EJBCA Changelog

New in EJBCA 6.2.0 (Jun 19, 2014)

  • Completely reworked command handling of local command line interface (CLI) (See note 2)
  • It's now possible to import and export Certificate and End Entity Profiles from the GUI
  • VA machines can be created using a CRL
  • Certificate and End Entity Profiles can now be imported and exported from the Web GUI
  • SCEP configuration has been implemented from the Web GUI

New in EJBCA 6.1.1 (Apr 8, 2014)

  • OCSP improvements and new features related to RFC 6960, minimizing size of OCSP responses (see note below).
  • Implemented OCSP signing algorithm including client requested algorithms.
  • CVC certificate profiles (ePassport PKI) now support EAC 2.10 access control templates.
  • Improvements to Key Recovery enabling encryption key rollover and providing more information about encryption keys.
  • Windows build/install is now working.
  • ManagementCA created during a default install now uses SHA256WithRSA.
  • EJBCA now compiles (deployment/running not supported however) on WildFly 8 and GlassFish 4, also using Java 8.
  • EJBCA can now use certificate serial numbers longer than 64 bits.
  • Minor improvements and fixes to make life easier for everyone.

New in EJBCA 4.0.16 (Jun 27, 2013)

  • Bug:
  • [ECA-2495] - Exception in view old log
  • [ECA-3059] - Database rolled back for failed CRL publishings instead of put in queue
  • Improvement:
  • [ECA-3050] - Base64CertData table

New in EJBCA 4.0.14 (Feb 15, 2013)

  • Bug:
  • [ECA-2897] - Wrong example of external SSL port number in web.properties
  • Improvement:
  • [ECA-2882] - Do not store active certificates in queue for ValidationAuthorityPublisher that only publish revoked
  • [ECA-2890] - GUI: Better link from Public Web to Administration Web, via reverse proxy
  • [ECA-2899] - Do not display passwords in stdout during build
  • New Feature:
  • [ECA-2907] - Add cache for Publishers

New in EJBCA 4.0.12 (Aug 16, 2012)

  • New Feature:
  • [ECA-2705] - OCSP key renewal at absolute times
  • [ECA-2706] - Allow Certificate Expiration Notification Service to specify Certificate Profiles
  • [ECA-2709] - Publisher for sampling of issued certificates
  • Improvement:
  • [ECA-2069] - Better log message when querying for not existing CA and default responder CA does not exist
  • [ECA-2714] - Hide the HARDTOKEN profiles in "Certificate Expiration Checker" configuration if "Issue Hardware Tokens" hasn't been enabled
  • [ECA-2724] - When deleting a Certificate Profile, list which end entities/end entity profiles that use it.
  • Bug:
  • [ECA-2077] - OCSP rekeying does not work on JBoss 6.1.0 and JBoss EAP5
  • [ECA-2719] - Download of certificates from Admin GUI fails in Chrome when using "strange" usernames
  • Task:
  • [ECA-2625] - Language tool for developers and localizers

New in EJBCA 4.0.11 (Jun 20, 2012)

  • New Feature:
  • [ECA-2629] - Add Japanese language file
  • [ECA-2696] - Custom revocation date in EJBCA
  • Task:
  • [ECA-2579] - Help message keys refactoring
  • Bug:
  • [ECA-2662] - Strip whitespace from username entered in public web
  • [ECA-2664] - Cleartext links (http) in documentation
  • [ECA-2699] - ejbca.sh CLI exportprofiles function can't handle special characters in filename
  • Improvement:
  • [ECA-1979] - GUI: End-Entity (profile, add, edit) forms usability
  • [ECA-2577] - GUI: Configuration forms improvement
  • [ECA-2583] - GUI: LDAP Publishers form layout improvement
  • [ECA-2584] - GUI: Improvement of in-line help in all forms
  • [ECA-2627] - Process CA: forms layout improvement, and message keys refactoring
  • [ECA-2633] - GUI: Improve Services form
  • [ECA-2634] - GUI: View Certificate popup improvement
  • [ECA-2661] - Possible to use aliases for CRL Naming in RFC4387 CRL Store
  • [ECA-2675] - JBOSS with APR makes EJBCA deploy fail

New in EJBCA 4.0.10 (Mar 14, 2012)

  • New Feature:
  • [ECA-2590] - Possibility to only publish revoked certificates to external VA DB
  • [ECA-2603] - "unknown is good" changed for some URLs used in the OCSP request.
  • Bug:
  • [ECA-2564] - CMP: Correct the CrmfKeyUpdateTest
  • [ECA-2594] - XSS issues
  • Improvement:
  • [ECA-2563] - CMP: clean up CMP tests
  • [ECA-2575] - GUI: Administrator groups page headers improvement
  • [ECA-2580] - GUI: Improve View CA table layout (rows: header, sections, footer)
  • [ECA-2585] - GUI: Change Rename button in all Object lists

New in EJBCA 4.0.9 (Feb 13, 2012)

  • [ECA-2574] - Minor XSS issue

New in EJBCA 4.0.6 (Nov 18, 2011)

  • New Feature:
  • [ECA-2368] - CMP, Implement message type KeyUpdateRequest
  • Bug:
  • [ECA-2369] - NestedMessageContentTest does not clean up the test certificates it creates
  • [ECA-2380] - Minor XSS issue
  • [ECA-2383] - Cannot import empty CRL via CLI

New in EJBCA 4.0.5 (Nov 3, 2011)

  • New Feature:
  • [ECA-2332] - Admin GUI ServletFilter for client certificate emulation
  • Improvement:
  • [ECA-2325] - Add custom cert serno and extension parsing the generatenewuser WS command
  • Bug:
  • [ECA-2297] - NestedMessageContent implements version RFC2510 instead of RFC4210
  • [ECA-2302] - Publishing Queue Fails on slow publishers
  • [ECA-2338] - CMP End entity certificate authentication module does not work in client mode
  • [ECA-2346] - Certificate issuance verification does not detect when CA's public key (in HSM) does not match CA certificate
  • [ECA-2354] - Should not be possible to run service initialization after start

New in EJBCA 4.0.4 (Oct 6, 2011)

  • Improved CMP with many new authentication modules in both client and RA mode, and support for Nested content
  • Support for custom certificate extensions with raw or RA defined values.
  • Many small bug fixes.

New in EJBCA 4.0.3 (Jun 1, 2011)

  • [ECA-2090] - Can not browser enroll with IE

New in EJBCA 4.0.0 (Mar 4, 2011)

  • It is now possible to easily upgrade from EJBCA 3.6.x to 3.11.x
  • Fixed a MySQL mapping that did not work when using the MyISAM storage engine and UTF-8 encoding.
  • ETSI QC value limit can now have the value zero.
  • Admin GUI improvements from David Carella of Linagora.
  • Added a favicon to the EJBCA web interfaces.
  • Fixed an issue causing cached end entity profiles (not default) to be changed for some actions in the admin GUI.
  • Fixed an issue where session information spilled over to other edits when using the "Back to certificate profiles" link.
  • Fixed an issue where using the required flag on Cardnumber in an end entity profile gave an error about a missing unstructured address.
  • This also resolved an issue where the DN field Unstructured Address did not work.

New in EJBCA 3.11.0 (Nov 30, 2010)

  • Possibility to configure CA not to use certificate and user store, meaning that CA can issue certificates without having to access database after service startup.
  • External OCSP responder can now function as a validation authority serving OCSP, CRLs and CA certificates.
  • Certificate store access via HTTP according to RFC4387 standard.
  • Possibility in WebService Interface to specify extended information when editing users.
  • Possibility to specify custom certificate serial number for end entities using CMP protocol. CMP RA secret can now also be specified per CA.
  • Upgrade database schema to be consistent across databases.
  • Add a few new columns to database tables, a preparation to be used in EJBCA 4.0.
  • Improvements in the Glassfish support, now also usable with Oracle database.
  • Several other new features and extended key usages, GUI improvements and performance enhancements – many of which are contributed by Linagora.

New in EJBCA 3.10.6 (Nov 26, 2010)

  • ExtendedInformation, such as issuance revocation reason, can now be added when editing users with the WebService API.

New in EJBCA 3.10.5 (Sep 21, 2010)

  • Fixed admin GUI error running on JBoss 5.
  • Fixed some issues with audit and approvals when using admin certificates issued by an external CA.
  • Harmonized admin GUI and improved looks. Contributed by David Carella of Linagora.
  • Added and improved caches of profiles and CAs, improves performance. CLI for clearing caches.
  • Fixed installation issue on Windows when JBoss installed in root directory.
  • Fixed re-publishing of certificates when CertReqHistory is not used. CertReqHistory is enabled by default for new CAs.
  • Updated German translation, contributed by Atos Origin.
  • Support unrevocation using WS-API.

New in EJBCA 3.10.4 (Aug 12, 2010)

  • Possibility to specify custom certificate serial number for end entities.
  • Possibility to configure CA to not use CertReqHistory to increase performance.
  • Harmonized admin GUI and improved looks. Contributed by David Carella of Linagora.
  • Other performance optimizations. More than 100 certificates per second can now be issued under certain conditions.
  • WS API did not work with external administrator certificates.
  • Mitigate potential XSS vulnerabilities in admin GUI.
  • Fixed bug when creating CRLs for CAs with single quote in the DN.
  • Other admin GUI improvements with better error messages in some cases.

New in EJBCA 3.10.3 (Jun 24, 2010)

  • EAC CVC Document Verifiers using ECC keys did not work properly. This was fixed and new test cases were added to the test suite.
  • Removed requirement to use "Batch generation" when using CMP RA mode.
  • Fixed issue that revocation in admin GUI did not work with CAs using accented characters.
  • Added code to mitigate potential cross-site scripting in admin GUI. Note that client certificate authentication was still needed so it was not publicly exploitable.
  • Added UTF-8 URI encoding for the public http port (8080). It was previously only enabled for the https ports.

New in EJBCA 3.10.2 (Jun 17, 2010)

  • CMP proxy module.
  • Improved transaction isolation and performance in CMP.
  • Improvements for JBoss 5.
  • Possibility to Enforce unique SubjectDN Serial Number.
  • Framework for validation of the contents of end entity fields.
  • Fixed some regressions in the admin GUI related to cross certification and CV certificates.
  • Possible to define custom CN of superadmin on install.
  • Update pre-defined Windows smart card logon profiles.
  • Output the server's time to the first page of the Admin GUI.
  • Supervision of the OCSP responder certificate validity in the standalone OCSP responder.
  • Many minor bug fixes related to the big restructure in 3.10.0.
  • Minor security enhancements.

New in EJBCA 3.10.1 (May 4, 2010)

  • New WS-API methods for renewing CAs. This enables the possibility for automated SPoCs in an EAC ePassport PKI.
  • New CMP proxy module letting you have a separate server terminating CMP connections and then forwarding them to the CA.
  • Possibility to renew CAs without activating new keys, enabling the CA to continue working until a new certificate is imported.
  • Support for SHA384WithECDSA signature algorithm.
  • Fixed deployment on JBoss EAP 5.0.0.
  • Fixed admin GUI bug with problems selecting privileges for RA administrators.
  • Fixed some issues with CLI and renewal of expired CAs.
  • Fixed a bug with CLI for getting delta CRLs.
  • Other minor bug fixes.

New in EJBCA 3.10.0 (Apr 8, 2010)

  • Restructuring and refactoring to improve maintainability, prepare for the EJBCA 4 release and Common Criteria certification.
  • Web Service method for creation or update of a user and creation of a certificate in a single transaction.
  • Enforcement of unique public keys and subject DNs.
  • New External RA API GUI for browser enrollment without ingoing traffic to the CA.
  • Support for Ingres 9.3.

New in EJBCA 3.9.4 (Jan 20, 2010)

  • Improvement
  • [ECA-1518] - Language files encoded in UTF-8
  • Task
  • [ECA-1521] - Document how to use Brainpool curves for EAC
  • Bug
  • [ECA-1441] - Old CA cert published to LDAP after CA renewal.
  • [ECA-1443] - Bogus CRL published to LDAP at some occasions.
  • [ECA-1471] - Don't publish certificates for inactive CA services
  • [ECA-1514] - CMP requests with DN characters requiring escaping fails
  • [ECA-1519] - Not possible to renew soft CA ECC CA keys
  • [ECA-1524] - Unable to renew expired CAs (regression)
  • [ECA-1525] - SafeNetLunaCAToken (old class) does not work
  • [ECA-1526] - SecConst.CERT_EXPIRED, should not be used, Import cert cli uses EXPIRED instead of ARCHIVED.
  • [ECA-1527] - OCSP responder returns good for expired and archived certificate

New in EJBCA 3.9.3 (Dec 30, 2009)

  • New Feature
  • [ECA-1389] - Make it possible to add several notifications for expiring certificates.
  • [ECA-1439] - End date for certificate profile and CA.
  • [ECA-1480] - Possible to generate EC certificate requests with explicit parameters
  • [ECA-1492] - Add configuration of allowed signing algorithms to certificate profiles
  • Task
  • [ECA-1312] - Test browser enrollment with Windows 7
  • [ECA-1483] - Update database schema at ejbca.org
  • Improvement
  • [ECA-1386] - Generate new keys on HSM in Admin GUI does not support ECC
  • [ECA-1400] - New navigation menu GUI
  • [ECA-1401] - GUI improvement with IE fixes CSS
  • [ECA-1417] - name CV certificates .cvcert instead of .crt when downloading from public web
  • [ECA-1440] - Configurable error output on admin GUI error page.
  • [ECA-1449] - Rename "Download to Internet Explorer" to "Download binary/to IE"
  • [ECA-1451] - Display EC public key in view certificate pop-up
  • [ECA-1453] - WS command to get length of queue for an issuer.
  • [ECA-1455] - Possibility to change DN of superadmin user created by 'ant install'
  • [ECA-1456] - clientToolBox createCertReq should handle ECC keys as well
  • [ECA-1493] - Possibility to use part of user data in LDAP DN but not in certificate DN when publishing certificate to LDAP
  • Bug
  • [ECA-1429] - Renewing keys on a CA in admin GUI forces reload of all CAs
  • [ECA-1436] - Export CA keystore, download issues with IE
  • [ECA-1442] - Mail Expiration Checker cannot send mail for user SYSTEMCERT
  • [ECA-1444] - CertificateExpirationWorker does not work with CV certificates
  • [ECA-1445] - Java 5's XMLEncoder breaks when using Collections.EMPTY_LIST
  • [ECA-1447] - InvalidKeyException for HSM during deploy or startup under load
  • [ECA-1448] - When issuing certificates, sometimes it is not checked if CA is off-line, only CA token
  • [ECA-1450] - NullpointerException making CA offline if CAToken can not be created
  • [ECA-1454] - p11slot keeps adding numerous tokens
  • [ECA-1457] - ECC brainpool curves do not work due to Sun certificate provider
  • [ECA-1458] - Can not import exported ECC CVCA
  • [ECA-1460] - Approval and finishuser settings missing from CVC CA configuration
  • [ECA-1461] - Exception on import CA keystore
  • [ECA-1463] - ca info cli command does not work for cvc CAs
  • [ECA-1464] - Having a trailing '' at the end of a field (e.g. username) gives a StringIndexOutOfBoundsException on search
  • [ECA-1471] - Don't publish certificates for inactive services
  • [ECA-1473] - CAFingerprint in database not set correctly for SubCAs
  • [ECA-1475] - OutOfMemory when failing to publish large CRLs with connection closed error
  • [ECA-1481] - Not possible to get PUK from issued card of the type "turkish profile" with WS
  • [ECA-1485] - Remove StdErr logging when editing approvals in certificate profiles
  • [ECA-1496] - End Entity Profile check fails for CMP requests with E in subject DN
  • [ECA-1502] - Remove ocsp from bin/ejbca.sh
  • [ECA-1504] - clientToolBox.bat does not work with space in path
  • [ECA-1509] - cert-cvc: ECPoint can be wrongly encoded in 1 out of 2^16 keys
  • [ECA-1517] - Notification status interferes with "Search/edit end entities"

New in EJBCA 3.8.2 (Apr 1, 2009)

  • Add street and pseudonym DN attributes.
  • OCSP improvements, RFC 5019, nextUpdate, support for requests using GET, improved configuration and error handling.
  • Correct coding of optional Issuing Distribution Point in CRLs.
  • Possible to publish userPassword in LDAP.
  • A few minor fixes.
  • [ECA-552] - Add support for nextUpdate, thisUpdate and producedAt in OCSP responses
  • [ECA-1124] - Configurable to use HTTP headers for standalone OCSP
  • [ECA-1053] - Pseudonym as a subject DN attribute
  • [ECA-1133] - Configurable in ExternalOCSPPublisher to only publish certificates with an OCSP URI extension.
  • [ECA-1123] - Create dummy object for TransactionLogger and AuditLogger
  • [ECA-1088] - Default public exponent for lunaHSM.sh should be 65537 (0x1001)
  • [ECA-1055] - Support OCSP by HTTP GET
  • [ECA-1117] - Use info instead of error messages in Standalone OCSP Responder.
  • [ECA-1144] - Add "userPassword" attribute in LDAP publisher
  • [ECA-1114] - Add street DN component
  • [ECA-1096] - Improve handling of invalid requests and streams in OCSP responder
  • [ECA-1146] - Stress Test does not print out no of failed tests
  • [ECA-748] - Order certificates in view certificates with newest first
  • [ECA-1121] - Unnecessary signing operations
  • [ECA-1158] - CA-certificate, but no signing key from a CA on the external OCSP generates an Exception
  • [ECA-1141] - CRL Distribution Point in CRLs must be encapsulated into an Issuing Distribution Point
  • [ECA-1092] - Code not thread-safe in certificate-request Servlet
  • [ECA-1154] - Concurrency issue when reloading soft keys for external OCSP responder
  • [ECA-1113] - JCE error on JBoss 5 on some platforms
  • [ECA-1148] - ServiceData cached in bean making synchronization between cluster nodes fail.
  • [ECA-1090] - Wrong encoding of issuer DN on retrieval public web pages
  • [ECA-1150] - Wrong language tag for "Certificate Validity End Time" in viewendentity.jsp
  • [ECA-1095] - Allow comma in directoryName subject alt names
  • [ECA-1145] - CvcRequestMessage not serializable
  • [ECA-1143] - Freshest CRL is lost when creating a new CA