Releases: cloudtools/ssh-cert-authority
Goodbye self-signing certs
Calling this 2.0 because we're breaking backwards compatibility. You can no longer sign your own requests.
Didn't make this configurable to try to keep this change simple. Thanks @Arvanaghi for the PR.
Fix parsing of private key fingerprints
Fixing the brokenness of 1.7.0
Google Cloud KMS Signing
Google's Cloud KMS supports asymmetric sign operations. ssh-cert-authority now supports using one of these keys as the signer/issuer for certificates. The README was updated with a how-to of sorts.
Build enhancements
This version includes changes to the Makefile and docker building environment.
We also moved to Go 1.9, and the Docker containers are now based on Ubuntu 16.04 instead of 15.10.
The May 2017 Release!
There are lots of small changes here and one of them may cause backwards compatibility problems. There's no real theme to this release, however.
Backwards Incompatible Change:
- The daemon no longer binds to 0.0.0.0:8080 by default. Instead it binds to 127.0.0.1 by default, which reinforces the expectation that you run this service behind a real web server. If you want the old behavior you need to call runserver with --listen-address 0.0.0.0:8080. Thanks @shatil for the commit.
Backwards Compatible Changes:
- Documentation prefers that cert requesters use PublicKeyPath rather than fingerprints. A lot of folks find fingerprints confusing.
- If you're using an environment that's configured for auto-signing and a cert is auto-signed the get cert function will automatically download and try to add it to the agent. This saves the requester a call to get cert with the request id. Convenience!
- The serial number on the cert is no longer a sequential integer starting at 0. Instead the serial number is random and actually matches the request id. The request id continues to be base32 encoded; however, if you end up base32 decoding it yourself, know that you'll need to pad it (I truncate the trailing == to make it look pretty).
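The padding point above trips people up, so here is an added example (not code from ssh-cert-authority) of restoring the stripped `=` characters and recovering the serial. Standard base32 output always comes in 8-character quanta, so the missing padding can be computed from the length alone. The one assumption, not stated in the release notes, is that the serial is the big-endian encoding of 8 random bytes, matching the uint64 serial field of an OpenSSH certificate.

```go
package main

import (
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
)

// RestoreBase32Padding re-appends the '=' characters stripped from a
// display-friendly request id. Standard base32 output is always a multiple of
// 8 characters, so the amount of padding follows from the length alone.
func RestoreBase32Padding(id string) string {
	if m := len(id) % 8; m != 0 {
		return id + strings.Repeat("=", 8-m)
	}
	return id
}

// DecodeRequestID restores the padding and decodes the request id to raw bytes.
func DecodeRequestID(id string) ([]byte, error) {
	return base32.StdEncoding.DecodeString(RestoreBase32Padding(id))
}

// SerialFromRequestID interprets the raw bytes as the certificate serial.
// Assumption (not stated in the release notes): the serial is the big-endian
// encoding of exactly 8 random bytes, i.e. the uint64 serial field of an
// OpenSSH certificate.
func SerialFromRequestID(id string) (uint64, error) {
	raw, err := DecodeRequestID(id)
	if err != nil {
		return 0, err
	}
	if len(raw) != 8 {
		return 0, fmt.Errorf("request id decodes to %d bytes, want 8", len(raw))
	}
	return binary.BigEndian.Uint64(raw), nil
}

// EncodeSerial is the inverse: a uint64 serial becomes an unpadded base32
// request id, the "pretty" form the release notes describe.
func EncodeSerial(serial uint64) string {
	var raw [8]byte
	binary.BigEndian.PutUint64(raw[:], serial)
	return strings.TrimRight(base32.StdEncoding.EncodeToString(raw[:]), "=")
}

func main() {
	// Constructed sample serial, not a request id issued by a real deployment.
	const serial uint64 = 0x0123456789abcdef
	id := EncodeSerial(serial)
	fmt.Printf("request id: %s (padded: %s)\n", id, RestoreBase32Padding(id))
	back, err := SerialFromRequestID(id)
	fmt.Printf("serial: %#x, err: %v\n", back, err)
}
```

For an 8-byte serial the unpadded id is 13 characters and needs three `=` to decode with the standard decoder; Go's `base32.StdEncoding.WithPadding(base32.NoPadding)` would accept the stripped form directly, but restoring the padding makes the id usable with any base32 tool.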
Server embedded CriticalOptions
With this release a new feature is introduced: the ability to configure the server to embed certain CriticalOptions on any certificate issued for a given environment. This means that the owner of the server can require, for example, that all certs issued specify that they are only valid from certain IP addresses (perhaps your local network subnet or subnets) or that only a specific command may be run on the remote server (perhaps locking a user down to a restricted shell).
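To make the two options concrete, here is an added example (not ssh-cert-authority's own code) that models a per-environment policy embedding `source-address` and `force-command`, and then evaluates those options the way sshd does at login: `source-address` is a comma-separated list of CIDRs the client must connect from, and `force-command` replaces whatever command the client asked for. The `EnvironmentPolicy` type and its field names are hypothetical; the page does not give the real configuration keys.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// CriticalOptions is the key/value map carried in an OpenSSH certificate.
// Only the two options the release notes mention are handled here.
type CriticalOptions map[string]string

// EnvironmentPolicy is a hypothetical per-environment setting (the real config
// keys are not given on this page): options the CA embeds in every
// certificate it issues for that environment.
type EnvironmentPolicy struct {
	SourceAddress string // comma-separated CIDR list, e.g. "10.0.0.0/8,192.168.1.0/24"
	ForceCommand  string // command sshd runs instead of whatever the client asked for
}

// Embed copies the requester's options and then overwrites them with the
// environment's mandatory ones. Server values must win, or the requester
// could undo the restriction by supplying a permissive value of their own.
func (p EnvironmentPolicy) Embed(requested CriticalOptions) CriticalOptions {
	out := CriticalOptions{}
	for k, v := range requested {
		out[k] = v
	}
	if p.SourceAddress != "" {
		out["source-address"] = p.SourceAddress
	}
	if p.ForceCommand != "" {
		out["force-command"] = p.ForceCommand
	}
	return out
}

// SourceAllowed applies the check sshd performs at login: the client address
// must fall inside one of the certificate's source-address CIDRs. A
// certificate without the option is accepted from anywhere.
func SourceAllowed(opts CriticalOptions, clientIP string) (bool, error) {
	list, ok := opts["source-address"]
	if !ok {
		return true, nil
	}
	ip := net.ParseIP(clientIP)
	if ip == nil {
		return false, fmt.Errorf("invalid client address %q", clientIP)
	}
	for _, cidr := range strings.Split(list, ",") {
		_, network, err := net.ParseCIDR(strings.TrimSpace(cidr))
		if err != nil {
			return false, fmt.Errorf("invalid source-address entry %q: %w", cidr, err)
		}
		if network.Contains(ip) {
			return true, nil
		}
	}
	return false, nil
}

// EffectiveCommand is what sshd executes: the forced command if present,
// otherwise the command the client requested.
func EffectiveCommand(opts CriticalOptions, clientRequested string) string {
	if cmd, ok := opts["force-command"]; ok {
		return cmd
	}
	return clientRequested
}

func main() {
	// Constructed policy and request; the CIDRs and command are sample values.
	policy := EnvironmentPolicy{SourceAddress: "10.0.0.0/8,192.168.1.0/24", ForceCommand: "/usr/bin/rssh"}
	opts := policy.Embed(CriticalOptions{"source-address": "0.0.0.0/0"})
	for _, ip := range []string{"10.1.2.3", "203.0.113.7"} {
		ok, err := SourceAllowed(opts, ip)
		fmt.Printf("login from %s allowed: %v (err: %v)\n", ip, ok, err)
	}
	fmt.Println("command run:", EffectiveCommand(opts, "bash -i"))
}
```

Note that the requester's permissive `0.0.0.0/0` is discarded by `Embed`; that override order is what makes a server-embedded option a restriction rather than a suggestion. sshd also rejects any certificate carrying a critical option it does not recognise, so only options the target servers understand should be embedded.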
Fix request id in slack posts when auto signing
A singular bug fix.
ed25519, golang 1.7
This release includes support for the ed25519 curve (it was added to golang in 1.6). And now that 1.7 is out we're building against golang 1.7.
If you were using auto signing in a previous release the log messages were broken: they were logging the CA key fingerprint, not the user fingerprint. This has been fixed.
This has been pushed to Docker Hub as cloudtools/ssh-cert-authority:v1.4.
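Since this release adds ed25519 support and fixes a log line that showed the wrong key's fingerprint, here is an added example (not code from ssh-cert-authority) of how an OpenSSH SHA256 fingerprint is derived for an ed25519 key: the public key is serialised into its wire-format blob (the string `ssh-ed25519` followed by the 32 raw key bytes, each length-prefixed), the blob is hashed with SHA-256, and the digest is base64-encoded without padding. The same function serves the CA key and the user key, so the value logged depends entirely on which blob is passed in. The seed-derived keys are constructed for repeatable output and are an assumption of the example, not keys from the project.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// sshString encodes a byte string as RFC 4251 does: a big-endian uint32
// length followed by the bytes themselves.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// MarshalEd25519PublicKey builds the wire-format blob that appears
// base64-encoded in an authorized_keys line: the string "ssh-ed25519"
// followed by the 32-byte key.
func MarshalEd25519PublicKey(pub ed25519.PublicKey) []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
}

// Fingerprint is the OpenSSH SHA256 fingerprint of a public key blob:
// "SHA256:" plus the unpadded base64 of the SHA-256 digest of the blob.
func Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// keyFromSeedByte derives an ed25519 key from a constructed, repeatable seed.
// This exists only so the example prints the same output every run; a real
// key must be generated from crypto/rand.
func keyFromSeedByte(fill byte) ed25519.PublicKey {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = fill
	}
	return ed25519.NewKeyFromSeed(seed).Public().(ed25519.PublicKey)
}

func main() {
	// Two constructed keys standing in for the CA key and a user key.
	caKey := keyFromSeedByte(0x01)
	userKey := keyFromSeedByte(0x02)
	fmt.Println("CA   fingerprint:", Fingerprint(MarshalEd25519PublicKey(caKey)))
	fmt.Println("user fingerprint:", Fingerprint(MarshalEd25519PublicKey(userKey)))
}
```

The output of `Fingerprint` matches what `ssh-keygen -lf` prints for the same key, which is the quickest way to confirm that a log line refers to the requester's key and not the CA's.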
Ability to generate encrypted CA keys
You don't have to jump through an ssh-keygen hoop anymore. Also on Docker Hub: https://hub.docker.com/r/cloudtools/ssh-cert-authority/
Automatically load encrypted private keys
With this release the signing daemon is able to load CA signing keys that had previously been encrypted using Amazon's KMS.