Announcing v0.14.2 of step and step-ca

Max Furman

Follow Smallstep

Announcing v0.14.2 of step and step-ca

Version 0.14.2 of step and step-ca is now available. You can get it using brew install step (or brew upgrade step) on macOS or grab release artifacts for step and step-ca from Github. This is a big and long-awaited open-source release.

V0.14.2 step

This release adds initial support for Microsoft Windows and a suite of step ssh subcommands for interacting with the SSH certificate authority, configuring clients and hosts for SSH, and working with SSH certificates. Thank you to @christianlupus, @NonLogicalDev, @mkontani, @shuLhan!

V0.14.2 step-ca

First-class support for an SSH certificate authority that features SSO for SSH flows. Addition of TLS-ALPN-01 challenge to the ACME api (thanks @ibrt!). Addition of Software and CloudKMS options for storing PKI. Thank you to @josephvoss, @jkralik, @rmedaer, @anxolerd, @ibrt, @256dpi, @Johannestegner, @mkontani.

CLI | step v0.14.2 includes:

• Add step ssh proxy.
• Add ability to use templates in step ssh config.
• Add support for multiple SSH root certificates (federation).
• Add step ssh check-host
• Add option to set listenAddress in OIDC provisioners.
• Add step ssh fingerprint
• Add step ssh proxycommand
• Add an SSH pop provisioner that can renew/rekey/revoke SSH certificates using that same certificate priv key to sign a JWT.
• Allow K8sSA provisioner to generate SSH certificates.
• Add method(s) to list SSH keys and certificates
• Add identity certificate support to step ssh (login | certificate)
• Initial MS Windows support
• Add support for parsing and serializing openSSH format
• Add support for OpenSSH private keys in step crypto key format
• Add ARM builds
• Fix zsh autocompletion Summary: Suite of step ssh subcommands for interacting with the SSH certificate authority, configuring clients and hosts for SSH, and working with SSH certificates. Thank you to @christianlupus, @NonLogicalDev, @mkontani, @shuLhan!

Certificates | step-ca v0.14.2 includes:

• Update Sign and Renew api to return certificate chain of arbitrary length (rather than 1 intermediate and 1 leaf)
• Add 'x5c' provisioner that can authenticate to the CA using an x509 Certificate to sign a JWT
• Switch to Go Mod (from Go Dep)
• Add Kubernetes Service Account Provisioner (k8sSA) - validate and authenticate kubernetes service account tokens
• Add step ssh config implementation
• Onboarding Flow
• Add support for templated ssh configuration
• Add support for multiple ssh roots - e.g. for federation and rolling roots.
• Add step ssh check-host endpoint and implementation
• Set default ssh user cert duration to 16hr
• Add step ssh proxycommand implementation
• Add step ssh hosts implementation / api
• Add ssh POP provisioner allowing signing of OTTs using ssh certificates
• Add support for ssh via bastion
• Add identity x509 certificates to the ssh flow
• Update error API to return errors that retain information about the error, http statuses and messages, and user facing dialogue.
• Fix wildcard domain normalization in DNS ACME challenge
• Add fault tolerance against clock skew to x509 and ssh certificates
• Add support for CloudKMS
• Add support for SoftKMS (software KMS)
• Use crypto.Signer for all signing operations instead of private keys directly.
• Fix race conditions in certificate renewal
• Remove custom x509 package (go x509 now supports ECDSA keys)
• Added optional DNs resolver to be used instead of the default
• Add TLS-ALPN-01 challenge implementation
• Add tooling to initialize PKI in CloudKMS.
• Add docs for CloudKMS
• Allow using custom SSH principals on cloud provisioners
• Upgrade github.com/x/crypto to fix a vulnerability in ssh
• Switch to using host Tags instead of Groups in SSH
• Add ARM builds as part of CI/CD packaging

That's (a lot!) it, for now...

Issues & PRs always welcome. Or join us on GitHub Discussions and help us build the next version!