Releases: Venafi/vcert

v5.6.0 Beta for service account authentication in VCP platform

28 Mar 20:17
c50e2fc

This is a beta release and the feature is subject to change.

Added a new authentication method for VCP: service account.

The getcred command gets two new attributes, --tenant-id and --externalJWT, to request an access token from a TLSPC service account.
All other commands now accept an access token in combination with --platform tlspc, using the token as the authentication mechanism instead of an API key.


v5.5.0 Adding WorkToDoTimeout support with Timeout request wrapper for TPP Connector during certificate request process (SDK)

28 Feb 22:36
58d09e8

Added support for providing WorkToDoTimeout by using the Timeout request wrapper during the Request Certificate process. See the TPP documentation for information about this feature.

Important

This improvement is available only in the SDK layer.


v5.4.0 Adding Contacts support to TPP Connector for the Request Certificate process (SDK)

02 Feb 21:29
ff937a0

Added support for providing Contacts for the Request Certificate process. See the TPP documentation related to this feature.

Important

This improvement is available only in the SDK layer.


v5.3.0 Upgrading PKCS#12 password-based encryption algorithms

20 Dec 18:33
d5b37ae

PLEASE READ BEFORE UPGRADING TO THIS VERSION (OR HIGHER)

Starting with this version, we upgraded the encryption algorithms used for PKCS#12 keystore export in the VCert CLI [GH#412], because OpenSSL 3.0 deprecated MD2 and DES, which are considered old and weak algorithms, and moved them to the legacy provider:

The implementation of the EVP digests MD2, MD4, MDC2, WHIRLPOOL and RIPEMD-160 have been moved to the legacy provider.

ref:

Our exported PKCS#12 keystores now use modern encryption algorithms by default.

The usage of those weak algorithms is strongly discouraged. We have added a legacy flag for retro-compatibility:

  • legacy-pkcs12 (analogous to OpenSSL 3.x -legacy flag)

⚠️ This is a breaking change (upgrade issue) that was done in the interest of improved security
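
An added example (not VCert code) for auditing existing keystores after this change: a heuristic Go scan that reports which password-based encryption scheme OIDs appear in a PKCS#12 file, without needing its password. It goes beyond the release note by naming the scheme OIDs from RFC 7292 and RFC 8018, and it assumes legacy exports use the RFC 7292 schemes, as OpenSSL's -legacy mode does; the sample bytes are constructed fragments, not real keystores.

```go
package main

import (
	"bytes"
	"fmt"
)

// DER prefix of the pkcs-12PbeIds arc 1.2.840.113549.1.12.1 (RFC 7292);
// the byte that follows selects the legacy scheme.
var pbeArc = []byte{0x06, 0x0a, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01}

// DER encoding of id-PBES2, 1.2.840.113549.1.5.13 (RFC 8018).
var pbes2 = []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x05, 0x0d}

var legacyNames = map[byte]string{
	1: "pbeWithSHAAnd128BitRC4", 2: "pbeWithSHAAnd40BitRC4",
	3: "pbeWithSHAAnd3-KeyTripleDES-CBC", 4: "pbeWithSHAAnd2-KeyTripleDES-CBC",
	5: "pbeWithSHAAnd128BitRC2-CBC", 6: "pbeWithSHAAnd40BitRC2-CBC",
}

// AuditPKCS12 scans raw keystore bytes for PBE algorithm OIDs. It is a
// heuristic byte scan, not a full ASN.1 parse, and ignores the MAC algorithm.
func AuditPKCS12(p12 []byte) (legacy []string, hasPBES2 bool) {
	seen := map[byte]bool{}
	for rest := p12; ; {
		i := bytes.Index(rest, pbeArc)
		if i < 0 || i+len(pbeArc) >= len(rest) {
			break // no further match, or arc truncated at end of input
		}
		id := rest[i+len(pbeArc)]
		if name, ok := legacyNames[id]; ok && !seen[id] {
			seen[id] = true
			legacy = append(legacy, name)
		}
		rest = rest[i+len(pbeArc):]
	}
	return legacy, bytes.Contains(p12, pbes2)
}

// Constructed sample fragments: OID encodings separated by filler bytes.
var filler = []byte{0x30, 0x0e, 0x04, 0x08}

func sampleLegacy() []byte {
	return bytes.Join([][]byte{filler, pbeArc, {6}, filler, pbeArc, {3}, filler}, nil)
}
func sampleModern() []byte { return bytes.Join([][]byte{filler, pbes2, filler}, nil) }

func main() {
	fmt.Println(AuditPKCS12(sampleLegacy()))
	fmt.Println(AuditPKCS12(sampleModern()))
}
```

A file that reports any legacy scheme and no PBES2 is a candidate for re-export with the new defaults.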


v5.2.1

14 Nov 00:05
fcd04c1

Fixes:

  • Fixed a bug that prevented enrolling certificates with ECDSA keys in VCert Playbook feature [GHI#407] [GH#411]

v5.2.0: Signed (Authenticode) embedded scripts and more

18 Oct 00:08
d785595

Features:

  • Signed (Authenticode) embedded scripts in Playbook functionality to fix an issue where Windows prevents running scripts that are not signed and trusted [GH# N/A: internally generated and added]
  • Enhanced the gencsr command to allow requesting certificates with no subject and only a single URI SAN [GH#403]
  • Add ability to specify a policy folder on associated device locations (Playbook functionality) [GH#405]

Fixes:

  • Fixed a bug that caused the Device Flow Grant for Firefly to not work properly [GH#396]

v5.1.1: CAPI installation fixes

06 Sep 23:58
5b249c2

General Fixes

  • Added support for the Windows ARM chipset. A new binary that supports Windows ARM is available starting with this version.

VCert CLI

  • Added default value to --key-curve flag when platform is firefly and keyType is ECDSA. Default is P256.

VCert Playbook Fixes

  • Fixed regression issue in v5.1.0 whereby p12Task field was ignored and therefore the task referenced would not be used for authentication to TLSPDC platform.
  • Fixed an issue in CAPI installation whereby the root and intermediate certificate would be installed in the "My" store all the time. (This will cause unintended results on Windows)
  • Fixed an issue in CAPI installation whereby logs that printed the install location were empty. Now they print the location of the certificate in the CAPI store
  • Added capiFriendlyName field to certificateTask.installation object, this field will be used to set a friendly name for the certificate in the CAPI store. When no capiFriendlyName is set, the certificate.subject.commonName will be used instead (NOT RECOMMENDED).
  • Added capiLocation field to certificateTask.installation object. This field will sunset location in a future release. If no capiLocation is set, location will be used instead.
  • Deprecated location field from certificateTask.installation object
  • Added warning when using deprecated certificateTask.installation.location field
  • Added warning when certificateTask.installation.capiFriendlyName is not set
  • Updated Playbook examples to use certificateTasks.request.subject.state instead of certificateTasks.request.subject.province (deprecated)
  • Updated Playbook documentation to reflect new fields and present field usage more clearly

v5.1.0

30 Aug 22:25
58e528f

NEW FEATURE: Support for Firefly Issuer

  • Added new feature that allows users to request certificates from the new Venafi Firefly platform.
  • Added support for OIDC authorization. It is now possible to request auth tokens from any server that supports OIDC
  • Added support for Venafi Firefly Issuer on Playbook
  • Added support for the following Firefly environment variables:
    VCERT_PLATFORM - The platform VCert will run the command against: TLSPDC, TLSPC, OIDC, FIREFLY
    VCERT_USER - The user to be authorized to an OIDC platform
    VCERT_PASSWORD - The password of the user to be authorized to an OIDC platform
    VCERT_CLIENT_SECRET - The client secret to be authorized to an OIDC platform
    VCERT_CLIENT_ID - The client id to be authorized to an OIDC platform
    VCERT_DEVICE_URL - The url to request a device code to authorize a device to an OIDC platform
  • Added support for Firefly attributes in vcert config file:
    firefly_url
    firefly_zone
    oauth_token_url
    oauth_access_token
    oauth_client_id
    oauth_client_secret
    oauth_user
    oauth_password
    oauth_device_url
    oauth_audience
    oauth_scope

General Fixes

  • Fixed issue whereby vcert version is unknown when using vcert --help

VCert Playbook Fixes

  • Fixed issue whereby, when csr is set to local, vcert attempted to retrieve the key from the Venafi platform and failed. The private key is already on the client's side, so there is no need to request it from the platform
  • Removed the keyPassword field from the certificateTask.request object and moved it into the certificateTask.installation object. This means now each installation can declare its own password.
    ⚠️ This is a BREAKING CHANGE that was done in the interest of polishing the use case before mass adoption occurs
  • Added keyPassword to certificateTask.installation object to define the password for the private key when format is PEM
  • Added p12Password to certificateTask.installation object to define the password for the PKCS12 bundle when format is PKCS12

Known Issues

  • There is an issue whereby, when using the getcred command to create a new TLSPC account and retrieve a TLSPC API key while the environment variable VCERT_TOKEN is set, an error is thrown with the following message:
vCert: 2023/08/30 16:51:57 only one of either --username, --p12-file, -t or --email can be specified

The workaround is to unset the VCERT_TOKEN environment variable.

Hash Values


v5.1.0-rc2

29 Aug 02:36
e0a2bfd
Pre-release

v5.1.0-rc1: Support for Firefly Issuer

22 Aug 18:53
8ca51c5
Pre-release

NEW FEATURE: Support for Firefly Issuer

  • Added new feature that allows users to request certificates from the new Venafi Firefly platform.
  • Added support for OIDC authorization. It is now possible to request auth tokens from any server that supports OIDC
  • Added support for Venafi Firefly Issuer on Playbook

General Fixes

  • Fixed issue whereby vcert version is unknown when using vcert --help

VCert Playbook Fixes

  • Fixed issue whereby, when csr is set to local, vcert attempted to retrieve the key from the Venafi platform and failed. The private key is already on the client's side, so there is no need to request it from the platform