- Patched bug that required the
allow_any_nameorallowed_domains=[""]role parameters to issue/sign certificates with no CN.
- Upgrade from Go
v1.21tov1.22. - Implement more strict golangci-lint policy.
- If upstream EJBCA API call fails, the HTTP status code is propogated to the Vault user via the Vault API status code.
- Implement OAuth 2.0 "client credentials" token flow as a supported authentication mechanism to EJBCA.
- Paths that need to write to the Storage backend now forward the request to the primary node. This is important in Enterprise HA deployments where Performance Standby Nodes are allowed to handle read requests/paths.
- Certificate revocation with the
/revoke*paths now support revocation of certificates not in local Engine storage if a certificate is provided. Revoked certificates are stored in the revoked storage regardless of the initial role configuration used to issue the certificate.
- Create
revoke-with-keypath to revoke certificate only if user proves they have the private key - Implement the following role restrictions for
issueandsignpaths:allow_localhostallowed_domainsallow_bare_domainsallow_subdomainsallow_glob_domainsallow_wildcard_certificates
- Mark the following paths to not require authentication to match in-tree PKI engine:
cert/*ca/pemca_chaincaissuer/+/pemissuer/+/derissuer/+/jsonissuers/
- Implement
ca_certfield in config path for communication with EJBCA API that doesn't serve publically trusted certificate- Upgrade
ejbca-go-client-sdktov0.1.5that supports communication with non-publically trusted servers
- Upgrade
- Implement logging
- Update documentation
- Refactor
readverb for/configpath to redact private key in response
- First public release of EJBCA Vault PKI Engine