EJBCA Changelog

What's new in EJBCA 6.0.3

Jan 4, 2014
  • Support for OCSP extended revoked status compliant with RFC6960.
  • Ensure OCSP RFC5019 responses with unknown response code are not cached, compliant with CABForum discussions.
  • Add OCSP archive cutoff date for expired certificates.
  • Speedups starting the Command Line Interface.
  • Bug fixes for Internal Key Bindings.

New in EJBCA 4.0.7 (Dec 26, 2011)

  • This version fixes a bug reading large OCSP requests over HTTP 1.1 using chunked encoding.
  • It fixes a few minor XSS issues.
  • It fixes an issue where building the Validation Authority (VA) failed on specific platforms.
  • The VA health-check URL is now what it is claimed to be in the property file.
  • You will need to reconfigure devices monitoring this URL.
  • This release documents EJBCA integration with Djigzo.
  • It adds a plug-in build system.
  • It has improved support for Chinese in the admin GUI.

New in EJBCA 4.0.5 (Nov 3, 2011)

  • This version corrects comparison of public keys in HSM and CA certificates, fixes regression during republishing, and adds many small bugfixes.

New in EJBCA 3.11.0 (Nov 30, 2010)

  • This version implements RFC4387.
  • It adds extended information to edit user WS-API.
  • It has a GUI application for batch-enrollment from CSR.
  • The external OCSP responder is also a CRL Distribution point.
  • Options to issue certificates without database storage.
  • Supplies a custom certificate serial number over CMP in RA mode, supports one CMP RA secret per CA.
  • Adds SSH and MS code signing extended key usage.
  • Optimizations, GUI improvements, and minor bugfixes.

New in EJBCA 3.10.4 (Aug 12, 2010)

  • Adds EAC ePassport support

New in EJBCA 3.10.3 (Jun 24, 2010)

  • This release adds EAC ePassport support!

New in EJBCA 3.10.0 (Mar 29, 2010)

  • Bug:
    • [ECA-1050] - Revoke and renew button on OCSP/XKMS/CMS extended services only revokes and does not renew
    • [ECA-1536] - Extra test client does not compile with JBoss 5
    • [ECA-1578] - Use of DN from CA data when searching for last CRL number.
    • [ECA-1579] - Root CA certificate could have different subject and issuer DN.
    • [ECA-1583] - EJBCA EJB CLI is not working with JBoss 5
    • [ECA-1584] - PublisherQueue process service does not work in PostgreSQL
    • [ECA-1590] - Hash of a CA certificate cannot be used to get "CA" if the subject DN of the certificate is not the same as the subject DN of the CA data.
  • Improvement:
    • [ECA-668] - Possibility to change keyStorePassword in an already installed setup
    • [ECA-892] - WS-cli should work with pkcs12 files in addition to jks files.
    • [ECA-1237] - External RA: possibility to deploy to other deploy directory
    • [ECA-1239] - Build ClientToolBox without application server present
    • [ECA-1251] - Name returned certificates from public web after the username
    • [ECA-1336] - Add Spanish commonly used OIDs NIF/CIF
    • [ECA-1380] - Use commons configuration for all configuration
    • [ECA-1381] - Use JPA in ExtRA client library
    • [ECA-1383] - Separate system and functional JUnit tests
    • [ECA-1396] - Create new WS and bean method that creates/edits user and issues a certificate in a single transaction
    • [ECA-1428] - More effective stress test.
    • [ECA-1432] - Refactor and create new module for EJBCA's remote EJB CLI
    • [ECA-1469] - Rename LogEntryDataBean comment and comment_ column to logComment for all database types
    • [ECA-1488] - Property in mail.properties for setting SMTP port missing
    • [ECA-1495] - Enforce dependency check for all components of the EJBCA core and improve structure
    • [ECA-1505] - Optimize isRevoked method in CertificateStoreSessionbean
    • [ECA-1537] - Display min and max time for stress test jobs
    • [ECA-1575] - Get length of message from ASN1 length value.
    • [ECA-1576] - Default certificate profile should not allow key usage override
    • [ECA-1596] - Possibility to run SCEPTest directly against EJBCA.
    • [ECA-1599] - EJBCA EJB CLI subcommand 'encryptpwd' should not echo password
  • New Feature:
    • [ECA-1530] - Support signing NewWithOld after CA key rollover
    • [ECA-1557] - Enforcement of Unique Public keys
    • [ECA-1566] - External RA: Web based GUI for enrolling entities
    • [ECA-1567] - Enforcement of Unique Distinguished Name
    • [ECA-1589] - Support for Ingres 9.3
  • Task:
    • [ECA-1465] - Preparations for EJBCA 4
    • [ECA-1466] - Build ejbca-util with a minimal number of classes
    • [ECA-1467] - Move the ejbca-ws build to modules
    • [ECA-1468] - Move the ejbca-xkms build to modules
    • [ECA-1470] - Deprecate ProtectedLog
    • [ECA-1476] - Move external RA to modules
    • [ECA-1482] - Update JavaDoc build
    • [ECA-1484] - Disable XKMS service by default
    • [ECA-1531] - Restructure documentation into separate admin and user guides
    • [ECA-1550] - Internal OCSP responder should always use the CA signing certificate to sign responses
    • [ECA-1582] - Upgrade bouncycastle to 1.45

New in EJBCA 3.9.5 (Mar 5, 2010)

  • Fixed a performance regression for the OCSP service that could lower throughput from 400 to 200 req/s.
  • Added process time parameter to OCSP transaction logging.
  • Fixed and improved usage of the optional IAIK PKCS#11 provider.
  • Improve sequence handling for EAC CVC CAs.
  • Fixed a bug when renewing CA keys on HSMs.
  • Fixed that you could not use a dot in pre-set usernames in end entity profiles.
  • Added possibility to install directly with external admin CA, initializing authorization module in importcacert cli command.
  • Added possibility to prompt for keystore password during install so you never have to write it anywhere.

New in EJBCA 3.9.4 (Jan 7, 2010)

  • Added EAC ePassport support

New in EJBCA 3.9.1 (Aug 17, 2009)

  • Improvements to the public enrollment process with automatic renewal.
  • The ability to specify approvals on certificate profiles.
  • A configurable list of extended key usages.
  • Dynamic updating of max-age and nextUpdate for OCSP responders.
  • Selection of which CAs to generate CRLs for in CRL service.
  • Scheduling of CRLs more often than hourly.
  • Removal of the soft CA key with the ability to import it back again.
  • Removal of passwords from properties files.
  • CRL distribution points with semicolons.
  • A transaction log for Web service certificate issuance.
  • Specify Any CA in end entity profiles.
  • Better configuration of CA validity.
  • Improved error messages.

New in EJBCA 3.9.0 (Jun 5, 2009)

  • Support for CAs using DSA keys. EJBCA now supports all major algorithms: RSA, DSA and ECDSA.
  • External RA improvements. CA service running as an EJBCA service gives full cluster functionality and support for multiple external RAs.
  • As a bonus it is now much easier to install and configure.
  • Robust re-publishing mechanism for publishers that fail, running as an EJBCA service.
  • OCSP responder improvements with performance improvements and support for on-line renewal of OCSP responder keys and certificates.
  • The external OCSP responder can now saturate high performance HSMs.
  • OCSP monitoring tool for monitoring synchronization between EJBCA and external OCSP responders.
  • GUI for configuring the external OCSP publisher with new options.
  • Possible to change OCSP signing keys in a running external OCSP responder.
  • New commands and stress tests in the client toolbox.
  • A new admin web gui front page with status overview panels.
  • Possible to configure status of certificates issued for end entities, i.e. issue certificate revoked "on hold".
  • New DN attribute, Name.
  • Performance improvement by caching and lowering number of database queries.
  • XKMS now works also on Java 6.
  • Possibility to set user validity start and end time in WS API.
  • Lots of small fixes and improvements to the admin GUI.
  • Lots of small bugfixes.
  • Keon CA to EJBCA migration guide.

New in EJBCA 3.8.2 (Mar 27, 2009)

  • New Feature:
    • [ECA-552] Add support for nextUpdate, thisUpdate and producedAt in OCSP responses
    • [ECA-1124] Configurable to use HTTP headers for standalone OCSP
    • [ECA-1053] Pseudonym as a subject DN attribute
    • [ECA-1133] Configurable in ExternalOCSPPublisher to only publish certificates with an OCSP URI extension.
  • Improvement:
    • [ECA-1123] Create dummy object for TransactionLogger and AuditLogger
    • [ECA-1088] Default public exponent for lunaHSM.sh should be 65537 (0x1001)
    • [ECA-1055] Support OCSP by HTTP GET
    • [ECA-1117] Use info instead of error messages in Standalone OCSP Responder.
    • [ECA-1144] Add "userPassword" attribute in LDAP publisher
    • [ECA-1114] Add street DN component
    • [ECA-1096] Improve handling of invalid requests and streams in OCSP responder
    • [ECA-1146] Stress Test does not print out no of failed tests
    • [ECA-748] Order certificates in view certificates with newest first
    • [ECA-1121] Unnecessary signing operations
  • Bug:
    • [ECA-1158] CA-certificate, but no signing key from a CA on the external OCSP generates an Exception
    • [ECA-1141] CRL Distribution Point in CRLs must be encapsulated into an Issuing Distribution Point
    • [ECA-1092] Code not thread-safe in certificate-request Servlet
    • [ECA-1154] Concurrency issue when reloading soft keys for external OCSP responder
    • [ECA-1113] JCE error on JBoss 5 on some platforms
    • [ECA-1148] ServiceData cached in bean making synchronization between cluster nodes fail.
    • [ECA-1090] Wrong encoding of issuer DN on retrieval public web pages
    • [ECA-1150] Wrong language tag for "Certificate Validity End Time" in viewendentity.jsp
    • [ECA-1095] Allow comma in directoryName subject alt names
    • [ECA-1145] CvcRequestMessage not serializable
    • [ECA-1143] Freshest CRL is lost when creating a new CA

New in EJBCA 3.8.1 (Jan 29, 2009)

  • Broken support for Glassfish was fixed.
  • Support for JBoss 5.0 was added.
  • Support for Weblogic 10.3 was improved.
  • IPv6 subject alternative names were fixed.
  • A few minor bugs were fixed.

New in EJBCA 3.8.0 (Dec 15, 2008)

  • Restructure administrator validation to allow admins using externally issued certificates.
  • Add a CLI subcommand to add an administrator in an admin group using the serial number.
  • Drop administrator flag in end entities, it's not needed, makes configuration easier together with remade admin GUI.
  • Possible to generate CA PKCS#10 request without giving CA certificate.
  • Add support for SEIS Card Number extension.
  • Added KRB5PrincipalName subjectAltName.
  • Option in certificate profiles for reversing DN order.
  • Enroll for CV certificate on public web.
  • Upload PEM or binary certificate requests on public web.
  • Possible to sign releases and deployed code.
  • Enhanced basic custom certificate extension.
  • Command to list objects in Luna HSM partition.
  • Some bug fixes.

New in EJBCA 3.7.4 (Nov 18, 2008)

  • Email from- and to- is also substituted in user notifications.
  • The default ENDUSER Certificate Profile was fixed.
  • A built-in Server certificate profile was created.
  • External RA SCEP service fails on a Cisco message with a wrongly encoded request extension.
  • The missing ErrorCode class in ejbca-util.jar was replaced.
  • OCSP should not respond with responseBytes when an error code is sent.
  • OCSP responder should answer with OCSP error MalformedRequest when a badly encoded request is received.

New in EJBCA 3.7.3 (Nov 7, 2008)

  • Fix on Glassfish that was broken in 3.7.2
  • Glassfish support for PostgreSQL
  • A couple of trivial fixes

New in EJBCA 3.7.2 (Oct 31, 2008)

  • This release adds Intel AMT extended key usage, gives an OCSP error if audit logging fails, optimizes the OCSP service, reloads the pkcs11 session on OCSP if it is disconnected, and has bugfixes and minor improvements.

New in EJBCA 3.7.1 (Sep 16, 2008)

  • Support for both RSA and ECC with all EAC algorithms.
  • Interoperability fixes tested with other implementations at the Prague 2008 event.
  • Usability enhancements for CVC PKIs, for example download and import of binary certificates.
  • Changes to the CVC cli to mimic the WS-API functions.
  • Fixed that upgrade from 3.6 to 3.7 causes an error when autogenerated passwords are used.
  • Other minor bugfixes.

New in EJBCA 3.7.0 (Aug 30, 2008)

  • This release adds support for CV Certificates (CVC) for EU EAC ePassports, new WS-API calls and better error codes, a new service to automatically renew expiring CAs, the ability to use IAIK PKCS#11 provider as well as Sun PKCS#11, and a client toolbox with client CLI tools that are easy to deploy stand-alone on other machines.