forked from TrueCloudLab/certificates
108 lines
3.5 KiB
Markdown
108 lines
3.5 KiB
Markdown
# Changelog
|
|
All notable changes to this project will be documented in this file.
|
|
|
|
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
|
|
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
|
|
|
|
## [Unreleased - 0.18.3] - DATE
|
|
### Added
|
|
- Added support for certificate renewals after expiry using the claim `allowRenewalAfterExpiry`.
|
|
- Added support for `extraNames` in X.509 templates.
|
|
- Added RA support using a Vault instance as the CA.
|
|
- Added support for automatic configuration of linked RAs.
|
|
### Changed
|
|
- Made SCEP CA URL paths dynamic
|
|
- Support two latest versions of Go (1.17, 1.18)
|
|
### Deprecated
|
|
### Removed
|
|
### Fixed
|
|
- Fixed admin credentials on RAs.
|
|
### Security
|
|
|
|
## [0.18.2] - 2022-03-01
|
|
### Added
|
|
- Added `subscriptionIDs` and `objectIDs` filters to the Azure provisioner.
|
|
- [NoSQL](https://github.com/smallstep/nosql/pull/21) package allows filtering
|
|
out database drivers using Go tags. For example, using the Go flag
|
|
`--tags=nobadger,nobbolt,nomysql` will only compile `step-ca` with the pgx
|
|
driver for PostgreSQL.
|
|
### Changed
|
|
- IPv6 addresses are normalized as IP addresses instead of hostnames.
|
|
- More descriptive JWK decryption error message.
|
|
- Make the X5C leaf certificate available to the templates using `{{ .AuthorizationCrt }}`.
|
|
### Fixed
|
|
- During provisioner add - validate provisioner configuration before storing to DB.
|
|
|
|
## [0.18.1] - 2022-02-03
|
|
### Added
|
|
- Support for ACME revocation.
|
|
- Replace hash function with an RSA SSH CA to "rsa-sha2-256".
|
|
- Support Nebula provisioners.
|
|
- Example Ansible configurations.
|
|
- Support PKCS#11 as a decrypter, as used by SCEP.
|
|
### Changed
|
|
- Automatically create database directory on `step ca init`.
|
|
- Slightly improve errors reported when a template has invalid content.
|
|
- Error reporting in logs and to clients.
|
|
### Fixed
|
|
- SCEP renewal using HTTPS on macOS.
|
|
|
|
## [0.18.0] - 2021-11-17
|
|
### Added
|
|
- Support for multiple certificate authority contexts.
|
|
- Support for generating extractable keys and certificates on a pkcs#11 module.
|
|
### Changed
|
|
- Support two latest versions of golang (1.16, 1.17)
|
|
### Deprecated
|
|
- go 1.15 support
|
|
|
|
## [0.17.6] - 2021-10-20
|
|
### Notes
|
|
- 0.17.5 failed in CI/CD
|
|
|
|
## [0.17.5] - 2021-10-20
|
|
### Added
|
|
- Support for Azure Key Vault as a KMS.
|
|
- Adapt `pki` package to support key managers.
|
|
- gocritic linter
|
|
### Fixed
|
|
- gocritic warnings
|
|
|
|
## [0.17.4] - 2021-09-28
|
|
### Fixed
|
|
- Support host-only or user-only SSH CA.
|
|
|
|
## [0.17.3] - 2021-09-24
|
|
### Added
|
|
- go 1.17 to github action test matrix
|
|
- Support for CloudKMS RSA-PSS signers without using templates.
|
|
- Add flags to support individual passwords for the intermediate and SSH keys.
|
|
- Global support for group admins in the OIDC provisioner.
|
|
### Changed
|
|
- Using go 1.17 for binaries
|
|
### Fixed
|
|
- Upgrade go-jose.v2 to fix a bug in the JWK fingerprint of Ed25519 keys.
|
|
### Security
|
|
- Use cosign to sign and upload signatures for multi-arch Docker container.
|
|
- Add debian checksum
|
|
|
|
## [0.17.2] - 2021-08-30
|
|
### Added
|
|
- Additional way to distinguish Azure IID and Azure OIDC tokens.
|
|
### Security
|
|
- Sign over all goreleaser github artifacts using cosign
|
|
|
|
## [0.17.1] - 2021-08-26
|
|
|
|
## [0.17.0] - 2021-08-25
|
|
### Added
|
|
- Add support for Linked CAs using protocol buffers and gRPC
|
|
- `step-ca init` adds support for
|
|
- configuring a StepCAS RA
|
|
- configuring a Linked CA
|
|
- congifuring a `step-ca` using Helm
|
|
### Changed
|
|
- Update badger driver to use v2 by default
|
|
- Update TLS cipher suites to include 1.3
|
|
### Security
|
|
- Fix key version when SHA512WithRSA is used. There was a typo creating RSA keys with SHA256 digests instead of SHA512.
|