Announcing v0.14.2 of
step-ca is now available. You can get it using brew install step (or brew upgrade step) on macOS or grab release artifacts for step-ca from GitHub. This is a big and long-awaited open-source release.
This release adds initial support for Microsoft Windows and a suite of step ssh subcommands for interacting with the SSH certificate authority, configuring clients and hosts for SSH, and working with SSH certificates.
Thank you to @christianlupus, @NonLogicalDev, @mkontani, @shuLhan!
First-class support for an SSH certificate authority that features SSO for SSH flows. Addition of TLS-ALPN-01 challenge to the ACME API (thanks @ibrt!). Addition of Software and CloudKMS options for storing PKI. Thank you to @josephvoss, @jkralik, @rmedaer, @anxolerd, @ibrt, @256dpi, @Johannestegner, @mkontani.
step v0.14.2 includes:
- step ssh proxy.
- Add ability to use templates in step ssh config.
- Add support for multiple SSH root certificates (federation).
- step ssh check-host
- Add option to set listenAddress in OIDC provisioners.
- step ssh fingerprint
- step ssh proxycommand
- Add an SSH POP provisioner that can renew/rekey/revoke SSH certificates using that same certificate's private key to sign a JWT.
- Allow K8sSA provisioner to generate SSH certificates.
- Add method(s) to list SSH keys and certificates
- Add identity certificate support to step ssh (login | certificate)
- Initial MS Windows support
- Add support for parsing and serializing OpenSSH format
- Add support for OpenSSH private keys in step crypto key format
- Add ARM builds
- Fix zsh autocompletion
Summary: Suite of step ssh subcommands for interacting with the SSH certificate authority, configuring clients and hosts for SSH, and working with SSH certificates. Thank you to @christianlupus, @NonLogicalDev, @mkontani, @shuLhan!
step-ca v0.14.2 includes:
- Update Sign and Renew API to return certificate chain of arbitrary length (rather than 1 intermediate and 1 leaf)
- Add ‘x5c’ provisioner that can authenticate to the CA using an x509 Certificate to sign a JWT
- Switch to Go Mod (from Go Dep)
- Add Kubernetes Service Account Provisioner (k8sSA) - validate and authenticate Kubernetes service account tokens
- step ssh config implementation
- Onboarding Flow
- Add support for templated ssh configuration
- Add support for multiple ssh roots - e.g. for federation and rolling roots.
- step ssh check-host endpoint and implementation
- Set default ssh user cert duration to 16hr
- step ssh proxycommand implementation
- step ssh hosts implementation / API
- Add ssh POP provisioner allowing signing of OTTs using ssh certificates
- Add support for ssh via bastion
- Add identity x509 certificates to the ssh flow
- Update error API to return errors that retain information about the error, http statuses and messages, and user facing dialogue.
- Fix wildcard domain normalization in DNS ACME challenge
- Add fault tolerance against clock skew to x509 and ssh certificates
- Add support for CloudKMS
- Add support for SoftKMS (software KMS)
- Use crypto.Signer for all signing operations instead of private keys directly.
- Fix race conditions in certificate renewal
- Remove custom x509 package (go x509 now supports ECDSA keys)
- Add optional DNS resolver to be used instead of the default
- Add TLS-ALPN-01 challenge implementation
- Add tooling to initialize PKI in CloudKMS.
- Add docs for CloudKMS
- Allow using custom SSH principals on cloud provisioners
- Upgrade github.com/x/crypto to fix a vulnerability in ssh
- Switch to using host Tags instead of Groups in SSH
- Add ARM builds as part of CI/CD packaging
That’s (a lot!) it, for now…
Issues & PRs always welcome. Or join us on GitHub Discussions and help us build the next version!