Releases: Venafi/vcert
v5.6.0 Beta for service account authentication in VCP platform
This is a beta release and the feature is subject to change.
Added a new authentication method for VCP: service account.
The getcred command gets two new attributes, --tenant-id and --externalJWT, to request an access token from a TLSPC service account.
All other commands now accept an access token in combination with --platform tlspc to use the token as the authentication mechanism instead of an API key.
v5.5.0 Adding WorkToDoTimeout support with Timeout request wrapper for TPP Connector during certificate request process (SDK)
Added support for providing WorkToDoTimeout by using the Timeout request wrapper during the Request Certificate process. See the TPP documentation for information about this feature.
Important
This improvement is available only in the SDK layer.
v5.4.0 Adding Contacts support to TPP Connector for the Request Certificate process (SDK)
Added support for providing Contacts for the Request Certificate process. See the TPP documentation related to this feature.
Important
This improvement is available only in the SDK layer.
v5.3.0 Upgrading PKCS#12 password-based encryption algorithms
PLEASE READ BEFORE UPGRADING TO THIS VERSION (OR HIGHER)
Starting with this version, we upgraded the encryption algorithms used when exporting PKCS#12 keystores from the VCert CLI [GH#412], because OpenSSL 3.0 deprecated MD2 and DES, which are considered old and weak algorithms, and moved them to the legacy provider:
The implementation of the EVP digests MD2, MD4, MDC2, WHIRLPOOL and RIPEMD-160 have been moved to the legacy provider.
ref:
- https://www.openssl.org/docs/man3.0/man7/migration_guide.html
- https://github.com/openssl/openssl/blob/master/CHANGES.md
Our exported PKCS#12 keystores now use modern encryption algorithms by default.
The usage of those weak algorithms is strongly discouraged. We have added a legacy flag for retro-compatibility: legacy-pkcs12 (analogous to the OpenSSL 3.x -legacy flag)
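To check which scheme an existing keystore uses before or after upgrading, the Go program below (an added example, not VCert's own code) walks a PKCS#12 file's DER and reports the password-based encryption OIDs it finds. It assumes "legacy" means the RFC 7292 pkcs-12PbeIds schemes and "modern" means PBES2, which the release note does not spell out; Audit, sample and the sample bytes are constructed for illustration.

```go
package main

import (
	"encoding/asn1"
	"fmt"
)

var (
	pbeArc       = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 12, 1}    // pkcs-12PbeIds, RFC 7292
	oidLegacyRC2 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 12, 1, 6} // pbeWithSHAAnd40BitRC2-CBC
	oidPBES2     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 13}    // PBES2, RFC 8018
)

// Audit walks DER depth-first, descending into constructed values and OCTET
// STRINGs (PKCS#12 nests SafeContents in them); unparseable branches are skipped.
func Audit(der []byte) (legacy []string, pbes2 bool) {
	for len(der) > 0 {
		var v asn1.RawValue
		rest, err := asn1.Unmarshal(der, &v)
		if err != nil {
			break
		}
		der = rest
		if v.Class == asn1.ClassUniversal && v.Tag == asn1.TagOID {
			var oid asn1.ObjectIdentifier
			_, _ = asn1.Unmarshal(v.FullBytes, &oid) // on error oid stays empty and matches nothing
			if len(oid) == 8 && oid[:7].Equal(pbeArc) {
				legacy = append(legacy, oid.String())
			}
			pbes2 = pbes2 || oid.Equal(oidPBES2)
		} else if v.IsCompound || (v.Class == asn1.ClassUniversal && v.Tag == asn1.TagOctetString) {
			l, p := Audit(v.Bytes)
			legacy, pbes2 = append(legacy, l...), pbes2 || p
		}
	}
	return legacy, pbes2
}

// sample builds a constructed fragment: SEQUENCE { OCTET STRING { SEQUENCE { OID } } }.
func sample(oid asn1.ObjectIdentifier) []byte {
	alg, _ := asn1.Marshal(struct{ Algorithm asn1.ObjectIdentifier }{oid})
	out, _ := asn1.Marshal(struct{ Content []byte }{alg})
	return out
}

func main() {
	fmt.Println(Audit(sample(oidLegacyRC2)))
	fmt.Println(Audit(sample(oidPBES2)))
}
```

For a real keystore, pass the file's bytes to Audit; a BER-encoded file must be converted to DER first because encoding/asn1 parses DER only.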
v5.2.1
Fixes:
- Fixed a bug that prevented enrolling certificates with ECDSA keys in VCert Playbook feature [GHI#407] [GH#411]
v5.2.0: Signed (Authenticode) embedded scripts and more
Features:
- Signed (Authenticode) embedded scripts in Playbook functionality to fix issue when Windows prevents running scripts that are not signed and trusted [GH# N/A: internally generated and added]
- Enhanced gencsr command in order to enable requesting certificates with no subject and only a single URI SAN [GH#403]
- Add ability to specify a policy folder on associated device locations (Playbook functionality) [GH#405]
Fixes:
- Fixed a bug that caused the Device Flow Grant for Firefly to not work properly [GH#396]
v5.1.1: CAPI installation fixes
General Fixes
- Added support for Windows ARM chipset. A new binary is available starting this version that supports Windows ARM.
VCert CLI
- Added default value to --key-curve flag when platform is firefly and keyType is ECDSA. Default is P256.
VCert Playbook Fixes
- Fixed regression issue in v5.1.0 whereby p12Task field was ignored and therefore the task referenced would not be used for authentication to TLSPDC platform.
- Fixed an issue in CAPI installation whereby the root and intermediate certificate would be installed in the "My" store all the time. (This will cause unintended results on Windows)
- Fixed an issue in CAPI installation whereby logs that printed the install location were empty. Now they print the location of the certificate in the CAPI store
- Added capiFriendlyName field to certificateTask.installation object. This field will be used to set a friendly name for the certificate in the CAPI store. When no capiFriendlyName is set, the certificate.subject.commonName will be used instead (NOT RECOMMENDED).
- Added capiLocation field to certificateTask.installation object. This field will sunset location in a future release. If no capiLocation is set, location will be used instead.
- Deprecated location field from certificateTask.installation object
- Added warning when using deprecated certificateTask.installation.location field
- Added warning when certificateTask.installation.capiFriendlyName is not set
- Updated Playbook examples to use certificateTasks.request.subject.state instead of (deprecated) certificateTasks.request.subject.province
- Updated Playbook documentation to reflect new fields and present field usage more clearly
v5.1.0
NEW FEATURE: Support for Firefly Issuer
- Added new feature that allows users to request certificates from the new Venafi Firefly platform.
- Added support for OIDC authorization. It is now possible to request auth tokens from any server that supports OIDC
- Added support for Venafi Firefly Issuer on Playbook
- Added support for the following Firefly environment variables:
  - VCERT_PLATFORM: The platform VCert will run the command against: TLSPDC, TLSPC, OIDC, FIREFLY
  - VCERT_USER: The user to be authorized to an OIDC platform
  - VCERT_PASSWORD: The password of the user to be authorized to an OIDC platform
  - VCERT_CLIENT_SECRET: The client secret to be authorized to an OIDC platform
  - VCERT_CLIENT_ID: The client id to be authorized to an OIDC platform
  - VCERT_DEVICE_URL: The url to request a device code to authorize a device to an OIDC platform
- Added support for Firefly attributes in vcert config file:
  - firefly_url
  - firefly_zone
  - oauth_token_url
  - oauth_access_token
  - oauth_client_id
  - oauth_client_secret
  - oauth_user
  - oauth_password
  - oauth_device_url
  - oauth_audience
  - oauth_scope
General Fixes
- Fixed issue whereby vcert version is unknown when using vcert --help
VCert Playbook Fixes
- Fixed issue whereby when csr is set to local, vcert attempted to retrieve the key from the Venafi platform and failed. The private key is already on the client's side, so there is no need to request it from the platform
- Removed the keyPassword field from the certificateTask.request object and moved it into the certificateTask.installation object. This means now each installation can declare its own password.
  ⚠️ This is a BREAKING CHANGE that was done in the interest of polishing the use case before mass adoption occurs
- Added keyPassword to certificateTask.installation object to define the password for the private key when format is PEM
- Added p12Password to certificateTask.installation object to define the password for the PKCS12 bundle when format is PKCS12
Known Issues
- There is an issue whereby using the getcred command to create a new TLSPC account and retrieve a TLSPC API key while the environment variable VCERT_TOKEN is set throws an error with the following message:
vCert: 2023/08/30 16:51:57 only one of either --username, --p12-file, -t or --email can be specified
The workaround is to unset the VCERT_TOKEN environment variable
Hash Values
v5.1.0-rc2
v5.1.0-rc1: Support for Firefly Issuer
NEW FEATURE: Support for Firefly Issuer
- Added new feature that allows users to request certificates from the new Venafi Firefly platform.
- Added support for OIDC authorization. It is now possible to request auth tokens from any server that supports OIDC
- Added support for Venafi Firefly Issuer on Playbook
General Fixes
- Fixed issue whereby vcert version is unknown when using vcert --help
VCert Playbook Fixes
- Fixed issue whereby when csr is set to local, vcert attempted to retrieve the key from the Venafi platform and failed. The private key is already on the client's side, so there is no need to request it from the platform