NOTE: Please look to the technical section of the smallstep blog for all release notes for step cli and certificates.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- Support for inspecting certificates with post-quantum algorithms ML-DSA and SLH-DSA (smallstep/certinfo#69).
- Update certificates to v0.30.2
- Fix release issue
- Allow using KMS URIs directly without the `--kms` flag for commands that use the cryptoutils package (#1560).
- Expand `--kms` flag help text with detailed documentation for all supported KMS types (YubiKey PIV, PKCS #11, TPM 2.0, Google Cloud KMS, AWS KMS, Azure Key Vault) and usage examples (#1550).
- Prefer `verification_uri_complete` over `verification_uri` in the OIDC Device Authorization Flow when the IdP provides it, so users don't need to manually enter a code (#1430).
- Skip printing the user code during OIDC device authorization when the complete verification URI already embeds it (#1595).
- Suppress output messages for the `step certificate needs-renewal` and `step ssh needs-renewal` commands when certificates don't need renewal. Use the `--verbose` flag to always show messages regardless of renewal status (#1548).
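The two device-authorization entries above (#1430 and #1595) describe one decision: open `verification_uri_complete` when the IdP returns it, and print the user code only if that URI does not already carry it. The following is an added example in Python that is not code from the step CLI; the field names are those of RFC 8628, and the two responses it works on are constructed, not captured from a real IdP.

```python
"""Decide what to show the user from an OAuth 2.0 Device Authorization
response (RFC 8628): prefer verification_uri_complete, and print the user
code only when the chosen URL does not already embed it.

Added example, not code from the step CLI. Field names are RFC 8628's;
the responses below are constructed, not captured from a real IdP.
"""
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit


def code_embedded(url: str, code: str) -> bool:
    """True if `code` appears as a query-parameter value or a path segment."""
    parts = urlsplit(url)
    for values in parse_qs(parts.query).values():
        if code in values:
            return True
    return code in parts.path.split("/")


def pick_verification(resp: dict) -> Tuple[str, Optional[str]]:
    """Return (url_to_open, user_code_to_print). The code is None when the
    URL already embeds it, so the user is not asked to type it twice."""
    for field in ("device_code", "user_code", "verification_uri"):
        if field not in resp:
            raise ValueError(f"device authorization response lacks {field!r}")
    code = resp["user_code"]
    complete = resp.get("verification_uri_complete")
    if complete:
        # The IdP supplied the complete URI: open it, and drop the code only
        # if the URI really contains it (the #1595 entry guards the case
        # where it does not).
        return complete, (None if code_embedded(complete, code) else code)
    return resp["verification_uri"], code


# Constructed responses for demonstration (not real IdP output).
WITH_COMPLETE = {
    "device_code": "GmRhmhcxhwAzkoEqiMEg_DnyEysNkuNhszIySk9eS",
    "user_code": "WDJB-MJHT",
    "verification_uri": "https://idp.example/device",
    "verification_uri_complete": "https://idp.example/device?user_code=WDJB-MJHT",
    "expires_in": 1800,
    "interval": 5,
}
WITHOUT_COMPLETE = {k: v for k, v in WITH_COMPLETE.items()
                    if k != "verification_uri_complete"}

if __name__ == "__main__":
    for resp in (WITH_COMPLETE, WITHOUT_COMPLETE):
        url, code = pick_verification(resp)
        print("open", url, "and enter" if code else "(code embedded)", code or "")
```

Polling the token endpoint with `device_code` is unchanged by this decision and is left out; the point is only which URL to show and whether a code must be typed.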
- Overwrite file when using `--force` with `step crypto key format` (#1581)
- Add PKIX fingerprint support for `step crypto key fingerprint` (#1474)
- Add remote configuration of the provisioner GCP organization id (#1490)
- Do not create an identity token if it's not enabled (#1495).
- Make `--attestation-uri` incompatible with `--kms` for `step ca certificate` (#1516)
- Add support for specifying key usage, extended key usage, and basic constraints in certificate requests (smallstep/crypto#767)
- Ensure HOMEDRIVE is used, on Windows, when locating SSH config file (#1434)
- Enable alternate SSH agents for `step ssh` on Windows (#1428)
- Refactor CLI to enable testing via testscript (#1426)
- Fix step ca token help text around validity period flags (#1411)
- Fix some provisioner and policy prompt issues (#1391)
- SCEP provisioners not detected in admin token flows. They now return an error, similar to ACME provisioners, if selected.
- Invalid provisioner selection logic when managing provisioner policies. The --provisioner flag was used to select a provisioner to authenticate as well as the provisioner to manage policies for.
- Unexpected error messages showing "issuer" instead of "provisioner" flag. In certain situations the CLI would return error messages indicating an issue with the --issuer flag value, whereas it was actually supplied in the --provisioner flag.
- dependabot updates
- v0.28.4 skipped due to broken CI
- Add the --set and --set-file flags to the step ca token command, allowing the user to set keys in the "user" claim in the resulting JWT. (#1375)
- Support for downloading additional default settings when running 'step ssh config' (#1377)
- 'min-password-length' and 'provisioner'
- Add support for KMS in the ca renew and rekey commands (#1353)
- Correctly handle redirect-url flag when bootstrapping (#1350)
- Broken release process
- Updated smallstep/certinfo package (#1309)
- disableSSHCAUser and disableSSHCAHost options to GCP provisioner create and update commands (#1305)
- Support programmatically opening browser on Android devices (#1301)
- Fix --context being ignored in commands that rely on certificates (#1301)
- Add `--remove-scope` flag to the provisioner update command. Removes the given scope, used to validate the scopes extension in an OpenID Connect token (#1287)
- Support for signing and publishing RPM and Deb packages to GCP Artifact Registry (#1246)
- Update Release download URLs for RPM and DEB packages with new file name formats (#1256)
- Skipping 0.27.3 to synchronize with smallstep/certificates
- Broken release process
- Makefile: install to /usr/local/bin, not /usr/bin (#1214)
- Set proper JOSE algorithm for Ed25519 keys (#1208)
- Makefile: usage of install command line flags on MacOS (#1212)
- Restore operation of '--bundle' flag in certificate inspect (#1215)
- Fish completion (#1222)
- Restore operation of inspect CSR from STDIN (#1232)
- Options for auth-params and scopes to OIDC token generator (#1154)
- --kty, --curve, and --size to ssh commands (login, certificate) (#1156)
- Stdin input for SSH needs-renewal (#1157)
- Allow users to define certificate comment in SSH agent (#1158)
- Add OCSP and CRL support to certificate verify (#1161)
- Ability to output inspected CSR in PEM format (#1153)
- Allow 'certificate inspect' to parse PEM files containing extraneous data (#1153)
- Sending of (an automatically generated) request identifier in the X-Request-Id header (#1120)
- Upgrade certinfo (#1129)
- Upgrade other dependencies
- OIDC flows failing using Chrome and other Chromium based browsers (#1136)
- Upgrade to using cosign v2 for signing artifacts
- Add support for Nebula certificates using ECDSA P-256 (#1085)
- Upgrade docker image using Debian to Bookworm (#1080)
- Upgrade dependencies, including go-jose to v3 (#1086)
- Add `step crypto rand` command (#1054)
- Support for custom TPM device name in the `--attestation-uri` flag (#1044)
- Ignore BOM when reading files (#1045)
- Upgraded `truststore` to fix installing certificates on certain Linux systems (#1053)
- Scoop and WinGet releases
- Command completion for `zsh` (#1055)
- Add support for provisioner claim `disableSmallstepExtensions` (#986)
- Add support for PowerShell plugins on Windows (#992)
- Create API token using team slug (#980)
- Detect OIDC tokens issued by Kubernetes (#953)
- Add support for Smallstep Managed Endpoint X509 extension (#989)
- Support signing a certificate for a private key that can only be used for encryption with the `--skip-csr-signature` flag in `step certificate create`. Some KMSs restrict key usage to a single type of cryptographic operation. This blocks RSA decryption keys from being used to sign a CSR for their public key. Using the `--skip-csr-signature` flag, the public key is used directly with a certificate template, removing the need for the CSR signature.
- Add all AWS identity document certificates (smallstep/certificates#1510)
- Add SCEP decrypter configuration flags (#950)
- Add detection of OIDC tokens issued by Kubernetes (#953)
- Add unversioned release artifacts to build (#965)
- Increase PBKDF2 iterations to 600k (#949)
- The `--kms` flag is no longer used for the CA (signing) key for `step certificate create`. It was replaced by the `--ca-kms` flag (#942).
- Hide `step oauth` command on failure (#993)
- Look for Windows plugins with executable extensions (smallstep/certificates#976)
- Fix empty ca.json with invalid template data (smallstep/certificates#1501)
- Fix interactive prompt on docker builds (#963)
- `step certificate fingerprint` correctly parses PEM files with a non-PEM header (smallstep/crypto#311)
- `step certificate format` correctly parses PEM files with a non-PEM header (#1006)
- Fix TOFU flag in `ca provisioner update` (#941)
- Make `--team` incompatible with `--fingerprint` and `--ca-url` in `step ca bootstrap` (#1017)
- Remove automatic creation of the step path (smallstep/certificates#991)
- Depend on smallstep/go-attestation instead of google/go-attestation
- Implementation for parsing CRLs (#926)
- Storing of certificate chain for TPM keys in TPM storage (#915)
- The enrolment URL path used when enrolling with an attestation CA (#915)
- Issue with CLI reference not showing curly braces correctly (#916)
- Word wrapping for `step api token` example (#917)
- Cross-compile Debian docker builds to improve release performance (#911).
- Fix encrypted PKCS#8 keys used on `step crypto key format` (smallstep/crypto#216).
- Upgrade certificates version (#910).
- Support for ACME device-attest-01 challenge with TPM 2.0 (#712).
- Build and release cleanups (#883, #884, #888, and #896).
- Release of the smallstep/step-cli:bullseye docker image with CGO and glibc support (#885).
- Support for reload using the HUP signal on the test command `step fileserver` (#891).
- Support for Azure sovereign clouds (#872).
- Fix the `--insecure` flag when creating RSA keys of less than 2048 bits (#878).
- Fix docs for active revocation (#889)
- Fix signing of X5C tokens with ECDSA P-384 and P-521 keys.
- Fix 404 links in docs (#907).
- Linting and cleanup changes (#904 and #905).
- Use key fingerprints by default for SSH certificates, and add the `--certificate` flag to print the certificate fingerprint (#908).
- Remove `--hugo` flag in `step help` command (#898).
- Support on `step ca token` for signing JWK, X5C and SSHPOP tokens using a KMS (#871).
- debian:bullseye base image (#861)
- `step certificate needs-renewal` will only check the leaf certificate by default. To test the full certificate bundle use the `--bundle` flag. (#873)
- Change how `step help --markdown` works: it now outputs "README.mdx" instead of "index.md"
- Prevent re-use of TCP connections between requests on `step oauth` (#858).
- Upgrade certinfo with a fix for the YubiKey touch policy information (#854).
- Upgrade Golang dependencies with reported issues.
- Added support for extended SANs when creating CSRs (smallstep/crypto#168).
- Added check for empty DNS value in `step ca init` (#815).
- Improved prompts and error messages in `step ca init` (#827), (#831), (#839).
- Improved ACME device-attest-01 challenge validation logic (#837).
- Fixed `step ca provisioner add` when CA is not online (#833).
- Add scope parameter in `step oauth` (#816).
- Check for remote configuration API before prompting for admin credentials (smallstep/cli#809).
- Generation of OTT when signing a CSR with URIs (#799).
- CA certificates path for SLES with smallstep/truststore#16 (#818).
- Added support for configuring ACME device-attest-01 challenges.
- Added support to disable ACME challenges and attestation formats.
- Added support for ACME device-attest-01 challenges with YubiKeys.
- Added support for SUSE13 and upwards for `step certificate install`.
- Added support for printing Sigstore certificate details to `step certificate inspect`.
- Added the `--acme` flag to the `step ca init` command to create a default ACME provisioner when initializing a CA.
- Added `--remote-management` flag to the `step ca init` command, which enables Remote Management of the CA using the Admin API.
- Added `x5c` tokens using certificates and keys in a KMS.
- Added Windows CryptoAPI support on `step-kms-plugin`.
- Added `--admin-password-file` flag on admin flows.
- Added support for GitHub OAuth flows.
- New OAuth success page with color.
- Added `x5c-roots` as alias for `x5c-root` flag.
- Removed support for Google OOB.
- Initial support for `step` plugins. A plugin is an executable file named with the format `step-name-plugin`, located in the `$PATH` or the `$STEPPATH/plugins` directory. These plugins will be executed using `step name`.
- Integration of `step-kms-plugin` on `step certificate create` and `step certificate sign`.
- Add the certificate signature to `step ssh inspect` output.
- Add the `--mtls=false` flag to force the token authorization flow on `step ca renew`.
- Add the `--set` and `--set-file` flags to the `step certificate create` and `step certificate sign` commands.
- Support two latest versions of Go (1.18, 1.19)
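The plugin entry above says only that `step name` runs an executable called `step-name-plugin` found in `$STEPPATH/plugins` or on `$PATH`. Resolving a name to a file is where a CLI can go wrong (a `..` in the name, a relative `$PATH` entry, a non-executable file), so here is an added Python example of such a resolver; it is not the step CLI's own code. The file-name scheme and the two locations come from the changelog; the search order (plugins directory first), the rejection of relative `$PATH` entries and the executable-bit check are this example's own choices, and the executable-bit check is POSIX-only.

```python
"""Resolve `step <name>` to the plugin executable it would run.

Added example, not the step CLI's own code. The naming scheme
(step-<name>-plugin) and the search locations ($STEPPATH/plugins, $PATH)
come from the changelog entry; searching the plugins directory first,
skipping relative $PATH entries, and requiring a regular file with the
executable bit set are this example's own hardening choices (POSIX only).
"""
import os
import stat
import tempfile
from typing import List, Optional, Tuple


def find_plugin(name: str, steppath: str, path_env: str) -> Optional[str]:
    """Return the path of step-<name>-plugin, or None if no such file."""
    # Reject names that could escape the naming scheme or the searched
    # directories, e.g. "../../tmp/evil" or an empty name.
    if not name or "/" in name or os.sep in name or name.startswith("."):
        raise ValueError(f"invalid plugin name: {name!r}")
    filename = f"step-{name}-plugin"
    dirs: List[str] = [os.path.join(steppath, "plugins")]
    # Relative or empty $PATH entries resolve against the current working
    # directory, which would let a writable cwd plant a look-alike plugin.
    dirs += [d for d in path_env.split(os.pathsep) if os.path.isabs(d)]
    for directory in dirs:
        candidate = os.path.join(directory, filename)
        try:
            st = os.stat(candidate)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IXUSR:
            return candidate
    return None


def demo() -> Tuple[Optional[str], Optional[str], bool]:
    """Build a throwaway $STEPPATH with one good and one non-executable
    plugin, then resolve three names against it. Returns (basename of the
    resolved plugin, result for an unknown name, whether the non-executable
    file was ignored even with "." on $PATH)."""
    with tempfile.TemporaryDirectory() as steppath:
        plugdir = os.path.join(steppath, "plugins")
        os.makedirs(plugdir)
        good = os.path.join(plugdir, "step-hello-plugin")
        with open(good, "w") as f:
            f.write("#!/bin/sh\necho hello from the plugin\n")
        os.chmod(good, 0o755)
        bad = os.path.join(plugdir, "step-broken-plugin")
        with open(bad, "w") as f:
            f.write("#!/bin/sh\necho never runs\n")
        os.chmod(bad, 0o644)  # deliberately no exec bit
        found = find_plugin("hello", steppath, "/usr/bin:/bin")
        missing = find_plugin("nope", steppath, "/usr/bin:/bin")
        ignored = find_plugin("broken", steppath, ".:/usr/bin") is None
        return (os.path.basename(found) if found else None), missing, ignored


if __name__ == "__main__":
    print(demo())
```

Dispatching to the resolved file (with `subprocess.run([path, *args])`) is the easy part; the checks above are what keep `step name` from running something planted in the current directory.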
- `step ca revoke <serial>` requires either a base 10 serial number or a value with a prefix indicating the appropriate base.
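The entry above matters because a hex serial copied from a certificate dump and passed without a prefix parses as a different (decimal) number, revoking nothing or the wrong certificate. The following is an added Python example, not the step CLI's own code, of normalizing a serial into a prefixed literal before passing it on. Accepting the colon-separated hex form that `openssl x509 -text` prints is this example's own convenience, and the RFC 5280 bounds (positive, at most 20 octets) are its own sanity check; bare hex with no prefix is rejected rather than guessed.

```python
"""Normalize a certificate serial number into a value `step ca revoke`
accepts: a base-10 integer, or a literal whose prefix states its base
(0x..., 0o..., 0b...). Bare hex without a prefix is rejected rather than
guessed, since "1234" is both valid decimal and valid hex.

Added example, not the step CLI's own code. Accepting colon-separated hex
(the form `openssl x509 -text` prints) is this example's convenience; the
RFC 5280 bounds (positive, at most 20 octets) are its own sanity check.
"""
import re

# Two or more colon-separated bytes; a colon is what marks the input as hex.
_COLON_HEX = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2})+$")
MAX_SERIAL_BITS = 20 * 8  # RFC 5280 4.1.2.2: serialNumber is at most 20 octets


def parse_serial(text: str) -> int:
    s = text.strip()
    if _COLON_HEX.match(s):
        s = "0x" + s.replace(":", "")
    try:
        # base 0: honour 0x/0o/0b prefixes, otherwise base 10 (leading zeros
        # are rejected there, so "0123" is an error rather than a guess).
        value = int(s, 0)
    except ValueError as exc:
        raise ValueError(f"unrecognised serial {text!r}") from exc
    if value <= 0:
        raise ValueError(f"serial must be positive: {text!r}")
    if value.bit_length() > MAX_SERIAL_BITS:
        raise ValueError(f"serial longer than 20 octets: {text!r}")
    return value


def revoke_argument(text: str) -> str:
    """Render the serial as a 0x literal, unambiguous whatever its length."""
    return hex(parse_serial(text))


def is_valid_serial(text: str) -> bool:
    try:
        parse_serial(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for raw in ("123456", "0x1A2B", "1a:2b:3c", "1a2b"):
        print(raw, "->", revoke_argument(raw) if is_valid_serial(raw) else "rejected")
```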
- Device Authorization Grant flow for input constrained devices needing OAuth credentials.
- `--console-flow` flag in `step oauth` for selecting which alternative OAuth flow to use.
- Added back --domain and --remove-domain flags to provisioner CRUD.
- The `beta` prefix for remote provisioner and admin management.
- Add commands for managing certificate issuance policies on authority, provisioner and ACME account level.
- Admin API enabled functionality for `step beta ca provisioner` and `step beta ca admin`.
- `step beta ca provisioner [add|remove|update]` -> functionality moved to `step ca provisioner [add|remove|update]`
- `step beta ca admin [add|remove|update]` -> functionality moved to `step ca admin [add|remove|update]`
- Add flags to include subscription and object ids in the Azure provisioner.
- Add support for certificate renewals after expiry using the `--allow-renewal-after-expiry` flag.
- Add `--x5c-insecure` flag.
- Add support for Azure `Managed Identity` tokens.
- Add `smtps` and `ldaps` as additional protocols supported by the `certificate inspect` command.
- Add `--sha1` flag to get `certificate fingerprint` using SHA-1 instead of the default SHA-256 algorithm.
- Support two latest versions of Go (1.17, 1.18).
- Go 1.16 support.
- Fix flags to add or remove options in AWS, Azure, and GCP provisioners.
- Fix admin credentials on RAs.
- Add Solus OS support to truststore when used in `step ca bootstrap --install`.
- Add `step completion` command to print the shell completion script.
- IPv6 addresses are normalized as IP addresses internally.
- When the `--context` flag is provided when initializing a CA, configuration and other files will be stored in a directory named after the value provided instead of being named after the first DNS name.
- IP SAN support when using `step ca sign` and an ACME provisioner (see 819).
- Offline mode no longer requires `--ca-url` to be set.
- Add missing `TemplateData` when signing x509 certificates in offline mode.
- Improved `needs-renewal` example help texts.
- Improved `step crl inspect` reason output.
- Add additional `emoji` and `base64-raw` encoding to the `--format` flag of `step certificate fingerprint`.
- Add `--format` flag to `step crypto key fingerprint`.
- Add `--format` flag to `step ssh fingerprint`.
- Add FreeBSD support to `step certificate install`.
- Add `step crl inspect` to inspect a certificate revocation list (CRL).
- Add `--auth-param` flag to `step oauth` for adding args to the query.
- Add `--no-agent` flag to `step ssh certificate` to skip ssh-add.
- Add IP SANs support to `step ca certificate` when using an ACME provisioner.
- Add support for adding and updating Nebula provisioners.
- Allow `step ssh login` and `step ssh logout` without positional arguments.
- Additional configuration options for SCEP provisioners.
- Ability to use multiple certificate authority contexts without the need to change $STEPPATH.
- Support for go 1.15
- gocritic linter
- Allow initializing the step-ca config with Azure Key Vault using `step ca init --kms azurekms`.
- gocritic warnings
- Allow override of the listen address on OIDC flows when there is an existing value in provisioner configuration.
- Add a way to set the redirect_uri in an OIDC flow, allowing a certificate to be obtained from containers or environments where it is hard to send traffic to 127.0.0.1 and where the IdP does not support the urn:ietf:wg:oauth:2.0:oob flow.
- Bug in `step ssh certificate --offline` where the `password-file` flag was always set to the value of the `provisioner-password-file` flag.
- Exit code `2` for file-does-not-exist scenarios in `needs-renewal` commands.
- go 1.17 to github action test matrix
- Non-interactive provisioner password file flag in `step ca token --offline`
- Using go 1.17 to build
- Have `--dns` behave as a string slice flag in `step ca init`
- The way the CSR is created on `step ca certificate` with OIDC, to better support admins
- Fix `make bootstrap` failing to get GOPATH and install `golangci-lint`.
- IPv6 address error in multi-DNS csv for `step ca init`
- Use cosign to sign and upload signatures for multi-arch Docker container.
- Debian checksum
- Sign over goreleaser github artifacts using cosign
- `--bundle` flag to cert/inspect for inspecting the full chain or bundle given a path. Default behavior is unchanged; only inspect the first (leaf) certificate.
- distribution.md with documentation on how to create releases.
- travis build and upload artifacts to GitHub Releases on tagged pushes.
- logging of invalid http requests to the oauth server
- default PEM format encryption alg AES128 -> AES256
- Initial version of `step`