Releases: 7ritn/VaulTLS
v1.2.0
ACME (@jordanruthe)
VaulTLS now can act as an Automatic Certificate Management Environment (ACME) CA, enabling the automatic issuance and revocation of TLS certificates using tools such as acme.sh. Features include:
- External Account Binding (EAB): Securely tie ACME registrations to your VaulTLS accounts.
- Domain Restrictions: Define "Allowed Domains" for each ACME account, supporting exact matches (example.com), single-level subdomains (*.example.com), and multi-level depth (**.example.com).
- Challenge Support: Supports both HTTP-01 and DNS-01 challenges, including support for wildcard certificates.
- Security & Control: Built-in rate limiting (default 20 orders/24h) and optional email notifications for every issued certificate.
- Flexible DNS Validation: Custom DNS resolver support (UDP, DoT, and DoH) for DNS-01 challenge verification.
How to get started:
- Enable ACME by setting the environment variable VAULTLS_ACME_ENABLED=true (or via the Admin UI).
- Create an ACME account in the new ACME tab to receive your EAB credentials.
- Point your ACME client to https://<your-vaultls-instance>/api/acme/directory.
For detailed configuration examples for Traefik, acme.sh, and more, check out the ACME Documentation.
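The following is an added example, not VaulTLS code, that shows what an account-level policy check for the ACME feature above looks like in practice: the three "Allowed Domains" rule forms (exact, `*.` single-level, `**.` multi-level) applied label-wise to the identifiers of an order, plus a sliding-window order counter with the documented default of 20 orders per 24 hours. The edge-case semantics are assumptions made for this example, not documented VaulTLS behaviour: a wildcard rule does not cover its own apex, and a wildcard identifier (`*.x`) is accepted only if the rule covers every single-level subdomain of `x`.

```python
"""Added example (not VaulTLS code): ACME allowed-domain rules + order rate limit.

Assumptions (not documented behaviour): '*.x' and '**.x' rules exclude the apex x;
a wildcard identifier '*.x' is allowed only if the rule covers all of x's
single-level subdomains.
"""
from collections import deque
from typing import Deque, List, Optional, Tuple
import time


def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def rule_allows(rule: str, identifier: str) -> bool:
    """True if one allowed-domain rule covers one requested identifier.

    Matching is done label-wise, so '*.example.com' never matches
    'evil-example.com' the way a naive string-suffix test would."""
    rule = rule.lower().rstrip(".")
    identifier = identifier.lower().rstrip(".")
    wildcard = identifier.startswith("*.")
    name = identifier[2:] if wildcard else identifier
    if not name or "*" in name:
        return False                      # only one leading '*.' label is a legal ACME wildcard
    if rule.startswith("**."):
        base, depth = _labels(rule[3:]), None    # any depth >= 1
    elif rule.startswith("*."):
        base, depth = _labels(rule[2:]), 1       # exactly one extra label
    else:
        return not wildcard and name == rule     # exact match only
    wanted = _labels(name)
    if wildcard:
        # The order names every single-level subdomain of `name`; the rule must cover them all.
        if depth is None:
            return len(wanted) >= len(base) and wanted[-len(base):] == base
        return wanted == base
    if len(wanted) <= len(base) or wanted[-len(base):] != base:
        return False
    return depth is None or len(wanted) - len(base) == depth


class OrderRateLimit:
    """Sliding window: at most max_orders within window_seconds (default 20 per 24 h)."""

    def __init__(self, max_orders: int = 20, window_seconds: int = 24 * 3600):
        self.max_orders = max_orders
        self.window_seconds = window_seconds
        self._issued: Deque[float] = deque()

    def try_order(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        while self._issued and now - self._issued[0] >= self.window_seconds:
            self._issued.popleft()        # drop entries that left the window
        if len(self._issued) >= self.max_orders:
            return False                  # budget exhausted; the refusal is not counted
        self._issued.append(now)
        return True


def check_order(allowed_domains: List[str], identifiers: List[str],
                limiter: OrderRateLimit, now: Optional[float] = None) -> Tuple[bool, str]:
    """Policy decision for a new order: every identifier must be covered by at
    least one rule, and the account must still have order budget left."""
    for ident in identifiers:
        if not any(rule_allows(rule, ident) for rule in allowed_domains):
            return False, f"identifier not allowed by account policy: {ident}"
    if not limiter.try_order(now):
        return False, "rate limit exceeded for this account"
    return True, "ok"


if __name__ == "__main__":
    rules = ["example.com", "*.example.com", "**.lab.example.net"]
    lim = OrderRateLimit()
    print(check_order(rules, ["www.example.com", "example.com"], lim))
    print(check_order(rules, ["a.b.lab.example.net", "*.b.lab.example.net"], lim))
    print(check_order(rules, ["evil-example.com"], lim))
```

The label-wise comparison is the part worth copying: a policy that tests `name.endswith("example.com")` quietly authorises `evil-example.com`, and a policy that accepts any identifier containing `*` lets a client request `**.example.com` as a certificate name.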
Web UI Translations (@jordanruthe)
VaulTLS is now available in Spanish! You can configure both the current and the default language used by VaulTLS. If you think you can contribute, I would appreciate your PRs; every language is welcome! While French is already selectable in the web UI, there are no translations for it available yet.
Minor Changes
- It is now possible again to delete SSH certificates. Thanks for bringing this up @madkoin.
- The password field in the web UI now has a copy button and adjusted style. Thanks for your contribution @raspberrydev.
Dependency Updates
A lot of dependencies were again updated, so it is advisable to update to the latest version as soon as possible.
v1.1.1
Small hotfix release that adjusts the Authority Key Identifier (AKI) of the Certificate Revocation List (CRL) to match the Subject Key Identifier (SKI) of the Certificate Authority (CA). There was a mismatch between OpenSSL and rcgen in the hash algorithm used to derive the identifier. In the long run OpenSSL should probably be replaced fully with rcgen. The CRL test was also expanded to connect to a TLS server with a revoked certificate (which must fail). Dependencies were also updated.
v1.1.0
Welcome to the next release of VaulTLS. It includes a few nice quality of life improvements and important dependency updates.
Add support for CRLs in PEM format
Some reverse proxies such as Nginx require the Certificate Revocation List (CRL) to be in PEM format (default is DER binary format). Add an option to the API and front end to specify which format you want to download your CRL as.
Via the API, PEM CRLs can be fetched as follows: /api/certificates/ca/<id>/crl?format=pem/
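The following is an added example, not VaulTLS code, that covers the two CRL-handling points from this release and the v1.1.1 hotfix above. First, the two common ways a key identifier is derived from a CA's public key: RFC 5280 section 4.2.1.2 method (1), SHA-1 over the subjectPublicKey bits, and RFC 7093 method (1), the leftmost 160 bits of SHA-256 over the same bits. A CRL's AKI only links to the CA's SKI if both sides used the same derivation, which is the class of mismatch the hotfix describes (the exact methods OpenSSL and rcgen used are not stated on the page, so this example does not claim which is which). Second, a DER-to-PEM conversion for a downloaded CRL, for proxies such as Nginx that only read PEM. The public key is a constructed 32-byte value inside an Ed25519 SubjectPublicKeyInfo wrapper, not a real key, and the placeholder DER blob is not a real CRL.

```python
"""Added example (not VaulTLS code): SKI/AKI derivation methods and CRL DER<->PEM.

FAKE_SPKI wraps a constructed 32-byte value in the fixed Ed25519
SubjectPublicKeyInfo prefix; it is not a real key.
"""
import base64
import hashlib
import textwrap
from typing import Tuple


def _read_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    """Minimal DER TLV reader: (tag, value, offset after the element)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                        # long form: next N bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def subject_public_key(spki_der: bytes) -> bytes:
    """Raw BIT STRING value of subjectPublicKey from a SubjectPublicKeyInfo."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    tag, _algorithm, off = _read_tlv(spki, 0)
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, bits, _ = _read_tlv(spki, off)
    assert tag == 0x03 and bits[0] == 0, "expected a BIT STRING with no unused bits"
    return bits[1:]                           # drop the unused-bits octet


def key_id_rfc5280(spki_der: bytes) -> bytes:
    """RFC 5280 s4.2.1.2 method (1): SHA-1 over the subjectPublicKey bits."""
    return hashlib.sha1(subject_public_key(spki_der)).digest()


def key_id_rfc7093(spki_der: bytes) -> bytes:
    """RFC 7093 method (1): leftmost 160 bits of SHA-256 over the same bits."""
    return hashlib.sha256(subject_public_key(spki_der)).digest()[:20]


def crl_chains_to_ca(crl_aki_key_id: bytes, ca_ski: bytes) -> bool:
    """A verifier links a CRL to its issuer by comparing these octet strings.
    The derivation method is irrelevant as long as both sides used the same one."""
    return crl_aki_key_id == ca_ski


def der_to_pem(der: bytes, label: str = "X509 CRL") -> str:
    body = base64.b64encode(der).decode("ascii")
    return (f"-----BEGIN {label}-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + f"\n-----END {label}-----\n")


def pem_to_der(pem: str) -> bytes:
    lines = [ln.strip() for ln in pem.splitlines()
             if ln.strip() and not ln.strip().startswith("-----")]
    return base64.b64decode("".join(lines))


def as_pem_crl(blob: bytes) -> str:
    """Accept either download format and return PEM (e.g. for Nginx's ssl_crl)."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        return blob.decode("ascii")
    return der_to_pem(blob)


# Constructed Ed25519 SubjectPublicKeyInfo: fixed 12-byte prefix + 32 key bytes.
FAKE_KEY = bytes(range(32))
FAKE_SPKI = bytes.fromhex("302a300506032b6570032100") + FAKE_KEY

if __name__ == "__main__":
    ski = key_id_rfc5280(FAKE_SPKI)
    print("SKI (RFC 5280):", ski.hex())
    print("same method matches:", crl_chains_to_ca(ski, key_id_rfc5280(FAKE_SPKI)))
    print("mixed methods match:", crl_chains_to_ca(ski, key_id_rfc7093(FAKE_SPKI)))
    print(as_pem_crl(b"\x30\x03\x02\x01\x01"))   # constructed placeholder DER, not a real CRL
```

When a proxy silently ignores a CRL, checking that the CRL's AKI keyIdentifier equals the CA certificate's SKI is the first thing to verify; a mismatch like the one fixed in v1.1.1 makes revocation checks fail open or fail closed depending on the verifier, and neither is what you configured.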
Add env variables to reset password
So far it was not (easily) possible to change the password of a user who had forgotten it. Starting with this release you can specify VAULTLS_ACCOUNT_EMAIL and VAULTLS_ACCOUNT_PASSWORD to change someone's password (the password can also be provided as a secret file if desired). VaulTLS handles this during start-up and then exits. It is not possible to run VaulTLS normally with these env variables set.
Improve TLS CA and certificate properties
When using mTLS with Authentik, it requires certain extensions to be set in the CAs and certificates used (RFC 5280). Namely, the basic constraints CA extension must be set as critical for CAs. Furthermore, the Subject Key Identifier (SKI) and Authority Key Identifier (AKI) extensions must be set. Since VaulTLS uses a very basic key hierarchy with no CAs besides the root CA, this is not super important, but necessary to comply. Thank you @XPvf16Cjgg3brCH1qFzT for your PR (#152) to improve this!
Add env variable to use non secure cookies
I am a strong advocate that VaulTLS should be set up behind a reverse proxy that handles HTTPS. In release 1.0.0 I therefore added the Secure attribute to all authentication cookies, which tells browsers not to send the authentication cookie back over a non-secure connection (i.e. it requires HTTPS). However, for users that run VaulTLS without a reverse proxy, this made it impossible to log in, since the browser queries authenticated API endpoints without including the session cookie. While not advised, I added an env variable VAULTLS_INSECURE which must be set to true to disable the Secure attribute.
Update dependencies
This release also contains a few dependency updates for packages with known vulnerabilities, such as Vite, picomatch and yaml.
v1.0.1
Important
I had to pull release 1.0.0 since it contained a severe bug in the settings parsing. If you have started VaulTLS in v1.0.0, your settings will probably have been reset and need to be restored from a file backup or manually recreated. If you have backed up the VaulTLS volume, you can replace the settings.json file with a pre-update version.
Certificate Revocation Lists
Hi and welcome to v1.0.1. This release finally brings support for Certificate Revocation Lists (CRLs) to revoke TLS certificates. They are created on a per-CA basis. You can access the CRL files either under /app/data/crl, via the web interface, or directly through the open API endpoint /api/certificates/ca/{id}/crl. The Overview tab now contains a dedicated section for revoked certificates. To delete a certificate, you now first need to revoke it. Pay attention, however: once a certificate is deleted it is no longer included in the CRL. To use the CRL, consult your reverse proxy documentation. For example, for client certificate validation with Caddy you will need a custom build with a client certificate validator plugin.
Other Changes
The web UI now features a dark theme. Furthermore, a few functionality and security related bugs were fixed to shape up VaulTLS for its 1.0.1 release. In addition, dependencies were updated, which also included security fixes. So I advise everyone to update as soon as possible.
Thanks for your support, it means a lot to me. 1.0.0 feels like such a big thing, even though it is just a different number. I will now probably keep the flow of new features rather slow and focus more on maintaining a stable application.
v1.0.0-rc1
v1.0.0-rc1 - Support for CRLs
The first major version jump finally includes Certificate Revocation Lists (CRLs). Each CA has its own file, which can be queried via the API/Frontend, but it is also stored as a file under ./crl. Certificates now can be revoked, which moves them to a separate table on the Overview page. I will add some more details with the proper release of v1.0.0. This pre-release can contain some bugs. Please please have a working backup before switching to this pre-release. If you encounter any please open an issue. Thanks!
Furthermore, this release contains a night mode for the web interface (bottom of the sidebar). I also added some security improvements and general code refactoring and updated dependencies. I hope you all enjoy. Thanks for using VaulTLS :)
The container image for this pre-release should be available under vaultls:v1.0.0-rc1 or vaultls:rc
v0.11.1
This is a super small maintenance release to bump dependencies. It also includes a CVE fix for Axios (JS API library).
What's Changed
- Bump rustls from 0.23.35 to 0.23.36 in /backend by @dependabot[bot] in #126
- Bump jsonwebtoken from 10.2.0 to 10.3.0 in /backend in the cargo group across 1 directory by @dependabot[bot] in #127
- Bump rand_core from 0.9.3 to 0.9.5 in /backend by @dependabot[bot] in #122
- Bump axios from 1.13.2 to 1.13.5 in /frontend in the npm_and_yarn group across 1 directory by @dependabot[bot] in #128
- Bump vite from 7.2.4 to 7.3.1 in /frontend by @dependabot[bot] in #125
- Bump @vitejs/plugin-vue-jsx from 5.1.2 to 5.1.3 in /frontend by @dependabot[bot] in #123
- Bump @playwright/test from 1.56.1 to 1.58.1 in /frontend by @dependabot[bot] in #121
- Bump @tsconfig/node22 from 22.0.3 to 22.0.5 in /frontend by @dependabot[bot] in #119
- Bump rollup from 4.43.0 to 4.59.0 in /frontend in the npm_and_yarn group across 1 directory by @dependabot[bot] in #130
- Bump the cargo group across 1 directory with 2 updates by @dependabot[bot] in #129
Full Changelog: v0.11.0...v0.11.1
v0.11.0
Welcome to the next release on the road to v1.0.0. I added some requested features and quality of life changes to this version. Furthermore a good mix of bug fixes and dependency updates.
New Features
- Add granularity to validity: Before the validity of certificates and CAs could only be chosen in years. Now there is a huge span of units all the way from hours to years. Thanks for the request @Mr-win7. 1c2fb50
- Add OU field to X509 certificates: As requested by @samphonic, I added the OU name field to the TLS certificate creation, which can be used for example to specify group memberships of a user. bf7bc51
QoL
- Add retry for OIDC discovery: Sometimes VaulTLS starts before the OIDC service becomes available. Now when a user tries to use OIDC based login, VaulTLS will retry discovery if it is configured but has not been successful so far. 625577b
- Improve frontend error message: The API already reports better error messages, but they have not been included in the displayed error message so far. Append the API error to the displayed message so you better know what's going on without looking into the console. ccc8879
Bugs
- Fix saving settings on frontend: When settings are saved, it puts data to two endpoints: settings and users. The users endpoint has been configured wrong leading to an error message when trying to save the settings. Adjust frontend users API interface to match backend. e85eea0
- Remove auto-renewal for CAs: When a user created a certificate without specifying a CA and the certificate would be valid for longer than the CA, VaulTLS would auto-renew the CA in the hope that the new CA would live long enough. While this was intended behavior, in hindsight this approach is not transparent enough. Creating CAs without the user's active knowledge is probably not desirable, so I removed this "feature". c62045f
Dependency updates
- Lots of dependencies were updated
I appreciate all your support! Thank you so much :)
Full Changelog: v0.10.0...v0.11.0
v0.10.0
While I wish this were the 1.0.0 release, I just felt VaulTLS was at a point where I would like to call it that. Life has been very busy, so finding time has become way harder.
SSH Certificates
Anyway, this release's focus is on SSH certificates. While not envisioned by me initially, demand seemed to be there.
- Add SSH CAs:
  - OpenSSH uses a significantly simpler PKI. The CA is a key pair used to sign SSH certificates.
  - The downloadable CA file is thus just a public key that can be integrated with your SSH clients.
  - The CA also does not cryptographically expire.
  - To use SSH certs, please generate an SSH CA in the Certificate Authorities tab.
- Add SSH Certificates:
  - The certs consist of a public certificate and a private key.
  - Since OpenSSH does not have a PKCS#12-like cert-key bundle option, downloading a user cert from VaulTLS gives a ZIP file including both files.
  - During creation, principals can be specified that limit the applicability of a specific cert (such as to a specific user or host).
  - While technically possible, as of right now SSH certificates cannot be automatically renewed.
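The following is an added example, not VaulTLS code, that makes the two SSH-certificate properties above concrete: it parses the public certificate file OpenSSH writes (the PROTOCOL.certkeys layout for ssh-ed25519-cert-v01@openssh.com) to read the principals and validity window, and then applies the check an SSH server makes with them. The certificate is constructed inside the example with dummy key, nonce and signature bytes and is not signed by any real CA; the key ID and principal names are made up.

```python
"""Added example (not VaulTLS code): parse an OpenSSH certificate and check it.

The certificate built by build_cert_line() is constructed here with dummy
key, nonce and signature bytes; nothing in it is signed by a real CA.
"""
import base64
import struct
from dataclasses import dataclass
from typing import List

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
USER_CERT, HOST_CERT = 1, 2


def _string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def string(self) -> bytes:
        (n,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4
        out = self.data[self.off:self.off + n]
        self.off += n
        return out

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4
        return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.off)
        self.off += 8
        return v

    def done(self) -> bool:
        return self.off == len(self.data)


@dataclass
class SshCert:
    key_id: str
    cert_type: int
    principals: List[str]
    valid_after: int
    valid_before: int
    serial: int


def parse_cert_line(line: str) -> SshCert:
    """Parse one line of an id_ed25519-cert.pub style file."""
    kind, b64 = line.split()[:2]
    if kind != CERT_TYPE:
        raise ValueError(f"unsupported certificate type {kind}")
    r = _Reader(base64.b64decode(b64))
    if r.string().decode() != CERT_TYPE:
        raise ValueError("type field inside the blob does not match")
    r.string()                              # nonce
    r.string()                              # holder's public key (raw 32 bytes for ed25519)
    serial = r.u64()
    cert_type = r.u32()
    key_id = r.string().decode()
    pr = _Reader(r.string())                # principals: a string holding packed strings
    principals = []
    while not pr.done():
        principals.append(pr.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    r.string(); r.string(); r.string()      # critical options, extensions, reserved
    r.string(); r.string()                  # signature key, signature
    if not r.done():
        raise ValueError("trailing bytes after signature")
    return SshCert(key_id, cert_type, principals, valid_after, valid_before, serial)


def authorize(cert: SshCert, wanted_principal: str, now: int) -> bool:
    """Server-side view: must be a user cert, inside its validity window, and
    list the login name. OpenSSH treats an empty principal list as valid for any
    principal, which is why setting principals explicitly matters."""
    if cert.cert_type != USER_CERT:
        return False
    if not (cert.valid_after <= now < cert.valid_before):
        return False                        # no auto-renewal: an expired cert simply stops working
    return not cert.principals or wanted_principal in cert.principals


def build_cert_line(key_id: str, principals: List[str], valid_after: int,
                    valid_before: int, cert_type: int = USER_CERT) -> str:
    """Constructed certificate for this example; key, nonce and signature are dummies."""
    blob = (_string(CERT_TYPE.encode()) + _string(b"\x00" * 32) + _string(b"\x11" * 32)
            + struct.pack(">Q", 42) + struct.pack(">I", cert_type)
            + _string(key_id.encode())
            + _string(b"".join(_string(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _string(b"") + _string(b"") + _string(b"")
            + _string(b"\x22" * 51) + _string(b"\x33" * 83))
    return f"{CERT_TYPE} {base64.b64encode(blob).decode()} example@vaultls"


if __name__ == "__main__":
    line = build_cert_line("alice@laptop", ["alice", "deploy"], 1_700_000_000, 1_700_086_400)
    cert = parse_cert_line(line)
    print(cert)
    print("alice now:", authorize(cert, "alice", 1_700_000_100))
    print("bob now:", authorize(cert, "bob", 1_700_000_100))
```

The same fields are what `ssh-keygen -L -f id_ed25519-cert.pub` prints; reading them programmatically is useful for inventorying certs whose `valid_before` is approaching, since the notes above say renewal is not automatic.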
Dependencies
This release also includes a bunch of dependency updates. Even if you will not be using SSH certs please update to this release.
v0.9.3
Welcome to perhaps the last release before 1.0.0. This will probably take some time, since it will include two larger features with Certificate Revocation Lists and SSH certificate management. But anyway, back to this minor release.
Multiple Certificate Authorities
This release adds support for multiple CAs. If you don't care about that, not much changes.
- Add API endpoints to get a list of all CAs, create, download, and delete specific CAs
- If no CA is specified during certificate creation, the newest will be used
- A new CA will be created if a new certificate would outlive the CA
- All CAs are now stored in ./ca/
Fix Logout
Before this release, the session token given out was not properly invalidated, meaning it always remained valid for the entire 1-hour lifetime. This release introduces a whitelist, with only current JWT tokens allowed to be used for authentication.
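The following is an added example, not VaulTLS code, that puts together two session behaviours described on this page: the whitelist of current tokens introduced here, so that a logged-out JWT is refused before its 1-hour expiry, and the Secure attribute on the authentication cookie from v1.1.0, which is dropped only when VAULTLS_INSECURE=true. The HS256 signing uses the standard library; the secret, the cookie name `auth_token`, and the `browser_sends_cookie` model of browser behaviour are assumptions made for this example.

```python
"""Added example (not VaulTLS code): JWT whitelist for real logout + Secure cookie.

Assumptions: SECRET is a constructed value, the cookie name 'auth_token' is
made up, and browser_sends_cookie() models only the Secure attribute.
"""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Dict, Optional, Set

SECRET = b"constructed-example-secret-not-for-production"
TOKEN_LIFETIME = 3600                        # the 1-hour lifetime from the notes


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: bytes) -> str:
    return _b64url(hmac.new(SECRET, signing_input, hashlib.sha256).digest())


class SessionStore:
    """Tracks the jti of every live token; a token not listed is rejected even
    if its signature and expiry are fine. That is what makes logout effective."""

    def __init__(self):
        self.active: Set[str] = set()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        now = int(time.time() if now is None else now)
        jti = secrets.token_hex(16)
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = _b64url(json.dumps({"sub": user, "iat": now,
                                     "exp": now + TOKEN_LIFETIME, "jti": jti}).encode())
        signing_input = f"{header}.{claims}".encode()
        self.active.add(jti)
        return f"{header}.{claims}.{_sign(signing_input)}"

    def verify(self, token: str, now: Optional[float] = None) -> Optional[Dict]:
        """Claims if signature, expiry and whitelist all pass, else None.
        The header's alg field is deliberately ignored: the signature is always
        recomputed as HS256, so an attacker-chosen 'none' has no effect."""
        now = time.time() if now is None else now
        try:
            header, claims_b64, sig = token.split(".")
        except ValueError:
            return None
        if not hmac.compare_digest(sig, _sign(f"{header}.{claims_b64}".encode())):
            return None                      # tampered or foreign token
        claims = json.loads(_b64url_decode(claims_b64))
        if claims.get("exp", 0) <= now:
            return None                      # expired
        if claims.get("jti") not in self.active:
            return None                      # logged out, or never issued by this store
        return claims

    def logout(self, token: str, now: Optional[float] = None) -> None:
        claims = self.verify(token, now)
        if claims:
            self.active.discard(claims["jti"])


def session_cookie(token: str, insecure: Optional[bool] = None) -> str:
    """Set-Cookie value for the token. Secure is set unless VAULTLS_INSECURE=true."""
    if insecure is None:
        insecure = os.environ.get("VAULTLS_INSECURE", "").lower() == "true"
    attrs = ["auth_token=" + token, "HttpOnly", "SameSite=Strict", "Path=/"]
    if not insecure:
        attrs.append("Secure")
    return "; ".join(attrs)


def browser_sends_cookie(set_cookie: str, request_scheme: str) -> bool:
    """Model of the browser rule: a Secure cookie is only sent back over https,
    which is why plain-http deployments saw unauthenticated API calls."""
    is_secure = "Secure" in set_cookie.split("; ")
    return request_scheme == "https" or not is_secure


if __name__ == "__main__":
    store = SessionStore()
    tok = store.issue("alice")
    print("valid:", store.verify(tok) is not None)
    store.logout(tok)
    print("valid after logout:", store.verify(tok) is not None)
    print(session_cookie(tok))
```

A whitelist of issued IDs means every request costs one lookup, but it is the only way to make logout real for a self-contained JWT; the alternative, a denylist, must be kept until the last blocked token expires.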