Announcing v0.14.2 of step and step-ca
Max Furman
Version 0.14.2 of step and step-ca is now available. You can get it using `brew install step` (or `brew upgrade step`) on macOS, or grab release artifacts for step and step-ca from GitHub. This is a big and long-awaited open-source release.
V0.14.2 step
This release adds initial support for Microsoft Windows and a suite of `step ssh` subcommands for interacting with the SSH certificate authority, configuring clients and hosts for SSH, and working with SSH certificates.
Thank you to @christianlupus, @NonLogicalDev, @mkontani, @shuLhan!
V0.14.2 step-ca
This release adds first-class support for an SSH certificate authority that features SSO for SSH flows, a TLS-ALPN-01 challenge for the ACME API (thanks @ibrt!), and Software and CloudKMS options for storing PKI. Thank you to @josephvoss, @jkralik, @rmedaer, @anxolerd, @ibrt, @256dpi, @Johannestegner, @mkontani.
CLI | step v0.14.2 includes:
- Add `step ssh proxy`.
- Add ability to use templates in `step ssh config`.
- Add support for multiple SSH root certificates (federation).
- Add `step ssh check-host`.
- Add option to set listenAddress in OIDC provisioners.
- Add `step ssh fingerprint`.
- Add `step ssh proxycommand`.
- Add an SSH POP provisioner that can renew/rekey/revoke SSH certificates, using that same certificate's private key to sign a JWT.
- Allow the K8sSA provisioner to generate SSH certificates.
- Add method(s) to list SSH keys and certificates.
- Add identity certificate support to `step ssh (login | certificate)`.
- Initial MS Windows support.
- Add support for parsing and serializing OpenSSH format.
- Add support for OpenSSH private keys in `step crypto key format`.
- Add ARM builds.
- Fix zsh autocompletion.
Summary: a suite of `step ssh` subcommands for interacting with the SSH certificate authority, configuring clients and hosts for SSH, and working with SSH certificates. Thank you to @christianlupus, @NonLogicalDev, @mkontani, @shuLhan!
Certificates | step-ca v0.14.2 includes:
- Update the Sign and Renew API to return a certificate chain of arbitrary length (rather than 1 intermediate and 1 leaf).
- Add 'x5c' provisioner that can authenticate to the CA using an x509 certificate to sign a JWT.
- Switch to Go Mod (from Go Dep).
- Add Kubernetes Service Account provisioner (k8sSA): validate and authenticate Kubernetes service account tokens.
- Add `step ssh config` implementation (onboarding flow).
- Add support for templated SSH configuration.
- Add support for multiple SSH roots, e.g. for federation and rolling roots.
- Add `step ssh check-host` endpoint and implementation.
- Set default SSH user cert duration to 16hr.
- Add `step ssh proxycommand` implementation.
- Add `step ssh hosts` implementation / API.
- Add SSH POP provisioner allowing signing of OTTs using SSH certificates.
- Add support for SSH via bastion.
- Add identity x509 certificates to the SSH flow.
- Update error API to return errors that retain information about the error, HTTP statuses and messages, and user-facing dialogue.
- Fix wildcard domain normalization in the DNS ACME challenge.
- Add fault tolerance against clock skew to x509 and SSH certificates.
- Add support for CloudKMS.
- Add support for SoftKMS (software KMS).
- Use crypto.Signer for all signing operations instead of private keys directly.
- Fix race conditions in certificate renewal.
- Remove custom x509 package (Go x509 now supports ECDSA keys).
- Add optional DNS resolver to be used instead of the default.
- Add TLS-ALPN-01 challenge implementation.
- Add tooling to initialize PKI in CloudKMS.
- Add docs for CloudKMS.
- Allow using custom SSH principals on cloud provisioners.
- Upgrade github.com/x/crypto to fix a vulnerability in SSH.
- Switch to using host Tags instead of Groups in SSH.
- Add ARM builds as part of CI/CD packaging.
That's (a lot!) it, for now...
Issues & PRs always welcome. Or join us on GitHub Discussions and help us build the next version!