk
322200b7db
Implement modifier to set CommonName
...
Implement modifier which sets CommonName to the certificate if
CommonName is empty and forceCN is set in the config. Replace previous
implementation introduced in 0218018cee
with new modifier.
Closes https://github.com/smallstep/certificates/issues/259
Ref: https://github.com/smallstep/certificates/pull/260#issuecomment-628961322
2020-05-17 20:23:13 +03:00
Mariano Cano
3e40cb89a7
Add some docs for YubiKey configuration.
2020-05-15 12:24:25 -07:00
Mariano Cano
d95c055163
piv-go requires libpcsclite-dev on linux.
2020-05-15 11:40:26 -07:00
Mariano Cano
03a6789f0e
Fix compile errors without cgo support.
2020-05-15 11:33:22 -07:00
Mariano Cano
012a4734bf
Add better messaging when yubikey is not detected.
2020-05-15 11:33:04 -07:00
Mariano Cano
7d61c0003c
Enable softkms and cloudkms.
2020-05-15 11:32:12 -07:00
Max
ae15573f93
Merge pull request #249 from smallstep/clive-jevons/dynamic-host-detection-for-acme-directory
...
dynamic host detection for acme directory
Closes #235 , #193
2020-05-14 17:40:01 -07:00
max furman
e1409349f3
Allow relative URL for all links in ACME api ...
...
* Pass the request context all the way down the ACME stack.
* Save baseURL in context and use when generating ACME urls.
2020-05-14 17:32:54 -07:00
Oleksandr Kovalchuk
0218018cee
Generate Subject if forceCN
and Subject is empty
...
When `forceCN` is set in provisioner configuration and
Subject.CommonName is empty, set Subject.CommonName to the first SAN
from the CSR to follow the letsencrypt's boulder behavior. This is done
in order to support system which require certificate's Subject field to
be non-empty.
N.B. certbot does not send Subject in its certificate request and relies
on similar behavior of letsencrypt.
Closes https://github.com/smallstep/certificates/issues/259
2020-05-14 13:23:42 +03:00
Oleksandr Kovalchuk
503c9f6101
Add config option to force CN
...
Add configuration option `forceCN` to ACME provisioner. When this option
is set to `true`, provisioner should generate Subject.CommonName for
certificate if it was not present in the request. Default value of
`false` should keep the existing behavior (do not modify CSR and
certificate).
Ref: https://github.com/smallstep/certificates/issues/259
2020-05-14 13:20:55 +03:00
Clive Jevons
639993bd09
Read host and protocol information from request for links
...
When constructing links we want to read the required host and protocol
information in a dynamic manner from the request for constructing ACME
links such as the directory information. This way, if the server is
running behind a proxy, and we don't know what the exposed URL should
be at runtime, we can construct the required information from the
host, tls and X-Forwarded-Proto fields in the HTTP request.
Inspired by the LetsEncrypt Boulder project (web/relative.go).
2020-05-12 16:58:12 -07:00
Mariano Cano
025c0aa20f
Display the proper yubikey uri.
2020-05-11 19:42:21 -07:00
Mariano Cano
22b86c3fcc
Only rewrite keys with --force.
2020-05-11 19:40:12 -07:00
Mariano Cano
63e36ecd7a
Refactor the initialization of KeyManagers.
2020-05-11 18:47:22 -07:00
Max
f126962f3f
Merge pull request #257 from smallstep/max/accUpd
...
ACME accountUpdate ignore fields not recognized by the server.
2020-05-11 14:18:08 -07:00
max furman
4cb777bdc1
ACME accountUpdate ignore fields not recognized by the server.
2020-05-08 11:52:30 -07:00
Mariano Cano
c02fe77998
Close the key manager before shutting down.
2020-05-07 18:59:30 -07:00
Mariano Cano
029483463b
Remove extra +build statement.
2020-05-07 18:51:41 -07:00
Mariano Cano
ef2b13b163
Add step-yubikey-init as a target.
2020-05-07 18:40:36 -07:00
Mariano Cano
677e99793e
Create alternative yubikey file when cgo is not enabled.
...
This yubikey will always fail.
2020-05-07 18:35:10 -07:00
Mariano Cano
6868190fff
Add initial support for yubikey.
2020-05-07 18:22:09 -07:00
Mariano Cano
9f1d95d8bf
Fix renew of certificate at the start of the server.
2020-05-07 18:21:11 -07:00
Mariano Cano
e855707dc2
Merge pull request #248 from smallstep/embedded-config-init
...
Initialize the required config fields on embedded authorities
2020-05-06 14:29:53 -07:00
Mariano Cano
4e544344f9
Initialize the required config fields on embedded authorities.
...
This change is to make easier the use of embedded authorities. It
can be difficult for third parties to know what fields are required.
The new init methods will define the minimum usable configuration.
2020-05-06 13:00:42 -07:00
Mariano Cano
9499aed6d1
Merge pull request #247 from smallstep/embedded-authority
...
Create a method to initialize the authority without a config file
2020-05-05 18:17:37 -07:00
Mariano Cano
b5eab009b2
Rename method to NewEmbedded
2020-05-05 17:46:22 -07:00
Mariano Cano
824374bde0
Create a method to initialize the authority without a config file.
...
When the CA is embedded in a third party product like Caddy, the
config needed to use placeholders to be valid. This change adds
a new method `NewEmbeddedAuthority` that allows to create an
authority with the given options, the minimum options are a root
and intermediate certificate, and the intermediate key.
Fixes #218
2020-05-04 18:52:18 -07:00
max furman
ca0861bf17
Add documentation for running HA
2020-05-04 16:44:55 -07:00
max furman
083abf5150
Fix a bit of getting started doc syntax
2020-05-04 16:09:36 -07:00
max furman
8227449746
Add docs for ssh cert duration for authority config.
...
Fixes #238 .
2020-05-01 14:48:14 -07:00
max furman
c1a84c1405
go mod tidy
2020-04-30 18:59:41 -07:00
max furman
1b6bf38b52
Bump cli to v0.14.3
2020-04-30 17:48:58 -07:00
max furman
d40c029582
Fix docs database link.
2020-04-28 10:42:05 -07:00
max furman
30e38dc501
Bumpt the version of cli for a certificates RC.
2020-04-28 09:34:10 -07:00
Mariano Cano
df3b9f637e
Use a tagged version of nosql.
2020-04-27 18:13:54 -07:00
Mariano Cano
18869323f4
Merge pull request #234 from smallstep/oidc-multinenant
...
Add support for multi-tenant OIDC provisioners
2020-04-27 15:21:55 -07:00
Mariano Cano
4e9bff0986
Add support for OIDC multitoken tenants for azure.
2020-04-24 14:36:32 -07:00
Mariano Cano
c7907a4626
Merge pull request #233 from smallstep/oidc-add-user-cert
...
Add support for user provisioner certificates on OIDC provisioners.
2020-04-24 10:54:25 -07:00