forked from TrueCloudLab/certificates
4.4 KiB
4.4 KiB
Changelog
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
[Unreleased - 0.19.1] - DATE
Added
Changed
Deprecated
Removed
Fixed
Security
[0.19.0] - 2022-04-19
Added
- Added support for certificate renewals after expiry using the claim
allowRenewalAfterExpiry
. - Added support for
extraNames
in X.509 templates. - Added
armv5
builds. - Added RA support using a Vault instance as the CA.
- Added
WithX509SignerFunc
authority option. - Added a new
/roots.pem
endpoint to download the CA roots in PEM format. - Added support for Azure
Managed Identity
tokens. - Added support for automatic configuration of linked RAs.
- Added support for the
--context
flag. It's now possible to start the CA withstep-ca --context=abc
to use the configuration from contextabc
. When a context has been configured and no configuration file is provided on startup, the configuration for the current context is used. - Added startup info logging and option to skip it (
--quiet
).
Changed
- Made SCEP CA URL paths dynamic.
- Support two latest versions of Go (1.17, 1.18).
- Upgrade go.step.sm/crypto to v0.16.1.
- Upgrade go.step.sm/linkedca to v0.15.0.
Deprecated
- Go 1.16 support.
Removed
Fixed
- Fixed admin credentials on RAs.
- Fixed ACME HTTP-01 challenges for IPv6 identifiers.
- Various improvements under the hood.
Security
[0.18.2] - 2022-03-01
Added
- Added
subscriptionIDs
andobjectIDs
filters to the Azure provisioner. - NoSQL package allows filtering
out database drivers using Go tags. For example, using the Go flag
--tags=nobadger,nobbolt,nomysql
will only compilestep-ca
with the pgx driver for PostgreSQL.
Changed
- IPv6 addresses are normalized as IP addresses instead of hostnames.
- More descriptive JWK decryption error message.
- Make the X5C leaf certificate available to the templates using
{{ .AuthorizationCrt }}
.
Fixed
- During provisioner add - validate provisioner configuration before storing to DB.
[0.18.1] - 2022-02-03
Added
- Support for ACME revocation.
- Replace hash function with an RSA SSH CA to "rsa-sha2-256".
- Support Nebula provisioners.
- Example Ansible configurations.
- Support PKCS#11 as a decrypter, as used by SCEP.
Changed
- Automatically create database directory on
step ca init
. - Slightly improve errors reported when a template has invalid content.
- Error reporting in logs and to clients.
Fixed
- SCEP renewal using HTTPS on macOS.
[0.18.0] - 2021-11-17
Added
- Support for multiple certificate authority contexts.
- Support for generating extractable keys and certificates on a pkcs#11 module.
Changed
- Support two latest versions of Go (1.16, 1.17)
Deprecated
- go 1.15 support
[0.17.6] - 2021-10-20
Notes
- 0.17.5 failed in CI/CD
[0.17.5] - 2021-10-20
Added
- Support for Azure Key Vault as a KMS.
- Adapt
pki
package to support key managers. - gocritic linter
Fixed
- gocritic warnings
[0.17.4] - 2021-09-28
Fixed
- Support host-only or user-only SSH CA.
[0.17.3] - 2021-09-24
Added
- go 1.17 to github action test matrix
- Support for CloudKMS RSA-PSS signers without using templates.
- Add flags to support individual passwords for the intermediate and SSH keys.
- Global support for group admins in the OIDC provisioner.
Changed
- Using go 1.17 for binaries
Fixed
- Upgrade go-jose.v2 to fix a bug in the JWK fingerprint of Ed25519 keys.
Security
- Use cosign to sign and upload signatures for multi-arch Docker container.
- Add debian checksum
[0.17.2] - 2021-08-30
Added
- Additional way to distinguish Azure IID and Azure OIDC tokens.
Security
- Sign over all goreleaser github artifacts using cosign
[0.17.1] - 2021-08-26
[0.17.0] - 2021-08-25
Added
- Add support for Linked CAs using protocol buffers and gRPC
step-ca init
adds support for- configuring a StepCAS RA
- configuring a Linked CA
- congifuring a
step-ca
using Helm
Changed
- Update badger driver to use v2 by default
- Update TLS cipher suites to include 1.3
Security
- Fix key version when SHA512WithRSA is used. There was a typo creating RSA keys with SHA256 digests instead of SHA512.