Announcing v0.12.0 of step and step-ca
step-ca is now available. You can get it using brew install step (or brew upgrade step) on macOS or grab release artifacts for step-ca from GitHub.
The big headline feature for this release is the ability to create SSH user and host certificates, allowing you to streamline your SSH infrastructure and processes. No more editing Authorized Keys files for every change in membership and especially no more warnings about "remote host identification changes" which you're just going to ignore anyways (or is that just me?). This feature is covered in detail in its own blog post. In addition, we've made another small improvement described below.
Remove password encryption from private keys
It is good hygiene to store private keys in encrypted format, so that they cannot be casually read from disk. However, many types of software and clients require that a private key be unencrypted. In general step tries to err on the side of caution; most of the time when step is creating and serializing a private key you will get prompted for a passphrase.
step had a facility for changing the encryption passphrase on a key (step crypto change-pass), but it did not have the ability to remove encryption from a key and then serialize the unencrypted key to disk. So we've added that feature! Here's how it works:
step crypto change-pass my-secret.priv --no-password --insecure
Storing unencrypted private keys on disk is insecure, hence step asks you to confirm your intention using the --insecure flag. If you decide to re-encrypt your private key later, you can also use the change-pass subcommand to make that change.
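A follow-up check, added here as an example and not part of the step project: this script lists private key files in a directory that are stored without encryption and reports whether their permissions are wider than owner-only. The function names and sample files are constructed for illustration; detection is by PEM header only, so OpenSSH-format keys are reported as unknown.

```shell
#!/bin/sh
# Added example (not from the step project). Header-based check only.

# key_state FILE: print encrypted | plaintext | unknown | not-a-key
key_state() {
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo not-a-key
    elif grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted            # PKCS#8 encrypted container
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted            # legacy PEM encryption headers
    elif grep -q -e '-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
        echo unknown              # cipher name is inside the base64 body
    else
        echo plaintext
    fi
}

# loose_perms FILE: succeed if group or other has any permission bit set
loose_perms() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# audit_keys DIR: one finding per line for keys that are not known-encrypted
audit_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        state=$(key_state "$f")
        case $state in
            plaintext|unknown)
                if loose_perms "$f"; then perms=loose; else perms=owner-only; fi
                echo "$state $perms $f" ;;
        esac
    done
}

# Constructed sample files; the bodies are placeholders, not real keys.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' \
    'Q09OU1RSVUNURUQ=' '-----END EC PRIVATE KEY-----' > "$demo_dir/encrypted.priv"
printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END EC PRIVATE KEY-----' > "$demo_dir/my-secret.priv"
printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END PUBLIC KEY-----' > "$demo_dir/my-secret.pub"
chmod 644 "$demo_dir/my-secret.priv"
audit_keys "$demo_dir"
```

A key that must stay unencrypted should at least show up here as owner-only; chmod 600 on the file changes the finding accordingly.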
Unreleased stuff you might want to preview
If you're using Kubernetes and haven't checked out autocert yet, you should. We're also working on a cert-manager integration for step-ca and an Envoy SDS integration.
That's it, for now...
Issues & PRs always welcome. Or start a discussion and help us build