Automated certificate management using a CFSSL CA.
BSD-2-CLAUSE License
key_usages: ["client auth"]
to specify the certificate should be valid for client auth.
certmgr version not showing the actual version info
Published by jmunson over 4 years ago
This is a minor release that fixes the output of certmgr version
so that the version number is defined when building in Travis.
Published by terinjokes over 4 years ago
take_actions_only_if_running: true
configuration option added, which instructs certmgr to not try to restart a downed service when a new cert is created.
Published by terinjokes almost 5 years ago
Published by ferringb over 5 years ago
Changes since 2.0.0 are thus:
Fix regression for specs that have an IP as part of the hosts; certmgr
2.0.0 would invalidly regenerate the spec every interval. The code now
properly validates that IP + DNS is the same.
PKI content on disk now has permissions verified; if the permissions no longer
match what the spec requires (due to OOB changes, or the spec being changed while the
daemon was down), certmgr will trigger a regeneration of that spec.
If the permissions don't align with what the spec states, we have no way of
knowing if the service consuming the PKI was able to access the content; thus
our only option is to trigger a regeneration.
Certmgr no longer tolerates specs that have non-unique pathways for the CA, Cert,
or Key files. It is broken client-side configuration if 2 specs specify a shared
path (or if a spec internally specifies the same path for cert and CA).
For loads, this is treated as broken configuration, and the startup fails. For
reloads detected via spec mtime changing, if the new spec conflicts with any paths
known to certmgr, that spec is rejected and the old one continues to be used.
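The two checks described in these notes (unique output paths across specs, and on-disk permission verification), sketched in Go as an added example. This is not certmgr's code: the `Spec` type, `PathConflicts` and `NeedsRegen` are hypothetical names, and treating an unreadable file as drift is an assumption.

```go
// Added example, not certmgr source; all names here are hypothetical.
package main

import (
	"fmt"
	"os"
)

// Spec is a simplified stand-in for a certmgr spec.
type Spec struct {
	Name, CA, Cert, Key string
	Mode                os.FileMode // permission bits the spec asks for
}

// PathConflicts returns each path in s already claimed by another field of
// s or by a different spec in known (same Name means a reload of itself).
func PathConflicts(known []Spec, s Spec) []string {
	owner := map[string]bool{}
	for _, k := range known {
		if k.Name == s.Name {
			continue
		}
		for _, p := range []string{k.CA, k.Cert, k.Key} {
			owner[p] = true
		}
	}
	var bad []string
	for _, p := range []string{s.CA, s.Cert, s.Key} {
		if owner[p] {
			bad = append(bad, p)
		}
		owner[p] = true
	}
	return bad
}

// NeedsRegen reports permission drift from want. Assumption: a file that
// cannot be stat'ed is also treated as needing regeneration.
func NeedsRegen(path string, want os.FileMode) bool {
	fi, err := os.Stat(path)
	return err != nil || fi.Mode().Perm() != want.Perm()
}

func main() {
	// Constructed sample specs that share one CA path.
	web := Spec{"web", "/etc/pki/ca.pem", "/etc/pki/web.pem", "/etc/pki/web.key", 0o600}
	db := Spec{"db", "/etc/pki/ca.pem", "/etc/pki/db.pem", "/etc/pki/db.key", 0o600}
	fmt.Println("rejected paths:", PathConflicts([]Spec{web}, db))
	fmt.Println("regen needed:", NeedsRegen(web.Key, web.Mode))
}
```

On startup a non-empty result from `PathConflicts` would abort the load; on a reload it would mean keeping the previously accepted spec.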
Published by ferringb over 5 years ago
certmgr 2.0.0
This release breaks API compatibility with certmgr-1.x and has much more strict
validation logic for what certmgr tolerates.
Specifically:
svcmgr or action or service - this is fine, it just means nothing is
There has been significant enhancement to the handling of on-disk PKI since 1.6.4.
Major improvements are thus:
Finally, other major improvements that aren't PKI related:
Published by terinjokes over 5 years ago
Published by ferringb over 5 years ago
This is a bugfix release that users are advised to upgrade to if running 1.6.1, 1.6.2, or 1.6.2.
See https://github.com/cloudflare/certmgr/commit/8f8c98ae593957474d9a235354aa0a080a11e448 for particulars; when the remote CA changes, certmgr doesn't internally maintain state correctly and will invoke the spec's 'action' on every wake.
Published by cbroglie almost 6 years ago
Published by terinjokes over 6 years ago
Published by terinjokes almost 7 years ago
Published by terinjokes about 7 years ago