Announcing v0.12.0 of step and step-ca
Max Furman
Version 0.12.0 of step and step-ca is now available. You can get it using brew install step (or brew upgrade step) on macOS or grab release artifacts for step and step-ca from GitHub.
The big headline feature for this release is the ability to create SSH user and host certificates, allowing you to streamline your SSH infrastructure and processes. No more editing Authorized Keys files for every change in membership and especially no more warnings about "remote host identification changes" which you're just going to ignore anyways (or is that just me?). This feature is covered in detail in its own blog post. In addition we've made another small improvement described below.
Remove password encryption from private keys
It is good hygiene to store private keys in encrypted format, so that they cannot be casually read from disk. However, many types of software and clients require that a private key be unencrypted. In general step tries to err on the side of caution; most of the time when step is creating and serializing a private key you will get prompted for a passphrase. step had a facility for changing the encryption passphrase on a key (step crypto change-pass), but it did not have the ability to remove encryption from a key and then serialize the unencrypted key to disk. So we've added that feature! Here's how it works:
step crypto change-pass my-secret.priv --no-password --insecure
Storing unencrypted private keys on disk is insecure, hence step asks you to confirm your intention using the --insecure flag. If you decide to re-encrypt your private key later, you can also use the change-pass subcommand to make that change.
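To keep track of keys that have had their passphrase removed, the shell functions below (an added example, not part of step or of the original post) classify PEM private key files by the standard PEM encryption markers and flag plaintext keys that are readable beyond their owner. The function names key_state, audit_keys and make_samples are hypothetical, and the sample files are constructed with dummy bodies.

```shell
#!/bin/sh
# Added example (not part of step): find unencrypted PEM private keys on disk.

# key_state FILE -> prints encrypted | unencrypted | unknown | not-a-key
key_state() {
    # PKCS#8 encrypted keys say so in the PEM label itself.
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo encrypted
    # OpenSSH-format keys hide the cipher inside the base64 body, so the
    # label alone cannot tell us whether a passphrase is set.
    elif grep -q -e '-----BEGIN OPENSSH PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo unknown
    elif ! grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo not-a-key
    # Legacy PEM encryption is marked by a Proc-Type header line.
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted
    else
        echo unencrypted
    fi
}

# audit_keys DIR -> one line per unencrypted key found under DIR
audit_keys() {
    find "$1" -type f | while IFS= read -r path; do
        [ "$(key_state "$path")" = unencrypted ] || continue
        # Group- or world-readable plaintext keys are the worst case.
        if [ -n "$(find "$path" \( -perm -040 -o -perm -004 \))" ]; then
            echo "$path: unencrypted, readable beyond owner"
        else
            echo "$path: unencrypted"
        fi
    done
}

# make_samples DIR -> constructed files with dummy bodies (no real key material)
make_samples() {
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00' '' 'AAAA' '-----END EC PRIVATE KEY-----' >"$1/enc.pem"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'AAAA' \
        '-----END EC PRIVATE KEY-----' >"$1/plain.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' \
        '-----END CERTIFICATE-----' >"$1/cert.pem"
    chmod 600 "$1/enc.pem" "$1/cert.pem"
    chmod 644 "$1/plain.pem"
}

# Usage after sourcing this file: audit_keys /path/to/keys
```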
Unreleased stuff you might want to preview
If you're using Kubernetes and haven't checked out autocert yet, you should. We're also working on a cert-manager integration for step-ca and an Envoy SDS integration.
That's it, for now...
Issues & PRs always welcome. Or start a discussion and help us build v0.13.0!