All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- Support for using template data from SCEPCHALLENGE webhooks (smallstep#2065)
- New field to Webhook response that allows for propagation of human readable errors to the client (smallstep#2066, smallstep#2069)
- CICD for pushing DEB and RPM packages to packages.smallstep.com on releases (smallstep#2076)
- PKCS11 utilities in HSM container image (smallstep#2077)
- Artifact names for RPM and DEB packages in conformance with standards (smallstep#2076)
- Add options to GCP IID provisioner to enable or disable signing of SSH user and host certificates (smallstep#2045)
- For IID provisioners with disableCustomSANs set to true, validate that the requested DNS names are a subset of the allowed DNS names (based on the IID token), rather than requiring an exact match to the entire list of allowed DNS names. (smallstep#2044)
- Option to log real IP (x-forwarded-for) in logging middleware (smallstep#2002)
- Pulled in updates to smallstep/pkcs7 to fix failing Windows SCEP enrollment certificates (smallstep#1994)
- Release workflow
- AWS auth method for Vault RA mode (smallstep#1976)
- API endpoints for retrieving Intermediate certificates (smallstep#1962)
- Enable use of OIDC provisioner with private identity providers and a certificate from step-ca (smallstep#1940)
- Support for verifying `cnf` and `x5rt#S256` claim when provided in token (smallstep#1660)
- Add Wire integration to ACME provisioner (smallstep#1666)
- Clarified SSH certificate policy errors (smallstep#1951)
- Nebula ECDSA P-256 support (smallstep#1662)
- `--console` option to default step-ssh config (smallstep#1931)
- Enable use of strict FQDN with a flag (smallstep#1926)
- This reverses a change in 0.27.0 that required the use of strict FQDNs (smallstep/certificate#1910)
- Support for validity windows in templates (smallstep#1903)
- Create identity certificate with host URI when using any provisioner (smallstep#1922)
- Do strict DNS lookup on ACME (smallstep#1910)
- Handle bad attestation object in deviceAttest01 validation (smallstep#1913)
- Add provisionerID to ACME accounts (smallstep#1830)
- Enable verifying ACME provisioner using provisionerID if available (smallstep#1844)
- Add methods to Authority to get intermediate certificates (smallstep#1848)
- Add GetX509Signer method (smallstep#1850)
- Make ISErrNotFound more flexible (smallstep#1819)
- Log errors using slog.Logger (smallstep#1849)
- Update hardcoded AWS certificates (smallstep#1881)
- Allow configuration of a custom SCEP key manager (smallstep#1797)
- id-scep-failInfoText OID (smallstep#1794)
- CA startup with Vault RA configuration (smallstep#1803)
- TPM KMS support for CA keys (smallstep#1772)
- Propagation of HTTP request identifier using X-Request-Id header (smallstep#1743, smallstep#1542)
- Expires header in CRL response (smallstep#1708)
- Support for providing TLS configuration programmatically (smallstep#1685)
- Support for providing external CAS implementation (smallstep#1684)
- AWS `ca-west-1` identity document root certificate (smallstep#1715)
- COSE RS1 as a supported algorithm with ACME `device-attest-01` challenge (smallstep#1663)
- In an RA setup, let the CA decide the RA certificate lifetime (smallstep#1764)
- Use Debian Bookworm in Docker containers (smallstep#1615)
- Error message for CSR validation (smallstep#1665)
- Updated dependencies
- Stop CA when any of the required servers fails to start (smallstep#1751). Before the fix, the CA would continue running and only log the server failure when stopped.
- Configuration loading errors when not using context were not returned. Fixed in cli-utils/109.
- HTTP_PROXY and HTTPS_PROXY support for ACME validation client (smallstep#1658).
- Upgrade to using cosign v2 for signing artifacts
- Provisioner name in SCEP webhook request body (smallstep#1617)
- Support for ASN1 boolean encoding (smallstep#1590)
- Generation of first provisioner name on `step ca init` (smallstep#1566)
- Processing of SCEP Get PKIOperation requests (smallstep#1570)
- Support for signing identity certificate during SSH sign by skipping URI validation (smallstep#1572)
- Dependency on `micromdm/scep` and `go.mozilla.org/pkcs7` to use Smallstep forks (smallstep#1600)
- Make the Common Name validator for JWK provisioners accept values from SANs too (smallstep#1609)
- Registration Authority token creation relied on values from CSR. Fixed to rely on template (smallstep#1608)
- Use same glibc version for running the CA when built using CGo (smallstep#1616)
- Added support for configuring SCEP decrypters in the provisioner (smallstep#1414)
- Added support for TPM KMS (smallstep/crypto#253)
- Added support for disableSmallstepExtensions provisioner claim (smallstep#1484)
- Added script to migrate a badger DB to MySQL or PostgreSQL (smallstep#1477)
- Added AWS public certificates for me-central-1 and ap-southeast-3 (smallstep#1404)
- Added namespace field to VaultCAS JSON config (smallstep#1424)
- Added unversioned filenames to Github release assets (smallstep#1435)
- Send X5C leaf certificate to webhooks (smallstep#1485)
- Added support for disableSmallstepExtensions claim (smallstep#1484)
- Added all AWS Identity Document Certificates (smallstep#1404, smallstep#1510)
- Added Winget release automation (smallstep#1519)
- Added CSR to SCEPCHALLENGE webhook request body (smallstep#1523)
- Added SCEP issuance notification webhook (smallstep#1544)
- Added ability to disable color in the log text formatter (smallstep#1559)
- Changed the Makefile to produce cgo-enabled builds running `make build GO_ENVS="CGO_ENABLED=1"` (smallstep#1446)
- Return more detailed errors to ACME clients using device-attest-01 (smallstep#1495)
- Change SCEP password type to string (smallstep#1555)
- Removed OIDC user regexp check (smallstep#1481)
- Removed automatic initialization of $STEPPATH (smallstep#1493)
- Removed db datasource from error msg to prevent leaking of secrets to logs (smallstep#1528)
- Improved authentication for ACME requests using kid and provisioner name (smallstep#1386).
- Fixed indentation of KMS configuration in helm charts (smallstep#1405)
- Fixed simultaneous sign or decrypt operation on a YubiKey (smallstep#1476, smallstep/crypto#288)
- Fixed adding certificate templates with ASN.1 functions (smallstep#1500, smallstep/crypto#302)
- Fixed a problem when the ca.json is truncated if the encoding of the configuration fails (e.g., new provisioner with bad template data) (smallstep/cli#994, smallstep#1501)
- Fixed provisionerOptionsToLinkedCA missing template and templateData (smallstep#1520)
- Fix calculation of webhook signature (smallstep#1546)
- Log SSH certificates (smallstep#1374)
- CRL endpoints on the HTTP server (smallstep#1372)
- Dynamic SCEP challenge validation using webhooks (smallstep#1366)
- For Docker deployments, added DOCKER_STEPCA_INIT_PASSWORD_FILE. Useful for pointing to a Docker Secret in the container (smallstep#1384)
- Depend on smallstep/go-attestation instead of google/go-attestation
- Render CRLs into http.ResponseWriter instead of memory (smallstep#1373)
- Redaction of SCEP static challenge when listing provisioners (smallstep#1204)
- VaultCAS certificate lifetime (smallstep#1376)
- Docker image name for HSM support (smallstep#1348)
- Add ACME `device-attest-01` support with TPM 2.0 (smallstep#1063).
- Add support for new Azure SDK, sovereign clouds, and HSM keys on Azure KMS (smallstep/crypto#192, smallstep/crypto#197, smallstep/crypto#198, smallstep#1323, smallstep#1309).
- Add support for ASN.1 functions on certificate templates (smallstep/crypto#208, smallstep#1345)
- Add `DOCKER_STEPCA_INIT_ADDRESS` to configure the address to use in a docker container (smallstep#1262).
- Make sure that the CSR used matches the attested key when using ACME `device-attest-01` challenge (smallstep#1265).
- Add support for compacting the Badger DB (smallstep#1298).
- Build and release cleanups (smallstep#1322, smallstep#1329, smallstep#1340).
- Fix support for PKCS #7 RSA-OAEP decryption through smallstep/pkcs7#4, as used in SCEP.
- Fix RA installation using `scripts/install-step-ra.sh` (smallstep#1255).
- Clarify error messages on policy errors (smallstep#1287, smallstep#1278).
- Clarify error message on OIDC email validation (smallstep#1290).
- Mark the IDP critical in the generated CRL data (smallstep#1293).
- Disable database if CA is initialized with the `--no-db` flag (smallstep#1294).
- Added `step-kms-plugin` to docker images, and a new image, `smallstep/step-ca-hsm`, compiled with cgo (smallstep#1243).
- Added `scoop` packages back to the release (smallstep#1250).
- Added optional flag `--pidfile` which allows passing a filename where step-ca will write its process id (smallstep#1251).
- Added helpful message on CA startup when config can't be opened (smallstep#1252).
- Improved validation and error messages on `device-attest-01` orders (smallstep#1235).
- The deprecated CLI utils `step-awskms-init`, `step-cloudkms-init`, `step-pkcs11-init`, `step-yubikey-init` have been removed. `step` and `step-kms-plugin` should be used instead (smallstep#1240).
- Fixed remote management flags in docker images (smallstep#1228).
- Added configuration property `.crl.idpURL` to be able to set a custom Issuing Distribution Point in the CRL (smallstep#1178).
- Added WithContext methods to the CA client (smallstep#1211).
- Docker: Added environment variables for enabling Remote Management and ACME provisioner (smallstep#1201).
- Docker: The entrypoint script now generates and displays an initial JWK provisioner password by default when the CA is being initialized (smallstep#1223).
- Ignore SSH principals validation when using an OIDC provisioner. The provisioner will ignore the principals passed and set the defaults or those provided through webhooks or templates (smallstep#1206).
- Added support for ACME device-attest-01 challenge on iOS, iPadOS, tvOS and YubiKey.
- Ability to disable ACME challenges and attestation formats.
- Added flags to change ACME challenge ports for testing purposes.
- Added name constraints evaluation and enforcement when issuing or renewing X.509 certificates.
- Added provisioner webhooks for augmenting template data and authorizing certificate requests before signing.
- Added automatic migration of provisioners when enabling remote management.
- Added experimental support for CRLs.
- Add certificate renewal support on RA mode. The `step ca renew` command must use the flag `--mtls=false` to use the token renewal flow.
- Added support for initializing remote management using `step ca init`.
- Added support for renewing X.509 certificates on RAs.
- Added support for using SCEP with keys in a KMS.
- Added client support to set the dialer's local address with the environment variable `STEP_CLIENT_ADDR`.
- Remove the email requirement for issuing SSH certificates with an OIDC provisioner.
- Root files can contain more than one certificate.
- Fixed MySQL DSN parsing issues with an upgrade to smallstep/[email protected].
- Fixed renewal of certificates with missing subject attributes.
- Fixed ACME support with ejabberd.
- The CLIs `step-awskms-init`, `step-cloudkms-init`, `step-pkcs11-init`, `step-yubikey-init` are deprecated. Now you can use `step-kms-plugin` in combination with `step certificates create` to initialize your PKI.
- Fixed signature algorithm on EC (root) + RSA (intermediate) PKIs.
- Added automatic configuration of Linked RAs.
- Send provisioner configuration on Linked RAs.
- Certificates signed by an issuer using an RSA key will be signed using the same algorithm used to sign the issuer certificate. The signature will no longer default to PKCS #1. For example, if the issuer certificate was signed using RSA-PSS with SHA-256, a new certificate will also be signed using RSA-PSS with SHA-256.
- Support two latest versions of Go (1.18, 1.19).
- Validate revocation serial number (either base 10 or prefixed with an appropriate base).
- Sanitize TLS options.
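The issuer-algorithm rule in the entry above (an RSA issuer's leaf certificates carry the issuer certificate's own signature algorithm, so an RSA-PSS/SHA-256 issuer yields RSA-PSS/SHA-256 leaves) is easy to audit on a deployed PKI. The following Go check is an added example, not code from smallstep/certificates; it compares a leaf's signature algorithm with its RSA issuer's, using a constructed in-memory RSA-PSS root and a leaf signed with a caller-chosen algorithm so that both a matching and a mismatching chain can be exercised offline:

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// SignatureAlgorithmMatchesIssuer reports whether a certificate issued by an RSA CA reuses
// the CA's own signature algorithm (e.g. RSA-PSS/SHA-256) instead of a PKCS #1 v1.5 default.
func SignatureAlgorithmMatchesIssuer(leaf, issuer *x509.Certificate) bool {
	if issuer.PublicKeyAlgorithm != x509.RSA {
		return true // the rule only concerns RSA issuers
	}
	return leaf.SignatureAlgorithm == issuer.SignatureAlgorithm
}

// BuildChain creates a constructed in-memory RSA-PSS root plus a leaf signed with leafAlg.
func BuildChain(leafAlg x509.SignatureAlgorithm) (leaf, issuer *x509.Certificate, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil || err2 != nil {
		return nil, nil, errors.Join(err, err2)
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, SignatureAlgorithm: x509.SHA256WithRSAPSS, // root is PSS-signed
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if issuer, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	// A CA following the rule above would set issuer.SignatureAlgorithm here; we take leafAlg as given.
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "leaf.example"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), SignatureAlgorithm: leafAlg}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, issuer, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return leaf, issuer, err
}
```

Run `SignatureAlgorithmMatchesIssuer` over each leaf/issuer pair in a chain exported from the CA to find leaves that silently fell back to PKCS #1 v1.5 under a PSS-signed issuer.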
- Added Kubernetes auth method for Vault RAs.
- Added support for reporting provisioners to linkedca.
- Added support for certificate policies on authority level.
- Added a Dockerfile with a step-ca build with HSM support.
- A few new WithXX methods for instantiating authorities
- Context usage in HTTP APIs.
- Changed authentication for Vault RAs.
- Error message returned to client when authenticating with expired certificate.
- Strip padding from ACME CSRs.
- HTTP API handler types.
- Fixed SSH revocation.
- CA client dial context for js/wasm target.
- Incomplete `extraNames` support in templates.
- SCEP GET request support.
- Large SCEP request handling.
- Added support for certificate renewals after expiry using the claim `allowRenewalAfterExpiry`.
- Added support for `extraNames` in X.509 templates.
- Added `armv5` builds.
- Added RA support using a Vault instance as the CA.
- Added `WithX509SignerFunc` authority option.
- Added a new `/roots.pem` endpoint to download the CA roots in PEM format.
- Added support for Azure `Managed Identity` tokens.
- Added support for automatic configuration of linked RAs.
- Added support for the `--context` flag. It's now possible to start the CA with `step-ca --context=abc` to use the configuration from context `abc`. When a context has been configured and no configuration file is provided on startup, the configuration for the current context is used.
- Added startup info logging and option to skip it (`--quiet`).
- Added support for renaming the CA (Common Name).
- Made SCEP CA URL paths dynamic.
- Support two latest versions of Go (1.17, 1.18).
- Upgrade go.step.sm/crypto to v0.16.1.
- Upgrade go.step.sm/linkedca to v0.15.0.
- Go 1.16 support.
- Fixed admin credentials on RAs.
- Fixed ACME HTTP-01 challenges for IPv6 identifiers.
- Various improvements under the hood.
- Added `subscriptionIDs` and `objectIDs` filters to the Azure provisioner.
- NoSQL package allows filtering out database drivers using Go tags. For example, using the Go flag `--tags=nobadger,nobbolt,nomysql` will only compile `step-ca` with the pgx driver for PostgreSQL.
- IPv6 addresses are normalized as IP addresses instead of hostnames.
- More descriptive JWK decryption error message.
- Make the X5C leaf certificate available to the templates using `{{ .AuthorizationCrt }}`.
- During provisioner add, validate the provisioner configuration before storing it in the DB.
- Support for ACME revocation.
- Replace the hash function used with an RSA SSH CA with "rsa-sha2-256".
- Support Nebula provisioners.
- Example Ansible configurations.
- Support PKCS#11 as a decrypter, as used by SCEP.
- Automatically create database directory on `step ca init`.
- Slightly improve errors reported when a template has invalid content.
- Error reporting in logs and to clients.
- SCEP renewal using HTTPS on macOS.
- Support for multiple certificate authority contexts.
- Support for generating extractable keys and certificates on a pkcs#11 module.
- Support two latest versions of Go (1.16, 1.17)
- go 1.15 support
- 0.17.5 failed in CI/CD
- Support for Azure Key Vault as a KMS.
- Adapt `pki` package to support key managers.
- gocritic linter
- gocritic warnings
- Support host-only or user-only SSH CA.
- go 1.17 to github action test matrix
- Support for CloudKMS RSA-PSS signers without using templates.
- Add flags to support individual passwords for the intermediate and SSH keys.
- Global support for group admins in the OIDC provisioner.
- Using go 1.17 for binaries
- Upgrade go-jose.v2 to fix a bug in the JWK fingerprint of Ed25519 keys.
- Use cosign to sign and upload signatures for multi-arch Docker container.
- Add debian checksum
- Additional way to distinguish Azure IID and Azure OIDC tokens.
- Sign over all goreleaser github artifacts using cosign
- Add support for Linked CAs using protocol buffers and gRPC
- `step-ca init` adds support for:
  - configuring a StepCAS RA
  - configuring a Linked CA
  - configuring a `step-ca` using Helm
- Update badger driver to use v2 by default
- Update TLS cipher suites to include 1.3
- Fix key version when SHA512WithRSA is used. There was a typo creating RSA keys with SHA256 digests instead of SHA512.