11# Changelog
2+
23All notable changes to this project will be documented in this file.
34
45The format is based on [ Keep a Changelog] ( http://keepachangelog.com/en/1.0.0/ )
56and this project adheres to [ Semantic Versioning] ( http://semver.org/spec/v2.0.0.html ) .
67
7- ### TEMPLATE -- do not alter or remove
8+ ## TEMPLATE -- do not alter or remove
9+
810---
11+
912## [ x.y.z] - aaaa-bb-cc
13+
1014### Added
15+
1116### Changed
17+
1218### Deprecated
19+
1320### Removed
21+
1422### Fixed
23+
1524### Security
25+
1626---
1727
1828## [ Unreleased]
29+
30+ ## [ v0.23.0] - 2022-11-11
31+
1932### Added
20- - Added support for ACME device-attest-01 challenge.
33+
34+ - Added support for ACME device-attest-01 challenge on iOS, iPadOS, tvOS and
35+ YubiKey.
36+ - Ability to disable ACME challenges and attestation formats.
37+ - Added flags to change ACME challenge ports for testing purposes.
2138- Added name constraints evaluation and enforcement when issuing or renewing
2239 X.509 certificates.
23- - Added provisioner webhooks for augmenting template data and authorizing certificate requests before signing.
24- - Added automatic migration of provisioners when enabling remote managment.
40+ - Added provisioner webhooks for augmenting template data and authorizing
41+ certificate requests before signing.
42+ - Added automatic migration of provisioners when enabling remote management.
2543- Added experimental support for CRLs.
2644- Add certificate renewal support on RA mode. The ` step ca renew ` command must
2745 use the flag ` --mtls=false ` to use the token renewal flow.
46+ - Added support for initializing remote management using ` step ca init ` .
47+ - Added support for renewing X.509 certificates on RAs.
48+ - Added support for using SCEP with keys in a KMS.
49+ - Added client support to set the dialer's local address with the environment variable
50+ ` STEP_CLIENT_ADDR ` .
51+
52+ ### Changed
53+
54+ - Remove the email requirement for issuing SSH certificates with an OIDC
55+ provisioner.
56+ - Root files can contain more than one certificate.
2857
2958### Fixed
30- - MySQL DSN parsing issues fixed with upgrade to
[ smallstep/
[email protected] ] ( https://github.com/smallstep/nosql/releases/tag/v0.5.0 ) .
59+
60+ - Fixed MySQL DSN parsing issues with an upgrade to
61+ [ smallstep/
[email protected] ] ( https://github.com/smallstep/nosql/releases/tag/v0.5.0 ) .
62+ - Fixed renewal of certificates with missing subject attributes.
63+ - Fixed ACME support with [ ejabberd] ( https://github.com/processone/ejabberd ) .
64+
65+ ### Deprecated
66+
67+ - The CLIs ` step-awskms-init ` , ` step-cloudkms-init ` , ` step-pkcs11-init ` ,
68+ ` step-yubikey-init ` are deprecated. Now you can use
69+ [ ` step-kms-plugin ` ] ( https://github.com/smallstep/step-kms-plugin ) in
70+ combination with ` step certificates create ` to initialize your PKI.
3171
3272## [ 0.22.1] - 2022-08-31
73+
3374### Fixed
75+
3476- Fixed signature algorithm on EC (root) + RSA (intermediate) PKIs.
3577
3678## [ 0.22.0] - 2022-08-26
79+
3780### Added
81+
3882- Added automatic configuration of Linked RAs.
3983- Send provisioner configuration on Linked RAs.
84+
4085### Changed
86+
4187- Certificates signed by an issuer using an RSA key will be signed using the
4288 same algorithm used to sign the issuer certificate. The signature will no
4389 longer default to PKCS #1 . For example, if the issuer certificate was signed
@@ -49,28 +95,38 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
4995- Sanitize TLS options.
5096
5197## [ 0.20.0] - 2022-05-26
98+
5299### Added
100+
53101- Added Kubernetes auth method for Vault RAs.
54102- Added support for reporting provisioners to linkedca.
55103- Added support for certificate policies on authority level.
56104- Added a Dockerfile with a step-ca build with HSM support.
57105- A few new WithXX methods for instantiating authorities
106+
58107### Changed
108+
59109- Context usage in HTTP APIs.
60110- Changed authentication for Vault RAs.
61111- Error message returned to client when authenticating with expired certificate.
62112- Strip padding from ACME CSRs.
113+
63114### Deprecated
115+
64116- HTTP API handler types.
117+
65118### Fixed
119+
66120- Fixed SSH revocation.
67121- CA client dial context for js/wasm target.
68122- Incomplete ` extraNames ` support in templates.
69123- SCEP GET request support.
70124- Large SCEP request handling.
71125
72126## [ 0.19.0] - 2022-04-19
127+
73128### Added
129+
74130- Added support for certificate renewals after expiry using the claim ` allowRenewalAfterExpiry ` .
75131- Added support for ` extraNames ` in X.509 templates.
76132- Added ` armv5 ` builds.
@@ -79,110 +135,162 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
79135- Added a new ` /roots.pem ` endpoint to download the CA roots in PEM format.
80136- Added support for Azure ` Managed Identity ` tokens.
81137- Added support for automatic configuration of linked RAs.
82- - Added support for the ` --context ` flag. It's now possible to start the
138+ - Added support for the ` --context ` flag. It's now possible to start the
83139 CA with ` step-ca --context=abc ` to use the configuration from context ` abc ` .
84140 When a context has been configured and no configuration file is provided
85141 on startup, the configuration for the current context is used.
86142- Added startup info logging and option to skip it (` --quiet ` ).
87143- Added support for renaming the CA (Common Name).
144+
88145### Changed
146+
89147- Made SCEP CA URL paths dynamic.
90148- Support two latest versions of Go (1.17, 1.18).
91149- Upgrade go.step.sm/crypto to v0.16.1.
92150- Upgrade go.step.sm/linkedca to v0.15.0.
151+
93152### Deprecated
153+
94154- Go 1.16 support.
155+
95156### Removed
157+
96158### Fixed
159+
97160- Fixed admin credentials on RAs.
98161- Fixed ACME HTTP-01 challenges for IPv6 identifiers.
99162- Various improvements under the hood.
163+
100164### Security
101165
102166## [ 0.18.2] - 2022-03-01
167+
103168### Added
169+
104170- Added ` subscriptionIDs ` and ` objectIDs ` filters to the Azure provisioner.
105171- [ NoSQL] ( https://github.com/smallstep/nosql/pull/21 ) package allows filtering
106172 out database drivers using Go tags. For example, using the Go flag
107173 ` --tags=nobadger,nobbolt,nomysql ` will only compile ` step-ca ` with the pgx
108174 driver for PostgreSQL.
175+
109176### Changed
177+
110178- IPv6 addresses are normalized as IP addresses instead of hostnames.
111179- More descriptive JWK decryption error message.
112180- Make the X5C leaf certificate available to the templates using ` {{ .AuthorizationCrt }} ` .
181+
113182### Fixed
183+
114184- During provisioner add - validate provisioner configuration before storing to DB.
115185
116186## [ 0.18.1] - 2022-02-03
187+
117188### Added
189+
118190- Support for ACME revocation.
119191- Replace hash function with an RSA SSH CA to "rsa-sha2-256".
120192- Support Nebula provisioners.
121193- Example Ansible configurations.
122194- Support PKCS #11
195+
123196### Changed
197+
124198- Automatically create database directory on ` step ca init ` .
125199- Slightly improve errors reported when a template has invalid content.
126200- Error reporting in logs and to clients.
201+
127202### Fixed
203+
128204- SCEP renewal using HTTPS on macOS.
129205
130206## [ 0.18.0] - 2021-11-17
207+
131208### Added
209+
132210- Support for multiple certificate authority contexts.
133211- Support for generating extractable keys and certificates on a pkcs #11
212+
134213### Changed
214+
135215- Support two latest versions of Go (1.16, 1.17)
216+
136217### Deprecated
218+
137219- go 1.15 support
138220
139221## [ 0.17.6] - 2021-10-20
222+
140223### Notes
224+
141225- 0.17.5 failed in CI/CD
142226
143227## [ 0.17.5] - 2021-10-20
228+
144229### Added
230+
145231- Support for Azure Key Vault as a KMS.
146232- Adapt ` pki ` package to support key managers.
147233- gocritic linter
234+
148235### Fixed
236+
149237- gocritic warnings
150238
151239## [ 0.17.4] - 2021-09-28
240+
152241### Fixed
242+
153243- Support host-only or user-only SSH CA.
154244
155245## [ 0.17.3] - 2021-09-24
246+
156247### Added
248+
157249- go 1.17 to github action test matrix
158250- Support for CloudKMS RSA-PSS signers without using templates.
159251- Add flags to support individual passwords for the intermediate and SSH keys.
160252- Global support for group admins in the OIDC provisioner.
253+
161254### Changed
255+
162256- Using go 1.17 for binaries
257+
163258### Fixed
259+
164260- Upgrade go-jose.v2 to fix a bug in the JWK fingerprint of Ed25519 keys.
261+
165262### Security
263+
166264- Use cosign to sign and upload signatures for multi-arch Docker container.
167265- Add debian checksum
168266
169267## [ 0.17.2] - 2021-08-30
268+
170269### Added
270+
171271- Additional way to distinguish Azure IID and Azure OIDC tokens.
272+
172273### Security
274+
173275- Sign over all goreleaser github artifacts using cosign
174276
175277## [ 0.17.1] - 2021-08-26
176278
177279## [ 0.17.0] - 2021-08-25
280+
178281### Added
282+
179283- Add support for Linked CAs using protocol buffers and gRPC
180284- ` step-ca init ` adds support for
181285 - configuring a StepCAS RA
182286 - configuring a Linked CA
183287 - congifuring a ` step-ca ` using Helm
288+
184289### Changed
290+
185291- Update badger driver to use v2 by default
186292- Update TLS cipher suites to include 1.3
293+
187294### Security
295+
188296- Fix key version when SHA512WithRSA is used. There was a typo creating RSA keys with SHA256 digests instead of SHA512.
0 commit comments