Purveyor of Single Sign-on SSH | The better way to manage SSH credentials

Announcing v0.14.2 of step and step-ca

Announcing v0.14.2 of step and step-ca

Version 0.14.2 of step and step-ca is now available. You can get it using brew install step (or brew upgrade step) on macOS or grab release artifacts for step and step-ca from Github. This is a big and long-awaited open-source release.

V0.14.2 step

This release adds initial support for Microsoft Windows and a suite of step ssh subcommands for interacting with the SSH certificate authority, configuring clients and hosts for SSH, and working with SSH certificates. Thank you to @christianlupus, @NonLogicalDev, @mkontani, @shuLhan!

V0.14.2 step-ca

First-class support for an SSH certificate authority that features SSO for SSH flows. Addition of TLS-ALPN-01 challenge to the ACME api (thanks @ibrt!). Addition of Software and CloudKMS options for storing PKI. Thank you to @josephvoss, @jkralik, @rmedaer, @anxolerd, @ibrt, @256dpi, @Johannestegner, @mkontani.

CLI | step v0.14.2 includes:

  • Add step ssh proxy.
  • Add ability to use templates in step ssh config.
  • Add support for multiple SSH root certificates (federation).
  • Add step ssh check-host
  • Add option to set listenAddress in OIDC provisioners.
  • Add step ssh fingerprint
  • Add step ssh proxycommand
  • Add an SSH pop provisioner that can renew/rekey/revoke SSH certificates using that same certificate priv key to sign a JWT.
  • Allow K8sSA provisioner to generate SSH certificates.
  • Add method(s) to list SSH keys and certificates
  • Add identity certificate support to step ssh (login | certificate)
  • Initial MS Windows support
  • Add support for parsing and serializing openSSH format
  • Add support for OpenSSH private keys in step crypto key format
  • Add ARM builds
  • Fix zsh autocompletion Summary: Suite of step ssh subcommands for interacting with the SSH certificate authority, configuring clients and hosts for SSH, and working with SSH certificates. Thank you to @christianlupus, @NonLogicalDev, @mkontani, @shuLhan!

Certificates | step-ca v0.14.2 includes:

  • Update Sign and Renew api to return certificate chain of arbitrary length (rather than 1 intermediate and 1 leaf)
  • Add 'x5c' provisioner that can authenticate to the CA using an x509 Certificate to sign a JWT
  • Switch to Go Mod (from Go Dep)
  • Add Kubernetes Service Account Provisioner (k8sSA) - validate and authenticate kubernetes service account tokens
  • Add step ssh config implementation
  • Onboarding Flow
  • Add support for templated ssh configuration
  • Add support for multiple ssh roots - e.g. for federation and rolling roots.
  • Add step ssh check-host endpoint and implementation
  • Set default ssh user cert duration to 16hr
  • Add step ssh proxycommand implementation
  • Add step ssh hosts implementation / api
  • Add ssh POP provisioner allowing signing of OTTs using ssh certificates
  • Add support for ssh via bastion
  • Add identity x509 certificates to the ssh flow
  • Update error API to return errors that retain information about the error, http statuses and messages, and user facing dialogue.
  • Fix wildcard domain normalization in DNS ACME challenge
  • Add fault tolerance against clock skew to x509 and ssh certificates
  • Add support for CloudKMS
  • Add support for SoftKMS (software KMS)
  • Use crypto.Signer for all signing operations instead of private keys directly.
  • Fix race conditions in certificate renewal
  • Remove custom x509 package (go x509 now supports ECDSA keys)
  • Added optional DNs resolver to be used instead of the default
  • Add TLS-ALPN-01 challenge implementation
  • Add tooling to initialize PKI in CloudKMS.
  • Add docs for CloudKMS
  • Allow using custom SSH principals on cloud provisioners
  • Upgrade github.com/x/crypto to fix a vulnerability in ssh
  • Switch to using host Tags instead of Groups in SSH
  • Add ARM builds as part of CI/CD packaging

That's (a lot!) it, for now...

Issues & PRs always welcome. Or join us on GitHub Discussions and help us build the next version!

Subscribe to updates

Unsubscribe anytime, see Privacy Policy


Experience SSH certificates for yourself in <5min⚡!