Mariano Cano

Results 297 comments of Mariano Cano

The problem seems to be that the order is always stored with a notBefore and notAfter, even if the client didn't request any, and it has a hardcoded backdate of...

One thing to take into account is that a layer 7 proxy even with haproxy won't support the current renew/rekey endpoints. According to the spec, there's some information about the...

So it's actually using the transport layer (4) with some metadata in a "header", it is not a layer 7 proxy.

I'm also a +1 on supporting the proxy protocol v2. And yes, it is true that you cannot selectively expose certain endpoints, at least directly, it will be possible to authenticate...

@dopey It's here, as the error is wrapped you will need to look at the base error https://github.com/smallstep/certificates/blob/8d229b9a60a8e58c93e2479a7c9547ebeaf7d16f/authority/tls.go#L116-L121

It's possible to test this by installing a profile with the root certificate, it can be done by visiting the roots.pem endpoint (https://ca.local/roots.pem) and then installing the ACMECertificate profile (acme.mobileconfig)...

@hslatman I think it is a good idea to start merging this; it will make it easy to improve on it. For example, to add tests on the new methods...

@mmalone Currently a combination of ACME and the X5C provisioners can be used to sign an SSH certificate:

```sh
step ca certificate internal.smallstep.com internal.crt internal.key
step ssh certificate --host --x5c-cert...
```

@gzm55 One option is to verify the X509 SANs with the principals. The main problem is that we're not doing it right now. So we have a couple of options,...

Good point, as you say we currently only support filtering by resource groups, but not subscription ids, but the logic should be pretty similar. We'll bring this to our next...