EJBCA 7.0.1 Release Notes

Hot on the heels of EJBCA 7.0, we'd like to present the release of EJBCA 7.0.1 - implementing a ton of neat functionality that didn't make the cut for the main release. On top of the list of most commonly requested features is PSD2 support, but please read on to find all the reasons to upgrade to EJBCA 7.0.1!

Full PSD2 Support

EJBCA 7.0.1 provides full support for the Payment Services Directive as defined by EU Directive 2015/2366. PSD2 allows eIDAS Trusted Certificate Providers to issue PSD2 QWAC certificates to third party FinTech companies, which in turn gives them access to financial APIs hosted by European banks. To enable PSD2 in your instance of EJBCA, scroll down to the QC Statements extension of your certificate profile and enable the PSD2 option.

images/2.bp.blogspot.com/-40ZWvC4i-V0/W8SQ4x5_KZI/AAAAAAAAMLs/Yq7B_iQfkMgNZmsj78LS1loPkTQ1rKUEwCLcBGAs/s1600/psd2.png

This will enable PSD2 fields in the RA UI during enrollment.

images/2.bp.blogspot.com/-Bx3MxBsUvWk/XG_8h8SGZmI/AAAAAAAAM2E/IMpbjtQIwJkfRp0y1dqeFiMcxH0pfEk4QCEwYBhgL/s1600/psd2-6.png

If you'd like to read more about PSD2, we've written blog post about it on PrimeKey's blog and our own development blog.

Domain Blacklist Validator

As a request from some of our CABF-customers, we've implemented a Domain Blacklist Validator. The new Validator takes a list of partial and complete domain names, and can be configured to either block them outright (if run during the data phase) or cause an approval action to be triggered in the final approval step (if approvals are activated).

images/download/attachments/50626618/domain_blacklist_validator.png

All of the approving RA administrators in the final approval step will be shown the following warning before the approval passes:

images/download/attachments/50626618/blacklist_warning.png

dnsName SAN can be Automatically Populated by the CN

We've added a setting to End Entity Profiles to allow the dnsName Subject Alternative Name field in a certificate to be filled in by the Common Name (CN) value in the Subject DN.

images/download/attachments/50626618/dnsname_from_cn.png

Configurable SN Entropy, Default Value Raised to 20 Octets

CA/B Forum requires the use of 64 bit entropy when generating serial numbers (see CABF Ballot 164[external link]). Due to only positive values being valid serial numbers, 8 octets will only result in 63 bit entropy as the most-significant-bit will always be 0, hence we recommend larger sizes than 8 octets. Previously this was set using the property ca.serialnumberoctetsize in cesecore.properties, which has now been dropped and the value is instead set directly in the CA.

images/download/attachments/50626618/octet_size.png

Possible values may range between 4 and 20 octets, and the default for all new CAs is 20 while upgraded CA's will retain whatever value was set in ca.serialnumberoctetsize, or 8 if none was set.

Downloadable CSRs

In EJBCA 7.0.1 we've started storing CSRs along with the associated certificate (instead of only the last submitted CSR as it was earlier), so you now have access to download and review all CSRs submitted and processed in the past.

images/download/attachments/50626618/csr_download.png

URL Metadata Type Added to Approvals

Upon popular request, we've added a URL metadata type to the partitioned approval profiles. It allows the approving RA administrator to enter a URL while performing the approval, e.g pointing to a file upload at an external location.

images/download/thumbnails/50626618/url_metadata.png

Upon later review of the approval, it will show up as a hyperlink:

images/download/attachments/50626618/url_file_type.png

Experimental: Configuration Checker

Lastly, we're trying out an experimental new feature in EJBCA 7.0.1, the Configuration Checker. It displays an (incomplete) list of common configuration issues on the front page.

images/download/thumbnails/50626618/cc_frontpage.png

If you'd like to try it out, it can be activated in its own tab under the System Configuration:

images/download/attachments/50626618/cc_systemconfig.png

Roadmap Update

Common Criteria

Our common criteria process is ongoing - the Security Target (ST) is now complete and has been sent for evaluation. Preliminary date for a certified version of EJBCA is still projected to be at the end of this summer.

Appliance Release

EJBCA 7.0.1 will be available on Appliance 3.3.0, due at the end of March/beginning of April.

Up Next

The teams are rearing to go to work on EJBCA 7.1. Main features are going to be Partitioned CRLs, multi-value RDN support and a couple of surprises. See you then!

Upgrade Information

Read the EJBCA Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 7.0.1, refer to our JIRA Issue Tracker.

Issues Resolved in 7.0.1

Released on 4 March 2019

New Features

ECA-4991 - Allow configuration of serial number octet size per CA

ECA-5865 - Add a summary of visible prior approval steps before final approval

ECA-6052 - Add Domain Blacklist validator

ECA-7206 - End Entity Profile setting to allow dnsName SAN field to be automatically populated by the CN in a CSR

ECA-7340 - PSD2 GUI support when adding end entity

ECA-7770 - Database protection for CSR in CertificateData

ECA-7779 - Implement test function in SCP Publisher

ECA-7780 - Implement EJBCA Issue Checker Framework

ECA-7808 - Add Domain Blacklist Validator class with basic structure

ECA-7809 - Persistance of Domain Blacklists

ECA-7810 - Show warning at validation failure in Approval process

ECA-7860 - New Approval issuance phase for Validators

ECA-7861 - Implement DomainBlacklistAsciiLookalikeNormalizer

ECA-7863 - Implement Domain Blacklist Checker classes

Improvements

ECA-5438 - English translations for ErrorCodes in the RA

ECA-5667 - Add a file link metadata type to Approvals

ECA-6075 - RA Web: Improve validator error messages

ECA-7526 - Add a description field to Certificate and End Entity Profiles

ECA-7607 - Optimize ejbca-db-cli speed when verifying audit log

ECA-7693 - CSR download and clear buttons in Ra Web

ECA-7709 - Update tag library schemas for JEE7

ECA-7756 - Improve error message when CA signingkey was changed without renewing CA certificate

ECA-7782 - Add documentation for the EJBCA Issue Checker

ECA-7783 - Attach access control logic to tickets

ECA-7791 - Update to JEE7 API library

ECA-7793 - Log4j priority is deprecated

ECA-7803 - Label the EJBCA Issue Checker as experimental

ECA-7812 - Unit tests for matching against Blacklists

ECA-7817 - Add autocomplete=off to all h:inputSecret fields

ECA-7826 - Wrap tickets descriptions in a class

ECA-7837 - Make Dynamic UI Property handle empty lists

ECA-7838 - Include two choosable head banners for test and acc systems

ECA-7840 - Implement Integer multiple-choice for DynamicUiProperty

ECA-7842 - System test for "Approval" validation phase

ECA-7843 - EJBCA startup does full table analysis on Oracle causing timeout issue during startup

ECA-7852 - Change the menu option "View Log" into "Audit Log"

ECA-7854 - Rename "Constraints" label in CT logs to "Log Sharding"

ECA-7862 - Investigate and fix shouldConvertToCorrectEndEntityInformation test failure.

ECA-7870 - Introduce a ValidatorsHelper for UI tests

ECA-7871 - Add more path examples for windows paths in properties files

ECA-7872 - Update the documentation tags and improve labels for roles pages

ECA-7882 - Sort Admin UI lists ignoring case

ECA-7883 - Rename "Issue Checker" to "Configuration Checker"

ECA-7887 - Improve Domain Blacklist checkers

ECA-7889 - Syntax check of domains in domain blacklists

ECA-7897 - Disallow "Abort certificate issuance" option for Approval Request issuance phase

ECA-7898 - Disallow Approval Request issuance phase for CAA Validators

ECA-7900 - Show matching blacklist entry when a domain is blacklisted

Bug Fixes

ECA-5326 - SCEP RA mode should not require batch generation checkbox in EE profile

ECA-7608 - CSR stored in End Entity is never cleared but re-used

ECA-7664 - Regression: Cannot enable CMS for existing CA

ECA-7717 - Trying to save P11 crypto token with incorrect PIN makes EJBCA think token already exists

ECA-7758 - Fix WebTest failures

ECA-7759 - Regression: Widgets gone missing in JSF conversion - End Entity Profiles -> notifications

ECA-7772 - Avoid foreign key constraints creation for obsolete AccessRulesData and AdminEntityData

ECA-7773 - Hide harmless alter table error from DB CLI import command

ECA-7775 - ziprelease-cesecore-src and ziprelease-cesecore-bin build targets broken

ECA-7776 - ConfigDump: Publish Queue Process Service configs are being exported as "Renew CA Service" Workers

ECA-7777 - Can't view end entity with deleted profile in RA

ECA-7786 - Regression: not possible to export CA keystore

ECA-7787 - Regression: Edit CA page does not show key aliases from Statedumps correctly

ECA-7794 - SCP Publisher does not store/load the password properly

ECA-7796 - Fix FindBugs warnings

ECA-7804 - Update MySQLDialect since it uses MyISAM instead of InnoDB with upgraded Hibernate libs

ECA-7805 - Fix failures in ConfigdumpCoreUnitTest and YamlWriterUnitTest

ECA-7806 - NPEs during scanning

ECA-7807 - NumberFormatException during scan

ECA-7821 - Regression: CA key types not updated when creating CA and selecting signature algorithm

ECA-7850 - Fix checks for numeric IDs

ECA-7855 - SHA384 missing from algorithms selection when returning signed CMP messages

ECA-7858 - Not all certificate profiles shown in Issue Checker for limited admins

ECA-7859 - Regression: addendentity CLI command can not be used for auto-generated passwords

ECA-7873 - Regression: CA cert list in CA Structure & CRLs changes order causing CRL generation to fail

ECA-7874 - InstantiationException when trying to view JSP pages

ECA-7876 - Cannot create CVC CA on JBoss EAP 7.1

ECA-7877 - View Certificate in Edit CA screen not available for CV Certificates

ECA-7879 - Regression: list of CAs is sorted case sensitive

ECA-7885 - Upload controls on Edit Validator page does not work

ECA-7888 - DynamicUiProperty of label type cause NPE on post back to server

ECA-7890 - Missleading error message in adminweb when Domain Blacklist Validation fails

ECA-7896 - EditCAsMBean.initApprovalRequestItems() doesn't init any request item types

ECA-7899 - Increase POST Size for New Blacklist Validator

ECA-7901 - Blacklist validator classes are no longer found ini GUI

Tasks

ECA-7764 - Add a Magnum-CI job that tests trunk on an HSM enabled installation.

ECA-7813 - Check upload file size limit on Appliance

ECA-7816 - Place holder issue for GUI testing of Domain Blacklist Validator

ECA-7820 - Remove installation documentation for WildFly 8,9 and Glassfish

ECA-7864 - DOCUMENTATION: please add FIPS same key restriction

ECA-7880 - Document the Domain Blacklist Validator