Releases: 7ritn/VaulTLS

v1.0.1

22 Mar 10:32

Important

I had to pull release 1.0.0 since it contained a severe bug in the settings parsing. If you have started VaulTLS in v1.0.0, your settings will probably have been reset and need to be restored from a file backup or manually recreated. If you have backed up the VaulTLS volume, you can replace the settings.json file with a pre-update version.

v1.0.1

Certificate Revocation Lists

Hi and welcome to v1.0.1. This release finally brings support for Certificate Revocation Lists (CRLs) to revoke TLS certificates. They are created on a per-CA basis. You can access the CRL files under /app/data/crl, via the web interface, or directly through the open API endpoint /api/certificates/ca/{id}/crl. The Overview tab now contains a dedicated section for revoked certificates. To delete a certificate now, you first need to revoke it. However, pay attention: if a certificate is deleted, it will not be included in the CRL anymore. To use the CRL, consult your reverse proxy documentation. For example, for client certificate validation with Caddy you will need a custom build with a client certificate validator plugin.

Other Changes

The web UI now features a dark theme. Furthermore, a few functionality and security related bugs were fixed to shape up VaulTLS for its 1.0.1 release. In addition, dependencies were updated, which also included security fixes. So I advise everyone to update as soon as possible.

Thanks for your support, it means a lot to me. 1.0.0 feels like such a big thing, even though it is just a different number. I will now probably keep the flow of new features rather slow and focus more on maintaining a stable application.

v1.0.0-rc1

13 Mar 21:10

v1.0.0-rc1 Pre-release

v1.0.0-rc1 - Support for CRLs

The first major version jump finally includes Certificate Revocation Lists (CRLs). Each CA has its own file, which can be queried via the API/Frontend, but it is also stored as a file under ./crl. Certificates can now be revoked, which moves them to a separate table on the Overview page. I will add some more details with the proper release of v1.0.0. This pre-release can contain some bugs. Please, please have a working backup before switching to this pre-release. If you encounter any, please open an issue. Thanks!

Furthermore this release contains a night mode for the web interface (bottom of the sidebar). Furthermore I added some security improvements and general code refactoring and updated dependencies. I hope you all enjoy. Thanks for using VaulTLS :)

The container image for this pre-release should be available under vaultls:v1.0.0-rc1 or vaultls:rc.

v0.11.1

28 Feb 15:10
c673ae5

v0.11.1

This is a super small maintenance release to bump dependencies. It also includes a CVE fix for Axios (JS API library).

What's Changed

  • Bump rustls from 0.23.35 to 0.23.36 in /backend by @dependabot[bot] in #126
  • Bump jsonwebtoken from 10.2.0 to 10.3.0 in /backend in the cargo group across 1 directory by @dependabot[bot] in #127
  • Bump rand_core from 0.9.3 to 0.9.5 in /backend by @dependabot[bot] in #122
  • Bump axios from 1.13.2 to 1.13.5 in /frontend in the npm_and_yarn group across 1 directory by @dependabot[bot] in #128
  • Bump vite from 7.2.4 to 7.3.1 in /frontend by @dependabot[bot] in #125
  • Bump @vitejs/plugin-vue-jsx from 5.1.2 to 5.1.3 in /frontend by @dependabot[bot] in #123
  • Bump @playwright/test from 1.56.1 to 1.58.1 in /frontend by @dependabot[bot] in #121
  • Bump @tsconfig/node22 from 22.0.3 to 22.0.5 in /frontend by @dependabot[bot] in #119
  • Bump rollup from 4.43.0 to 4.59.0 in /frontend in the npm_and_yarn group across 1 directory by @dependabot[bot] in #130
  • Bump the cargo group across 1 directory with 2 updates by @dependabot[bot] in #129

Full Changelog: v0.11.0...v0.11.1

v0.11.0

31 Jan 23:07

v0.11.0

Welcome to the next release on the road to v1.0.0. I added some requested features and quality of life changes to this version. Furthermore a good mix of bug fixes and dependency updates.

New Features

  • Add granularity to validity: Before the validity of certificates and CAs could only be chosen in years. Now there is a huge span of units all the way from hours to years. Thanks for the request @Mr-win7. 1c2fb50
  • Add OU field to X509 certificates: As requested by @samphonic, I added the OU name field to the TLS certificate creation that can be used, for example, to specify group memberships of a user. bf7bc51

QoL

  • Add retry for OIDC discovery: Sometimes VaulTLS starts before the OIDC service becomes available. Now when a user tries to use OIDC based login, VaulTLS will retry discovery if it is configured but has not been successful so far. 625577b
  • Improve frontend error message: The API already reports better error messages, but they have not been included in the displayed error message so far. Append the API error to the displayed message so you better know what's going on without looking into the console. ccc8879

Bugs

  • Fix saving settings on frontend: When settings are saved, it puts data to two endpoints: settings and users. The users endpoint has been configured wrong leading to an error message when trying to save the settings. Adjust frontend users API interface to match backend. e85eea0
  • Remove auto-renewal for CAs: When a user created a certificate without specifying a CA and the certificate would be valid for longer than the CA, VaulTLS would auto-renew the CA in the hopes that then the CA would live long enough. While this was intended behavior, in hindsight this approach is not transparent enough. Creating CAs without the user's active knowledge is probably not desirable, so I removed this "feature". c62045f

Dependency updates

  • Lots of dependencies were updated

I appreciate all your support! Thank you so much :)

Full Changelog: v0.10.0...v0.11.0

v0.10.0

15 Nov 19:01

v0.10.0

While I wish this were the 1.0.0 release, I just felt VaulTLS was at a point where I would like to call it that. Life has been very busy, so finding time has become way harder.

SSH Certificates

Anyway, this release's focus is on SSH certificates. While not envisioned by me initially, demand seemed to be there.

  • Add SSH CAs:
    • OpenSSH uses a significantly simpler PKI. The CA is a key pair used to sign SSH certificates.
    • The downloadable CA file is thus just a public key that can be integrated with your SSH clients.
    • The CA also does not cryptographically expire.
    • To use SSH certs, please generate an SSH CA in the Certificate Authorities tab.
  • Add SSH Certificates:
    • The certs consist of a public certificate and a private key.
    • Since OpenSSH does not have a PKCS#12-like cert-key bundle option, downloading a user cert from VaulTLS gives a ZIP file including both files.
    • During creation, principals can be specified that limit the applicability of a specific cert (such as to a specific user or host).
    • While technically possible, as of right now, SSH certificates cannot be automatically renewed.

Dependencies

This release also includes a bunch of dependency updates. Even if you will not be using SSH certs please update to this release.

v0.9.3

16 Sep 08:04

v0.9.3

Welcome to perhaps the last release before 1.0.0. This will probably take some time, since it will include two larger features with Certificate Revocation Lists and SSH certificate management. But anyway, back to this minor release.

Multiple Certificate Authorities

This release adds support for multiple CAs. If you don't care about that, not much changes.

  • Add API endpoints to get a list of all CAs, create, download, and delete specific CAs
  • If no CA is specified during certificate creation, the newest will be used
  • A new CA will be created if a new certificate would outlive the CA
  • All CAs are now stored in ./ca/

Fix Logout

Before this release, the session token given out was not properly invalidated, meaning it always remained valid for the entire 1-hour lifetime. This release introduces a whitelist, with only current JWT tokens allowed to be used for authentication.
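
The difference between the two behaviours described above, as an added example that is not VaulTLS's own code: a token checked only by signature and expiry keeps working after logout, while an allowlist of current token IDs ends the session at once. The HS256 signing, the `jti` claim, the in-memory set and all function names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, secrets, time

KEY = secrets.token_bytes(32)   # constructed HS256 key; the alg is fixed, never read from the header
LIFETIME = 3600                 # the 1-hour token lifetime mentioned above
active_jtis = set()             # server-side allowlist of current token IDs

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return _b64(hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest())

def issue(user, now=None):
    """Login: mint an HS256 JWT and record its jti on the allowlist."""
    now = time.time() if now is None else now
    claims = {"sub": user, "exp": int(now) + LIFETIME, "jti": secrets.token_hex(16)}
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    active_jtis.add(claims["jti"])
    return f"{header}.{body}.{_sign(header + '.' + body)}"

def _claims(token, now=None):
    """Return the claims if signature and expiry are valid, else None."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(f"{header}.{body}")):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    return claims if claims.get("exp", 0) > now else None

def verify_stateless(token, now=None):
    """Signature and exp only: logout cannot affect the outcome."""
    return _claims(token, now) is not None

def verify_allowlisted(token, now=None):
    """Signature, exp, and the jti must still be on the allowlist."""
    claims = _claims(token, now)
    return claims is not None and claims.get("jti") in active_jtis

def logout(token):
    """Drop the token's jti so the token stops authenticating immediately."""
    claims = _claims(token)
    if claims:
        active_jtis.discard(claims["jti"])
```

With an in-memory set, a restart logs every session out; a deployment that needs sessions to survive restarts has to persist the allowlist.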

v0.9.2

20 Aug 12:59

v0.9.2

This release fixes a bug in the database connection pool for encrypted databases. The bug led encrypted database setups to become unresponsive after 30 minutes.

v0.9.1

18 Aug 08:43

v0.9.1 - Security critical update

This release fixes a password-based login security flaw. It is advised to update as soon as possible. For further details, see GHSA-pjfr-pj3h-cw8m.

v0.9.0

14 Aug 07:10

v0.9.0

This release brings the certificate renewal feature. Furthermore, a lot of the backend was reworked, making it more thread safe and reducing complexity.

Certificate Renewal

When creating a certificate, a renewal method can be specified. Options are:

  • Remind: A week before expiry, the user owning the certificate will be notified
  • Renew: A week before expiry, a new certificate will be issued, copying most attributes from the old one.
  • Renew and Notify: Like renew, just that the user is also notified about the renewed certificate.

As of right now, old certificates can not be updated to have a renewal method. I consider adding this for the next release.

Backend reworks

Both the settings as well as database structures were reworked to internalize thread safety. Furthermore, certificate generation has been split into a builder-like pattern, reducing code duplication.

Dependencies

  • Bump form-data from 4.0.3 to 4.0.4 in /frontend in the npm_and_yarn group by @dependabot[bot] in #62
  • Bump @vitejs/plugin-vue from 6.0.0 to 6.0.1 in /frontend by @dependabot[bot] in #68
  • Bump vite from 7.0.0 to 7.0.6 in /frontend by @dependabot[bot] in #69
  • Bump vue-tsc from 2.2.10 to 3.0.4 in /frontend by @dependabot[bot] in #67
  • Bump vite-plugin-vue-devtools from 7.7.7 to 8.0.0 in /frontend by @dependabot[bot] in #65
  • Bump typescript from 5.8.3 to 5.9.2 in /frontend by @dependabot[bot] in #66

v0.8.1

23 Jul 18:01

v0.8.1

This minor release fixes a security-critical bug in the axios API library used by VaulTLS in the Vue frontend (axios/axios#6970). It is advised to update as soon as possible.