EJBCA Release Notes Summary
The following lists release notes for all EJBCA versions released.
For information on features and improvements implemented per release, see the EJBCA Release Notes. The EJBCA Release Notes also include a change log, listing all issues resolved in the release and a cross-reference to our JIRA Issue Tracker for full details on issues resolved in the release.
EJBCA 7.4 Release Notes
EJBCA 7.4.3
REST Endpoints for End Entity Management
We've added new commands for end entity management to our REST API with contributions from Roman Cinkais at 3Key Company. If you'd like to try them out, take a look at our Swagger UI which is automatically deployed on non-production instances.
Plugin for Hashicorp Vault
As part of a greater effort to extend interoperability and a serve as an integral part of any PKI ecosystem, we've released a plugin for Hashicorp Vault on GitHub. HashiCorp Vault is a product to manage secrets and when using microservices at scale, there are many services and secrets to manage. The plugin allows you to use EJBCA instead of the built-in Vault's CA in order to combine the usability and dynamics of the Vault with the compliance, scalability, and performance of EJBCA.
CVC Enrollment in EJBCA RA
It's now possible to enroll for Card Verifiable Certificates in the EJBCA RA UI. This improvement is part of our continued effort to deprecate the old Public Web.
Trident HSM Support
We've added some default properties to our configuration files to allow for easy configuration if the HSM driver is installed on the system.
Root Program Compliance Issues
Two issues have been reported that may cause incidents with CAs that conform to the Browser Root program and CA/Browser-Forum requirements.
In previous releases, OCSP responses without extensions were sent with an empty singleExtensions list, while the proper behavior is to omit the list entirely. The issue is now resolved and we recommend that all root program compliant customers upgrade to EJBCA 7.4.3 or later.
It has been found that EJBCA does not calculate the time between notBefore and notAfter correctly, adding an extra second to validity of certificates and OCSP responses than intended by the RFC. While we recommend customers to keep well within any required limits, this issue has been solved in EJBCA 7.4.3.
Security Issue - Domain Security over EST
As a part of our penetration testing, a security issue was found when enrolling with EST while proxied through an RA over the Peers protocol. As a part of EJBCA's domain security model, the peer connector allows the restriction of client certificates (for the RA, not the end user) to a limited set of allowed CAs, thus restricting the accessibility of that RA to the rights it has within a specific role. While this works for other protocols such as CMP, it was found that the EJBCA enrollment over EST implementation bypasses this check, allowing enrollment with a valid client certificate through any functioning and authenticated RA connected to the CA. We consider this issue minor as it does not bypass any of the many other security checks in place, but as per our common policy this issue will be submitted as a CVE two weeks from the release of EJBCA 7.4.3.
EJBCA 7.4.2
CertBot 1.4.0 through 1.6.0 supported
EJBCA support for ACME CertBot was limited to version 1.3.0. From this release, EJBCA also supports versions 1.4.0 through 1.6.0.
OCSP Responses no longer include Unspecified reason code
Due to changes in the CA/B Forum Baseline Requirements version 1.7.1, effective as of 2020-09-30, the behavior of the VA has been changed so that OCSP responses where the certificate is revoked with the "Unspecified" reason code, the reply will no longer include the reason code attribute.
Additional RDNs allowed in ACME Requests
In our initial implementation of the ACME protocol, only the CN field and dnsName SANs were processed. In order to allow for the issuance of other types of certificates from ACME, we now allow the inclusion of additional fields by enabling Allow subject DN override using CSR in the certificate profile.
EJBCA 7.4.1
Microsoft Intune Device Enrollment
Intune is Microsoft's cloud-based device management solution, and EJBCA can be configured as the CA backend to allow devices to enroll for certificates. Intune support has previously been provided through a 3rd party connector, but from EJBCA 7.4.1 devices can be set up to directly request certificates from the EJBCA RA. This is set up using SCEP aliases, and we provide a guide for setting up your enterprise for Intune Device Enrollment from start to finish.
Ability to have Multiple DVCAs with the same Holder Country and Mnemonic
In the context of CV certificates, EJBCA has traditionally used the holder mnemonic and requesting country code to build the Subject DN, causing a uniqueness constraint. EJBCA 7.4.1 allows multiple DVCAs to share the same country and mnemonic fields. For more information, see Managing CVC CAs.
Security Issue
As a part of standard testing, we found a minor security issue which has been fixed in this version of EJBCA. When employing a client certificate to authenticate an EST client, we've discovered that no check is performed on the status of this certificate, allowing a revoked client to still request certificates over EST. The vulnerability only affects EST, and can be mitigated by removing the affected client certificate from the roles which allows it to perform enrollments. This vulnerability will be published as a CVE two weeks following the release of EJBCA 7.4.1 and the distribution of security announcements to customers.
EJBCA 7.4.0
Pre-produced OCSP Responses
A commonly requested feature through the years, the EJBCA VA can now produce pre-produced OCSP responses in accordance with RFC6960. This feature has two potential benefits for your VA infrastructure - it allows you to pre-sign OCSP responses during low times for use during peaks, and CAs under requirement to do so can be set to produce responses valid after the CA's expiration.
Ed25519 and Ed448 Support
EdDSA is now supported for software crypto tokens, with support for both Ed25519 and Ed448.
Approvals added to SCEP
When using SCEP in RA mode, it's now possible to use approvals during enrollment.
Google Safe Browsing Validator
We've added a new validator type to check against the Google Safe Browsing API.
Cloud PKI Support
EJBCA 7.4.0 has added encryption for SCEP with Azure Key Vaults and support for AWS Key Management Service (KMS).
EJBCA 7.3 Release Notes
EJBCA 7.3.1.4
This patch release fixes regressions that were discovered as a result of the security fixes done in EJBCA 7.3.1.2.
Upgrade Information
Review the EJBCA 7.3.1.4 Upgrade Notes for important information about this release.
EJBCA 7.3.1.3
This maintenance release contains a fix for Elliptic Curve (EC) keys wrongly being generated with explicit EC parameters by default while using the "P11NG" provider. The issue only affects users of the EJBCA eIDAS edition.
EJBCA 7.3.1.2
This maintenance release resolves several vulnerabilities found in EJBCA during penetration testing, and we recommend that all customers upgrade their installations if they are affected and cannot otherwise mitigate.
EJBCA 7.3.1.1
This maintenance release fixes a security issue when SCEP enrollment is used.
EJBCA 7.3.1
View Queued Publisher Item Information
Items published with a publisher in EJBCA can be placed in a queue if direct publishing fails or because the publisher is configured to only use a queue for publishing.
The Publisher Queue Status table on the EJBCA CA Web home page has up until now only listed the number of queued events per publisher. Under certain circumstances, entries in the queue may not be able to publish for example, due to a network outage or denied authorization from the target.
As of EJBCA 7.3.1, you can view status information about the queued events indicating why they are still queued, information on the latest updates and links to the relevant object. For more information, see CA Operations Guide.
Persistence of Precertificate
Following a discussion in the mozilla.dev.security.policy group it has been determined that CAs using Certificate Transparency (typically applicable for public CAs) should be able to respond with proper status for CT precertificates. EJBCA has previously been able to partly do this by having the OCSP reply 'good' for non-existing certificates. However, this doesn't entirely meet the new requirements.
With EJBCA 7.3.1, precertificates will be stored in the database and published to configured VA databases. This allows for better control, history, and most importantly, OCSP lookup for precertificates. Specifically in cases where a precertificate has been generated and no final certificate was issued, which for example may occur if an insufficient number of signed certificate timestamps (SCTs) were received from the configured CT logs.
For more information, see Persisting Precertificates and OCSP in Certificate Transparency.
EJBCA 7.3.0
ACME RFC Support
Up until now, EJBCA has supported IETF draft 12 of ACME. As of March 2019, IETF standardized the ACME protocol as RFC 8555. We are happy to announce that EJBCA now complies with the RFC standard. Having the standardized protocol supported will facilitate usage from an integration point of view as more ACME clients will work "out of the box" and the uncertainty whether the protocol will change again in the future is mitigated.
For a complete list of supported ACME operations and workflow examples, see the latest EJBCA ACME documentation.
ConfigDump Import
You may be familiar with our ConfigDump export tool, used for exporting the current state of your installation in a human-readable (YAML) format. The export tool is useful for auditing purposes and comparing configuration changes made in EJBCA.
The new ConfigDump import feature enables the reversed functionality, importing parts of or a complete configuration from an existing configuration dump.
The provided CLI tool allows you to target a configuration for import into EJBCA whether it contains a set of profiles, CAs, a complete configuration, or any other previously exported object. Since the configuration dump itself is human-readable, you can edit the fields in each object (for example, change the subject DN of an end entity profile) before import.
For more information on using the tool, see the ConfigDump documentation.
OCSP Archive Cutoff
The OCSP archive cutoff extension (RFC 6960 section 4.4.4.) was previously configured per EJBCA instance in ocsp.properties, by setting the property ocsp.expiredcert.retentionperiod to the retention period in seconds.
This setting is now configured per CA, by editing the corresponding OCSP key binding. This allows for different archive cutoff settings being used for different CAs. We have also added a setting to base the archive cutoff date on the issuer's notBefore date (instead of the retention period and the producedAt date of the OCSP response) as mandated by ETSI EN 319 411-2, CSS-6.3.10-08.
For more information, see Archive Cutoff and for important notes to be aware of when upgrading, see EJBCA 7.3 Upgrade Notes.
Certificate Transparency Sharding
It is now also possible to define a validity interval accepted by Certificate Transparency ( CT) log servers. The new setting allows limiting the scope of acceptable certificates to a date range and is configured in the CA Web, under System Configuration > Certificate Transparency Logs, by editing an existing CT log.
For more information on Sharded CT logs, see Certificate Transparency.
Azure Key Vault Crypto Token
Microsoft Azure provides a cloud "Key Vault" for HSM storage of cryptographic keys. As of EJBCA 7.3.0, Azure Key Vault can be set up as a Crypto Token in EJBCA, leveraging the advantages of cloud-stored keys. For detailed information and configuration instructions, see the EJBCA Cloud Documentation.
EJBCA 7.2 Release Notes
EJBCA 7.2.1.1
This patch release contains fixes for two issues:
An issue that prevented upgrades from 7.1.x and older when using database protection.
An error when EST name generation was set to USERNAME.
EJBCA 7.2.1
AWS S3 Publisher
The AWS S3 (Amazon Simple Storage Service) Publisher allows for publishing certificates and CRL files to an AWS S3 bucket.
The publisher uses the AWS CLI to perform the S3 bucket operations. The AWS CLI is installed by default on the AWS EJBCA Cloud instance, and may be installed separately on other EJBCA software installations.
You will find it among the other Publisher types in EJBCA Admin Web. For more information regarding the AWS S3 Publisher, refer to the EJBCA Cloud documentation.
EST Name Generation Enhancements
Up until now, End Entity username has been randomly generated for every 'simpleenroll' request using EST, making certificate life cycle management slightly challenging using the protocol. This has been addressed by introducing a configurable name generation scheme for EST, similar to how CMP aliases can be configured. The name generation scheme may be configured as follows:
DN: Use the desired part of DN (CN, SN etc.) from the CSR as End Entity username.
RANDOM: Generates a random username for each request. (Default behavior. Enforced in previous versions of EJBCA).
FIXED: Username pre-defined for all requests using the EST alias.
USERNAME: Uses entire request DN as End Entity username.
Renewal
End Entity username can now be determined using EST, an authenticated 'simpleenroll' request matching an already existing username (e.g. CN part of DN) and will be treated as certificate renewal. Requests matching an existing End Entity will result in a new certificate issued for it.
For more information, see EST.
IPv6 Support
Though EJBCA has supported IPv6 up until now, there has been a few limitations to it. As of EJBCA 7.2.1, IPv6 has been thoroughly tested and improved for certain use cases.
EJBCA 7.2.0
Persistent Storage of Certificate Transparency SCT Responses
Persistent caching of Certificate Transparency SCTs (Signed Certificate Timestamps), in the form of a database-backed storage, has been added in addition to the existing in-memory caching. This reduces the number of requests to the CT log server and increases the performance. Additionally, the default configuration was changed to rate-limit connections to logs that are down or return error codes. This reduces the load on both log servers and EJBCA. For example, if a CT log rate-limits EJBCA, then EJBCA will back off for 1 second by default. For more information, see Certificate Transparency.
Crypto Token and CA Management REST API
The EJBCA REST API has so far been limited to Certificate Management operations. We've now extended the REST API, adding resources for CA administration as well. This allows simpler remote integration and management as an option to the GUI.
The new endpoints are disabled by default, requiring activation via Protocol Configuration before use. For more details and endpoint documentation, see EJBCA REST Interface.
EJBCA 7.1 Release Notes
EJBCA 7.1.0
Partitioned CRLs
Long and enduringly requested, EJBCA 7.1 is now capable of producing partitioned CRLs. Activated under the CA configuration, the number of partitions per CRL is dynamically configurable, allowing new partitions to be added as the CRL grows, and assignment to older partitions to be suspended in order to allow for future growth. CDP partition assignment is random in order to allow for even distribution of certificates, and partition definition can be looked up in the CDP extension as defined in RFC5280.
For those of you not wishing to use partitioned CRLs life will mostly move on as usual while for those of you applying partitioned CRLs to existing installations you will retain a legacy CRL for pre-existing certificates (as the CDP can't be changed retroactively) while newly issued certificates will be issued to partitions.
Deprecation and Removal of Hard Token Support
In an effort to relieve ourselves of maintaining little-used features we have chosen in this release to deprecate and remove support of hard tokens, after analyzing that it has little to no use among PrimeKey customers. Naturally this will have no impact on existing installations, but we have provided scripts for those of you wishing to remove the relevant tables from the database. See the upgrade notes for more details.
VA and RA Specific Distributions
As a response to market interest, we've enhanced our build process and modularization in order to produce VA and RA specific builds of EJBCA, each capable of acting in their specific roles but not as a CA. This allows PrimeKey to offer a more dynamic model for Appliance and Cloud users who would like to add RA and VA instances to their PKIs but find it prohibitive to pay for the full fee for the complete distribution. The standard CA distribution still retains the full VA and RA capabilities as before. If you're interested in finding out more, please contact sales@primekey.com
EJBCA 6.15.2 CE Available on Docker Hub
As some of you already know, as part of our ongoing containerization project we've added a docker container to Docker Hub, built on a sneak-peek of the coming release of EJBCA 6.15.2 Community Edition.
If you're interested in moving your PKI towards containerization, please go ahead and have a look, and feel free to give us any feedback!
EJBCA 7.0 Release Notes
EJBCA 7.0.1
Full PSD2 Support
EJBCA 7.0.1 provides full support for the Payment Services Directive as defined by EU Directive 2015/2366. PSD2 allows eIDAS Trusted Certificate Providers to issue PSD2 QWAC certificates to third party FinTech companies, which in turn gives them access to financial APIs hosted by European banks. To enable PSD2 in your instance of EJBCA, scroll down to the QC Statements extension of your certificate profile and enable the PSD2 option. When enabled, three PSD2 fields will be made in the RA UI during enrollment.
For more information about PSD2, refer to our blog post about it on the PrimeKey's blog and our own development blog.
Domain Blacklist Validator
We've implemented a Domain Blacklist Validator. The new Validator takes a list of partial and complete domain names, and can be configured to either block them outright (if run during the data phase) or cause an approval action to be triggered in the final approval step (if approvals are activated). All of the approving RA administrators in the final approval step will be shown a warning before the approval passes.
dnsName SAN can be Automatically Populated by the CN
We've added a setting to End Entity Profiles to allow the dnsName Subject Alternative Name field in a certificate to be filled in by the Common Name (CN) value in the Subject DN.
Configurable SN Entropy, Default Value Raised to 20 Octets
CA/B Forum requires the use of 64 bit entropy when generating serial numbers (see CABF Ballot 164[external link]). Due to only positive values being valid serial numbers, 8 octets will only result in 63 bit entropy as the most-significant-bit will always be 0, hence we recommend larger sizes than 8 octets. Previously this was set using the property ca.serialnumberoctetsize in cesecore.properties, which has now been dropped and the value is instead set directly in the CA.
Possible values may range between 4 and 20 octets, and the default for all new CAs is 20 while upgraded CA's will retain whatever value was set in ca.serialnumberoctetsize, or 8 if none was set.
Downloadable CSRs
In EJBCA 7.0.1 we've started storing CSRs along with the associated certificate (instead of only the last submitted CSR as it was earlier), so you now have access to download and review all CSRs submitted and processed in the past.
URL Metadata Type Added to Approvals
We've added a URL metadata type to the partitioned approval profiles. It allows the approving RA administrator to enter a URL while performing the approval, e.g pointing to a file upload at an external location.
Upon later review of the approval, the specified External URL will show up as a hyperlink.
Experimental: Configuration Checker
Lastly, we're trying out an experimental new feature in EJBCA 7.0.1, the Configuration Checker. It displays an (incomplete) list of common configuration issues on the front page.
If you'd like to try it out, it can be activated in its own tab under the System Configuration.
Appliance Release
EJBCA 7.0.1 will be available on Appliance 3.3.0, due at the end of March/beginning of April.
EJBCA 7.0.0
Technology Leap to JDK8/JEE7
Probably the most impactful change of upgrading to EJBCA 7 is that we're dropping support of JDK7, and by extension JEE6 reliant application servers. In essence, from here on in that means that the minimum supported application server is JBoss EAP7/Wildfly 10. If your current installation is running on an earlier JDK or application server we recommend upgrading those first, going through an intermediate release of EJBCA if necessary. The EJBCA Upgrade guide has detailed instructions for which workflow to follow if this applies to you.
This leap is partly motivated by the end of professional support for JDK7 from Oracle coming this summer, but also because it both allows us to upgrade older libraries (which have long since ceased receiving security updates) and to be able to make use of much of the newer technology which has been developed in the intervening years in order to improve your user experience.
JDK11 Support
While not completely tried and tested yet, we've begun implementing support for JDK11, and have it working in our test environment. For production environments, we recommend sticking to JDK8 for the time being, but for the adventurous among you, we would by all means appreciate any feedback.
Appliance Release
EJBCA 7 (or a later minor release) will be included in Appliance version 3.3.0 and is scheduled towards the end of Q1.
EJBCA 6.15 Release Notes
EJBCA 6.15.1
Multi Group Publishing
In order to facilitate for users administrating large numbers of publishers referenced in multiple certificate profiles, we've implemented the Multi Group Publisher.
By referencing Multi Group Publishers instead of the affected publishers directly, actions such as adding or removing VAs can quickly permeate throughout all affected certificate profiles. The publisher also allows splitting referenced publishers into groups, which establishes parallel publishing queues.
SCP Publishing and VA Population
Due to popular demand for an alternative to the Peer Publisher in environments where establishing a Peer Connection between CA and VA isn't an option, we've created the SCP Publisher, which publishes certificates and CRLs to a remote location over SCP.
Conversely, in order to import certificates and CRLs exported by the SCP Publisher a VA, we've implemented the Certificate and CRL Reader Service.
GDPR Adapted Legacy VA Publisher
Just like we did for the Peer VA Publisher back in EJBCA 6.13, we've GDPR adapted the Legacy VA Publisher.
By enabling the new Don't store certificate meta data option at the bottom, VA publishing can be performed without writing any identifying information to the VA.
Revocation Time added to CertSafe Publisher
The output of the CertSafe Publisher has been amended to include revocation time.
EJBCA 6.15.0
Version 6 of EJBCA is beginning to near its end, and the team are looking forward with great anticipation to be able to give you all a look at what's coming with EJBCA 7. That said, we're sending off the last feature release of EJBCA 6 with a helluva bang: full support for the ACME REST protocol!
ACME Support
Nearly done by the release of 6.14 but not quite there, EJBCA 6.15's main feature is our support for the ACME protocol, up unto and including all mandatory features in draft 12. Naturally we've implemented it with full support for proxying communications over Peers through our RA, and support for multiple configurations using aliases as we do with other protocols.
Our implementation has been verified against Certbot, PJAC and ACME Tiny, and our ACME documentation describes how to configure them.
Wildcards for Custom Certificate Extensions
We've added two minor features to Custom Certificate Extensions. Firstly, we've added wildcards (identified by an '*') to the OID field, which allows a defined extension to match against any array of extensions defined in an incoming request (e.g. in the above example, any request containing an extension ending in .123. The second addition is the Required property, which is by default checked. Unchecking this property makes an extension available to be requested in the enrollment request but not necessary.
EJBCA 6.14 Release Notes
EJBCA 6.14.1
This minor EJBCA 6.14.1 release primarily fixes some issues that some users reported when running EJBCA 6.14 on JBoss 7.1.1GA, due to some race conditions and library collisions in that particular version that didn't come up during testing. We also took the chance to fix some other minor issues that came up late during QA that we believe should hold you over for the time being. For a full list of new features and implemented improvements in EJBCA 6.14, see the EJBCA 6.14 Release Notes.
EJBCA 6.14.0
It's with no small amount of pride that we'd like to announce the release of EJBCA 6.14, one of the most feature rich releases to come out in a long while.
The Certificate Management REST API
A long requested and requested feature is for EJBCA to support a spick and span new REST API, and EJBCA 6.14 introduces the first iteration of our Certificate Management REST Interface.
So far we've only implemented basic certificate management methods, and we'll be slowly moving on with implementing more powerful features in the near future. You'll find the complete offline API as a part of our documentation here, or deployed locally with your EJBCA installation. For those of you wishing to integrate with EJBCA using REST we deploy Swagger on non-production installations in order to expose the API. Just like with all new protocols added to EJBCA, the REST API is disabled by default and needs to be manually activated.
Complete Proxification of the EJBCA Web Services API
A huge milestone for the EJBCA, we put in a huge effort into providing proxification for nearly all EJBCA WS calls. This means that CAs relying on communication with 3rd party applications can now be placed behind an outgoing-only firewall, with communications being relayed through an EJBCA RA.
EJBCA 6.13 Release Notes
EJBCA 6.13.0
What now, another feature release so soon? Fear not, all is well - instead we felt that some of the work we've put in to the trunk should be made available as soon as possible.
We hope that as many of you as possible have had a chance to check out the ConfigDump tool we released with EJBCA 6.12, please give us any available feedback that we can plug in to future versions.
The EJBCA VA is GDPR Ready
We've added an option to the VA Peer Publisher restrict publishing identifying certificate metadata from the CA to VA, such as subject DN, SAN or usernames.
Key Ceremony Utilities added to the RA Web
During key ceremonies, auditors typically require a copy of all CA Certificate fingerprints. To spare you the process of downloading CA certificates and computing the fingerprints manually using a third-party tool, we've added the following functionality to the RA Web:
Download Fingerprints: Downloads a YAML text document with the CA Certificate fingerprints of all CAs you have access to.
Download Certificate Bundle: Downloads a compressed zip file containing the CA certificates of all CAs you have access to.
For more information, see RA Web CA Certificates and CRLs.
EJBCA 6.12 Release Notes
EJBCA 6.12.0
The PrimeKey EJBCA team is pleased to announce the feature release EJBCA 6.12, and a small step but important step forward in the development of EJBCA.
Revamped Documentation
We have shifted the documentation over to Confluence instead of the ancient xdoc format as a first step towards a far more organized, updated and user friendly documentation.
Major changes to take notice to are that the Release Notes (this document), Change Log and Upgrade Notes have all been moved in here as well. They're still available offline from within the doc folder in the release zip, but are now also published both online and deployed with EJBCA to the application server.
Configurable OCSP Extensions
The OCSP Extensions configuration is now configured in the UI instead of in the ocsp.properties configuration file, and is set up to act per keybinding. Any existing extensions defined in the configuration files will automatically be added to existing OCSP keybinding configurations, but please read more about that and more in the EJBCA 6.12 Upgrade Notes.
ConfigDump Export and Audit Tool
Our StateDump tool for exporting and importing installations has been remade from the ground up, and the first iteration of the tool is now publicly available. The new ConfigDump Export and Audit tool is useful for change handling and auditing and is built and run from the command line using ant configdump.
The export files are sorted by type and are serialized and normalized as yaml objects. Any UID references are replaced with their human-readable names.
Additional Proxying Capabilities in the RA
As response to external demand, we've added two new features to the RA:
The ability to proxy SCEP requests, much as is done with CMP and EST already
We added forwarding of revocation and revocation status requests over SOAP. The full list of methods in the EJBCA WS that can be proxied via the RA are:
certificateRequest
checkRevokationStatus
getLastCertChain
keyRecover
keyRecoverEnroll
revokeCert
EJBCA 6.11 Release Notes
EJBCA 6.11.1
Now is the winter of our new content, made glorious summer by our developers' hard work. EJBCA 6.11.1 is a brand new minor release containing some cool new features. We've upgraded the underlying BouncyCastle library version 1.59, which adds support for SHA3 signature algorithms.
The main feature of this release is a modification of how vendor certificates are handled in CMP. Previously we restricted CMP clients to enroll to the same subject DN and issuer as specified in the vendor certificate, while we now allow enrolling to a number of different certificates based on the same vendor certificate. The purpose of this change is to be able to use the same vendor certificate to enroll a device with several keys with different purposes.
We've fixed a few neat bugs, amongst which being a performance sink in the display of crypto tokens in the CA GUI, some minor issues related to EST and a case where a CA might incorrectly fail a CAA issuance check for some corner cases.
Being a minor release, this release involves no upgrade steps or notable database changes.
EJBCA 6.11.0.1
Patch release with some last minute fixes before the release of Appliance 2.7.2. Found issues include:
A couple of minor regressions in relation to handling Approval Profiles in the CA and RA GUIs
Improved re-authentication checks in the CA and RA GUIs
Allowing the EC Key Validator to pass keys encoded with algorithm name "EC", as well as "ECDSA"
EJBCA 6.11.0
First and foremost, EJBCA 6.11 introduces a long awaited feature: support for the EST protocol. For those of you now in the know, EST is an enrollment protocol similar to SCEP. Much like CMP and SCEP, EST can be configured through multiple aliases, and can like CMP also have calls proxied from an RA up a CA using the Peers Protocol.
The second main feature of this release is the concept of External Validators, a feature which has been widely requested by quite a few of our enterprise users. An External Validator functions much like the existing validators (RSA, CAA, etc), but it runs on either a certificate or pre-certificate object and calls on local script on the local system.
We've also added a few of features to make VA/RA installations more secure in the DMZ. In order to guard against possible 0-days or protocol vulnerabilities we've added the Protocol Configuration-tab to System Configuration. Through this tab all incoming protocols or servlets can be disabled. Additionally, we've added access rules to allow prohibiting CMP and WS calls being sent from the RA/VA to the CA via Peers in case the RA/VA runs the risk of being compromised. The second security feature is connected to the External Validator, adding a configuration value under System Configuration that disables both it and the General Purpose Custom Publisher. This configuration value is set to be disabled by default unless you're currently running a GeneralPurpose Custom Publisher in your installation.
Lastly, we've updated the VA so that SHA1WithRSA and SHA1WithECDSA are no longer acceptable signature algorithms for an OCSP responder, see the UPGRADE document for more information.
EJBCA 6.10 Release Notes
EJBCA 6.10.1.1
Patch release for ECA-6426, in which the database version was set incorrectly for fresh installations.
EJBCA 6.10.1
This minor release introduces a couple of cool new features and above all a big performance improvement. We've added certificate extensions to CV certificates; these can be managed just like standard custom certificate extensions under System Configuration.
We've made a big change to how we handle CT logs. In 6.10.0 we added the option to make certain logs mandatory in anticipation to Google's enforcement of their updated CT specification in April 2018. Looking back we weren't entirely satisfied with our design, so have instead introduced the concept of CT Log Labels in order to group sets of logs. Instead of choosing a series of logs in the Certificate Profile you may choose a series of labels. Upon issuance all logs from those labels will be queried to, and the first n SCTs will be written to the certificate, where n is the max number of SCTs allowed and there will be at least one SCT per label. For those of you using the 'Mandatory'-option since 6.10, your logs will be automatically upgraded, which is documented further in the UPGRADE document.
Speaking of upgrading, you may have caught the EJBCA 6.3.2.6 Intermediate Release issued recently in order to facilitate upgrades from versions of EJBCA earlier than 5.0. In this release we've ironed out the last remaining upgrade bugs, as well as forbidding upgrades from versions of EJBCA prior to 5.0 in order to avoid errors in the future.
Lastly, we've put some time into optimizing certificate issuance in EJBCA. In comparison to 6.10, EJBCA 6.10.1 has about twice the throughput and half the latency in our benchmark environment for high volumes of certificate issuance.
EJBCA 6.10.0.2/6.10.0.3
Patch release covering one issue where an issuewild record on a DNS would cause checks for non-wildcard domains to fail.
EJBCA 6.10.0.1
This patch release fixes several corner cases in CAA issuing, a regression in the CMP Proxy where we forgot to update the name of an upgraded library, as well as a minor regression where a newly created Role doesn't show up as 'Custom' by default.
EJBCA 6.10.0
Happy Halloween to all, we the Plucky Khobolds of PKI have been toiling away at another release.
Speaking of costumes and dressing up, EJBCA 6.10 introduces an extremely neat feature to the RA web: not only the ability to upload custom stylesheets and logos on the CA web to be used in the RA, and not only setting these per role, but having these transmitted to a remote RA over the Peers protocol. This means that the look-and-feel of an RA placed in an entirely different country than the CA can be modified CA-side without even requiring a restart of the RA, and it can be done for multiple users depending on their role.
On the theme of scares and frights, we're sure that nobody missed the ROCA vulnerability that was made public this month. While EJBCA has never used Infineon libraries for key generation (and to the best of our knowledge, none of our supported HSM vendors do either), we've still been capable of signing weak keys submitted from other sources. Fortunately since we introduced the RSA Key Validator back in EJBCA 6.9, adding a ROCA check there as well was trivial. For those of you running or planning on running RSA Key validation, we strongly recommend activating checking for ROCA weak keys.
On the CMP side we've added the concept of Central Key Generation which allows for a request for a keypair generated CA side to be transmitted and returned over CMP. Certificate Transparency has been given the ability to specify, apart from the minimum number of required logs, which logs which are considered mandatory to write to - this in anticipation of new requirements from Chrome coming in 2018. We've also kept working on our CAA validator, hammering out various corner cases and parallelizing DNS lookups for certificates containing multiple DNSNames.
From an upgrade perspective we're happy to see many legacy installations (EJBCA 4.0 and older) beginning to upgrade towards more modern versions of EJBCA, and have received some bug reports specific to older deployments which we've fixed in this release. Currently we support upgrading directly from EJBCA 5.0.16 or later. EJBCA 6.10 introduces no database changes, so upgrading from 6.9.x doesn't involve any automatic or manual upgrade steps.
EJBCA 6.9 Release Notes
EJBCA 6.9.1
For the first time in a while we're releasing a standard minor release, mainly concentrating on bug fixes and feedback from implements of our CAA Validator. All in all we've made the CAA Validator far more configurable, allowing features such as whitelisting some domains (excluding them from CAA checks), allowing the validator to ignore specific Top Level Domains and making recursion depth configurable. We've also added caching and robustness to DNS lookups in order to deal with the results query throttling from the resolvers. Add to that, we've also included a couple of minor performance improvements in connection to certificate issuance.
As the CAA standard is still involving we're not counting on our work in this field being finished quite yet, but for the moment we're hoping that you're all looking forward to all the neat new features coming in EJBCA 6.10 in a few weeks.
EJBCA 6.9.0.6
Patch release fixing issues with CAA.
EJBCA 6.9.0.5
Patch release for ECA-6107, which fixed an issue in which CAA lookups weren't properly handled for wildcarded domains with subdomains.
EJBCA 6.9.0.4
Patch release for ECA-6106, which allows a CAA lookup to continue up the domain tree even if the lookup for a subdomain failed.
EJBCA 6.9.0.3
Patch release for ECA-6099, where adding an EE from the Admin Web or WS and then enrolling using the RA would lead to an NPE.
EJBCA 6.9.0.2
Database creation scripts referred to PublicKeyBlacklistData instead of BlacklistData.
EJBCA 6.9.0.1
In the final stages of testing of 6.9.0 we found ECA-6088, which could potentially lead to caching issues for installations running clusters. Was fixed before EJBCA 6.9.0 was released to the wild.
EJBCA 6.9.0
Greetings to all, and welcome back after a long summer. Just in time for CAA to go live on September 8th, we'd like to present to you all the release of EJBCA 6.9.0. All in all we've fixes about 90 issues during the summer, but we'd like to highlight the four major features of this release:
Delegated Keypair Generation: As requested by some customers running EJBCA instances as RAs over Peers, this feature is similar to the key recovery feature long used in EJBCA in that it stores generated soft keys encrypted in the database, but with the purpose that the soft keys are generated on the RA (instead of on the CA). The purpose of this is security - where the owner of the RA doesn't wish for the keys to ever be transmitted to the CA but merely be signed. Since this feature requires an EJBCA instance running as RA, it only applies to Enterprise customers.
RSA/ECC Key Validation: A long requested feature, we've now created an API for running validators during certificate creation. Foremost we've implemented Key Validators, which can be applied to a CA to reject incoming signing requests based on inadequate key length or poorly chosen exponents.
BlackList Validators: We've also developed an API for blacklisting signing requests based on known information. In EJBCA 6.9.0 we've implemented a Key Blacklist Validator, which will check incoming certificate requests against a user defined blacklist of known bad keys.
CAA: Last and absolutely not least, EJBCA 6.9.0 can perform CAA checks during or after certificate issuance. This has partly been implemented as a Validator (which is run during certificate issuance) or as a manual CLI tool which can be used by an RA administrator after issuance. CAA support is an Enterprise only feature.
EJBCA 6.8 Release Notes
EJBCA 6.8.0.1
This is a patch release for ECA-6056, where Certificate Profiles using Approval Profiles would cease working if database protection was activated for the CertificateProfileData table.
EJBCA 6.8.0
Just in time for the Swedish summer (all three days of it), we here at PrimeKey Solutions are very proud to release EJBCA 6.8.0, with a bunch of new features that we sincerely hope you'll enjoy. All in all, 190 issues that have been fixed for this release.
First and foremost, we've made some changes to Roles and Access Rules (see the UPGRADE document for technical details). Among these changes and improvements, we'd like to highlight the following:
Managing rules in the Admin UI has been simplified, with a simpler Allow/Deny/Inherit-from-previous structure that we feel is way more intuitive and easy to overview. Rules are now normalized, meaning that when saved the rule set is simplified to the most simple common structure.
The Advanced Rules page now has an Summary screen, which displays only the set rules for a Role
Setting Role Members has been simplified. Match Operators have been hard coded for different value types in order to make the process less error prone.
We have introduced the concept of Role Namespaces, allowing administrators to sort Roles into groups. An logged in administrator may thus only see the Roles in the namespace in which they themselves belong, while being a member of a Role belonging to the "blank" namespace gives access to all. The purpose of this is to allow several different organizational units to be using their own CA, each creating their own Roles with similar names, but without interfering with each other.
Last but not least, roles management has been built into the EJBCA RA as well, allowing RA users working on a proxy RA to administrate their own roles without needing access to the CA.
Speaking of the EJBCA RA, we have added API calls for proxying CMP requests and a limited subset of the WS interface to it. This allows the RA to act as a proxy for both CMP calls far more efficiently than the old asynchronous CMP Proxy, as well as act as a proxy for the MS Autoenrollment Gateway which was released with EJBCA 6.7.0.
Approval profiles in CAs and Certificate Profiles can now be set per action, allowing one approval profile to be used for e.g. Adding/Editing end entities and another for revoking.
Some passwords can be configured to be stored in an encrypted form in the database. From EJBCA 6.8.0 and on encryption can be configured with a stronger setting than the default by modifying the password.encryption.key in cesecore.properties. Only change this value when you are sure that all nodes that will store passwords (end entity clear text passwords and crypto token auto activation codes) are upgraded and can read the new format.
EJBCA 6.7 Release Notes
EJBCA 6.7.0.1
This is a patch release for ECA-5853, where upgrade to 6.7.0 from certain versions of EJBCA failed due to an NullPointerException in Certificate Profiles.
EJBCA 6.7.0
We are pleased to release EJBCA 6.7.0. This release adds official support for MS Autoenrollment, implemented as an enrollment Proxy/Gateway, which is delivered as a separate component. In addition to this, there are many security fixes and enhancements in this release, plugging a few holes and making it harder than ever to misuse EJBCA. All in all, 82 issues that have been fixed for this release The most notable changes are:
Features
Native Windows Autoenrollment, using a separate autoenrollment proxy component.
Support for CT logs that use RSA instead of ECC.
Ability to search for approval requests in the new RA interface.
Ability to limit which Extension OIDs are acceptable to Override, gives better control over RAs.
Improvements
Ordering of configured CT logs is now kept, and there is a possibility to re-order them.
Additional security hardening, including updated library dependencies.
Not requiring '@' in rfc822Name improves integration with Cisco ISE.
Allowing native CAs to be Vendor CAs for CMP testing.
A new field for "Default CA issuer URI" in the CA configuration makes some use cases more efficient.
Bug Fixes
Security fixes
Lots of minor usability issues fixed.
EJBCA 6.6 Release Notes
EJBCA 6.6.4
This release of EJBCA fixes two issues related to upgrades in specific cases.
EJBCA 6.6.3
PrimeKey Solutions is very proud to present the final EJBCA release for 2016: EJBCA 6.6.3. This release fixes nine minor issues which we were dying to make live before our next feature release due for Q1, and primarily fixes issues which cropped up when using ExternalRA since 6.6.0, a bug in the upgrade script for Oracle databases and a bug which caused an inability to create CRLs on MSSQL.
As with all minor releases, no upgrade steps are required.
EJBCA 6.6.2
This release of EJBCA fixes one single issue to improve stability of submissions for Certificate Transparency logs.
This feature is only related to issuance of publicly trusted TLS certificates.
Bugfixes:
CT Log submission could fail in certain circumstances when it should not
EJBCA 6.6.1
The first patch release in the 6.6 branch, EJBCA 6.6.1 brings a few bugfixes and several improvements, both in functionality and in performance.
The most notable changes are:
Features
New features related to Validity. You can now configure certificate validity down to minutes and seconds, and certificate start offset which was previously default to -10 minutes is now configurable. There are many new options related to validity, check the documentation.
Certificate expiration can now be configured to prevent expiration on specific week days.
Added an option to keep expired certificates on the CRL instead of removing them, which is the default and still recommended behavior.
Added a new CLI command to change crypto token for a CA.
Improvements
When CA certificates are revoked, OCSP responder will respond revoked for leaf certificates only if CA revocation reason indicates a CA compromise (from EJBCA 6.5.4).
Several performance optimizations has been done to boost issuing speed.
You can now add multiple PDS URIs in the Admin GUI, for Qualified Certificate statement
EJB timers are now non-persistent, no need to clean JBoss timer directory on restart anymore.
Bugfixes
CT log timeout are configurable again
Legacy OCSP signer renewal is now prevented from from processing the same entry twice
Prevent change, triggered by changing hostname while running, of audit log node id once sequence is initialized
Updates to imported CA certificates is now persisted properly in the CertificateData table.
Documentation
Updated Quick Start documentation
EJBCA 6.6.0
PrimeKey Solutions is very pleased to release EJBCA 6.6.0. Being the release with the most number of issue fixed ever, this release of EJBCA 6.6.0 adds a completely new RA architecture, including a brand new RA GUI.
Together with all other improvements, bugfixes and security enhancements, this is a leap forward for EJBCA and many man years of work has gone into making this release.
New RA GUI with configurable approval work-flow and administrator edit capabilities.
The RA can work as an integrated RA or as a standalone external RA (EJBCA Enterprise only subject to separate license).
Running as an External RA there are only outgoing network connections from the CA, using Peer Connectors.
User friendly Certificate search in the new RA GUI with free text search on both subject DN and altName (see note below regarding altName search).
Location based access control for the new RA, different RAs can have different access combined with the administrators access.
Easy to configure user and administrator privileges for the RA during the Peer Connector setup.
Full GUI support for the new eIDAS standard (QC statement extension in certificates)
Completely reworked Approvals with multiple approvals, ordered or not, with flexible approval notifications.
Support for RegisteredID (rfc5280), xmppName (rfc6120) and srvName (rfc4985) subject alternative names.
Now allows longer subject DN and altName by default in new installations.
Additional CVC OIDs for SHA512 and SHA384
Add support for Services that run on all hosts to enable HSM Keepalive Service to run on all nodes in a cluster
Additional security hardening and improvements
Lots of bug fixes and improvements
During issuance of X.509 certificates, the Subject Alternative Name can be stored in a searchable database column. This is enabled for all new Certificate Profiles, but not for existing profiles.
The CertificateData table has three new columns "notBefore", "endEntityProfileId" and "subjectAltName". A CA upgrade using direct database publishing to VA also requires schema changes on the connected VAs. Please see the UPGRADE document for details.
EJBCA 6.5 Release Notes
EJBCA 6.5.5
EJBCA 6.5.5 is a patch release fixing one bug and making one improvement. These fixes mostly facilitates OCSP operations under certain circumstances.
Update of imported CA certificate is not persisted to the CertificateData table
Internal Key Binding: certificate import should not use the current CA certificate if public key does not match
EJBCA 6.5.4
An autumn patch release to the so far stable EJBCA 6.5 branch, EJBCA 6.5.4 adds a few fixes to issues that showed up during production, as well as two new features and a couple of improvements.
All in all, this release contains 10 bug fixes and improvements.
Features
Support for RegisteredID in subject alternative name.
Ability to use variables in email subject for email expiration services.
Improvement: ICAO CSCA
Issuer altName is now automatically set when creating a new Root CA.
Improvement: OCSP
When CA certificates are revoked, OCSP responder will respond revoked for leaf certificates only if CA revocation reason indicates a CA compromise.
Bugs
CMP revocation requests failed CA authorization, if issuer CA had X.500 ordering.
clientToolbox did not start when using PKCS#11 and there was no JAVA_HOME set.
Verification of database integrity protection did not work for custom certificate extensions.
EJBCA 6.5.3
Just in time for Midsummer in Sweden, what's better on a holiday than deploying a new version of EJBCA? This release of EJBCA 6.5.3 adds a couple of security fixes, corrects a few bugs that hit a couple of rare cases, and improves the EJBCA Database CLI. Not to mention an updated Japanese translation. All in all, this release contains 14 bug fixes and improvements.
Security
Fix two security issues, and tighten a couple of cases that could cause unnecessary load.
CMP
If issuing using CMP, using the Single Active Certificate Constraint, and OCSP publishing, the revocations were not published to OCSP.
CLI
Improve the ejbca-db-cli verify command to be more flexible and powerful, and fix a small documentation flaw in the regular EJBCA cli.
Administration UI
Update Japanese translation.
EJBCA 6.5.2
Winter is coming they say, but in the PrimeKey offices in Stockholm it seems to be a far way away. While we're busy toiling away at our new feature set for this autumn, we're ever intent on making sure that the 6.5 branch of EJBCA is the best it can be in terms of stability and performance. This release makes EJBCA 6.5.2 fully eIDAS compliant, fixes a breakage in CMP introduced in 6.5.1, patches one minor security issue and fixes a slew of user input handling improvements in the UI. All in all, this release contains 18 bug fixes, features and improvements.
Administration UI
A minor script injection vector has been plugged.
Administrators attempting to log in without having access to a Role (but having a valid certificate) will be audit logged as failed attempts.
CMP
A bug fix in 6.5.1 caused a major breakage in CMP.
eIDAS
Added the new ETSI DN attribute "organizationIdentifier"
OCSP
Certificates revoked by being under the Single Active Certificate Constraint certificate profile setting weren't published
Read the full change log for details, and see the UPGRADE document for all functionality changes and upgrade instructions.
A selection of known issues
One test failure on DB2: ECA-3298
End entity profiles can't be deleted in high volume databases: ECA-4158
Some ECDSA key specifiers missing in drop down menu for crypto tokens using PKCS#11 after JDK update: ECA-4251
Race condition when multiple RA threads are requesting certificates for the same user: ECA-4347
ClientToolBox is unable to verify signature when testing more exotic EC keys in HSM: ECA-4596
Profiles export fail if hard tokens are enabled: ECA-5003
Root access required to save system configuration: ECA-5005
KeyBindings do not work if there's a CVC CA or uninitialized CA available: ECA-5072
EJBCA 6.5.1
Spring is in the air, and we here at PrimeKey are busy working on a very exciting new feature to be released with EJBCA 6.6.0 in Q3 of 2016.
Meanwhile, we've also been hard at work shoring up and fixing bugs in our 6.5 branch, ever intent in making sure that bugs get squashed faster than they can appear. All in all, we've fixed 35 bugs and improvements for this minor release.
Administration UI
A minor information leakage, to the client, of preset end entity password was patched up.
Due to hardening implemented in 6.5.0, CertificatePolicy objects were omitted from being imported with certificate profiles. This has been rectified.
Several pages that didn't render correctly in WildFly 10 have been fixed.
Log Export
A regression was fixed in the CmsCaService due to the signing key alias for CA's being changed in EJBCA 6.4.1/6.5.0
CMP
Due to a change in how End Entity Profile references to CMP aliases are saved, the deprecated method of setting the EEP to "KeyID" to support CMP Unid (which hasn't been possible since 6.0.0) is no longer supported. This will be rectified in a future release.
External RA
A caching bug in the CMP Proxy was fixed
The CMP Proxy message signer chain and issuer chain were mistakenly implemented as one and the same in 6.5.0.
OCSP
The optional Nonce sent in OCSP requests has been limited to 32 bytes to counter potential future issues. A request containing a Nonce larger than 32 bytes will now result in an error returned from the OCSP server.
Read the full change log for details, and see the UPGRADE document for all functionality changes and upgrade instructions.
A selection of known issues
One test failure on DB2: ECA-3298
End entity profiles can't be deleted in high volume databases: ECA-4158
Some ECDSA key specifiers missing in drop down menu for crypto tokens using PKCS#11 after JDK update: ECA-4251
Race condition when multiple RA threads are requesting certificates for the same user: ECA-4347
ClientToolBox is unable to verify signature when testing more exotic EC keys in HSM: ECA-4596
EJBCA 6.5.0.5
Patch release for a few issues during upgrade from EJBCA 4.0, and a contributed patch for script based auto enrollment.
EJBCA 6.5.0.4
Patch release for pages broken in WildFly 10 and post-upgrade in EJBCA Community.
EJBCA 6.5.0.3
Patch release for ECA-4931 and ECA-4955
EJBCA 6.5.0
PrimeKey Solutions is very pleased to release EJBCA 6.5.0 into the wild. This release has primarily focused on tuning up the UI and responding to security developments in the Java EE world in the last few months. We've shifted plenty of focus to QA during this period, so this version is the most stable we've released yet. All in all, we've fixed 145 new features, bugs and improvements.
Administration UI
Certificate profiles can now be set to restrict key algorithms, curves (for EC) and key length.
The CSCA "CA Name Change" feature from ICAO 9303 7th part 12 has been implemented.
Removed a possible XML exploit from the administration web.
De-serialization has been significantly hardened.
Fixed a possible information leakage in the administrative web in regards to certificate and end entity profiles.
Auditor default role has been given access to additional pages in the UI.
General Cryptography
The underlying BouncyCastle library has been upgraded to version 1.54
Documentation
All return and error codes from the CMP servlet have been documented.
OCSP
OCSP responder can now cache the revocation status of client certificates (used to sign requests) for limited time periods.
External RA
CMP Proxy now checks for message signatures, HMAC and checks revocation status for signing certificates, relieving the CA of handling unauthorized messages.
Certificate Transparency
CT logs can now be submitted to log servers in parallel.
Read the full change log for details, and see the UPGRADE document for all functionality changes and upgrade instructions.
A selection of known issues
One test failure on DB2: ECA-3298
End entity profiles can't be deleted in high volume databases: ECA-4158
Some ECDSA key specifiers missing in drop down menu for crypto tokens using PKCS#11 after JDK update: ECA-4251
Race condition when multiple RA threads are requesting certificates for the same user: ECA-4347
EJBCA 6.4 Release Notes
EJBCA 6.4.2
This maintenance release contains 4 bug fixes and improvements. Below is a selection of the most noteworthy. Upgrading to this version will require no manual upgrade steps, but some rules will automatically be added to existing Auditor roles and analogs.
GUI
Bug: A backport introduced in 6.4.1 broke the Certificate Transparency configuration page.
Improvement: The Auditor Role has been extended, and now has read access to End Entities, all configurations and roles.
Bug: PKCS#11 crypto token page was incorrectly formatted
OCSP
Improvement: X-Forwarded-For is now logged if present in OCSP requests
Read the full change log for details, and see the UPGRADE document for all functionality changes and upgrade instructions.
A selection of known issues
One test failure on DB2: ECA-3298
End entity profiles can't be deleted in high volume databases: ECA-4158
Some ECDSA key specifiers missing in drop down menu for crypto tokens: ECA-4251
Certificate profile key length restriction ignored when creating CA: ECA-4310
Race condition when multiple RA threads are requesting certificates for the same user: ECA-4347
Standard superadmin shows up as 'Custom' in Basic Access Rules View: ECA-4663
Audit log conditions 'starts with'/'ends with' return no results: ECA-4677
EJBCA 6.4.1
This maintenance release contains 14 new features, bug fixes and improvements. Below is a selection of the most noteworthy. Upgrading to this version will require no manual upgrade steps.
Improvements
Apache commons-collections library has been upgraded to version 3.2.2
Bug Fixes
Fixed checking CA authorization in CMP RA mode when using EndEntityCertificate authentication module
Regression: A technology upgrade cause relevant information to not be displayed in the approvals screen.
Regression: A usability issue regarding Notifications in End Entity Profiles has been solved.
A selection of known issues
One test failure on DB2: ECA-3298
End entity profiles can't be deleted in high volume databases: ECA-4158
Some ECDSA key specifier missing in drop down menu for crypto tokens: ECA-4251
Certificate profile key length restriction ignored when creating CA: ECA-4310
Race condition when multiple RA threads are requesting certificates for the same user: ECA-4347
EJBCA 6.4.0
Only our second major release for 2015, EJBCA 6.4.0 represents a huge step into the future for EJBCA, introducing a slew of new features and improving usability in the UI across the board. We have also ramped up QA efforts for this release, which makes us confident to the stability of this release.
This major release contains 134 new features, bug fixes and improvements. Below is a selection of the most noteworthy:
New Features
Granular control has been added to DN and SAN elements in End Entity Profiles. Inputed values can be controlled using regular expressions.
Most of the UI has been given read-only rights, and a new role template (named Auditor) can be created and built upon to allow an auditor to view but not modify.
Custom Certificate Extensions and Extended Key Usages can now be added on the fly from the UI, so no longer is a JBoss restart required when new ones are added.
WildFly8 and WildFly9 are now supported platforms.
Upgrade procedure has been improved, and EJBCA now tracks its own version, allowing many steps that were previously performed as part of manual upgrades to be performed automatically instead. In future versions, manual upgrades will be available from the UI as well as the CLI.
Improvements
System Configuration has been split into sections and tabs
"Exclude Active Manually-Activated CryptoTokens" check box is checked by default in System Configuration, meaning that clearing caches won't by default deactivate all crypto tokens.
Bug Fixes
An XSS issue
Fixed a NullPointerException when Client Certificate Renewal was performed over SCEP under certain circumstances.
Setting "Allow merge DN Web Services" in the End Entity Profile caused SAN to be dropped.
Remote EJB de-serialization of collections of certificates failed on JBoss 7.1.1 GA
SCEP Client Certificate Renewal allowed renewal of expired certificates
Information leakage pertaining to usernames from the public web
ExternalRA GUI password was leaked to the logs
Technology Changes
Support for XKMS has been removed and is no longer available.
Underlying BouncyCastle Library has been upgraded to version 1.53
Support has been dropped for JDK6.
Support has been dropped for JBoss5
Security notice
The Xalan 2.7.1 library previously bundled with EJBCA is subject to a potential security issue (CVE-2014-0107). EJBCA does not by itself use the vulnerable functions from Xalan and there is thus no real vulnerability in EJBCA. We have anyway chosen to remove this bundled library from EJBCA.
As the application server also uses Xalan, users are recommended to upgrade to JBoss EAP 6.3 or later which includes the newer Xalan version. Alternatively, Red Hat provides patches for earlier EAP versions. For JBoss AS 7.1.1 it is possible to follow our instructions in the installation guide for how to instead use the libraries bundled with EJBCA.
Read the full Changelog for details.
A selection of known issues
One test failure on DB2: ECA-3298
End entity profiles can't be deleted in high volume databases: ECA-4158
Some ECDSA key specifier missing in drop down menu for crypto tokens: ECA-4251
Certificate profile key length restriction ignored when creating CA: ECA-4310
Race condition when multiple RA threads are requesting certificates for the same user: ECA-4347
EJBCA 6.3 Release Notes
EJBCA 6.3.2.5
This patch release fixes one bug and introduces a new feature
A small bug where soft crypto tokens generated during CA creation had auto-activate set during cache reload, even if that property had been set false.
Custom order of DN in issued certificates can now be defined in Certificate Profiles
Read the full Changelog for details.
EJBCA 6.3.2.4
This patch release fixes two bugs
An issue in SCEP Client Certificate Renewal in regards to renewing a certificate with the same issuing date as its issuing certificate
A change to the enforcement of Single Active Certificate Constraints, where certificates where revoked by subjectdn+issuer instead of by username
Read the full Changelog for details.
EJBCA 6.3.2.3
This patch release primarily fixes bugs and adds missing functionality with respect to Client Certificate Renewal via SCEP.
Read the full Changelog for details.
EJBCA 6.3.2.2
This patch release primarily fixes the issue of the DirectoryName component of subjectAltName not being included in certificates.
Read the full Changelog for details.
EJBCA 6.3.2.1
This patch release primarily fixes the issue of certain elliptic curves having different human readable names in the JDK vs BouncyCastle.
Read the full Changelog for details.
EJBCA 6.3.2
This maintenance release contains 23 new features, bug fixes and improvements, in addition to all fixes made in 6.2.10. Below is a selection of the most noteworthy.
Upgrading to this version will require a post-upgrade step.
New Features
CA certificate rollover via SCEP has been implemented in accordance to draft-nourse-scep-23
Improvements
VA Publisher and External RA have become Enterprise features
Build times have been improved
Read the full Changelog for details.
A selection of known issues
One test failure on DB2: ECA-3298
CA Certificates using brainpool curves can't be imported from the ClI. GUI works though: ECA-4022
End entity profiles can't be deleted in high volume databases: ECA-4158
Some ECDSA key specifier missing in drop down menu for crypto tokens: ECA-4251
No HTTP Header 'Content-Type' in the Renew public web page: ECA-2844
EJBCA 6.2 Release Notes
EJBCA 6.2.10
This maintenance release contains 32 features, bug fixes and improvements, below is a selection of the most noteworthy. This branch was released in parallel with EJBCA 6.3.2.
New Features
Certificate Profile settings have been added for optimizing environments without certificate storage, both not storing certificates to the database at all (like the already existent CA setting) and for writing all meta data, but not the certificate itself.
A CLI command has been added to remove publishers and all references to those publishers.
Improvements
EJBCA was upgraded to BouncyCastle 1.52
Bug Fixes
Security: POP was not verified properly in WebService requests
Regression: HealthCheck can again be automatically set for new CAs
Regression: Certificate keyUsage was invalid when using the allowKeyUsage setting in certificate profiles.
Regression: Caching in crypto tokens could cause adhoc upgrades of OCSP responders to fail
Fixed an issue where deleting an HSM slot rendered the GUI unusable
Read the full Changelog for details.
A selection of known issues
One test failure on DB2: ECA-3298
CA Certificates using brainpool curves can't be imported from the ClI. GUI works though: ECA-4022
End entity profiles can't be deleted in high volume databases: ECA-4158
Some ECDSA key specifier missing in drop down menu for crypto tokens: ECA-4251
No HTTP Header 'Content-Type' in the Renew public web page: ECA-2844
EJBCA 6.3.1
This maintenance release contains 17 new features, bug fixes and improvements, in addition to all fixes made in 6.2.8 and 6.2.9.
Below is a selection of the most noteworthy.
New Features
Now possible to create CAs and issue End Entity certificates through the Web Service API.
SCEP Client Certificate Renewal.
Web Service API calls for monitoring certificate expiration.
Single Active Certificate Constraint has been added to Certificate Profiles, allowing for automatic revocation of old certificates, as new ones are issued.
Improvements
All Audit Log messages have been properly JavaDoc:ed.
Read the full Changelog for details.
A selection of known issues
External RA GUI cannot handle SubCA certificates with critical CDP: ECA-2138
One test failure on DB2: ECA-3298
Regression: Healtcheck is not enabled for new CAs by default: ECA-3999
CA Certificates using brainpool curves can't be imported from the ClI. GUI works though: ECA-4022
End entity profiles can't be deleted in high volume databases: ECA-4158
JDK patches for RSAWithMGF1 is not working on newer java: ECA-4175
EJBCA 6.2.9
This maintenance release contains 18 bug fixes and improvements, below a selection of the most noteworthy.
Improvements
The main feature of EJBCA 6.2.9 is an optimization for certificate signing that has reduced certificate signing time with approximately 10% for low workloads and 70% for intensive workloads. Numbers are compared to EJBCA 5 and EJBCA 6.
Bug Fixes
A minor regression introduced in 6.2.7 where trying to create a Browser Certificate in the External RA GUI failed.
A selection of known issues
External RA GUI cannot handle SubCA certificates with critical CDP: ECA-2138
One test failure on DB2: ECA-3298
Regression: Healtcheck is not enabled for new CAs by default: ECA-3999
CA Certificates using brainpool curves can't be imported from the ClI. GUI works though: ECA-4022
End entity profiles can't be deleted in high volume databases: ECA-4158
JDK patches for RSAWithMGF1 is not working on newer java: ECA-4175
EJBCA 6.2.8
The goal of this release has primarily been optimization of our OCSP responder, fixing usability issues, tightening up security and heavy GUI testing. We've also snuck in a brand new feature which web service users may find useful.
This maintenance release contains 42 bug fixes, features and improvements, below a selection of the most noteworthy:
Read the full Changelog for details.
Improvements
OCSP responder has been widely optimized.
OCSP responder now caches SCTs, improving response times when using Certificate Transparency.
EJBCA has been upgraded to use BouncyCastle 1.51
HealthCheck memory monitor now reports on total amount of free memory instead of allocated free memory.
New Features
Web service calls for issuing certificates can now override EJBCA's default subject DN order with their own.
Bug Fixes
A minor security escalation issue has been fixed affecting explicit rule access denial.
A selection of known issues
EJBCA 6.3.0
EJBCA 6.3.0 introduces a powerful new feature for Enterprise and Appliance users: the EJBCA Peer System protocol. The purpose is to allow secure communication over TLS between peered installations of EJBCA, doing away with the need of direct database publishing in order to propagate certificates and certificate information. This means that direct and synchronous communication is now possible between a Certificate Authorities and their associated Verification Authorities, also enabling verification of synchronization status and health.
EJBCA Peer System represents a step forward in how setup up complex multi-system installations, and we have great hopes for what we will be able to make possible in EJBCA in the future.
This is a major release with new features, bug fixes and improvements. All in all, 106 issues have been fixed.
Noteworthy changes
Introduction of the EJBCA Peer System protocol.
Fully localized in French, thanks to David Carella of Linagora.
A selection of known issues
External RA GUI cannot handle SubCA certificates with critical CDP ECA-2138
One test failure on DB2: ECA-3298
ant install is known to fail on Windows machines running JDK >= 7.21 ECA-3602
Wrong CA key used when decrypting SCEP requests ECA-3807
Importing an externally produced certificate with empty DN fields fails ECA-4018
CA Certificates using brainpool curves can't be imported from the ClI. GUI works though. ECA-4022
EJBCA 6.2.7
This, the first release of 2015, is a minor release primarily geared towards optimization and stabilization of the 6.2 branch. We have primarily optimized GUI behavior in regard to cryptotokens referencing many keys, as well as sorted out some documentation issues. QA procedures have also been revised and improved, which is the "known issues" list below is longer than in previous releases.
All in all, 24 issues have been fixed or implemented for this release.
Behavior of OCSP responder has been changed slightly in order to improve performance. Status of the OCSP signing certificate's CA is now only checked when the cache is reloaded, instead of at every request. If unsure how long the timeout is set for, check the value ocsp.signingCertsValidTime in ocsp.properties.
A selection of known issues
External RA GUI cannot handle SubCA certificates with critical CDP ECA-2138
One test failure on DB2: ECA-3298
ant install is known to fail on Windows machines running JDK >= 7.21 ECA-3602
Wrong CA key used when decrypting SCEP requests ECA-3807
Importing an externally produced certificate with empty DN fields fails ECA-4018
CA Certificates using brainpool curves can't be imported from the ClI. GUI works though. ECA-4022
EJBCA 6.2.6.8
EJBCA 6.2.6.8 is a patch release for ECA-2842 and ECA-2843, out of the box support for the OtherNames xmppAddr and srvName in subject alternative name.
EJBCA 6.2.6.7
EJBCA 6.2.6.7 is a patch release for ECA-5322, Ability to use variables in email subject for email expiration service.
EJBCA 6.2.6.6
EJBCA 6.2.6.6 is a patch release for ECA-5279, Adding support for RegisteredID subject alternative name.
EJBCA 6.2.6.5
EJBCA 6.2.6.5 is a patch release for ECA-4947
EJBCA 6.2.6.4
EJBCA 6.2.6.4 is a patch release for ECA-4885
EJBCA 6.2.6
EJBCA 6.2.6 is a maintenance release, primarily fixing two major issues and quite a few smaller ones.
Noteworthy changes
The OCSP default responder behavior introduced in 6.2.4 was buggy when CAs were set as the default responder. ECA-3969
Saving symmetric keys in a crypto token cause the GUI page to crash ECA-3933
A bug causing CertSafe publisher creation was fixed ECA-3958
For certificate profiles only specifying a single keylength, the default keylength was used instead ECA-3935
SSLv3 protocol has been disabled for use in JBoss7 due to the POODLE vulnerability ECA-3862
All in all, 23 issues have been fixed in this release.
Known issues
EJBCA 6.2.5
This minor release mainly centers around a bug found in the upgrade procedure when automatically upgrading CATokens to modern CryptoTokens. Due to a bug in 4.0.x, working CATokens could be created even with incorrect configurations, and these were then incorrectly processed. Since 6.2.5 the upgrade procedure will fail gracefully, allowing administrators to fix the configuration before proceeding.
Also, the CT log publisher will now use the the java system settings for http_proxy, which were previously ignored.
Known issues
One test failure on DB2: ECA-3298
SSLv3 is still available for use, but is considered vulnerable due to the POODLE exploit
EJBCA 6.2.4
This is a maintenance release introducing two new features, foremost of which are Private Domains for the Certificate Transparency (CT) Protocol and a change in the behavior of the OCSP default responder. All in all, 19 issues have been fixed.
Noteworthy changes
The OCSP default responder is now configurable from the GUI. Old configurations in ocsp.properties will automatically be migrated, and the configuration
line should be removed from ocsp.properties.The OCSP default responder will now reply for all external CAs that don't have a specific OCSP keybinding set. See UPGRADE document and documentation for further information.
CertSafe publisher now works in JDK6
An annoying but harmless error message which appeared in ant install has been removed.
Known issues
One test failure on DB2: ECA-3298
SSLv3 is still available for use, but is considered vulnerable due to the POODLE exploit
EJBCA 6.2.3
This is a maintenance release with a new feature, a couple of major and some minor bug fixes and improvements. All in all, 8 issues have been fixed.
Noteworthy changes
Regression: The new Certificate Profile GUI page caused information from one profile to bleed into others due to incorrect scoping
Regression: The install command failed if a certificate profile or token properties file was specified in install.properties due to a couple of missing switches
New functionality: A publisher for Cert-Safe has been implemented
Known issues
One test failure on DB2: ECA-3298
EJBCA 6.2.2
This is a maintenance release with one new feature, some minor bug fixes and minor improvements. All in all, 23 issues have been fixed.
Noteworthy changes
The OCSP responder now supports requests containing Certificate IDs hashed in SHA256
A minor regression where Certificate and CRL caches were not automatically refilled after server restart
CLI no longer prompts twice when asked to prompt for the CLI password
Several issues improving the upgrade procedure
An information leakage issue in the public web concerning end entities sharing the same keys
Known issues
One test failure on DB2: ECA-3298
EJBCA 6.2.1
This is a maintenance release with only bug fixes and minor improvement. All in all, 40 issues have been fixed.
Noteworthy changes
The autoactivate parameter in for the CLI command 'cryptotoken create' has been changed from "
A" to the more explicit "-autoactivate".An XSS issue in the Public Web was patched
Regression: CPS and User Notice defined in Certificate Policy Extensions weren't being written to the relevant certificates
Regression: Soft keystores for CAs created using the CLI were always created with the default password
Known issues
One test failure on DB2: ECA-3298
EJBCA 6.2.0
This is a major release with new features, bug fixes and improvements. All in all, 76 issues have been fixed.
The biggest news in this release is a rework of the local CLI (command line interface), bringing the CLI up to the most modern standard with option handling and manual pages.
Noteworthy changes
Completely reworked command handling of local command line interface (CLI) (See note 2)
It's now possible to import and export Certificate and End Entity Profiles from the GUI
VA machines can be created using a CRL
Certificate and End Entity Profiles can now be imported and exported form the Web GUI
SCEP configuration has been implemented from the Web GUI
If you are customizing the EJBCA public web to be embedded in a frame, note that EJBCA now uses the X-FRAME-OPTIONS HTTP header, preventing web GUIs from being framed in modern browsers.
Some CLI commands have changed names, though legacy support for the old names still remains. Some commands have had to undergo syntax changes, and they are as follows:
General - Explicit password flag for CLI user password has been changed to '--clipassword'
All CLI commands' help pages can be summoned with the '--help' switch
CaImportCACommand - Command performs two different tasks depending on the number of arguments, which are mostly mutually exclusive and unswitched, hence impossible to identify.
CaImportCertCommand - The optional values e-mail, cert profile and ee profile must be used with a switch.
CaInitCommand - The catokenproperties is now optional (no need to substitute with null if unused)
CaRenewCACommand - The <regenerate keys> argument has been turned into a flag (-R), and a switch was added for the Custom Not Before value.
InternalKeyBindingCreateCommand - The "-property" switch is no longer needed. Instead optional properties are loaded dynamically, but must be entered with a "" preceding the property name.
InternalKeyBindingModifyCommand - Multiple "-addtrust" and "-removetrust" are no longer allowed, instead a separator "," may be used. Also, the --property switch is no longer used, instead properties are loaded dynamically and used like with InternalKeyBindingCreateCommand
AddEndEntityCommand - Password parameter now input with --password flag, leaving blank will prompt. subjectAltName and email have been made optional and equipped with flags. certificateprofile, endentityprofile and hardtokenissuer have been given flags. hardtokenissuer options won't appear at all unless hard tokens been turned on.
Services - The -listFields|-listProperties switched have been turned into commands instead
ServiceCreateCommand/ServiceEditCommand - properties are sent in as a single command instead, at least until Services can be properly refactored and made more dynamic.
Known issues:
One test failure on DB2: ECA-3298
EJBCA 6.1 Release Notes
EJBCA 6.1.3
This is a maintenance release with only minor bug fixes. In all 4 issues have been fixed.
Noteworthy changes
Fixed a small typo and some localizations in a few GUI messages.
Backport some fixes to the statedump command (Enterprise only).
EJBCA 6.1.2
This is a maintenance release with only one bug fixes. In all 1 issue have been fixed.
Noteworthy changes
Fixed an issue where browser enrollment link was generated with incorrect encoding
See the notes, and known issues, for 6.1.0 below.
EJBCA 6.1.1
This is a maintenance release with a few bug fixes. In all 4 issues have been fixed.
EJBCA 6.1.0 was never distributed publicly.
Noteworthy changes
Fixed some regressions that prevented 6.1.0 from functioning optimally.
See the notes, and known issues, for 6.1.0 below.
EJBCA 6.1.0
This is a major release with new features, bug fixes and improvements. In all 32 issues have been fixed.
The biggest news in this release are support for EAC 2.10 access control templates, more OCSP improvements as well as improvements for Key Recovery.
Noteworthy changes
OCSP improvements and new features related to RFC 6960, minimizing size of OCSP responses (see note below).
Implemented OCSP signing algorithm including client requested algorithms.
CVC certificate profiles (ePassport PKI) now supports EAC 2.10 access control templates.
Improvements to Key Recovery enabling encryption key rollover and providing more information about encryption keys.
Windows build/install is now working.
ManagementCA created during a default install now uses SHA256WithRSA.
EJBCA now compiles (deployment/running not supported however) on WildFly 8 and Glassfish 4, also using Java 8.
EJBCA can now use certificate serial number longer than 64 bits.
Minor improvements and fixes to make life easier for everyone.
Note 1: OCSP responses no longer includes the Root CA Certificate, unless the Root CA is the OCSP signer, and it is configured to include the signer certificate. Having OCSP responses as small as possible is an important performance feature, and since the
client must have the root certificate as trusted there is no need to include the root certificate in the chain.
Note 2: In EJBCA 6.1.0 the Public Web interface logo filename was changed. If you have customized your own logo, you need to rename the logo filename from 'logotype.png' or 'ejbca_pki_by_primekey_logo.png' to 'banner_ejbca-public.png'.
Known issues
EJBCA 6.0 Release Notes
EJBCA 6.0.4
This is a maintenance release with new features, bug fixes and improvements. In all 53 issues have been fixed.
The biggest news in this release is support for Certificate Transparency in EJBCA Enterprise.
Apart from that all issues reported from installations of EJBCA 6.0.3 has been fixed.
One of the fixes is a security fix. The security issue is rated as low, and can lead only to excessive CPU usage, if exposed to untrusted networks.
Noteworthy changes
Support for Certificate Transparency, RFC6962 (EJBCA Enterprise only).
Support for JBoss EAP 6.2 that changed default behaviour when creating datasources.
SCEP GetCACaps command now works from iOS.
Ensure that OCSP RFC5019 responses with nonces are not cached.
Minor Command Line improvement.
Fixed most issues reported from installations of EJBCA 6.0.3.
Known issues
EJBCA 6.0.3
This is a maintenance release with bug fixes, new features and improvements. In all 21 issues have been fixed.
Noteworthy changes
Support for OCSP extended revoked status compliant with RFC6960.
Ensure OCSP RFC5019 responses with unknown response code are not cached, compliant with CABForum discussions.
Add OCSP archive cutoff date for expired certificates.
Speedups starting the Command Line Interface.
Bug fixes for Internal Key Bindings.
Known issues
EJBCA 6.0.2
This is a maintenance release with bug fixes and improvements. In all 12 issues have been fixed.
Noteworthy changes
Fix some issues with, and improve, OCSP signing cache reloading.
Fix rotation of safer log4j logs.
Support returning revoked for non issued certificates, instead of unknown (RFC6960).
Minor CMP improvements, including full chain in responses and improve GUI.
EJBCA 6.0.1
This is a maintenance release with bug fixes and improvements. In all 13 issues have been fixed.
Noteworthy changes
Improve statedump command (Enterprise).
Fix bug causing OCSP healthcheck to always return error.
Minor security fix and improvement.
EJBCA 6.0.0
EJBCA 6.0.0 is the latest major release of EJBCA, and both introduces and redefines a number of core concepts. Foremost amongst these are:
Main Changes
The concept of Crypto Tokens has been introduced in order to separate CAs from the keys tied to them. Crypto Tokens allow for reuse of keystores between CAs or for other services like OCSP, and make configuration of keystores, both hard and soft, far simpler.
For additional information see Admin Guide and http://blog.ejbca.org/2013/08/whats-new-in-ejbca-6-part-1-crypto.html
CMP is now fully configurable in the Admin GUI, and you can simultaneously use multiple different CMP configurations, called CMP aliases. For additional information see Admin Guide and http://blog.ejbca.org/2013/09/whats-new-in-ejbca-6-part-2-cmp-aliases.html
There is a new concept of Internal Key Bindings to bind a Crypto Token to a certificate for different usages, OCSP signing and TLS authentication. For additional information see User Guide and http://blog.ejbca.org/2013/10/whats-new-in-ejbca-6-part-3-internal.html
The merging of EJBCA and VA deployments. VA deployments are no longer anemic versions of EJBCA, instead all VA functionality has been merged into EJBCA proper. This for a single installation procedure, and for a machine to function as a CA and a VA simultaneously.
Other Noteworthy Changes
Internal OCSP services are no longer configurable from the CA, but are instead automatically set up and always active.
OCSP code has been brought up to CESeCore standard
The installation work-flow and ant targets have changed to be more logical for deployment and installation.
'Certificate Request History' is now disabled by default for new CAs.
PKCS11 crypto tokens can now be managed by slot label (in addition to slot number and index)
JBoss 7.1 and EAP 6 are now supported
Java 7 is now the default recommended Java version.
Minor Changes
The term 'Admin Group' has been mostly purged and replaced with 'Role', as has the term 'User' been replaced by 'End Entity'
Changes to certificate profiles:
The PKIX QCSyntax-v1 identifier from RFC3739 has been removed and will never be generated.
If "PKIX QCSyntax-v2" in the Certificate Profile is unchecked, no QCStatement with QCSyntax will be generated (new behavior).
If "PKIX QCSyntax-v2" in the Certificate Profile is checked, a QCStatement with PKIX QCSyntax-v2 will be generated (same as before).
The default management CA has been renamed from AdminCA to ManagementCA.
Many many minor features, improvements and bug fixes (over 300 issues are resolved for this release)
Known issues
EJBCA 5.0 Release Notes
EJBCA 5.0.14
This is a maintenance release with only minor bug fixes. In all 2 issues have been fixed.
Noteworthy changes:
Fix problem, in some cases, when adding administrators with similar names.
Default CA in OCSP responder can now handle CA DNs of any order.
EJBCA 5.0.13
This is a maintenance release with only minor bug fixes, where one is a security fix. In all 4 issues have been fixed.
The security issue is rated as low, and can lead only to excessive CPU usage, if exposed to untrusted networks.
Noteworthy changes:
Some versions of MySQL picks bad index mixing OR and AND, so we make two generically safe queries instead.
Fixed a regression where using a sun config file for PKCS11 (not the normal case) did not work.
EJBCA 5.0.12
This is a maintenance release with only security fixes.
Two cross site scripting vulnerabilities were discovered in EJBCA and fixed accordingly.
The vulnerabilities are rated as low, with a CVSS score between 1 and 3 (depending on subjective assessments).
The complexity to exploit the vulnerabilities is considered high and requires knowledge of the internal CA network as well as social engineering, or malicious internal super administrators.
The consequences of an exploit is considered low, as no administrator credentials can be stolen, and full audit logs of all actions are preserved.
We recommend that you assess the need to upgrade based on your particular deployment of EJBCA. Most CA deployments are largely
immune due to environmental isolation.
EJBCA 5.0.11
This is a maintenance release with new features, improvements and bug fixes. In all 12 issues have been fixed.
Noteworthy changes:
Possibility to store the Base64 certificate data in a separate table.
Fixed possible database rollback when CRL publishing failed.
Support for multiple Vendor CA in CMP for 3GPP/LTE networks.
Allow to use token label to reference PKCS#11 slots.
Support ECDSA for automatic key renewal in OCSP responder.
Added a new WS keyrecovery method for specified certificates.
Add hostname in startup log.
Add configuration option for forbidden characters.
EJBCA 5.0.10
This is a maintenance release with new features, improvements and bug fixes. In all 20 issues have been fixed.
Noteworthy changes:
Added lots of CLI improvements to create subCA signed by external CAs, edit CAs and profiles, and add and edit services.
It is now possible to create CAs, using the CLI, with explicit ECC key encoding in CA certificate. Useful for ePassport installations.
When creating link certificates they are now issued using the same certificate profile as the CA is using.
Improved support for Elliptic Curve Cryptography (ECC) using the CMP protocol. You can now use CMP in a Suite B compliant way.
The LDAP publisher now supports STARTTLS extension, in addition to pure TLS connections.
The batch enrollment GUI can now use JKS keystores, in addition to PKCS#12 keystores.
Healthcheck messages are now logged in debug log, for easier troubleshooting.
EJBCA 5.0.9
This is a maintenance release with improvements and bug fixes. In all 14 issues have been fixed.
This release contains a minor security fix.
Noteworthy changes:
New ClientToolbox sub-command: 'batchgenerate'
CMP vendor certificate authorization
Cache for publishers
EJBCA compiles and runs on JDK7
Fixed upgrade failure
Fixed revocation not performing as expected in all circumstances
Fixed renewal not always persisting the keys
Minor bugfixes and improvements
Please notice the upgrade of BC jars if you are using Oracle JDK.
EJBCA 5.0.8
This is a maintenance release with improvements and bug fixes. In all 12 issues have been fixed.
Noteworthy changes:
Improved robustness of 'ejbca.sh ca importcertdir' command.
It is now possible to obfuscate log signer key password.
Fixed a but with CMP certificate authentication.
Minor bugfixes.
Please notice the upgrade of BC jars if you are using Oracle JDK.
EJBCA 5.0.7
This is a maintenance release with only a security fix.
Noteworthy changes:
Fixed minor administrator escalation issue
Please notice the upgrade of BC jars if you are using Oracle JDK.
EJBCA 5.0.6
This is a maintenance release with a few bug fixes but also new features. In all, 35 issues have been resolved.
Noteworthy changes
- Support for German CertHash OCSP extension for Common PKI.
- Add rate limit for health check queries.
- Add Extended Key Usage for WiFi EAP.
- Fixed download of CA certificates with plus character in CA DN.
- Fixed key recovery when CA signed by External CA.
- Fixed a few upgrade glitches when upgrading from EJBCA 4.
- Fixed re-activation of suspended certificates through VA-publisher.
- Fixed potential privilege escalation issue for certain, non default, configurations.
- Fixed many other minor issues making deployment smoother.
Please notice the upgrade of BC jars if you are using Oracle JDK.
EJBCA 5.0.5
This is a maintenance release with a few bug fixes and new features. In all, 26 issues have been resolved.
Noteworthy changes
- Index recommendations have changed.
- CVC CAs can now be created from the Command Line Interface.
- EJBCA now supports Japanese localization
- Fixed bug where recursive deny rules caused deny for system user.
- Overall performance increases
- Removed redundant and excessive logging to audit logs
EJBCA 5.0.4
This is a maintenance release with a few bug fixes and new features. In all, 20 issues have been resolved.
Noteworthy changes
- OCSP: Possibility to only publish revoked certificates to Validation Authority.
- OCSP: Possibility to treat "non existing is good" based on URI on the Validation Authority.
- Do not allow creation of CAs using weak keys.
- Add Kerberos extended key usages.
- Add possibility to specify certificate profile to CA init CLI command.
- Fix a few more tests on windows platform.
- Fixed minor security issues in admin web.
- Fixed a few cosmetic issues improving usability.
EJBCA 5.0.3
This is a maintenance release with a few bug fixes and new features. In all, 16 issues have been resolved.
Noteworthy changes
- CMP: SenderKeyID no longer needs to be set in the request if it is not needed.
- CMP: KeyUpdateRequest works in RA mode as well as in client mode.
- CMP: It is now possible to skip verification of a CertConfRequest if desired.
- CMP: The CMP Proxy can now debug logging actual CMP messages.
- Approvals now work when approval requests were created using the CLI.
- Fixed all tests running on Glassfish and Windows platform.
- Fixed few minor XSS issues and other minor bugs
EJBCA 5.0.2
This minor release primarily addressed issues that cropped up during manual testing for Common Criteria
certification. Quite some effort was also put into stabilizing the 5.0.x release.
Noteworthy changes
- Support has been added for incorporating external plugins in the EJBCA EAR file at build time.
- Some XSS issues have been corrected.
- Authorization checks have tightened up in accordance to Common Criteria demands.
- Access rules for logging have finally been reconciled between CESeCore and EJBCA. The implication of this is
that the old EJBCA rules have been converted to the newer CESeCore rules, while those rules lacking application
in the new Secure Audit logging have been removed (all old rules matching /log_functionality/view_log/*_entries).
Thus in the new logging system it is no longer possible to add rules to a role allowing that rule to only view a
certain type of log event depending on what entry that event was registered as. Old rules are upgraded during
<ant post-upgrade>, which means that Supervisor roles won't work until this step is performed. Installations made in
5.0.0 or 5.0.1 need to be upgraded manually (see UPGRADE document), while installations upgraded from 4.0.x will have
their rules upgraded as part of the standard upgrade procedure.
- Chinese characters are now supported in DN attributes for End Entity Profiles.
- Lots of small bug fixes.
EJBCA 5.0.1
This minor release primarily fixed some CMP issues, one regression that was introduced in 5.0.0 and introduced
support for functionality from RFC4043 and RFC4325.
Noteworthy changes
- Support for Permanent Identifiers (RFC4043)
- Support for authorityInformationAccess in CRLs (RFC4325)
- Split xdocs in two separate sites, ejbca.org site and documentation site
- Documentation of EJBCA Djigzo integration
EJBCA 5.0.0
This major release marks a new step as EJBCA is now built on the Common Criteria certified secure core: CESeCore. The
negative implications of this for the end customer should be minimal, as database changes are few and far between, and
there is a clear upgrade path from EJBCA 4.0.x
CESeCore primarily provides two new features that will be of interest to the end user:
- The old database audit log system has been removed and replaced by a new security audit function that is capable of storing integrity protected audit records in the database.
- Integrity protection has been introduced to essential tables. This means that rows in these tables can't be modified through direct database interaction without invalidating the row.
Additionally, the following feature has been introduced.
- The Command Line Interface now uses authentication. Users are drawn from the standard End Entities list, and have the same respective roles. A default CLI user is created as a part of startup/upgrade in order to allow allow the CLI to be used without authentication,
and can be turned off from the Administration Interface. This user is defined in ejbca.properties
For administrators, the following changes are worth noting:
- When upgrading from 4.x to 5.x new approval requests created in a 5.x instance can not be read in a 4.x instance. So if you require uptime and roll-back capabilities, only allow to create new approval requests from an 4.x host.
- A "Super Administrator Role" is created during either bootstrap or upgrade to create a role for the default CLI user.
- 'Admin Groups' have been renamed 'Roles'. Relevant database tables remain unchanged.
- 'Admin Entities' are now referred to as 'Access User Aspects'.
- 'Users' are now ubiquitously referred to as 'End Entities'.
- Usage of access rules have in some cases changed, and some new access rules have been added (edit publishers). After an upgrade to 5.0, verify your roles and privileges.
EJBCA 4.0 Release Notes
EJBCA 4.0.16
This is a maintenance release containing a new feature and two bug fixes. In all 3 issues have been resolved.
Noteworthy changes
- Possibility to store the Base64 certificate data in a separate table.
- Fixed possible database rollback when CRL publishing failed.
EJBCA 4.0.15
This is a maintenance release containing a few new features and improvements. In all 5 issues have been resolved.
Noteworthy changes
- Possibility to create link certificates using the same certificate profile as the CA.
- LDAP publisher can publish certificate serialnumber to special object class inetOrgPersonWithCertSerno.
- Add missing variables C and UID to end user notification emails, by David Carella.
Note: There is a change in the LdapPublisher class API. Custom publishers overriding the LdapPublisher must be updated.
EJBCA 4.0.14
This is a maintenance release containing a few new features and improvements. In all 5 issues have been resolved.
Noteworthy changes
- Active certificates published to a VA publisher that only publishes revoked certificates are no longer stored in the queue.
- Publishers are cached for improved performance.
- New and fixed settings that makes EJBCA work better behind an Apache using ProxyPass, by David Carella.
- Some passwords are not displayed in the console during build anymore, by David Carella.
EJBCA 4.0.13
This is a maintenance release containing a few new features and improvements. In all 25 issues have been resolved.
Noteworthy changes
- New self-registration work-flow available in the public web.
- Added extended key usage for WiFi EAP authentication.
- Some build improvements to avoid issues on some platforms (no javascript, no jasper).
- More minor GUI improvements by David Carella of Linagora.
- Minor bug fixes.
EJBCA 4.0.12
This is a maintenance release containing a few new features and improvements.
Noteworthy changes
- Possibility for External OCSP responder key renewal at absolute times.
- Certificate expiration notifier can now filter on certificate profiles, not only CAs.
- A publisher for sampling of issued certificates.
- Added user friendly output of certificate profile dependencies when deletion can not be done.
- A new language tool for developers and localizers, by David Carella of Linagora.
- OCSP rekeying now works on JBoss 6.1.0 and JBoss EAP5
EJBCA 4.0.11
This is a maintenance release containing a few new features, GUI improvements and support for Japanese.
Noteworthy changes:
- Support for Japanese in the admin GUI, by OGIS-RI Co.
- Possibility to use custom revocation dates.
- Possibility to use aliases in RFC4387 CRL download links.
- Fixed support for special characters in filenames in export profiles cli command.
- Admin GUI improvements for looks and consistency, by David Carella of Linagora.
EJBCA 4.0.10
This is a maintenance release containing 1 new VA publisher feature, 1 security fix and GUI improvements..
Noteworthy changes:
- Possibility to only publish revoked certificates to VA.
- Possibility for OCS to handle "non existing is good" different depending on OCSP uri.
- Fixed XSS issue in admin GUI.
- Admin GUI improvements for looks and consistency.
David Carella has contributed many GUI improvements for the last few releases.
- forms and tables are colored according to consistent rules.
- all forms and tables are split in several logical sections.
- all similar fields (e.g. “[_] Use”, “[_] Critical”, “[_] Required”, “[_] Modifiable”, etc.) are vertically aligned.
- all check boxes (and radio boxes) can be checked by clicking on its label,
- two rules for in-line help for PKI administrators and RA officers.
- forms are globally more compact (the page heights are smaller).
- naming of certain object are more consistent across the web.
EJBCA 4.0.9
This is a maintenance release containing 1 security bug fix.
Noteworthy changes
- Fixed XSS issues in admin GUI.
EJBCA 4.0.8
This is a maintenance release with a few bug fixes and new features. In all, 16 issues have been resolved.
Noteworthy changes
- CMP: SenderKeyID no longer needs to be set in the request if it is not needed.
- CMP: KeyUpdateRequest works in RA mode as well as in client mode.
- CMP: It is now possible to skip verification of a CertConfRequest if desired.
- CRL: More efficient CRL download
- AdminGUI: Improvement in the appearance.
- Fixed few minor XSS issues and other minor bugs
EJBCA 4.0.7
This is a maintenance release with a few bug fixes and a new feature. In all 10 issues have been resolved.
Noteworthy changes
- Fixed a bug reading large OCSP requests over HTTP 1.1 using chunked encoding.
- Fixed a few minor XSS issues.
- Fixed an issue where building the Validation Authority (VA) failed on specific platforms.
- The VA health-check URL is now what it is claimed to be in the property file. You will need to reconfigure devices monitoring this URL.
- Documented EJBCA integration with Djigzo
- Added a plug-in build system.
- Improved support for Chinese in the admin GUI.
EJBCA 4.0.6
This is a maintenance release with a few bug fixes and a new feature. In all 4 issues have been resolved.
Noteworthy changes
- Improved CMP by supporting KeyUpdate requests is client mode.
- Fixed importing empty CRL via CLI
- Fixed two minor bugs
EJBCA 4.0.5
This is a maintenance release with a few improvements and bug fixes. In all 7 issues have been resolved.
Noteworthy changes
- Correct comparison of public key in HSM and CA certificate
- Fixed regression during republish
- Many small bug fixes.
EJBCA 4.0.4
This is a maintenance release with a few new features and bug fixes. In all 33 issues have been resolved.
Noteworthy changes
- Improved CMP with many new authentication modules in both client and RA mode, and support for Nested content
- Support for custom certificate extensions with raw or RA defined values.
- Many small bug fixes.
EJBCA 4.0.3
This is a maintenance release with a few improvements and bug fixes. In all 5 issues have been resolved.
Noteworthy changes
- Improved CMP interoperability, with minor improvement and bugfixes.
- Fixed a bug that made it impossible to delete end entity profile on certain databases, in particular hsql (test database).
EJBCA 4.0.2
This is a maintenance release with many improvements and fixes. In all 44 issues have been resolved.
Noteworthy changes
- Internal optimizations makes this the fastest version of EJBCA ever, capable of issuing > 400 certificates/second (depending on configuration).
- Certificate enrollment now works also with Safari and Chrome browsers.
- Support for PrivateKeyUsagePeriod certificate extension.
- Fixed a time zone bug issuing CVC certificates where the date was encoded using local timezone instead of GMT in certificates.
- More admin console and public web improvements from David Carella of Linagora.
- Now uses ISO8601 date format consistently when entering dates in admin console.
- Automatic generation of Norwegian UNID numbers from CMP requests.
- Many small bug fixes and improvements.
The ISO8601 date format (yyyy-MM-dd HH:mm:ssZZ) is used in the Admin GUI and EJBCA WS interface, so clients no longer have to be aware of in what time zone the CA servers are located.
The old format (in US Locale) will still work for incoming requests in the WS, but any returned UserDataVOWS containing custom start and end date will use the new format.
If you get a "java.lang.NoSuchMethodError" in the admin GUI it is because JBoss does not clean temporary files very good.
Delete the directories JBOSS_HOME/server/default/tmp and JBOSS_HOME/server/default/work and restart JBoss to get it working.
EJBCA 3.11 Release Notes
EJBCA 3.11.5
This is a maintenance release containing 1 security bug fix.
Noteworthy changes
- Fixed XSS issues.
EJBCA 3.11.4
This is a maintenance release containing 1 security bug fix.
Noteworthy changes
- Fixed XSS issues in admin GUI.
EJBCA 3.11.3
This is a maintenance release containing 3 bug fixes.
Noteworthy changes
- Certificate enrollment now works also with Safari and Chrome browsers. (Backport from EJBCA 4.0.2.)
EJBCA 3.11.2
This is a maintenance release containing 11 bug fixes, and 12 new features/improvements.
Noteworthy changes
- Several bug fixes
- Increased algorithm support on PKCS11 HSMs
- Added a webservice based RA written by Daniel Horn
- Possibility to disable the command line interface
- New CA CLI commands to import CRLs and certificates which are useful when migrating to EJBCA
EJBCA 4.0.1
This is a maintenance release - only one issue is resolved.
Noteworthy changes
- Fixed failure to perform web browser enrollment with Internet Explorer.
EJBCA 4.0.0
EJBCA 4 uses Java Enterprise Edition (JEE) 5 instead of J2EE. This release is a major improvement of the core, modularization, portability and packaging, but you will not notice many functional
differences.
The database schema is fully defined through the Java Persistence API and table create scripts are provided for all the supported databases.
The Ingres database can now be used with EJBCA without patching the code.
Many bugs have been corrected. For example EJBCA Services will run more stable in a clustered environment.
The interface ICustomPublisher has been modified, via removal of the number parameter from the storeCRL method. Any custom classes implementing this interface need to be modified.
Java 1.6 and Ant 1.7.1 or higher is required from this version on.
For upgrade instructions, please see UPGRADE and have a look in the installation instructions for notes on how to configure your application server.
Known issues (see EJBCA issue tracker for a more updated version):
- XKMS Signature validation does not work. (ECA-2078)
- OCSP re-keying on JBoss 6.0.0.FINAL does not work. (ECA-2077)
EJBCA 3.11.1
This is a maintenance release - 16 issues have been resolved. Only fixes and layout improvements, no new features.
This release fixes an upgrade issue from 3.6.x to 3.11.x and also a MySQL/MyISAM related issue in the 3.11.0 release.
A few uncaught regressions from 3.10.x and 3.11.0 were fixed, and as usual David Carella of Linagora added some Admin GUI layout improvements.
Noteworthy changes
- It is now possible to easily upgrade from EJBCA 3.6.x to 3.11.x
- Fixed a MySQL mapping that did not work when using the MyISAM storage engine and UTF-8 encoding.
- ETSI QC value limit can now have the value zero.
- Admin GUI improvements from David Carella of Linagora.
- Added a favicon to the EJBCA web interfaces.
- Fixed an issue causing cached end entity profiles (not default) to be changed for some actions in the admin GUI.
- Fixed an issue where session information spilled over to other edits when using the "Back to certificate profiles" link.
- Fixed an issue where using the required flag on Cardnumber in a end entity profile gave error about missing unstructured address.
This also resolved an issue where the DN field Unstructured Address did not work.
NOTE: If you have been using the SEIS Cardnumber extension in End Entity Profiles (not default), this setting had an internal collision with the UnstructuredAddress DN field, so they could not be used at the same time. There was a problem using the UnstructuredAddress lately.
The issue was resolved by changing the internal number for Cardnumber. This is not possible to upgrade automatically.
* If you used SEIS Cardnumber * you must manually edit your end entity profiles and re-check the 'use' checkbox after upgrade to 3.11.1.
This should affect a very small number of users.
EJBCA 3.11.0
This is a major release with several new features - 47 issues have been resolved.
One major goal with this release is to prepare for a seamless migration to EJBCA 4.0. To make the migration path to EJBCA 4.0 a simple plug-in upgrade, EJBCA 3.11 introduces database changes needed to make the schema fully compatible and consistent across all supported databases.
Upgrade to EJBCA 3.11 should be simple as usual, just follow the instructions in doc/UPGRADE.
Noteworthy changes
- Possibility to configure CA not to use certificate and user store, meaning that CA can issue certificates without having to access database after service startup.
- External OCSP responder can now function as a validation authority serving OCSP, CRLs and CA certificates.
- Certificate store access via HTTP according to RFC4387 standard.
- Possibility in WebService Interface to specify extended information when editing users.
- Possibility to specify custom certificate serial number for end entities using CMP protocol. CMP RA secret can now also be specified per CA.
- Upgrade database schema to be consistent across databases.
- Add a few new columns to database tables, a preparation to be used in EJBCA 4.0.
- Improvements in the Glassfish support, now also usable with Oracle database.
- Several other new features and extended key usages, GUI improvements and performance enhancements - many of which are contributed by Linagora.
Important notes
1. If you have a very large database (>1 million issued certificates) you can probably not run the database schema upgrade scripts automatically, but you want better control of the changes. You can then run the upgrade SQL statements manually. You can find them under src/upgrade/310_311, with an individual sql file for your database.
2. The external OCSP responder module have many added features in this release. This has caused some configuration file changes. See VA Installation documentation. Specifically the CA Publisher datasource configuration has moved from ocsp.properties to va-publisher.properties, a much better location. Health check settings has moved from ocsp.properties to va.properties.
3. The database schema has changed. If you run an external OCSP responder the database schema on that must also be updated for the VA/OCSP publisher to work. The two new columns rowVersion and rowProtection does not have to be set to any specific value.
4. The error message when publishing fails has changed from "EXTERNAL OCSP ERROR" to "Validation Authority ERROR". If you have scripts monitoring this, they must be updated.
EJBCA 3.10 Release Notes
EJBCA 3.10.6
This release is a very small maintenance release to mark the end of the 3.10 branch, anticipating 3.11.0 to be released withing a few days.
If you are running 3.10.5 with no issues, there is no real reason to upgrade to 3.10.6.
Noteworthy changes
- ExtendedInformation, such as issuance revocation reason, can now be added when editing users with the WebService API.
The release also fixes four minor or exotic bugs.
Note: The WebService WSLD has changed for adding ExtendedInformation in the UserDataVOWS object.
Old WS clients without this should still work and we have tested with older EJBCA clients.
However if you depend on the WS-API you must test in your environment before bringing this new version in production.
EJBCA 3.10.5
This is a maintenance release with 37 issues resolved, both features and bug fixes.
Noteworthy changes
- Fixed admin GUI error running on JBoss 5.
- Fixed some issues with audit and approvals when using admin certificates issued by an external CA.
- Harmonized admin GUI and improved looks. Contributed by David Carella of Linagora.
- Added and improved caches of profiles and CAs, improves performance. CLI for clearing caches.
- Fixed installation issue on Windows when JBoss installed in root directory.
- Fixed re-publishing of certificates when CertReqHistory is not used. CertReqHistory is enabled by default for new CAs.
- Updated German translation, contributed by Atos Origin.
- Support unrevocation using WS-API.
There were many changes in the admin GUI for this release. Please let us know if you encounter any regressions using the admin GUI.
EJBCA 3.10.4
This is a maintenance release with 23 issues resolved, both features and bug fixes.
Noteworthy changes
- Possibility to specify custom certificate serial number for end entities.
- Possibility to configure CA to not use CertReqHistory to increase performance.
- Harmonized admin GUI and improved looks. Contributed by David Carella of Linagora.
- Other performance optimizations. More than 100 certificates per second can now be issued under certain conditions.
- WS API did not work with external administrator certificates.
- Mitigate potential XSS vulnerabilities in admin GUI.
- Fixed bug when creating CRLs for CAs with single quote in the DN.
- Other admin GUI improvements with better error messages in some cases.
One known issue from 3.10.4 is https://jira.primekey.se/browse/ECA-1779
There were many changes in the admin GUI for this release. Please let us know if you encounter any regressions using the admin GUI.
EJBCA 3.10.3
This is a maintenance release with only 6 issues fixed.
The release was primarily done to fix a regression for EAC CVC CAs using ECC keys.
Noteworthy changes
- EAC CVC Document Verifiers using ECC keys did not work properly. This was fixed and new test cases was added to the test suite.
- Removed requirement to use "Batch generation" when using CMP RA mode.
- Fixed issue that revocation in admin gui did not work with CAs using accented characters.
- Added code to mitigate potential cross site scripting in admin gui. Note that client certificate authentication was still needed so it was not publicly exploitable.
- Added UTF-8 URI encoding for the public http port (8080). It was previously only enabled for the https ports.
EJBCA 3.10.2
This is a maintenance release with a new features, improvements and several bug fixes. 36 issues in total have been resolved.
With this release 3.10.2 is the preferred release for all installations.
We believe that most regressions resulting from the large restructuring in 3.10.0 is resolved.
Noteworthy changes
- CMP proxy module.
- Improved transaction isolation and performance in CMP.
- Improvements for JBoss 5.
- Possibility to Enforce unique SubjectDN Serial Number.
- Framework for validation of the contents of end entity fields.
- Fixed some regressions in the admin GUI related to cross certification and CV certificates.
- Possible to define custom CN of superadmin on install.
- Update pre-defined windows smart card logon profiles.
- Output the servers time to the first page of the Admin GUI.
- Supervision of the OCSP responder certificate validity in the standalone OCSP responder.
- Many minor bug fixes related to the big restructure in 3.10.0.
- Minor security enhancements.
In EJBCA 3.10.2 the Exception handling for NotFoundExceptions when a user does not exist was slightly overhauled.
This effected some WS-API calls (findCerts, getLastCertChain and getHardTokenData). The behavior of the methods are unchanged, but if
you have handling for such errors you should double check the error handling anyhow. Javadoc has been updated where it was previously not clear.
EJBCA 3.10.1
This is a maintenance release with a few new features, some improvements and several bug fixes. 33 issues in total have been resolved.
Noteworthy changes:
- New WS-API methods for renewing CAs. This enables the possibility for automated SPoCs in an EAC ePassport PKI.
- New CMP proxy module letting you have a separate server terminating CMP connections and then forwarding them to the CA.
- Possibility to renew CAs without activating new keys, enabling the CA to continue working until a new certificate is imported.
- Support for SHA384WithECDSA signature algorithm.
- Fixed deployment on JBoss EAP 5.0.0.
- Fixed admin GUI bug with problems selecting privileges for RA administrators.
- Fixed some issues with cli and renewal of expired CAs.
- Fixed a bug with cli for getting delta CRLs.
- Other minor bug fixes.
Note that there is a new access rule for "Renew CA". An administrator with renew CA privileges is authorized to renew CA and import certificate response (from an external CA). Previously only super administrator was allowed to to this.
CA administrators bye default has this new privilege. If you do not want them to have this privilege you can disable it in Advanced mode in the edit privileges section of the admin GUI.
The new privileges can be used together with the new WS-API functions and CLI to renew specified CAs.
To be authorized the administrator need both the new "Renew CA" privilege and and be authorized to the specific CAs.
The methods in CAAdminSessionBean that have changed privileges are renewCA, makeRequest and receiveResponse.
EJBCA 3.10.0
This is a major release with lots of internal reorganisations, new features and fixes.
NOTE:
A user that is requesting a certificate with same public key or subject DN as an existing certificate issued to another user is now denied the certificate. If this will result in any problem in your installation you may disable any of these checks on the "Edit CA" page. You can read more about it in the user guide.
Noteworthy changes
- Restructuring and refactoring to improve maintainability, prepare for the EJBCA 4 release and Common Criteria certification.
- Web Service method for creation or update of a user and creation of a certificate in a single transaction.
- Enforcement of unique public keys and subject DNs.
- New External RA API GUI for browser enrollment without ingoing traffic to the CA.
- Support for Ingres 9.3.
This version removes the SafeNet Luna JCE class for use as a CA Token. You must now use the more generic, and well tested, PKCS#11 CA token type instead.
The usage of PKCS11 CA tokens is well documented in the Admin Guide.
EJBCA 3.9 Release Notes
EJBCA 3.9.10
This is a maintenance release with one backported fix from 4.0.
Changes:
- Better handling of X.500 DN order with multiple attributes (e.g. DC, OU)
EJBCA 3.9.9
This is a maintenance release with one new feature and a few backported fixes from 3.10.
Changes:
- ExtendedInformation, such as issuance revocation reason, can now be added when editing users with the WebService API.
- Added correct URIEncoding also for port 8080 in Tomcat's server.xml.
- Fixed Issuer CA DN HTML escaping when revoking through Admin GUI.
Note: The WebService WSLD has changed for adding ExtendedInformation in the UserDataVOWS object.
Old WS clients without this should still work and we have tested with older EJBCA clients.
However if you depend on the WS-API you must test in your environment before bringing this new version in production.
EJBCA 3.9.8
This is a maintenance release with only three fixes.
Changes:
- Supervision of the validity time of the signing certificates for the OCSP responder.
- The CAR of a CV Certificate can hold an incorrect sequence number (which makes the CAR incorrect).
- Upgrade may cause "use authority information access" to be enabled though it was not before in certificate profile.
EJBCA 3.9.7
This is a maintenance release with only four fixes.
Noteworthy changes
- Fixed an error when creating DVs signed by external CVCAs (EAC ePassport only).
- Give better error message when the same public key is passed in initial CVC request (EAC ePassport only).
- Log OCSP responder startup and shutdown.
- Fix possible NullpointerException in EjbcaWS.getAvailableCertificateProfiles.
EJBCA 3.9.6
This is a maintenance release with two new features, and five minor fixes.
Noteworthy changes
- New WS-API methods for renewing CAs. This enables the possibility for automated SPoCs in an EAC ePassport PKI.
- When renewing CA keys for CAs signed by external CAs you can now choose to not activate the new keys. This enables your CAs to continue working uninterrupted until a certificate response is received and imported.
- Errors when using approval notifications are fixed.
- The getcrl cli command can now also retrieve delta CRLs.
- Two other minor fixes for CA renewal.
Note that there is a new access rule for "Renew CA". An administrator with renew CA privileges is authorized to renew CA and import certificate response (from an external CA). Previously only super administrator was allowed to to this.
CA administrators bye default has this new privilege. If you do not want them to have this privilege you can disable it in Advanced mode in the edit privileges section of the admin GUI.
The new privileges can be used together with the new WS-API functions and CLI to renew specified CAs.
To be authorized the administrator need both the new "Renew CA" privilege and and be authorized to the specific CAs.
The methods in CAAdminSessionBean that have changed privileges are renewCA, makeRequest and receiveResponse.
EJBCA 3.9.5
This is a maintenance release with minor fixes and improvements.
Noteworthy changes
- Fixed a performance regression for the OCSP service that could lower throughput from 400 to 200 req/s.
- Added process time parameter to OCSP transaction logging.
- Fixed and improved usage of the optional IAIK PKCS#11 provider.
- Improve sequence handing for EAC CVC CAs.
- Fixed a bug when renewing CA keys on HSMs.
- Fixed that you could not use a dot in pre-set usernames in end entity profiles.
- Added possibility to install directly with external admin CA, initializing authorization module in importcacert cli command.
- Added possibility to prompt for keystore password during install so you never have to write it anywhere.
EJBCA 3.9.4
This is a minor release with only a few minor fixes.
Noteworthy changes
- Fixed a bug where OCSP responder would not return correct status for archived (expired) certificates.
- Fixed a regression for the (deprecated) SafeNet JCE CA token.
- Fixed a regression where you could not renew expired CAs
- It's not possible to renew soft ECC CA keys in the admin GUI
- All language files are now encoded in UTF-8
- Fixed corner cases where bogus CRLs and certs could be published to LDAP
EJBCA 3.9.3
This is a minor release but packed with new minor features and fixes, 41 issues have been resolved.
Some minor features and options and some bug fixes and stabilizations.
Noteworthy changes
- Fixed a regression in 3.9.2 where you could not upload files in the admin GUI.
- Certificate profiles can now specify a different signature algorithm than the CA. Useful to start migrating SHA1 CAs to issue SHA256 certificates.
- Possibility to use part of user data in LDAP DN but not in certificate DN when publishing certificate to LDAP.
- Possibility to set fixed end date of certificates in certificate profile and CA configuration.
- Possibility to configure several notification services for expiring certificates, notifying at different times, i.e. 30 days, 7 days, etc.
- Browser enrollment tested with Windows 7.
- ECC improvements and fixes for CAs and HSMs, CA renew keys, CA import, brainpool curves, explicit ec parameters, clientToolBox etc.
- GUI improvement to the admin GUI with nicer navigation menu and CSS. Contributed by Linagora, France.
- cert-cvc: fixed rare possibility to get bad encoding of EC points in certificates. Contributed by DGBK, Netherlands.
- CVC CA fixes and improvements for EAC PKI, approvals, import CAs, fix cli info command, .cvcert instear of .crt when downloading certs, etc.
- Don't publish certificates for inactive CA services to LDAP.
- Fix so renewing CA keys in admin GUI does not reload all CA tokens.
- Fixed an OutOfMemory error when failing to publish large CRLs with connection closed error.
- Fix download issues with IE for exported CA keystores.
- Many small optimizations, fixes and improvements.
EJBCA 3.9.2
This is a minor release but packed with new minor features and fixes, 38 issues have been resolved.
Some minor features and options and many bug fixes and stabilizations.
Noteworthy changes
- Sign and verify of files with clientToolBox when the private key is stored on a HSM.
- Possible to limit signing keys for an external OCSP responder to keys within a set of key aliases.
- Add support for the TSL signer extended key usage
- Use improved validity period parsing in Certificate Profiles
- Add option to use publisher queue or not for CRLs and certificates
- Document MS application policies extension
- Fixes for ejbcaClientToolBox.bat for windows platform
- Timeouts for LDAP publishers to handle unstable LDAP servers
- For issue where CRL service may stop running if database is stopped for some period
- Change so that Issuing Distribution Point on CRLs is not used by default in CA configuration
- Fix issue using IAIK provider with several CAs
- Fix slow revocation if a user have many certificates
- cert-cvc: getting expiration date returns 00.00 hours but it means it's valid the whole day
- cert-cvc: bad encoding of EC points in certificates in rare cases where affineX and affineY is not same size
- Many small optimizations, fixes and improvements.
EJBCA 3.9.1
This is a minor release but packed with new minor features and fixes, 46 issues have been resolved.
Noteworthy changes
- Improvements to public enrollment process including automatic renewal.
- Ability to specify approvals on certificate profiles.
- Configurable list of extended key usages.
- Dynamic update of max-age and nextUpdate for OCSP responders, also per certificate profile.
- In CRL update service you can select which CAs to generate CRLs for.
- Possible to schedule CRLs more often than hourly.
- Possible to remove soft CA key and possibility to import it back again.
- Possibility to remove passwords from properties files.
- Support for CRL distribution points with URI:s containing semicolon.
- Transaction log for web service certificate issuance.
- Possibility to specify Any CA in end entity profiles.
- More flexible configuration of CA validity, years, months days.
- Improved error message in GUI when HSM activation fails.
- Many small optimizations, fixes and improvements.
EJBCA 3.9.0
This is a major release adding many new features and improvements, and fixing numerous bugs.
126 issues have been resolved for this release. Check the changelog, there is a good chance that your favorite issue has been resolved.
Noteworthy changes
- Support for CAs using DSA keys. EJBCA now supports all major algorithms; RSA, DSA and ECDSA.
- External RA improvements. CA service running as an EJBCA services gives full cluster functionality and support for multiple external RAs. As a bonus it is now much easier to install and configure.
- Robust re-publishing mechanism for publishers that fail, running as an EJBCA service.
- OCSP responder improvements with performance improvements and support for on-line renewal of OCSP responder keys and certificates.
The external OCSP responder can now saturate high performance HSMs.
- OCSP monitoring tool for monitoring synchronization between EJBCA and external OCSP responders.
- GUI for configuring the external OCSP publisher with new options.
- Possible to change OCSP signing keys in a running external OCSP responder.
- New commands and stress tests in the client toolbox.
- A new admin web gui front page with status overview panels.
- Possible to configure status of certificates issued for end entities, i.e. issue certificate revoked "on hold".
- New DN attribute, Name.
- Performance improvement by caching and lowering number of database queries.
- XKMS now works also on Java 6.
- Possibility to set user validity start and end time in WS API.
- Lots of small fixes and improvements to the admin GUI.
- Lots of small bugfixes.
- Keon CA to EJBCA migration guide.
Note that the configuration of External RA changed dramatically (to the better). If using the external RA, please read the manual how to install and configure the RA CA service in EJBCA 3.9.
Note that this version brings database changes. Read the UPGRADE document for upgrade instructions.
This release should, as always, work on JBoss, Glassfish, Weblogic and OC4J, together with most available databases.
EJBCA 3.8 Release Notes
EJBCA 3.8.3
This is a minor release with only a few fixes
- Fixed unability to deploy on PostgreSQL + Glassfish combination.
- Fixed possible extensive CPU usage for crafted messages to CMP RA service (not default config).
- Fixed Ugly error message in LDAP publisher if no certificate to remove exists.
EJBCA 3.8.2
This is a minor release adding improvements and bugfixes
- Add street and pseudonym DN attributes.
- OCSP improvements, RFC 5019, nextUpdate, support for requests using GET, improved configuration and error handling.
- Correct coding of optional Issuing Distribution Point in CRLs.
- Possible to publish userPassword in LDAP.
- A few minor fixes.
EJBCA 3.8.1
This is a minor release, targeted for adding support for JBoss 5 and fixing a mistake that caused install on Glassfish to fail.
It also adds a few minor improvements and bugfixes.
- Add support for JBoss 5.
- Fix support for Glassfish caused by a forgotten commit in 3.8.0.
- Improve support for Weblogic 10.3.
- Fix support for IPv6 subject alternative names.
- A few minor CMP, OCSP and CVC fixes.
EJBCA 3.8.0
This is a major release, particularly focusing on support for administrators to log in with certificates from other CAs, not in EJBCA.
Noteworthy changes
- Restructure administrator validation to allow admins using externally issued certificates.
- Add a CLI subcommand to add an administrator in an admin group using the serial number.
- Drop administrator flag in end entities, it's not needed, makes configuration easier together with remade admin GUI.
- Possible to generate CA PKCS#10 request without giving CA certificate.
- Add support for SEIS Card Number extension.
- Added KRB5PrincipalName subjectAltName.
- Option in certificate profiles for reversing DN order.
- Enroll for CV certificate on public web.
- Upload PEM or binary certificate requests on public web.
- Possible to sign releases and deployed code.
- Enhanced basic custom certificate extension.
- Command to list objects in Luna HSM partition.
- Some bug fixes.
NOTE: There are database upgrades in this release, so read UPGRADE carefully.
Because there are binary files in EJBCA_HOME/lib changed there is no patch file for upgrading
EJBCA 3.7.x to 3.8.0. Use the full package from EJBCA 3.8.0 and follow the upgrade instructions in UPGRADE.
Note that if using JBoss, you need JBoss 4.2.x or later to run EJBCA 3.8.x.
EJBCA 3.7 Release Notes
EJBCA 3.7.5
This is a minor release that makes a few minor changes in the CVC WS-API and adds a variable in OCSP audit log.
- Allow logging of REPLY_TIME in both audit and transaction logs
- Fixed CVC certificate requests with error leaves user status as new
- Fixed that cvcgetchain does not return latest cert
- Add brazilian portuguese translation of admin GUI
- A few minor bugs
This is a plug-in upgrade from 3.7.x. See UPGRADE for the simple instructions.
EJBCA 3.7.4
This is a minor release that replaces 3.7.3 where initial install was broken. It has a few additional fixes from 3.7.3 as well.
- Substitute email from- and to- as well in user notifications
- Create a built-in Server certificate profile
- OCSP improvements
This is a plug-in upgrade from 3.7.x. See UPGRADE for the simple instructions.
EJBCA 3.7.3
This is a minor release mainly put out to fix building on Glassfish that broke in 3.7.2.
- Fix on Glassfish that was broken in 3.7.2
- Glassfish support for PostgreSQL
- A couple of trivial fixes.
This is a plug-in upgrade from 3.7.x. See UPGRADE for the simple instructions.
EJBCA 3.7.2
This is a minor release with focus on fixing making OCSP optimizations, introducing some minor features and fixing a few annoying bugs.
- Add Intel AMT extended key usage
- Optimize OCSP servlet for better performance
- OCSP responder improvements: reload of p11 when connection broken, return error of audit logging fails.
- CA certificates with SerialNumber in DN does not work with External OCSP
- WS-API, make mathtype contains with with matchwith username
- Key length changes when editing CA in admin-GUI
- Minor GUI fixes.
This is a plug-in upgrade from 3.7.x. See UPGRADE for the simple instructions.
EJBCA 3.7.1
This is a minor release with major focus on enhancements to CVC CA support for EU EAC ePassport PKIs.
- Support for both RSA and ECC with all EAC algorithms.
- Interoperability fixes tested with other implementation at the Prague 2008 event.
- Usability enhancements for CVC PKIs, for example download and import of binary certificates.
- Changes to the CVC cli to mimic the WS-API functions.
- Fixed that upgrade from 3.6 to 3.7 causes error when autogenerated password are used
- Other minor bugfixes.
This is a plug-in upgrade from 3.7.x. See UPGRADE for the simple instructions.
Because there are binary files in EJBCA_HOME/lib changed there is no patch file for upgrading
EJBCA 3.7.0 to 3.7.1. Use the full package from EJBCA 3.7.1 and follow the upgrade instructions in UPGRADE.
EJBCA 3.7.0
This is a major release, particularly focusing on support for CVC certificates as used in EU EAC ePassport PKI.
Read the changelog for details.
Noteworthy changes
- Support for CV Certificates (CVC) for EU EAC ePassports, you can now build a CVC PKI for EU ePassport using EJBCA.
- Upgrade of jaxb jars using for Webservice API, and new WS-API calls.
- Support for error codes in Exceptions from Webservice API.
- New service to automatically renew expiring CAs.
- Possible to use IAIK PKCS#11 provider as well as Sun PKCS#11.
- Client Tool box with client CLI tools easy to deploy stand-alone on other machines.
- Minor fixes and enhancements.
There are no database upgrades in this release.
Because there are binary files in EJBCA_HOME/lib changed there is no patch file for upgrading
EJBCA 3.6.x to 3.7.0. Use the full package from EJBCA 3.7.0 and follow the upgrade instructions in UPGRADE.
EJBCA 3.6 Release Notes
EJBCA 3.6.4
This is a minor release, only fixing one single issue.
- [ECA-921] - EjbcaHealthCheck does not work on OC4J
This is a plug-in upgrade from 3.6.x. See UPGRADE for the simple instructions.
EJBCA 3.6.3
This is a minor release, targeted for fixing a few annoying bugs.
- Upgrade fails to set internal state of CA expire time for externally signed CAs
- Key length changes when editing CA in admin-GUI
- TestProtectedLog fails if ProtectedLogDevice is not enabled in configuration
- PKCS11 support problem on OCSP responder
- LdapPublisher searches for old objects on certDN instead of Ldap DN
This is a plug-in upgrade from 3.6.x. See UPGRADE for the simple instructions.
EJBCA 3.6.2
This is a minor release but with a record amount of fixes for a point release. New features, improvements and a lot of bugfixes
rounding a lot of rough edges.
Noteworthy changes
- Major improvements to the External OCSP responder with more configuration options and
completely new Audit and Account logging. With the new, highly configurable, logging it is
suitable for using as a service charging for, and auditing, requests.
- New documentation feature with on-line documentation deployed in the Web interface by default.
Question mark links from options that are hard to understand in the Admin-GUI are now possible.
- Lots of improvements to the Admin-GUI with configuration for autogenerated passwords and fixing a lot of small GUI bugs and quirks.
- Fail over mechanism for the LDAP publisher.
- Improved documentation for more HSMs, Admin-GUI, etc.
- Improvements for other app servers apart from JBoss.
- MS document signing extended key usage, and tool for importing certificates from MS CA.
- Lots and lots of small bugfixes.
- Updated translations.
This is a plug-in upgrade from 3.6.x. See UPGRADE for the simple instructions.
EJBCA 3.6.1
This is a minor release with a few new features, from EJBCA 3.5.6, and some minor fixes.
Apart form the fixes from EJBCA 3.5.6 nCipherHSM.sh now hides the password the user enters and
an index collision in profilemappings.properties is fixed. Also an error when enrolling with approvals
activated was fixed.
This is a plug-in upgrade from 3.6.x. See UPGRADE for the simple instructions.
EJBCA 3.6.0
This is a major release with many new interesting features and framework improvements.
Noteworthy changes
- New (optional) fully clusterable log system with advanced log signing.
- Support for more extensions (FreshestCRL, caIssuers, more extended key usages, multiple policy statements)
- More WebService API commands.
- Support for Oracle Application Server and Websphere, improvements for Weblogic.
- Support for DB2 database.
- Support for delta CRLs
- Auto-enroll certificates for Microsoft systems (see ejbca.org->Howto).
- Improved PKCS#11 support for HSMs.
- OCSP improvements, support for PKCS#11 HSMs on external OCSP responder.
- External RA improvements, better configuration and SCEP improvements.
- LDAP publisher improvements.
- User notification improvements.
- New Wiki web, wiki.ejbca.org.
There are database upgrades in this release so please pay attention!
Because there are binary files in EJBCA_HOME/lib and many massive changes there is no patch file for upgrading EJBCA 3.5.x to 3.6.0. Use the full package from EJBCA 3.6.0 and follow the upgrade instructions in UPGRADE.
For the Oracle database we have made a switch from the deprecated type LONG to CLOB. Do not fear though, EJBCA 3.6 still works if you continue to use the LONG data type (i.e. does not make any changes to your database). If you decide to migrate, there is a migration sql script in src/upgrade/35_36/oracle-long-to-clob.sql.
EJBCA 3.5 Release Notes
EJBCA 3.5 Release Notes
EJBCA 3.5.12
This is a minor release, fixing a performance issue with getCerts webservice call when a single user have lots of certificates, and also an issue with authorization in UserDataSource.
- Optimize performance of findCerts WS call
- Serious bug in UserDataSource Authorization
This is a plug-in upgrade from 3.5.x. See UPGRADE for the simple instructions.
EJBCA 3.5.11
This is a minor release, fixing two minor issues with webservice calls used by HardTokenMgmt.
- Change genTokenCertificates WS call behavior to not temporary revoke certificates for MS logon
- Fix error in EJBCAWS.genTokenCertificate temporary cards aren't revoked properly
This is a plug-in upgrade from 3.5.x. See UPGRADE for the simple instructions.
EJBCA 3.5.10
This is a minor release, only backorting a fix done in 3.6.
- CertificateExpirationNotifier service not working on Weblogic-Oracle
This is a plug-in upgrade from 3.5.x. See UPGRADE for the simple instructions.
EJBCA 3.5.9
This is a minor release, targeted for fixing a few annoying bugs.
- Upgrade fails to set internal state of CA expire time for externally signed CAs
- Key length changes when editing CA in admin-GUI
This is a plug-in upgrade from 3.5.x. See UPGRADE for the simple instructions.
EJBCA 3.5.8
This is a minor release, adding two minor improvements.
- Option to Health Check to perform sign test on CA token
- Attempt to revoke a certificate.user that is already revoked generates an error
This is a plug-in upgrade from 3.5.x. See UPGRADE for the simple instructions.
EJBCA 3.5.7
This is a minor release, fixing a few bugs.
- Deadlock under stress test involving revocation
- Importing certificate to CA with off-line token did not work
- NPE issuing some sparecard with HTMF
- Error enrolling certificate using SSL with client cert
- CRL generation for CAs waiting for certificate response throws exception
This is a plug-in upgrade from 3.5.x. See UPGRADE for the simple instructions.
EJBCA 3.5.6
This is a minor release, fixing a few bugs and adding a new activation page to the admin-GUI.
- New activation page to effectively be able to activate many CAs quickly
- Possibility to exclude CAs from monitoring by the HealthCheckServlet
- Improve generation of CRL with the CRL worker
- Fix bugs listing many log or user entries
- Fix WS issues and a few other issues affecting hard token administration
This is a plug-in upgrade from 3.5.x. See UPGRADE for the simple instructions.
EJBCA 3.5.5
This is a minor release, fixing a few bugs and adding support for dual authentication for CATokens.
- LDAPPublisher initialized the fakeCRL incorrectly
- Add support for the fields PostalCode and BusinessCategory, now natively supported by BouncyCastle.
- Add Approval option for activation of CAToken
EJBCA 3.5.4
This is a minor release, fixing a few bugs.
- A configuration file according to the Sun notation can now be used when creating keys on PKCS11 HSMs.
- A DB synchronization bug is fixed. Before two EJBCAs could update the log table with same sequence number.
This is a plug-in upgrade from 3.5.x. See UPGRADE for the simple instructions.
EJBCA 3.5.3
This is a minor release, fixing a few bugs and introducing a new tool.
Noteworthy changes
- Support for AEP KeyPer HSM using the EJBCA tools.
- Fix for broken pkcs11HSM.sh.
- A new tool for stress testing over the WS-API.
This is a plug-in upgrade from 3.5.x. See UPGRADE for the simple instructions.
EJBCA 3.5.2
This is a minor release, fixing some bugs and introducing some minor improvements.
Noteworthy changes
- Support for Luna HSM was broken
- Files for building debian package included
- Portugeese translation of Admin-GUI
- Optimized CRL generation for generating CRLs with more than 100.000 revoked certificate
- Possible to use altNames in External RA SCEP service, and require a specific password
- Several bugfixes related to using external CAs
- and other minor fixes...
This is a plug-in upgrade from 3.5.x. See UPGRADE for the simple instructions.
EJBCA 3.5.1
This is a minor fix release, fixing an installation issue with 3.5.0 and some other minor bugs.
This is a plug-in upgrade from 3.5.x. See UPGRADE for the simple instructions.
EJBCA 3.5.0
This is a major release with many new interesting features and framework improvements.
Noteworthy changes
- PKCS#11 interface to HSMs, support for Utimaco CryptoServer, and improved auto-activation of HSMs.
- Much enhanced Webservice API for administration.
- Import CA function supports HSM, possible to create initial CA on HSM and initial admin on smart card.
- Soft CA keystores uses same framework as HSMs, possible to give private password to every soft CA.
- New options for specifying certificate validity, per end entity, fixed date etc.
- Possible to keep configuration/modifications in an external directory.
- Possible to use different profiles in CMP RA mode.
- you can now require approvals for revocation.
- Support multiple email altNames in admin-GUI.
- Option to choose reverse DN for a CA.
- Root-less install, using custom SSL truststore for JBoss/Tomcat.
- Lots of other small fixes and improvements, 69 issues resolved.
Because there are binary files in EJBCA_HOME/lib and many massive changes there is no patch file for upgrading
EJBCA 3.4.x to 3.5.0. Use the full package from EJBCA 3.5.0 and follow the upgrade instructions.
EJBCA 3.4 Release Notes
EJBCA 3.4.5
This is a patch release with only minor fixes.
Noteworthy changes
- Now it is configurable which interface JBoss http service listens to, eases hardening.
- Fixed a bug where path validation failed when using a MS-CA as External Root CA.
This is a plug-in upgrade from 3.4.x. See UPGRADE for the simple instructions.
EJBCA 3.4.4
This is a patch release with only minor fixes.
Noteworthy changes
- You can now use empty password to activate a HSM CA, which means that you can have operator cards without passwords, or that you can use module protected keys on the HSM (nCipher lingo).
- The interesting function for generating OpenVPN installers automatically for users have a fix so it works and is tested again.
This is a plug-in upgrade from 3.4.x. See UPGRADE for the simple instructions.
EJBCA 3.4.3
This is a patch release with some fixes and minor new features.
Noteworthy changes
- Support for JBoss 4.2.x
- Support RSASHA256WithRSAAndMGF1 again, this algorithm was temporarily removed for a few versions due to code cleanups.
Used mostly for electronic passports in EU.
- Support for JavaDB/Derby
The release contains binary file changes (new BC JCE provider) so no patch file is provided.
If you upgrade to JBoss 4.2.0 and have a customized conf/web.properties, remove web.jsfimpl from your conf/web.properties.
This is a plug-in upgrade from 3.4.x. See UPGRADE for the simple instructions.
Since there is a new version of the BC provider, you should run tests for yourself before upgrading in production. We have run alot of tests, but can not guard against everying related to your environment.
EJBCA 3.4.2
This is a patch release with several fixes and minor new features. There are more issues fixed then normal in a patch release, but they are mostly minor features and supposedly safe fixes.
Noteworthy changes
- many enhancements for running EJBCA smoothly on both Weblogic and Glassfish
- fixes for enrollment in windows vista
- possibility to export a soft CA keystore
- a new publisher for publishing certificates and CRL with custom made scripts
- support for SCEP RA polling mode using the external RA module
- lots of small bug fixes
This is a plug-in upgrade from 3.4.x. See UPGRADE for the simple instructions.
EJBCA 3.4.1
This is a minor release with only two bug fixes.
This is a plug-in upgrade from 3.4.x. See UPGRADE for the simple instructions.
EJBCA 3.4.0
This is a major release with many new interesting features and framework improvements.
Because there are binary files in EJBCA_HOME/lib and many massive changes there is no patch file for upgrading EJBCA 3.3.x to 3.4.0. Use the full package from EJBCA 3.4.0 and follow the upgrade instructions.
Noteworthy changes
In EJBCA 3.4.0 the default ASN.1 string encoding for DNs are now UTF8. In EJBCA 3.3.x and earlier, the default encoding was PrintableString, unless the character set forced the usage of UTF8 (international characters).
Now DN components are always encoded as UTF8 (except for components that does not allow UTF8 such as C and SerialNumber).
See UPGRADE for information regarding upgrading from an old CA, and how the behaviour can be configured.
If you used to deploy with 'deploywithjbossservices', this is now done using the regular 'deploy', but you have to set an option in conf/ejbca.properties.
EJBCA 3.3 Release Notes
EJBCA 3.3.3
This is a minor release with some improvement, most notably for LDAP.
This is a plug-in upgrade from 3.3.x. See UPGRADE for the simple instructions.
EJBCA 3.3.2
This is a minor release with some bugfixes, most notably for oracle and weblogic.
This is a plug-in upgrade from 3.3.x. See UPGRADE for the simple instructions.
EJBCA 3.3.1
This is a minor release with some bugfixes, most notably for Luna HSM.
This is a plug-in upgrade from 3.3.0. See UPGRADE for the simple instructions.
EJBCA 3.3.0
This is a major release with new features, improvements and bugfixes.
This is a plug-in upgrade from 3.2.2. See UPGRADE for the simple instructions.
EJBCA 3.2 Release Notes
EJBCA 3.2.2
This is a minor release with minor improvements and some bugfixes, mostly for MS-SQL.
This is a plug-in upgrade from 3.2.1. See UPGRADE for the simple instructions.
EJBCA 3.2.1
This is a minor release with one new features and some bugfixes.
This is a plug-in upgrade from 3.2.0. See UPGRADE for the simple instructions.
EJBCA 3.2.0
This is a release with new enterprise features and an internal restucturing of the code base.
There are database upgrades in this version (from 3.1.x).
See doc/UPGRADE for instruction how to upgrade your database.
You MUST do that!
Otherwise simply keep/copy ejbca.properties from the earlier installation.
Merge changes from ejbca.properties.sample into your ejbca.properties,
specially datasource.jndi-name and datasource.jndi-name-prefix if you changed them from the default values.
Copy the directory 'p12' from the earlier installation and 'ant deploy'
(or deploywithjbossservice) this new one.
Because there are binary files in EJBCA_HOME/lib and many massive changes there is no patch file for upgrading
EJBCA 3.1.3 to 3.2.0. Use the full package from EJBCA 3.2.0 and follow the upgrade instructions.
EJBCA 3.1 Release Notes
EJBCA 3.1.4
This is a minor release with some new features and some bugfixes.
This is a plugin-upgrade from 3.1.3. Except for the following:
Merge changes from ejbca.properties.sample into your ejbca.properties,
specially datasource.jndi-name and datasource.jndi-name-prefix if you changed them from the default values.
Otherwise simply keep/copy ejbca.properties from the earlier installation.
Merge changes from ejbca.properties.sample into your ejbca.properties.
Copy the directory 'p12' from the earlier installation and 'ant deploy'
(or deploywithjbossservice) this new one.
EJBCA 3.1.3
This is a minor release with some new features and some bugfixes.
This is a plugin-upgrade from 3.1.2.
Simply keep/copy ejbca.properties from the earlier installation, copy the directory 'p12' from the earlier installation and 'ant deploy' (or deploywithjbossservice) this new one.
Note that to fix ECA-144, 148 and 75, new version of lib/bcmail*.jar and lib/bcprov*.jar are used. Since they are binary files they are not included in the patch from version 3.1.2 to 3.1.3. You can use the patch and manually replace the jar-files from the full distribution.
The 3.1.3 release have support for RSASSA-PSS signatures to conform to the Swedish standard for MRTD certificates (Electronic Passports).
The RSASSA-PSS parameters can be seen and edited in the file src/java/se/anatom/ejbca/ca/caadmin/ExtendedX509Util.java.15
IMPORTANT, compliation using jdk1.5 is required for this algorithm.
Otherwise this algorithm option won't show up
Enhanced support for international characters in the adminweb gui (Add/Edit pages).
Should work with most languages now.
It's now also possible to select a subset of a users SubjectDN and SubjectAltName fields used in a particular kind of certificate. This is defined in the certificate profiles
EJBCA 3.1.2
This is a minor release with two new features and some bugfixes.
This is a plugin-upgrade from 3.1/3.1.1. Simply keep ejbca.properties from the earlier release, and 'ant deploy' this new one.
Note that to fix ECA-126, a new version of lib/bcmail-jdk14.jar and lib/bcprov-jdk14.jar are used. Since they are binary files they are not included in the patch from version 3.1 to 3.1.2. You can use the patch and manually replace the jar-files.
EJBCA 3.1.1
This is a minor release with a few small bugfixes found in the 3.1 release.
This is a plugin-upgrade from 3.1.
EJBCA 3.1
This is a major release including many new features, improvements, and bug fixes.
We are very proud of this release and recommend an upgrade.
This is mostly a plugin-upgrade from 3.0.7, no database changes needed.
Since the changes are massive, no patch file is provided.
To upgrade from 3.0.x follow doc/UPGRADE.
EJBCA 3.0 Release Notes
EJBCA 3.0.7
This is a plugin-upgrade from 3.0.6 or 3.0.5.
Apply patch, build and redeploy.
EJBCA 3.0.6
This is a plugin-upgrade from 3.0.5.
Apply patch, build and redeploy.
If you are using the hard token stuff on MySQL (which you probably aren't or you would have noticed
this bug), you should drop the table HardTokenData and restart JBoss to recreate the table.
EJBCA 3.0.5
This is a plugin-upgrade from 3.0.4.
Apply patch, build and redeploy.
For users of MS SQL 2000 you should note the column name 'rule_' (earlier 'rule' which is
a reserved word) in the table AccessRulesData.
EJBCA 3.0.4
This is a plugin-upgrade from 3.0.3.
Apply patch, build and redeploy.
EJBCA 3.0.3
The database table 'hardtokenprofiledata' using the database HypersonicSQL changed.
If you are using the hardtoken functionality on the HypersonicSQL database
(which you should not be doing in production), the table must be removed and
recreated. No migration script is provided since we don't anticipate anyone using
this combination in production.
EJBCA 3.0
EJBCA 3.0 is a major new release taking the Open Source CA to new heights.
The most important improvment is that it is now possible to run several
PKI infrastructures within one single instance of EJBCA. Among other major improvements are also
complete support for OCSP, enanced Hard token interface and flexible
LDAP configuration through the Web-GUI.
This is a plugin-upgrade from beta3.
This release is not backwards compatible with EJBCA 2.1 without database upgrade.
Upgrade instructions must be followed if upgrading from EJBCA 2.1,
backup your database before trying any upgrades.
EJBCA 3.Beta3
This is a plugin-upgrade from beta2.
There is an upgrade function from EJBCA2->EJBCA3 for the MySQL database, see doc/UPGRADE.
EJBCA 3.0Beta2
Thanks to a bug in Beta1 the database table 'HardTokenPropertyData' has changed. If you have been
using the HardToken features in Beta1, or plan to use them in the future, this table must be rebuilt.
'drop table hardtokenpropertydata' will delete and rebuild the table (data must be entered again).
Apart from this, it is a plug-in upgrade.
EJBCA 3.0beta1
EJBCA 3.0 is a major new release taking the Open Source CA to new heights.
The most noteworthy change is that it is now possible to run a complete (or several)
PKI infrastructure within one single instance of EJBCA.
This release is not backwards compatible with EJBCA 2.1 without database upgrade.
Upgrade instructions must be followed if upgrading from EJBCA 2.1,
backup your database before trying any upgrades.
The (default) LDAP schema has been changed to follow RFC 2256. If using LDAP,
the schema should be checked. You can configure the schema
(in ca/ca/META-INF/ejb-jar.xml) to be the same as before if needed.
EJBCA 2.1 Release Notes
EJBCA 2.1.2
This is a plugin upgrade from V2.1.
The (default) LDAP schema has been changed to follow RFC 2256. If using LDAP,
the schema should be checked. You can configure the schema
(in ca/ca/META-INF/ejb-jar.xml) to be the same as before if needed. See HOWTO-LDAP.txt.
EJBCA 2.1.1
This is a plugin upgrade from V2.1.
EJBCA 2.1
New method to revoke certificates with external publishers.
EJBCA 2.0 Release Notes
EJBCA 2.0.1
Except from notes below this is a plugin upgrade from v2.0.
Java >= 1.4 is now required.
Delete bcmail-jdk13*, jce-jdk13*, ldap.jar and regexp1_0_0.jar
from $JBOSS_HOME/server/default/lib.
EJBCA 2.0
Name of initial temporary super administrator changed from "CN=Walter" to "CN=SuperAdmin". A new must be created.
All defined administrator privileges must be redefined.
Certificate profiles should be redefined.
Drop tables GlobalConfigurationData, AdminGroupData,AdminEntityData,AccessRulesData and EndEntityProfileData to flush configuration and administrator privileges (actually deleting the content would be enough but you
might as well drop the tables).
Delete bcmail-jdk13-116.jar, jce-jdk13-116.jar, ldap.jar and regexp1_0_0.jar from $JBOSS_HOME/server/default/lib.
EJBCA 2.0B1
We have moved to EJB 2.0. JBoss 3 is now required. A complete reinstall from EJBCA 1.x is required, old jars, wars and ears must be deleted.
Database schema has changed, old data in the database must be migrated.
A Web GUI for administration is available through https, see doc/README for installation instructions.
EJBCA 1.0 Release Notes
EJBCA 1.3
This is a plugin upgrade from v1.2 or 1.1. Just build and deploy the new files.
EJBCA 1.2
This is a plugin upgrade from v1.1. Just build and deploy the new files.
EJBCA 1.1
Upgrading from version 1.0:
If upgrading from version 1.0 the database tables need to be migrated if the DN attributes L or ST have been used. This is because the ordering of those attributes have changed (for string matching the order must be defined).
If L or ST have not been used in DNs, migration is NOT needed.
What need to be done are to:
1. Read column with DN to me migrated from table.
2. Run 'newDN=CertTools.stringToBCDNString(oldDN)'.
3. Update column with DN in table.
Columns that need updating are:
issuerDN in table CRLData
subjectDN, issuerDN in table CertificateData
subjectDN in table UserData.
If a tool is needed to perform the migration, please contact us. See http://sourceforge.net/projects/ejbca