NOTE: Please look to the technical section of the smallstep blog for all release notes for step cli and certificates.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- Broken release process
- Updated smallstep/certinfo package (#1309)
- disableSSHCAUser and disableSSHCAHost options to GCP provisioner create and update commands (#1305)
- Support programmatically opening browser on Android devices (#1301)
- Fix --context being ignored in commands that rely on certificates (#1301)
- Add
--remove-scope
flag to provisioner update command. Removes the given scope, used to validate the scopes extension in an OpenID Connect token (#1287)
- Support for signing and publishing RPM and Deb packages to GCP Artifact Registry (#1246)
- Update Release download URLs for RPM and DEB packages with new file name formats (#1256)
- Skipping 0.27.3 to synchronize with smallstep/certificates
- Broken release process
- Makefile: install to /usr/local/bin, not /usr/bin (#1214)
- Set proper JOSE algorithm for Ed25519 keys (#1208)
- Makefile: usage of install command line flags on MacOS (#1212)
- Restore operation of '--bundle' flag in certificate inspect (#1215)
- Fish completion (#1222)
- Restore operation of inspect CSR from STDIN (#1232)
- Options for auth-params and scopes to OIDC token generator (#1154)
- --kty, --curve, and --size to ssh commands (login, certificate) (#1156)
- Stdin input for SSH needs-renewal (#1157)
- Allow users to define certificate comment in SSH agent (#1158)
- Add OCSP and CRL support to certificate verify (#1161)
- Ability to output inspected CSR in PEM format (#1153)
- Allow 'certificate inspect' to parse PEM files containig extraneous data (#1153)
- Sending of (an automatically generated) request identifier in the X-Request-Id header (#1120)
- Upgrade certinfo (#1129)
- Upgrade other dependencies
- OIDC flows failing using Chrome and other Chromium based browsers (#1136)
- Upgrade to using cosign v2 for signing artifacts
- Add support for Nebula certificates using ECDSA P-256 (#1085)
- Upgrade docker image using Debian to Bookworm (#1080)
- Upgrade dependencies, including go-jose to v3 (#1086)
- Add
step crypto rand
command in (#1054) - Support for custom TPM device name in
--attestation-uri
flag in (#1044)
- Ignore BOM when reading files in (#1045)
- Upgraded
truststore
to fix installing certificates on certain Linux systems in (#1053)
- Scoop and WinGet releases
- Command completion for
zsh
in (#1055)
- Add support for provisioner claim
disableSmallstepExtensions
(#986) - Add support for PowerShell plugins on Windows (#992)
- Create API token using team slug (#980)
- Detect OIDC tokens issued by Kubernetes (#953)
- Add support for Smallstep Managed Endpoint X509 extension (#989)
- Support signing a certificate for a private key that can only be used for
encryption with the
--skip-csr-signature
flag instep certificate create
. Some KMSs restrict key usage to a single type of cryptographic operation. This blocks RSA decryption keys from being used to sign a CSR for their public key. Using the--skip-csr-signature
flag, the public key is used directly with a certificate template, removing the need for the CSR signature. - Add all AWS identity document certificates (smallstep/certificates#1510)
- Add SCEP decrypter configuration flags (#950)
- Add detection of OIDC tokens issued by Kubernetes (#953)
- Add unversioned release artifacts to build (#965)
- Increase PBKDF2 iterations to 600k (#949)
--kms
flag is no longer used for the CA (signing) key forstep certificate create
. It was replaced by the--ca-kms
flag (#942).- Hide
step oauth command
on failure (#993)
- Look for Windows plugins with executable extensions (smallstep/certificates#976)
- Fix empty ca.json with invalid template data (smallstep/certificates#1501)
- Fix interactive prompt on docker builds (#963)
step certificate fingerprint
correctly parse PEM files with non-PEM header (smallstep/crypto#311)step certificate format
correctly parse PEM files with non-PEM header (#1006)- Fix TOFU flag in
ca provisioner update
(#941) - Make
--team
incompatible with--fingerprint
and--ca-url
in `step ca bootstrap (#1017)
- Remove automatic creation of the step path (smallstep/certificates#991)
- Depend on smallstep/go-attestation instead of google/go-attestation
- Implementation for parsing CRLs (#926)
- Storing of certificate chain for TPM keys in TPM storage (#915)
- The enrolment URL path used when enrolling with an attestation CA (#915)
- Issue with CLI reference not showing curly braces correctly (#916)
- Word wrapping for
step api token
example (#917)
- Cross-compile Debian docker builds to improve release performance (#911).
- Fix encrypted PKCS#8 keys used on
step crypto key format
(smallstep/crypto#216).
- Upgrade certificates version (#910).
- Support for ACME device-attest-01 challenge with TPM 2.0 (#712).
- Build and release cleanups (#883, #884, #888, and #896).
- Release of the smallstep/step-cli:bullseye docker image with CGO and glibc support (#885).
- Support for reload using the HUP signal on the test command
step fileserver
(#891). - Support for Azure sovereign clouds (#872).
- Fix the
--insecure
flag when creating RSA keys of less than 2048 bits (#878). - Fix docs for active revocation (#889)
- Fix signing of X5C tokens with ECDSA P-384 and P-521 keys.
- Fix 404 links in docs (#907).
- Linting and cleanup changes (#904 and #905).
- Use key fingerprints by default for SSH certificates, and add
--certificate
flag to print the certificate fingerprint (#908).
- Remove
--hugo
flag instep help
command (#898).
- Support on
step ca token
for signing JWK, X5C and SSHPOP tokens using a KMS (#871). - debian:bullseye base image (#861)
step certificate needs-renewal
will only check the leaf certificate by default. To test the full certificate bundle use the--bundle
flag. (#873)- Change how
step help --markdown
works: It now ouputs "REAME.mdx" instead of "index.md"
- Prevent re-use of TCP connections between requests on
step oauth
(#858). - Upgrade certinfo with a fix for the YubiKey touch policy information (#854).
- Upgrade Golang dependencies with reported issues.
- Added support for extended SANs when creating CSRs (smallstep/crypto#168).
- Added check for empty DNS value in
step ca init
(#815).
- Improved prompts and error messages in
step ca init
(#827), (#831), (#839). - Improved ACME device-attest-01 challenge validation logic (#837).
- Fixed
step ca provisioner add
when CA is not online (#833).
- Add scope parameter in
step oauth
(#816).
- Check for remote configuration API before prompting for admin credentials (smallstep/cli809).
- Generation of OTT when signing a CSR with URIs (#799).
- CA certificates path for SLSE with smallstep/truststore/#16 (#818).
- Added support for configuring ACME device-attest-01 challenges.
- Added support to disable ACME challenges and attestation formats.
- Added support for ACME device-attest-01 challenges with YubiKeys.
- Added support for SUSE13 and upwards for
step certificate install
. - Added support for printing Sigstore certificate
details to
step certificate inspect
- Added the
--acme
flag to thestep ca init
command to create a default ACME provisioner when initializing a CA. - Added
--remote-management
flag to thestep ca init
command, which enables Remote Management of the CA using the Admin API. - Added
x5c
tokens using certificates and keys in a KMS. - Added Window's CryptoAPI support on
step-kms-plugin
. - Added
--admin-password-file
flag on admin flows. - Added support for GitHub OAuth flows.
- New OAuth success page with color.
- Added
x5c-roots
as alias forx5c-root
flag.
- Removed support for Google OOB.
- Initial support for
step
plugins. A plugin is an executable file named with the format step-name
-plugin, located in the$PATH
or the$STEPPATH/plugins
directory. These plugins will be executed usingstep name
. - Integration of
step-kms-plugin
onstep certificate create
andstep certificate sign
. - Add the certificate signature to
step ssh inspect
output. - Add the
--mtls=false
flag to force the token authorization flow onstep ca renew
. - Add the
--set
and--set-file
flag tostep certificate create
andstep certificate sign
commands.
- Support two latest versions of Go (1.18, 1.19)
step ca revoke <serial>
requires either a base 10 serial number or a value with a prefix indicating the appropriate base.
- Device Authorization Grant flow for input constrained devices needing OAuth
credentials.
--console-flow
flag instep oauth
for selecting which alternative OAuth flow to use.
- Added back --domain and --remove-domain flags to provisioner CRUD.
- The
beta
prefix for remote provisioner and admin management.
- Add commands for managing certificate issuance policies on authority, provisioner and ACME account level.
- Admin API enabled functionality for
step beta ca provisioner
andstep beta ca admin
.
- step beta ca provisioner [add|remove|update] -> functionality moved to step ca provisioner [add|remove|update]
- step beta ca admin [add|remove|update] -> functionality moved to step ca admin [add|remove|update]
- Add flags to include subscription and object ids in the Azure provisioner.
- Add support for certificate renewals after expiry using the
--allow-renewal-after-expiry
flag. - Add
--x5c-insecure
flag. - Add support for Azure
Managed Identity
tokens. - Add
smtps
andldaps
as additional protocols supported by thecertificate inspect
command. - Add
--sha1
flag to getcertificate fingerprint
using SHA-1 instead of the default SHA-256 algorithm.
- Support two latest versions of Go (1.17, 1.18).
- Go 1.16 support.
- Fix flags to add or remove options in AWS, Azure, and GCP provisioners.
- Fix admin credentials on RAs.
- Add Solus OS support to truststore when used in
step ca bootstrap --install
. - Add
step completion
command to print the shell completion script.
- IPv6 addresses are normalized as IP addresses internally.
- When the
--context
flag is provided when initializing a CA, configuration and other files will be stored in a directory named after the value provided instead of being named after the first DNS name.
- IP SAN support when using
step ca sign
and an ACME provisioner (see 819). - Offline mode no longer requires
--ca-url
to be set. - Add missing
TemplateData
when signing x509 certificates in offline mode. - Improved
needs-renewal
example help texts. - Improved
step crl inspect
reason output.
- Add additional
emoji
andbase64-raw
encoding to the--format
flag ofstep certificate fingerprint
. - Add
--format
flag tostep crypto key fingerprint
. - Add
--format
flag tostep ssh fingerprint
. - Add FreeBSD support to
step certificate install
. - Add
step crl inspect
to inspect a certificate revocation list (CRL). - Add
--auth-param
flag tostep oauth
for adding args to query. - Add
--no-agent
flag tostep ssh certificate
to skip ssh-add. - Add IP SANs support to
step ca certificate
when using an ACME provisioner. - Add support for adding and updating Nebula provisioners.
- Allow
step ssh login
andstep ssh logout
without positional arguments. - Additional configuration options for SCEP provisioners.
- Ability to use multiple certificate authority contexts without the need to change $STEPPATH.
- Support for go 1.15
- gocritic linter
- Allow to initialize step-ca config with Azure Key Vault using
step ca init --kms azurekms
.
- gocritic warnings
- Allow override of the listen address on OIDC flows when there is an existing value in provisioner configuration.
- Add a way to set the redirect_uri in an OIDC flow. Allowing to get a certificate from containers or environments where it is hard to send traffic to 127.0.0.1 and where the IDP does not support the urn:ietf:wg:oauth:2.0:oob flow.
- Bug in step ssh certificate --offline where password-file flag was always set to the value of provisioner-password-file flag.
- exit code '2' for file not exists scenarios in 'needs-renewal' commands
- go 1.17 to github action test matrix
- non interactive provisioner password file flag in
step ca token --offline
- Using go 1.17 to build
- Have
--dns
behave as string slice flag instep ca init
- The way CSR is created on
step ca certificate
with OIDC to better support of admins
- Fix
make bootstrap
failing to get GOPATH and installgolangci-lint
. - ipv6 address error in multi-DNS csv
step ca init
- Use cosign to sign and upload signatures for multi-arch Docker container.
- Debian checksum
- Sign over goreleaser github artifacts using cosign
--bundle
flag to cert/inspect for inspecting all the full chain or bundle given a path. Default behavior is unchanged; only inspect the first (leaf) certificate.- distribution.md with documentation on how to create releases.
- travis build and upload artifacts to GitHub Releases on tagged pushes.
- logging of invalid http requests to the oauth server
- default PEM format encryption alg AES128 -> AES256
- Initial version of
step