What's new in EJBCA 6.2.0
Jun 19, 2014
- Completely reworked command handling of local command line interface (CLI) (See note 2)
- It's now possible to import and export Certificate and End Entity Profiles from the GUI
- VA machines can be created using a CRL
- Certificate and End Entity Profiles can now be imported and exported from the Web GUI
- SCEP configuration has been implemented from the Web GUI
New in EJBCA 6.1.1 (Apr 8, 2014)
- OCSP improvements and new features related to RFC 6960, minimizing size of OCSP responses (see note below).
- Implemented OCSP signing algorithm including client requested algorithms.
- CVC certificate profiles (ePassport PKI) now supports EAC 2.10 access control templates.
- Improvements to Key Recovery enabling encryption key rollover and providing more information about encryption keys.
- Windows build/install is now working.
- ManagementCA created during a default install now uses SHA256WithRSA.
- EJBCA now compiles (deployment/running not supported however) on WildFly 8 and GlassFish 4, also using Java 8.
- EJBCA can now use certificate serial number longer than 64 bits.
- Minor improvements and fixes to make life easier for everyone.
New in EJBCA 4.0.16 (Jun 27, 2013)
- Bug:
- [ECA-2495] - Exception in view old log
- [ECA-3059] - Database rolled back for failed CRL publishings instead of put in queue
- Improvement:
- [ECA-3050] - Base64CertData table
New in EJBCA 4.0.14 (Feb 15, 2013)
- Bug:
- [ECA-2897] - Wrong example of external SSL port number in web.properties
- Improvement:
- [ECA-2882] - Do not store active certificates in queue for ValidationAuthorityPublisher that only publish revoked
- [ECA-2890] - GUI: Better link from Public Web to Administration Web, via reverse proxy
- [ECA-2899] - Do not display passwords in stdout during build
- New Feature:
- [ECA-2907] - Add cache for Publishers
New in EJBCA 4.0.12 (Aug 16, 2012)
- New Feature:
- [ECA-2705] - OCSP key renewal at absolute times
- [ECA-2706] - Allow Certificate Expiration Notification Service to specify Certificate Profiles
- [ECA-2709] - Publisher for sampling of issued certificates
- Improvement:
- [ECA-2069] - Better log message when querying for not existing CA and default responder CA does not exist
- [ECA-2714] - Hide the HARDTOKEN profiles in "Certificate Expiration Checker" configuration if "Issue Hardware Tokens" hasn't been enabled
- [ECA-2724] - When deleting a Certificate Profile, list which end entities/end entity profiles use it.
- Bug:
- [ECA-2077] - OCSP rekeying does not work on JBoss 6.1.0 and JBoss EAP5
- [ECA-2719] - Download of certificates from Admin GUI fails in Chrome when using "strange" usernames
- Task:
- [ECA-2625] - Language tool for developers and localizers
New in EJBCA 4.0.11 (Jun 20, 2012)
- New Feature:
- [ECA-2629] - Add Japanese language file
- [ECA-2696] - Custom revocation date in EJBCA
- Task:
- [ECA-2579] - Help message keys refactoring
- Bug:
- [ECA-2662] - Strip whitespace from username entered in public web
- [ECA-2664] - Cleartext links (http) in documentation
- [ECA-2699] - ejbca.sh CLI exportprofiles function can't handle special characters in filename
- Improvement:
- [ECA-1979] - GUI: End-Entity (profile, add, edit) forms usability
- [ECA-2577] - GUI: Configuration forms improvement
- [ECA-2583] - GUI: LDAP Publishers form layout improvement
- [ECA-2584] - GUI: Improvement of in-line help in all forms
- [ECA-2627] - Process CA: forms layout improvement, and message keys refactoring
- [ECA-2633] - GUI: Improve Services form
- [ECA-2634] - GUI: View Certificate popup improvement
- [ECA-2661] - Possible to use aliases for CRL Naming in RFC4387 CRL Store
- [ECA-2675] - JBOSS with APR makes EJBCA deploy fail
New in EJBCA 4.0.10 (Mar 14, 2012)
- New Feature:
- [ECA-2590] - Possibility to only publish revoked certificates to external VA DB
- [ECA-2603] - "unknown is good" changed for some URLs used in the OCSP request.
- Bug:
- [ECA-2564] - CMP: Correct the CrmfKeyUpdateTest
- [ECA-2594] - XSS issues
- Improvement:
- [ECA-2563] - CMP: clean up CMP tests
- [ECA-2575] - GUI: Administrator groups page headers improvement
- [ECA-2580] - GUI: Improve View CA table layout (rows: header, sections, footer)
- [ECA-2585] - GUI: Change Rename button in all Object lists
New in EJBCA 4.0.9 (Feb 13, 2012)
- [ECA-2574] - Minor XSS issue
New in EJBCA 4.0.6 (Nov 18, 2011)
- New Feature:
- [ECA-2368] - CMP, Implement message type KeyUpdateRequest
- Bug:
- [ECA-2369] - NestedMessageContentTest does not clean up the test certificates it creates
- [ECA-2380] - Minor XSS issue
- [ECA-2383] - Cannot import empty CRL via CLI
New in EJBCA 4.0.5 (Nov 3, 2011)
- New Feature:
- [ECA-2332] - Admin GUI ServletFilter for client certificate emulation
- Improvement:
- [ECA-2325] - Add custom cert serno and extension parsing the generatenewuser WS command
- Bug:
- [ECA-2297] - NestedMessageContent implements version RFC2510 instead of RFC4210
- [ECA-2302] - Publishing Queue Fails on slow publishers
- [ECA-2338] - CMP End entity certificate authentication module does not work in client mode
- [ECA-2346] - Certificate issuance verification does not detect when CA's public key (in HSM) does not match CA certificate
- [ECA-2354] - Should not be possible to run service initialization after start
New in EJBCA 4.0.4 (Oct 6, 2011)
- Improved CMP with many new authentication modules in both client and RA mode, and support for Nested content
- Support for custom certificate extensions with raw or RA defined values.
- Many small bug fixes.
New in EJBCA 4.0.3 (Jun 1, 2011)
- [ECA-2090] - Can not browser enroll with IE
New in EJBCA 4.0.0 (Mar 4, 2011)
- It is now possible to easily upgrade from EJBCA 3.6.x to 3.11.x
- Fixed a MySQL mapping that did not work when using the MyISAM storage engine and UTF-8 encoding.
- ETSI QC value limit can now have the value zero.
- Admin GUI improvements from David Carella of Linagora.
- Added a favicon to the EJBCA web interfaces.
- Fixed an issue causing cached end entity profiles (not default) to be changed for some actions in the admin GUI.
- Fixed an issue where session information spilled over to other edits when using the "Back to certificate profiles" link.
- Fixed an issue where using the required flag on Cardnumber in an end entity profile gave an error about a missing unstructured address.
- This also resolved an issue where the DN field Unstructured Address did not work.
New in EJBCA 3.11.0 (Nov 30, 2010)
- Possibility to configure CA not to use certificate and user store, meaning that CA can issue certificates without having to access database after service startup.
- External OCSP responder can now function as a validation authority serving OCSP, CRLs and CA certificates.
- Certificate store access via HTTP according to RFC4387 standard.
- Possibility in WebService Interface to specify extended information when editing users.
- Possibility to specify custom certificate serial number for end entities using CMP protocol. CMP RA secret can now also be specified per CA.
- Upgrade database schema to be consistent across databases.
- Add a few new columns to database tables, a preparation to be used in EJBCA 4.0.
- Improvements in the Glassfish support, now also usable with Oracle database.
- Several other new features and extended key usages, GUI improvements and performance enhancements – many of which are contributed by Linagora.
New in EJBCA 3.10.6 (Nov 26, 2010)
- ExtendedInformation, such as issuance revocation reason, can now be added when editing users with the WebService API.
New in EJBCA 3.10.5 (Sep 21, 2010)
- Fixed admin GUI error running on JBoss 5.
- Fixed some issues with audit and approvals when using admin certificates issued by an external CA.
- Harmonized admin GUI and improved looks. Contributed by David Carella of Linagora.
- Added and improved caches of profiles and CAs, improves performance. CLI for clearing caches.
- Fixed installation issue on Windows when JBoss installed in root directory.
- Fixed re-publishing of certificates when CertReqHistory is not used. CertReqHistory is enabled by default for new CAs.
- Updated German translation, contributed by Atos Origin.
- Support unrevocation using WS-API.
New in EJBCA 3.10.4 (Aug 12, 2010)
- Possibility to specify custom certificate serial number for end entities.
- Possibility to configure CA to not use CertReqHistory to increase performance.
- Harmonized admin GUI and improved looks. Contributed by David Carella of Linagora.
- Other performance optimizations. More than 100 certificates per second can now be issued under certain conditions.
- WS API did not work with external administrator certificates.
- Mitigate potential XSS vulnerabilities in admin GUI.
- Fixed bug when creating CRLs for CAs with single quote in the DN.
- Other admin GUI improvements with better error messages in some cases.
New in EJBCA 3.10.3 (Jun 24, 2010)
- EAC CVC Document Verifiers using ECC keys did not work properly. This was fixed and new test cases were added to the test suite.
- Removed requirement to use “Batch generation” when using CMP RA mode.
- Fixed issue that revocation in admin gui did not work with CAs using accented characters.
- Added code to mitigate potential cross site scripting in admin gui. Note that client certificate authentication was still needed so it was not publicly exploitable.
- Added UTF-8 URI encoding for the public http port (8080). It was previously only enabled for the https ports.
New in EJBCA 3.10.2 (Jun 17, 2010)
- CMP proxy module.
- Improved transaction isolation and performance in CMP.
- Improvements for JBoss 5.
- Possibility to Enforce unique SubjectDN Serial Number.
- Framework for validation of the contents of end entity fields.
- Fixed some regressions in the admin GUI related to cross certification and CV certificates.
- Possible to define custom CN of superadmin on install.
- Update pre-defined Windows smart card logon profiles.
- Output the server's time to the first page of the Admin GUI.
- Supervision of the OCSP responder certificate validity in the standalone OCSP responder.
- Many minor bug fixes related to the big restructure in 3.10.0.
- Minor security enhancements.
New in EJBCA 3.10.1 (May 4, 2010)
- New WS-API methods for renewing CAs. This enables the possibility for automated SPoCs in an EAC ePassport PKI.
- New CMP proxy module letting you have a separate server terminating CMP connections and then forwarding them to the CA.
- Possibility to renew CAs without activating new keys, enabling the CA to continue working until a new certificate is imported.
- Support for SHA384WithECDSA signature algorithm.
- Fixed deployment on JBoss EAP 5.0.0.
- Fixed admin GUI bug with problems selecting privileges for RA administrators.
- Fixed some issues with cli and renewal of expired CAs.
- Fixed a bug with cli for getting delta CRLs.
- Other minor bug fixes.
New in EJBCA 3.10.0 (Apr 8, 2010)
- Restructuring and refactoring to improve maintainability, prepare for the EJBCA 4 release and Common Criteria certification.
- Web Service method for creation or update of a user and creation of a certificate in a single transaction.
- Enforcement of unique public keys and subject DNs.
- New External RA API GUI for browser enrollment without ingoing traffic to the CA.
- Support for Ingres 9.3.
New in EJBCA 3.9.4 (Jan 20, 2010)
- Improvement
- [ECA-1518] - Language files encoded in UTF-8
- Task
- [ECA-1521] - Document how to use Brainpool curves for EAC
- Bug
- [ECA-1441] - Old CA cert published to LDAP after CA renewal.
- [ECA-1443] - Bogus CRL published to LDAP on some occasions.
- [ECA-1471] - Don't publish certificates for inactive CA services
- [ECA-1514] - CMP requests with DN characters requiring escaping fails
- [ECA-1519] - Not possible to renew soft CA ECC CA keys
- [ECA-1524] - Unable to renew expired CAs (regression)
- [ECA-1525] - SafeNetLunaCAToken (old class) does not work
- [ECA-1526] - SecConst.CERT_EXPIRED, should not be used, Import cert cli uses EXPIRED instead of ARCHIVED.
- [ECA-1527] - OCSP responder returns good for expired and archived certificate
New in EJBCA 3.9.3 (Dec 30, 2009)
- New Feature
- [ECA-1389] - Make it possible to add several notifications for expiring certificates.
- [ECA-1439] - End date for certificate profile and CA.
- [ECA-1480] - Possible to generate EC certificate requests with explicit parameters
- [ECA-1492] - Add configuration of allowed signing algorithms to certificate profiles
- Task
- [ECA-1312] - Test browser enrollment with Windows 7
- [ECA-1483] - Update database schema at ejbca.org
- Improvement
- [ECA-1386] - Generate new keys on HSM in Admin GUI does not support ECC
- [ECA-1400] - New navigation menu GUI
- [ECA-1401] - GUI improvement with IE fixes CSS
- [ECA-1417] - name CV certificates .cvcert instead of .crt when downloading from public web
- [ECA-1440] - Configurable error output on admin gui error page.
- [ECA-1449] - Rename "Download to Internet Explorer" to "Download binary/to IE"
- [ECA-1451] - Display EC public key in view certificate pop-up
- [ECA-1453] - WS command to get length of queue for an issuer.
- [ECA-1455] - Possibility to change DN of superadmin user created by 'ant install'
- [ECA-1456] - clientToolBox createCertReq should handle ECC keys as well
- [ECA-1493] - Possibility to use part of user data in LDAP DN but not in certificate DN when publishing certificate to LDAP
- Bug
- [ECA-1429] - Renewing keys on a CA in admin GUI forces reload of all CAs
- [ECA-1436] - Export CA keystore, download issues with IE
- [ECA-1442] - Mail Expiration Checker cannot send mail for user SYSTEMCERT
- [ECA-1444] - CertificateExpirationWorker does not work with CV certificates
- [ECA-1445] - Java 5's XMLEncoder breaks when using Collections.EMPTY_LIST
- [ECA-1447] - InvalidKeyException for HSM during deploy or startup under load
- [ECA-1448] - When issuing certificates, sometimes it is not checked if CA is off-line, only CA token
- [ECA-1450] - NullpointerException making CA offline if CAToken can not be created
- [ECA-1454] - p11slot keeps adding numerous tokens
- [ECA-1457] - ECC brainpool curves do not work due to Sun certificate provider
- [ECA-1458] - Can not import exported ECC CVCA
- [ECA-1460] - Approval and finishuser settings missing from CVC CA configuration
- [ECA-1461] - Exception on import CA keystore
- [ECA-1463] - ca info cli command does not work for cvc CAs
- [ECA-1464] - Having a trailing '' at the end of a field (e.g. username) gives a StringIndexOutOfBoundsException on search
- [ECA-1471] - Don't publish certificates for inactive services
- [ECA-1473] - CAFingerprint in database not set correctly for SubCAs
- [ECA-1475] - OutOfMemory when failing to publish large CRLs with connection closed error
- [ECA-1481] - Not possible to get PUK from issued card of the type "turkish profile" with WS
- [ECA-1485] - Remove StdErr logging when editing approvals in certificate profiles
- [ECA-1496] - End Entity Profile check fails for CMP requests with E in subject DN
- [ECA-1502] - Remove ocsp from bin/ejbca.sh
- [ECA-1504] - clientToolBox.bat does not work with space in path
- [ECA-1509] - cert-cvc: ECPoint can be wrongly encoded in 1 out of 2^16 keys
- [ECA-1517] - Notification status interferes with "Search/edit end entities"
New in EJBCA 3.8.2 (Apr 1, 2009)
- Add street and pseudonym DN attributes.
- OCSP improvements, RFC 5019, nextUpdate, support for requests using GET, improved configuration and error handling.
- Correct coding of optional Issuing Distribution Point in CRLs.
- Possible to publish userPassword in LDAP.
- A few minor fixes.
- [ECA-552] - Add support for nextUpdate, thisUpdate and producedAt in OCSP responses
- [ECA-1124] - Configurable to use HTTP headers for standalone OCSP
- [ECA-1053] - Pseudonym as a subject DN attribute
- [ECA-1133] - Configurable in ExternalOCSPPublisher to only publish certificates with an OCSP URI extension.
- [ECA-1123] - Create dummy object for TransactionLogger and AuditLogger
- [ECA-1088] - Default public exponent for lunaHSM.sh should be 65537 (0x1001)
- [ECA-1055] - Support OCSP by HTTP GET
- [ECA-1117] - Use info instead of error messages in Standalone OCSP Responder.
- [ECA-1144] - Add "userPassword" attribute in LDAP publisher
- [ECA-1114] - Add street DN component
- [ECA-1096] - Improve handling of invalid requests and streams in OCSP responder
- [ECA-1146] - Stress Test does not print out no of failed tests
- [ECA-748] - Order certificates in view certificates with newest first
- [ECA-1121] - Unnecessary signing operations
- [ECA-1158] - CA-certificate, but no signing key from a CA on the external OCSP generates an Exception
- [ECA-1141] - CRL Distribution Point in CRLs must be encapsulated into an Issuing Distribution Point
- [ECA-1092] - Code not thread-safe in certificate-request Servlet
- [ECA-1154] - Concurrency issue when reloading soft keys for external OCSP responder
- [ECA-1113] - JCE error on JBoss 5 on some platforms
- [ECA-1148] - ServiceData cached in bean making synchronization between cluster nodes fail.
- [ECA-1090] - Wrong encoding of issuer DN on retrieval public web pages
- [ECA-1150] - Wrong language tag for "Certificate Validity End Time" in viewendentity.jsp
- [ECA-1095] - Allow comma in directoryName subject alt names
- [ECA-1145] - CvcRequestMessage not serializable
- [ECA-1143] - Freshest CRL is lost when creating a new CA