(not released)
==============

* Add AuthorityKeyIdentifier extension in CRLs.
* Accept user certificates signed by non-current CA.
* Name CA certificates after their AuthorityKeyIdentifier keyid extension instead of their serial.
* Produce one CRL per CA certificate, as some ssl-using services fail when there is no CRL signed by the same CA as the certificate being validated.

0.9.8 (2020-06-29)
==================

* Add support for python3.
* Add support for one-CA-cert-per-file layout. For services which do not support loading multiple CA certificates from a single file.
* Fix caucase.sh authenticated usage (was broken by 0.9.4 "Make caucased https CA certificate safer").
* Avoid busy-loop in caucase-updater when it thinks a renewal is due but caucased does not offer a newer version.
* Fix test timeouts on slower machines. Anything faster than a Raspberry Pi 1 should now pass.

0.9.7 (2020-06-04)
==================

* Fix CRL renewal:

  * teach caucased to renew CRLs ahead of their expirations.
  * make caucase-updater check CRL expiration date.

* Grant extra permissions in license.

0.9.6 (2019-05-27)
==================

* Do not use a 128-bit OID arc for caucase internal use, as it is not widely supported.
* Assorted CLI usability improvements.

0.9.5 (2019-01-24)
==================

* Add --version support.
* Logging is reworked to reduce verbosity (especially in tests).
* Fix caucased sometimes crashing when renewing its https certificate.
* Make caucased logs more apache-like.
* Make caucased responses more standard-compliant ("Allow" header in 405 response and "Date" header in all responses).
* Fix unintended dependency on system timezone.

0.9.4 (2018-11-14)
==================

* Improved documentation.
* Tentative web-friendliness (not used in real life yet, so practicality is still uncertain):

  * Make caucased https CA certificate safer for adding in a trust store (ex: browser) by constraining the certificates it can sign.
  * cookie-based CORS access control with crude UI.
  * API is self-documenting using application/hal+json format.

* Tentative python3 friendliness, there may still be file IO encoding issues.

0.9.3 (2018-09-21)
==================

* Add support for listening to multiple specific addresses in caucased.
* shell implementation does not rely on an external file anymore.
* Do not start listening on https port before wrapping sockets with an ssl context.
* Make caucase-updater usable by anonymous services (ex: they only need to connect to a caucase-certified service, without authenticating themselves using caucase).
* Use stricter file permissions for caucased sqlite database.
* Include caucase version in user agent header.
* Make caucased logging format more similar to apache's default.
* Fix caucased https certificate renewal. Fixes a crash which happens every 2 months.
* Make caucase-updater retry on network errors. Fixes crashes on transient network error.

0.9.2 (2017-11-03)
==================

* Add support for migrating an existing CA to caucase: import CA cert and CRLs.
* Require CRL signature checks (bumps cryptography module version requirements).
* Provide CRL distribution point extension in CA certificates.
* Play nicer with http:

  * Catch more errors to provide nice status codes
  * Add support for "Transfer-Encoding: chunked"
  * Add support for "Expect: 100-continue"

* Produce TLS-compliant certificates (domain name must be in an alternative name extension, subject is not enough).
* Reduce speed requirements in tests.
* Add shell implementation of "caucase" command.
* Certificate renewal bypasses pending CSR limits.
* caucase-manage: new command for offline database maintenance.

0.9.1 (2017-09-21)
==================

* Documentation improvements
* Packaging improvements

0.9.0 (2017-08-02)
==================

* implement the "cau" half of "caucase"
* massive rework: removal of flask dependency, removal of HTML UI, rework of the REST API, rework of the CLI tools, rework of the WSGI application, incompatible redesign of the database.

0.1.4 (2017-07-21)
==================

* caucase web parameter 'auto-sign-csr-amount' can be used to set how many CSRs must be signed automatically.

0.1.3 (2017-06-30)
==================

* add support for backing up the caucase database to cli
* serial is a random unique formatted hexadecimal number obtained from the csr_id
* allow to set custom subject (X509Name) when signing a certificate
* add new cliweb command which when required will download/update crl file from caucase web

0.1.2 (2017-05-12)
==================

* cliweb: renew now takes a threshold option to check if renewal is required, and an optional on-renew script to run after certificate renewal

0.1.1 (2017-04-27)
==================

* initial implementation of certificate authority