Jeff Mitchell
bf0909a892
Tab -> space doc fix
2015-12-05 15:04:54 -05:00
Jeff Mitchell
1dbfcc3b45
Merge branch 'master' into pki-csrs
2015-12-03 15:23:08 -05:00
Jeff Mitchell
04b04bf2bd
Merge pull request #816 from hashicorp/issue-816
...
Remove datacenter from Consul configuration
2015-12-03 15:22:05 -05:00
Jeff Mitchell
3bdbd66f7d
Remove datacenter from Consul configuration, as it cannot actually do
...
anything
Fixes #816
2015-12-03 15:16:37 -05:00
Jeff Mitchell
d8acd9262c
Cut version 0.4.0-rc2
2015-12-01 13:18:11 -05:00
Jeff Mitchell
83fc154c98
Sync dist script from pki-csrs
2015-12-01 13:12:58 -05:00
Jeff Mitchell
32b8a5ddc9
Have dist script publish and purge
2015-12-01 13:09:38 -05:00
Jeff Mitchell
d642a16a4b
Support relbranch in dist script
2015-12-01 12:53:18 -05:00
Jeff Mitchell
b0708b9f9b
Fix bashism in dist script
2015-12-01 12:33:59 -05:00
Jeff Mitchell
6ad1b75caf
Merge branch 'master' into pki-csrs
2015-12-01 00:09:23 -05:00
Jeff Mitchell
564969acfd
Merge pull request #809 from hashicorp/add-monitor-retries
...
Add new Consul API client MonitorRetries option
2015-12-01 00:08:53 -05:00
Jeff Mitchell
69b522f3ea
Add new Consul API client MonitorRetries option
2015-12-01 00:08:14 -05:00
Jeff Mitchell
64cd58463b
Fix AWS tests
2015-12-01 00:05:04 -05:00
Jeff Mitchell
2c012c2830
Update godeps, most notably to get Consul client updates
2015-11-30 23:58:03 -05:00
Jeff Mitchell
4eec9d69e8
Change allowed_base_domain to allowed_domains and allow_base_domain to
...
allow_bare_domains, for comma-separated multi-domain support.
2015-11-30 23:49:11 -05:00
Jeff Mitchell
b6c49ddf01
Remove token display names from input options as there isn't a viable
...
use-case for it at the moment
2015-11-30 18:07:42 -05:00
Jeff Mitchell
cf366bda9c
Greatly simplify and fix the name validation function, as well as fully
...
comment it.
2015-11-23 14:15:32 -05:00
Jeff Mitchell
4e4340ee57
Cut version 0.4.0-rc1
2015-11-20 13:40:40 -05:00
Jeff Mitchell
84e6701f36
Update dist script for hc-releases
2015-11-20 13:39:05 -05:00
Jeff Mitchell
aad13f202a
Bump version to 0.4.0-rc1
2015-11-20 13:18:29 -05:00
Jeff Mitchell
ee8e143555
Add PKI enhancements to Changelog
2015-11-20 13:18:07 -05:00
Jeff Mitchell
d461929c1d
Documentation update
2015-11-20 13:13:57 -05:00
Jeff Mitchell
22a6d6fa22
Merge branch 'master' into pki-csrs
2015-11-20 12:48:38 -05:00
Jeff Mitchell
fcd749af75
Merge pull request #786 from hashicorp/issue-784
...
Reintroduce the ability to look up obfuscated values in the audit log
2015-11-20 12:39:54 -05:00
Jeff Mitchell
25e359084c
Update documentation, some comments, make code cleaner, and make generated roots be revoked when their TTL is up
2015-11-19 17:14:22 -05:00
Jeff Mitchell
0dbe15cb87
Mostly revert changes to certutil as the embedded struct stuff was being
...
problematic.
2015-11-19 14:18:39 -05:00
Jeff Mitchell
af3d6ced8e
Update validator function for URIs. Change example of entering a CA to a
...
root cert generation. Other minor documentation updates. Fix private key
output in issue/sign.
2015-11-19 11:35:17 -05:00
Jeff Mitchell
f41a2e562a
fix tests
2015-11-19 10:13:28 -05:00
Jeff Mitchell
71f9ea8561
Make it clear that generating/setting a CA cert will overwrite what's
...
there.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
a95228e4ee
Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
26c8cf874d
Move public key comparison logic to its own function
2015-11-19 09:51:18 -05:00
Jeff Mitchell
4681d027c0
Move serial number generation and key validation into certutil; centralize format and key verification
2015-11-19 09:51:18 -05:00
Jeff Mitchell
c6ba4f24bc
Add URL validation
2015-11-19 09:51:18 -05:00
Jeff Mitchell
5510a2b16f
Add unit tests for CSR bundle conversion
2015-11-19 09:51:18 -05:00
Jeff Mitchell
b14050bebc
Fix zero path length handling, and move common field defs elsewhere
2015-11-19 09:51:18 -05:00
Jeff Mitchell
8008451fb5
Fix logic around zero path length -- only restrict issuing intermediate CAs in this case
2015-11-19 09:51:18 -05:00
Jeff Mitchell
c461652b40
Address some feedback from review
2015-11-19 09:51:18 -05:00
Jeff Mitchell
ed62afec14
Large documentation updates, remove the pathlength path in favor of
...
making that a parameter at CA generation/sign time, and allow more
fields to be configured at CSR generation time.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
5970cb76b6
Add path length paths and unit tests to verify same.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
ca844b1dc1
Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
4cb10abcc0
Add tests for using raw CSR values
2015-11-19 09:51:18 -05:00
Jeff Mitchell
83975314c7
Change a few checks on names:
...
- Allow an email address to be the common name of a cert even if email
protection isn't in the role if any name is set to true (this allows
certificates with a common name entry of an email address but used for
other purposes; here just for CA cert signing).
- Don't check the user part of an email against the hostname regex.
Emails can contain e.g. "+" and "_" and these should be allowed even
though they're not part of a valid hostname.
Also, fix a nil pointer issue.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
deb5131cd3
Add config/urls CRUD operations to get and set the URLs encoded into
...
certificates for the issuing certificate URL, CRL distribution points,
and OCSP servers.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
779efbbbc3
Change use_csr_subject to use_csr_values; copy not only the subject, but
...
also the alternate names and the extensions over as well.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
76af733ee2
Remove setting serial number in the pkix Subject
2015-11-19 09:51:17 -05:00
Jeff Mitchell
54c5c232fd
Add a flag so that when signing CA certificates, the Subject (including names and extra names) can be used verbatim from the CSR
2015-11-19 09:51:17 -05:00
Jeff Mitchell
7c5a174493
Add capability to use the CSR's common name (by default for CA CSRs if
...
no common_name parameter is given, role-controlled for non-CA CSRs).
Fix logic around the CA/CRL endpoints. Now settable when generating a
self-signed root or setting a CA cert into the backend; if not set,
these values are not set in issued certs. Not required when signing an
intermediate cert (and in fact it was wrong to do so in the first
place).
2015-11-19 09:51:17 -05:00
Jeff Mitchell
54fccb2ff4
Add support for EC CA keys, output to base64-encoded DER instead of PEM, and tests for all of those. Also note that Go 1.5 is now required.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
4261e594af
Address some minor PR feedback
2015-11-19 09:51:17 -05:00
Jeff Mitchell
69794c7078
Fix otto import of uuid
2015-11-19 09:51:17 -05:00