Adds per-certificate rotation policies and requires a database migration. The default rotation policy for all certificates is 30 days. Every certificate will gain a policy regardless of whether auto-rotation is used.
Note
This version is not yet released and is under active development
This release is most notable for dropping support for python2.7. All Lemur versions >0.4 will now support python3.5 only.
Big thanks to neilschelly for quite a lot of improvements to the lemur-cryptography plugin.
Other Highlights:
- Closed #501 - Endpoint resources are now kept in sync via an expiration mechanism, so that non-existent endpoints gracefully fall out of Lemur. Certificates are never removed from Lemur.
- Closed #551 - Added the ability to create a 4096 bit key during certificate creation. Closed #528 to ensure that issuer plugins support the new 4096 bit keys.
- Closed #566 - Fixed an issue changing the notification status for certificates without private keys.
- Closed #594 - Added a replaced field indicating if a certificate has been superseded.
- Closed #602 - AWS plugin added support for ALBs for endpoint tracking.
Special thanks to all who helped with this release, notably:
- RcRonco
- harmw
- jeremyguarini
See the full list of issues closed in 0.5.
Note
This release will need a slight migration change. Please follow the documentation to upgrade Lemur.
There have been quite a few issues closed in this release. Some notables:
- Closed #284 - Created new models for Endpoints and the associated AWS ELB endpoint tracking code. This was the major stated goal of this milestone and should serve as the basis for future enhancements of Lemur's certificate 'deployment' capabilities.
- Closed #334 - Lemur now has the ability to restrict certificate expiration dates to weekdays.
Several fixes/tweaks to Lemur's python3 support (thanks chadhendrie!)
This will most likely be the last release to support python2.7 moving Lemur to target python3 exclusively. Please comment on issue #340 if this negatively affects your usage of Lemur.
See the full list of issues closed in 0.4.
Note
This release will need a slight migration change. Please follow the documentation to upgrade Lemur.
This is quite a large upgrade; it is highly advised that you back up your database before attempting to upgrade, as this release requires the migration of database structure as well as data.
Please follow the documentation to upgrade Lemur.
The dictionary returned from a source plugin has changed keys from public_certificate to body and intermediate_certificate to chain.
This release may break your plugins: the keys in issuer_options have been changed from camelCase to under_score. This change was made to break an undue reliance on downstream options and to maintain a more pythonic naming convention. Renaming these keys should be fairly trivial; additionally, pull requests have been submitted to affected plugins to help ease the transition.
Note
This change only affects issuer plugins and does not affect any other types of plugins.
- Closed #63 - Validates all endpoints with Marshmallow schemas, this allows for stricter input validation and better error messages when validation fails.
- Closed #146 - Moved authority type to first pane of authority creation wizard.
- Closed #147 - Added and refactored the relationship between authorities and their root certificates. Displays the certificates (and chains) next to the authority in question.
- Closed #199 - Ensures that the dates submitted to Lemur during authority and certificate creation are actually dates.
- Closed #230 - Migrated authority dropdown to a ui-select based dropdown, this should make it easier to determine what authorities are available and when an authority has actually been selected.
- Closed #254 - Forces certificate names to be generally unique. If a certificate name (generated or otherwise) is found to be a duplicate we increment by appending a counter.
- Closed #254 - Switched to using Fernet generated passphrases for exported items. These are more sound than the pseudo-random passphrases generated before and have the nice property of being in base64.
- Closed #278 - Added ability to specify a custom name to certificate creation, previously this was only available in the certificate import wizard.
- Closed #281 - Fixed an issue where notifications could not be removed from a certificate via the UI.
- Closed #289 - Fixed an issue where intermediates were not being properly exported.
- Closed #315 - Made how roles are associated with certificates and authorities much more explicit, including adding the ability to add roles directly to certificates and authorities on creation.
- Closed #234 - Allows export plugins to define whether they need private key material (default is True)
- Closed #231 - Authorities were not respecting 'owning' roles and their users
- Closed #228 - Fixed documentation with correct filter values
- Closed #226 - Fixes an issue where import_certificate was requiring replacement certificates to be specified
- Closed #224 - Fixed an issue where NPM might not be globally available (thanks AlexClineBB!)
- Closed #221 - Fixes several reported issues where older migration scripts were missing tables, this change removes pre 0.2 migration scripts
- Closed #218 - Fixed an issue where export passphrases would not validate
- Fixed bug with search not refreshing values
- Cleaned up documentation, including working supervisor example (thanks rpicard!)
- Closed #165 - Fixed an issue with email templates
- Closed #188 - Added ability to submit third party CSR
- Closed #176 - Java-export should allow user to specify truststore/keystore
- Closed #176 - Extended support for exporting certificate in P12 format
- Closed #120 - Error messages not displaying long enough
- Closed #121 - Certificate create form should not be valid until a Certificate Authority object is available
- Closed #122 - Certificate API should allow for the specification of preceding certificates
- You can now target a certificate(s) for replacement. When specified the replaced certificate will be marked as 'inactive'. This means that there will be no notifications for that certificate.
- Closed #139 - SubCA autogenerated descriptions for their certs are incorrect
- Closed #140 - Permalink does not change with filtering
- Closed #144 - Should be able to search certificates by domains covered, included wildcards
- Closed #165 - Cleaned up expiration notification template
- Closed #160 - Cleaned up quickstart documentation (thanks forkd!)
- Closed #144 - Now able to search by all domains in a given certificate, not just by common name
- SECURITY ISSUE: Switched from using a static AES key to Fernet encryption. Affects all versions prior to 0.1.5. If upgrading, this will require a data migration. See: Upgrading Lemur