EJBCA Change Log Summary
The following lists change logs for all EJBCA versions released, sorted by date and listed per release in the table of contents below.
For more information on a specific release, see the respective EJBCA Release Notes for details on issues resolved in the release.
EJBCA 9.5
EJBCA 9.5.1
Released March 2026
ECA-14636 Composite PKCS7 generation over SOAP fails if keys are stored on HSM
EJBCA 9.5.0
Released February 2026
New Features
ECA-13197 Add a button for configuring (most) fields for Auth0
ECA-13344 Update CVC Terminal Authentication bits to v.2.2 of BSI TR-03110
ECA-13665 Support Bull Proteccio in the EJBCA container set
ECA-13666 Support Thales TCT Luna in the EJBCA container set
ECA-13877 Add SCEP encryption and signing certificate fields to configdump
ECA-14158 Should be able to use separate encryption/decryption keys when in CA mode too.
Improvements
ECA-12954 Allow Wildfly session encryption key to be derived by PBKDF from an environment variable in HA mode
ECA-13198 Add kf.roles as a valid OIDC claim
ECA-13229 Use first name and family name as display name if available
ECA-13235 Configdump import of Auth0 Provider
ECA-13250 Make it possible to use pipe character in "Match value"
ECA-13251 Add email as a valid OIDC claim
ECA-13305 Create unit tests for LDAPAttributeHelper
ECA-13448 Duplicate token type declarations
ECA-13477 Unable to change email or UPN in AD and perform MSAE certificate renewal
ECA-13825 Migrate forbidden.characters from cesecore.properties into system configuration
ECA-13954 Introduce cache for certificate templates
ECA-13977 Cleanup: remove org.ejbca.ui.web.admin.certprof.CertProfilesBean.LEGACY_FIXED_MARKER
ECA-14027 Add option to not enforce name constraints check by CA to be able to comply with GSMA SGP 22 v2
ECA-14028 Encode server generated PKCS12 files with definite length encoding
ECA-14029 Add non-production mode support to containers
ECA-14090 Cancel pipelines if additional commits are pushed to release branches
ECA-14091 P11NG-CLI: Remove debug printout when generating ML-DSA-keys
ECA-14113 Upgrade Nimbus JOSE+JWT to nimbus-jose-jwt-10.5.jar
ECA-14120 Normalize System Configuration tabs: Protocol Configuration, Extended Key Usages, Custom Certificate Extensions
ECA-14125 Missing base64 validation for binary string in globalconfig configdump import
ECA-14151 Update BC to 1.83
ECA-14206 Cleanup: replace references to AuthorityKeyIdentifier.getKeyIdentifier
ECA-14209 Cleanup: Clear out warnings in CrudCTLog
ECA-14216 Cleanup: clean warnings in PublisherDataUtil
ECA-14219 Investigate and fix value discrepancy in CrudCTLog
ECA-14220 Convert ScepRaCertificateIssuer into a session bean
ECA-14223 Cleanup: Remove the finalize() reference from GeneralPurposeCustomPublisher
ECA-14279 Cleanup: Add deprecation suppression for Role in RaMasterAPI classes
ECA-14282 Upgrade RestEasy to 7.0.0
ECA-14288 Code Coverage: Additional system tests for getCACert SCEP operation
ECA-14303 ant clean doesn't clean all modules
ECA-14320 Clarify SCEP documentation in relationship to Android/jscep
ECA-14334 Upgrade Apache Kerby to version 2.1.1
ECA-14340 Add option to importcertdir CLI command to specify an earlier CA certificate
ECA-14346 Prevent combined hybrid/composite CAs/certificates
ECA-14348 Cleanup: remove non-static reference warnings from StressTestCommandBase
ECA-14354 Cleanup: replace remaining references to X509Certificate.getSubjectDN and getIssuerDN
ECA-14372 Enable composite key handling in BaseCryptoToken and crypto token implementation classes
ECA-14377 Normalize OCSP Responders page
ECA-14378 Cleanup: Update deprecated references to Schema.required
ECA-14382 Normalize OCSP Responder page (Add/Edit/View)
ECA-14384 Normalize Remote Authenticator pages
ECA-14389 Cleanup: remove reference to jakarta.faces.component.html.HtmlInputFile.setSize(int)
ECA-14390 Cleanup: Upgrade references to new BasicThreadFactory.Builder()
ECA-14391 Cleanup: Upgrade references to java.security.Provider.Provider(String, double, String)
ECA-14393 Cleanup: remove references to unused fields
ECA-14403 Update styles for existing add/edit/view forms
ECA-14413 Migrate ocsp.warningBeforeExpirationTime into GlobalOcspConfiguration
ECA-14417 Apply style updates to the remaining parts of Admin Web
ECA-14425 Scale down the forms and simplify CSS
ECA-14427 Cleanup: Resolve warnings in ConfigdumpRoleData
ECA-14431 Deploy RA and VA containers for main branch
ECA-14433 Upgrade commons-lang3 to 3.20
ECA-14434 Upgrade commons-configuration to 2.13
ECA-14451 From Adminweb allow keyEncryptKey of a X509CA to be set to None on creation and editable post creation
ECA-14455 Upgrade the EJBCA container to use WildFly 39
ECA-14456 Upgrade Undertow to 2.3.22 or later
ECA-14474 Community contribution: L10n: Admin GUI French update (based on 9.3.7) Fully translated
ECA-14475 Consolidate all PQC-related nomenclature
ECA-14497 Update readme.md
ECA-14499 Add prefix and suffix option for automatic username generation for end entity profile
ECA-14500 Improve Approval Profiles
ECA-14505 Upgrade HSM sidecar versions for the 9.5.0 release
ECA-14510 Security: Upgrade log4j to 2.25.3 (CVE-2025-68161)
ECA-14515 Performance tuning in Wildfly using environment variables for thread pool size and time outs
ECA-14527 Label font size alignment in smaller forms
ECA-14544 RA GUI French update from 9.3.7
Bug Fixes
ECA-9209 Authority Key ID missing from Link Certificate if not asserted in Root CA cert profile
ECA-10966 Refreshing page can delete another Crypto Token
ECA-11641 Space in Validator name field
ECA-11643 'Save' button on Validators page needs to be pressed twice to work
ECA-11704 ROOTCA shows for new End Entity Profiles and goes away when you edit anything
ECA-12154 Can not use Download PEM keystore in RA Web if end entity is in status key recovery
ECA-12235 Crypto Tokens Disappear from the list when you get session timed out
ECA-12377 Admin Web - Services - NPE for Remote Internal Key Binding Updater
ECA-12444 RA Web - Roles - Overlapping error messages when role name is empty
ECA-13315 v1/certificate/certificaterequest mismatched request and requesttype throws NPE in Peer Environment
ECA-13490 Enrollment fails when optional/modifiable OU field is empty and comes before required/unmodifiable fields in EEP configuration
ECA-13622 [HA] Session times out very often using at least two nodes
ECA-13726 Improper REST API error handling
ECA-13783 Requester's Role's CA access must match or exceed profile's CA access or profile cannot be used
ECA-13885 RA Web - Menu - Tools option badly displayed when no active CA
ECA-13892 Editing an EE over RA web leads to unwanted disabling of Batch generation (clear text pwd storage) checkbox
ECA-13990 Multiple CertIds in OCSP requests are not logged properly in AuditLog
ECA-14052 Fix parsing for Certificate Template with spaces on ejbca.sh importcertsms
ECA-14080 Change error message for rest api endpoint
ECA-14116 Database Maintenance Worker can delete key binding certificates, leading to NPEs
ECA-14127 A validation bypass caused by leading whitespace
ECA-14137 Adding a Comma to the End Entity Username results in not being able to delete or revoke the end entity via the Admin Web
ECA-14138 Don't create obsolete tables in new installations
ECA-14156 Configdump imports random or incorrect values for CVC access rights (Authentication Terminal).
ECA-14179 Obsolete UserDataSourceData table is still being generated on new installations
ECA-14196 Approval Profile: Doesn't correctly display notifications fields
ECA-14213 SCEP enrollment with separate signing keys over peers (with denied access to unknown CAs) is denied
ECA-14214 ConfigDump import attempts to treat global-ct-configuration.yaml like a log
ECA-14218 Doc link html page points to non-existing web page
ECA-14226 IncompleteIssuanceJournalData is not cleaned up when CT log is used and certificate is issued successfully
ECA-14266 Admin Web - Remote Authenticator - Validation error while selecting key pair from HSM
ECA-14267 CA mode with separate keys fails when "Allow Client Certificate Renewal" enabled
ECA-14289 Configdump import of EKU overwrites existing values
ECA-14290 Default Certificate Profiles Actions should be greyed out (disabled)
ECA-14301 Regression: clientToolBox EjbcaWsRaCli fails with java.lang.ClassNotFoundException: org.apache.commons.lang.StringUtils
ECA-14304 Remove usage of Unmodifiable Maps in additional details during Audit logging
ECA-14305 Configdump CA Import Fails: "CMP RA Authentication Secret" incorrectly required to be mandatory
ECA-14321 EJBCA may be unable to start when HSM returns an error on initialization
ECA-14345 End entity DNSSAN validation (regex) bypassed
ECA-14359 Admin UI end entity max login attempts not populated on first render
ECA-14360 Reduce some certificate peer publish logs to debug to avoid confusion
ECA-14363 Validity offset does not work as expected
ECA-14371 SCEP certificate renewal fails on Mysql/Mariadb 5.x
ECA-14387 Keystore generation under some circumstances throws NullPointerException due to transaction issues
ECA-14388 Admin Web - Remote Authentication - Next key pair always set to the current key pair
ECA-14402 Enable Domain Allow List Validator to validate email Rfc822Names
ECA-14420 EST client Reenrollment fails with SAN mismatch error, GUID related
ECA-14424 False-negative CAA related system tests
ECA-14440 Superadmin p12 cannot be enrolled in EJBCA container
ECA-14443 User notification fails during Key recovery approval process
ECA-14458 Regression: Key recovery doesn't work with the CLI
ECA-14463 Approval Profile: Doesn't correctly display partitional approval
ECA-14469 NPE when creating Azure Key Vault through the CLI
ECA-14470 Regression - Community Edition container does not start
ECA-14473 Regression: Revert removal of lazy-upgrade code to CertificateProfile.getStoreSubjectAlternativeName
ECA-14494 Configdump OCSPCONFIG with 'defaults=true' throws NPE
ECA-14526 Maximum number of failed login from End Entity Profile is not applied when creating end entity via REST API
ECA-14538 Regression: LDAP publisher removes cert based on base name instead of name
ECA-14541 Nginx sidecar file upload limit
ECA-14542 Fix ConfigdumpScepConfigurationUnitTest compilation issues
ECA-14563 System test EjbcaWSSystemTest.test03_4GeneratePkcs10Request verifies against wrong error message
ECA-14581 Fix ConfigDump --initialize option for Composite keys
ECA-14573 Composite NPE on `isKeyInitialized`
EJBCA 9.4
EJBCA 9.4.2
Released December 2025
Bug Fixes
ECA-14267 CA mode with separate keys fails when Allow Client Certificate Renewal enabled
ECA-14292 ConfigDump returns error for SCEPCONFIG
ECA-14294 Use separate keys for SCEP decryption doesn't render keys on p11ng tokens
ECA-14296 SCEP add/edit alias fail on first page load when p11ng crypto token exists
ECA-14297 Wrong error message when no CA is selected in SCEP alias
EJBCA 9.4.1
Released December 2025
New Features
ECA-14158 Should be able to use separate encryption/decryption keys when in CA mode too
Improvements
ECA-13419 Update Helm README and Chart.yaml files
Bug Fixes
ECA-12494 Intune enrolment is failing for renewals
ECA-14162 ConfigDump doesn't translate name/Id for access rules
ECA-14164 Internal SCEPENCRYPTOR and SCEPSIGNER certificate profiles are exposed in some endpoints
ECA-14166 Regression: Certificate Profile Import is failing
ECA-14191 Editing MSAE alias breaks CEP policy after cache renewal
ECA-14199 CaCertificateCache doesn't load signing certificate validity time properly
ECA-14213 SCEP enrollment with separate signing keys over peers (with denied access to unknown CAs) is denied
ECA-14230 RaMasterApi breakage
ECA-14237 Approval management not backwards compatible from 9.4.X
ECA-14241 RA node does not have import button to import CA
EJBCA 9.4.0
Released December 2025
New Features
ECA-12415 ML-DSA and LMS with Utimaco and P11NG
ECA-12614 ML-DSA with Thales TCT and P11NG
ECA-12616 ML-DSA with Thales Luna and P11NG
ECA-12836 ConfigDump support for S3 publisher
ECA-12851 Add ConfigDump support for global CT settings
ECA-12960 Enable EJBCA Containers to support TLS connection to Postgres Db
ECA-13066 Automate Git hook setup
ECA-13068 Configure Git hooks
ECA-13071 Ability to create Hybrid CAs with ca init CLI
ECA-13164 Allow CT logs to be imported through ConfigDump
ECA-13336 p11ng-cli: Add gencsr command
ECA-13348 QA: Create a testing container for use of testing/developing the SCP publisher
ECA-13362 Implement SFTP as an alternative transfer method to SCP
ECA-13385 Extend ACME order object with 'replaces'
ECA-13386 UI configuration for ACME ARI "Retry-after"
ECA-13443 ACME ARI - configurable suggestion policy
ECA-13444 ACME ARI - Explanation URL
ECA-13592 ML-DSA with AWS KMS
ECA-13607 Create ProtocolData Entity/ORM
ECA-13608 Create ProtocolSession CRUD Bean
ECA-13633 AWS KMS status fix
ECA-13663 Support Thales DPoD in the EJBCA container set
ECA-13664 Support Utimaco u.trust Anchor in the EJBCA container set
ECA-13700 Enable CAA validation for Mark certificates
ECA-13738 Spike: figure out how to validate licenses and log on admin side
ECA-13756 ConfigDump Global CA Configuration
ECA-13757 ConfigDump Global End Entity Profile Configuration
ECA-13758 ConfigDump Global CT-log Configuration
ECA-13759 ConfigDump Global OCSP Configuration
ECA-13760 ConfigDump Global System Configuration
ECA-13770 Test ML-DSA with Entrust nShield 5c and P11NG
ECA-13844 Create an allow list for OAuth hostnames
ECA-13854 Construct OAuth redirect URL dynamically
ECA-13867 ConfigDump GlobalCesecoreConfiguration
Improvements
ECA-12474 Allow Custom EKU Human Readable Name in ConfigDump
ECA-12553 Add general EAB import/export to ConfigDump
ECA-12683 Enable Remote Internal Key Binding Updater to initial issuance to remote OCSP keybindings
ECA-12758 Use service-manifest-builder in Gradle
ECA-12929 Align CAA with RFC 8659
ECA-13046 Migrate EJBCA pipelines from Jenkins X to GitLab CI
ECA-13067 Refactor existing checks into standalone scripts
ECA-13069 Document the Git hook solution
ECA-13115 Normalize Certificate Authorities Page
ECA-13116 Normalize Certificate Profiles Page
ECA-13117 Normalize Publishers Page
ECA-13118 Normalize End Entity Profiles Page
ECA-13120 Normalize Crypto Tokens Page
ECA-13175 Normalize Services Page
ECA-13176 Add a Configuration tab to OCSP responders page
ECA-13210 Replace unneeded getters in GlobalConfiguration with static values
ECA-13217 Move global CT settings into their own Global Config
ECA-13234 Make the auto-generated end entity enrollment code configurable with the end entity profile for MSAE
ECA-13256 Document how to use Workload Identities with Azure SQL
ECA-13326 Increase test coverage for SignSessionBean
ECA-13347 Allow SCP Publisher to function independently of a local known_hosts
ECA-13349 Allow SCP Publisher to use crypto token keys instead of file system keys
ECA-13368 Improve Admin UI message for alternative signature algorithm
ECA-13374 Remove upgrade code for upgrading from > EJBCA 6.1.0.1 or earlier
ECA-13378 Cleanup: Remove all references to legacy EndEntityManagementSession.addUser
ECA-13437 Move global CA configuration to GlobalCaConfiguration
ECA-13458 Move ocsp.includecertchain and ocsp.includesignercert into System Configuration
ECA-13469 Replace RoleCache with the new Repository
ECA-13475 Remove upgrade code for upgrading to EJBCA 6.2.4
ECA-13479 Cleanup: Replace deprecated references to ExpectedException.none()
ECA-13484 Remove upgrade code for upgrading to EJBCA 6.3.2
ECA-13507 Cleanup: Remove startup warning from AddEndEntityMBean
ECA-13509 Cleanup: P12toPEM is mainly scrap code
ECA-13520 Remove upgrade code for upgrading to EJBCA 6.4.2
ECA-13523 Remove orphaned classes
ECA-13528 Cleanup: Close streams in BasicCertificateExtensionUnitTest
ECA-13529 Update commons-collections to 4.5.0
ECA-13530 Cleanup: Close streams in ECAUtils
ECA-13532 Convert ocsp.nonexistingis* into a single value
ECA-13541 Allow Cryptotoken public key to be exported in SSH key format for SCP Publisher v2
ECA-13556 Apply a common look and feel to normalized pages
ECA-13566 Cleanup: close streams in X509CACrlUnitTest
ECA-13567 Clean warnings in SerObjectMerger and SerObjectAnalyzer
ECA-13577 Remove upgrade code for upgrading to EJBCA 6.5.1
ECA-13584 Remove upgrade code for upgrading to EJBCA 6.6.1
ECA-13586 Improve documentation in regards to zero downtime and upgrades
ECA-13602 Enable dynamic UI element rendering for SCP Publisher fields
ECA-13606 Support CMP client mode with vendor certificate using p10cr commands
ECA-13619 Cleanup: Change deprecated references to org.apache.commons.lang3.StringEscapeUtils.escapeXml(String)
ECA-13626 Remove upgrade code for upgrading to EJBCA 6.8.0
ECA-13630 Cleanup: get rid of deprecated methods in EjbcaWebBean
ECA-13640 Cosmetic changes to the new UI style
ECA-13689 MSAE request fails if there is a processor active on the associated CA
ECA-13692 Build ejbca-caa-cli with Gradle
ECA-13725 Improve Home Page
ECA-13744 EJBCA 9.4.0 Alpha 1: Adding DOM IDs to heal legacy/MONT Appliance Test Automation Pipelines
ECA-13746 Normalize CA Activation Page
ECA-13749 Improve Crypto Token page
ECA-13751 Upgrade all references to commons-lang to commons-lang3.
ECA-13752 Update to BC 1.82
ECA-13765 Certificate profile UI defaults, remove CRLIssuer and forbid ECC encryption key usage
ECA-13766 Add pagination to Admin Web home page tables
ECA-13771 Forbid ECC encryption key usage should apply to all sign-only algorithms including PQC
ECA-13774 Document limitation of “Use explicit ECC parameters” causing ECDSA key generation failures via enrollkeystore REST API
ECA-13780 Apply different style for disabled buttons
ECA-13784 Normalize CA Structure & CRLs Page
ECA-13792 Cleanup: update references to AESEngine and CCMBlockCipher
ECA-13811 Rename RA Name generation prefix/postfix to drop RA
ECA-13816 Cleanup: remove references to end entity profile printing settings
ECA-13822 Clarify Hardware Module Name labeling and details in RA Web
ECA-13834 ConfigDump exports CA and Crypto token as id instead of name for SCPPublisher
ECA-13842 Cleanup: Update references to org.bouncycastle.asn1.crmf.CertReqMsg.getPopo()
ECA-13845 Use Helm chart to provide license file
ECA-13846 Modify ant and/or gradle build script to build releasable zip release and CE without license validation logic
ECA-13848 Remove (soon to be) deprecated references to FileTools.createTempDirectory
ECA-13851 Trigger license validation logic StartupSingletonSessionBean during startup for early validation
ECA-13852 Finalize the license validation logic
ECA-13863 Create a Configuration tab under the Manage CA's page and use it to store global CA settings
ECA-13884 Improve error output in ConfigdumpSessionBean.performExport(AuthenticationToken, ConfigdumpSetting)
ECA-13887 Improve Post Upgrade label text
ECA-13889 Documentation for Module Protected slots in nCipher is missing an environment variable
ECA-13890 Remove upgrade code for upgrade to 6.10.1
ECA-13895 UI Cleanup: Change all references of "Certification Authorit[y|ies]" to "Certificate Authority"
ECA-13896 Migrate ocsp.reqsigncertrevcachetime into system configuration
ECA-13908 Remove upgrade code for upgrade to 6.11
ECA-13912 Reorganize OCSP Global Configurations page
ECA-13932 Remove upgrade code for upgrade to 6.12
ECA-13937 Remove upgrade code for upgrade to 6.14 and 6.15
ECA-13942 Update myfaces-api to 4.1.1
ECA-13943 Cleanup: remove warnings in CachedDatabaseUnitTest
ECA-13945 Move "Enable OCSP Responses Cleanup" from System Configuration to OCSP Configuration page
ECA-13951 Cleanup: Remove warnings from CmpRaThrowAwaySystemTest
ECA-13953 Update to BC 1.82 - Composite Epic Branch
ECA-13957 Migrate ocsp.signingCertsValidTime from ocsp.properties into GlobalOcspConfiguration and GlobalCaConfiguration
ECA-13962 Cleanup: Remove references to ocsp.signtrustvalidtime and ocsp.keys.cardPassword
ECA-13963 Replace popup with error message for empty crypto token name
ECA-13966 Change input validation for session timeout
ECA-14008 Combine and place ACME ARI controls in the ACME alias
ECA-14009 Make the 'Enable Renewal Info Endpoint' switch effective
ECA-14020 Remove contact email from license messages
ECA-14026 Add the replaces attribute to the ACME newOrder resource response.
ECA-14051 Relocate the license implementation
ECA-14058 Upgrade HSM container version in Helm chart for luna and nshield to 0.5.0
ECA-14061 Fix ConfigDump import command system test
ECA-14093 Documentation of ACME ARI
ECA-14109 Upgrade the EJBCA container to use WildFly 38
Bug Fixes
ECA-6886 Security Issue
ECA-8805 ConfigExport of CertCrlService Doesn't Allow "None" Signing CA
ECA-12132 RA Web doesn't identify URI in SubjectAlt Name from the CSR
ECA-12324 Admin Web - Create EST alias - Misleading error message
ECA-12363 Admin Web - Services - No error message while cloning object using the same name
ECA-12535 Admin Web - ACME protocol page - Target Unreachable, identifier 'resourceBean' resolved to null
ECA-12724 Admin Web - Add End Entity - Unhandled rollback exception when SubjectDN char limit is exceeded
ECA-12869 Admin Web - Custom Certificate Extensions - system allows for duplications
ECA-12875 Admin Web - Custom Certificate Extensions - OID change is not blocked for incorrect values
ECA-13104 PKI Metal Validator - Button for uploading certificate is disabled
ECA-13124 Inappropriate Value in RA UI
ECA-13225 OCSP Responder Key Pair Alias list isn't refreshed when Crypto Token is changed if name is empty
ECA-13228 Fix NumberFormatException in EndEntityProfileSessionBean.getAuthorizedEndEntityProfileIdsWithMissingCAs
ECA-13354 EXTERNAL_ACCOUNT_BINDING_ID duplicated in openapi.json
ECA-13365 Fix the case sensitivity problem in the User Data native query
ECA-13423 AD publisher does not remove the user object or the certificate
ECA-13478 Secrets are not imported by ConfigDump
ECA-13485 Admin Web - Whitespace is not trimmed in EEP name, causing loss of access to add end entity page
ECA-13488 Add missing Gradle dependency
ECA-13495 Hibernate errors when using Microsoft SQL Server with EJBCA 9.2+ / WildFly 35
ECA-13524 ACME EAB fails if an EAB with asymmetric keys is configured first.
ECA-13549 EJBCA container not restarting when startup fails
ECA-13559 Publish Queue Process Service doesn't ConfigDump properly
ECA-13561 Validators sets field incorrectly on ConfigDump import
ECA-13563 Throwing exceptions in @PostConstruct-annotated method leads to warn output on startup
ECA-13571 Fix Normalized CA page in HA
ECA-13576 Ed25519 on nShield stopped working after HSM FW update
ECA-13579 Peer systems synchronization checkbox "Ignore newer entries at peer" has inverted text label
ECA-13588 End Entity Profile edit/view page does not work with HA (possibly)
ECA-13590 CMP page has an extra cell in UI
ECA-13618 All bugs related to the new Publisher layout/flow
ECA-13629 Regression: Can't edit end entity profile if some CA ID have gone missing
ECA-13634 Fix the View/Edit CA functions in Gradle builds
ECA-13680 Post upgrade is required on fresh EJBCA installation
ECA-13684 EJBCA is not starting with JDK21 since 2025/07/02
ECA-13685 EJBCA CE is not building after merging recent repository changes (failing since 2025/07/01)
ECA-13710 SQL Scripts - certificatedata_idx_san index not created in the postgresql database
ECA-13711 [CE] Admin Web - Cloning publisher process is broken
ECA-13745 [ConfigDump] Exported default RSA validator throws error on import
ECA-13762 Services attempt to run many times if canWorkerRun throws an exception
ECA-13764 Edit End Entity is broken again
ECA-13777 Admin Web - Manage Crypto Tokens - NPE because "flashInfo" is null
ECA-13803 In CRLUpdateWorker InvalidKeyException should be ignored just as an offline token
ECA-13804 REST API Documentation issue
ECA-13806 SCEP getcrl cannot override default content encryption algorithm
ECA-13821 S3 Publisher doesn't handle "." in the bucket name
ECA-13841 [HA] Admin Web - Cannot open Crypto Token Edit form due to existing bugs
ECA-13843 ConfigDump - secrets being exported incorrectly
ECA-13871 OCSP Keybindings with errors not reported in health check due to being ignored on signing cache reload
ECA-13894 Remove double resource definitions from the Helm chart
ECA-13901 Add SHA512withRSAandMGF1 to OCSP Responder Algorithms
ECA-13925 Fix NullPointer in Msae templates list
ECA-13969 Fix ConfigDump test fail caused by Allow OAuth host name feature
ECA-13971 Lack of input validation when configdumping EKUs
ECA-13973 Publicweb search cgi does not list CAs CRL when the chain begins with a non-root CA
ECA-13979 Investigate and fix container automation test failures
ECA-13994 Always execute the CodeQualityUnitTest
ECA-14018 RA authentication password field not properly displayed when "Authenticate through Microsoft Intune" is enabled
ECA-14023 CAA DNSSEC validation fails for some multi-label domains
ECA-14067 RA Web does not allow proper end entity creation with clear text password
ECA-14083 Suggested Renewal Time Window Start/End does not normalize correctly if only hours are mentioned, normalization fails.
ECA-14100 Add a null guard to org.ejbca.configdump.objects.ConfigdumpCertificateProfile.validateEKUs(List<String>)
EJBCA 9.3
EJBCA 9.3.6
Released November 2025
Bug Fixes
ECA-14267 CA mode with separate keys fails when Allow Client Certificate Renewal enabled
ECA-14292 ConfigDump returns error for SCEPCONFIG
ECA-14294 Use separate keys for SCEP decryption doesn't render keys on p11ng tokens
ECA-14297 Wrong error message when no CA is selected in SCEP alias
EJBCA 9.3.5
Released November 2025
New Features
ECA-14158 Enable use of separate encryption/decryption keys in CA mode
Improvements
ECA-13419 Update Helm README and Chart.yaml files
Bug Fixes
ECA-12494 Intune enrollment is failing for renewals
ECA-14164 Internal SCEPENCRYPTOR and SCEPSIGNER certificate profiles are exposed in some endpoints
ECA-14191 Editing MSAE alias breaks CEP policy after cache renewal
ECA-14213 SCEP enrollment with separate signing keys over peers (with denied access to unknown CAs) is denied
EJBCA 9.3.4
Released October 2025
New Features
ECA-13874 Create encryption and signing certificates on SCEP configuration save
ECA-13875 Return encryption certificate in GetCaCert response
ECA-13876 Use encryption and signing certificate when processing SCEP request
ECA-13879 Create SCEP encryption and signing certificate renewal service.
ECA-13952 Administrator should be able to choose the signature algorithm
Improvements
ECA-5985 SCEP servlet should take default values from end entity profile into account
ECA-13434 Import end entity key recovery keys even if p12 contains a CA certificate
ECA-13540 Cover missing edge case of authentication cache checks in ECA-13456
ECA-13572 Add Utimaco R3 default driver locations
ECA-13703 Upgrade PostgreSQL JDBC driver in container
ECA-13750 Upgrade commons-lang3 to 3.18
ECA-13782 CVE: Upgrade Apache CXF to 4.1.3
ECA-13832 Improve concurrency control for CEPService's oidLookup cache to avoid NPE and race conditions.
ECA-13839 Update to BC 1.80.2
ECA-13975 Upgrade nimbus-jose to 9.37.4 due to CVE-2025-53864
ECA-13987 Upgrade P11ng for Ed25519 nShield support
Bug Fixes
ECA-12516 EJBCA WebService cacertresponse asks for CA token password again even if password is provided in command
ECA-13515 Certificate Data Synchronization can fail if clock has moved backwards on CA
ECA-13552 "Forbid encryption usage for ECC keys" is not taken into account when client generates keypair
ECA-13599 Imported SCEP profiles are missing fields
ECA-13651 NPE on RA web for "CA Certificate and CRLs" Navigation menu
ECA-13662 Approvals requests for ACME over peers are not created
ECA-13677 ACME Endpoints duplicate request Lock
ECA-13790 In AWS S3 Publisher, all information meant to be stored in cert bucket is stored in CRL bucket
ECA-13794 PKIMetal Validator filters out OCSP-related certificate profiles when cleaning responses related to OCSP responses
ECA-13830 Printable string in CSR is signed wrongly as UTF-8
ECA-13835 MSAE - GetPolicies response require enrollment permissions
ECA-13858 Security: RA web allows certificate renewal without authorization checks
ECA-13860 MSAE alias configuration override
ECA-13866 Incorrect SCEP auth passwords are logged in clear text
ECA-13959 CA SubjectDN with escaped special characters
ECA-13965 EJBCA Helm repo points to the old repo
ECA-13969 Fix ConfigDump test fail caused by Allow OAuth host name feature
ECA-14014 End entity for SCEP RA certificates should be CA ID based
ECA-14034 SCEP RA end entity needs to be in GENERATED state
EJBCA 9.3.3
Released July 2025
New Features
ECA-13526 MSAE - LDAPS through RA (SocketFactory for CA certificate based trust)
Improvements
ECA-13040 Allow customers to import trusted CA certificates in container
ECA-13075 MSAE - LDAPS through RA (UI)
ECA-13486 Improve oAuth key upload from url logging
ECA-13527 MSAE - LDAPS through RA (Backend)
ECA-13582 Upgrade commons-fileupload2 to 2.0.0-M4
Bug Fixes
ECA-9062 ejbca-db-cli leaks memory
ECA-12780 A second SAN DNS name is not inserted into the certificate if Use entity CN field is enabled
ECA-13294 Allow revocation reason for issuance to be set from end entity profile for non-RA Web methods
ECA-13328 Regression: REST response format is null
ECA-13346 VA Peer Sync Failure for SSH certificates
ECA-13370 RA Web fails to populate UI altName field of type DirectoryName
ECA-13375 MSSQL Deadlocks during UserData update
ECA-13395 Certificate gets partition 0 when imported to EJBCA
ECA-13427 Fix misleading role claim
ECA-13428 Make PKIMessage.PKIHeader.senderKID optional for PBE/PBMAC1
ECA-13432 Regression: Admin web add/edit end entity page name constraints and extension data fields don't show as expected
ECA-13442 CMP message signature verification fails when PSS is used
ECA-13456 Cached authentication tokens can remain in use even after role member change on different node
ECA-13480 Missing Url Encoding in username for admin UI
ECA-13513 CVC issuance via REST API doesn't allow alphanumeric sequenceNr
EJBCA 9.3.2
Released June 2025
Included in this release are also the changes made in EJBCA 9.3.0 and 9.3.1, which were released internally.
Bug Fixes
ECA-13441 Possible break of 100% uptime due to ClassCastException
EJBCA 9.3.1
Released Internally June 2025
Bug Fixes
ECA-13373 Serial number should become a Sequence number for CVC certificate with Rest enroll request
ECA-13382 Renewal of encryption certificates (key archival) with MSAE
EJBCA 9.3.0
Released Internally June 2025
New Features
ECA-9981 REST: ability to specify subject DN validity override and additional data in pkcs10enroll call
ECA-11574 Change key recovery encryption algorithm to RSA-OAEP instead of RSA PKCS1.5
ECA-12475 New REST endpoint to submit public key instead of PKCS10 to get a certificate issued
ECA-12575 Allow EC CAs to use RSA keyEncrypt keys
ECA-12579 Add support for LMS certificates
ECA-12618 ML-DSA and LMS with Securosys
ECA-12820 LMS with Fortanix
ECA-12866 Key migration - REST Endpoint
ECA-12868 Key migration - Backend implementation
ECA-12995 Enable server side support for ACME dns-account-01 challenge
ECA-13012 Automatic populate blocklist with key related to cert revoked as "keyCompromise"
ECA-13071 Ability to create Hybrid CAs with CLI
ECA-13114 SLH-DSA support - Soft CryptoToken
ECA-13134 SunP11 to P11NG - Soft Migration
ECA-13160 Allow OCSP responder to sign from previous CA generations
ECA-13205 Add Workload Identity auth support for Azure SQL databases
ECA-13332 Documentation for Key Compromise Blocklist
Improvements
ECA-12427 Parametrized integration of HSM containers in Helm chart
ECA-12563 SNI support for Azure and Intune authentication
ECA-12777 Make sure log output is available through all endpoints
ECA-12779 Remove linter limitations for pkimetal Validator.
ECA-12813 Upgrade to BC 1.80, and KFC for ML-DSA and LMS
ECA-12835 Change all SHA1PRNG SecureRandom calls
ECA-12841 Remove User Data Sources
ECA-12867 Key migration - Error handling
ECA-12878 Add profile EKU, Key Usage, and Validity Period to /v2/certificate/profile/{profile_name}
ECA-12900 Enable Internal CAs to be exported as External CAs for convenient import in Peers
ECA-12934 MSAE Kerberos Token Extra Sid Group Membership
ECA-12937 Improve event tracking in log-file
ECA-12967 Upgrade Apache CXF to 4.0.6 or later
ECA-12974 Upgrade libraries used by EJBCA for 9.3.0
ECA-12983 Hide field "If Validator was not applicable" on Validator pages if not required
ECA-12991 Admin Web - MPIC Validator - API Key field should be disabled in the view mode
ECA-12998 Improve event tracking in log-file for OCSP
ECA-13007 Allow CV cert issuance public key request
ECA-13016 Add support for imported keys and certificates in the existing key recovery process
ECA-13047 Enable Server Name Indicator (SNI) based with Ingress at Helm Chart for secure end to end communication with EJBCA
ECA-13049 Improve helptext for importcertsms CLI command
ECA-13119 Fix MSAE key archival issue with HSM
ECA-13122 Remove unused imports from adding RandomHelper class usage to EJBCA
ECA-13123 Clean up certificates after web tests and add dynamic OCSP port
ECA-13132 Fix typo in debug message
ECA-13138 Add missing translation labels for incoming peer connections
ECA-13146 EE edit page in adminweb is shown wrong in CSR section
ECA-13147 Improve handling of date in ExpiredCertsOnCRL (OID 2.5.29.60)
ECA-13149 Fix Acme alias MPIC configuration validation + logic
ECA-13150 Update jsch to latest version 0.2.24
ECA-13155 Publisher description with Swedish characters (å, ä and ö)
ECA-13174 Remove intresources.* from cesecore.properties and non-English language files
ECA-13192 Remove ca.doPermitExtractablePrivateKeys
ECA-13193 ML-DSA with Fortanix
ECA-13211 Cleanup: Fix warnings in VaPeerStatusServlet and VaPeerStatusServletSystemTest
ECA-13212 Fix CA & CRLs pages loading time
ECA-13216 Reduce unwanted logs in ClientToolBox
ECA-13224 Upgrade PrimeFaces library to version 15.0.1 or newer
ECA-13237 Build clientToolBox with Gradle
ECA-13266 MPIC 3.3.0 Support - ACME http-01/dns-01
ECA-13282 Enable using all supported database types with Gradle
ECA-13298 Fix pull request template path
ECA-13300 Update French language
ECA-13311 Log recipients of emails in EmailSender
Bug Fixes
ECA-8088 SCP Publisher does not detect certain errors
ECA-9990 OAuth role members not fully working in ConfigDump
ECA-11953 Key recovery using EC with P11NG key not working
ECA-12185 OCSP Issuer Hash Lookup Fails for SubCAs with Microsoft CA Compatibility Mode Enabled
ECA-12380 OAuth Provider can not be imported from JSON ConfigDump
ECA-12658 Some CertificateData fields are not published to the VA
ECA-12732 Regression: Fix end entity profile username for manual enrollment
ECA-12754 CommonCacheBase is not synchronized
ECA-12927 IODEF code is prone to race conditions
ECA-12946 Renovate handling of NSEC3 opt-out
ECA-12947 MSAE alias changes in a cloned alias are carried over to the source alias
ECA-12976 CA with softKeys ML-DSA-xx can't be exported as P12
ECA-12988 End entity password edit fails from adminweb when it uses keystore based enrollment
ECA-13027 Fix number of allowed requests in RA Web
ECA-13032 Error in OCSP due to SERIALNUMBER property
ECA-13034 Docker 'latest' tag is not pointing to the latest main version anymore
ECA-13048 Character encoding issue of text field in Edit Publisher page
ECA-13060 Some configuration alternatives from the EE profile missing when enrolling from RA Web
ECA-13083 Password bit strength calculation error gives one bit lower than documented
ECA-13108 Regression: ejbca.cmd file has wrong path for ejbca-ejb-cli.jar and logging jar
ECA-13124 Inappropriate Value in RA UI
ECA-13166 UNID-FNR doesn't work with database protection, due to too short data type
ECA-13187 DESKPRO-1490 Incorrect url redirect in RAWeb with OAuth
ECA-13195 Post upgrade broken since 9.0
ECA-13207 End entity information contains keys with "__zzz_" in the name
ECA-13214 Fix Bouncy Castle version in jboss-deployment-structure.xml
ECA-13223 MPIC validator sends wrong type for wildcard certificates
ECA-13226 Rest endpoint checks if CA/CP/EEP is present only locally
ECA-13248 PII Log Redaction Leak detected by Jenkins
ECA-13253 Regression: CMP Name Generation pre and postfix missing for client mode
ECA-13275 Admin Web - Creation of Role Member stopped working (Community Edition)
ECA-13290 SCP Publisher loses exception stack traces and messages
ECA-13322 v1/certificate/enrollKeyStore endpoint checks CA exists locally
ECA-13343 MSAE Key Archival Recovery fails when HSM doesn't Support Triple DES (DES-EDE3-CBC) cipher algorithm
ECA-13358 Utimaco HSM template can not be used with templates
ECA-13360 Helm chart template version of Luna is a version old and the current version has bugfix
ECA-13377 Change default "Key encrypt padding algorithm" to RSA-OAEP instead RSA PKCS1.5
EJBCA 9.2.3
Released April 2025
Improvements
ECA-13147 Improve handling of date in ExpiredCertsOnCRL (OID 2.5.29.60)
Bug fixes
ECA-13119 Fix MSAE key archival issue with HSM
EJBCA 9.2.2
Released March 2025
Improvement
ECA-13149 Fix ACME alias MPIC configuration validation and logic
EJBCA 9.2.1
Released February 2025
Bug Fixes
ECA-12946 Renovate handling of NSEC3 opt-out
ECA-12978 Regression: Change in AdminWeb - System Configuration - My Preferences breaks ConfigDump
ECA-12988 End entity password edit fails from adminweb when it uses keystore based enrollment
ECA-13052 Statedump export fails if there's an MPIC Validator
ECA-13055 MPIC Validator import not supported by ConfigDump
ECA-13083 Password bit strength calculation error gives one bit lower than documented
ECA-13100 Regression: DN ordering issue in CMP protocol using EJBCA 9.2
EJBCA 9.2
Released January 2025
New Features
ECA-10221 Add REST endpoint /v1/endentity/{endentity_name}/edit
ECA-12498 Add timeout for ACME challenge requests
ECA-12785 Update Amazon S3 publisher to no longer require AWS CLI
ECA-12799 Add new MPIC Validator
ECA-12818 MPIC ACME integration
ECA-12822 Implement ConfigDump support for pkimetal Validator
Improvements
ECA-12501 Add P12 cipher option for PBES2, PBKDF2, AES-256-CBC
ECA-12571 MSAE support "Merge DN for all interfaces"
ECA-12598 Support Worker Properties for OAuth Key Update Worker in ConfigDump
ECA-12708 Drop unused properties from ejbca.properties
ECA-12709 Drop unused properties from jaxws.properties
ECA-12710 Drop unused properties from ocsp.properties
ECA-12718 Cleanup: X509Certificate.getSubjectDN and .getIssuerDn have been deprecated
ECA-12733 Compare subjects of end entities and CSR for EST vendor mode independent of the sequence of their DN attributes
ECA-12738 Replace configurable header JSP file path with a header selection/upload and remove unused ones.
ECA-12748 EJBCA EE SSH Principal order non-deterministic
ECA-12764 Add RFC4108 Hardware Module Name to SAN field in the end entity profile
ECA-12775 Change pkimetal profile select from single to multiple
ECA-12781 Remove support for keystore.use_legacy_pkcs12
ECA-12784 Extend v1/certificateRequest with additional requestTypes
ECA-12806 Upgrade xstream to 1.4.21
ECA-12809 Cleanup: Remove references to CertTools.genCertForPurpose
ECA-12811 Update Apache Commons Libs
ECA-12814 Cleanup: Infer generics in CaRestResourceSystemTest
ECA-12816 Add public key request type to clientToolBox certificaterequest
ECA-12821 Update EJBCA with x509-common-util 5.0.6
ECA-12842 Cleanup: Remove static methods from CertReqHistoryData
ECA-12847 Added OpenSSF Best Practices badge in README
ECA-12853 Change Unknown Active Directory OIDs warning to debug
ECA-12858 Update documentation for JDK21 support
ECA-12895 Increase number of threads available for REST based crypto tokens
ECA-12923 Update French language
ECA-12926 Optimize latest end entity certificate fetch from database (DESKPRO-1286)
ECA-12933 Cosmetic ordering in dncomponents.properties
ECA-12939 Add new 2024 IANA DNSSEC default trust anchor
ECA-12967 Upgrade Apache CXF to 4.0.6 or later
Bug Fixes
ECA-12750 Certificate Validity Start/End Time is not visible in Approval Requests
ECA-12753 Outgoing peer connections that time out causes unrelated publishers to fail
ECA-12757 Fix SCEP config "Allow Legacy Digest Algorithms in Response" to be updated by configdump
ECA-12760 Forbidden characters is initialized in the wrong order, leading to property being ignored
ECA-12761 RA Admins Unable to Approve Requests After Revocation by Another RA Admin in Partitioned Approval
ECA-12765 Regression in handling DN with trailing whitespace
ECA-12767 SCEP config value Authenticate through MS Intune always return true in configdump
ECA-12770 Certificate fails to generate with DN override when the CSR contains Subject DN fields not present in the EEP
ECA-12771 Optional end entity fields can not be left blank in the CA UI / AdminWeb, if Validation is enabled
ECA-12772 Change misleading error message.
ECA-12773 OAuth configs are not updated in EjbcaWebBean when updated by Worker.
ECA-12774 Admin web search End Entities Apostrophe Encoding Problem
ECA-12787 Regression: Admin Web - Create Crypto Token - GOST algorithm leftovers
ECA-12812 "External Scripts" gets unchecked after saving CT Log config (with or without changes)
ECA-12827 Unable to use clientToolBox stress test command with EC or EdDSA
ECA-12838 Regression: Edit EE in Admin Web doesn't set password
ECA-12840 Missing null guard in AcmeOrderSessionBean.processReadyOrder
ECA-12845 Possible NPE listing certificates (upgrade x509-common-util)
ECA-12848 CLI remove admin from role by email address not implying the right type
ECA-12854 RA Web - Make Request - GOST algorithms appearing in the key algorithm list (randomly)
ECA-12860 ACME /cert response shouldn't have "explanatory text" lines in PEM chain
ECA-12861 Fix 403 Error: Unauthorization error for enrollkeystore via REST API
ECA-12901 Admin Web - Update Certificate Profile - jakarta.el.PropertyNotWritableException
ECA-12905 Regression: Admin Web - ECC Key Validator - GOST algorithm leftovers
ECA-12908 PKIMetal validator is not available when EJBCA is built with Gradle
ECA-12912 pkimetal validator does not fill transitive fields when instantiated
ECA-12913 False negative validations
ECA-12925 Ping is misbehaving
ECA-12930 Prevent enrollment of certificates with invalid emails in the SAN in RA UI
ECA-12935 MPIC Validator - Issuance is allowed in case of misconfiguration
ECA-12953 JSONObject.toString() cannot be used for comparison
ECA-12989 EC curve based stress test stopped working
EJBCA 9.1
Released November 2024
Included in this release are also the changes made in EJBCA 9.1.0, which was released internally.
EJBCA 9.1.1
Released November 2024
Bug Fixes
ECA-12782 Regression: Few cipher suites not moved after dropping cesecore unused properties
ECA-12805 Issuance of wildcard certificate is incorrectly allowed when CAA issue ";" record is present
EJBCA 9.1.0
Internal release November 2024
New Features
ECA-12327 Add Matter IoT specific DN components for Node Operational Certificates
ECA-12371 Implement building and running unit tests
ECA-12453 nShield Connect integration with EJBCA container in Kubernetes
ECA-12576 Render PQC (alternative) public keys for hybrid certificates in RA Web view certificate screen
ECA-12599 Securosys Primus HSM REST API CryptoToken
ECA-12659 Issuance of ML-KEM certificate with CMP v3 using encrCert proof of possession
ECA-12759 Enable changing serial number generator algorithm in the Container
Improvements
ECA-12044 Render ML-DSA and ML-KEM public parameters in RA Web certificate checker
ECA-12084 Remove deprecated certificate profile specific ocsp functionality
ECA-12270 Network policy for EJBCA Helm chart
ECA-12326 Remove support for GOST and DSTU
ECA-12423 Allow OCSP Nonce of up to 128 bytes as per RFC9654
ECA-12578 Upgrade to BC 1.79 final
ECA-12645 An email address in the RA Web - Make New Request is required, but not marked as such
ECA-12653 Use DNS name for filename when NO subject DN is used
ECA-12666 Return alternative key algo through /v2/certificate/profile/
ECA-12693 Improve logging for certain EST errors
ECA-12699 Drop unused properties from cesecore.properties
ECA-12704 Document how to export and import data removed by database-housekeeping.sql
ECA-12706 Remove LegacySoftCryptoToken and attendant classes
ECA-12712 Remove Sample Code from src directory
ECA-12736 Ignore entries without alias in P11NG-CLI listkeypair, update p11ng to 0.25.1
ECA-12743 Cleanup: CertTools.genSelfCertForPurpose is deprecated and references should be removed
ECA-12755 Fix CMP test failures after encrCert ML-KEM merge
Bug Fixes
ECA-12394 Proper handling of Public Access Role Members during container startup
ECA-12471 The infinite token glitch
ECA-12523 RA Web - Inspect Certificate - Public Key not being presented correctly when PQ algorithm is used
ECA-12529 Caches are not updated after external configurations have been reloaded
ECA-12608 Admin Web - New Crypto Token - NPE while creating new pkcs#11NG token (error message improvement)
ECA-12691 Admin Web - Create CA - CVC available, but disabled (CE inconsistency)
ECA-12692 REST endpoint v1/cas return wrong issuerDN for three (or more) level hierarchies
ECA-12719 KF command REST response are not being read fully during Proxy CA enrollments
ECA-12726 EJBCA CE - PKCS#11 not working after upgrading EJBCA to JDK17
ECA-12729 Regression: APPSERVER_USE_MANAGED_ID
ECA-12734 Update BC version in jboss-deployment-structure.xml
EJBCA 9.0
Released October 2024
New Features
ECA-12286 Allow ACME dns-01 challenge with IPv6
ECA-12460 Add support for "issuemail" property tag in CAA Validator
ECA-12493 Add SDN support for Mark Certificates
ECA-12545 Implement check for close primes in RSA key validator
Improvements
ECA-10173 'mappedName' in annotations is not supported
ECA-11888 Ability to not read certificates on some P11NG crypto tokens (CloudHSM), use heuristic attribute buffer size when reading CKAs
ECA-12262 Replicated Database in CA
ECA-12365 Allow multiple EST templates to enroll using a Keyfactor Enroll CA
ECA-12395 "cryptotoken setpin" command should prompt twice for new password for confirmation
ECA-12401 Update cryptotoken libs
ECA-12408 Upgrade jee-api
ECA-12412 Specify version of the NGINX sidecar
ECA-12418 Use the CA certificate uploaded in EJBCA for Keyfactor Enrollment CA during EST getcacert
ECA-12436 Fix compilation error in Gradle (after Jakarta 10 upgrade)
ECA-12443 Upgrade xmlns to Jakarta EE version (xhtml pages)
ECA-12455 Convert view ee page to JSF
ECA-12470 Convert Edit EE page to JSF
ECA-12476 Reject issuance if using CAA with both serverAuth and emailProtection in profile
ECA-12483 Add support for S/MIME CAA lookups on ejbca-caa-cli
ECA-12484 Add support for port and protocol ejbca-caa-cli
ECA-12489 Migrate EST list of aliases page from JSF to primefaces
ECA-12490 Migrate My preferences page from JSF to primefaces
ECA-12500 Rewrite CAA Test to use the Test DNS Container
ECA-12524 MSAE LDAP connections should go through RA to outside world.
ECA-12550 Implement and document multiple TLS certificate support in NGINX sidecar
ECA-12559 Fix typo in javadoc in EndEntityCertificateAuthenticationModule
ECA-12587 VA Peer Publisher throws NPE if CertificateData.base64cert is null.
ECA-12589 L10n: Admin GUI language fix (ACME)
ECA-12590 L10n: RA GUI French update (based on 8.3.2)
ECA-12591 L10n: Admin GUI French update (based on 8.3.2) Fully translated
ECA-12592 Fix help text for removeadmin CLI command
ECA-12593 Fix code typos paramter to parameter
ECA-12594 Fix typo in findendentity cli help
ECA-12619 Upgrade Apache CXF to 4.0.5
ECA-12624 Improve RA GUI layout
ECA-12629 Upgrade dnsjava to 3.6.1
ECA-12631 Upgrade undertow-core to 2.3.16/17
ECA-12632 Upgrade xnio-* to 3.8.16
ECA-12647 Update CONTRIBUTING.md with test instructions
ECA-12648 Change doc link to new url
ECA-12672 L10n: French GUI fix (Peer Systems)
Bug Fixes
ECA-11540 "CMP Authentication Secret" field on Edit CA page gets auto-completed
ECA-12075 Add ACME Alias overwrites the old one if the same name is used
ECA-12288 Admin Web - Search End Entities - multi selection possible, but not working
ECA-12289 Admin Web - Search End Entities - Buttons are activated only after clicking on checkbox
ECA-12309 Admin Web - Certification Authority - Cannot download binary file of certificate request
ECA-12323 Invalid SQL for PostgreSQL when dropping index in UpgradeSessionBean
ECA-12359 Fix RSA-PSS on Windows in p11ng and update p11ng
ECA-12402 Bump Ingress max request body size
ECA-12422 External RA Cannot Query Peered CA Certificate Profiles
ECA-12425 Regression: KEC cache exception when clearing cache on Community
ECA-12428 Upgrade JDBC drivers used by EJBCA containers
ECA-12432 Output proper error message to CMP client when validation fails
ECA-12437 Importing a krb5.conf file for an MSAE alias erases all user input not stored
ECA-12438 CertificateRequest REST API fails after issuing certificate for invalid CA name
ECA-12440 SSH REST certificaterequest adds source_address only if critical_option is present
ECA-12459 Configdump - importing SSH CA does not allow CA healthcheck field to be specified
ECA-12461 Cannot create hybrid CA certificate with non-default CA certificate profiles
ECA-12463 UI Exception: javax.faces.Integer
ECA-12466 Certificate enrollment with the RA web inserts the e-mail into the RFC822name if checkbox is disabled
ECA-12468 REST API deployment issue with javassist lib
ECA-12469 A missing certificate lets EJBCA fail to startup if DEBUG / TRACE logging is enabled
ECA-12478 Get certificate profiles over peers in MSAE CESService
ECA-12487 Regression: Configdump - creating crypto token and soft keys
ECA-12488 Remove comma after CA name in Certification Authorities page
ECA-12492 Fix issues with addoauthprovider and oauthproviderkey CLI commands
ECA-12497 RA Web - Make Request - UI got deformed when too many SDN fields are used
ECA-12504 Table already exists warning with EJBCA 9
ECA-12508 Log reloaded properties on server log
ECA-12517 Regression: Download for CSR of newly created External CA fails with error 404
ECA-12518 Regression: p11ng-cli commands gives CRYPTOKI_NOT_INITIALIZED or CKR_DEVICE_ERROR
ECA-12519 clientToolBox does not work with Edwards curves
ECA-12549 Cannot delete oAuth configuration
ECA-12551 Resolve SLF4J logger warnings
ECA-12554 Database CLI is broken
ECA-12561 Cannot select ECC key in keyEncryptKey dropdown with p11ng crypto token
ECA-12580 Regression in username validation
ECA-12586 End entity list option is not sorted
ECA-12588 L10n: RA GUI English fix back (regression)
ECA-12596 RA Web - View EE displays link to certificates with adjacent username
ECA-12600 EST RA mode settings show up in client mode
ECA-12612 Incorrect CAA Validator message when issuance is prohibited
ECA-12622 Post-upgrade hangs when crldata_idx3 or crldata_idx4 exist
ECA-12626 EJBCA errors when deleting keys from a CloudHSM v5 HSM
ECA-12627 SnakeCaseConverter is not working in Swagger UI
ECA-12635 Incorrect version of slf4j in settings.gradle.kts
ECA-12638 CAA S/MIME validation is not applied to SAN In extension in request
ECA-12639 Environment variable expansion breaks ConfigDump import
ECA-12640 REST API /v1/certificate/pkcs10enroll fails with CA with name null does not exist
ECA-12644 Statedump is not working with Java 17
ECA-12651 Regression: RA Web - Inspect CSR - Unhandled error while uploading empty file
ECA-12660 Regression - Statedump fails with IllegalArgumentException when CryptoToken KeyPairInfo KeyUsage is null.
ECA-12662 EJBCA container test for- Statedump is not working with Java 17
ECA-12667 Fix NPE at cryptotoken init
ECA-12670 Update cert-cvc to fix very rare padding issue with EC signatures
ECA-12673 Regression: Admin Web - Publishers - Edit Form gets deformed when many publishers available
ECA-12674 Ejbca-Db-Cli "verify" throws exception and "export" commands has issues with ampersand character in database.url
ECA-12684 Port the Statedump Java 17 fix to the container
EJBCA 8.3
EJBCA 8.3.2
Released June 2024
Improvements
ECA-12472 - Improve error message in RA Web, if a user accidentally uploads a certificate instead of a CSR
ECA-12418 - Use the CA certificate uploaded in EJBCA for Keyfactor Enrollment CA during EST getcacert
ECA-12365 - Allow multiple EST templates to enroll using a Keyfactor Enroll CA
ECA-12493 - Add SDN support for Mark Certificates
Bug Fixes
ECA-12482 - Upgrade commons-configuration
ECA-12481 - Upgrade protobuf-java to 3.25.3
ECA-12478 - Get certificate profiles over peers in MSAE CESService
ECA-12466 - Certificate enrollment with the RA web inserts the e-mail into the RFC822name if checkbox is disabled
ECA-12461 - Cannot create hybrid CA certificate with non-default CA certificate profiles
ECA-12459 - CA health check field can't be specified when importing an SSH CA using ConfigDump
ECA-12435 - SSH Enrollments IPv6 Principal Values Segmenting
ECA-12359 - Fix RSA-PSS on Windows in P11NG and update P11NG
ECA-12311 - CRL Downloader Service Failing to Import External CA CRLs
ECA-12075 - Prevent ACME alias overrides when creating a new alias using an existing name
EJBCA 8.3.1
Released May 2024
Bug Fixes
ECA-12422 - External RA Cannot Query Peered CA Certificate Profiles
ECA-12428 - Upgrade JDBC drivers used by EJBCA containers
EJBCA 8.3.0
Released May 2024
New Features
ECA-10867 - Make the nextUpdateHours element configurable in the GetPolicesResponse
ECA-11319 - Add REST API endpoint for key recovery
ECA-11559 - Autoenrollment: Support "Supply in the request" enrollment
ECA-11623 - Recreate the menu as Primefaces and changing to a top-menu
ECA-11859 - Add support for being able to restrict keys/algorithms in the certificate profile for alternative signatures.
ECA-11931 - Add ConfigDump support for the hybrid settings for the CA
ECA-11932 - Add ConfigDump support for the hybrid settings for Certificate Profiles
ECA-1Z1997 - REST add ability to add end entity with key recovery enabled
ECA-12024 - Allow enrollment of Hybrid CSRs through UI.
ECA-12091 - RA mode support for EST over CoAPs
ECA-12104 - Review only: P11NG Cli command to list keypairs in the same way as EJBCA does
ECA-12107 - Server Name Indicator support in Coap-proxy
ECA-12138 - Use SCEP alias name for defaultCA if CA is not specified in request
ECA-12206 - Support alternative signature in ExtendedInformation and in KeyStoreCreateSessionBean
ECA-12339 - SBOM for EJBCA Container Set
Improvements
ECA-10214 - Extend REST /v1/ca results to include external CAs
ECA-10671 - Allow setting OCSP settings in the UI and CLI that can only be set in the ocsp.properties when using pre-signed proofs
ECA-10949 - Move MSAE Config to the CA
ECA-11606 - Add ability to test encrypt/decrypt-only keys on a crypto token
ECA-11750 - Add CryptoToken Key Usage to ConfigDump
ECA-11798 - Improve handling of HSM connection timeouts
ECA-11889 - Load CKAs, such as public key value and key usage, more efficiently from PKCS11 HSMs when listing keys
ECA-11941 - Enable validity start and end dates in the past
ECA-11985 - Adapt to stricter SubjectDN checks in IETFUtils.rDNsFromString
ECA-11996 - Add API in Crypto Token and P11NG to read key usage
ECA-12008 - Cleanup: Fix warnings introduced from x509-common-util
ECA-12009 - Change AcmeReplayNonceFilter to ContainerResponseFilter
ECA-12010 - Update documentation related to LW CMP Profile
ECA-12015 - Add time limit of certificate archival during CRL generation
ECA-12016 - ejbca.sh importcacert should include full CA chain
ECA-12017 - Add republish button per item in Publisher Queue
ECA-12019 - Include "id-etsi-ext-valassured-ST-certs" extension in the Certificate Profile
ECA-12023 - Use CKA_KEY_TYPE for P11 key algorithm, by upgrading p11ng, and use publicKey to get correct algorithm for CMS
ECA-12031 - Remove support for DSA
ECA-12035 - Add a prohibition to create a non-hybrid CA under a hybrid root, and vice versa.
ECA-12036 - Updated readme and security policy, add Issue templates
ECA-12037 - Include ECDSA hashing mechanisms in the Legacy Java PKCS#11 providers disabledMechanisms
ECA-12042 - CoAP proxy updates to support Software Appliance multi-NIC capabilities
ECA-12053 - RA Web Edit End Entity pressing enter selects Revoke And Delete, reorder so that is not the default
ECA-12062 - Add wildcard unit tests to DomainBlacklistBaseDomainCheckerTest
ECA-12063 - Change the default value of httpsserver.tokentype property to P12
ECA-12070 - Add OAuth (optional) support for userinfo
ECA-12073 - Reduce overhead for listing keys with P11NG Crypto token
ECA-12076 - Cleanup: Remove OcspKeyRenewalSession
ECA-12087 - Update language files, from David Carella
ECA-12088 - Remove jndi.properties.glassfish and jndi.properties.jbosseap6
ECA-12090 - Modify CreateCsrCommand to not require an SDN
ECA-12094 - Change behavior of Pre-Certificate Revocation Service
ECA-12106 - L10n: Localize Message Use entity CN (for SAN/dNSName extension) in Admin UI
ECA-12108 - Improve GUI info when testing key pair
ECA-12115 - Add support for maxWorkerJobs in configdump of publish queue service
ECA-12117 - Create multi-stage Dockerfile
ECA-12134 - Correct MSAE SPN format help in Admin UI
ECA-12156 - Minor language updates for Peer systems
ECA-12163 - Allow EJBCA container to import JSON via configdump
ECA-12174 - Clean up code after implementation of issuance/revocation prompted ocsp response pre-production
ECA-12182 - Upgrade MailAttachment to not use > JDK17 classes
ECA-12213 - SCEP GetCACaps returns error in SCEP CA mode when no CA is passed in message
ECA-12225 - L10n: French GUI language fixes
ECA-12226 - L10n: RA GUI Missing keys and fixes (ICAO, OAuth, etc.)
ECA-12228 - Minor code cleanup
ECA-12230 - Refactor "Add End Entity" page
ECA-12241 - Introduce granular search criteria in REST API
ECA-12254 - Remove ConfigurationChecker
ECA-12257 - RA GUI Make New Request page improvements
ECA-12266 - Remove all localizations used in crypto tokens
ECA-12268 - Review only: Ability to issue Link Certificate using previous signature algorithm when changed
ECA-12271 - Remove Services related localizations
ECA-12293 - Review: admin-gui: Adding more id= attributes to the new menu
ECA-12301 - Upgrade Apache CXF to 4.0.4
ECA-12316 - Introduce 'begins with' search operation in REST API
ECA-12322 - MSAE Intermediate CAs with same DN causes issues with LDAPS
ECA-12325 - Allow ejbca.sh change slot PINs w/o providing the previous PIN
ECA-12330 - Drop ca.keystorepass and ca.cmskeystorepass
ECA-12337 - Update p11ng to support Ed448 on Utimaco
ECA-12364 - Upgrade EJBCA to BC 1.78
ECA-12367 - Admin and RA UI language improvements from David Carella
ECA-12382 - Show alternative signing algorithm when enrolling via CSR in RA GUI
ECA-12384 - Fix documentation error in step-by-step instruction for ra web make new request with CSR
ECA-12387 - Warning removal: Add missing serialVersionUID
ECA-12388 - Warning cleanup: Update references to org.junit.rules.Timeout
ECA-12389 - Warning cleanup: Update references to org.junit.Assert.assertThat
ECA-12397 - Add list/table of deprecated and dropped features to the documentation
ECA-12400 - Upgrade to Nimbus-Jose to 9.37.3
ECA-12414 - Localization - French translation for RA web
Bug Fixes
ECA-11548 - Unable to only create deltacrl in REST
ECA-11626 - Enrollment code (minimum bit length) by pass
ECA-11962 - Fix InternalKeyBinding rekeying when keyspec is an OID
ECA-11969 - ejbca-db-cli verify broken - P11ng ClassNotFoundException
ECA-11970 - User can add Crypto Token with just spaces
ECA-11988 - RA Search engine keeps old incorrect results
ECA-11989 - RA Misleading message when no criteria selected.
ECA-11991 - CE cannot be compiled due to MSAE classes
ECA-11994 - Fix session timeout issue when edit ca
ECA-11995 - URI Name Constraints Not Accepting Multiple Subdomains
ECA-12006 - SCP Publisher doesn't validate empty URL fields
ECA-12011 - custom_data in REST v1/endentity requires extension_data set as well
ECA-12013 - Typo when SCEP_CLIENT_CERTIFICATE_RENEWAL_CLASSNAME can not be instantiated
ECA-12014 - CompressedCollection fails in some environments during CRL generation. Remove it
ECA-12025 - Notification Timeout Not Returning Generated Certificate
ECA-12026 - Missing OCSP transaction log entries
ECA-12040 - /v1/certificate/expire does not return certificates if maxNumberOfResults is not mentioned
ECA-12045 - Ensure all CA certificates are loaded into CaCertificateCache
ECA-12049 - EJBCA appears to leave PKCS#11 sessions around (CKR_SESSION_COUNT error)
ECA-12050 - CMP NestedMessageContent reading RA certs directory should ignore subdirectories
ECA-12051 - ant runweb misspells ocsp for included test
ECA-12057 - Ldap timeouts not saved properly in MSAE autoenrollment alias
ECA-12059 - CmpRevokeResponseMessage may be created with incorrect Sender in header in some cases
ECA-12060 - Sign CMPv2 responses with CA sigAlg when request uses HMAC - refactoring
ECA-12071 - Regression: rest api v2 certificate search broken in 8.2 when performing count
ECA-12077 - CMP Aliases in RA Mode doesn't survive upgrade to 8.2
ECA-12083 - Enroll with username/requestId incorrectly validates CSR fields
ECA-12085 - ejbca.cmd file does not work
ECA-12093 - Private keys without CKA_ID keys on an HSM gives NoSuchMethodError: 'boolean org.apache.log4j.Logger.isWarnEnabled()'
ECA-12105 - Regression: NPE in Admin UI when crypto token contains DSA key
ECA-12110 - OCSP Issuer URLs not showing on configdump export
ECA-12116 - Regression: ConfigDump fails with p11 error
ECA-12120 - Potential NPE when creating SSH CA, optimize usage of extgen.generate
ECA-12126 - SubCAs not provisioned with hybrid key
ECA-12129 - Unable to restart container when Security parameters are set
ECA-12130 - Regression: Community admin web for CMP aliases misses the 'Add' button
ECA-12131 - Username should come from changed DN in EST RA Vendor mode with Allow ChangeSubjectName enabled
ECA-12135 - Add back favicon to Admin UI Add End-Entity page
ECA-12137 - Error with focus and duplication in RA GUI subject directory attributes
ECA-12139 - Review only: HealthCheckServlet query parameters don't work under load
ECA-12145 - Containerized installation issues - Public Access Member is not removed
ECA-12170 - Possible NPE in CAInterfaceBean
ECA-12172 - Compliance issue
ECA-12189 - Fortanix HSM Failures after idling without HSM activity
ECA-12196 - REST API Key Recovery endpoint doesn't work over Peers
ECA-12197 - Regression: DeltaCRLException trying to renew a CA
ECA-12204 - Regression: Un-revocation does not work when an invalidityDate is used
ECA-12215 - Regression: Community admin web for SCEP aliases - cannot delete alias
ECA-12223 - Regression: Order of Name and Id changed in WS API NameAndId object
ECA-12224 - Regression: Error revoking certificate when invalidityDate is null - Row was updated or deleted by another transaction
ECA-12227 - Merge DN function when merging SANs is case sensitive
ECA-12231 - Increase metaspace size
ECA-12233 - RaEndEntitySearchPaginationSummary does not implement Serializable
ECA-12238 - Speed up certificate search query
ECA-12246 - Regression: Order of ResponseType and Data changed in WS API CertificateRequestResponse object
ECA-12249 - Enroll EC certificate using MSAE protocol
ECA-12251 - Add new hard coded PQC key(s) for pre-signing validation
ECA-12253 - CRL store servlet shows CRL download links even if CRL is not present.
ECA-12255 - Log Redaction is not always performed in publishers
ECA-12256 - Ed25519 CSR in RA UI fails with NPE on Java 17
ECA-12264 - Regression: CertificateSamplerCustomPublisher can not be created
ECA-12278 - Incorrect alter table SQL for MS-SQL in post-upgrade scripts
ECA-12291 - Configdump export for Roles considers only internal CAs
ECA-12306 - Fix stack overflow while storing Validation Authority Publisher
ECA-12312 - Remove duplicates in RA Web field 'Key Algorithms'
ECA-12313 - Not possible to change key type or size when reissuing a certificate.
ECA-12335 - PKCS#12 files from key recovery through the WS API uses legacy certificate bag algorithm
ECA-12338 - Admin Web - Rename approval profile - error message to be improved
ECA-12375 - Handle AWS KMS disconnects without errors
ECA-12386 - Fix YamlWriterUnitTest
ECA-12391 - Fix usage of imagePullSecrets in EJBCA Helm Chart
ECA-12392 - Missing 'VA Functions' menu in VA builds
ECA-12393 - Security issue
ECA-12396 - CLI - gencsr - Could not create key: Key Algorithm DILITHIUM5 was unknown
ECA-12399 - RA Web CSR enrollment with Dilithium as primary algorithm only works when all EC curves allowed
EJBCA 8.2
Released December 2023
New Features
ECA-11720 - P11NG-CLI ability to list and delete data objects
ECA-11844 - Capability to issue CA Exchange Certificate via MSAE
ECA-11849 - Add Utimaco PKCS#11 R3 to defaultvalues.properties
ECA-11850 - Support AWS Service Roles for AWSKMS Crypto Tokens
ECA-11851 - Handle Key Exchange Token request / response from MSAE Servlet
ECA-11862 - Add dropdown in MSAE alias config for Exchange Certificate Profile
ECA-11863 - Add x509 extensions for MS Exchange Certificate to certificate profiles
ECA-11864 - Allow caller to customize what's checked in health checks
ECA-11876 - SOAP WS API: Support more fields when creating CAs
ECA-11883 - Background Service Renewing CA Exchange Certificate
ECA-11907 - Add keyusage flag to cryptotoken generatekey ability to modify attributes in p11ng-cli
ECA-11911 - Integrate MSAE key archival workflow with createCertficiateWs
ECA-11929 - Documentation for RA Chaining
ECA-11937 - Add keyusage flag to REST API generateKeyPair
ECA-11938 - Add p11 attribute override ability in p11ng-cli
Improvements
ECA-6415 - Searching for certificates in the RA web is slow
ECA-10698 - Inspect Certificate/CSR in RA UI
ECA-11613 - DER format CSR enrolment via REST API
ECA-11620 - Normalize the CMP Configuration page according to UX design conventions
ECA-11621 - Normalize the EST Configuration page according to UX design conventions
ECA-11622 - Normalize the SCEP Configuration page according to UX design conventions
ECA-11646 - Extended flexibility in CMP RA mode validation logic
ECA-11662 - Add a new REST endpoint to trigger Service workers
ECA-11798 - Improve handling of HSM connection timeouts
ECA-11804 - OCSP response pre-production during issuance/revocation
ECA-11846 - Peer publisher should always publish certificate contents for CA and OCSP certificates
ECA-11852 - Upgrade JackNJI11 to improve error handling in FindObjects and work with cloudHSM with more than 1024 key pairs
ECA-11882 - Create RA side cache for MSAE Key Exchange Certificate
ECA-11894 - Language update by David Carella
ECA-11913 - Exchange certificate DN should be based on issuer's CN
ECA-11914 - Allow non-Bouncycastle keypairs to be recovered from SOAP APIs
ECA-11939 - Add a feature toggle presigned OCSP responses upon issuance & revocation generation
ECA-11943 - Force reload cached JS and CSS files when EJBCA version changes
ECA-11961 - Fix testRedactionPatterns test in CE
ECA-11984 - L10n: Add Document-Signing EKU in RA GUI (English)
Bug Fixes
ECA-10858 - EE profile change in RA web
ECA-11665 - Can not use PEM cert download in RA Web if key recovery is enabled
ECA-11729 - BE Publisher - we can add any property via REST
ECA-11818 - End Entity is being updated even when nothing was changed
ECA-11825 - NPE when trying to import CA certificate response when MS CA compatibility is enabled
ECA-11828 - IllegalStateException when starting EJBCA with MS CA compatibility enabled and cryptotoken auto-activation disabled
ECA-11842 - RA - only key algorithm section is visible
ECA-11847 - FE RA - unify fields in end entity.
ECA-11855 - FE PeerConnector - cancel works like save
ECA-11861 - Add/Remove buttons in EST View mode are clickable
ECA-11865 - Configdump import fails for /endentityprofilesrules/profileName/keyrecovery/
ECA-11871 - Restore ca.keyspec that was accidentally removed from install.properties.sample
ECA-11893 - ejbca-db-cli verify broken - no such provider BC
ECA-11896 - Regression: CrlStoreSessionBean.getLastCRLInfoLightWeight gives exception using Oracle Database
ECA-11905 - Allow non-Bouncycastle keypairs to be recovered from RA GUI
ECA-11915 - RA certificate search timeout returns "No results"
ECA-11916 - List of Vendor CAs in EST alias is not sorted
ECA-11925 - Edit CMP Alias page displays RA Name Generation Prefix/Postfix on Client Mode
ECA-11926 - Only KEC enabled certificate profiles must be shown in drop down in MSAE alias
ECA-11927 - AWX configdump import failure due to missing yaml key (should not be mandatory)
ECA-11946 - Relapsed - MSAE Alias - Removing template mapping always removes the top row
ECA-11954 - Fix missing ConfigDump default value for "Fortanix Base Address" in CryptoTokens
ECA-11955 - Fix NullPointerException in EjbcaWS method "createExternallySignedCa" when caProperties = null
ECA-11956 - Exception when trying to add an alias
ECA-11960 - Allow recovery for usergenerated tokens only if they are marked for recovery
ECA-11968 - isDeltaCrl flag in storeCrl in CertificateCrlReader is set incorrectly
ECA-11975 - Regression: Could not find key 'CMP_ALIAS/.extendedvalidation'
ECA-11977 - Log Redact ui bug in approvals for key recovery
ECA-11982 - Fix CMP alias UI - distorted vendor mode fields
ECA-11983 - RA Web Make New Request UI Bug
ECA-11986 - Make RA Web certificate search backwards compatible with older CA versions
EJBCA 8.1
Released September 2023
New Features
ECA-10059 - Add Auto Enrollment configuration to configdump for import/export
ECA-11456 - Not possible to create a keystore for PQC
ECA-11485 - Fix key specification configuration for NTRU in Certificate Profile and Ra web
ECA-11583 - Create new service worker type "Database Maintenance Worker"
ECA-11584 - CRL cleanup logic for DatabaseMaintenanceWorker
ECA-11601 - End Entity Profile field for Subject Name redaction
ECA-11636 - Allow WildFly container start with cgroup2
ECA-11660 - Support id_token in OAuth2
ECA-11672 - Subject Name log redaction for ACME
ECA-11675 - Subject Name log redaction for REST
ECA-11676 - Subject Name log redaction for RA web
ECA-11680 - Subject Name log redaction for ejbca-ejb module
ECA-11682 - Subject Name log redaction for cesecore-ejb module
ECA-11683 - Subject Name log redaction for cesecore-common and cesecore-entity module
ECA-11685 - Subject Name log redaction for x509-common-util module
ECA-11700 - Subject Name log redaction for protocols: EST, CMP and SCEP
ECA-11719 - Subject Name log redaction for ejbca-common
ECA-11720 - P11NG-CLI ability to list and delete data objects
ECA-11739 - HSM support for Dilithium for HSMs supported by P11NG
ECA-11746 - CLI command for certificate count
ECA-11763 - PingFederate OAuth Integration
ECA-11806 - Ability to issue CV Certificates (from a CVCA) from a PKCS#10 CSR
Improvements
ECA-7617 - Hide "Create CRL" button for CVC CAs
ECA-7618 - Add option to use custom port with ScpPublisher
ECA-9297 - Name Registration Authorities not included in QC Statements
ECA-10590 - Add Configdump import/export support for peer systems
ECA-10673 - Update CRL links of Publisher Queue Status
ECA-10964 - When registering through WS/SOAP "edituser" the "startTime" and "endTime" is always modifiable regardless of the EEP settings
ECA-11273 - Protect CMP error messages whenever possible
ECA-11323 - Improve v1/certificate/certificaterequest error handling
ECA-11413 - Ensure that all session data is Serializable
ECA-11450 - Introduce revocation cache for authentication
ECA-11551 - Search End Entities Slow/Timeout if upper() used
ECA-11557 - Add Invalidity date to REST /v2/certificate/search
ECA-11570 - Remove self-register properties from web.properties.sample
ECA-11594 - Library upgrade (xstream)
ECA-11615 - Validate subject_dn in REST /v1/endentity
ECA-11631 - Change dnsjava Lookup default cache for ACME dns-01 challenge
ECA-11647 - P11NG-CLI: print key type and public values
ECA-11661 - Add configdump support for External CRL Distribution Point
ECA-11678 - Subject Name Redaction Audit Log - Remaining System Tests
ECA-11714 - Migrate to the new jsch library
ECA-11725 - Support validity parameters in SSH certificate enrollment in REST
ECA-11753 - Update relevant EJBCA doc
ECA-11766 - Subject Name log redaction for ACME refinement
ECA-11771 - Subject Name log redaction for ejbca-common-web and ejbca-entity refinement
ECA-11797 - Configurable CA Chain order for SCEP
ECA-11805 - Document use of P11NG for RSASSA-PSS
ECA-11811 - CLI importca command should take a token name argument for pre-existing crypto token
ECA-11813 - Update docs related to ECA-11754
ECA-11816 - Clear warning in Admin UI about renewing existing CA
ECA-11824 - Upgrade x509-common-utils to 0.10.5
ECA-11841 - Upgrade RESTEasy libraries to version 4.7.8.Final or newer
Bug Fixes
ECA-7089 - /ca_functionality/add_ca access rule can't be set in Admin GUI
ECA-11228 - Cache clearance fails in cluster due to https redirect
ECA-11289 - Revisit "Generate OCSP responses for" in VA Responders
ECA-11467 - External Issuing CAs are displayed as Root CAs
ECA-11498 - REST API fails with "REST resources is not authorized for this Peer connection"
ECA-11515 - Manage Services - Delete Service without selection opens dialog
ECA-11518 - Manage CAs - Import CA certificate - Import arbitrary file results in a NullPointerException
ECA-11531 - Fix p11ng-cli.sh deleteobject command
ECA-11545 - ejbca.sh ca importcert command does not print a user message after failure
ECA-11561 - Duplicate service timer invocations are not ignored
ECA-11568 - Ensure that data on Search End Entity page is Serializable
ECA-11572 - Exception creating CSR for CA without uploading CA chain
ECA-11580 - Remote Internal Key Binding Updater E-mail action doesn't work
ECA-11602 - Multiple MSAE alias value override
ECA-11604 - RA web Certificate Validity fields - doesn't support "days:hours:minutes"
ECA-11610 - EST get CA certificate fails when certificate authentication is used
ECA-11612 - Error should be displayed when clicking on buttons on search End Entity Page
ECA-11624 - Search End Entity Advance, Searching by Date of Creation only is not possible
ECA-11627 - Auditor role shows "Edit" button on end entity profiles
ECA-11634 - JsfDynamicUiHtmlInputFileUpload$1 Exception on acme alias modification.
ECA-11691 - In Edit CA page directoryName name constraints is classified as URI type
ECA-11692 - Enrollment in RA web fails for DILITHIUM(n) keys
ECA-11703 - EJBCA does not provide OCSP response with the proper hash when using the CA signing key
ECA-11705 - NPE arises when no CAs to check have been chosen
ECA-11710 - BE Lack of messages in ValidationMessages.properties
ECA-11712 - Add error messages for End Entity /setstatus REST API
ECA-11717 - CA certificate should be possible to revoke from Admin web only
ECA-11721 - CA revocation revokes expired certificates
ECA-11723 - ITS REST APIs are not accessible via Swagger UI
ECA-11726 - Documented database index incompatible with postgresql
ECA-11727 - Remove references to ejbca-rest-common src-test directory
ECA-11730 - BE Lack validation for publisher REST import
ECA-11737 - pkcs11ng cryptotokens incorrectly show as active if used by a CA
ECA-11744 - Wrong timezone is used for CT log sharding
ECA-11756 - Node local log redaction settings are not immediately detected after restart
ECA-11757 - CT Pre-certs trigger Unique Subject DN check
ECA-11773 - Refinement on log redaction audit log and other
ECA-11774 - Minor refinement on log redaction for EjbcaWS
ECA-11786 - Refinement on missed log redactions
ECA-11802 - Fix NPE in CertificateData.getLogSafeSubjectAltName
ECA-11810 - Regression: NPE after upgrade from older EJBCA to current main (which has Subject Name log redaction feature)
ECA-11817 - End Entities cannot be edited in RA Web
ECA-11819 - Enrollment Issues with WebService (log redaction)
ECA-11822 - Calculation of maximumExpirationDate to renew certificate overflows at 25 days
ECA-11827 - ca_management endpoint must be Unavailable in CE edition
ECA-11829 - Fix AvailableProtocolsConfigurationTest
ECA-11832 - Fix broken equals/hashCode in PeerOutgoingInformation
ECA-11835 - Selecting CertSafePublisher and AzureCrlPublisher in Edit publisher page generates NPE
ECA-11836 - No default value for the 'Available Security Levels'
ECA-11839 - Regression: NPE on certificate issuance in RA web, when CA is running 8.0
ECA-11843 - Fix non-deterministic serialization of Certificate Profiles
EJBCA 8.0
Released June 2023
New Features
ECA-9249 - Implement ConfigDump for SSH Certificate objects
ECA-9260 - Create a REST call to request an SSH certificate
ECA-9264 - Allow SSH CA public keys to be downloaded in SSH format from the RA web
ECA-9562 - ACME DNS Identifier Validation tls-alpn-01 Challenge
ECA-9856 - Add validity override option to REST /v1/endentity
ECA-10968 - Initial PoC support for Falcon and Dilithium PQC algorithm using soft token and non-official OIDs
ECA-11136 - CMP HMAC validation in Client Mode (Extended validation)
ECA-11146 - Modify language clue about security strength from only NTRU to PQC general
ECA-11154 - Support EC point compression in issued certificates if CSR has it
ECA-11177 - Fortanix crypto token type
ECA-11201 - Add RFC9336 Document Signing built-in extended key usage
ECA-11248 - Ability to include language files from custom publisher plugins
ECA-11258 - Add Matter IoT specific DN components
ECA-11266 - Make max number of jobs for a publishing queue worker configurable.
ECA-11283 - Create tests for CoAP REST endpoint
ECA-11296 - Support Subject and AuthorityKeyIdentifier method 2
ECA-11297 - Add PQC KEM algorithm NTRU as available algorithms in Certificate Profile
ECA-11298 - Add documentation of PQC support
ECA-11300 - Ability to order Key Identifier extensions in specific order
ECA-11328 - Add protocol configuration for REST CoAP
ECA-11363 - Correct test failure in Jenkins related to ticket ECA-11328
ECA-11367 - EST server side key generation
ECA-11377 - CoAP Support for EST Server Side Key-gen
ECA-11378 - CoAP Support for EST 'simplereenroll'
ECA-11432 - Add options to select encryption and wrapping algorithm in clientToolBox SCEPTest command
ECA-11433 - Add support for RSA-OAEP decryption in P11NG
ECA-11440 - Missing support IPv6 for SANs in CMP protocol
ECA-11453 - REST API endpoint for counting issued and active certificates
ECA-11457 - Add uniqueIDentifier and certificationID DN components
ECA-11504 - Document initial support for IBM HPCS HSM using P11NG
ECA-11520 - OCSP responder support for CertId using SHA384 and SHA512 in OCSP requests
Improvements
ECA-8627 - Allow multiple CRL Updater Services to run in parallel
ECA-9536 - Replace configurable header JSP file path with a header selection/upload
ECA-10442 - Add placeholder for certificate serial number in decimal format to e-mail notifications
ECA-10686 - Remove commons-digester
ECA-10688 - Upgrade commons-io to 2.11 or later
ECA-10903 - Improve logging for ACME EAB failures
ECA-10971 - Create an exportable x509-cert-utils module
ECA-10987 - Don't rely on presence of TLS session tickets when detecting type of public access role member
ECA-11064 - Return list of supported JWS algorithms if ACME EAB request uses an unsupported JWS algorithm
ECA-11075 - Add "verify-required" critical option
ECA-11164 - Update ldap.jar to latest version
ECA-11165 - Upgrade log4j to 2.19.0
ECA-11167 - Extend ACME available MAC algorithms to HS384 and HS512
ECA-11170 - Remove reference to velocity.log from build.xml
ECA-11178 - Upgrade woodstox-core to 6.4.0
ECA-11180 - Upgrade Google Guava to version 31.1 or later
ECA-11188 - Rewrite the Validators Page to conform with emerging UX practices
ECA-11189 - Always check revocation status of certificates during authorization
ECA-11191 - Remove calls to deprecated constructors of Integer and Float
ECA-11192 - Cleanup: Update deprecated BouncyCastle references
ECA-11196 - Refactor some CRL related classes and code.
ECA-11199 - Update commons-configuration2 --> 2.8.0
ECA-11214 - Upgrade EJBCA to use CDI
ECA-11215 - Upgrade to javaee-api-8.0.1
ECA-11216 - Allowing special character "+" in email address in AdminWeb add entity
ECA-11233 - Modify CryptoTokenTestRunner to include P11NG
ECA-11235 - Convert MBeans declared in CA UI's faces-config to use CDI instead
ECA-11261 - Remove CoAP endpoints from SwaggerUI
ECA-11264 - Reduce and upgrade javassist to version 3.29.2
ECA-11267 - Modify the Validators page to use a separate column for validator type
ECA-11269 - Refactor ACME Alias overview page according to current UX practices
ECA-11293 - EJBCA - Create an EST CoAP config API
ECA-11294 - CoAP server - Load EST config from EJBCA
ECA-11316 - Solve the root-resource mystery
ECA-11326 - Add handling of "Number of Allowed Requests" in code for race condition avoidance
ECA-11327 - Fix ACME system test failures false positives due to challenge validations
ECA-11373 - Add PQC key generation by the CA in RA Web
ECA-11376 - Remove deprecated call to CoreMatchers.containsString() in AcmeAssert.java
ECA-11390 - P11NG: Clear cache after login
ECA-11391 - CP improvement - Add only relevant key usages to certificates
ECA-11396 - Update default PKCS#11 libraries for Thales ProtectServer 2 and 3
ECA-11399 - Make scope UI configurable for PingID OAuth Provider
ECA-11400 - Remove unused classes
ECA-11401 - Move KeyTools.getBytesFromOauthKey and KeyTools.getKeyIdFromJwkKey out of x509-commons-util
ECA-11402 - Containerize CoAP Proxy
ECA-11404 - EST over CoAP access rule for CoAP REST resource
ECA-11417 - Decrypt Intune client secret on CA
ECA-11426 - SSH Swagger UI example issues
ECA-11435 - Upgrade SnakeYaml to version 2.0
ECA-11436 - Update jackson libraries
ECA-11442 - Rewrite the Search End Entities page in the CA UI to JSF
ECA-11447 - Add warning about re-keying Root CAs
ECA-11451 - Update Swagger Codegen lib to v2.4.31 or later
ECA-11452 - TLS 1.3 Support for key bindings
ECA-11454 - Support decimal serialNr for EJBCA CLI revoke
ECA-11465 - Include SSH feature(s) in the standard EE build
ECA-11466 - 'Use Entity CN Field' for MS UPN
ECA-11474 - Replace tabs in System Configuration Screen with PrimeFaces tabs
ECA-11476 - RA web is not affected by Certificate Chain ordering
ECA-11486 - Fix key algorithm and key spec for PQC when view certificate in Ra web
ECA-11489 - Add ability to enable/disable Fortanix DSM crypto token in properties
ECA-11491 - Enable post-quantum algorithms by default
ECA-11500 - Updated EJBCA logo based on Keyfactor rebranding
ECA-11501 - Match all active vendor CA certificates with CMP vendor certificate mode
ECA-11502 - Evaluate MSAE deny permissions
ECA-11529 - Add margin for Search End Entity Buttons
ECA-11537 - Make ejbca.sh config available on RA / VA builds
ECA-11553 - editcapage: Add ID to the form elements so that test automation does not break with every single release
Bug Fixes
ECA-4347 - Race condition when multiple RA threads are requesting certificates for the same user
ECA-10304 - ACME Configuration: Modified settings reset after save.
ECA-10412 - Fix warnings
ECA-10754 - REST API: When hitting max_statement_time (or 'Maximum Query Timeout'), the request does not fail
ECA-11080 - AdminWeb: GetCrl with insufficient permissions results in 500 Error
ECA-11089 - Unable to Save Advanced Access Rules
ECA-11128 - Autoenrollment alias does not accept krb5 conf file if it is considered plain text
ECA-11137 - Can't view/edit Batch Generation / Clear Text Password state from RA GUI
ECA-11148 - Conflicting autogenerated password error at EE creation
ECA-11161 - Fix HMACAuthenticationModule extracted username bug
ECA-11174 - ZIP releases fail to build using Java 17
ECA-11194 - post upgrade failure from version 7.3.1.4 to version 7.10.0.1
ECA-11202 - WS javadoc fail after X509-Common-Util move
ECA-11203 - ant test:clientToolBox fails after x509-common-util
ECA-11210 - NPE when enrolling an EE with a revoked CA.
ECA-11213 - org.ejbca.core.protocol.scep.ProtocolScepHttpTest.test03OpenScep() failing
ECA-11222 - Internal error via REST API returns wrong status code
ECA-11229 - REST Endpoint accepting EST messages from CoAP Proxy
ECA-11231 - Fix testEjbcaVersion test
ECA-11263 - ejbca-ws-generate broken since upgrade to JEE8
ECA-11290 - UPN value not included in certificate if "Required" in EE Profile not selected
ECA-11292 - View End Entity page in Ra web is broken
ECA-11295 - Add getCertificateSignatureAlgorithm body in SshCertificateUtility
ECA-11310 - Regression: p11ng module missing from ejbca-ejb-cli
ECA-11317 - Process ACME wildcard certificates in order state ready
ECA-11329 - Regression: NPE trying to delete crypto token, checking presence in ACME EAB
ECA-11340 - BC version number not updated in jboss-deployment-structure.xml
ECA-11343 - CoAP server- NullPointerException on repeated enrollment requests
ECA-11346 - End entity profile validation logic for clear password and send notification
ECA-11355 - Fix classpath error in WS CLI
ECA-11369 - Fix compilation issue caused by ECA-11233
ECA-11380 - CRL Import via CA UI can't handle large CRLs
ECA-11412 - clientToolBox does not honor pkcs11.disableHashingSignMechanisms=false
ECA-11419 - PKCS11CryptoToken not working in CE on Java 17
ECA-11424 - Audit log timezone stuck in UTC
ECA-11425 - SSH User cert with principal
ECA-11430 - Remove RSA-OAEP mapping to RSA in ScepRequestMeassage
ECA-11431 - Error creating new CA when there are failed crypto tokens
ECA-11437 - clientToolBox SCEPTest should URL encode GetCACert CA name
ECA-11443 - Missing RA web language string for Matter DN components VID and PID
ECA-11444 - NPE when enrolling SSH certificate via REST
ECA-11455 - Algorithm key length can not be validated for dilithium algorithm
ECA-11458 - Properly handle Verify-required in RA web certificate pages
ECA-11459 - Fix output format of coap serverkeygen cbor response
ECA-11460 - Ensure P11NG CLI generated keys meet Utimaco CP5 HSM keyUsage constraints
ECA-11469 - OCSP Responder next key update "fail" in 7.11.0.1
ECA-11471 - VaPeerStatusServletSystemTest tests are failing
ECA-11475 - MSAE cannot handle commas "," in CN field
ECA-11477 - Update SafeObjectInputStream with KeyFactor classes
ECA-11478 - Security issue
ECA-11479 - Regression: adding new DN components does not work any longer
ECA-11487 - EC keys generation from REST endpoints does not work
ECA-11492 - Unable to download initial superadmin token from RA web
ECA-11499 - LDAP DN order field on edit SSH CA page does not update after clicking save button
ECA-11510 - VA functionality shows up in RA specific EJBCA build
ECA-11523 - Wrong comparison of Hash sets.
ECA-11525 - Crypto tokens created using ejbca.sh do not autoactivate
ECA-11532 - Remove "Asterisk in freshest CRL field" from documentation
ECA-11534 - Javascript does not run in View Certificate dialog, causing revocation confirmation to not show
ECA-11535 - OAuth link does not work in adminWeb
ECA-11538 - Unescaped single quotes blocks publisher type selection in CA UI
ECA-11539 - Protocol status icons are squashed up
ECA-11541 - After cloning a Validator, further edits also result in cloning
ECA-11550 - Fix regressions on the Search End Entities page in CA GUI
ECA-11558 - Infinite amount of Add Constraint rows
ECA-11563 - On open to view certificate on Search End Entities, Error 404
ECA-11564 - Remove "(unused)" from revocation reasons list on Search End Entities page
ECA-11565 - CA Gui search end entity advanced page match how operators gets reset on new added criteria
EJBCA 7.12
EJBCA 7.12.0.3
Released October 2023
New Features
ECA-11876 - SOAP WS API: Support more fields when creating CAs
Improvement
ECA-11852 - Upgrade JackNJI11 to improve error handling in FindObjects and work with cloudHSM with more than 1024 key pairs
Bug Fixes
ECA-11599 - Rest Endenityv1 not working on 7.12 RA + 7.10 CA
ECA-11721 - CA revocation revokes expired certificates
ECA-11744 - Wrong timezone is used for CT log sharding
Issues Resolved in 7.12.0.2
EJBCA 7.12.0.2 was an internal release, not generally available to customers
ECA-11478 - Security issue
ECA-11525 - Crypto tokens created using ejbca.sh do not autoactivate
EJBCA 7.12.0.1
EJBCA Hardware Appliance eIDAS edition-specific maintenance release
Released April 2023
Bug Fixes
ECA-11460 - Ensure P11NG CLI generated keys meet Utimaco CP5 HSM keyUsage constraints
EJBCA 7.12
Released April 2023
New Features
ECA-11253 - New column in CertificateData in invalidityDate
ECA-11254 - Add support for CRL extension "Invalidity Date"
ECA-11255 - Extend revocation REST endpoint with invalidity date
ECA-11256 - CRL generation with invalidity date
ECA-11304 - Add checkbox in Edit CA: "Allow invalidity date"
ECA-11322 - Modify the order of certificate extensions in a Certificate Profile
ECA-11411 - Support SCEP RFC8894 CACaps with AES plus RSAES-OAEP
Improvements
ECA-11334 - EC Certificate Issuance Performance Issues
ECA-11336 - Display invalidity date in RA-web search certificate view
ECA-11354 - Update to commons-fileupload-1.5.jar due to CVE-2023-24998
ECA-11379 - Unnecessary resize required during clone of HashMap in EndEntityProfile
ECA-11415 - Add ServletFileUpload.setFileCountMax in request_result.jsp
Bug Fixes
ECA-10286 - IPv6 addresses are not parsed from CSRs
ECA-10703 - Improving the log entry when publishing CRL but not storing them in db
ECA-11175 - Nullpointer when refreshing OAuth bearer token
ECA-11238 - Upgrade to 7.11.0 and Manage Requests generated an error
ECA-11240 - ClientToolBox OCSP command fails if server is configured to use nonce
ECA-11259 - Null Pointer Exception when doing configdump.sh import (p11ng)
ECA-11272 - Unable to create/handle Authenticated CSRs
ECA-11277 - Marshalling error in 7.11 with cvcRequest
ECA-11281 - CRL Updater Service Skip CA if Token Offline
ECA-11299 - Certificate view in CA UI via managed Peer cannot be closed
ECA-11301 - Cache reload causing Java out of memory error
ECA-11303 - Peer Connector - Unable to generate DH keys
ECA-11310 - Regression: p11ng module missing from ejbca-ejb-cli
ECA-11317 - Process ACME wildcard certificates in order state ready
ECA-11325 - Configdump does not allow names with slashes
ECA-11347 - Preserve SAN order when enrolling (est and others).
ECA-11351 - ejbca.sh is ignoring p11ng when importing a CA
ECA-11357 - MSAE Alias - Removing template mapping always removes the top row
ECA-11358 - MSAE "The connection test succeeds." if the default password wasn't changed
ECA-11360 - Certificate Search by Serial Number is timing out
ECA-11365 - Remote Internal Key Binding Updater service renews certificate that expires with the CA
ECA-11371 - Upgrade breaks ACME Aliases where RA Name Generation Scheme = RANDOM
ECA-11374 - Security Issue (Update library kerby-asn1)
ECA-11375 - Security Issue (Update library kerb-core)
ECA-11383 - NPE when viewing certain certificates with Private Key Usage Period extension
ECA-11384 - Static date strings fail in non UTC
ECA-11389 - ADConnectionSingletonBean - could not obtain lock within 5000MILLISECONDS
ECA-11393 - REST end entity management v2 looks to be available in Community
ECA-11403 - In "Edit CA" page "Make certificate request" button is broken
ECA-11408 - Supporting dashes in SCEP Alias names
EJBCA 7.11
EJBCA 7.11.0.1
Released February 2023
Bug Fixes
ECA-11227 - Key Recovery data not stored using P11NG
EJBCA 7.11.0
Released December 2022
New Features
ECA-9261 - Allow enrollment of SSH Certificates over the RA Web
ECA-9263 - Allow SSH certificates to be searched in the RA web
ECA-10522 - Add support for ECDSA Authentication in peers using TLS 1.2
ECA-10813 - Support for PBMAC1 algorithm in CMP
ECA-10816 - Support for P10CR request body in CMP
ECA-10963 - End entity profile for SSH
ECA-10965 - Add support for SHA3 ECDSA signature algorithms to P11NG
ECA-10980 - GUI: Ability to toggle revocation reason change
ECA-10981 - Invoke publisher when revocation reason is changed.
ECA-10982 - Backend: Allow revocation reason change
ECA-10997 - RA Web support for revocation reason change
ECA-11023 - CMP Alias Configuration for "Extended validation"
ECA-11034 - Check if CMP extended validation via peers is enabled
ECA-11096 - Add cache for signer certificate in CMP servlet
ECA-11119 - Custom 'Expire' header for OCSP
ECA-11134 - Implement full support for Ra Mode HMAC protection when using Extended Validation
Improvements
ECA-10541 - Improve RoleMembers in Partitioned approvals
ECA-10691 - Split Keybindings page into OCSP Keybindings and Authentication Keybindings
ECA-10719 - Remove ValidationTool
ECA-10937 - Make entity e-mail field unchecked by default for RFC 822 in End Entity Profile
ECA-10940 - Inject cross-certificates in CA Certificate chains for ACME (and others)
ECA-10946 - Add Certificate validity start and end date option in RA Web
ECA-10947 - Remove hardcoded DB name in mysql-privileges.sh
ECA-10952 - Extract AD group membership from PAC (MSAE)
ECA-10959 - Add PKUP in View Certificates
ECA-10961 - Changes in external properties are not detected sufficiently fast
ECA-10969 - CryptoToken page: Add IDs to the form elements so that test automation can identify them unambiguously
ECA-10976 - Shortened IPv6 Parsing Errors in 7.9.0
ECA-10988 - p11ng: implement better detection for vendor-specific behaviour
ECA-10992 - Add option to enforce HTTPS client authentication for ACME
ECA-10999 - Allow MSAE LDAP queries to follow LDAP referrals
ECA-11008 - Merge P11NG changes from SignServer
ECA-11012 - Request: Add new Index to create-index-ejbca.sql
ECA-11049 - Configurable non-expired preproduced OCSP responses
ECA-11052 - Improve error handling of EjbcaWS.cvcRequest
ECA-11059 - Improve error message for future revocation date (RA-Web)
ECA-11060 - RA-Web Change of revocation reason || Rendering conditions
ECA-11061 - Improve /v2/endentity/search pagination and documentation
ECA-11063 - Make SSH source-address field searchable in RA
ECA-11065 - Create placeholder methods for RA Validation of CMP message
ECA-11066 - Signature verification of cmp message in RA
ECA-11067 - Support P10CR request body in cmpclient
ECA-11083 - Add MAC verification to CmpServlet
ECA-11092 - Minor language and UI improvements
ECA-11093 - Move database.useSeparateCertificateTable above database settings in sample config file
ECA-11094 - Validate Certificate status in CMP message
ECA-11120 - Full French language and some GUI localization support, contributed by David Carella of Linagora.
ECA-11124 - Add cache clearing to CMP Servlet and fix test
ECA-11126 - Fix cmp message signature validation in Client Mode
ECA-11131 - Oracle DB grants updated not to require DBA or admin rights
ECA-11139 - Support either of multiple authentication modules in CMP extended validation
ECA-11143 - Add PBMAC1 support for extended CMP validation
ECA-11144 - Add test related for p10cr in CmpExtendedValidationTest
ECA-11145 - Allow CMP CERT_REQ requests in HMAC mode with extended validation
Bug Fixes
ECA-10401 - Force local key generation option should not be visible in Community
ECA-10799 - Renamed CAs stuck in "List Of Vendor CAs" in EST alias
ECA-10859 - CA imported with empty name
ECA-10874 - Documentation for WildFly 24 specifies PKCS12, while JKS are generated
ECA-10894 - Configure OCSP extensions to always return if configured
ECA-10897 - Azure OAuth OID Approval Prompt with AWS EJBCA Issues
ECA-10919 - REST Certificate search V2 returns totalCert = null when certificates size is 0
ECA-10925 - Special characters in IssuerDN not displayed correctly when reviewing certificate
ECA-10929 - Pkcs12 content for PEM with enrollment with key recovery enabled
ECA-10930 - CMP request without Content-Length returns wrong HTTP status code
ECA-10953 - "Flush item" sometimes flushes a different item from the queue
ECA-10954 - Default rules preset require /administrator/ in REST
ECA-10958 - Saving Service config page takes too long when selecting large number of CAs
ECA-10962 - Execution error when approving certificate in RA Web
ECA-10967 - Concurrent requests to adminweb cause interrupted page loads and uppercase text
ECA-10970 - Key Pair Created In The Wrong Slot For Crypto Token When 2 Tabs Are Open
ECA-10989 - EJBCA CE Test Build Fail (false positive)
ECA-10990 - Delete EE Subject DN Field with Same DN Attribute and Validation merges fields
ECA-10991 - 'Required' has no effect at Key recovery options
ECA-10998 - Use Username and Request ID are missing from RA web
ECA-11004 - ConfigDump import fails when signing CA of SubCA is non-existent
ECA-11005 - NullPointerException in SCEP GetCACert when CA name is incorrect
ECA-11011 - REST max results increase stopped working
ECA-11017 - Adding a CT log with specific usage period causes exception
ECA-11020 - Fix issue with FQDN in SAN for MSAE
ECA-11025 - EndEntity profile Subject field validation runs against the wrong field
ECA-11029 - ClientToolBox creates not correctly DER wrapped OCSP Nonce extension
ECA-11031 - Revisit EndEntityManagementSession TRIM queries
ECA-11033 - Change revocation reason for Pre-cert revocation Service
ECA-11041 - Revocation backdate does not survive approval.
ECA-11042 - Revocation reason PRIVILEGE WITHDRAWN text does not show proper
ECA-11044 - Upgrade apache common-text to 1.10 and commons-lang3 to 3.12.0
ECA-11045 - fix encryptpwd not to require running appsrv
ECA-11047 - Not able to delete soft/p11 cryptotoken (CE Contribution)
ECA-11048 - Revocation backdate/change reason fix for partitioned approval.
ECA-11051 - ACME EAB Issue upgrading from 7.8.2 to 7.10.0.1
ECA-11054 - cmpclient missing libs
ECA-11056 - Publishing is interrupted if one item in queue cannot publish
ECA-11058 - Unable to upload cert file to enable the OCSP responders.
ECA-11068 - configdump - "Use entity e-mail field" checkbox at a RFC 822 Name (e-mail address)
ECA-11073 - REST endpoint profile related issues
ECA-11090 - Updating remote keybindings should generate key names with "-" instead of "_"
ECA-11095 - Make client certificate revocation effective for ACME over peers
ECA-11122 - Remove location header for acme order post-as-get
ECA-11123 - "ejbca.sh cryptotoken list" returns list without details for P11NG Tokens
ECA-11127 - ConfigDump can fail with NPE when importing CMP configuration
ECA-11138 - Fix language file
EJBCA 7.10
EJBCA 7.10.0.1
Included in this release are also the changes made in EJBCA 7.10.0, which was only released internally.
Internal Release September 2022
New Features
ECA-9266 - Create a REST call for retrieving an SSH CA's public key
ECA-9561 - ACME IP Identifier Validation http-01 Challenge
ECA-9998 - REST endentity/search call with pagination
ECA-10222 - Produce Pre-signed OCSP Responses Only for non-expired Certificates
ECA-10392 - Add REST end point to /ca to import a CRL
ECA-10574 - Allow v1/certificate REST module to be released with the next CE edition
ECA-10640 - Add HSM/PKCS11 support for CITS
ECA-10667 - CA type and CA Implementation for ProxyCA
ECA-10693 - Periodically update public keys on Azure OAuth Alias
ECA-10705 - Add 'Renew' to the menu and Implement the renew page UI
ECA-10706 - Implement the Renew Current Client Certificate section
ECA-10723 - Allow REST to use CSR + keep end entity email address
ECA-10742 - Sort and pagination on End Entity Search v2
ECA-10743 - REST Endpoint for CRL Creation
ECA-10765 - Add support for ssh-ed25519-cert-v01 for SSH keys/certificates
ECA-10795 - Make P11NG work with GCP KMS PKCS#11 library
ECA-10828 - Key encryption/archival using ECCDH
ECA-10868 - Remove default public access role after initial installation
ECA-10869 - REST Endpoint to get end entity profiles
ECA-10870 - REST Endpoint to get certificate profiles
ECA-10871 - REST Endpoint to get end entity profile content
ECA-10917 - Cert Safe Publisher in Community Edition
Improvements
ECA-10005 - App version, host and used auth is not shown when init wizard is
ECA-10009 - Remove old script based autoenrollment
ECA-10060 - Improve AcmeAuthorizationData data structure for read operations
ECA-10298 - Editing Certificate Extension Data in RA web
ECA-10386 - Keep Subject DN order in EE profiles with configdump export
ECA-10402 - Remove ejbca-setup.sh and modify documentation
ECA-10443 - ACME performance - Make challenge types configurable per ACME alias
ECA-10451 - Catch NPE for subject key ID in SearchCertificatesRestResponseConverterV2 REST API
ECA-10481 - Add protocol configuration to configdump
ECA-10519 - Add proper Git readme and license files in root directory
ECA-10562 - Add support for EE email in REST /v1/certificate/pkcs10enroll POST
ECA-10563 - Upgrade dnsjava to 3.5.0
ECA-10645 - Merge P11NG change to close sessions with unfinished operation
ECA-10649 - Upgrade json-smart to version 2.4.8 or later
ECA-10663 - Add Email notification support to /v1/endentity REST
ECA-10672 - Add internal "setupgradeversion" command
ECA-10677 - Create new access rule for restricted public access in RA UI
ECA-10679 - Migrate P11NG into its own module
ECA-10684 - Upgrade commons-codec to 1.15 or later
ECA-10687 - Upgrade commons-fileupload to 1.4 or later
ECA-10690 - Upgrade commons-text to 1.9
ECA-10697 - Upgrade Nimbus JOSE+JWT to nimbus-jose-jwt-9.21.jar
ECA-10700 - Upgrade csrfguard to 4.0.0 or later
ECA-10714 - Remove ROOT access requirement for EMPTY EEP when enrolling via Use Username
ECA-10720 - EJBCA REST API Update Time field doesn't work for query criteria with cert v2 api
ECA-10726 - Change ACME system test methods to challenge type to DNS to fix test failures in Jenkins
ECA-10727 - Replace cli-util with keyfactor-commons-cli
ECA-10733 - Remove references to ocsp.defaultresponder in ocsp.properties.sample
ECA-10739 - Allow renewal when certificate is about to expire
ECA-10741 - Implement EST enrolment (RE) for Proxy CA
ECA-10744 - Add keyAlg parameter to Finalize endpoint in certificate REST API
ECA-10746 - Improve ACME DNS challenge error handling and logging
ECA-10747 - In the renewal page, use client certificate from the request
ECA-10753 - Add index recommendation that plays nice with Keyfactor Gateway Connector
ECA-10762 - upgrade jakarta.activation to 2.1.0 or later
ECA-10773 - ConfigDump support for ProxyCA
ECA-10776 - Investigate and improve high db usage
ECA-10786 - Editing Certificate Other Data in RA web
ECA-10804 - Upgrade Extent libs
ECA-10805 - Upgrade csrfguard to 4.1.4 or later
ECA-10810 - Remove URLEncoder.encode-warnings from CaRestResourceSystemTest
ECA-10812 - Upgrade Apache Commons Configuration from 1.6 to 2.7
ECA-10815 - Remove src/pkg subdirectory
ECA-10817 - Include Domain FQDN for Kerberos / DC templates
ECA-10819 - Merge P11NG changes from SignServer
ECA-10821 - Documentation improvement for REST API
ECA-10842 - Wildfly 26 officially supported/recommended
ECA-10843 - clientToolBox: EjbcaWsRaCli stress: allow to specify the number of tests to run
ECA-10844 - clientToolBox: add a bit of tooling to help handling of the result.ser Serialized Java Object File
ECA-10909 - RA Web Self-Renewal improvements
ECA-10921 - Update Documentation on CA Fields with PrintableString encoding in DN
ECA-10932 - Improve post upgrade UI logging
Bug Fixes
ECA-2140 - Multichoice for SubjectDN fields generates Exception
ECA-4383 - Add input validation and remove case sensitivity from keybind modify command.
ECA-8929 - configdump can not import Super Administrator Role
ECA-9094 - Regression - Exception occurs in RA Web preferences on changing language
ECA-9169 - Issue in configdump import for CP with extended key usages.
ECA-10131 - Duplicate certificates when database.crlgenfetchordered is used
ECA-10300 - MSAE alias "Test connection" clears user input
ECA-10371 - Configdump does not differentiate between spaces and underscore and can miss items
ECA-10381 - Null Pointer Exception in eedetails.xhtml
ECA-10502 - Adding role member through RA web assert tokenIssuerId=0
ECA-10545 - RA Web Make New Request does not correctly parse CSR
ECA-10588 - Support OCSP Pre-Signer service in Configdump
ECA-10623 - Default CRL Distribution Point is not a valid URI when ( " ) is used
ECA-10639 - Duplicate OCSPKeyBinding Entry
ECA-10646 - CertificateCrlReader fails if full CA chain is not present on VA.
ECA-10660 - REST /v1/endentity/{user}/setstatus doesn't allow PEM token
ECA-10665 - IllegalStateException in End Entity view for superadmin
ECA-10675 - RA Request preview shows EKU even if cleared from Cert Profile
ECA-10692 - Intune revocation poller fails if CA uses ldap order
ECA-10703 - Improving the log entry when publishing CRL but not storing them in db
ECA-10707 - Improve EJBCA's behavior with trailing spaces
ECA-10711 - Email not displaying in waiting for approval status
ECA-10712 - Post Upgrade Failing
ECA-10713 - MSAE cannot be used if AD template has "Subject name format: None"
ECA-10715 - CAs list not correct in edit EE page in Ra
ECA-10725 - CSR parsing with -----BEGIN NEW CERTIFICATE REQUEST----- is missing
ECA-10730 - EJBCA ACME MOD_MD ISSUES (http://SSL.Com)
ECA-10731 - ACME email notifications - how to make it work
ECA-10734 - ADConnectionSingletonBean - could not obtain lock within 5000MILLISECONDS
ECA-10736 - No options for "Issuer" When Editing End Entity in RA Web if Available CAs is Set to "Any CA"
ECA-10745 - MSAE "RelatesTo" Id can get overwritten during parallel requests
ECA-10750 - MSAE does not work when EJBCA is running on Windows
ECA-10758 - Sun PKCS11 not working on RedHat OpenJDK 11.0.15
ECA-10763 - Name constraints throwing NPE after 7.6.0
ECA-10775 - getAvailableCAsInProfile(int entityProfileId) in Web Services does not return CAs in case Any CA
ECA-10779 - Community Edition build failures
ECA-10792 - Missing descriptions in swagger.json
ECA-10793 - Unable to enroll superadmin due to missing transactional support
ECA-10796 - fix clientToolBox help/documentation
ECA-10798 - REST protocols can't be enabled in CE
ECA-10801 - Unexpected Exception when creating new OcspKeyBinding (when not selecting Key Pair Alias)
ECA-10811 - CertificateCrlReader can't update certificate if type changes from standard to limited
ECA-10822 - JsfDynamicUiPsmFactory ArrayIndexOutOfBoundsException
ECA-10826 - Configdump EST configuration can not update
ECA-10827 - EST configuration in UI does not show most recent state
ECA-10830 - REST SSH resource improvements
ECA-10839 - RA web enroll make new request page does not properly handle required fields
ECA-10849 - SSH Rest access token and response content to UTF
ECA-10850 - Correct test failure Jenkins related to ticket eca 10775
ECA-10851 - Intune revocation only working with a proxy
ECA-10853 - Library load/activation failure of auto-activated PKCS#11 NG token causes partial lock-out from GUI
ECA-10856 - Address duplicate entries in NoconflictCertificateData table
ECA-10857 - AuthToken 250 character limit preventing certificate issuance
ECA-10860 - End entity DN merge does not work on fields with DN as attribute value
ECA-10864 - Issue on importing validators via configdump
ECA-10865 - Regression: Access rule with non-existent CA causes NPE on RA certificate search
ECA-10872 - Update ejbcaClientToolbox with log4j compatibility flag
ECA-10875 - Regression: Upgrade to Commons Configuration 2 breaks database protection using HSMs
ECA-10876 - Error obfuscating non-ASCII passwords
ECA-10881 - Upgrade to Commons Configuration 2 reloads config every minute instead of at file change
ECA-10886 - Marker from REST resource is never removed
ECA-10890 - User needs to re-select algorithm after the certificate has been approved in RAWeb
ECA-10891 - Publish Queue Process Service does not handle missing certificate correctly
ECA-10894 - Configure Certificate Hash OCSP extension to always return if configured
ECA-10896 - Add CRL generation upon revocation is not working
ECA-10904 - Security Issue
ECA-10905 - Security Issue
ECA-10908 - Upgrade page in CA UI always show "Failed"
ECA-10920 - OCSP transaction and audit logging could not be modified in UI
ECA-10922 - Allow soft (default) key generation to support EdDSA
ECA-10923 - Missing libraries on p11ng-cli classpath causes NoClassDefFoundError for StringLookupFactory
ECA-10926 - Security Issue
ECA-10927 - NoClassDefFoundError for ejbcawsracli
Released September 2022
Improvements
ECA-10950 - ConfigurationHolder cannot expect that all external config files exists
Bug Fixes
ECA-10951 - Missing dependency at p11ng-cli for common-collection4
ECA-10955 - External web.properties override end up in (cesecore) ConfigurationHolder
ECA-10957 - Warning from CLI commands "Error when creating PropertyDescriptor"
EJBCA 7.9.1
Released June 2022
New Features
ECA-10693 - Periodically update public keys on Azure OAuth Alias
Improvements
ECA-10561 - ACME EAB with multiple keys
ECA-10519 - Add proper Git readme and license files in root directory
ECA-10746 - Improve ACME DNS challenge error handling and logging
ECA-10562 - Add support for EE email in REST /v1/certificate/pkcs10enroll POST
Bug Fixes
ECA-10300 - MSAE alias "Test connection" clears user input
ECA-10545 - RA Web Make New Request does not correctly parse CSR
ECA-10692 - Intune revocation poller fails if CA uses ldap order
ECA-10734 - ADConnectionSingletonBean - could not obtain lock within 5000MILLISECONDS
ECA-10745 - MSAE "RelatesTo" Id can get overwritten during parallel requests
ECA-10758 - Sun PKCS11 not working on RedHat OpenJDK 11.0.15
ECA-10763 - Name constraints throwing NPE after 7.6.0
EJBCA 7.9
Included in this release are also the changes made in EJBCA 7.8.2, which was only released internally.
Released April 2022
New Features
ECA-7321 - RA Web should accept CSR in DER format
ECA-9834 - ACME configuration alias max. length of 250 characters
ECA-10261 - Add support for RFU bits in cert-cvc
ECA-10263 - Add support for RFU bits in EJBCA
ECA-10467 - Define new CA type for ITS CA's
ECA-10468 - ITS CA Type in the UI
ECA-10470 - REST Resource for ITS Certificate Request
ECA-10529 - ITS end entity request and response creation and verification
ECA-10554 - Allow CMPv2 enrollment in RA mode using vendor certificate
ECA-10592 - Authorization validation for ETSI certificates and integration to REST
ECA-10593 - End Entity management over REST for C-ITS ETSI
ECA-10612 - Import CITS CA and other UI changes for CITS
ECA-10613 - Subject attributes validation during registration, EC enroll and authorization validation
ECA-10614 - Download or rest endpoint for CITS certificates
ECA-10625 - Future Dated CRLs from the CLI.
ECA-10627 - Allow WS requests using Request Processors send through editUser as well
Improvements
ECA-7381 - Sunset Public Web
ECA-7588 - Remove CADataHandler
ECA-7765 - Allow public user to finalize enrollment in RA Web
ECA-8476 - Only show logout button in CA web when "Session timeout" is enabled
ECA-9256 - Allow an OCSP Responder to sign for other CAs
ECA-9566 - The Option "Send notification" is Not Available in RA Web
ECA-9799 - Search for Certificates at RA Web doesn't reflect Expired status in the main table list
ECA-10296 - Update EJBCA libs for Swagger to work on Wildfly > 22.0.0
ECA-10345 - Put PIN last in the GUI when creating crypto token
ECA-10413 - Allow EEP Subject DN values to be enforced
ECA-10414 - Add E-mail checkbox "Use email from address field" to RA-web
ECA-10416 - Increase CSR Size Limit
ECA-10418 - Name constraint support for make new request in RA web
ECA-10421 - Add checkbox to RA Web when creating end entity to activate key recovery
ECA-10452 - Trim external log lib
ECA-10454 - Improve dn merge procedure for end entities
ECA-10456 - Add end entity with clear text password in the RA web
ECA-10459 - Code cleanup: modules/oldlogexport
ECA-10460 - Code cleanup: modules/externalra-gui
ECA-10469 - Define MVP TBSCertificate fields for ITS CA's
ECA-10473 - Complete the rest endpoint implementation for CITS
ECA-10474 - Increase length of ACME EAB with symmetric keys generated key.
ECA-10476 - Introduce ITS Certificate Profile
ECA-10488 - Upgrade ITS epic branch with BC 1.7.1 b03
ECA-10489 - Create enrollment endpoint for the ITS REST API
ECA-10494 - Not able to reconnect to P11NG Crypto Token after HSM network disconnect
ECA-10501 - Remove support for CMP over TCP
ECA-10504 - Get rid of appender code in UpgradeBean to Log4J2
ECA-10512 - Upgrade EJBCA Intune Integration to Use Microsoft Graph API
ECA-10530 - Update standalone scripts with log4j compatibility flag
ECA-10538 - SHAxWithRSAAndMGF1 / SHAxWithRSASSA-PSS not working with Azure Key Vault or AWS KMS Crypto tokens
ECA-10539 - Update slf4j
ECA-10543 - Update PublicAccessToken to not require delete end entities access rule
ECA-10548 - Add CrmfRequestTest into Jenkins
ECA-10555 - OEREncoding for InnerECRequest/Response
ECA-10558 - REST endpoint for ITS-S Registration
ECA-10576 - System test for ITS REST endpoint
ECA-10584 - Update ejbca.cmd with log4j changes
ECA-10585 - Deprecate and remove legacy batch enrollment GUI
ECA-10610 - Hardening
ECA-10615 - Upgrade BC to 1.71, pull in main branch changes
ECA-10619 - Upgrade commons-cli to 1.5
ECA-10628 - Allow the encryptpwd CLI command to run without appserver active
ECA-10633 - Upgrade jack11nji
ECA-10642 - Refactor ITS enrollment operation to be performed by CA implementation
ECA-10647 - Improve EJBCA's behavior when looking up invalid DNS records for CAA
Bug Fixes
ECA-9950 - Batchenrollment gives BCFKS error
ECA-10219 - New role members cannot manage existing approval requests
ECA-10228 - Invalid ocsp certificate prevents wildfly startup
ECA-10279 - CVC is not working in RA web
ECA-10388 - Peer connections using RSA Authentication Key binding with P11NG, Azure and AWS crypto tokens stopped working after JDK update
ECA-10424 - Logging Location of API Requests
ECA-10426 - Configurable DN order in LDAP Publisher
ECA-10436 - Regression: Error editing Key Vault crypto Token
ECA-10437 - CA Functions CRL download link fails to download CRL when CA SubjectDN contains ampersand
ECA-10457 - REST configdump export can fail even if ignore errors is enabled
ECA-10463 - ConfigDump Export/Import EEPs with multiple DNs/SANs
ECA-10471 - Regression - ejbca-db-cli not working after upgrading to 7.8.0.1
ECA-10484 - Regression: P11NG and CloudHSM using Healthcheck sometimes causes HSM to go offline with CKR_OPERATION_ACTIVE
ECA-10485 - CMP Certificate Confirmation - Default CA
ECA-10490 - Cannot re-activate suspended cert with "Safe Direct Publishing"
ECA-10491 - X.509 CA sequence is compared with keysequence from cert request in a wrong way
ECA-10497 - Regression: OCSP signing cache is always reloaded for requests with unknown CAs
ECA-10507 - Regression: P11NG signing misses NULL parameter in PKCS#1 algorithms parameters for RSA SHA algorithms
ECA-10532 - Fix ACME issuance of certificates with non-validated domains
ECA-10533 - EJBCA RA - Navigation dead-ends
ECA-10534 - Enrollment fails with GetCACert enabled in SCEP CA mode
ECA-10535 - AWSS3Publisher causes OCSP Peer Publishing to fail
ECA-10549 - Disable "Use queue ..." options when "Safe Direct Publishing" enabled
ECA-10550 - Regression: Potential NPE causes test failures when Trace logging is enabled
ECA-10557 - Jenkins CMP test failure
ECA-10569 - Create tests for cmp update command in cli
ECA-10571 - Make "Unspecified" revocation reason in OCSP responses configurable
ECA-10572 - URI Name Constraints should not allow/require protocol to be specified.
ECA-10577 - Key algorithm of uploaded CSR field shows wrong value
ECA-10579 - Clean up access rules requirements for using a CSR on the Make New Request page
ECA-10583 - Name constraint error produces stacktrace and unintuitive error message in RA UI
ECA-10591 - Startup database error due to deprecated property UserData.hardTokenIssuerId
ECA-10601 - Failures in PostgreSQL running create-index sql script, comment out drop index statements
ECA-10603 - ejbca-db-cli Broken
ECA-10620 - Request and EE CA mismatch still cause EE status change
ECA-10621 - Minor security issue
ECA-10622 - Changing an EE status over RA web leads to unwanted disabling of Batch generation (clear text pwd storage) checkbox
ECA-10626 - Support 'Any' cryptoProvider in MSAE templates
ECA-10634 - Fix IOException in db-cli
ECA-10635 - Update AzureBlobPublisher to use new Azure auth
ECA-10637 - Azure Key Vault only lists the first 25 key aliases
ECA-10638 - EJBCA restricts OCSP nonce to 30 octets instead of 32 as stated in RFC8954
ECA-10644 - The publisher queue inspection window should display the time with a 24-hour clock
ECA-10662 - Intune Resource URL not honored in new SCEP code
EJBCA 7.8.2.1
EJBCA 7.8.2.1 was an internal release, not generally available for customers.
EJBCA 7.8.2
EJBCA 7.8.2 was an internal release, not generally available for customers.
Released February 2022
Improvements
ECA-10479 - Library upgrade
ECA-10494 - Not able to reconnect to P11NG Crypto Token after HSM network disconnect
ECA-10501 - Remove support for CMP over TCP
ECA-10504 - Get rid of appender code in UpgradeBean to Log4J2
ECA-10509 - Remove SaferDaily, SigningDaily and ScriptrunningDailyRollingFileAppender
ECA-10510 - Upgrade Appender in TestLogAppenderResource to Log4J2
ECA-10530 - Update standalone scripts with log4j compatibility flag
ECA-10531 - Resolve test failures after log4j upgrade
Bug Fixes
ECA-10484 - Regression: P11NG and CloudHSM using Healthcheck sometimes causes HSM to go offline with CKR_OPERATION_ACTIVE
ECA-10507 - Regression: P11NG signing misses NULL parameter in PKCS#1 algorithms parameters for RSA SHA algorithms
ECA-10532 - Fix ACME issuance of certificates with non-validated domains
EJBCA 7.8.1
Released December 2021
New Features
ECA-9561 - ACME IP Identifier Validation http-01 Challenge
ECA-9760 - REST searchCertificates call with pagination
ECA-10108 - Merge additional support for the NONEwithRSAandMGF1 (raw RSASSA-PSS) signature algorithm in P11NG
ECA-10184 - KeyVault Machine Identity Authentication
ECA-10334 - HTTP Basic Authentication in EST client mode
ECA-10344 - REST API support for configdump export
ECA-10347 - REST API support for configdump import
ECA-10349 - Add configdump support to Azure BLOB publisher
ECA-10356 - Add Primus HSM PKCS#11 library path
ECA-10380 - Domain Allow List Validator
ECA-10395 - Add support for URI Name Constraints
Improvements
ECA-5472 - Foldable view when there are many optional fields in the RA
ECA-8562 - Improve tests coverage of Configdump's import of Certificate Profiles
ECA-8745 - Increase the number of SANs configurable in end entity profiles (to >100)
ECA-9681 - Fix AcmeOrderData end entity stored including binary data as map
ECA-9763 - Change the message for CA Activation with approvals
ECA-10092 - Add cert auth to Azure Trusted OAuth Provider
ECA-10266 - Upgrade Nimbus JOSE+JWT to nimbus-jose-jwt-9.12.1.jar
ECA-10284 - Check if all invocations of AcmeAccountSessionBean.updateAccount are required
ECA-10293 - Bad signature performance using P11-NG with network HSMs
ECA-10302 - Revoking certificates from adminweb with reason 'Privileges withdrawn'
ECA-10318 - Add roles claim to Azure OAuth for Authentication
ECA-10322 - Create tables SQL script for NDB cluster has flaws
ECA-10324 - Combine ACME and general EAB
ECA-10327 - Reduce CRL and OCSP Validities by 1 second
ECA-10330 - Change default settings SCT in EJBCA 7.x
ECA-10333 - REST Search - Return eep and cp values
ECA-10339 - Viewing CRL's for CA with MS Compat Enabled
ECA-10345 - Put PIN last in the GUI when creating crypto token
ECA-10352 - MS CA compat with Sub CA in EJBCA and External Root
ECA-10353 - Allow name constraints to block all DNS Names
ECA-10354 - Fix ACME pre-authorization returns order object without authorization
ECA-10355 - Update EJBCA to work with Wildfly 25
ECA-10358 - ACME performance - refactor AcmeOrderSessionBean.processPendingOrders
ECA-10360 - Add aliases cache for P11-NG crypto tokens
ECA-10361 - PKCS#10 REST endpoint using end entity information (not CSR)
ECA-10367 - Optimize PKCS#11 sign to avoid redundant PKCS#11 calls
ECA-10377 - EE REST API support search by modified date
ECA-10382 - Allow to configure ignored CAA properties when their processing is done outside EJBCA
ECA-10384 - Differentiate rows in CA Structures & CRLs
ECA-10398 - Align buttons in Certificate Profile and Publishers sections
ECA-10400 - X509CACrlUnitTest test fix
ECA-10406 - Merge smaller P11-NG changes from SignServer
ECA-10428 - Remove extra dot from cert
ECA-10430 - Upgrade BC to 1.70
Bug Fixes
ECA-6166 - CA key export does not warn if no RSA keys are present for encryption.
ECA-7235 - Settings are reset when Match with setting is changed
ECA-8227 - It is possible to revoke an already revoked end entity
ECA-9203 - Exception occurs even if 'Gender' value is given
ECA-10126 - Error when syncing to VA via peer connector
ECA-10157 - Security Issue
ECA-10172 - EST Vendor Mode ChangeSubjectName should not compare with the CSR DN
ECA-10224 - CREATE CA: NullPointerException
ECA-10229 - CMP Authentication Radio Buttons are not disabled in view page
ECA-10237 - Trusted OAuth Providers are removed without any warning or confirmation
ECA-10254 - SCEP alias for Intune not allowing certain characters for client secret.
ECA-10264 - Configdump import failed if the /cryptotoken/keys/remove/ rule is set
ECA-10295 - Configdump does not import Approval Profiles
ECA-10301 - Revoking certificates from adminweb with reason 'AA compromise'
ECA-10303 - Throwaway CA Revocation Broken in 7.6.0
ECA-10311 - View CMP Alias page says: Edit CMP Alias
ECA-10319 - Broken RA End Entity edit page
ECA-10320 - OCSP not working when CA uses Ed25519
ECA-10323 - Enrollment code can not be empty when setting EE status from Generated to New with autogenerated enrollment codes
ECA-10343 - NumberFormatException when creating a crypto token using token label when cryptotoken.p11.lib.X.slotlist is used
ECA-10357 - Ignore keys which cannot be read by the P11NgCryptoToken
ECA-10363 - Make audience check optional
ECA-10365 - Fix links in ACME HTTP response headers
ECA-10383 - In RAWeb custom values "Set validity" doesn't work
ECA-10390 - "Republish" publisher queue view action uses wrong PublishQueueProcessWorker
ECA-10391 - 'Required' restriction on name constraints in end entity profiles are not validated.
ECA-10394 - Clean up of cesecore-p11 is not optional
ECA-10399 - ExpiredCertsOnCRL encodes with fractional seconds
ECA-10404 - Make EEP upgrade for 7.8.1 cluster compatible
ECA-10407 - Audience cannot be empty when "disable audience check" is selected
ECA-10410 - Reintroduce ECA-9475
ECA-10422 - Fix failing tests
EJBCA 7.8
EJBCA 7.8.0.3
Released November 2021
Bug Fixes
ECA-10254 - SCEP alias for Intune not allowing certain characters for client secret.
EJBCA 7.8.0.2
EJBCA 7.8.0.2 was an internal EJBCA SaaS specific release
EJBCA 7.8.0.1
Included in the EJBCA 7.8.0.1 release are also changes made in EJBCA 7.8.0, which was an internal release, not generally available for customers.
Released October 2021
Improvements
ECA-10327 - Reduce CRL and OCSP Validities by 1 second
Bug Fixes
ECA-10303 - Throwaway CA Revocation Broken in 7.6.0
EJBCA 7.8.0
EJBCA 7.8.0 was an internal release, not generally available for customers.
Released September 2021
Improvements
ECA-8561 - Add a validation check for Configdump Handlers
ECA-9685 - Improve German translation for AdminWeb and RA
ECA-9752 - Access control too restrictive when searching for end entities using EjbcaWS.findUser
ECA-10069 - Enroll menu in the RA web is not shown until the rule create_end_entity is set to Allowed
ECA-10120 - Deploying EJBCA with oracle 19c DB
ECA-10183 - CABF Compliance: EJBCA follows redirect to other ports than BR 1.7.6 Authorized Ports when validating ACME http-01 challenge
ECA-10205 - Would like to be able to specify key sizes and curves in clientToolBox stresstest
ECA-10208 - Fix message typo: modifyable = modifiable
ECA-10235 - Documentation: Not possible to use custom DN attributes with number 200, as recommended in sample file
ECA-10247 - Ant target for ACME system tests is broken
ECA-10248 - Security issue
ECA-10249 - Extend CLI recover command with delta functionality
ECA-10309 - Implement transaction-aware direct publishing
Bug Fixes
ECA-9235 - Validity of CVC certificate view in RA web should display only full days
ECA-9551 - Permission Loss on EEP Import
ECA-9850 - Configdump exports "CAs to check" for Services, even when it is not applicable
ECA-9991 - Regex validation breaks Certificate Profile field update
ECA-10068 - Possible to view end entities in RA web though the role is set to Deny
ECA-10071 - Enrollment code can not be empty when setting status to generated in RA Web
ECA-10142 - Regression: Notification Subject field in End Entity Profile currently max 40 characters.
ECA-10147 - CA activation should not require /ca_functionality/edit_ca access
ECA-10182 - OAuth is not working with Ping ID
ECA-10185 - REST endentity add user with PEM token fails
ECA-10190 - EST Client mode does not properly parse DN for UID attribute
ECA-10191 - Cannot edit end entity after enabling revocation upon issuance
ECA-10192 - Issuance revocation reason not set by the RA web
ECA-10193 - Pre-Sign Linting is Not Possible for a CA with P-384
ECA-10199 - Enrollment with PublicWeb does not consider the key specification selected by the user
ECA-10200 - Clicking on Audit Log Details column scrolls to the top left of the page
ECA-10201 - The text in the "Profile Description" field of the End Entity profile is not holding after saving the End Entity profile.
ECA-10204 - Proper formatting for worker.properties when creating OCSP Presigner service using ejbca.sh cli
ECA-10210 - OCSP Transaction / Audit log upgrade doesn't work
ECA-10212 - Multiple COUNTRYOFCITIZENSHIP / COUNTRYOFRESIDENCE are silently discarded
ECA-10215 - Database interruption during publishing can cause certificates to be lost
ECA-10218 - Custom extension of type BITSTRING is encoded with double bytes when empty octet is removed
ECA-10220 - Regression: ManagementCA fails to renew due to OID error, after editing CA
ECA-10233 - Why does ant runinstall set the clear password
ECA-10240 - Complete description texts for fields in the AcmeConfiguration
ECA-10241 - Autoenrollment menu link not visible in add/search end entity pages
ECA-10244 - RA Web Search for Certificate by full serial name does not work with Serial Number Octet Size less than 8
ECA-10246 - Fix ACME Name Generation Scheme Re-enrollment + Tests
ECA-10277 - Security Issue
ECA-10289 - Upgrade problem EJBCA 7.4.3 to 7.7.0
ECA-10290 - fix ConfigdumpOAuthKeyInfoUnitTest
ECA-10305 - Implement EJBCA CLI command for getting relevant truststore
ECA-10315 - Error when attempting to set name constraints via EJBCA WS
EJBCA 7.7.0
Released July 2021
New Features
ECA-3085 - Option to start audit log verification from a specified sequence number
ECA-10074 - Azure CRL Publisher
ECA-10180 - ACME Name Generation Scheme
Improvements
ECA-9797 - Documentation is missing for "extension_data" field in REST calls
ECA-9863 - SCEP: add option to include CA chain in the GetCACert call (update for RFC8894)
ECA-10050 - GUI option for Microsoft conformant CA creation
ECA-10051 - OCSP Responder support for multiple signer keys
ECA-10080 - Make ms conformant setting irreversible in other end points
ECA-10081 - Improve DynamicUiProperty field validation user messages
ECA-10084 - UI: Hide "Partition CRL Settings" when "MS Key Updates" is enabled.
ECA-10085 - CA signKey must correspond to partition.
ECA-10086 - Suspend previous CRL partition with CA key re-keying.
ECA-10087 - Enforce Partition CRLs with MS CA Key Updates
ECA-10091 - Add approvals for ACME account management
ECA-10140 - Enforce CRL Distribution Point in Edit CA page if MS CA Compatibility mode is selected
ECA-10152 - Enforce Use of Authority Key ID
ECA-10153 - Generating Default CRL Dist. Point should use partition suffix
Bug Fixes
ECA-9805 - Enrollment code not shown in RA web when using key recovery
ECA-10138 - Single Active Certificate Constraint sets revocation date to 1970
ECA-10166 - IntuneRevocationWorker is missing setting for AUTH_AUTHORITY in 7.7
ECA-10167 - CA certificate CDP not updated on MS CA re-keying
ECA-10174 - SCEP Issuance has incorrect log message
ECA-10194 - Azure CRL Publisher Not Publishing CRLs via peer
ECA-10197 - CRL Publisher label wrong
ECA-10198 - Azure CRL Publisher fails unless password entered
EJBCA 7.6.0
Included in the EJBCA 7.6.0 release are also changes made in EJBCA 7.5.1, which was only released internally.
Released June 2021
New Features
ECA-8220 - CMP: possibility to configure Issuing CA certificate included or not in the caPubs field
ECA-9476 - Make it possible to restore end entity and certificate data from the WildFly log file
ECA-10043 - Update Intune dependencies
ECA-10078 - Add validation and display useful error messages
ECA-10090 - Validation of uploaded EAB config
ECA-10114 - Update documentation with RA web changes
ECA-10123 - Secret Input For Custom Worker UI
Improvements
ECA-7640 - End entity editor in the RA Web
ECA-8473 - Support other authentication than password for Azure Key Vault Crypto Token
ECA-9276 - Support client certificate authentication for Azure Intune for SCEP enrollment
ECA-9553 - ACME EAB Documentation
ECA-9685 - Improve German translation for AdminWeb and RA
ECA-9832 - Security hardening
ECA-9836 - Add option to SCEP Alias to disable SHA-1 digest algorithm in responses
ECA-9936 - Add handling of unsupported role member types
ECA-9942 - Compile statedump-ejb without access to appserver
ECA-9996 - Migrate the OCSP transaction log and the OCSP audit log to the GUI
ECA-10001 - Give ACME aliases with EAB the option to generate the symmetric key
ECA-10021 - Add EAB support to REST for /v1/certificate/pkcs10enroll
ECA-10028 - Update REST Search functionality with the EAB ID
ECA-10029 - Add the EAB ID field to the RA Enroll page
ECA-10034 - Decide in a format that has namespace support
ECA-10061 - Security hardening
ECA-10064 - Language improvement and typo updates
ECA-10065 - Support Azure MHSM as a Key Vault crypto token
ECA-10079 - Help text on EAB upload page
ECA-10098 - Preview of uploaded EAB namespaces under System Configuration
ECA-10101 - Security hardening
ECA-10102 - Multi-select for EAB Namespaces in Certificate Profile
ECA-10165 - IntuneRevocationWorker is missing setting for AUTH_AUTHORITY
Bug Fixes
ECA-7972 - CN is not copied to dNSName when "Use entity CN field" is enabled in the end entity profile
ECA-9330 - Security Issue
ECA-9558 - Multiple choices of the same curves in certificate profile - unable to enroll ECDSA prime256v1 certificate via RA Web
ECA-9660 - Cannot enroll over ACME using an EC keypair
ECA-9975 - Pre-produced OCSP responses are only published to the first VA
ECA-9985 - DeltaCRL creation time
ECA-9999 - Incorrect response to ACME challenge URL when using POST-as-GET
ECA-10020 - Regression: CSR Upload in the RA Web causes spontaneous redirect to blank page
ECA-10022 - Fix ACME pre-authorization NPE and empty list of authorizations
ECA-10044 - Fix ACME EAB shared key encryption from RA
ECA-10048 - Security issue
ECA-10073 - Saving CA resets Subject Alternative Name field
ECA-10082 - Security issue
ECA-10083 - Autoenrollment: Clear header from outgoing SOAP message when one already exists
ECA-10088 - Autoenrollment: Enrollment permission check is too strict
ECA-10089 - Security issue
ECA-10093 - SSH settings must not be displayed in CE edition End-Entity Profile edit form
ECA-10097 - Regression: Security exception and missing classes on classpath when importing using EJBCA DB CLI
ECA-10104 - Regression: Exception occurs when viewing certificate
ECA-10106 - Signing of data larger than 20 KiB with ECDSA and PKCS#11 NG (e.g. eIDAS HSM) fails
ECA-10109 - Signing of data larger than 20 KiB with AWS KMS and Azure Key Vault fails
ECA-10113 - Maximum number of failed login attempts not working via RA Web
ECA-10116 - Run CRL partition index db update in post-upgrade instead of upgrade at a startup
ECA-10122 - Unable to set Intune key binding in SCEP configuration
ECA-10125 - Intune SCEP Serialization Error
ECA-10129 - Intune revocation missing SCEP fields
ECA-10132 - Azure Crypto Token using cert auth with auto activation shows inactive when restarting wildfly
ECA-10133 - Fix selenium
ECA-10134 - EAB namespaces broken for configdump
EJBCA 7.5.1
EJBCA 7.5.1 was an internal release, not generally available for customers.
Internally Released May 2021
New Features
ECA-9270 - Allow Intune verification to be performed from the RA
ECA-9441 - Implement support for a keystore using FIPS compliant algorithms
ECA-9972 - Create a Service Worker for Intune Revocation
ECA-10010 - Use configured CAs
ECA-10016 - SCEP servlet should update intune after cert issuance
Improvements
ECA-9658 - ACME agree to new ToS
ECA-9792 - Add a button for importing certificates to an OCSP responder
ECA-9833 - Configdump SCEP Import/Export with Intune settings
ECA-9898 - ACME: Limit followed redirect codes according to CABForum Ballot SC44
ECA-9974 - The domain ignore list used for CAA validation should be consistent with how domains names in certificates work
Bug Fixes
ECA-9372 - "Any CA" in Ocsp Pre-Signer Service has no effect
ECA-9408 - Security hardening
ECA-9903 - Remove Apache Velocity from /lib
ECA-9977 - Regression: ejbca.sh fails to import endentities profiles with notifications - need commons-lang3
ECA-9984 - Allowed Characters changing after disabling User Storage
ECA-10000 - p11ng-cli signperformancetest calculates signings per seconds incorrectly
ECA-10007 - MSAE Configuration displays in VA instances
ECA-10017 - Fix FindBugs warnings related to OAuth
EJBCA 7.5
EJBCA 7.5.0 was an internal release, not generally available for customers.
EJBCA 7.5.0.1
Released May 2021
New Features
ECA-6630 - Create YAML export for CMP configuration
ECA-6689 - Not possible to issue CA certificates through the RA web
ECA-9441 - Implement support for a keystore using FIPS compliant algorithms
ECA-9484 - Support for Ed25519 in P11NG
ECA-9490 - General Account Binding (GAB)
ECA-9491 - ACME External Account Binding (EAB)
ECA-9492 - ACME EAB Configuration UI
ECA-9494 - ACME EAB Implementation as specified in RFC8555
ECA-9495 - ACME EAB Implementation for public key signature validation
ECA-9500 - Add support for new eIDAS QC statement esi4-qcStatement-7, Legislation
ECA-9525 - Optionally, add cache header for OCSP unauthorized response
ECA-9527 - Add Role as standard DN field
ECA-9550 - Prevent deployment of EJBCA after a hardcoded date
ECA-9561 - ACME IP Identifier Validation http-01 Challenge
ECA-9572 - Create MSAE Servlet module in EJBCA
ECA-9633 - Support Thales DPoD
ECA-9671 - Option to disable http-01 challenge for ACME wildcard certificates
ECA-9696 - Make the ACME order validity configurable
ECA-9724 - Add XCEP implementation in the msae package
ECA-9737 - Add EST client mode
ECA-9738 - CLI support to create new Crypto Token with Azure key vault (ejbca.sh ca cryptotoken)
ECA-9762 - Read token and give access (RA Web)
ECA-9767 - Add MS Intune Azure Active Directory authentication URL to SCEP alias
ECA-9771 - Add Intune verification Auth. URL to SCEP alias configuration
ECA-9780 - Add MSAE to protocol configuration
ECA-9816 - Add Intune resource URL and Graph related fields to SCEP alias configuration and mask app key field
ECA-9817 - Add CRL generation upon revocation and configdump
Epics
ECA-9005 - Integrate Microsoft Autoenrollment (MSAE) into the EJBCA RA
ECA-9624 - OAuth Support
ECA-9716 - CRL Generation upon revocation
Improvements
ECA-4750 - Change default configuration of User Notice text to use UTF-8
ECA-7391 - Only show CA-related approvals in CA Web (and vice versa)
ECA-7844 - The space before the Validator name is not trimmed
ECA-8350 - Implement 'revokeCert' resource authorization for an ACME account holding all of the identifiers in the certificate
ECA-8705 - Deleting items with dependencies
ECA-8940 - Make P11-NG an optional provider for EJBCA
ECA-9006 - Certificate Template Enrollment Authorization Bypass
ECA-9282 - Replace outmoded language in EJBCA
ECA-9361 - Add "Flush" and "Republish" to publisher queue view
ECA-9378 - Improve the error logging for OCSP response generation
ECA-9475 - Make REST search result limit rely on global config
ECA-9489 - Add support for key unwrapping in P11-NG provider
ECA-9526 - Fix OWASP job in Jenkins
ECA-9532 - ACME system test failures
ECA-9533 - ACME EAB config dump
ECA-9540 - Selenium setup script fails in EJBCA CE
ECA-9554 - Update nimbus-jose-jwt-8.19.jar to latest release 9.1.2
ECA-9573 - Invoke RaMasterApi from MSAE Servlet
ECA-9600 - Documentation improvement: E-mail Notification Configuration in EEP
ECA-9608 - Separate CP5 functionality from regular P11 in P11-NG
ECA-9611 - ACME EAB UI layout and code convention improvements
ECA-9612 - Log which CMP message type is received
ECA-9613 - Improve ACME EAB ConfigDump
ECA-9626 - Add selenium tests for ECA-8705
ECA-9627 - Improve ACME EAB Implementation for public key signature validation GUI
ECA-9628 - Issue a qualified certificate with multiple Semantics Identifier (OIDs)
ECA-9629 - Library upgrade in MSAE Servlet
ECA-9646 - Re-enable OAuth configuration in CA UI
ECA-9657 - Configure Keycloak login url
ECA-9664 - MSAE Servlet Kerberos authentication
ECA-9667 - Fix failing unit tests in Jenkins
ECA-9670 - Improve Documentation: Remove meaningless instruction in REST example script
ECA-9673 - Change kerberos configuration runtime
ECA-9687 - Improve clean up of ACME nonce data
ECA-9701 - Make it possible to query different AD machines from EJBCA server.
ECA-9704 - OAuth login page for RA UI
ECA-9715 - Improve caching for Azure Crypto Token
ECA-9718 - Unit test for OAuth request
ECA-9720 - Minor UX improvements for OAuth
ECA-9728 - Query AD Policies from XCEP Service
ECA-9729 - Encrypt ACME EAB symmetric key
ECA-9730 - Make the CES (MSAE) implementation a Java WebService
ECA-9731 - Option to use SSL / TLS AD connection in MSAE
ECA-9732 - UI Configuration for MSAE
ECA-9753 - Merge CertUtils and CertTools
ECA-9754 - Convert AD time format to Java
ECA-9761 - Fix JSF dynamic UI components update of value range
ECA-9766 - Replace static list of AD Templates in MSAE UI Configuration
ECA-9772 - Refactor MSAE AD Connection
ECA-9773 - CEP Service: Invoke AD connection from external package
ECA-9774 - CES Service: Invoke AD connection from external package
ECA-9775 - Create unit tests for MSAE ASN1 helper class
ECA-9784 - Add default P11 provider path for AWS CloudHSM
ECA-9785 - Rename PKCS#11 CP5 to PKCS#11 NG in crypto token driver select list
ECA-9796 - Add a CLI command to view detailed information about an OAuth provider
ECA-9804 - MSAE UI option for policy name
ECA-9811 - Support SHA256 and SHA512 RSA signatures for certificates issued by RSA based SSH CAs
ECA-9835 - Read AD templates dynamically from CESService
ECA-9838 - REST End Entity Management enabled by default
ECA-9845 - Try to authenticate using OAuth when client certificate authentication fails
ECA-9846 - Pin OAuth role members to a specific provider
ECA-9858 - Support SHA224WithECDSA in P11-NG
ECA-9875 - REST unable to pkcs10Enroll when EE profile uses auto generated password
ECA-9878 - ACME pre-authorization system test
ECA-9894 - Allow usage of JWK public key for OAuth
ECA-9901 - Strip trailing slash from OAuth URL for KeyCloak providers
ECA-9907 - Update mapped AD template settings
ECA-9910 - Set ACME problem response content type to application/problem+json
ECA-9913 - Fallback to database if CEP Service CA cert isn't found in cache.
ECA-9917 - Prevent the user from adding public keys with duplicate keyids
ECA-9923 - Administrator name should not be UUID when logging in with KeyCloak
ECA-9960 - Revisit MSAE libs
ECA-9964 - Allow CEP service to represent multiple CAs
ECA-9965 - Rename default provider type
Bug Fixes
ECA-6010 - CLI importcacert can't import CA chain certificates
ECA-7447 - Disable "set password" in RA web if end entity profile enrollment code is "auto-generated"
ECA-7485 - EEP default CA selection doesn't work on adminweb EE creation and RaWeb enrollmakenewrequest pages
ECA-8499 - Not possible to mix Sun PKCS#11 and CP5 PKCS#11 tokens
ECA-8947 - The CLI command mergecatokens is not working for CAs with token type provider Pkcs11NgCryptoToken
ECA-9140 - CA Structure & CRLs links do not work if CA DN contains &
ECA-9155 - Certificate is generated without Username
ECA-9317 - When "Use entity CN field" In The EEP is Enabled, it is not visible on adminweb while adding EE
ECA-9499 - Security Issue
ECA-9534 - Wrong label in end entity profile: "UID, Unique Identifier" subject DN field should be "userid"
ECA-9543 - Fix DynamicUiProperty / DynamicUiModel property validation.
ECA-9544 - Insert DynamicUiModel JSF into existing table grid
ECA-9545 - Fix DynamicUiProperty / DynamicUiModel component enabling / visibility
ECA-9546 - Adding RA Proxying of EjbcaWS.softTokenRequest
ECA-9549 - Incorrect encoding of non-english languages in RA web on Java 11
ECA-9558 - Multiple choices of the same curves in certificate profile - unable to enroll ECDSA prime256v1 certificate via RA Web
ECA-9565 - Make the CE index page show the correct version information
ECA-9568 - Remove the final/static keywords from EJB methods
ECA-9586 - Regression: First letters of first DC component in CA DN always capitalized
ECA-9590 - CA signing algorithm suggestion defaults to SHA1WithRSA after selecting crypto token
ECA-9615 - Regression: When selecting multiple keys in a crypto token the wrong key(s) are removed
ECA-9619 - Remote internal key binding updater service fails with nullpointer exception
ECA-9622 - Null pointer exception is thrown when the CA tries to issue a certificate using a corrupt CSR
ECA-9630 - Regression: EST re-enroll stopped working due to authorization of re-enrolling entity
ECA-9632 - ExtendedInformation is not parsed correctly by SecureXMLDecoder for some values
ECA-9634 - Fix ACME revokeCert resource for revocations for account holders having all authorizations for the identifiers in a certificate
ECA-9638 - Fix ACME EAB exception handling
ECA-9640 - CMP 3GPP: Unable to enroll Ericsson eNodeB in Vendor Mode
ECA-9656 - EJBCA will debug log a private key if sent with CSR
ECA-9660 - Cannot enroll over ACME using an EC keypair
ECA-9661 - No check if Allow Subject DN Override by CSR in REST
ECA-9666 - Missing space in TLS error message
ECA-9675 - SCEP – null name for End Entity generated instead of DN serialNumber
ECA-9714 - Some system tests failing on processing PKCS10 requests
ECA-9721 - Error Admin UI rendering creating CAs with crypto token errors
ECA-9726 - Regression: error about ApprovalData column when exporting using ejbca-db-cli
ECA-9727 - REST API fail to enroll CSR with Subject Directory Attribute
ECA-9736 - Regression: Add/Edit End Entity actions are not logged to Audit Log
ECA-9741 - RA web ignores Subject Directory Attributes in user CSR
ECA-9749 - Regression: Intune not working, upgrade intune libraries
ECA-9764 - Fix failing configdump unit tests in Jenkins
ECA-9765 - Regression: EjbcaWS.processSoftTokenReq does not work when end entity already exist
ECA-9768 - REST API: NullPointerException enrolling end entity without ExtendedInformation
ECA-9783 - Warnings printed from CEP Service on startup
ECA-9802 - Regression: Response to acme endpoints is not correct in all cases.
ECA-9805 - Enrollment code not shown in RA web when using key recovery
ECA-9806 - AlgorithmTools is spamming the log, lower log level for list of available algorithms
ECA-9807 - Workaround C_GetAttributeValue bug in AWS CloudHSM
ECA-9808 - CE build broken. Package org.cesecore.keys.token.p11ng.provider does not exist (in CE)
ECA-9809 - Unable to sign RSA public keys with SSH CA
ECA-9815 - OAuth login page is not shown when authentication fails on a JSP page
ECA-9822 - Regression: ejbcaClientToolBox.bat does not work
ECA-9824 - Edit CA resets Extended Services Key Specification for CMS CA Service
ECA-9839 - Theoretical NPE in EjbcaWebBeanImpl
ECA-9841 - OAuth provider without keys cannot be deleted
ECA-9847 - Regression: Missing library in CMP HTTP proxy
ECA-9851 - OAuth Client Secret should be input type password
ECA-9853 - OAuth refresh token assumes there is also an access token
ECA-9855 - Security issue
ECA-9859 - Read profiles via Peers for MSAE UI Configuration
ECA-9860 - Same MSAE policy UID is used for all machines
ECA-9862 - MSAE AD password is shown cleartext
ECA-9871 - Fix trace interceptor invocation duration
ECA-9872 - Regression: Peer publishing between 7.5 and older is broken
ECA-9873 - Error clicking "previous" CA certificate in CA structure certificate view
ECA-9877 - External RA: Unable to access external RA
ECA-9886 - Fix ACME pre-authorization order creation
ECA-9887 - Security Issue
ECA-9895 - Oauth login fails in chrome
ECA-9896 - Failed to get token from authorization server. HTTP status code 401
ECA-9900 - Fix AcmeConfiguration upgrade method.
ECA-9904 - LDAP Connection resets regularly
ECA-9908 - Test connection doesn't use the saved password
ECA-9909 - List of "Available MS Templates" isn't sorted
ECA-9912 - Incorrect table definition in sql script for MS-SQL for OcspResponseData.rowProtection
ECA-9916 - Implement oid claim for Azure
ECA-9919 - PKCS11HSMKeyTool fails with missing jna dependency
ECA-9924 - AD Search Scope too narrow
ECA-9931 - Security hardening
ECA-9932 - Fix exception with "default method" in Java on some environments
ECA-9933 - Must enter client secret again when saving OAuth provider
ECA-9938 - OAuth login in RA UI does not work over peer connection
ECA-9949 - OAuth: Failed to get token from authorization server.
ECA-9954 - Regression: NPE when getting non-existent configuration over peers, when debug logging is enabled
ECA-9956 - Conf files update is not reflected
ECA-9958 - Regression: NPEs on System Configuration page
ECA-9959 - MSAE SAN DNS Contains only domain part
ECA-9963 - EstRAModeBasicTest failing due to typo in expected error string
ECA-9967 - Errors in CA UI when TLS session is restarted
ECA-10042 - ACME EAB secret key logged on debug level
EJBCA 7.4.3.3
Released February 2021
Bug Fixes
ECA-9749 - Regression: Intune not working, upgrade intune libraries
ECA-9779 - Invalid backport: not working in OpenJDK 8u272/11.0.6 without Java patch
ECA-9809 - Unable to sign RSA public keys with SSH CA
EJBCA 7.4.3.2
Released December 2020
Tasks
ECA-9694 - Security issue
Improvements
ECA-9669 - Workaround for MSSQL Hibernate driver issue that leads to duplicates in CRL
ECA-9679 - Signing with RSASSA-PSS not working in OpenJDK 8u272/11.0.6 without Java patch
ECA-9693 - Security Issue
Bug Fixes
ECA-9557 - SSH Certificate Signer not working with p11
ECA-9705 - Invalid storage of SIM value (RFC4683) in the Subject Alternative Name of a certificate
ECA-9711 - AWS KMS request throttling when reading public keys results in unusable keys
EJBCA 7.4.3
Released October 2020
New Features
ECA-5333 - Ability to search for approval requests by part of Subject DN / or e-mail
ECA-7994 - Not possible to request CVC certificates in RA web
ECA-8845 - Planning of grab new installations issue
ECA-9237 - Authentication path for OAuth in CA UI
ECA-9239 - Authentication path for OAuth in RA web
ECA-9240 - Ability to manage OAuth keys via AdminWeb
ECA-9241 - Ability to manage OAuth keys via CLI
ECA-9333 - REST API commands for End Entity Management
ECA-9337 - Landing page for "grab new installation"
ECA-9346 - CLI support to create new CA with AWS/Azure KMS crypto token (ejbca.sh ca init)
ECA-9350 - Authentication path for OAuth in WebService and REST API
ECA-9351 - Ability to configure default OAuth key
ECA-9376 - Add language strings for OAuth in RA Web
ECA-9421 - Add entry for Trident HSM to web.properties defaults
ECA-9431 - System test of URL access with JWT Bearer token
ECA-9450 - Add OAuth support to AuthenticationFilter
ECA-9451 - Add OAuth support to JSP pages
ECA-9453 - Make it possible to ask the healthcheck servlet which VAs are up to date
ECA-9471 - Unit test of OAuth Keys in Configdump
ECA-9481 - Updating preferences in RA Web and CA UI with OAuth authentication
ECA-9509 - Trigger landing page for new installations
Tasks
ECA-8905 - Update JWT libraries for EJBCA
ECA-9315 - Document CA rekey recommendations
ECA-9380 - Upgrade jackson-databind to 2.9.10.6
ECA-9381 - Remove jdom jar
ECA-9383 - Upgrade hibernate jars
ECA-9515 - New Swagger version requires json-patch JAR and newer jackson-databind JAR
ECA-9539 - Skip REST related test in CE
Improvements
ECA-8750 - KeyGenParams is handled inconsistently for RSA
ECA-8800 - Improve usability when selecting crypto tokens/algorithms on CA
ECA-9023 - Use prepared statements in ApprovalSessionBean and org.ejbca.util.query.Query
ECA-9215 - Configure full Azure Key Vault Name which would include the DNS FQDN
ECA-9238 - Ability to access CA UI via OAuth without allowing unauthenticated usage
ECA-9243 - Change or remove svn.revision property
ECA-9283 - SSH Implementation improvements
ECA-9293 - SSH Implementation remaining TODOs
ECA-9309 - CleanUp the code, discovered in SSH implementation/review
ECA-9328 - Improve JackNJI11ProviderTest
ECA-9355 - Prevent admin lock-out when using OAuth
ECA-9368 - Fail over to another node if CRL updater cannot complete work due to crypto token being inaccessible
ECA-9379 - Document how to view number of CRLs for each issuer in housekeeping guide
ECA-9412 - Export\import OAuth keys with configdump
ECA-9415 - Add ACME support for cert-manager
ECA-9428 - Some WS methods swallow AuthorizationDeniedException
ECA-9430 - Avoid using SHA1 for HSM public key dummy certificates
ECA-9457 - Lower logging level from ERROR to INFO when request key is not allowed
ECA-9458 - Trim external lib
ECA-9462 - Remove unused jar file
ECA-9464 - Upgrade internal library
ECA-9465 - Upgrade internal library
ECA-9467 - Upgrade internal library
ECA-9469 - Upgrade internal library
ECA-9514 - Temporarily remove OAuth configuration from CA Web
ECA-9522 - UI Improvements to installation page
ECA-9523 - EJBCA's validity definition does not align with the one from RFC5280 and baseline requirements
Bug Fixes
ECA-8681 - CRLData query wrongly assumes unique result
ECA-9031 - Regression: certificate validity option for key validators are not shown
ECA-9170 - SecureXmlDecoder cannot deserialize enums created in Java 6
ECA-9185 - Security Issue
ECA-9213 - Regression: 'Close' button not functioning under Role Members 'View Certificate' page
ECA-9280 - SecureXmlDecoder lacks support for UserDataVO, causing deserialization error
ECA-9291 - Incorrect encoding of critical options for SSH certificates
ECA-9296 - SSH values still show up in end entity profiles even if SSH module is not present
ECA-9301 - EJBCA freezes at startup if cyclic cross-signed root certificates are used in OCSP chain
ECA-9302 - Regression: Unable to Generate Certs from WebService When the Username is Set To Autogenerated in the EEP
ECA-9304 - Missing CA causes NPE when viewing KeyBindings
ECA-9318 - Wrong defaultKey selected from crypto token
ECA-9325 - Add quotation marks to the properties argument in the sample command in the CLI for services
ECA-9335 - Regression: SerialNr Octet size not retained after upgrade
ECA-9343 - Duplicated close on stream in EndEntityProfileSessionBean and CertificateProfileSessionBean
ECA-9349 - CLI does not include plugins-ee on first build
ECA-9364 - EjbcaWS.findCerts(username, isValid=true) should also return certificates with status = 21
ECA-9365 - Not possible to delete publisher, if exists ssh CA
ECA-9370 - CMP's EndEntityCertificateAuthenticationModule does not use BC to verify certificates
ECA-9392 - ACME system test includes invalid altName extension in CSR
ECA-9413 - Fix ACME test failures in main
ECA-9426 - OCSP responses without extensions are sent with an empty "singleExtensions" list
ECA-9432 - Removal of unidfnr/src-test causes Unit tests failure and partial execution of unit tests
ECA-9434 - Multiple CRLs with different CRL partition indexes after upgrade causes NonUniqueResultException
ECA-9436 - ProtocolOcspHttpStandaloneTest failure (false positive)
ECA-9437 - Avoid random StringToolsTest failure
ECA-9440 - Regression: CA UI links do not work with a HTTP proxy running on a different port/hostname/scheme
ECA-9448 - Regression: Changes in EndEntityProfileSessionBean and CertificateProfileSessionBean in try-with-resources produce incomplete xml
ECA-9452 - Test for pkcs10enroll endpoint returns error when user is set to autogenerated in EEP
ECA-9455 - Possible NPE in REST search certificate call
ECA-9456 - Approvals created without cert authenticated admins fail in RA Web
ECA-9482 - Missing icon and name of access rule with misconfigured peer connector
ECA-9485 - Regression: XmlSerializer does not B64 encode non-ASCII strings, causing audit record to fail in some cases
ECA-9498 - Regression: OCSP keybinding certificate import fails when CA fingerprint is missing in database
ECA-9501 - Test Failure: KeyValidatorSession
ECA-9503 - Test Failure: REST System tests
ECA-9506 - Update method invocations to getPendingEntriesCountForPublisherInIntervals
ECA-9517 - ant ziprelease doesn't set git revision properly
ECA-9518 - AdminWeb header/logo URL is sometimes not shown due to incorrect URL
ECA-9520 - Jenkins RA/VA builds using invalid revision property
ECA-9524 - EJBCA CE doesn't build from main
ECA-9528 - ACME NPE while running same certbot request twice or more
ECA-9529 - Regression: Custom logo does not load
ECA-9535 - Too many CT keys would fill up screen during CA creation
ECA-9538 - AcmeConfiguration is missing configdump setting for getRetryAfter
ECA-9541 - Test failures after inclusive validity range fix
ECA-9547 - "ant ziprelease" produces Community Edition zip release that does not build
ECA-9548 - Regression: PKI Disclosure Statements are not encoded correctly in audit log
EJBCA 7.4.2
Released September 2020
New Features
ECA-9360 - Omit "unspecified" revocation reason in OCSP responses
Improvements
ECA-9328 - Improve JackNJI11ProviderTest
ECA-9341 - Permit inclusion of additional subject DN fields when using ACME
Bug Fixes
ECA-9165 - Certbot 1.4.0-1.6.0 fails to enroll over RA peer
ECA-9285 - Warn about incorrect peer role configuration that breaks RA nodes
ECA-9301 - EJBCA freezes at startup if cyclic cross-signed root certificates are used in OCSP chain
ECA-9342 - SCP Publisher doesn't close all connections
ECA-9344 - DB import fails when number of objects are high
ECA-9357 - Count of successful publishing operations not correct in PublisherQueueSessionBean
EJBCA 7.4.1
Released July 2020
New Features
ECA-9244 - Allow the SCEP SSB to verify messages from Intune
ECA-9248 - Add option to certificate serial number generator to use a FIPS/SP800 BC hybrid entropy source
ECA-9250 - Modify ziprelease command to not include the SSH module by default
ECA-9251 - Review implementation of the SSH CA
ECA-9252 - Modifications to End Entity and Certificate Profiles for SSH Certificates
ECA-9253 - Review implementation of SSH Public Keys
ECA-9254 - Review implementation of SSH Certificates
ECA-9255 - Review implementation of SSH-related WS methods
ECA-9265 - Add REST stress test command to clientToolBox
Improvements
ECA-8432 - OCSPkeyBinding Default Responder DB Queries
ECA-8787 - Add the ability to have multiple DVCAs with the same holder country and mnemonic
ECA-9211 - Optionally include certificate chain in /pkcs10enroll response
ECA-9275 - Database protection compatibility code should skip automatic upgrade
ECA-9283 - SSH Implementation improvements
ECA-9289 - Allow validity changes for SSH certificate profiles
ECA-9293 - SSH Implementation remaining TODOs
ECA-9294 - Microsoft Intune feature documentation
ECA-9295 - Make sure all files under the ssh module have the Enterprise license header
ECA-9299 - Remove unneeded values from intune configuration
ECA-9319 - Add CVC WS system test how to renew a domestic DV from a CVCA in the same instance
Bug Fixes
ECA-9170 - SecureXmlDecoder cannot deserialize enums created in Java 6
ECA-9206 - Prevent peer system from being removed when referenced by a publisher
ECA-9217 - ACME http challenge validation process fails when the server redirects to HTTPS
ECA-9278 - SHA512withRSAandMGF1 cannot be used by JackNJI11
ECA-9291 - Incorrect encoding of critical options for SSH certificates
ECA-9296 - SSH values still show up in end entity profiles even if SSH module is not present
ECA-9298 - Security Issue
ECA-9314 - Regression: "Key already in use" functionality stopped working on CA page
ECA-9326 - SCEP approvals only works with soft Crypto Tokens, not HSM.
EJBCA 7.4.0
Released June 2020
New Features
ECA-4491 - Support Ed25519 and Ed448 (EdDSA) certificate issuance using soft crypto tokens
ECA-5333 - Ability to search for approval requests by part of Subject DN / or e-mail
ECA-6787 - Ability to specify Superadmin Validity during installation
ECA-6790 - Add "Enforce Key Renewal" Option
ECA-7162 - Add regex validation to usernames for EEP
ECA-8699 - Support encryption for SCEP in Azure Key Vault crypto token
ECA-8718 - Add test of "Enforce Key Renewal"
ECA-8781 - CLI command to import key recovery data for end entities
ECA-8848 - Database table for pre-produced OCSP responses
ECA-8849 - Service worker pre-produced OCSP responses
ECA-8850 - CA setting enabling pre-produced responses.
ECA-8852 - Publisher for OCSP Response Data
ECA-8866 - Create OCSP Cache for CA canned response setting
ECA-8878 - Session bean (interface etc) for OcspResponseData
ECA-8892 - Handling conflict between CA setting to pre-produce OCSP responses and OCSP Key binding nonce setting
ECA-8895 - Create indexes for the OCSPResponseData table
ECA-8899 - Approvals for SCEP RA mode
ECA-8913 - Support AWS KMS (Key Management Service, different from AWS CloudHSM)
ECA-8944 - Service worker UI for OCSP pre-production
ECA-8962 - Implement SCEP enrollment with approvals for already existing end entities
ECA-8990 - Update plugin sample to deploy cleanly
ECA-9051 - Shift the configuration of ExtendedUserDataHandlers (such as the UnidFnrHandler) from CMP configuration to CA configuration
ECA-9053 - Implement configuration of Request Processors in the CA
ECA-9057 - Implement a validator for the Google Safe Browsing API
ECA-9065 - Upgrade procedure after moving Request Processors from CMP to CA
ECA-9066 - Shift execution of Request Processors from CrmfRequestHandler into CertificateRequestSession
ECA-9072 - Service worker logic for final OCSP response
ECA-9074 - Support for CLI batch generation with EdDSA keys
ECA-9142 - Create a webservice call for creating an externally signed CA.
ECA-9163 - Add support for WS createExternallySignedCa command in clientToolBox
Tasks
ECA-7435 - Java 11: SOAP WS Client and Tests do not work
ECA-8212 - Batch enrollment GUI does not build under JDK11
ECA-8651 - Update resteasy jars used for junit testing
ECA-8695 - Security: Upgrade external dependency
ECA-8696 - Update db2jcc4.jar used for jenkins tests
ECA-8700 - Use reflection in CESeCoreUtils to support older version of Java
ECA-8717 - Java 11: ejbca-ws-cli uses endorsed.dirs which is not supported in java 11
ECA-8724 - Upgrade cert-cvc to 1.4.10
ECA-8727 - Documentation: Oracle JDK 8 not listed any longer in prerequisites
ECA-8730 - Fix JUnit, UserFulfillEndEntityProfileTest and CommandLibraryTest tests that fail on Java 11 (due to issues in tests)
ECA-8731 - Remove old commons-httpclient 3.1 and upgrade commons httpcomponents to latest stable version
ECA-8733 - Update ConfigImport "known limitations"
ECA-8744 - FindBugs: fix warning about NP_NULL_PARAM_DEREF
ECA-8804 - Security: Upgrade external dependency
ECA-8807 - Change the copyright footer to 2020
ECA-8855 - Automate test ECAQA-128: End Entity Profile - Custom Validity
ECA-8898 - Document known issue related to approval requests after an upgrade to EJBCA 6
ECA-8918 - Documentation: Document support for Cloud HSMs
ECA-8980 - EJBCA Testing: ACME (Continued) Testing
ECA-9011 - Upgrade Apache CXF
ECA-9049 - Investigate CRL-related test failures in Jenkins
ECA-9050 - Code cleanup: Remove dead encrypt/decrypt methods in CA
ECA-9079 - Add selectable head banner with advisory notice and consent warning
ECA-9088 - Grab ClientToolBox test from Git
ECA-9089 - Learn how the current EJBCAClientToolBox test works.
ECA-9090 - Create/Extend JenkinsFile and DockerFile for EJBCAClientToolBox
ECA-9091 - Setup Jenkins Job to run EJBCA ClientToolBox
ECA-9100 - Documentation: update JBoss security about Diffie-Hellman keysize and datasource passwords
ECA-9114 - Upgrade jackson databind
ECA-9168 - Regression Test & Automation EcaQa75
ECA-9187 - Add configuration steps for WildFly 18
ECA-9197 - Document how to limit length of DN fields using regexp validation
Improvements
ECA-1758 - Add system tests for caRenewCertRequest (WS)
ECA-4130 - Publishers: Show the publisher type next to the name in the Publishers page
ECA-5912 - Trim spaces and check syntax of CT URLs when they are added
ECA-6284 - Use something faster than java.beans.XMLEncoder/Decoder
ECA-6296 - Limit length of subject DN in RA GUI search results
ECA-6505 - Documentation: Add diagram how CA, CPs and EEPs are related
ECA-7064 - Disallow creation of Peer Connectors with the same name
ECA-7633 - New flag in 'ejbca.sh ca republish' command to list certificates instead of end entities
ECA-7722 - Minor usability improvements on Edit CA page
ECA-7819 - Remove old installation properties and ant targets
ECA-7959 - A user should be able to click a link to be returned to the previous page after error occurs
ECA-8157 - Add back the username field to EEP
ECA-8636 - CT systemtest - Publish precert
ECA-8670 - Allow selenium setup to run with different ManagementCA name
ECA-8672 - Fix trivial warnings in cesecore-common
ECA-8675 - Fix CryptoToken import in configdump
ECA-8694 - Automate ECAQA-155
ECA-8698 - Unclear UI messages for RA CA name in EST alias
ECA-8703 - Trim space for ACME Aliases Add function
ECA-8706 - Refactor CAInterfaceBean and related classes
ECA-8713 - Automate ECAQA-152
ECA-8715 - Optimize Azure Key Vault Crypto Token to not make unnecessary REST calls when checking for status
ECA-8716 - Optimize PKCS11 Crypto Token to not make unnecessary PKCS#11 calls on deactivated crypto tokens
ECA-8720 - Jenkins: upgrade powermock dependencies for JDK11+
ECA-8721 - Jenkins: EJBCA_JDK_DOCKERS
ECA-8722 - Update cert-cvc library to build with Java 11
ECA-8725 - Optimize render of created/edit CA page to not list all crypto token keys
ECA-8729 - ConfigImport Admin Roles import order
ECA-8738 - Make it possible to run tests within eclipse
ECA-8746 - Add small help text for subject DN field when creating a CA
ECA-8747 - Give error message when trying to import an IS certificate to a DVCA
ECA-8749 - ApprovalProfileSession.removeApprovalProfile throws exception when profile does not exist, does not follow javadoc contract
ECA-8754 - Optimize CaSessionBean.getCAIdToNameMap to use cache
ECA-8755 - Optimize CryptoTokenManagementSessionBean.getKeyPairInfo to not list all aliases
ECA-8758 - Sort "Extended Key Services Specification" dropdown
ECA-8765 - Document in Client Toolbox how to include CESeCoreUtils
ECA-8774 - Fix some NPEs in the log when accessing without proper session
ECA-8775 - Improve output format in CertDistServlet listcerts command
ECA-8783 - Add test case for va publisher data source (Selenium)
ECA-8788 - Inconsistent behaviour between CLI and AdminWeb created CA using CA defined AIA
ECA-8789 - Allow UNUSED data value in databaseprotection.properties
ECA-8793 - Add new HTTP security headers
ECA-8794 - Add HTTP security headers to CertDistServlet
ECA-8795 - Improve error handling in PublicWeb when entering invalid DN
ECA-8797 - The wrong path of a language configuration file in the document
ECA-8801 - Change text uses->allows in configuration checker message about ECC keys
ECA-8809 - Fix formatting in CertStoreServletTest and CertFetchAndVerify
ECA-8813 - Show a warning when basic constraints are violated
ECA-8821 - Better error message when trying to sign with an inactive crypto token
ECA-8839 - Allow serial numbers to be entered with colon or spaces also
ECA-8863 - Jenkins jobs improvement
ECA-8865 - Selenium test constantly failing on RA-web
ECA-8872 - Documentation: Clarify what multiple issuers in the CAA validator means
ECA-8879 - Create end entity based on UPN in certificate when running "importcertsms" CLI command
ECA-8882 - Improve Swedish translation of the RA web
ECA-8907 - Add validator for SAN field in Create CA page and improve error handling.
ECA-8908 - Update documentation for pre-produced OCSP responses
ECA-8911 - Ability to get version of clientToolBox
ECA-8921 - Automate ECAQA-113
ECA-8924 - Automate ECAQA-116
ECA-8926 - Add delete method in OcspDataSession bean.
ECA-8930 - The Save button in the RA web edit end entity page should be located at the bottom
ECA-8932 - Document improvement in CRL Behaviour after CA Revocation
ECA-8936 - Revise the OcspResponseData table and primary key.
ECA-8943 - Public key blacklist should handle Debian blacklist format
ECA-8958 - Modify CmpRAUnidTest to run without the Unid datasource
ECA-8961 - Improve debug logging for approvals to easily see type
ECA-8975 - Code cleanup: Encode EC keys generated by a Pkcs11NgCryptoToken without explicit params first
ECA-8977 - Add sample token properties to changecatoken CLI command to make it easier to use
ECA-8996 - Code cleanup: Azure crypto token
ECA-8997 - Code cleanup: AWS KMS crypto token
ECA-8999 - Add cabforganizationidentifier as argument to WS cli
ECA-9003 - Code cleanup: OidsObjectLinkedHashSetConverter and write unit test
ECA-9027 - Check that all certificate/end entity profile pairs have at least one usable CA
ECA-9032 - Configurable time before expire for Ocsp Response Presigner
ECA-9033 - Improve JPQL query for getting expired responses
ECA-9034 - Support SHA1 and SHA256 hashes for Pre-produced OCSP responses
ECA-9035 - Upgrade to BC 1.65
ECA-9036 - Increase column size of subject DN and subject email for MySQL/MariaDB
ECA-9041 - SCEP: Debug log message encryption algorithms
ECA-9045 - Enable legacy browser enrollment in IE11 on Windows 10
ECA-9058 - On-demand setting for OCSP pre-production
ECA-9067 - Improve CryptoToken Config: Verify Auto-Activation Codes
ECA-9070 - Add support for CAs using SHA256WithDSA
ECA-9096 - Peer publisher for OCSP response data
ECA-9097 - Show only relevant curves/key sizes on certificate profile page
ECA-9098 - Retrieving curves and algorithms on RA web needs to be optimized
ECA-9107 - Add peering configuration capability to CLI to support scripting external VA/RA
ECA-9113 - CLI ca importcertdir command should use random password
ECA-9123 - Don't check key length if we have allowed Ed25519 or Ed448
ECA-9124 - Add "Cache-control" header to HTTP POST OCSP responses.
ECA-9131 - Clean-up job for expired OCSP Responses
ECA-9132 - Support Archive Cutoff for pre-produced OCSP responses
ECA-9135 - Improve documentation about allow.external-dynamic.configuration in ejbca.properties and cesecore.properties
ECA-9139 - Trigger OCSP Response Publisher on generation
ECA-9160 - Allow CLI upgrade command to run post-upgrade automatically
ECA-9162 - Allow to store pre-produced OCSP responses in response to requests with Nonce, if response does not have Nonce
ECA-9186 - Make new XmlSerializer code locale insensitive and deterministic
ECA-9189 - Allow OCSP Response Pre-Signer to only do Final Responses
ECA-9208 - Don't render OCSP Pre Production in EJBCA CE
Bug Fixes
ECA-1691 - Reject issuance if both notBefore and notAfter are in the past
ECA-2052 - Country code in Subject DN of CVC CA is case sensitive
ECA-2068 - Export CA key Store with incorrect password shows an exception on the screen
ECA-4155 - Check if RoleMember matched by X.509 certificate has a plausible CA and certificate serial number combination
ECA-4363 - Use different return codes for importprofiles CLI command
ECA-4735 - Unify appearance in "Edit CA" page between "CA life cycle" and "Externally signed CA creation/renewal"
ECA-5704 - Extended Key Usages / Prevent user from adding same Label for different OIDs
ECA-5705 - Extended Key Usages / Adding new Label with an existing OID replaces the old one without any error
ECA-6113 - SAN with escaped commas (e.g. in directoryName) is not displayed correctly
ECA-6189 - Subject DN e-mail field and EE e-mail field conflated in the RA
ECA-6770 - Extra slashes introduced on links from some admin web pages
ECA-7060 - Handle invalid input on 'Approval Profiles' page
ECA-7072 - Long text input in field validation of Manage Data Source page causes crash
ECA-7299 - Unit tests require PKCS#11 "slot 1" to exist and do not work with SoftHSM
ECA-7333 - It is possible to add Internal Key Bindings without a name
ECA-7678 - 'Close' button not functioning under 'Roles and Access Rules' page
ECA-7733 - Security hardening
ECA-7739 - Using a certificate profile template does not select the correct fields
ECA-8049 - Treat Subject Directory Attributes the same way as Subject DN.
ECA-8146 - OCSP signer renewal via peers not working for throw-away CA
ECA-8233 - "invalid use of tag" warnings from Javadoc for WS exceptions on JDK 11
ECA-8237 - Getting "XML Parsing Error: no root element found" when clicking "View Older" in View Certificate popup
ECA-8376 - RA Web doesn't build in CE.
ECA-8496 - Document how to prevent BouncyCastle not being loaded by an EJBCA classloader
ECA-8659 - Error message is not displayed in Audit Log UI page when database protection fails to verify
ECA-8679 - Security issue
ECA-8680 - Index recommendation will not allow use of partitioned CRLs
ECA-8687 - Fix selenium test failures due to wrong Certificate Profile save message
ECA-8689 - Enable /administrator when granting access to the WS protocol over peers
ECA-8690 - Import of IKB doesn't set bound cert Id
ECA-8691 - Add upgrade notes for ECA-8679
ECA-8697 - Audit log menu item visible on some pages even if the audit log is disabled
ECA-8707 - Key sequence ignored when renewing CA
ECA-8711 - Regression: Cannot change "Signed by" option for CAs in Uninitialized state
ECA-8712 - No alias for key purpose 0 error when editing external CA
ECA-8714 - Use CRL partitions should not be rendered for External CAs
ECA-8719 - 'Make New Request' on 'RA Web' on 'Clean Installation' results in StackOverflowError
ECA-8723 - cert-cvc should use Bouncy Castle provider for verification of CVCAuthenticatedRequest
ECA-8728 - TestDatafields in cert-cvc fails if clock is 00:00-00:59
ECA-8734 - Incorrect warning of ConfigExport/Import SCP Publisher
ECA-8735 - Some system tests fail if ManagementCA is called something else
ECA-8736 - HealthCheckTest.testAuditLogHealthCheck does not restore databaseprotection.keyid.AuditRecordData
ECA-8737 - change/addUser should throw a proper error message instead of NPE when changing a user to a non-existing EE profile
ECA-8739 - NPE when importing brainpoolP256r1 DVCA certificate
ECA-8742 - Delete tests leave crypto tokens left behind by system tests
ECA-8743 - KeyGenParams is not serializable
ECA-8752 - CA message handlers may throw NPE instead of CADoesntExistsException when CA does not exist
ECA-8756 - ClassCastException on Wildfly 14 when saving a certificate profile with "Subject DN Subset" enabled
ECA-8757 - CaImportCACommand doesn't activate KeyRecoveryCAServiceInfo
ECA-8759 - Unclear error message CA/B Forum Organization Identifier is blank or missing
ECA-8761 - Certificate Extensions not enabled in the Certificate Profile give no error
ECA-8766 - Certificate pinning for Authentication Key Bindings is not working if the pinned certificate is not in the database
ECA-8772 - Minor security issue
ECA-8773 - Security issue
ECA-8777 - Security issue
ECA-8778 - WS request with missing required extension field can still be issued
ECA-8779 - WS request with extension field that is in CP but not EEP can be issued
ECA-8780 - KeyRecoverySessionBean.addKeyRecoveryData does not return false if data already exists
ECA-8782 - ServiceSession logs incorrect administrator when editing a service
ECA-8785 - Statedump import fails when there is an unconfigured EST alias
ECA-8786 - Making a CVC WS request can fail if there is an uninitialized CVCA
ECA-8791 - Cannot search by year 2020 in Admin Web
ECA-8796 - Sometimes wrong default setting for "Send notification" in the RA, when notifications are enabled
ECA-8799 - Regression: Wrong JKS is downloaded in the "CA Certificates & CRLs" page
ECA-8803 - NPE in Admin UI if script publisher configured and after that external scripts are disabled
ECA-8811 - CVCA link certificate has wrong validity
ECA-8816 - 'Remove from CRL' should be removed from 'Revocation Reason' list
ECA-8819 - Cannot use 7.x RA with 6.15 CA
ECA-8823 - Bad default CRL parameters when importing CA
ECA-8832 - Create button enabled while viewing CA non privileged.
ECA-8858 - Test failure in ConfigdumpCertificationAuthorityUnitTest
ECA-8859 - CA does not get selected on Add End Entity page load, test failure in EcaQa59_EEPHidden
ECA-8861 - Strip key alias when creating new keys
ECA-8864 - I cannot download generated certificate request as PEM or DER. An exception has occurred.Server returned: 500
ECA-8869 - Fix duplicate/ambiguous network name on old Jenkins jobs
ECA-8870 - Fix selenium tests jobs of Domain Blacklists on Jenkins
ECA-8871 - Test EcaQa5_AddEndUserEndEntity fails due to changing element IDs and incorrect profile
ECA-8873 - No certificate profile specified in EcaQa202_NegativeBlacklistExactMatch test
ECA-8874 - EcaQa77_EndEntitySearch is sensitive to the environment
ECA-8880 - UpdatePublicKeyBlacklistCommandTest contains empty folder in resources, which fails with GIT
ECA-8881 - Empty POST to /.well-known/est/simpleenroll results in NullPointerException
ECA-8884 - PKCS#11 CP5 Cryptotoken type displayed even if no libraries are configured
ECA-8885 - HealthCheckTest fails on Community Edition
ECA-8888 - Test failures in Selenium jobs due to port conflict
ECA-8890 - Certificate Validator ignores profile settings
ECA-8893 - ServiceLocatorException on approval/notification when mail is not configured
ECA-8900 - The wrong certificate profile is edited when opening two certificate profiles in different tabs/windows
ECA-8910 - Jenkins Oracle DB is missing indexes, which causes failures
ECA-8912 - No remote key bindings listed on CA when any keybinding references a non-existent key
ECA-8915 - Usability: Verify allowed characters in key aliases when generating keys using Azure Key Vault REST API.
ECA-8916 - Fix Jenkins test failure in EcaQa76_AuditLogSearch
ECA-8917 - Pre-sign Certificate Validator gives error when using ECDSA and a CA using HSM
ECA-8925 - Fix timing sensitivity in CTLogTest
ECA-8942 - Web Services - DN Merge Issue with Multiple OU Fields
ECA-8948 - Avoid NPE when no CA configured in EST alias
ECA-8955 - SCEP renewal should give nice error message when renewal cert does not exist
ECA-8956 - SCEP RA mode should not log on error level for normal handled error cases
ECA-8957 - Fingerprints not normalized on public key blacklist import
ECA-8959 - Public EC keys generated by a Pkcs11NgCryptoToken are always using explicit EC parameters
ECA-8960 - Regression: throwing checked Exceptions from postConstruct is not allowed in JEE spec
ECA-8985 - Certutil dump file created in Windows cannot be read by 'ejbca.sh ca importcertsms'
ECA-8989 - Unable to upload a zip with custom CSS files
ECA-8993 - CMP response message with PBE protection does not include configured extra certs
ECA-9012 - 'General Settings' Help/Documentation link 'Edit Validator' page is broken
ECA-9015 - Import Help/Documentation is broken under System Configuration/Custom RA Styles
ECA-9024 - AJAX for associating an RA style with a role is broken
ECA-9025 - Weird error message when certificate profile cannot be removed
ECA-9028 - Validators Help/Documentation link is broken under Edit CA page
ECA-9029 - Approval request not done by cert authenticated admins shows blank in Requested By
ECA-9030 - Improve audit logging for custom RA styles
ECA-9038 - NPE clicking Receive Certificate Response in Edit CA screen, if nothing is uploaded
ECA-9048 - Some languages not working for subject DN when viewing certificates in CA GUI
ECA-9060 - Adding a new label with an existing OID does not give you any error/message.
ECA-9064 - Prevent inactive CmsCAService to try to load keystore
ECA-9069 - Some CA lists in services are not sorted
ECA-9071 - Regression - 2 Edit buttons displayed in RA Web End Entity Details page
ECA-9073 - Approvals can't be edited by admin
ECA-9078 - Documentation link for Enable End Entity Profile Limitations? is broken
ECA-9080 - Documentation link for 'Create Authenticated Certificate Signing Request' is broken
ECA-9082 - 'ETSI PSD2 QC Statement' Documentation link refers to the wrong page
ECA-9086 - Missing documentation for CA/Browser Forum Organization Identifier
ECA-9103 - Ed448 and Ed25519 not supported in RA UI and Public Web
ECA-9104 - Edit end entity can log the wrong changed DN if DN merge is used
ECA-9106 - Regression: Unable to submit to CT logs
ECA-9109 - Regression: RA GUI: Regardless of the format chosen the downloaded certificate is always a PKCS12 certificate.
ECA-9110 - EJBCA adminweb is not accessible after configuring "Custom Publisher"--An exception has occurred. For input string: "60000"
ECA-9111 - Regression: EJBCA CA key renewal service does not work on subCAs
ECA-9112 - Selenium Tests in Jenkins
ECA-9125 - Avoid that upgrade adds duplicate OCSP extension that already exists
ECA-9126 - Methods to delete Ocsp Responses fail
ECA-9128 - Regression: Peers cannot deserialize TreeMap
ECA-9129 - Custom extensions cannot be deserialized by EJBCA
ECA-9130 - Regression: can not change CVC terminal type in CA UI
ECA-9136 - RaMasterApi reports wrong API_VERSION
ECA-9137 - Regression: Not possible to activate rollover renewal, CA rollover cert activation is not rendered in Admin UI
ECA-9138 - Documentation link broken in Edit Publisher 'Publisher Queue' section
ECA-9143 - NPE editing SCEP alias after rename of end entity profile and SCEP alias list items are not sorted
ECA-9150 - Audit Log page error
ECA-9152 - Some certificates are missing when downloading a JKS chain
ECA-9153 - Always close SSH connections created by the SCP publisher
ECA-9154 - Regression: can't edit ICAO document type list in adminweb
ECA-9157 - OCSP audit and account logging does not work when serving pre-produced responses
ECA-9159 - NJI11ReleasebleSessionPrivateKey always assumes RSA
ECA-9166 - Class was not found on classpath
ECA-9167 - Typo error in ORM mapping for ApprovalData
ECA-9170 - SecureXmlDecoder cannot deserialize enums created in Java 6
ECA-9172 - Rollover of expired CA will not make it active due to CRL generation failure
ECA-9174 - NPE in configuration checker if certificate profile linked from end entity profile does not exist
ECA-9178 - HealthCheckServlet is trying to create a "filename.properties" with no path
ECA-9181 - Deleting token used for 'Force Local Key Generation' breaks Basic Configurations page
ECA-9188 - Don't persist responses with status 'Unknown'
ECA-9190 - NullPointerException in Statedump when a non-existent publisher is still in use
ECA-9192 - Not possible to add additional CA certificates to CMP response
ECA-9200 - Regression: Several ajax calls on certificate profile page broken
ECA-9202 - Statedump support for the Google Safe Browsing Validator
ECA-9204 - It is possible to rename a CA with no name
ECA-9205 - NPE when testing the connection of a VA Peer Publisher referencing non-existing peer system
ECA-9207 - Regression: Created CVC Authenticated requests can not be downloaded in Admin UI
EJBCA 7.3.1.4
Released May 2020
ECA-9128 - Regression: Peers cannot deserialize TreeMap
ECA-9129 - Custom extensions cannot be deserialized by EJBCA
ECA-9136 - RaMasterApi reports wrong API_VERSION
EJBCA 7.3.1.3
Released March 2020
ECA-8959 - Public EC keys generated by a Pkcs11NgCryptoToken are always using explicit EC parameters
EJBCA 7.3.1.2
Released March 2020
Improvements
ECA-8775 - Improve output format in CertDistServlet listcerts command
ECA-8783 - Add test case for va publisher data source (Selenium)
ECA-8793 - Add new HTTP security headers
ECA-8809 - Fix formatting in CertStoreServletTest and CertFetchAndVerify
Tasks
ECA-8790 - Perform upgrade testing
ECA-8807 - Change the copyright footer to 2020
Bug Fixes
ECA-7060 - Handle invalid input on 'Approval Profiles' page
ECA-7153 - Security issue
ECA-8719 - 'Make New Request' on 'RA Web' on 'Clean Installation' results in StackOverflowError
ECA-8757 - CaImportCACommand doesn't activate KeyRecoveryCAServiceInfo
ECA-8772 - Minor security issue
ECA-8773 - Security issue
ECA-8776 - Backport - ClassCastException on Wildfly 14 when saving a certificate profile with "Subject DN Subset" enabled
ECA-8777 - Security issue
ECA-8782 - ServiceSession logs incorrect administrator when editing a service
ECA-8791 - Cannot search by year 2020 in Admin Web
ECA-8802 - Acme failure
ECA-8811 - CVCA link certificate has wrong validity
ECA-8819 - Cannot use 7.x RA with 6.15 CA
ECA-8823 - Bad default CRL parameters when importing CA
ECA-8858 - Test failure in ConfigdumpCertificationAuthorityUnitTest
ECA-8874 - EcaQa77_EndEntitySearch is sensitive to the environment
ECA-8875 - Backport Domain Blacklist test reliability fixes
ECA-8880 - UpdatePublicKeyBlacklistCommandTest contains empty folder in resources, which fails with GIT
ECA-8883 - RA fails into an endless loop on load when missing /ra_master/invoke_api access
ECA-8890 - Certificate Validator ignores profile settings
EJBCA 7.3.1.1
Released November 2019
Bug Fixes
ECA-8679 - Security issue
ECA-8708 - P11NG - SHA384withECDSA doesn't work
EJBCA 7.3.1
Released November 2019
New Features
ECA-6784 - Improved peer publisher reporting - Create and download report after manual synchronization
ECA-8461 - Add the ability to view queued publisher items in the CA web
Tasks
ECA-7272 - Update readme documentation for dependency libs
ECA-8450 - Add OWASP Dependency checker to Jenkins
ECA-8638 - Update commons-beanutils to version 1.9.4
ECA-8639 - Add CT changes to documentation
ECA-8640 - Upgrade nimbus-jose to version 8.2
ECA-8643 - Update db2jcc4.jar used for jenkins tests
ECA-8644 - Update clover.jar, only used for tests, to version 4.4.1
Improvements
ECA-6205 - Remove unused method testImportFromZip
ECA-6979 - If a CT-configured certificate does not accumulate enough SCTs, it should be written to update OCSP, but not distributed to subscriber
ECA-8524 - Check for expired key binding certificates in the Configuration Checker
ECA-8635 - CT systemtest - Precert store
ECA-8648 - Notify if a search result is a pre-certificate in RA web
ECA-8660 - Add GCM mode ciphers for outgoing peer connections
Bug Fixes
ECA-8377 - Regression: Fast-fail is triggered when a CT submission is interrupted
ECA-8404 - CT publisher with direct publishing enabled, publishes old certificate on renewal
ECA-8630 - Incorrect handling of empty subjectAltName in a CSR in the RA UI
ECA-8658 - Error downloading CV certificate via Admin GUI search end entities screen
ECA-8667 - Update CESeCoreUtils and back-port build.cesecore.p11.jar option
ECA-8678 - Inspect publisher queue page shows wrong hour
ECA-8685 - "CMP" mentioned in EST CLI commands
EJBCA 7.3.0.1
Released 30 October 2019
New Features
ECA-8530 - Add CLI support for EST config enhancements
ECA-8554 - Configdump import of EST Configuration
ECA-8606 - EJB CLI command for controlling enabled protocols
Tasks
ECA-8582 - Resolve circular dependency between Certification Authority and Certificate Profile
ECA-8583 - Detect early on if export versions are compatible with current software version
ECA-8602 - Review and update configdump documentation as needed
ECA-8637 - Security: Upgrade external dependency
ECA-8650 - Security: Upgrade external dependency
Improvements
ECA-8396 - System test for P11NG
ECA-8572 - Prevent NPE in PeerPublisher if Peer Connector does not exist
ECA-8574 - Profile edit notification
ECA-8580 - Option to disable adding of new nodes to GlobalConfiguration
ECA-8584 - Detect and prompt for all passwords that will be used during import
ECA-8585 - Add link to Apple CT log list to admin GUI, in addition to Google's
ECA-8586 - Improve documentation for Managing CAs
ECA-8589 - CA Life Cycle JSF rendering conditions are wrong
ECA-8591 - Do not print stack trace in CLI when application server is not running
ECA-8593 - Add more detailed error message to clientToolBox certreq command when csr can not be read or directory is invalid
ECA-8600 - Check ConfigDump for unused/unimplemented code
ECA-8601 - Normalize configdump/src-cli
ECA-8604 - Refactor ConfigDumpImportItem and BaseCrud
ECA-8609 - Remove replace option in Configdump
ECA-8611 - Improve configdump error handling
ECA-8612 - Auto-resolve configdump references after import
ECA-8613 - ConfigdumpException should result in rollback
ECA-8614 - Configdump flag to control non-interactive behavior
ECA-8626 - Update PMD scan pipeline to use warnings-ng plugin syntax
ECA-8642 - Improve detection of current software version for Configdump Import
ECA-8646 - Change session timeouts to 15 minutes for PCI DSS compliance
Bug Fixes
ECA-8544 - P11 slot is already used warning displayed incorrectly
ECA-8553 - Importing CA hierarchies in Configdump not always working
ECA-8578 - REST API certificate search for active certificates does not include certificates notified about expiration
ECA-8595 - ant clean does not clean ra-gui or batchenrollment-gui modules
ECA-8596 - Delta CRL is not generated correctly when a certificate is released from hold
ECA-8597 - Link to delta CRL in CA web fetches base CRL instead
ECA-8605 - EJBCA 7.3.0 and ACME with cleartextpassword
ECA-8617 - Exclude tests for org.cesecore.keys.token.p11ng from non-eidas release
ECA-8620 - Default OCSP responder always sends "Unknown" for non-existing CA, regardless of settings
ECA-8623 - Use correct port override in EST alias systemtest
ECA-8624 - Disabling node tracking prevents local clear cache
ECA-8625 - p11ng cache not cleared on token reactivation
ECA-8641 - Improve configdump error message when write access is denied
ECA-8647 - Fix configdump import of Certificate Policy in Certificate Profile
ECA-8655 - Ordering of role members varies in Configdump exports
ECA-8661 - ACME newOrder fails due to lack of access to EEP or other failed assumption
ECA-8662 - problem importing Scep configuration with configdump
ECA-8663 - ConfigDump Import: PKCS12 key store mac invalid
EJBCA 7.3.0
Released October 2019
New Features
ECA-7278 - Initial support for Azure Key Vault as EJBCA Crypto Token
ECA-8039 - Make OCSP Archive cutoff configurable in the CA UI, for all OCSP responses, and with (optional) static date (CA notBefore)
ECA-8236 - CA/Browser Forum Organization Identifier Field certificate extension (OID: 2.23.140.3.1) for PSD2 certificates
ECA-8371 - Add RA proxying to get global configurations
ECA-8372 - Get GlobalAcmeConfiguration over peer
ECA-8379 - EST support in Statedump
ECA-8390 - Convert caaIdentities URLs to IDN (ASCII) for ACME processing
ECA-8402 - Update SCEP GetCACaps return message to scep draft23
ECA-8403 - SCEP: set default hash algorithm to SHA-256 and support 3DES as response message encryption
ECA-8438 - Create Configdump EJB interface
ECA-8439 - Create configdump import CLI command
ECA-8440 - Add EJBCA version field to Configdump exports
ECA-8449 - Overwrite option for Configdump CLI: Replace/Update/Leave
ECA-8461 - Add the ability to view queued items in the CA web
ECA-8517 - Configdump import of Custom Certificate Extensions
ECA-8518 - Configdump import of Extended Key Usages
ECA-8519 - Configdump import of Internal Key Bindings
ECA-8520 - Configdump import of Publishers
ECA-8521 - Configdump import of Services
ECA-8522 - Configdump import of Certification Authorities
Tasks
ECA-7435 - Java 11: ClassNotFoundException: org.apache.geronimo.osgi.locator.ProviderLocator from WS Tests
ECA-8277 - clientToolBox uses the ext dir, which no longer exists in Java 11
ECA-8380 - ACME: QA Testing of ACME Changes
ECA-8405 - Documentation: Clarify CMP concurrent request to same user fails
ECA-8453 - Update some external dependencies
ECA-8454 - Update the last MySQL5Dialect to MySQL5InnoDBDialect in (old) external RA
ECA-8459 - Webtests: Add platform verification feature
ECA-8474 - Documentation: Add database driver and DataSource for PostgreSQL
ECA-8500 - QA Testing 7.3
ECA-8526 - System Test Investigation: EE_COS7_OpenJDK8_WF10_NOHSM_MSSQL2017
Improvements
ECA-7596 - Unification and consolidation of dockers' shell scripts
ECA-8073 - Include key information in ConfigDump
ECA-8247 - Allow CT logs to pick sharding by period
ECA-8273 - acme: Reduce code duplication
ECA-8329 - Clean up language files (Hard Token)
ECA-8330 - GUI: Rename all "Administrator Role" to "Role"
ECA-8335 - Update ACME authorization resources to RFC 8555 compliance
ECA-8336 - Update ACME 'revokeCert' resource to RFC 8555 compliance
ECA-8337 - Update ACME 'directory' resource to RFC 8555 compliance
ECA-8338 - Update ACME certificate resources to RFC 8555 compliance
ECA-8339 - Update ACME 'newAccount' resource to RFC 8555 compliance
ECA-8340 - Update ACME account resources to RFC 8555 compliance
ECA-8341 - Update ACME order resources to RFC 8555 compliance
ECA-8342 - Update ACME 'keyChange' resource to RFC 8555 compliance
ECA-8346 - Include references to the sql scripts available in the documentation.
ECA-8347 - Update ACME 'newNonce' resource to RFC 8555 compliance
ECA-8350 - Implement 'revokeCert' resource authorization for an ACME account holding all of the identifiers in the certificate
ECA-8356 - Exceptions caught by the EST servlet are not logged properly
ECA-8370 - Update ACME challenge response resource to RFC 8555 compliance
ECA-8397 - Update ACME documentation to RFC 8555 compliance
ECA-8399 - Remove ACME 'challenge' GET resource
ECA-8401 - Display a fingerprint of the imported Statedump after it has been imported in the CA web
ECA-8406 - Give a proper error message when using an attributes file for Client Toolbox in EJBCA
ECA-8409 - Select the correct attributes file when editing a crypto token
ECA-8413 - Include the configured OCSP archive cutoff extension in all OCSP responses, not only for expired certs
ECA-8422 - Add CLI functionality for listing and editing OCSP extensions
ECA-8441 - Add import to ConfigdumpCore
ECA-8442 - Add YamlReader class
ECA-8443 - Add PoC for import of one object type in ConfigdumpSessionBean
ECA-8444 - Add import of important objects types in ConfigdumpSessionBean
ECA-8445 - Add import in configdump dump handlers
ECA-8446 - Create functional test (system test) for configdump import
ECA-8447 - CLI test for Configdump
ECA-8466 - ACME test suite re-factorings
ECA-8468 - Only report when available upstream RA peers changes
ECA-8475 - ACME end point test coverage
ECA-8477 - Add import of End Entity Profiles in Configdump
ECA-8478 - Configdump import of roles
ECA-8481 - Add implementation version in jar files to CAA cli tool, and other tools
ECA-8482 - Fix call of ACME operations with explicit ACME alias
ECA-8490 - Configdump import of Certificate Profiles
ECA-8502 - Create test for CaImportMsCaCertificates (import dump file created by certutil)
ECA-8513 - Sort items in list boxes on the role_edit.xhtml page in alphabetic order
ECA-8523 - Print CRL and public key when CRL fails to verify
ECA-8525 - Test of configdump import of Publishers
ECA-8527 - Option to export defaults in Configdump
ECA-8528 - Configdump documentation
ECA-8529 - AzureCryptoToken: Fix missing html ID and log if password is empty
ECA-8537 - Test of Configdump import of Internal Key Bindings
ECA-8543 - Exclude configdump import from ziprelease
Bug Fixes
ECA-7320 - CN from CSR not loaded correctly when "Changing a CSR"
ECA-7486 - EEP default Token type selection doesn't work on RaWeb enrollmakenewrequest page
ECA-7739 - Using a certificate profile template does not select the correct fields
ECA-7849 - Regression: foot_banner not used
ECA-7947 - Unused access rules are saved in basic mode
ECA-8033 - For configdump, allow it to skip past CAs waiting for a response and complete.
ECA-8099 - CA created with "Signed By External CA" has Serial Number Octet Size -1
ECA-8232 - IPv6 RFC compliant HREF links in EJBCA
ECA-8307 - CryptoTokenData: P11CryptoToken row entry touched/updated without need
ECA-8319 - "clientToolBox PKCS11HSMKeyTool linkcert" command should work according to ICAO 9303
ECA-8320 - SCP Publisher uses managing admin to sign payload
ECA-8322 - CertificateCrlReader does not handle revocation publications correctly
ECA-8323 - Fix findbugs warnings
ECA-8325 - CMP Configuration UI issues
ECA-8326 - CryptoToken.getPublicKey return javadoc differs from implementation
ECA-8344 - Jenkins job EE_COS7_OpenJDK8_WF10_NOHSM_DB2 cannot find DB2 Express-C docker image
ECA-8345 - Jenkins failing test 'org.ejbca.core.model.services.worker.CertificateCrlReaderSystemTest.testReadCertificateFromDisk'
ECA-8354 - First column not displayed when running the script language-tool.sh -s
ECA-8360 - Generated CRL Distribution Point and Issuer do not show correct DN
ECA-8375 - Regression: Failing Selenium test EcaQa206_CRLPartitionsIncorrectSettings
ECA-8383 - Reference lib.jpa.classpath not found when building cmpProxy for Tomcat.
ECA-8391 - New EST alias fields missing from ConfigDump export
ECA-8407 - User is asked to confirm slot re-use when editing an existing PKCS#11 crypto token
ECA-8410 - Set EJBCA_HOME in ejbca.sh if not set already
ECA-8411 - CRL is stored in publisher queue even if direct publishing is successful
ECA-8412 - PublishQueueProcessWorker always reports a NO_ACTION ServiceExecutionResult
ECA-8419 - Jenkins failing test 'org.ejbca.core.ejb.ProfilingTest.retrieveStats'
ECA-8420 - Jenkins failing test 'org.ejbca.core.ejb.upgrade.UpgradeSessionBeanTest.testUpgradeOcspExtensions6120'
ECA-8423 - Update Muehlbauer WS for removed Hardtoken
ECA-8426 - Trim CT log URLs
ECA-8428 - EST Name Generation USERNAME option gives error message when client username not set
ECA-8433 - Add placeholder to ejbca resources CMP error message
ECA-8434 - OCSP Extensions are temporarily saved, even when the Save button is not clicked
ECA-8435 - Some CA lists in RA Web is sorted case sensitive
ECA-8436 - Caching issue with PSD2 fields in RA-web
ECA-8457 - Database protection broken on existing installations
ECA-8464 - EST configuration in Admin UI is not cleared when navigating away from the page
ECA-8465 - MSSQL Jenkins job (DB collation has to support case sensitivity)
ECA-8470 - Regression: GUI doesn't render "</br>" correctly for view certificate screen
ECA-8479 - Crypto token manage page checks for wrong permission
ECA-8484 - RA enrollment returns older certificate when validation fails
ECA-8485 - Legacy External RA not working with Wildfly 14 because of problem with the hibernate provider.
ECA-8486 - NPE when you click on 'Export selected' without selecting anything on Manage End Entity Profile page
ECA-8488 - L10n: Typo in English language
ECA-8492 - Importing Microsoft CA fails using ejbca.sh
ECA-8504 - Inconsistency when creating roles in CA web and RA web
ECA-8506 - Add missing textfield id for textfieldsharedcmprasecret
ECA-8509 - Regression: EJBCA Ignores CryptoToken Selection While Creating CA When Using the Default Key Option for the CertSignKey
ECA-8514 - RA Web incorrectly claims that role has members
ECA-8515 - Peer connector missing permissions when Approval management is set
ECA-8532 - Allow subject DN override and allow extension override is not honoured in the REST API
ECA-8538 - Regression: exception clicking on "Clear caches" button
ECA-8540 - Configdump error when exporting new unmodified ACME alias
ECA-8541 - Missing setters and unhandled nulls cause errors in Configdump
ECA-8542 - Fix configdump warning when importing certain End Entity Profiles
EJBCA 7.2.1.1
Released on 22 August 2019
Bug Fixes
ECA-8457 - Database protection broken on existing installations
ECA-8428 - EST Name Generation USERNAME option gives error message when client username not set
EJBCA 7.2.1
Released on 30 July 2019
New Features
ECA-8255 - AWS S3 Publisher for publishing certs and CRLs to an S3 bucket
ECA-8355 - EST Name Generation Enhancements
ECA-8232 - IPv6 RFC compliant HREF links in EJBCA
Improvements
ECA-8356 - Exceptions caught by the EST servlet are not logged properly
ECA-8266 - Possibility to issue a final OCSP responses with unlimited end date 99991231235959Z
Bug Fixes
ECA-8099 - CA created with "Signed By External CA" has Serial Number Octet Size -1
ECA-8265 - Security Issue
ECA-8320 - SCP Publisher uses managing admin to sign payload
ECA-8322 - CertificateCrlReader does not handle revocation publications correctly
ECA-8365 - Error message and stack trace is lost when there are repeated CT log errors
ECA-8364 - Regression: CT log "Acquire semaphore was interrupted"
ECA-8363 - IPv6 Bug: SAN IPv6 field ignored on issuance
ECA-8351 - Regression: possible to delete EE profile with entities registered. EE becomes uneditable after deleting its EE profile
ECA-8312 - EJBCA installation fails on Windows SQL Server
EJBCA 7.2.0
Released on 20th of June 2019
New Features
ECA-7943 - Add selenium test for creating a CA with partitioned CRLs
ECA-8092 - Remove Hard Tokens - a followup ticket
ECA-8113 - Add REST endpoint for cryptotoken management
ECA-8114 - Write systemtests for crypto token REST resource
ECA-8115 - Update static swagger file for documentation
ECA-8116 - Create REST endpoint for cryptotoken activation
ECA-8117 - Create REST endpoint for cryptotoken deactivation
ECA-8118 - Create REST endpoint for cryptotoken key creation
ECA-8127 - Create REST endpoint for CA Activation
ECA-8151 - Update CLI to allow viewing/generating partitioned CRLs
ECA-8249 - Import CVC CA CLI command should be able to import DVCA
Tasks
ECA-8125 - As a tester, I would like to call Rest endpoints for both testing and utilities that will work internally and externally of a docker image.
ECA-8137 - POC: Remote access for REST using GIT
ECA-8141 - Testing: Integration / Verification Testing
ECA-8176 - Exploratory testing using Swagger-UI
ECA-8182 - Document new REST resources
ECA-8194 - Add example script for ejbca-rest-api/v1/certificate/pkcs10enroll to the REST documentation
ECA-8209 - -Ddoc.update=true does not work anymore
Improvements
ECA-7059 - Remove properties files for CRLstore and CertStore
ECA-7272 - Security verification
ECA-7418 - Java 11: Xerces throws ClassNotFoundException: org.w3c.dom.ls.DocumentLS
ECA-8053 - Return correct version from REST status endpoint
ECA-8129 - Enable CT fastfail caching / backoff by default
ECA-8130 - Set up CT log test server and document it
ECA-8131 - Create DB update scripts and ORM files for new SCT table
ECA-8132 - Entity Bean for SCT disk cache
ECA-8134 - Saving SCT data to persistent table
ECA-8135 - Save and Read SCTs from persistent SCT table
ECA-8136 - Upgrade notes for persistent SCTs
ECA-8138 - Unit test of OcspCtSctListExtension
ECA-8149 - Code cleanup April 2019
ECA-8152 - Prevent broken certificate chain from being imported in the CLI using the 'ca importca' command
ECA-8156 - Generate URLs for URL rewrite with Client Toolbox
ECA-8158 - Documentation: Update CertSafePublisher description
ECA-8159 - Improve HealthCheck to also perform test signatures on the audit log
ECA-8165 - Create REST endpoint for CA Deactivation
ECA-8167 - Possibility to issue a final CRL with unlimited end date 99991231235959Z
ECA-8170 - Improve reliability of service workers in a cluster
ECA-8173 - Service workers always log success if the service ran, no matter the result
ECA-8181 - Warn when slot does not contain a key with the alias 'testKey' and relax the naming convention for these keys
ECA-8192 - Move REST resources into separate modules
ECA-8203 - CA token sign test should not sign with the same key twice
ECA-8206 - Use SHA256 with creating signed PKCS7 messages from X509 CAs
ECA-8208 - Refactor SCT caching to cache partial results also
ECA-8211 - Create a return type for publishers in order to track numbers of successes and failures
ECA-8229 - Debug log all steps in StartupSingletonBean
ECA-8230 - Base archiveCutoff on actual producedAt time instead of currentTimeMillis
ECA-8231 - Use the default CA of the SCEP alias, if no CA is specified in the message
ECA-8239 - Remove jsessionid from URLs on first session visit
ECA-8250 - Protocol Configuration for new REST resources
ECA-8264 - Update version in CT user agent to 1.1
ECA-8280 - Seconds in certificate's "valid from" and "valid to" fields (EJBCA API)
Bug Fixes
ECA-7739 - Using a certificate profile template does not select the correct fields
ECA-7828 - Drop down menu for 'Select Worker' under 'Services' is not responsive
ECA-7841 - Regression: Missing JAXB in JDK11 and lack of bundled API JAR causes compilation error for Acme classes
ECA-8025 - Regression: Wrong CA-certificate is downloaded in the CA web
ECA-8079 - Edit CA page problems when creating CA from statedump
ECA-8099 - CA created with "Signed By External CA" has Serial Number Octet Size -1
ECA-8144 - Unable to change publisher type during edit
ECA-8147 - Regression: Cannot enter LDAP protocol CDP URL
ECA-8148 - Unable to edit and save access rules in basic mode
ECA-8153 - CertSafe Publisher throws NPE
ECA-8155 - Return not found on unhandled EST operations
ECA-8160 - ejbca.sh does not detect current working directory correctly
ECA-8161 - Ticket #215 VIECA?
ECA-8168 - NPE in RA web when rendering view enrollwithusername.xhtml
ECA-8191 - Change the ocsp.nonexistingisbad.uri pattern
ECA-8215 - Converter missing in selectManyListbox
ECA-8216 - Installation: Ejbca.ear does not deploy on Wildfly 10
ECA-8234 - OCSP requests with missing issuerKeyHash causes exception
ECA-8240 - Typos in create database postgresql script
ECA-8243 - Regression: NPE when a service is not scheduled to run
ECA-8253 - Integer converter missing in selectManyListbox on LDAP Publisher page
ECA-8254 - Check and possibly fix public key AlgorithmIdentifier parameters when issuing certificates
ECA-8308 - OcspKeyBinding CSR is not compatible with Microsoft CA
EJBCA 7.1.0.1
Bug Fixes
ECA-7828 - Drop down menu for 'Select Worker' under 'Services' is not responsive
ECA-8144 - Unable to change publisher type during edit
ECA-8147 - Regression: Cannot enter LDAP protocol CDP URL
ECA-8148 - Unable to edit and save access rules in basic mode
ECA-8153 - CertSafe Publisher throws NPE
ECA-8215 - Converter missing in selectManyListbox
EJBCA 7.1.0
Released on the 29th of April 2019
New Features
ECA-961 - Partitioning of large CRLs by number of issued certificates
ECA-7384 - Protocol (WS/CMP/REST/CLI) support for issuing with multi-value RDNs
ECA-7474 - GUI support to enable/disable multi-value RDNs in End Entity Profiles
ECA-7785 - New validator phase that will run before using the CA private key to sign the tbsCertificate
ECA-7815 - Selenium tests for Domain Blacklist Validator
ECA-7906 - Remove CA related UI parts from RA/UI builds.
ECA-7907 - Rendering conditions for "Certificate Authority" page on different builds
ECA-7909 - Hide unusable commands from EJBCA CLI (ejbca.sh)
ECA-7910 - Create separate module for X509CA
ECA-7911 - Split X509 CA into common and build specific parts
ECA-7912 - Create new ant target for RA/VA ziprelease
ECA-7921 - Configdump support for Domain Blacklist Validator
ECA-7934 - Add CRL partition index column in certificate tables
ECA-7935 - Add crlPartitionIndex column in CRLData
ECA-7936 - Add partition configuration in X509CAInfo
ECA-7937 - User interface for configuration of CA CRL partitioning
ECA-7938 - Add documentation for partitioned CRL configuration
ECA-7939 - Update X509CA.generateCRL function to handle partitioned CRLs
ECA-7940 - Assign certificates to CRL partitions upon issuance or import
ECA-7941 - Show available CRL URLs if partitioning is used, in Edit CA page
ECA-7942 - Method generating partitioned CRL CDP URLs
ECA-7945 - Perform regression testing for certificate issuance with and without CRL partitioning
ECA-7946 - Add extensive system test of CRL partitioning
ECA-7953 - Allow for the export of single CP/EEPs
ECA-7962 - Make "ca republish" CLI command work with partitioned CRL
ECA-7963 - Update CRL Download Service to handle Partitioned CRLs
ECA-7964 - Create a separate module for CVC CA
ECA-7966 - RA-API, WS and REST support for Partitioned CRLs
ECA-8030 - Add YubiHSM2 P11 library to known P11 libraries
ECA-8048 - Add support for Partitioned CRLs in CertDistServlet, GetCRLServlet and CRLStoreServlet
ECA-8052 - Partitioned CRLs should not be allowed without "Issuing Distribution Point" CRL extension
Tasks
ECA-7385 - Document multi value RDN behavior for 'Subset of Subject DN' (not working with multi-value)
ECA-7389 - Document Administrator matching of multi-valued RDNs
ECA-7435 - Java 11: ClassNotFoundException: org.apache.geronimo.osgi.locator.ProviderLocator from WS Tests
ECA-7766 - Create a Jenkins job for testing Oracle DB
ECA-7825 - Java 11: ejbca-db-cli uses endorsed.dirs which is not supported in java 11
ECA-7857 - Create a Jenkins job for testing openJdk11
ECA-7892 - Make validationtool tests runnable
ECA-7904 - Investigate what to remove from Admin Web in RA/VA builds
ECA-7913 - Document changes RA / VA / CA builds.
ECA-7944 - Exploratory testing
ECA-7956 - Refactoring ExternalProcessTools.writeTemporaryFileToDisk for readability
ECA-7970 - Update changelog summary
ECA-7987 - Clarify documentation of fixed octet random serial number generator
ECA-7990 - Remove usage of SecureRandom from test cases to avoid copy-paste
ECA-8026 - Create Jenkins jobs for limited RA / VA builds
ECA-8027 - Fix remaining failures for Selenium tests in Jenkins
ECA-8034 - Upgrade testing of Partitioned CRL
ECA-8045 - Exemplify of the Required flag for custom certificate extensions
ECA-8050 - Add to CRL documentation - expired certs not included in new CRL
ECA-8058 - Fix EcaQa198 selenium test fail in Jenkins.
Improvements
ECA-7272 - Security verification
ECA-7391 - Only show CA-related approvals in CA Web (and vice versa)
ECA-7418 - Java 11: Xerces throws ClassNotFoundException: org.w3c.dom.ls.DocumentLS
ECA-7521 - User must fix malformed file when making cert request.
ECA-7554 - POC of Jenkins warnings job to analyze the code style/quality/shape
ECA-7593 - Add ClientToolBoxTest in new Jenkins
ECA-7596 - Unification and consolidation of dockers' shell scripts
ECA-7622 - Ability to edit token type in the RA Web
ECA-7722 - Minor usability improvements on Edit CA page
ECA-7797 - Upgrade JAX-RS 2.0 related libraries, correct swagger ACME generation and rely more on app server's JAX-RS implementation
ECA-7798 - Unit tests for the Configuration Checker
ECA-7853 - Change default digest alg of CMP request and response messages to SHA256
ECA-7884 - System test for copying DNSName from CN over WS
ECA-7902 - Add ExtentReport Plugin
ECA-7954 - Replace "Export profiles..."-links from profiles pages with buttons.
ECA-7957 - Improve error message when pinging an unknown peer system
ECA-7965 - Document CertTools.verify behavior for bad params with JUnit test
ECA-7975 - Avoid using two executors for Jenkins jobs
ECA-7986 - Better validation message when CAA validator is running on a certificate without dNSNames
ECA-7997 - Translate the RA web to Swedish
ECA-8000 - External Command Validator output not forwarded to EJBCAWS
ECA-8011 - Make crlPartitionIndex nullable instead of DEFAULT 0
ECA-8013 - Upgrade BC to 1.61
ECA-8016 - Database publishing of partitioned CRLs
ECA-8029 - Remove Hard Tokens, Hard Token Profiles and Hard Token Issuers from EJBCA
ECA-8097 - Selenium test for CA with incorrect Partitioned CRL settings
ECA-8101 - Upgrade notes for partitioned CRLs
ECA-8103 - CRL Update Worker should handle partitioned CRLs
ECA-8107 - Change terminology for "retired CRL partitions"
ECA-8109 - CRL partition fields in new CA page appear after changing Crypto Token
ECA-8110 - Document that CRL partition 0 gets URL without partition number
Bug Fixes
ECA-7626 - Fix out of memory issues on new Jenkins
ECA-7731 - Subject AltName does not appear in the RA Web when Subject DN is not used
ECA-7733 - Security Fix
ECA-7753 - Selenium Docker Jenkins followup ticket - NoInitialContextException: Need to specify class name in environment or system property
ECA-7841 - Regression: Missing JAXB in JDK11 and lack of bundled API JAR causes compilation error for Acme classes
ECA-7868 - Regression: CA names in Edit End Entity Profile page should be sorted
ECA-7915 - Unexpected error while using Create Authenticated Certificate Signing Request in CA page
ECA-7929 - Fingerprints downloaded from the RA Web are scrambled
ECA-7952 - Some rules not applied when creating a role from the RA Web
ECA-7958 - New fields in X509CAInfo should be added to configdump
ECA-7973 - Clicking Test Command twice in External Command Certificate Validator gives exception
ECA-7974 - Community Edition build broken in trunk
ECA-7977 - CRL Downloader can't handle entries with extensions, but no reason code
ECA-7984 - Jenkins not cleaning up temporary files
ECA-7985 - Unit tests do not respect tests.jvmargs
ECA-7989 - Possible race condition in SerialNumberGenerator with different CAs use different octet sizes
ECA-7991 - Make ApprovalSessionTest reliable
ECA-8002 - CRL Partition: CA does not retain CRL Partition settings
ECA-8004 - List of validators in certificate profiles is not sorted
ECA-8005 - NPE when trying to change ca token of a non existing CA
ECA-8010 - JBoss CLI on Jenkins uses too much memory on Jenkins
ECA-8012 - Regression: Delegated key pair generation doesn't work with RA-Gui enrollment
ECA-8014 - Trivial typo in revoke end entity reason codes
ECA-8015 - Exception in Admin UI trying to view a crypto token configured with a non-existing P11 library file
ECA-8018 - For Signed CMP messages, signed error message may not be signed with the expected signature for some errors
ECA-8023 - Update the default key aliases when importing keystores
ECA-8040 - Regression: End Entity Profiles ZIP file with directory cannot be imported
ECA-8042 - Cannot create CA with 'Use CRL partitions' option checked
ECA-8046 - Jenkins jobs use the same name for docker resources
ECA-8047 - Regression: Some End Entity Profiles ZIP files cannot be imported
ECA-8054 - Some classes still try to instantiate EjbcaWebBean
ECA-8055 - Log errors at initialization failure of EjbcaWebBeanImpl
ECA-8061 - Creating a CA using CRL Partition gives EntityExistsException
ECA-8062 - EST reenrollment fails if the DN includes more components than CN
ECA-8063 - ExtRAMessagesTest does not compile
ECA-8072 - CaRenewCACommandTest stops working after 2019-04-15
ECA-8075 - The "Generate" buttons do not include the "&partition=*" if using Partitioned CRLs in a new CA
ECA-8083 - Certification Authorities: Creating new CA with CRL Partitions fails
ECA-8085 - Fix potential race condition in REST initialization found by PMD
ECA-8087 - Unable to create CA with CRL Partitions
ECA-8090 - Certificate created with "use partitions" CA has 0 as crlPartitionindex
ECA-8095 - Null pointer exception when a certificate profile uses CA defined AIA values, but the CA has defined none
ECA-8105 - Regression: Cannot edit approval requests in RA-web
ECA-8111 - SoftHSM directory has wrong owner on Jenkins
EJBCA 7.0.1.5
Bug Fixes
ECA-8215 - Converter missing in selectManyListbox
EJBCA 7.0.1.4
Bug Fixes
ECA-7828 - Drop down menu for 'Select Worker' under 'Services' is not responsive
ECA-8144 - Unable to change publisher type during edit
ECA-8148 - Unable to edit and save access rules in basic mode
ECA-8161 - Ticket #215 VIECA?
Tasks
ECA-8174 - Regression Test: Verify patch release 7.0.1.4 for the Appliance Release
Improvements
ECA-8159 - Improve HealthCheck to also perform test signatures on the audit log
ECA-8170 - Improve reliability of service workers in a cluster
EJBCA 7.0.1.3
Bug Fixes
ECA-8012 - Regression: Delegated key pair generation doesn't work with RA-Gui enrollment
EJBCA 7.0.1.2
Bug Fixes
ECA-7989 - Possible race condition in SerialNumberGenerator with different CAs use different octet sizes
EJBCA 7.0.1.1
Bug Fixes
ECA-7916 - CA with fixed validity end date cannot be created in EJBCA 7
ECA-7918 - Domain Blacklist Validator rebuilds internal cache on each request
ECA-7919 - Minor security issue
ECA-7920 - Regression: ConfigDump error in validators
ECA-7977 - CRL Downloader can't handle entries with extensions, but no reason code
New Features
ECA-7930 - Test button for Domain Blacklist Validator
EJBCA 7.0.1
Released on 4 March 2019
New Features
ECA-4991 - Allow configuration of serial number octet size per CA
ECA-5865 - Add a summary of visible prior approval steps before final approval
ECA-6052 - Add Domain Blacklist validator
ECA-7206 - End Entity Profile setting to allow dnsName SAN field to be automatically populated by the CN in a CSR
ECA-7340 - PSD2 GUI support when adding end entity
ECA-7770 - Database protection for CSR in CertificateData
ECA-7779 - Implement test function in SCP Publisher
ECA-7780 - Implement EJBCA Issue Checker Framework
ECA-7808 - Add Domain Blacklist Validator class with basic structure
ECA-7809 - Persistence of Domain Blacklists
ECA-7810 - Show warning at validation failure in Approval process
ECA-7860 - New Approval issuance phase for Validators
ECA-7861 - Implement DomainBlacklistAsciiLookalikeNormalizer
ECA-7863 - Implement Domain Blacklist Checker classes
Improvements
ECA-5438 - English translations for ErrorCodes in the RA
ECA-5667 - Add a file link metadata type to Approvals
ECA-6075 - RA Web: Improve validator error messages
ECA-7526 - Add a description field to Certificate and End Entity Profiles
ECA-7607 - Optimize ejbca-db-cli speed when verifying audit log
ECA-7693 - CSR download and clear buttons in Ra Web
ECA-7709 - Update tag library schemas for JEE7
ECA-7756 - Improve error message when CA signingkey was changed without renewing CA certificate
ECA-7782 - Add documentation for the EJBCA Issue Checker
ECA-7783 - Attach access control logic to tickets
ECA-7791 - Update to JEE7 API library
ECA-7793 - Log4j priority is deprecated
ECA-7803 - Label the EJBCA Issue Checker as experimental
ECA-7812 - Unit tests for matching against Blacklists
ECA-7817 - Add autocomplete=off to all h:inputSecret fields
ECA-7826 - Wrap tickets descriptions in a class
ECA-7837 - Make Dynamic UI Property handle empty lists
ECA-7838 - Include two choosable head banners for test and acc systems
ECA-7840 - Implement Integer multiple-choice for DynamicUiProperty
ECA-7842 - System test for "Approval" validation phase
ECA-7843 - EJBCA startup does full table analysis on Oracle causing timeout issue during startup
ECA-7852 - Change the menu option "View Log" into "Audit Log"
ECA-7854 - Rename "Constraints" label in CT logs to "Log Sharding"
ECA-7862 - Investigate and fix shouldConvertToCorrectEndEntityInformation test failure.
ECA-7870 - Introduce a ValidatorsHelper for UI tests
ECA-7871 - Add more path examples for windows paths in properties files
ECA-7872 - Update the documentation tags and improve labels for roles pages
ECA-7882 - Sort Admin UI lists ignoring case
ECA-7883 - Rename "Issue Checker" to "Configuration Checker"
ECA-7887 - Improve Domain Blacklist checkers
ECA-7889 - Syntax check of domains in domain blacklists
ECA-7897 - Disallow "Abort certificate issuance" option for Approval Request issuance phase
ECA-7898 - Disallow Approval Request issuance phase for CAA Validators
ECA-7900 - Show matching blacklist entry when a domain is blacklisted
Bug Fixes
ECA-5326 - SCEP RA mode should not require batch generation checkbox in EE profile
ECA-7608 - CSR stored in End Entity is never cleared but re-used
ECA-7664 - Regression: Cannot enable CMS for existing CA
ECA-7717 - Trying to save P11 crypto token with incorrect PIN makes EJBCA think token already exists
ECA-7758 - Fix WebTest failures
ECA-7759 - Regression: Widgets gone missing in JSF conversion - End Entity Profiles -> notifications
ECA-7772 - Avoid foreign key constraints creation for obsolete AccessRulesData and AdminEntityData
ECA-7773 - Hide harmless alter table error from DB CLI import command
ECA-7775 - ziprelease-cesecore-src and ziprelease-cesecore-bin build targets broken
ECA-7776 - ConfigDump: Publish Queue Process Service configs are being exported as "Renew CA Service" Workers
ECA-7777 - Can't view end entity with deleted profile in RA
ECA-7786 - Regression: not possible to export CA keystore
ECA-7787 - Regression: Edit CA page does not show key aliases from Statedumps correctly
ECA-7794 - SCP Publisher does not store/load the password properly
ECA-7796 - Fix FindBugs warnings
ECA-7804 - Update MySQLDialect since it uses MyISAM instead of InnoDB with upgraded Hibernate libs
ECA-7805 - Fix failures in ConfigdumpCoreUnitTest and YamlWriterUnitTest
ECA-7806 - NPEs during scanning
ECA-7807 - NumberFormatException during scan
ECA-7821 - Regression: CA key types not updated when creating CA and selecting signature algorithm
ECA-7850 - Fix checks for numeric IDs
ECA-7855 - SHA384 missing from algorithms selection when returning signed CMP messages
ECA-7858 - Not all certificate profiles shown in Issue Checker for limited admins
ECA-7859 - Regression: addendentity CLI command can not be used for auto-generated passwords
ECA-7873 - Regression: CA cert list in CA Structure & CRLs changes order causing CRL generation to fail
ECA-7874 - InstantiationException when trying to view JSP pages
ECA-7876 - Cannot create CVC CA on JBoss EAP 7.1
ECA-7877 - View Certificate in Edit CA screen not available for CV Certificates
ECA-7879 - Regression: list of CAs is sorted case sensitive
ECA-7885 - Upload controls on Edit Validator page does not work
ECA-7888 - DynamicUiProperty of label type cause NPE on post back to server
ECA-7890 - Misleading error message in adminweb when Domain Blacklist Validation fails
ECA-7896 - EditCAsMBean.initApprovalRequestItems() doesn't init any request item types
ECA-7899 - Increase POST Size for New Blacklist Validator
ECA-7901 - Blacklist validator classes are no longer found in GUI
Tasks
ECA-7764 - Add a Magnum-CI job that tests trunk on an HSM enabled installation.
ECA-7813 - Check upload file size limit on Appliance
ECA-7816 - Place holder issue for GUI testing of Domain Blacklist Validator
ECA-7820 - Remove installation documentation for WildFly 8,9 and Glassfish
ECA-7864 - DOCUMENTATION: please add FIPS same key restriction
ECA-7880 - Document the Domain Blacklist Validator
EJBCA 7.0.0
Released on February 7th 2019
New Features
ECA-3076 - Detect and audit log when an administrator logs out of the CA Web UI
ECA-6777 - Create new DB column for storing CSR in CertificateData
ECA-7225 - Note in approvals that values have been changed from the default
ECA-7256 - Allow the creation of unenrolled EEs from the RA Web
ECA-7339 - PSD2 ASN.1 module and API code
ECA-7383 - Core API support for multi-value RDN and End Entity Profile validation of multi-value RDNs
ECA-7401 - Implement ConfigDump export for MultiGroupPublisher
ECA-7413 - Add SHA348withRSAandMGF1 and SHA512withRSAandMGF1 to the list of selectable signature algorithms
ECA-7414 - Make EJBCA build with Java 11
ECA-7419 - Can't paste ACME root anchor with tabs
ECA-7440 - Configdump exports parts of ACME configuration even if excluded
ECA-7444 - User Data Source access control does not let superadmins select "Any CA"
ECA-7470 - Possibility to add array values in edit CA CLI
ECA-7539 - Add subcommand to clientToolBox to interact with database over pure JDBC
ECA-7556 - ClientToolBox command for running a health check
ECA-7562 - Add WS CLI method to get remaining number of approvals
ECA-7586 - Implement a session timeout from the CA Web UI
Improvements
ECA-3724 - Convert Certificate Profiles pages to JSF
ECA-4348 - Remove remaining NetID integration code
ECA-4377 - CertTools.isCertificateValid logging refers to OCSP.
ECA-4630 - Convert Edit End Entity Profile page to JSF
ECA-5804 - Make ApprovalSessionTest less timing sensitive
ECA-5851 - Convert Certificate Authority pages to JSF
ECA-5932 - Upgrade bundled Hibernate jars
ECA-6210 - Stop using Ejb3Configuration in DatabaseSchemaScriptCommand
ECA-6801 - Convert EJBCA Home page to JSF
ECA-6802 - Convert CA Activation Page to JSF
ECA-6803 - Convert CA Structure & CRLs page to JSF
ECA-6804 - Convert Edit Crypto Tokens page to XHTML
ECA-6805 - Convert Manage Crypto Tokens page to XHTML
ECA-6806 - Convert Manage Publishers page to JSF
ECA-6807 - Convert Edit Publishers page to JSF
ECA-6808 - Convert Manage End Entity Profiles page to JSF
ECA-6810 - Convert Manage User Data Sources page to JSF
ECA-6811 - Convert Edit User Data Source page to JSF
ECA-6812 - Convert Manage Hard Token Issuers page to JSF
ECA-6813 - Convert Edit Hard Token Issuers page to JSF
ECA-6816 - Convert Manage Approval Profiles page to XHTML
ECA-6817 - Convert Edit Approval Profile page to XHTML
ECA-6818 - Convert Audit Log page to XHTML
ECA-6819 - Convert Manage Keybindings page to XHTML
ECA-6820 - Convert Edit Keybindings page to XHTML
ECA-6821 - Convert Manage Peer Connectors page to XHTML
ECA-6822 - Convert Edit Peer Connectors page to XHTML
ECA-6824 - Convert Manage Services page to XHTML
ECA-6825 - Convert Edit Services page to XHTML
ECA-6826 - Convert Manage CMP Aliases page to JSF
ECA-6827 - Convert Edit CMP Alias page to JSF
ECA-6828 - Convert Manage EST Aliases page to JSF
ECA-6829 - Convert Edit EST Alias page to JSF
ECA-6830 - Convert Manage SCEP aliases page to XHTML
ECA-6831 - Convert Manage SCEP alias page to XHTML
ECA-6832 - Convert System Configuration page to XHTML
ECA-6833 - Convert Preferences page to JSF
ECA-7263 - Remove "Administration" title from CA UI
ECA-7276 - Database CLI import from XML format
ECA-7284 - Fix broken web tests for JSF conversion
ECA-7289 - Improvements to Certificate Transparency section in certificate profiles
ECA-7292 - Add proper error handling for JSF
ECA-7298 - EJBCA CLI's "Merge CA Tokens" leaves unused crypto tokens behind
ECA-7312 - Increase initial size of ProtectionStringBuilder for Certificate Profiles to avoid unnecessary warnings in debug log
ECA-7313 - Change mime type for CRLs from application/x-x509-crl to application/pkix-crl as defined in RFC5280
ECA-7314 - Implement "Custom Certificate Extension Data" field for RA enrollment
ECA-7315 - findCertificatesByExpireTime API calls, CLI and RA UI, should not return already expired certificates
ECA-7317 - SCEP error messages when CA can not be found are not complete
ECA-7325 - Extend tests for Custom Certificate Extensions
ECA-7327 - Convert viewcainfo.jsp and viewcertificate.jsp popUps to jsf
ECA-7334 - Review End Entity Profiles UI Tests
ECA-7343 - Refactor org.ejbca.webtest.helper.CaHelper
ECA-7344 - Refactor org.ejbca.webtest.helper.AdminRolesHelper
ECA-7348 - Introduce a CaStructureHelper for UI tests
ECA-7355 - Review Convert CA Structure & CRLs UI tests
ECA-7356 - Introduce an ApprovalProfilesHelper for UI tests
ECA-7357 - Review Approval Profiles UI tests
ECA-7362 - Review Administrator Roles UI Tests
ECA-7365 - Add a Jenkins job for EJBCA UI Tests
ECA-7367 - Acme must be in status unavailable under System Configuration (community edition)
ECA-7371 - Usage of sun.security.pkcs11 is not allowed when compiling in Java 11
ECA-7375 - Crypto Tokens page messages are displayed twice.
ECA-7380 - Missing space between 'Title' and '?' in Manage Crypto Tokens page
ECA-7421 - configdump module's unit tests are not collected by Jenkins unit tests job 'EJBCA_TRUNK_UNIT_PUPPET'
ECA-7423 - Failing tests of org.ejbca.configdump.core.ConfigdumpCoreUnitTest
ECA-7437 - Clean up unused imports, parameterize, remove unused variables etc.
ECA-7456 - VendorAuthenticationTest.test01_3GPPMode depends on server time zone
ECA-7471 - Allow system tests to run with EJBCA not on localhost
ECA-7491 - Use relative URLs in AdminGUI
ECA-7492 - Fun refactoring task - WebLanguages class uses property arrays, but should be remade in more OOP way
ECA-7508 - EJBCA-CLI: Do not add duplicate role members
ECA-7514 - Fix failing tests in EjbcaRestHelperUnitTest
ECA-7518 - Allow tests to run with TLS certificates not issued by ManagementCA
ECA-7522 - Add proper configuration to jenkins-files/*/conf/
ECA-7527 - Investigate and fix ACME failing tests in trunk
ECA-7530 - Convert ACME Configuration page to xhtml
ECA-7531 - Convert ACME Alias Configuration page to xhtml
ECA-7532 - Add Deviation List Signer Extended Key Usage
ECA-7537 - Simplify and improve configuration of CMP tests
ECA-7541 - Change CT log policy labels to not use mathematical symbols
ECA-7546 - Make API and log use of requestID and approvalID consistent and easier to understand
ECA-7547 - Allow OCSP KeyBinding certificate without Key Usage
ECA-7555 - Acme SystemTest(s) failure for 6.15X EJBCA_TRUNK_DB2V105_UBUNTU1204_JBOSSEAP61_PUPPET jenkins job
ECA-7557 - Fix failing CMP TCP system tests
ECA-7563 - Separate out EjbcaWSTest.test02FindUser into its own test class
ECA-7566 - EjbcaWS.findUser() does not work for subjectEmail
ECA-7567 - Allow browser binary to be configured for Web Tests
ECA-7573 - Improve error handling and remove dead code in AdminWeb
ECA-7574 - Convert Approval Actions page to XHTML
ECA-7575 - Convert Approval Action page to XHTML
ECA-7576 - Clarifications in the Multi Group Publisher documentation
ECA-7579 - Editing EE functionality in RA Web is hidden behind the View-button
ECA-7594 - fun refactoring task: ViewCertificateManagedBean parseRequest method needs the button control logic refactored out into their own methods
ECA-7604 - Get rid of PublisherDataHandler class
ECA-7605 - Fix admin-gui build.xml
ECA-7609 - Clear hibernate cache in ejbca-db-cli to avoid high memory usage
ECA-7612 - VendorAuthenticationTest test case fail in Jenkins
ECA-7614 - Implement ECAQA-196 test scenario.
ECA-7616 - Code refactoring in MultiGroup Publisher Data class.
ECA-7625 - Stop using System.lineSeparator, except for writing to files or pipes
ECA-7634 - ACME test improvements
ECA-7636 - Update system requirements in documentation
ECA-7642 - WebEjbcaClearCacheTest should be skipped if not running on localhost
ECA-7643 - EjbcaWSTest should not use hardcoded "superadmin" user
ECA-7644 - EJBCA ziprelease should not include scripts from jenkins-files
ECA-7645 - CrmfRAPbeRequestTest fails on community edition
ECA-7648 - EE_COS7_OpenJDK8_WF10_NOHSM_DB2 job failure
ECA-7649 - POC Automate profiles installation for Firefox
ECA-7650 - Ability to upload CT log key in raw B64 format
ECA-7654 - Update '© 2002–2018 PrimeKey Solutions AB' to 2019
ECA-7658 - Use white-list instead of black-list of allowed HTTP methods in web.xml
ECA-7679 - PeerConnectionsTest uses TLSv1, but should use TLSv1.2
ECA-7680 - PatternLoggers should check if log level is enabled before doing work
ECA-7682 - PeerConnectionsTest.testPublishCertificate should inform about prerequisite in failure message
ECA-7684 - Typo in error message on 'View Certificate' page
ECA-7689 - Update web.xml to Servlet 3.1 use correct JSF 2.2 schema in faces-config.xml
ECA-7692 - Add CSRs for unit testing the RSA Key Validator
ECA-7694 - Modify application.xml to reflect new JEE7 version
ECA-7696 - Add method to get filename from uploaded file
ECA-7701 - Upgrade persistence.xml to JEE7
ECA-7705 - AutoEnrollment Documentation Improvement
ECA-7707 - HttpMethodsTest.testDocs should not fail if internal docs are not used
ECA-7738 - JDK11 Compliance: Patch CESeCore with provider fix from DSSINTER-289
ECA-7740 - Simplify ant build scripts to cut build time
ECA-7755 - The copyright year should be updated to include 2019
ECA-7761 - Minor security improvement
Bug Fixes
ECA-6865 - Failure to publish to a Peer Publisher gives no error message in log in some cases
ECA-7013 - RA Style is deselected while modifying access rules
ECA-7269 - Regression: JSF errors on JBoss AS 7.1.1
ECA-7273 - Certificate profiles appear to be (but aren't) editable for an Auditor
ECA-7282 - Poor error message for incorrectly formatted CT public keys: "Extra Data Detected in Stream"
ECA-7285 - Add HEAD request for the endpoint revokeCert
ECA-7286 - Fix NPE which happens when de-registering account with certbot
ECA-7326 - Bound Certificate under Internal Key Binding is displayed wrongly
ECA-7329 - NPE when you click on 'Republish' button on View Certificate page under Authentication Key Binding
ECA-7332 - OCSP Extensions configurations is applied to the newly created ones
ECA-7338 - Regression: clearPwd flag on WS editUser does not work
ECA-7342 - Check for legal characters is not working for some pages
ECA-7366 - dncomponents.properties.sample order of organizationIdentifier differs from default in DnComponents.java
ECA-7370 - ServiceManifestBuilder does not run with Java 11
ECA-7378 - PublicWeb check certificate status only works with 8 octet cert serialNumber
ECA-7379 - Regression: throwing checked Exceptions from postConstruct is not allowed in JEE spec
ECA-7404 - CA Activation backlink broken
ECA-7433 - Dry-run parameter not respected when importing validators using Statedump
ECA-7434 - Add modular protocol configuration to Statedump
ECA-7438 - NullPointerException in some Adminweb pages if External Script Access is disabled and you have Custom Publishers
ECA-7443 - CAs and Fields in User Data Sources are stored as strings, causing ClassCastException
ECA-7445 - Missing exclude option for Validators in Statedump
ECA-7460 - NPE when importing a CA where a previous certificate exists without expireDate
ECA-7480 - When creating an EndEntity in RA Web and delete_end_entity accessrule is disabled, the process ends incorrectly with success but end entity is not created
ECA-7499 - java.lang.IllegalStateException when using browser back/forward button
ECA-7500 - Certificate Request Generated despite choosing the wrong format
ECA-7511 - EjbcaWSHelperSessionBean.caRenewCertRequest lacks an null check
ECA-7516 - Investigate and fix duplicate ID exception in editservice.xhtml
ECA-7523 - Test failures in ProtocolOcspHttpTest due to missing cleanup
ECA-7524 - Regression: HttpMethodsTest fail because of unexpected HTTP header value
ECA-7525 - Domestic / Non-external CVCA/DVCA do not have the expiration field set
ECA-7529 - OcspExtensionsTest fails on community edition
ECA-7533 - Fix WS documentation for isApproved and getRemainingNumberOfApprovals
ECA-7534 - DnFieldDumpHandler missing DnFieldExtractor.URI in Map.
ECA-7535 - Regression: Upgrade of customcertextensions.properties fails
ECA-7536 - CertificateCrlReaderSystemTest fails on Windows
ECA-7540 - Importing a CVCA certificate with error triggers CSRF error
ECA-7543 - CertSafePublisherTest fails on Windows due to line endings
ECA-7544 - Fix UpgradePublisherTest
ECA-7550 - Missing label and fields cleared erroneously in Edit Services page
ECA-7552 - StatedumpTest should use systemtests.properties
ECA-7558 - Admin Web returns redundant security headers
ECA-7568 - OCSP unauthorized (6) error adds blank line to OCSP transaction log
ECA-7572 - Publisher queue status on home page looks weird since JSF conversion
ECA-7583 - Regression: Errors when creating a CA are not handled
ECA-7584 - USERAUTH fail when publishing with the SCP Publisher
ECA-7587 - Fix NPE when exception lacks an error message
ECA-7591 - Configdump CA is missing support for getLatestSubjectDN
ECA-7595 - UpgradeSessionBeanTest.testUpgradeOcspExtensions6120 fails intermittently
ECA-7599 - AcmeConfigurationAndValidationSystemTest.leaveRevocationReasonUnchanged fails intermittently
ECA-7611 - Fix validity field in Edit CA page
ECA-7613 - CertificateCrlReaderSystemTest fails intermittently
ECA-7615 - Multigroup publisher errors handled incorrectly after conversion
ECA-7624 - Fix ConfigdumpValidatorUnitTest and YamlWriterUnitTest
ECA-7628 - configdump change causes test build failure in CE
ECA-7631 - Typo in Error message
ECA-7632 - RA Web enrollment, End entity removed if finishUser is unchecked in the CA
ECA-7647 - 'Receive Certificate Response' does not work for Externally signed CA
ECA-7662 - SecurityEvents*SessionBeanTest fails on H2 due to use of ORDER in DELETE
ECA-7663 - CertificateRetrievalTest.test09FindWithMissingCertData assumes database.useSeparateCertificateTable=false
ECA-7665 - OutgoingPeerConnectionTest fails intermittently
ECA-7667 - Invalid single quotes in language file
ECA-7669 - The certificate link of an 'EJBCA Node Start' row in the Audit Log does not work
ECA-7676 - Nullcheck would have been NPE in BlacklistEntry
ECA-7677 - PeerConnectionsTest is missing slf4j runtime dependency
ECA-7697 - Regression: Default 'RA-Administrator' and 'Supervisor' roles gets 'Authorization Denied Cause: You are not authorized to view this page.'
ECA-7698 - Update example URL for external documentation
ECA-7699 - Can't access Admin web index page without /ca_functionality/view_ca access
ECA-7712 - Cannot save end entity profile where End Entity E-mail is disabled
ECA-7715 - Regression: Peer connectors cached in browser session not updated when cloning
ECA-7716 - Replace invalid double quotes in language files
ECA-7721 - Regression: CMP RA Name Generation Scheme don't use language strings anymore
ECA-7723 - Can't check "Critical" checkboxes on Edit CA page
ECA-7726 - Non-informative error message on Edit EST Aliases page
ECA-7730 - Clicking Logout in Adminweb gives NumberFormatException
ECA-7735 - Cloning a peer connector does not clone the flag for process incoming requests
ECA-7737 - Certificate of type "Sub CA" can't be published
ECA-7741 - Update tag library schemas for JEE7 in AdminWeb
ECA-7742 - CAA Validator fails DNSSEC validation for CH domains
ECA-7760 - ScpPublisher: Destination URL for certificates saved as crl.scp.destination and vice versa
ECA-7767 - Configdump validator export can fail with NPE
ECA-7769 - Fix warnings from DB CLI
Tasks
ECA-6864 - Set up a Jenkins instance to test JDK8/Wildfly10 using Docker
ECA-7261 - Map which ECAQA automatic tests need to be remapped
ECA-7275 - Test ACME wildcard cert issuance and pre-authorization with certbot.
ECA-7331 - Verify if Swagger UI works for ACME API. If it does, add documentation to confluence. If not, hide the ACME part from swaggerUI
ECA-7545 - New Docker job on Jenkins - EE_COS7_OpenJDK8_WF10_NOHSM_DB2
ECA-7551 - Exploratory testing on CMP configuration page
ECA-7695 - Update persistence.xml and orm-dbtype.xml to reflect JEE7 version
ECA-7763 - Test upgrade from 6.15.0 to 7.0.0
ECA-7768 - Update readme with license information for Hibernate jars
EJBCA 6.15.2.5
Tasks
ECA-8693 - Security: Backport upgrade of external dependency
Bug Fixes
ECA-8679 - Security issue
EJBCA 6.15.2.4
Bug Fixes
ECA-8667 - Update CESeCoreUtils and back-port build.cesecore.p11.jar option
EJBCA 6.15.2.3
Bug Fixes
ECA-8319 - clientToolBox PKCS11HSMKeyTool "linkcert" command should work according to ICAO 9303
ECA-8345 - Jenkins failing test 'org.ejbca.core.model.services.worker.CertificateCrlReaderSystemTest.testReadCertificateFromDisk'
EJBCA 6.15.2.2
Bug Fixes
ECA-7991 - Make ApprovalSessionTest reliable
ECA-8010 - JBoss CLI on Jenkins uses too much memory on Jenkins
ECA-8017 - SernoGeneratorRandom fails to build on JDK7
ECA-8072 - CaRenewCACommandTest stops working after 2019-04-15
ECA-8320 - SCP Publisher uses managing admin to sign payload
ECA-8322 - CertificateCrlReader does not handle revocation publications correctly
EJBCA 6.15.2.1
Bugs
ECA-7626 - Fix out of memory issues on new Jenkins
ECA-7976 - Fix configdump test failure on 6.15.x branch
ECA-7977 - CRL Downloader can't handle entries with extensions, but no reason code
ECA-7984 - Jenkins not cleaning up temporary files
ECA-7985 - Unit tests do not respect tests.jvmargs
ECA-7989 - Possible race condition in SerialNumberGenerator with different CAs use different octet sizes
EJBCA 6.15.2
Released on 7th of March 2019
New Features
ECA-7539 - Add subcommand to clientToolBox to interact with database over pure JDBC
ECA-7779 - Implement test function in SCP Publisher
ECA-7894 - Backporting "ECA-4991 Allow configuration of serial number octet size per CA" to EJBCA 6.15.2
Improvements
ECA-5804 - Make ApprovalSessionTest less timing sensitive
ECA-7367 - Acme must be in status unavailable under System Configuration (community edition)
ECA-7421 - configdump module's unit tests are not collected by Jenkins unit tests job 'EJBCA_TRUNK_UNIT_PUPPET'
ECA-7423 - Failing tests of org.ejbca.configdump.core.ConfigdumpCoreUnitTest
ECA-7491 - Use relative URLs in AdminGUI
ECA-7520 - Make CertSafePublisherTest locale independent
ECA-7522 - Add proper configuration to jenkins-files/*/conf/
ECA-7537 - Simplify and improve configuration of CMP tests
ECA-7555 - Acme SystemTest(s) failure for 6.15X EJBCA_TRUNK_DB2V105_UBUNTU1204_JBOSSEAP61_PUPPET jenkins job
ECA-7576 - Clarifications in the Multi Group Publisher documentation
ECA-7609 - Clear hibernate cache in ejbca-db-cli to avoid high memory usage
ECA-7612 - VendorAuthenticationTest test case fail in Jenkins
ECA-7625 - Stop using System.lineSeparator, except for writing to files or pipes
ECA-7642 - WebEjbcaClearCacheTest should be skipped if not running on localhost
ECA-7643 - EjbcaWSTest should not use hardcoded "superadmin" user
ECA-7644 - EJBCA ziprelease should not include scripts from jenkins-files
ECA-7645 - CrmfRAPbeRequestTest fails on community edition
ECA-7648 - EE_COS7_OpenJDK8_WF10_NOHSM_DB2 job failure
ECA-7656 - Backport improvements for peer connector tests to 6.15.x
ECA-7658 - Use white-list instead of black-list of allowed HTTP methods in web.xml
ECA-7679 - PeerConnectionsTest uses TLSv1, but should use TLSv1.2
ECA-7680 - PatternLoggers should check if log level is enabled before doing work
ECA-7682 - PeerConnectionsTest.testPublishCertificate should inform about prerequisite in failure message
ECA-7707 - HttpMethodsTest.testDocs should not fail if internal docs are not used
ECA-7744 - Backport: Avoid defining clover ant task when unused
ECA-7755 - The copyright year should be updated to include 2019
ECA-7761 - Minor security improvement
ECA-7843 - EJBCA startup does full table analysis on Oracle causing timeout issue during startup
ECA-7878 - Disable Admin GUI -> View Log menu item when logging to database is disabled
Bug Fixes
ECA-7523 - Test failures in ProtocolOcspHttpTest due to missing cleanup
ECA-7525 - Domestic / Non-external CVCA/DVCA do not have the expiration field set
ECA-7529 - OcspExtensionsTest fails on community edition
ECA-7533 - Fix WS documentation for isApproved and getRemainingNumberOfApprovals
ECA-7535 - Regression: Upgrade of customcertextensions.properties fails
ECA-7536 - CertificateCrlReaderSystemTest fails on Windows
ECA-7540 - Importing a CVCA certificate with error triggers CSRF error
ECA-7542 - CertSafePublisher sends incorrect revocation date
ECA-7543 - CertSafePublisherTest fails on Windows due to line endings
ECA-7544 - Fix UpgradePublisherTest
ECA-7548 - Cannot create a crypto token with token label as slot reference
ECA-7552 - StatedumpTest should use systemtests.properties
ECA-7558 - Admin Web returns redundant security headers
ECA-7584 - USERAUTH fail when publishing with the SCP Publisher
ECA-7595 - UpgradeSessionBeanTest.testUpgradeOcspExtensions6120 fails intermittently
ECA-7599 - AcmeConfigurationAndValidationSystemTest.leaveRevocationReasonUnchanged fails intermittently
ECA-7601 - UNID-FNR fails to deploy on JBoss AS 7.1.1
ECA-7613 - CertificateCrlReaderSystemTest fails intermittently
ECA-7621 - Fix CMP tests on 6.15.x branch on new Jenkins server
ECA-7624 - Fix ConfigdumpValidatorUnitTest and YamlWriterUnitTest
ECA-7628 - configdump change causes test build failure in CE
ECA-7662 - SecurityEvents*SessionBeanTest fails on H2 due to use of ORDER in DELETE
ECA-7663 - CertificateRetrievalTest.test09FindWithMissingCertData assumes database.useSeparateCertificateTable=false
ECA-7665 - OutgoingPeerConnectionTest fails intermittently
ECA-7676 - Nullcheck would have been NPE in BlacklistEntry
ECA-7677 - PeerConnectionsTest is missing slf4j runtime dependency
ECA-7698 - Update example URL for external documentation
ECA-7742 - CAA Validator fails DNSSEC validation for CH domains
ECA-7760 - ScpPublisher: Destination URL for certificates saved as crl.scp.destination and vice versa
ECA-7794 - SCP Publisher does not store/load the password properly
Tasks
ECA-7641 - Transform CE job that used to be trunk to 6.15
ECA-7848 - Investigate 6.15 WS test failures
EJBCA 6.15.1.3
Bugs
ECA-8153 - CertSafe Publisher throws NPE
EJBCA 6.15.1.2
Bug
ECA-7548 - Cannot create a crypto token with token label as slot reference
EJBCA 6.15.1.1
Bug Fixes
ECA-7542 - CertSafePublisher sends incorrect revocation date
Improvements
ECA-7520 - Make CertSafePublisherTest locale independent
EJBCA 6.15.1
Released on 20 November 2018
New Features
ECA-7202 - ACME system tests - analyse, improve and enable skipped system tests
ECA-7382 - GUI modifications in Edit Publisher for MultiGroupPublisher
ECA-7392 - Data structure for MultiGroupPublisher
ECA-7393 - Backend logic for MultiGroupPublisher
ECA-7395 - Code for converting between textfield data and MultiGroupPublishers groups
ECA-7396 - Implement PublisherSession.getPublisherNameToIdMap
ECA-7401 - Implement ConfigDump export for MultiGroupPublisher
ECA-7425 - Add SCP Publisher implementation
ECA-7426 - Implement Certificate/CRL Reader implementation
Improvements
ECA-3917 - Warn user when trying to create multiple representations of the same P11 slot
ECA-7402 - Add synchronization to org.cesecore.util.ui.DynamicUiProperty.values
ECA-7406 - Move EnterpriseValidationAuthorityPublisher from va module into plugin-ee module
ECA-7409 - Add option to send JUnit tests standard output to console
ECA-7416 - Speed up import of certificate directory using the CLI
ECA-7420 - Minor security issue
ECA-7424 - Move CertSafePublisher into plugins-ee module
ECA-7430 - Add missing "isRequired" CCE field to ConfigDump
ECA-7432 - Colour-code modular protocol configuration table
ECA-7436 - GDPR Adapt the Legacy VA Publisher
ECA-7442 - Allow creation of quick zipreleases without having SVN installed
ECA-7446 - Add authorization to CustomPublisherContainer.getCustomUiPropertyList
ECA-7449 - Security: fix minor scanner issues
ECA-7450 - Multi Group Publisher: Only queue certificate statuses that will be published
ECA-7451 - Remove leftover from certificatestore build.xml
ECA-7453 - Disallow deletion of publishers in use by Multi Group Publisher
ECA-7454 - Documentation for Multi Group Publisher
ECA-7465 - Documentation: Missing steps in AD publisher TLS configuration
ECA-7468 - Add revocation time to CertSafe Publisher JSON
ECA-7471 - Allow system tests to run with EJBCA not on localhost
ECA-7479 - Prevent compiling with Java 11, as long as it doesn't work
ECA-7490 - Use relative keystore paths in ejbca-setup.sh scripts
ECA-7493 - Allow any user of full checked out source to make alpha CE ziprelease
ECA-7507 - Skip ProtectedDataPKCS11Test when no PKCS#11 library is configured
ECA-7510 - DnFieldExtractorTest fails in CE version
Bug Fixes
ECA-7336 - OCSP warningBeforeExpirationTime not working
ECA-7407 - Probing confluence during build even if doc-update=false
ECA-7408 - Don't shadow remote EJB client classes in system tests
ECA-7411 - AcmeOrderData is missing ORM for all db types except "mysql"
ECA-7412 - ACME ORM XML for postgres uses <lob></lob>
ECA-7434 - Add modular protocol configuration to Statedump
ECA-7441 - EJBCA WS tests fail with SunCertPathBuilderException
ECA-7455 - Security: security issue
ECA-7472 - AcmeWorkflowTest assumes "which" is available on test system
ECA-7476 - Regression: X-FRAME-OPTIONS sometimes blocks admin UI head banner
ECA-7487 - Creating Crypto Token on same slot as database protection breaks DB protection
ECA-7489 - batchenrollmentgui does not build
ECA-7497 - Fix VaEnterpriseValidationAuthorityPublisherTest test failure
ECA-7506 - test:run fails to compile CertificateCrlReaderSystemTest
ECA-7509 - Extra field added to the legacy VA Publisher
ECA-7515 - NPE in getCaaIdentities when using ACME
EJBCA 6.15.0
Released on 5 October 2018
New Features
ECA-7019 - Write documentation for ACME
ECA-7185 - ACME persistence: Create ORM scripts AcmeAccountData
ECA-7187 - Add ACME to Statedump
ECA-7188 - Add ACME to Configdump
ECA-7198 - ACME persistence: Create ORM scripts/entities/CRUD for AcmeOrderData
ECA-7199 - ACME persistence: Create ORM scripts/entities/CRUD for AcmeAuthorizationData
ECA-7200 - ACME persistence: Create ORM scripts/entities/CRUD for AcmeChallengeData
ECA-7202 - ACME system tests - analyse, improve and enable skipped system tests
ECA-7237 - Swagger problems with ACME module
ECA-7244 - Add ability to link in compiled JARs as plugins
ECA-7250 - PKCS11 enable using CKA_LABEL also when a sun attributes file is used
ECA-7253 - Add a method to SignSession in order to sign arbitrary payloads
ECA-7257 - Add possibility to disable Crypto Token key generation for specific PKCS#11 drivers in GUI
ECA-7259 - Add Amazon CloudHSM p11 driver to known P11 drivers in web.properties
ECA-7264 - Re-use endentity for ACME cert renewal flow
ECA-7287 - Add Required checkbox to the custom extension configuration screen and logic in backend
ECA-7288 - Add wildcard identifier to the Certificate Extension OIDs
Tasks
ECA-7138 - Ensure quality in ACME
ECA-7203 - Verify that ACME works with aliases
ECA-7207 - Verify & document External Account Binding in ACME
ECA-7252 - test ACME cert renewal and deactivation flows with acme4j
ECA-7275 - Test ACME wildcard cert issuance and pre-authorization with certbot.
ECA-7323 - Document Peer RA Protocol Rules
ECA-7324 - Document Optional Custom Extensions
ECA-7331 - Verify if Swagger UI works for ACME API. If it does, add documentation to confluence. If not, hide the ACME part from swaggerUI
Improvements
ECA-6921 - ACME persistence: CRUD for AcmeAccountData
ECA-7114 - Improved test for ACME dns-01 validation.
ECA-7120 - Upgrade EJBCA/CESeCore to BouncyCastle 1.60
ECA-7125 - Precompile Swagger UI WAR and add to ejbca/dist
ECA-7194 - Create certificate only for order from request
ECA-7204 - Re-enable ACME in GUI
ECA-7227 - Remove "CA Service Activation" from Certificate Profiles
ECA-7233 - Remove JavaDoc and source files from lib directory
ECA-7234 - Use a StringBuilder to improve efficiency creating database protection
ECA-7239 - Make DNSSEC optional for dns validation
ECA-7240 - EJBCA_TRUNK_MARIADB_UBUNTU1204_JBOSS711GA_PUPPET tests failing
ECA-7243 - Hide external account binding option from ACME GUI
ECA-7247 - Improve the New Terms of Service Agreement functionality of EJBCA ACME server.
ECA-7248 - Use EJBCA name style for issuerDN in CMP revocation request handler
ECA-7251 - Remove clover jar from ziprelease
ECA-7304 - Update default DNSSEC trust anchors
ECA-7305 - Upgrade handling for new "DNS port" setting for ACME
ECA-7310 - Improve feedback from CAA Validator
ECA-7311 - Possible serialization failure when editing Access Rules in Advanced Mode
ECA-7316 - Missing svn:keywords
Bug Fixes
ECA-6872 - Cannot enroll user with Cyrillic characters using RA web + appliance
ECA-7096 - Don't store certificate meta data option makes expireDate not published, causing archiveCutOff
ECA-7154 - SQL Grammar Exception on MS SQL Server v12
ECA-7193 - Move check of requested certificate validity from finalize to newOrder
ECA-7201 - Documentation link to Renew CA gives 404
ECA-7211 - OCSP signing certificates aren't always published for throwaway CAs with revoke enabled
ECA-7215 - CMP: RA Name Generation Scheme with DN component serialNumber does not work
ECA-7220 - DROP table scripts for AcmeNonceData is missing
ECA-7224 - Broken class-path references in ctlog.jar causes WARN messages in the JBoss log file
ECA-7231 - StringTools B64 failing unit test after upgrade to BC 1.60
ECA-7238 - EjbcaWS doesn't handle timeformats ending with 'Z'
ECA-7242 - EJBCA is trying to parse the string 'KeyId' as an integer when authorising an admin
ECA-7245 - NPE when issuing certificate via certbot
ECA-7246 - EjbcaWSTest fails with clearpassword
ECA-7249 - HSMKeyTool --force flag does not work when using an attributes file
ECA-7258 - Security: information leak in debug log
ECA-7260 - CryptoToken key generate button shown when it should not
ECA-7268 - RA Web search End Entities doesn't render if not authorized to search certificates
ECA-7269 - Regression: JSF errors on JBoss AS 7.1.1
ECA-7274 - Test ACME wildcard certificate issuance and pre-authorization with acme4j
ECA-7277 - DatabaseProtection on CertificateProfileData incompatible between <=6.11 and >= 6.12
ECA-7285 - Add HEAD request for the endpoint revokeCert
ECA-7286 - Fix NPE which happens when de-registering account with certbot
ECA-7302 - Name Constraints error when saving existing CA
ECA-7306 - GUI bug in Edit CA page.
ECA-7307 - 'Close' button not functioning under 'View Certificate'
ECA-7322 - Import renewed CA certificates, for External CA does not import to CertificateData, for Externally Signed CA does not publish
EJBCA 6.14.1
Released on 24 August 2018
Bug Fixes
ECA-7209 - Configdump crashes on export due to 'isCaAllowed' in certificate profile
ECA-7210 - BC class conflict in some occasions: X509CertificateObject cannot be cast to org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier
ECA-7212 - EJBCA fails to start on JBoss AS 7.1.1
ECA-7213 - JSF errors on JBoss AS 7.1.1 and EAP 6.x
ECA-7221 - Configdump support for dumping issuers is missing
ECA-7222 - WebService keyRecoveryEnroll gives NPE if end entity extendedInformation is missing
ECA-7223 - processSoftTokenReq method requires end entity profile to allow clear text password
ECA-7229 - Can not start Peer Connector on JBoss EAP 6.4
ECA-7236 - NPE thrown by publisher when useSeparateCertificateTable is changed from false to true
ECA-7241 - EST enrollment requires end entity profile with batch enrollment enabled
ECA-7242 - EJBCA is trying to parse the string 'KeyId' as an integer when authorising an admin
EJBCA 6.14.0
Released on 7th August 2018
Technical Requirement
ECA-6978 - Implement Rest conventions
ECA-7022 - Specify license information for swagger dependencies
Bug
ECA-3298 - One Junit failure on DB2
ECA-4729 - getRequestServerName with ejbca behind a reverse proxy via ajp returns wrong server name
ECA-5416 - SoftCryptoToken used for database protection always debug logs stacktrace about PKCS12 keystore password
ECA-6292 - Common PKI CertHash OCSP extension should be a singleExtension instead of a responseExtension
ECA-6654 - PublicCryptoToken can't be used for database protection verification
ECA-6763 - EJB CLI still logs too much irrelevant info
ECA-6774 - Fix the active status logo in internal key binding.
ECA-6848 - Regression: 'Provide request info' hidden when only 'Select key algorithm' should be
ECA-6862 - CertificateDataSessionBean.findUsernameByIssuerDnAndSerialNumber declared final
ECA-6869 - Upgrade code for 6.11 creates access rules that are not normalized
ECA-6880 - fix unit tests for Community MariaDB+ubuntu+JBOSS711GA configuration
ECA-6887 - Return value for rejected approvals in EjbcaWS.getRemainingNumberOfApprovals(int) is incorrect
ECA-6895 - Refine behavior of ApprovalSessionBean.getRemainingNumberOfApprovals(int)
ECA-6901 - Handle non-DNs gracefully in CertTools.isDNReversed
ECA-6923 - Missed slashes in documentation links
ECA-6947 - Validator view not refreshed, editing Validators modifies cache content
ECA-6950 - Documentation: Custom certificate extension data link broken
ECA-6951 - Documentation links on Admin GUI overview page broken
ECA-6959 - Cache CA name lookup in RoleMembers page view scope
ECA-6997 - Database upgrade version comparison does not handle varying number of fields
ECA-7000 - Improve isFullQualifiedDomainName
ECA-7001 - ExternalCommandCertificateValidator handles stdout and stderr incorrectly
ECA-7004 - Public key blacklist validator fails match on RSA keys when not all algorithms are specified in validator
ECA-7014 - External Command Certificate Validator should fail on non-zero exit code
ECA-7015 - The enum constant UNKNOWN needs a corresponding case label in this enum switch
ECA-7016 - Unlikely argument problems in ACME implementation
ECA-7027 - WS API documentation has wrong URL
ECA-7031 - Documentation Link broken for 'Manage Publishers'
ECA-7040 - Regression: External RA (polling) does not work for Keystore Requests
ECA-7043 - Upgrade with long version number can fail
ECA-7057 - Fix documentation link from Public Web
ECA-7063 - Peer connector settings are not saved when creating a new peer connector
ECA-7078 - Jenkins builds failure for test EjbcaWSCVCTest
ECA-7079 - Jenkins builds failure for SystemTests of REST API
ECA-7080 - Jenkins builds failure for AcmeWorkflowTest of ACME
ECA-7083 - CaaValidator always succeeds when the domain ignore list matches
ECA-7084 - Fix Jenkins test error: Non unique method in RA Master API
ECA-7085 - Some JUnit tests don't run
ECA-7086 - Regression: Help labels and at least one option is gone from the CAA Validator
ECA-7088 - some REST-related unit tests are failing in EJBCA_TRUNK_UNIT_PUPPET
ECA-7090 - Swagger inputs in snakecase are not evaluated in REST method input
ECA-7094 - Error "Can't reset to root in the middle of the path" during ant install on JBoss ≥6.4.19
ECA-7099 - CRL generation as CRL Issue interval can miss some intervals
ECA-7100 - Revocation CA lookup for nonConflictingCertificateData does not use normalized DN format
ECA-7101 - EjbcaWS.getProfile leaks information about CA's and EEPs
ECA-7108 - X509CA.upgrade could upgrade CA Overlap Time wrong from ancient version
ECA-7111 - Troubleshooting missing from documentation
ECA-7112 - Fix test failure EndEntityProfileSessionBeanTest.testAuthorization
ECA-7115 - WS customLog call calculates CA ID wrong if caName is missing
ECA-7116 - WS customLog call swaps username and admin certificate parameters in log
ECA-7140 - Ignore Top Level Domains field in CAA Validators no longer work
ECA-7141 - orm entry for AcmeNonceData incorrect for PostgreSQL
ECA-7142 - Documentation Link broken for under OcspKeyBinding Tab
ECA-7144 - RaMasterApi dispatches non-serializable objects
ECA-7145 - Invalid error handling for EjbcaWS.getProfile (remote)
ECA-7148 - Jenkins job EJBCA_TRUNK_UNIT_PUPPET compilation failure
ECA-7149 - Jenkins job EJBCA_TRUNK_UNIT_PUPPET has failing unit test of RsaKeyValidatorTest.testRocaWeakKeys
ECA-7150 - Regression ejbca-db-cli crashes with ClassNotFoundException: AcmeNonceData
ECA-7155 - Manage ACME Aliases is linking to SCEP documentation
ECA-7157 - Fields notBefore and notAfter in the order object are optional
ECA-7158 - HEAD endpoint for new-order is missing and required for certbot compliance
ECA-7159 - REST API /expire offset and maxNumberofResults doesn't work on multiple nodes
ECA-7160 - HEAD endpoint for new-account is missing and required for certbot compliance
ECA-7167 - Regression: Cannot generate keystore with autogenerated password from RA
ECA-7173 - ConcurrentModificationException while editing end entity with custom, dynamic, extensions
ECA-7176 - Regression: RA Web upload CSR auto-parsing stopped working
ECA-7179 - Regression: RA Web cleanup deletes existing end entity
ECA-7180 - NPE in ProfileAndTraceInterceptor
ECA-7181 - CertBot fails due to null values in JSON
ECA-7182 - ACME Link headers are not encoded according to the standard
ECA-7183 - Fix ACME notAfter validation failure
ECA-7184 - Check for incorrect approval settings for ACME CA/profile fails
ECA-7192 - ziprelease excludes configdump.sh from release zip
New Feature
ECA-5711 - RA API call base for ACME
ECA-6750 - System tests: VA Publisher with Throwaway certs
ECA-6845 - Fixing unittests EJBCA_TRUNK_MARIADB_RHEL64_JBOSSEAP64_OPENJDK8 Jenkins build
ECA-6851 - Create automated test for ECAQA-3
ECA-6853 - Add Peer RA Protocol Rule for SCEP
ECA-6854 - Create automated test for ECAQA-76
ECA-6858 - Create automated test for ECAQA-67
ECA-6867 - Create automated test for ECAQA-24
ECA-6868 - Create automated test for ECAQA-62
ECA-6874 - Create module for REST API
ECA-6876 - Implement client certificate authentication for REST API
ECA-6878 - REST API call: List of CAs
ECA-6882 - Create JAXRS "certificate" endpoint in ejbca-rest-api module
ECA-6891 - POST service endpoint to certificatecontroller for requesting new server certificate
ECA-6893 - ACME: Implement dns-01 validation method
ECA-6896 - Create automated test for ECAQA-42
ECA-6897 - Create automated test for ECAQA-8
ECA-6898 - User documentation REST API
ECA-6902 - Create REST service for downloading CA certificates
ECA-6903 - REST method for revoking a certificate
ECA-6904 - GET method to get certificates that are about to expire
ECA-6934 - Add RA proxying of EjbcaWS.findUser(UserMatch) and EjbcaWS.editUser(UserDataVOWS)
ECA-6937 - Create a common exception handler for the REST API
ECA-6941 - Add Swagger to the REST API
ECA-6942 - Create automated test for ECAQA-74
ECA-6944 - Create automated test for ECAQA-28
ECA-6948 - Use HEX serial number as identifier in the REST API
ECA-6953 - REST Json provider configuration
ECA-6954 - REST exceptions cleanup
ECA-6955 - REST soft exceptions
ECA-6956 - Create remaining JUnit test for REST
ECA-6957 - REST system tests
ECA-6958 - REST Use profile names as input instead of ID
ECA-6964 - Refactor cert enrollment REST service to do profile and endentity lookups behind RaMasterApi to improve performance
ECA-6970 - Add RA Proxying of EjbcaWS.getAvailableCertificateProfiles
ECA-6971 - Add RA Proxying of EjbcaWS.getAvailableCAsInProfile
ECA-6972 - Add RA proxying to EjbcaWS.processCertReq
ECA-6973 - Add RA proxying to EjbcaWS.cvcRequest
ECA-6974 - Add RA proxying to EjbcaWS.customLog
ECA-6975 - Add RA proxying to EjbcaWS.findCerts
ECA-6982 - Add RA proxying to EjbcaWS.getAuthorizedEndEntityProfiles
ECA-6983 - Add RA proxying to EjbcaWS.getCertificate(String, String)
ECA-6984 - Add RA proxying to EjbcaWS.getCertificatesByExpirationTime
ECA-6985 - Add RA proxying to EjbcaWS.getCertificatesByExpirationTimeAndType
ECA-6986 - Add RA proxying to EjbcaWS.getCertificatesByExpirationTimeAndIssuer
ECA-6987 - Add RA proxying to EjbcaWS.getLastCAChain
ECA-6988 - Add RA proxying to EjbcaWS.getProfile(int, String)
ECA-6989 - Add RA proxying to EjbcaWS.getLatestCRL
ECA-6990 - Add RA proxying to EjbcaWS.getRemainingNumberOfApprovals
ECA-6991 - Add RA proxying to EjbcaWS.isApproved(int)
ECA-6992 - Add RA proxying to EjbcaWS.isAuthorized(int)
ECA-6993 - Add RA proxying to EjbcaWS.pkcs12Req(String, String, String, String, String)
ECA-6994 - Add RA proxying to EjbcaWS.republishCertificate(int)
ECA-6999 - REST endpoint for keystore enrollment
ECA-7007 - REST endpoint to get CRL
ECA-7008 - REST endpoint to search for certificates
ECA-7010 - REST endpoint to check certificate revocation status
ECA-7011 - Start using Converters in REST related response, request and entity classes
ECA-7029 - Link Rest API documentation to the proper place
ECA-7030 - Prevent Swagger exposure in Production
ECA-7032 - Add RA proxying to EjbcaWS.getPublisherQueueLength(String)
ECA-7033 - REST endpoint to finalize enrollment after approval
ECA-7034 - Add RA proxying to EjbcaWS.revokeUser(String, int, boolean)
ECA-7035 - Add CLI command to list publishers
ECA-7038 - Extend EJBCA EJB CLI to allow adding RoleMembers of any supported type
ECA-7039 - Add Cavium Nitrox III as known HSM driver
ECA-7051 - Add protocol configuration for REST
ECA-7052 - Add REST APIs to Peer RA Protocol access rules
ECA-7053 - Add ACME to Peer RA Protocol access rules
ECA-7067 - Add positive audit log messages for all Validation operations
ECA-7076 - REST API - SystemTest - Authorized client requesting a new server certificate
ECA-7077 - REST API - SystemTest - Authorized client revokes a certificate
ECA-7092 - REST API license headers to Enterprise
ECA-7122 - Add RA proxying to EjbcaWS with request local instance first.
ECA-7126 - Add RA Proxying of EjbcaWS.getAvailableCAs
ECA-7127 - REST API unit tests are not run in Jenkins
ECA-7156 - Implement CAA identities
ECA-7178 - contacts should not be mandatory for ACME's POST newAccount endpoint
Task
ECA-6861 - Initial prototype of REST API
ECA-6871 - Add Fabiens cmp monitoring script to extras
ECA-6879 - Identification of certificates in REST API
ECA-6890 - Document Wildfly 12 configuration
ECA-6949 - Fix the Jenkins build EJBCA_TRUNK_MARIADB_RHEL64_JBOSSEAP64_OPENJDK8
ECA-7136 - Ensure quality in CAA Validator
ECA-7137 - Ensure quality in REST-API
ECA-7139 - Ensure quality in WS RA-proxying
Improvement
ECA-6090 - Add ability to specify multiple issuers in CAA validator
ECA-6162 - CT log request - optional full hierarchy, full Json request in debug log
ECA-6436 - Ability to set explicit.ecc.publickey.parameters for crypto tokens
ECA-6849 - Simplification of p11 token login (Crypto Token Activation)
ECA-6856 - Use consistent format of library license references
ECA-6863 - Fix easy to fix compiler warnings in Admin GUI classes
ECA-6873 - Improve handling when receiving SCEP getCACaps request for missing CA
ECA-6883 - Refactor X509CAInfo constructors to use build pattern
ECA-6884 - Run Web Tests on windows
ECA-6885 - CMP: add senderKID to responses when they are signed
ECA-6888 - unidfnr.enabled should have a default value
ECA-6892 - Create exhaustive regression tests for ApprovalSessionBean.getRemainingNumberOfApprovals(int)
ECA-6900 - Shift "Contributors" page from EJBCA - The Open-Source Certificate Authority (CA) into Confluence Documentation
ECA-6905 - ACME draft-12 update: Remove tls-sni-02 and oob-01
ECA-6906 - ACME draft-12 update: Use camelcase instead of dash
ECA-6907 - ACME draft-12 update: New finalize workflow
ECA-6908 - ACME draft-12 update: Update and review all JavaDoc
ECA-6910 - ACME draft-12 update: Remove authz and cert resources "up" Link
ECA-6911 - ACME draft-12 update: newNonce should respond with HTTP 200
ECA-6912 - ACME draft-12 update: Update AcmeAccount creation workflow
ECA-6913 - ACME draft-12 update: Directory meta info should indicate if external account is required
ECA-6914 - ACME draft-12 update: Wildcard certificate issuance
ECA-6915 - ACME draft-12 update: Remove AcmeAuthorization scope
ECA-6916 - ACME draft-12 update: Update AcmeChallenge workflow
ECA-6917 - ACME draft-12 update: Verify response code for wrong content type
ECA-6918 - ACME: AcmeAccount should belong to an AcmeConfiguration
ECA-6920 - ACME persistence: AcmeNonceData
ECA-6922 - ACME draft-06 cleanup: Remove custom JAX-B serialization
ECA-6924 - ACME: Verify certbot compliance
ECA-6926 - ACME: Enable as part of release
ECA-6931 - ACME: Implement the missing calls in RaMasterApi to allow proxy use
ECA-6932 - ACME UI Configuration: GlobalAcmeConfiguration and AcmeConfigurations
ECA-6960 - ACME draft-12 update: Remove authzDeactivate resource "up" Link
ECA-6966 - Info log details when a database upgrade is started
ECA-6977 - Certificate Transparency, add verification of embedded SCTs and upgrade version of google/certificate-transparency-java
ECA-6980 - Remove root certificate from CT submission
ECA-6981 - GUI: Crypto Tokens form usability
ECA-6995 - GUI: End Entities search result revocation usability
ECA-7005 - Small improvement to CT debug logging
ECA-7017 - REST Jackson library unification
ECA-7018 - Add ACME to modular protocols configuration
ECA-7020 - When a CT log returns an error, log at info level instead of debug
ECA-7028 - modify REST enrollKeystore to accept JSON body rather than query parameters
ECA-7036 - Unidfnr data class should have unid as part of protection string.
ECA-7037 - File system property to disable X.509 client cert requirement for Admin GUI
ECA-7041 - Access rule '/cryptotoken/keys/generate/' is required to create CSR for OCSP Key Binding
ECA-7044 - Support Role namespace in EJB CLI
ECA-7045 - Reorganize crypto tokens documentation into a concept and an operational section
ECA-7048 - Adapt new RA API methods to RA API Guidelines
ECA-7049 - Make sure all RA API methods work both locally and remotely, where applicable
ECA-7056 - Create a "CA Overview" page in the documentation
ECA-7081 - Log all CRL parameters used when making a decision to generate a CRL or not
ECA-7087 - improve EJBCA_TRUNK_UNIT_PUPPET jenkins build (or runsa ant target) somehow, so that build error would make the build red
ECA-7091 - Remove Norwegian FNR from log
ECA-7095 - Enable "Don’t allow ROCA weak keys" in CA/B Forum RSA Key Validation Template
ECA-7097 - Merge REST revocation response classes
ECA-7113 - Make the dns resolver and iana root anchor configurable for acme
ECA-7121 - REST - return correct response code from POST and PUT endpoints
ECA-7123 - REST revocationstatus returns 'revoked' for non-existing entries
ECA-7124 - Complete IEjbcaWS JavaDoc for new RA master API calls.
ECA-7129 - Use static json for static swagger REST API documentation
ECA-7131 - SystemTest for REST Certificates search
ECA-7132 - Remove "default" ACME alias
ECA-7134 - Improve REST endpoint Swagger descriptions
ECA-7147 - Use consistent serial number response format in REST API
ECA-7166 - Update the documentation links for the OCSP keybindings page
ECA-7172 - Add new index for searches on AuditRecordData
ECA-7174 - Improve ProfileAndTraceInterceptor to print arguments properly
ECA-7177 - Increase CRL upload size from 60 KB to 250 MB
ECA-7186 - ACME Configuration: Hide EMPTY profile and add info text about Default CA etc.
ECA-7191 - Add request/response logging for REST calls
EJBCA 6.13.0
Released on 3 May 2018
Epics
ECA-5792 - Allow peer publisher to only publish required data for OCSP
ECA-6727 - Revocation of Throwaway Certificates
New Features
ECA-6734 - New DB Table (Part of Alpha)
ECA-6737 - New SSB with basic NoConflictCertificateData functionality (Part of Alpha)
ECA-6738 - CA config changes + Admin GUI mods
ECA-6739 - Certificate lookup from PublishQueueServiceWorker
ECA-6740 - Changes in CRL generation logic
ECA-6741 - Update Database CLI
ECA-6743 - Modify EjbcaWS.revokeCert call (Part of Alpha)
ECA-6744 - Modify EjbcaWS.revokeCert call to accept more meta data
ECA-6745 - Manual tests with asynchronous replication
ECA-6746 - ECA-QA click test for Revocation of Throwaway Certs
ECA-6748 - System tests: WS call (Part of Alpha)
ECA-6750 - System tests: VA Publisher with Throwaway certs
ECA-6751 - Performance tests: Check existing tests (Revoke & OCSP)
ECA-6752 - Performance tests: Perform tests (before & after)
ECA-6753 - Document revocation of throw away certs
ECA-6789 - Edit CA page should include an option to select which certificatedata table to write to
Tasks
ECA-6756 - Add manual test of OCSP for UnidFnr
ECA-6778 - Update all occurrences of ocsp.extensionoid and extensionclass in documentation
Improvements
ECA-4337 - EJBCA client toolbox PKCS11HSMKeyTool generate command should not overwrite existing keys
ECA-6362 - Document all pages in the UI that are going to be deprecated by EJBCA 7.0
ECA-6572 - Remove timeStampClient.jar from documentation
ECA-6762 - Make existing EjbcaWS.revokeCert call work without certificate data being present
ECA-6764 - Fix missing header and id in test related classes.
ECA-6766 - System test of publishing of throw away certificate revocation status, with mock publisher
ECA-6767 - CertificateDataWrapper should handle revoked throw away certificate case
ECA-6772 - GUI: Usability about GeneralNames type fields (e.g. for Subject Alternative Name)
ECA-6779 - Update Confluence documentation for QC-Statements
ECA-6786 - VA Publisher should not update if revocation reason is permanent
ECA-6791 - Create separate CRUD bean for CertificateData and NoConflictCertificateData, for database queries etc.
ECA-6795 - CMP: don't log stack trace if CMP alias does not exist
ECA-6796 - Check new option "Accept revocations for non-existing entries" in backend code
ECA-6836 - Make it possible to issue throw-away certificates with publishers enabled
ECA-6837 - Restrict "Accept revocation of non-existing certificates" option to throw-away CAs only
ECA-6844 - Create fingerprint sheet in RA web
ECA-6850 - Add backend code for selecting which certificate data table to write to.
ECA-6856 - Use consistent format of library license references
ECA-6859 - Improved naming and ordering of Throw Away Certificate Revocation options
Bug Fixes
ECA-6717 - Remove clientToolBox dependency on ejbca-ejb
ECA-6728 - NPE when changing Approval Profile type
ECA-6761 - Republish/re-activate in the Admin Web passes html encoded data to API
ECA-6768 - DirectoryName in CMP (RA mode) requests doesn't work
ECA-6771 - GUI: Wrong designation of QC-Statements "Name Registration Authorities"
ECA-6775 - Unidfnr entity bean must handle longtext datatype.
ECA-6797 - ConfigDump does not find certain profiles etc. when --exclude option is used
ECA-6800 - junit ProtocolOcspHttpTest freezes
ECA-6823 - checkRevocationStatus returns wrong value for throw away CAs
ECA-6848 - Regression: 'Provide request info' hidden when only 'Select key algorithm' should be
ECA-6852 - Upgrade ocsp extensions does not account for '*' prefix
EJBCA 6.12.0
Released on 4 April 2018
Epics
ECA-6464 - Implement UnidFnr as a Module
ECA-6466 - YAML Based Configuration Export
New Features
ECA-1960 - GUI: End-Entity Search results usability (actions with buttons)
ECA-5752 - Split out CSS from AdminGUI template.xhtml and provide theme support
ECA-5840 - Create an ant script that automatically exports EJBCA documentation to a local directory
ECA-6477 - Create base classes for the web test module
ECA-6514 - Create test + pilot export with basic End Entity Profiles export using YAML
ECA-6515 - Finish End Entity Profile YAML export
ECA-6516 - Create CLI interface for YAML export
ECA-6517 - Create YAML export for Validators
ECA-6518 - Create YAML export for CAs
ECA-6519 - Create YAML export for Certificate Profiles
ECA-6521 - Create YAML export for EST Configuration
ECA-6522 - Create YAML export for Services
ECA-6523 - Create YAML export for Publishers
ECA-6524 - Create YAML export for Crypto Tokens
ECA-6525 - Create YAML export for Roles
ECA-6526 - Create YAML export for Peer Connectors
ECA-6527 - Create YAML export for Internal Key Bindings
ECA-6528 - Create YAML export for Ocsp Configuration
ECA-6530 - Create YAML export for Admin Preferences
ECA-6532 - Options for what to include and exclude in YAML export
ECA-6533 - Create module for YAML export
ECA-6543 - Add CLI support for EST configs
ECA-6544 - Update test.xmli for YAML module
ECA-6546 - Implement java.util.Map to YAML conversion
ECA-6549 - Create automated test for ECAQA-153
ECA-6550 - Create automated test for ECAQA-87
ECA-6560 - Create automated test for ECAQA-98
ECA-6567 - Create automated test for ECAQA-78
ECA-6580 - Create YAML export for User Notifications in End Entity Profiles
ECA-6606 - Certificate revocation using EJBCA WebService API through External (Peer) RA
ECA-6615 - Fail hard if building with Confluence pull property set, but Confluence server can't be contacted.
ECA-6617 - Ensure that the Confluence docs are automatically (and always) updated with the ziprelease.
ECA-6620 - Put a placeholder page in Documentation if building without any prior Documentation retrieved
ECA-6629 - Create YAML export for SCEP configuration
ECA-6634 - Support SCEP via the RA
ECA-6646 - Remap all ? links in CA UI from old documentation to new Confluence based documentation
ECA-6649 - Configdump CA fixes
ECA-6661 - Remove init code from UNID-FNR OCSP Extension implementation
ECA-6662 - Entity bean (protected data)
ECA-6663 - SSB (with logic to check signature)
ECA-6664 - Create Scripts for DB Table
ECA-6665 - Module for UnidFnr
ECA-6666 - UnidFnr upgrade handling
ECA-6671 - Add CA ID generation to clientToolBox
ECA-6672 - OCSP ext. UI selection per keybinding
ECA-6695 - Create automated test for ECAQA-138
ECA-6696 - Create a helper class for Web Tests
ECA-6714 - Add description field for IKB "Trusted Certificates"
Tasks
ECA-6465 - Investigate the impact of curve aliases changing in BC v1.59
ECA-6483 - Add static code analyzing support for EJBCA code base.
ECA-6493 - Clean up warnings in CertProfileBean
ECA-6513 - Investigate and decide library to use for YAML
ECA-6553 - Update copyright year to 2018
ECA-6561 - Clean up http://ejbca.org and tighten up site
ECA-6585 - Create a CT logging Test Root
ECA-6720 - Remove old UNID-FNR properties from ocsp.properties.sample
Improvements
ECA-2156 - GUI: Search forms layout and usability
ECA-2731 - Move all find* methods from EndEntityManagementSession to EndEntityAccessSession
ECA-3417 - CaSession.getCAInfo and other get* methods in CaSession should return null
ECA-3610 - Bring all CRUD methods from UserData to EndEntityAccessSession
ECA-3772 - InformationMemory and associated cache classes are redundant and should be removed
ECA-5382 - RA: Allow certain admins to see requests that they are not allowed to approve
ECA-5499 - Use Facelet templating instead of frames
ECA-5520 - Additional information shown for CSRs uploaded
ECA-5675 - Request custom search should have date help in the RA
ECA-5769 - Support for nameSpace in EJBCA CLI
ECA-5864 - Make it possible to change EEP of an EE
ECA-6298 - CaInfo.getCertificateChain should return a List instead of a Collection
ECA-6320 - Allow validators to render dynamic values.
ECA-6325 - RA Web: Make the EE/Cert Details page match the search page
ECA-6352 - RA Web: Add a link back to the EE when viewing a certificate
ECA-6356 - Create system tests for modular protocol configuration
ECA-6411 - Move ServiceManifestBuilder into its own project
ECA-6437 - Ability to specify a subjectAltName and issuerAltName when creating CAs with CLI
ECA-6479 - Approval Partition names are not shown in the CA UI.
ECA-6501 - Add sun/security/action to jboss-deployment-structure.xml
ECA-6503 - Remove Web Tests from zip release
ECA-6506 - Null Pointer Exception when viewing an Accumulative Approval Request in Admin GUI
ECA-6551 - Format validation message properly under QueryGenerator
ECA-6554 - clientToolBox test with 8192 bit RSA keys fails with exception
ECA-6563 - GUI: Improve punctuation in English language for Admin GUI
ECA-6565 - Clean up language files
ECA-6566 - Clarifying ocsp.extensionoid description
ECA-6583 - Command line option to turn Configdump exceptions into warnings
ECA-6586 - Append file extension to YAML files
ECA-6590 - Replace spaces and special characters in configdump file names
ECA-6592 - Make YAML keys case consistent
ECA-6595 - Configdump export should require authentication token
ECA-6596 - Improve debug logging in CT with some more details
ECA-6600 - State BR version in the drop down in key validators
ECA-6605 - Create a unit test to ensure that CAA record sets that contain no ISSUE/ISSUE_WILD statements allow issuance
ECA-6607 - Refactoring the message keys of actions
ECA-6608 - GUI: Harmonize all popup windows
ECA-6610 - Remove redundant CAA language properties
ECA-6611 - Move guides section from EJBCA homepage to Confluence Documentation
ECA-6612 - Create an atomic WS call to perform key recovery
ECA-6613 - Include ConfigDump in ZipRelease
ECA-6614 - Allow PKCS#10 challengePassword encoded as IA5String
ECA-6616 - Source Confluence information from a PK-only properties file to avoid leaking data
ECA-6618 - Remove legacy documentation from EJBCA trunk
ECA-6619 - More gracefully handle deploying a Community release on an Enterprise installation
ECA-6637 - Basic System Configuration YAML export
ECA-6642 - When calling WS separate error messages if not authorized or if WS is disabled
ECA-6643 - Report unhandled getters in ConfigDump as errors
ECA-6645 - Make crypto token page resilient against NPE when downgrading to Community
ECA-6650 - Ability to provide password piped to PKCS11HSMKeyTool
ECA-6651 - Update all links in the PrimeKey site to point to the new documentation.
ECA-6652 - ClientToolBox: document that generatenewuser uses two WS calls, and reference to certreq for the same functionality with a single WS call
ECA-6653 - EST re-enrollment should not also require username and password authentication
ECA-6657 - Improve performance when adding a warning to each key in the crypto token already in use by another CA
ECA-6658 - Run.bat not in ejbca-db-cli
ECA-6675 - Move release notes, change log and upgrade documentation to Confluence
ECA-6679 - ConfigDump should handle relative paths on the CLI
ECA-6693 - Add ability to set explicitecc Crypto Token flag when renewing CA using the CLI
ECA-6697 - Allow for the same CT log appear in multiple CT log groups
ECA-6701 - Add Last-Modified, Expires and Etag headers to OCSP Post Responses
ECA-6706 - Restructure OCSP unid extension module to ejbca-ejb
ECA-6708 - Update tests for ProtocolLookupServerHttpTest for new UNID implementation
ECA-6716 - Remove Unid Data Source configuration and clean up Unid tests
ECA-6722 - Improve OCSP Extensions section in Admin GUI
ECA-6729 - File upload for test function of ExternalCommandCertificateValidator broken for Firefox and Chrome
Bug Fixes
ECA-5683 - Unescape escaped characters in SubjectAltName
ECA-6110 - Save should result in an error when 'Required' is checked for Subject DN Attributes
ECA-6489 - Header/footer filenames in System Configuration get reverted to default values
ECA-6500 - Typo in cesecore.properties.sample about ca.keepocspextendedservice
ECA-6502 - Approval state is not saved in Admin GUI
ECA-6507 - Certificate profile Approval style broken/ugly
ECA-6508 - ${ca.tokenpassword} in cli.xml should be quoted to allow whitespace and empty password
ECA-6510 - Cannot create certificate with a plus sign in SAN URI field
ECA-6538 - Modify all calls to FileUtils.writeStringToFile(...) to specify charset.
ECA-6548 - Approval Profiles WARNING javax.enterprise.resource.webcontainer.jsf.renderkit
ECA-6555 - Approve Actions with Status 'Expired' shows when Status 'Waiting' is used
ECA-6559 - Regression: CA Functions page broken due to non-JSP friendly code
ECA-6564 - Replace the word 'Unselect' by 'Deselect' in English language
ECA-6570 - Default CA Id is incorrect when importing an end entity profile with a missing CA Id
ECA-6571 - Search for expired approvals in RA Web is broken
ECA-6575 - Regression: importcacert command does not work with parameter 'initauth'
ECA-6579 - GUI: Word 'Actions' with 's' in table column headers
ECA-6581 - Regression: Add End Entity with name constraints permitted causes stacktrace
ECA-6589 - Regression: Editing an EE with name constraints causes NPE
ECA-6591 - Regression: DynamicUiProperty radio buttons not rendered
ECA-6597 - CAFingerprint of certificates are not populated correctly when importing CA and user certificates
ECA-6602 - Missing last used EE profile in Admin Preferences causes ConfigDump error
ECA-6609 - GUI: Tables graphically broken on home page
ECA-6621 - RA Web: Alignment of Certificate table
ECA-6639 - RA: New role can not be created if RA-login-role belongs to Namespace
ECA-6640 - Advanced search of EE doesn't follow RA Admin profile restrictions
ECA-6641 - WS through Peer RA does not work without a local Role on the RA
ECA-6644 - clientToolBox can not create proper CVCA link certificates
ECA-6654 - PublicCryptoToken can't be used for database protection verification
ECA-6656 - Order of SAN fields should not change if it comes from the CSR
ECA-6660 - RA: A comma in the certificate subject DN is displayed with leading /
ECA-6677 - ejbca-setup quick install script fails to run SQL cleanup commands
ECA-6678 - Warning about missing IKB ID null from ConfigDump
ECA-6681 - Fix warning about missing Validator getters from ConfigDump
ECA-6694 - CMP Configuration upgrade does not work
ECA-6698 - Unknown key binding causes Internal Key Bindings page to crash
ECA-6699 - CT label requirements (e.g. Google / non-Google) are sometimes not satisfied
ECA-6709 - Regression: Certificates with tag characters < > in directory name cannot be imported
ECA-6712 - 'Use IODEF E-mail' and 'Use IODEF WEB' checkmarks are behaving strangely
ECA-6718 - keyRecover WS call forwarded over peer connection throws if not available locally
ECA-6723 - OCSP signing cache does not update properly.
ECA-6725 - Fields not disabled when viewing a Validator
ECA-6730 - Fix test failures due to NPE in CaTestCase
EJBCA 6.11.1
Bug Fixes
ECA-6431 - End Entity Profile field validation should not allow empty fields
ECA-6439 - GeneralPurposeCustomPublisher test command shows error message with empty path
ECA-6443 - clientToolBox OCSP GET does not work with TLS connections
ECA-6461 - Regression: Cannot enroll in Public Web
ECA-6463 - Fix CrmfRequestTest.test12ServerGeneratedKeys
ECA-6467 - Null pointer exception when enrolling with EC in RA web
ECA-6471 - Regression: It's only possible to add partitions to the first approval step
ECA-6481 - Base64 decoding fails with BC v1.59
ECA-6509 - XStream 1.4 lib requires JDK8
ECA-6535 - EST not working on local CA when a peer connection to a VA is present
ECA-6537 - EST: in EST profile Certificate Profile field not updated automatically when End Entity profile field is changed
ECA-6542 - EST Aliases fail to add values for future keys
ECA-6547 - Regression: Approval requests cannot be edited
ECA-6556 - EST certificate profile and default CA is stored with name instead of ID
ECA-6587 - No End Entity Profiles selected when viewing Role in Basic Mode after upgrading
ECA-6603 - EST - Enroll with username/password not working through external RA
ECA-6622 - CAA Issuance fails for domains where both issue and issuewild records exist in a certain order
ECA-6624 - PeerConnectionTest.publishCertificate fails with database protection enabled
ECA-6625 - Regression: Statedump and Database CLI don't work with JDK8
ECA-6633 - CMP: check if extraCert is active does not consider if it is notified about expiration
ECA-6638 - Crypto Tokens are re-created and activated every time cache is reloaded
Epic
ECA-6468 - CMP changes to return caPub certificates and lessen DN checks on VC certificate
New Features
ECA-6212 - Add support for SHA3 signature algorithms
ECA-6512 - CMP Vendor mode: ability to issue multiple certificates authenticated by the same Vendor certificate
ECA-6577 - CMP ability to select CA certificates to add to caPubs in CMP responses (multiple order defined)
ECA-6601 - CMP ability to select CA certificates to add to extraCerts in CMP responses (multiple order defined)
Improvements
ECA-6434 - CMP Vendor mode: Ability to have different requestDN from VendorCert DN where request DN lacks extract username component
ECA-6435 - CMP Vendor mode: Ability to have different requestDN from VendorCert DN
ECA-6440 - ExternalCommandCertificateValidator to call external scripts only
ECA-6460 - Upgrade EJBCA to BC 1.59
ECA-6536 - Info logging for incoming and outgoing EST requests
ECA-6540 - EST: improve help messages in EST alias
ECA-6541 - EST/CMP/SCEP configuration should use password field
ECA-6558 - Make EST be displayed in a nice way Enterprise vs Community
ECA-6569 - Documentation: clarify steps to renew OCSP certificates
ECA-6573 - Update CustomerLdapPublisher1
ECA-6574 - Add documentation links to CMP and EST aliases pages
ECA-6631 - CMP: find registered end entity by DN if username (extracted from DN) is not found
ECA-6632 - CMP: don't include trust anchor in extraCert certificate list to verify
EJBCA 6.11.0.1
2018-01-11
Bug Fixes
ECA-6470 - Regression: Editing of approval profiles with multiple steps is broken
ECA-6472 - Approval Requests with view rights don't turn up under the pending tab
ECA-6490 - All approval partitions are visible when approving in the CA GUI
ECA-6495 - EC Validator doesn't recognize keys with "EC" as algorithm
ECA-6496 - RA Web, improve session re-authentication checks
ECA-6498 - Minor security issue
ECA-6504 - Null Pointer Exception when opening executed approval in Admin GUI
New Features
ECA-6454 - Add NoCacheFilter to Public Web
Improvements
ECA-6482 - RA Style Improvements
ECA-6497 - Improve authentication checks in Admin Web
EJBCA 6.11.0
2018-01-02
Bug Fixes
ECA-6086 - Document CAA IODEF limitations
ECA-6120 - Document that CAA Validator requires TCP ports to be open in firewall
ECA-6187 - clientToolBox. SCEPTest compares the wrong types in responses
ECA-6199 - AdminWeb: Partitioned approval "Request has been executed"
ECA-6222 - Public key exponent min value can be larger than max value for the RSA Key Validator.
ECA-6223 - Possible to enter negative values in all numerical fields in RSA Key Validator
ECA-6236 - Titles "Import CRL" and "Basic Functions" are not localized
ECA-6237 - Display bug in Certificate Profile viewing
ECA-6238 - GUI: Unknown language keys found in Audit Log
ECA-6264 - Fix javadoc compilation errors
ECA-6326 - Error when listing tokens on a HSM
ECA-6330 - Error if default OCSP responder is set to NONE
ECA-6345 - EJBCA Certificate Enrollment Error page
ECA-6348 - When trying to navigate RA Web nothing happens (blank page). Error message occurred in logs
ECA-6371 - Status labels not localized in "Protocol Configuration"
ECA-6374 - ECC Key Validator shows incorrect label
ECA-6376 - Add fields in Partitioned Approval results in java.lang.NullPointerException
ECA-6388 - RA Web: Role Members issued by External CAs states "Unknown CA"
ECA-6391 - CT Log Lifetime table accepts negative values
ECA-6392 - Supervisor does not have access to certificate in audit log
ECA-6417 - MAXFAILEDLOGINATTEMPTS in ExtendedInformation can be saved as a string if set via WS
ECA-6421 - Regression: System Config cannot be saved, NPE
ECA-6422 - Google Ct Policy is reset after flushing cache and saving
ECA-6424 - Clicking on Add End Entity(request) in Approve actions page results in Internal Server Error
ECA-6427 - Misplaced null check in EST operations session bean
ECA-6429 - Regression: NPE in Admin GUI editing CVC CA that was created before validators
ECA-6433 - RA Web: End Entity status change doesn't work from external RA
ECA-6442 - Add dummy AlwaysAllowAuthenticationToken.InternalMatchValue in order to deserialize expired approval requests
ECA-6445 - Upgrade of CAA Validator not triggered when ValidatorBase changed
ECA-6449 - All form fields in End Entity Profiles page should have auto-complete disabled
New Feature
ECA-4220 - Support for EST protocol
ECA-4650 - GUI: View functionality for default certificate profiles
ECA-5869 - Add links to an End Entity's certificates in the RA EE Search page.
ECA-5870 - Allow for EE status change from the RA
ECA-5997 - StateDump Validators
ECA-6051 - Add post-processing to Validator framework
ECA-6083 - In the Create CA screen, add a warning to each key in the crypto token that is already used by another CA
ECA-6279 - Add GUI support for CAA misissuance reports w. IODEF
ECA-6280 - Add WS IODEF support in backend for CAA misissuance reports
ECA-6293 - Implement datatype for IODEF
ECA-6313 - Use XML converter for IODEF types
ECA-6315 - Support for CVC certificate extensions
ECA-6383 - Support for FIPS 201-2 PIV FASC-N subjectAltName
ECA-6404 - Include CMP Transaction ID in the log of CMP Proxy
ECA-6425 - Password generator in clientToolBox
ECA-6447 - Add a configurable whitelist to external validators
ECA-6455 - Write documentation for EST
Task
ECA-5944 - Go through RaMasterApi and verify that the presence of a certificate does not prevent forwarding of the request
Improvement
ECA-3838 - Move DummyApprovalRequest into a test module
ECA-3844 - Move all CRUD methods from CAData into CaSessionBean
ECA-4476 - Name constraints should be validated before approval request gets added
ECA-6155 - Make "treat lookup failure as permission to issue" configurable for CAA lookups
ECA-6229 - Clean up unused language keys
ECA-6246 - Introduce protocol configurations in system config
ECA-6247 - Deny access to disabled protocols globally
ECA-6249 - Modular Protocol Configuration to the RA over Peers
ECA-6257 - Code clean up in RA Preferences.
ECA-6285 - Improve comment about 'web.errorpage.notification' in 'web.properties.sample'
ECA-6286 - Standard Date/Time examples for the logs
ECA-6291 - Language files clean up, sorting "Mostly Configuration Module"
ECA-6329 - OcspKeybindings should display active status
ECA-6331 - Refactoring "HELPER" message keys in language files
ECA-6333 - Document modular protocol configuration
ECA-6366 - Add jboss-deployment-structure for BC provider on Oracle JDK for external RA SCEP server
ECA-6367 - Add a constant for key purpose 0, defaultKey
ECA-6368 - Remove old unused help links
ECA-6369 - Change default OCSP signature algorithm to use SHA-256
ECA-6370 - Update 'second' CSS style according to 'default' one
ECA-6377 - Move profile ID constants into the correct classes
ECA-6379 - Old list of Role Members is used when an Approval Request is created
ECA-6396 - Specify Bouncy Castle provider explicitly for audit log verification
ECA-6402 - Add test for expiration year filtering of CT Logs
ECA-6405 - Notify user when RA is offline
ECA-6407 - Modular protocol configuration over Peers using access rules
ECA-6409 - Internal Key Bindings page throws exceptions when there's a crypto token error
ECA-6410 - Modular protocol configuration improvements - Implement servlet filter
ECA-6418 - Improve error handling for CV certificates
ECA-6423 - Add Javadoc for CaConstants
ECA-6428 - Modular protocol configuration improvements - UI, Configuration
ECA-6430 - Custom CVC extensions in link certificates
ECA-6432 - Improve error message to distinguish between client and server cert in peer connector
ECA-6446 - Add a system configuration value for enabling External Command Validators
ECA-6452 - "External Command" text frame in External Command Certificate Validator should be wider
ECA-6457 - Create an upgrade routine that enables External Scripts (under System Configuration) only if any General Purpose Custom Publishers exist
EJBCA 6.10.1.1
2017-12-15
Bug Fixes
ECA-6426 - EJBCA needs "System upgrade" (from 6.8 -> 6.10.1) on a freshly installed database on the appliance
EJBCA 6.10.1
2017-12-11
Bug Fixes
ECA-5945 - 'Roles which may approve this partition' resets when Members of role changes
ECA-5977 - Continue to check connectivity to peers after MariaDB Galera Cluster error
ECA-6198 - Upgrading KeyRecoveryData (with rows) past EJBCA 6.1.0 will fail
ECA-6250 - AccessTreeUpdateData accessed too often, causing performance reduction
ECA-6256 - "Description" attribute can not be used in Subject DN
ECA-6258 - Approval partition metadata doesn't show up unless the partition has a title
ECA-6264 - Fix javadoc compilation errors
ECA-6268 - Approval metadata is lost in the RA gui when a request moves from Pending to Processed
ECA-6274 - Approving/Viewing roles are removed when metadata is added to an Approval Profile
ECA-6278 - CA Renewal with name change logs caid as 0
ECA-6281 - Add flag to not reverse Custom DN order by the LDAP DN Order setting
ECA-6300 - upgrade() in CAs should set new version last
ECA-6327 - Wrong CT error message when saving certificate profile
ECA-6341 - Upgrade of extended services from version before EJBCA 5 doesn't work correctly
ECA-6343 - AccessUserAspectData must handle null matchValues after upgrade
ECA-6346 - CAA fails to ignore issuewild statements for non-wildcard domains
ECA-6348 - When trying to navigate RA Web nothing happens (Blank page). Error message occurred in logs
ECA-6349 - Error editing access rules and members in role in GUI after upgrade, can not get role with negative ID
ECA-6358 - RA End Entity Search stops working until page reload if session is lost
ECA-6359 - Certificates with null or zero End Entity Profile not accessible through RA
ECA-6360 - X509AuthenticationToken match should ignore null values
ECA-6375 - CAA misspelled in documentation
ECA-6382 - Adding a new CT log without a label makes it unselectable
ECA-6389 - Cosmetic Fixes to CT Log Configuration
ECA-6393 - Sort CT Labels
ECA-6394 - search.cgi certificate download by subjectKeyID hash doesn't always return the last if there are multiple
ECA-6395 - Remove CTLOGTAB_MOVEDCTLOGS message
ECA-6403 - Minimum SCTs should be possible to set to zero
New Features
ECA-6303 - Replace the current "mandatory/non-mandatory" setting for CT logs with a basic label system
ECA-6304 - Upgrade CT logs using the mandatory/non-mandatory binary setting to the label system
ECA-6305 - Document new CT logs features
ECA-6307 - Add code to System Configuration for adding/removing/editing CT log labels
ECA-6309 - Modify Certificate Profiles to use the CT log label system instead of the mandatory/non-mandatory for min/max
ECA-6310 - Create a table in CT settings for having the minimum number of logs set by validity at issuance
ECA-6312 - Add an option in Certificate Profiles for CT log publishing to base the minimum number of logs on validity.
ECA-6351 - Add CT backend support for labels, and submit to all logs in parallel
ECA-6363 - Backport CVC Certificate Extensions to 6.10.1
ECA-6365 - Custom CVC extensions in certificate requests
ECA-6385 - Allow CT submission to use implicit min/max defined by validity (configuration option)
ECA-6399 - Allow CT submission to use implicit min/max defined by validity (backend)
Improvements
ECA-6406 - Fix CT performance and error logging regressions
ECA-5879 - Update quick install guide with ejbca-setup scripted installation
ECA-6248 - Microoptimization of X509CertificateAuthenticationToken
ECA-6260 - CaSession.getAllCaIds queries the database every time and should be cached
ECA-6261 - Micro-optimize status lookup in WebAuthenticationSession.authenticate
ECA-6262 - RaMasterAPI should cache active CA to determine if backend is available
ECA-6263 - CertificateData.existsByIssuerAndSerno can be micro-optimized
ECA-6270 - Micro-optimize EndEntityManagementSession.existsUser
ECA-6275 - Micro-optimize away one getIssuerDN in CertificateCreateSessionBean
ECA-6276 - Remove dual verification of POPO
ECA-6277 - Optimize to avoid repeated certificate encoding/decoding converting into BC class
ECA-6297 - Optimize EjbcaWS to only enrich with raw subject DN when override will be used
ECA-6306 - Avoid ArrayCopy in DNFieldExtractor.getUseFields
ECA-6308 - Pre-allocate enough byte array buffer when writing XML
ECA-6311 - Cache StringTools internal CharSet for forbidden characters
ECA-6314 - Don't use Exception as condition handling in RequestMessageUtils
ECA-6317 - Micro-optimize exists queries and get status
ECA-6318 - Save one BCrypt operation internally in a transaction
ECA-6334 - Remove old CT code
ECA-6335 - Document required upgrade steps from EJBCA 3.x to 6.10
ECA-6353 - Duplicated role members after upgrade to 6.8
ECA-6381 - Forbid upgrading EJBCA from versions prior to 5.0.0
ECA-6397 - Filter CT logs based on expiration date of certificate
EJBCA 6.10.0.2/3
2017-11-21
Bug Fixes
ECA-6346 - CAA fails to ignore issuewild statements for non-wildcard domains
EJBCA 6.10.0.1
2017-11-08
Bug Fixes
ECA-6251 - Regression: "Custom" access rule template no longer shows up in the simple role page
ECA-6267 - Regression: Don't issue for gazebear.org
ECA-6269 - Regression: Preferences tab in RA gives error
ECA-6273 - References to commons-logging upgrade not updated for CMP Proxy
Improvements
ECA-6244 - Issue for gazebear.info when DNSSEC enabled
EJBCA 6.10.0
2017-11-01
Bug
ECA-5959 - Disabling OcspKeyBinding doesn't take effect until restart
ECA-6004 - RA Web: The field SAN MS-UPN is broken in Make New Request
ECA-6042 - Forbid non-modifiable empty Subject DN/Alt Name/Directory Attributes in EEP
ECA-6043 - Public Web: Create Keystore for Key Recovery displays Key specification drop-down menu
ECA-6101 - Disabling authorization cache, with value -1, gives error
ECA-6102 - Possible NPE when looking for database error to display
ECA-6119 - Regression: Role Members normalizes serial numbers with leading zeros
ECA-6143 - Regression: RA web can't process CSR
ECA-6147 - CMP Revocation with PBE responseProtection where KeyId is missing gives NPE
ECA-6151 - Misplaced "invalid certificate request" message
ECA-6153 - Regression: Processed approvals not listed in RA web
ECA-6157 - NPE in RA enrollment page when there's an end entity e-mail but no SAN
ECA-6158 - EST checkin causes Community build to fail
ECA-6159 - CMP: revocation should handle empty header.recipient
ECA-6163 - CAA Validator outputs stacktrace for expired DNSSEC protected records
ECA-6164 - Regression: ClassCastException when visiting "Search End Entities" in /ejbca/adminweb
ECA-6181 - NPE editing end entity with name constraints in profile, but no ExtendedInformation in entity
ECA-6183 - ServiceTypeHolder and ModuleTypeHolder.equals compares the wrong type
ECA-6184 - HardTokenInformation.equals compares the wrong type
ECA-6185 - RaRoleMemberBean compares the wrong type in getAvailableMatchKeys
ECA-6186 - PeerRaMasterServiceThreadBean compares the wrong type in keepServingRaPeer
ECA-6188 - GUI: Certificate Profiles form visually broken
ECA-6190 - EJBCA 6.x should handle legacy access match types from EJBCA 3.x
ECA-6193 - ejbca.cmd on windows does not handle enough arguments for all commands
ECA-6194 - CMP: enabling CMP over tcp causes deployment failure on modern Jboss
ECA-6201 - CMP: CA by KeyId function should work with internationalized characters, but be limited in length
ECA-6209 - CAA Validator seems to fail for gaps in DNSSEC domain records
ECA-6214 - Fix warnings in CT code
ECA-6216 - EJBCA's implementation of ValidatingResolver fails to receive an NSEC3 if CAA record set on domain is empty
ECA-6218 - Regression: NPE when performing browser enrollment with "allow extension override" enabled
ECA-6225 - Concurrent modification in ConfigurationHolder during startup with custom WS modifications
ECA-6231 - OCSP Responder may crash the VA's default responder signing certificate has expired.
ECA-6232 - Upgrade seems to cause a ConcurrentModificationException since lib upgrade
ECA-6233 - Correct upgrade guide in terms of obligatory versions
ECA-6235 - Hide EST Configuration menu options if module is not present
ECA-6240 - Roles upgraded from old (<4.0) installations may create a stacktrace in the UI
ECA-6242 - commons-configuration 1.10 breaks system tests
New Feature
ECA-5848 - Allow an RA Admin to request a shorter validity time than is set in the profile
ECA-6024 - CMP Central Key Generation
ECA-6095 - Rewrite EJBCA RA Web to be able to read CSS files from an archive stored on the database.
ECA-6096 - Add to the peers protocol the ability to transmit stored CSS archives from the CA to the RA
ECA-6097 - Define RA CSS by the role of the logged in user
ECA-6100 - Add possibility to import and store custom RA CSS file
ECA-6176 - Ability to upload custom logo images and multiple CSS files
ECA-6177 - Enable injection of uploaded logo images
ECA-6178 - Introduce 'Preferences' menu item in RA
ECA-6191 - Mandatory SCT responses
ECA-6195 - Add Infineon weak key checking to RSAKeyValidator (ROCA,
ECA-6197 - Document Custom RA Styles
ECA-6213 - Apply RA Style selected from the 'Preference' menu in RA-web
Improvement
ECA-2723 - When deleting an End Entity Profile, list which end entities/authorization rules that actually use it.
ECA-3222 - CMP: Add back the ability to use "KeyId" in AdminGUI
ECA-5381 - Allow approval of other requests than Add End Entity in the RA if the admin is missing that privilege
ECA-5383 - Upgrade external libraries
ECA-5610 - Pagination during search exceeding max records
ECA-5698 - Improve Certification Authorities usability
ECA-5741 - All search pages appear to be case sensitive
ECA-5927 - Review which Role Member match operators that should be case sensitive
ECA-6108 - Move DnsNameValidatorMock to systemtests-common and log error for possible NPE when loading Profile
ECA-6131 - Not possible to change CA subjectAltName using cli
ECA-6138 - Parallelisation of CAA lookup for certificate with multiple SANs
ECA-6150 - Stop writing complete stack traces for expected validation failures
ECA-6167 - Add Peer Connector RA illustration to architecture documentation
ECA-6168 - GUI: Internal Key Bindings form usability
ECA-6169 - GUI: Certification Authorities form usability
ECA-6170 - GUI: Crypto Token form usability
ECA-6174 - Skip PKCS11-tests if no PKCS11 driver is installed
ECA-6179 - Shorten AIA label in Certificate display popup
ECA-6196 - Improve cache for custom RA styles
ECA-6211 - Add Quirin's tests to CaaTestSuite
ECA-6224 - Increase max length of Admin GUI altName input fields
ECA-6228 - GUI: Validators form usability
ECA-6245 - Remove EJBCA license headers from ValidatingResolver classes
EJBCA 6.9.1
2017-10-06
Bug
ECA-6103 - importcert command fails in some instances for DirectoryName SAN values
ECA-6104 - DNAME records are not followed correctly by CAA Validator
ECA-6115 - CMP: error verifying extraCerts in RA mode when more than the EE cert is present in a chain longer than two
ECA-6117 - Certificate with empty attribute can not be imported
ECA-6121 - CAA Validator doesn't fail for nonsense domains.
ECA-6135 - Regression: Key WS Key recovery requires call to edituser() before enrollment
ECA-6148 - Remaining login attempts counter not decreased using public web
ECA-6152 - Regression: Uploading EC CSRs in RA result in exception
New Feature
ECA-6063 - Make Trust Anchor for CAA Validators configurable
ECA-6116 - Add TTL information to CAA Tool output
ECA-6133 - Add whitelist possibility to CAA Validator
Improvement
ECA-6064 - Optimize issuance by minimizing EndEntity XML encoding/decoding
ECA-6093 - Optimize ConfigurationHolder.getPrefixedPropertyNames
ECA-6105 - Raw subject DN extended information should be base64 encoded
ECA-6118 - Ability to use "description" attribute in directoryName fields
ECA-6122 - Add additional logging to CAA Validator
ECA-6123 - Make recursion depth configurable for CAA Validators
ECA-6127 - CAA Validator should only lookup CAA records instead of ANY
ECA-6128 - Make querying top level domains (TLDs) for CAA lookups optional
ECA-6129 - Introduce DNS lookup caching for multiple SANs in the CAA Validator
ECA-6136 - DNSSEC should be enabled by default in the CAA validator
ECA-6137 - Issue if CAA lookup failed more than once and there is no DNSSEC chain to the ICANN root
ECA-6145 - Support CNAME discovery as in Errata 5065
ECA-6149 - Fill in default CAA Validator timeout in the UI
ECA-6150 - Stop writing complete stack traces for expected validation failures
ECA-6161 - Make DNAME lookups in CAA validator optional
EJBCA 6.9.0.6
2017-09-21
Bug
ECA-6107 - CAA validation allows issuance of wildcard certificates for subdomains, even though issuance is prohibited.
ECA-6124 - CAA max recursion count is triggering for other checks than CNAMES
ECA-6125 - KeyValidatorSession splits DNSNames incorrectly for CAA lookups
ECA-6126 - CAA Validator fails for a SocketTimeoutException
EJBCA 6.9.0.5
2017-09-08
Improvement
ECA-6107 - CAA validation allows issuance of wildcard certificates for subdomains, even though issuance is prohibited.
EJBCA 6.9.0.4
2017-09-07
Improvement
ECA-6106 - CAA Validator should keep looking up domain tree even if NXDOMAIN is encountered
EJBCA 6.9.0.3
2017-09-05
Bug
ECA-6099 - RA Web: Trying to enroll P12 for user added in Admin GUI gives NPE
EJBCA 6.9.0.2
2017-08-30
Bug
ECA-6088 - Create tables scripts all refer to the PublicKeyBlacklistData instead of BlacklistData
EJBCA 6.9.0.1
2017-08-29
Bug
ECA-6088 - Role Member caching does not play well with clusters
ECA-6089 - NPE when upgrading from 6.9.0Beta to 6.9.0Final due to IODEF
ECA-6091 - NPE in View Certificates in RA Web if certificates have no KeyUsage
EJBCA 6.9.0
2017-08-28
Bug
ECA-4853 - Some fields aren't grayed out in read-only services
ECA-5524 - Admin GUI should prevent saving of empty QC statement
ECA-5672 - Add/Edit End Entity page silently removes e-mail if domain is omitted
ECA-5904 - Stack trace printed on screen when enrolling EE with invalid QC
ECA-5905 - Link certificate should have the same expire date as old ca certificate
ECA-5917 - Auditor, wrong layout on 'Certificate Profiles'
ECA-5946 - Possible to send a request to create an End Entity that already exists from RA Web
ECA-5949 - WebService API: the field sendNotification in UserDataVOWS isn't set
ECA-5950 - Duplicate entries of the member 'SuperAdmin' in 'Super Administrator Role'
ECA-5960 - CMPv2 extraCerts field not correctly (re)ordered in all cases
ECA-5965 - Missing value for view_request_page_data_value_UNREVOKE
ECA-5967 - E-mail notification sends the old 'uniqueId' if request has been rejected
ECA-5969 - transactionId and recipiantNonce are not always set in CMP error messages.
ECA-5971 - NullPointerException if clicking 'Save state' in failed Approval Action window
ECA-5975 - getApprovalProfileForAction can throw exception if no approval is required
ECA-5978 - RA enrollment with requestid doesn't authenticate password with reusecert = true
ECA-5979 - Request to change Username of End Entity changes the Username and sends a request
ECA-5980 - Unable to approve End Entity revocation request
ECA-5981 - Enrollment by username does not work on the RA
ECA-5984 - Two admins opening the same approval request and trying to approve causes NullPointerException
ECA-5988 - Checking if key recovery is possible in the RA checks all listed certificates
ECA-5989 - Statedump: "AuthorizationDeniedException: Granted access of the current administrator might be affected by this change"
ECA-6003 - Public Web: The field SAN MS-UPN is broken in Self-registration
ECA-6005 - Various NPEs for CMP Revocation requests with faulty payloads
ECA-6009 - ClearCache fails with exception in some cases
ECA-6012 - Key recovery flag not reset on rejected approval using local key generation
ECA-6016 - Approval Profiles doesn't update until logout
ECA-6018 - Deleting an Approval/Certificate Profile and then clicking 'View' causes NullPointerException
ECA-6020 - Adding end entity in admin GUI with autogenerated username gives error
ECA-6022 - Rejecting both partitions of Approval Request generates error message
ECA-6023 - AuthenticationKeyBinding.isClientSSLCertificate should not require KU keyEncipherment
ECA-6030 - Upgrade is never called for Validator
ECA-6033 - Non-modifiable empty End Entity E-mail should not be allowed in EEP
ECA-6034 - WebService: CertificateCreateException should be wrapped in order to pass on good message and error code to client
ECA-6035 - Selecting nothing under 'Available CAs' when editing an EEP causes NullPointerException
ECA-6036 - Public Web Request Registration should not display step 2 if EEP/CP is invalid
ECA-6060 - Disabled remote key bindings not displayed as such in admin gui
ECA-6061 - End entity profiles with User Notifications can't be imported
ECA-6065 - 'New...' button for 'Namespace' does not function if you haven't selected an existing 'Namespace'
ECA-6066 - CA_Administrator documentation does not match about 'Renew CA'
ECA-6070 - Approving a Key Recovery request on the RA requires /ca_functionality/approve_caaction/
ECA-6074 - RA Web: enroll with username and code displays "Key Algorithm: null null"
ECA-6076 - 'Available bit lengths' is disabled under 'RSA Key Validator Settings'
ECA-6080 - Auditor pre-defined role can not view selected Validators
ECA-6081 - Validators Access Rules not saved for RA Administrators,Auditors and Supervisors pre-defined role
Epic
ECA-5175 - Support for delegated key pair generation
New Feature
ECA-2853 - Implement CMP ImplicitConfirm
ECA-4219 - Verify public keys before cert issuance
ECA-5286 - Make CA based Key recovery possible on RA
ECA-5627 - DNS Certification Authority Authorization (CAA) Resource Record
ECA-5644 - Add the ability to download P10 from approval and end entity view in RA
ECA-5866 - Add configuration value to approval profiles for whether or not the original submitter should be allowed to approve
ECA-5954 - Add system config option for local key generation
ECA-5955 - Document Key validators
ECA-5956 - Encrypt keypair for key recovery using a selectable crypto token, for local key generation
ECA-5957 - Ability to request key recovery from RA Web
ECA-5966 - Add MIME type for VBScript (for IE enrollment)
ECA-5972 - Support for getting the certificate chain as response in the IKB update message
ECA-5983 - Document delegated key recovery
ECA-5987 - Make it possible to mark certificate for recovery using local key generation
ECA-6006 - ClearCacheCommand should clear validator cache
ECA-6019 - Add EjbcaWS support for key recovery with local key pair generation
ECA-6045 - Implement CAA Validator in EJBCA
ECA-6047 - Implement the IODEF CAA record type (e-mail)
Task
ECA-6015 - Update RA documentation with Role Management
ECA-6021 - Work around hibernate bug with MS-SQL that makes ResultSetMapping fail
ECA-6025 - Document how to increase max parameter count in WildFly
Improvement
ECA-5697 - Certificate Profiles usability
ECA-5884 - Upgrade EJBCA to BouncyCastle 1.57
ECA-5907 - certprofiles.zip / entityprofiles.zip is not a zip file
ECA-5919 - Name Constraints exception when adding End Entity
ECA-5948 - Make pre-issuance public key blacklist available outside of EJB context
ECA-5952 - Base key validators on Profiles and put into ProfileData
ECA-5958 - Extract ProfileSessionBean from ApprovalProfileSessionBean
ECA-5962 - cmpclient: be more forgiving of cache-control content
ECA-5974 - Restrict visibility of key validators by Certificate Profile
ECA-5976 - Move KeyValidatorsBean.importKeyValidatorsFromZip(byte) into session beans
ECA-5996 - SecureXMLDecoder should handle exported classes
ECA-5999 - Remove unused constants from UserDataVOWS
ECA-6000 - Improve label consistency on role pages in the RA
ECA-6007 - Improve Role Member performance
ECA-6013 - Default PKCS #11 libraries updated (OpenSC, SoftHSM, PKCS11 Spy)
ECA-6014 - Sort list of CAs and Certificate Profiles in the CMP alias page
ECA-6028 - System test for delegated key generation
ECA-6029 - Have EjbcaWS.getRemainingNumberOfApprovals(int) throw exceptions for approval requests which have been denied or which have expired
ECA-6054 - Generalize PublicKeyBlacklistData into BlacklistData
ECA-6062 - Sort validators alphabetically and list validator type in menu
ECA-6067 - Have selecting the "Apply for all Certificate Profiles" checkbox in Validators disable the "Apply for Certificate Profiles" list
ECA-6077 - Documentation on the format and perform validation on certificate validity fields on Validators Edit page
ECA-6079 - Validators is not available for pre-defined RA_Administrator
ECA-6082 - Remove imports/export functionality for Validators.
EJBCA 6.8.0.1
2017-08-17
Improvement
ECA-6056 - Databaseprotection does not work with CertificateProfiles using Approvals
EJBCA 6.8.0
2017-06-19
Technical Requirement
ECA-4793 - RA configuration should be retrieved from the CA
Bug
ECA-4550 - Space in email field results in misleading error message
ECA-5287 - Stack overflow on peer RA if the rule /ra_master_invoke_api is not accepted
ECA-5311 - RA Enrollment does not work if the request was added in the AdminGui
ECA-5364 - CSR in End Entity extendedInformation is removed when request is edited in admin GUI
ECA-5380 - Approve Actions search does not work with certain Status options if approval is expired
ECA-5453 - DN value with only spaces causes exception in the RA enrollment page
ECA-5458 - Extra access rules are required for creating certificates through the RA
ECA-5480 - Remove prioritization arrows in View page for Approval Steps
ECA-5483 - Buttons positions under Approval Steps are not positioned properly
ECA-5485 - Approve Actions table items are not aligned properly
ECA-5604 - /ca_functionality/view_certificate is seemingly unused
ECA-5623 - When editing end entities timeModified and timeCreated are logged incorrectly
ECA-5628 - Command description for RevokeCertificateCommand breaks formatting.
ECA-5694 - Disable prioritizing arrows in Approval Profiles view-only
ECA-5707 - Error sending approval profile notifications using MS-SQL
ECA-5712 - 'Use UTF-8 in policy notice text' is disabled using the External CA
ECA-5722 - Searching for certificates by serial number does not work in the RA
ECA-5731 - GUI: Cosmetic bug in CA edit page
ECA-5735 - WaitingForApprovalException changed in core but not WS
ECA-5743 - Enable fresh install with new authorization system
ECA-5748 - AccessRulePlugin needs to be able to provide resource name
ECA-5758 - End Entity Profiles allows for creating hidden EEPs based on case
ECA-5762 - EJBCA Installation Instructions, missing reload when adding email service
ECA-5767 - Soft CA Token key alias set to wrong value in upgrade from 4.0
ECA-5772 - Subscribe cache to local authorizations system updates
ECA-5776 - RoleMemberData.tokenMatchValue is not allowed to be empty on Oracle
ECA-5778 - Crypto Tokens page considers an apostrophe invalid in character names
ECA-5784 - Legacy script based autoenrolment should not remove end entity profile
ECA-5791 - Incorrect syntax in generated SQL query when searching for approval requests
ECA-5794 - Denying access rule /ca/ (recursive for all CAs) allows listing of end entities from multiple CAs
ECA-5801 - CMP: RA CA not found when using ProfileDefault EndEntityCertificate authentication module
ECA-5803 - CMP key update request updates revoked certificates
ECA-5807 - Attempting to add hard token issuer with insufficient access displays NumberFormatException
ECA-5808 - Documentation regression: Error in installation instruction
ECA-5812 - Internal key bindings allows listing of CAs not authorized to role
ECA-5815 - Can't close role add/rename/delete dialogs if there's an error
ECA-5822 - Importing a certificate in the CLI to a keybinding with the wrong keys causes a stacktrace
ECA-5823 - CMP error handling causes a NullPointerException if message header lacks transaction ID
ECA-5824 - Simplified AdminGUI authorization for request processing configuration fails to set all rules
ECA-5829 - Advanced Search End Entities page in CA UI doesn't parse apostrophes
ECA-5830 - Details column in Audit log shows only encoded base64 if text contains accent characters (ë, è, ê, etc)
ECA-5831 - Non-ASCII characters in audit log export are incorrectly encoded as XML entities
ECA-5834 - Search for on audit log using 'contains' on 'Details' column can't parse apostrophes
ECA-5850 - Timing sensitive CT unit tests can fail if they run first
ECA-5853 - Upgrade to 6.7.0 fails due to Use Default CA Issue value
ECA-5859 - Change crypto token CLI command does not work if old crypto token does not exist
ECA-5861 - Regression: EjbcaConfigurationHolder produces unwanted garbage output in CLI
ECA-5871 - End Entity Profiles are sorted case sensitive in Access Rules Page.
ECA-5872 - Viewing EE in RA-gui displays approval request ID incorrectly
ECA-5874 - Custom certificate extension in GUI is missing RAW encoding option
ECA-5887 - CESeCoreUtils.makeKeyUnmodifiable reports success even if HSM does not allow to change CKA_MODIFIABLE
ECA-5888 - Better error message handling requests with dnEmail or UPN without @
ECA-5890 - InternalKeybinding properties render in the wrong order
ECA-5892 - PDS URL + location inside a QCstatement is not persisted when exporting the certificate profile
ECA-5893 - Regression: Certificate profiles cannot be imported
ECA-5895 - RA Manage request review causes NPE for revocation request
ECA-5898 - Wrong default timeout for CT Logs
ECA-5906 - 'Save state' in executed 'Approve Action' leads to NullPointerException
ECA-5910 - Cloning an approval profile puts the old ID in the data of the new profile
ECA-5911 - Approve request to add already existing End Entity causes NullPointerException
ECA-5916 - CA Name Change link certificate shows wrong Issuer DN
ECA-5918 - error in console log when editing certificate profiles
ECA-5922 - Statedump: Internal key binding properties are not imported
ECA-5923 - Create CA as CA Administrator gives Error message: For input string: ""
ECA-5924 - Access to all CA's required to edit CA
ECA-5925 - Exception removing last radio button on approval profile
ECA-5930 - Old ExternalRA needs Base64GetHashMap as acceptable class for serialization
ECA-5934 - Debug log always, falsely, claims cadata can not be fetched
ECA-5938 - Unable to save end entity profiles without specified date when custom validity is enabled
ECA-5939 - Available CAs in End Entity profile not sorted properly
ECA-5940 - Perform more stringent validation of CMP Vendor and RA mode extraCert certificates
New Feature
ECA-4222 - Support the EFF ACME (REST) protocol
ECA-4779 - Support Windows Autoenrollment through a proxied RA
ECA-5019 - Rolling upgrades of CA and RA servers should be possible
ECA-5174 - Add GUI and WS support for ID on SIM subjectAltName
ECA-5337 - WS method to import/update external CA certificates
ECA-5617 - Create the new RoleMemberData object and associated session bean.
ECA-5618 - Upgrade Roles/Rules according to the new design.
ECA-5625 - Ability to do post-upgrade from GUI
ECA-5629 - Create the new RoleData object and associated session bean.
ECA-5630 - Create a basic page in the RA UI for Roles Management
ECA-5631 - Create an RA page for Roles Management
ECA-5632 - Create an RA page for Roles Members Management
ECA-5633 - Create an RA page for editing Role and Access Rules Management
ECA-5634 - Upgrade Role Members according to the new design.
ECA-5635 - Use new Role and RoleMember instead of AdminGroupData and AdminEntityData
ECA-5648 - Use value object RoleMember instead of RoleMemberData in API
ECA-5653 - Add tokenIssuerId column to RoleMemberData
ECA-5669 - Cache authorizations for the exact same client
ECA-5676 - Always delete all Role's RoleMembers when deleted
ECA-5714 - Add human readable description to Role Members
ECA-5734 - Add P11Spy as known P11 implementation to web.properties
ECA-5737 - Provide conversion from Role's accessRules to AccessSet
ECA-5742 - Create system tests for RoleMemberSessionBean
ECA-5751 - Handle HardTokenIssuerData.adminGroupId during upgrade
ECA-5755 - Write system tests for role namespaces
ECA-5773 - Create documentation for all and any rules used in EJBCA
ECA-5796 - Experimental support for Curve25519 (ECDSA with Curve25519 curve)
ECA-5800 - Document all Audit Log Events
ECA-5817 - RaMasterApi with outgoing upstream connection from RA
ECA-5825 - System test RA over outgoing peer connections
ECA-5842 - Ability to modify the built-in password encryption/obfuscation key
ECA-5843 - Add Georgian as a language to QC Statements extension
ECA-5846 - Implement CMP proxying on the RA
ECA-5857 - Ability to download CSR from Approve requests and view end entity in RA
ECA-5867 - Add Vietnamese language files
ECA-5880 - Create "Unknown is unauthorized" mode for OCSP responses
ECA-5886 - Disable the nonce extension for individual OCSP responders.
ECA-5891 - Add Utimaco P11 R2 to default P11 libraries
ECA-5894 - Add a WS method for getting the number of approval remaining for a certain request.
Story
ECA-4790 - KaRA should be well documented
ECA-5170 - Public RA user must be able to finalize legacy enrollment with username and enrollment code
Task
ECA-5010 - Remove EJBCA wiki
ECA-5775 - Clear RA cache on the cache reload event
ECA-5878 - Add contributed ejbca-setup script downloading and installing full EJBCA Community
ECA-5897 - Revert changes that were made to EJBCA trunk during original ACME implementation
Improvement
ECA-3164 - Use implicit match type for admins
ECA-3363 - Auto register AccessMatchValues by using ServiceLoader for AuthenticationTokens
ECA-3607 - Modify CLI to fail gracefully in case appserver is not running
ECA-4097 - When editing EE profiles, if the default Cert profile is chosen as default but not among the allowed, it is added
ECA-4530 - Prohibit admin from lowering own access
ECA-4844 - Approval requests sorting should be shown with an icon
ECA-5444 - Correct size of drop down boxes in RA search pages
ECA-5544 - Improve RA log messages
ECA-5545 - RA enrollment: Show/hide details button is shown when it's not needed
ECA-5581 - Rename the "View More" link to something more obvious on approval page
ECA-5584 - Log info on key used for database-protection
ECA-5607 - Preparations for optimized lookup of preferred match value
ECA-5614 - Treat authorization as a union of all grants by role memberships instead of based on DN order
ECA-5620 - Implement new access control logic based on the new Role and RoleMember representations
ECA-5621 - Add a namespace check to RoleSessionBean
ECA-5637 - Upgrade commons-httpclient and move from lib/ext to lib
ECA-5652 - Adapt the existing access rules page to the new access rule system
ECA-5654 - Increase size of tokenMatchValue column in RoleMemberData
ECA-5655 - Adapt the current AdminGUI Roles page to work with the MPKI generation roles
ECA-5684 - Set secure flag on Public Web session cookie
ECA-5685 - Corrected DatabaseSchemaTest fails on Oracle with ORA-24816
ECA-5693 - Change 'Cancel' button to 'Back' in Approval Profiles in View mode
ECA-5695 - Clean up old access control not needed for upgrade
ECA-5701 - Handle P11 providers that are broken for EC when figuring out supported curves
ECA-5715 - CMP - Do not enforce clear-text-password with EndEntityCertificate
ECA-5723 - Replace 'Logged in <Username>' to 'Logged in as <Username>'
ECA-5724 - Number(Short) and Number(Long) fields are printing numbers from right side
ECA-5736 - Open 'RA Web' in a new tab
ECA-5757 - Improving advanced access rule page usability
ECA-5760 - Propagate authentication failures when checking authorization
ECA-5761 - Show namespace in Role Members page
ECA-5766 - System Configuration autoenrollment doc link should point to proper information
ECA-5768 - Use new authorization system in the RA if available
ECA-5774 - Audit log RoleMember changes
ECA-5779 - Make RoleDataSession.persistRole idempotent
ECA-5782 - Have LegalCharsValidator report what characters that break validation
ECA-5789 - Finalize post-upgrade procedure for 6.8.0
ECA-5790 - Add org.apache.tomcat.util.http.Parameters.MAX_COUNT to standard JBoss 7 configuration
ECA-5797 - Avoid authorization cache update when authorization never really changed
ECA-5806 - Clean up unused and redundant access rules related to public_web_user/, basic_functions/ and secureaudit/auditor/
ECA-5810 - Upgrade EJBCA/CESeCore to BC 1.56
ECA-5813 - Improve error message on browser enrollment key generation failure
ECA-5814 - Add possibility to get any CRL using Public and RA Web
ECA-5818 - Clean up Roles produced during system tests
ECA-5821 - Make note in doc/UPGRADE that upgrades directly from EJBCA 4 are possible
ECA-5826 - Fix deprecations in PeerConnectorPool after upgrade of HttpComponents
ECA-5832 - Decode B64 encoding in Audit Log XML export
ECA-5836 - Remove AuditorQueryHelper
ECA-5838 - Remove possibility to search in details column of Audit Logs
ECA-5845 - Split approval profiles up for different types of requests
ECA-5852 - Replace EJBCA logo with the new edition
ECA-5855 - Replace references to primekey.se to http://primekey.com
ECA-5858 - Improve/correct audit log entries for Crypto Token, id->ID
ECA-5860 - Add signature algorithm to keybind list CLI command output
ECA-5868 - Change default intresources.secondarylanguage to english
ECA-5873 - Re-implement EFF ACME protocol support
ECA-5899 - Add a CMP Key Update Request test to verify that admins can't request certificates from the wrong CA.
ECA-5902 - Adjust OCSP max-age and next update (in response and RFC5019 headers) to OCSP signing certificate expire date, if expire is before configured values
ECA-5914 - CMP: Handle several certs in extraCerts field
ECA-5915 - CMP: Not all SubCAs need to be imported in Vendor mode
ECA-5920 - Changes all references from Role "Administrators" to "Role Member"
ECA-5929 - Publishers are not sorted alphabetically in select menus
ECA-5933 - GUI: New eIDAS word for SSCD
ECA-5942 - CryptoTokenManager: Make clear that the "Authentication Code" is not being *set* or *defined* here
Sub-task
ECA-5745 - Use new authorization system in Admin GUI
ECA-5750 - Use new authorization system for approvals
ECA-5754 - Adapt statedump to new Roles and RoleMembers
ECA-5780 - Remove legacy authorization system code used from Admin GUI
ECA-5781 - Remove no longer needed use of ComplexAccessControlSession
ECA-5783 - Remove no longer needed use of AccessControlSession
ECA-5786 - Remove no longer needed use of RoleManagementSession and related classes
ECA-5787 - Consolidate legacy authorization code needed for upgrade
ECA-5788 - Remove AccessTree and related classes
EJBCA 6.7.0.1
2017-04-27
Bug
ECA-5853 - Upgrade to 6.7.0 fails due to Use Default CA Issue value
EJBCA 6.7.0
2017-03-08
Bug
ECA-2971 - Show error when validity is specified without unit in Certificate Profile form
ECA-4021 - Creating a CA using a validity date in the past fails silently
ECA-4140 - Access Rules: Remove forcing Advanced Mode
ECA-4467 - SCEP rollover test case fails in certain circumstances
ECA-5025 - Debug log if certain special characters in SubjectDNs are present when using statedump
ECA-5284 - Requesting admin can still see approval options on CA
ECA-5396 - Enrollment code (password) is not evaluated inside approval notification e-mail
ECA-5530 - Regression: Order of CT logs is lost when saving system configuration
ECA-5548 - Minor security issue
ECA-5562 - Avoid read of cached GlobalConfigurationData from making it a managed entity
ECA-5569 - Special characters are not displayed correctly in the AdminGUI
ECA-5574 - Fix printing null as exception message on enrollment pages
ECA-5580 - Accumulative profiles do not validate values
ECA-5598 - KaRA approving certificate revocation requires /ca_functionality/approve_caaction privileges
ECA-5599 - Autocomplete should be off in password fields
ECA-5601 - Security Issue
ECA-5605 - Security improvement
ECA-5606 - Document that Public web self registration requires a new Approval profile after upgrade to 6.6.0 (or an NPE is thrown)
ECA-5624 - Security improvement
ECA-5626 - Regression: not possible to list CMP aliases that reference the KeyId end entity profile
ECA-5643 - SLF4J gives warning output in CLI
ECA-5682 - Unescape + character before generating a certificate
ECA-5687 - EJBCA 6.5.0 Community post-upgrade does not fail gracefully
ECA-5690 - EJBCA plugins don't work with JDK 8
ECA-5718 - Regression: Characters ÄÅÖ are displayed incorrectly when you Add End Entity
ECA-5738 - CA Name Change, CRL number of Name Changed CA CRL is not in sequence with the original CA
New Feature
ECA-5124 - Custom search for approvals, for searching by date, for expired requests or different admin
ECA-5139 - Limit OIDs that are acceptable in Extension Override
ECA-5304 - Default "CA issuer URI" for CA
ECA-5352 - Statedump should include approval profiles
ECA-5550 - Ensure that self signed CA's include their own certificate in their revocation CRLs
ECA-5593 - CMP: Allowing native CAs to be Vendor CAs in test mode
ECA-5689 - OCSP transaction logging, add revocation reason as field
Task
ECA-5494 - Remove references to superseded app.version.effective property
ECA-5508 - Subtract actual wait in PeerRaThrottleCounter
Improvement
ECA-4294 - Use JDBC to detect index presence
ECA-4382 - Deprecate ocsp.responderidtype in ocsp.properties
ECA-4585 - Clarify value 0 for OCSP response validity and max-age
ECA-4603 - Update CT jar and its dependencies
ECA-4835 - Security hardening
ECA-4838 - Security hardening
ECA-4859 - Implement support for CT logs that use RSA instead of ECC
ECA-4901 - Handle empty UserData and CertificateData subjectDN on Oracle and DB2 in Oracle compatibility mode
ECA-4997 - Regression: Reimplement CMP Unid support
ECA-5086 - KaRA-Approvals: Remove cache when getting approval profile authorization string
ECA-5116 - Support for renaming key aliases via statedump overrides
ECA-5308 - approvalSession.addApprovalRequest should return created id
ECA-5325 - Improve javadoc of EnrollMakeNewRequestBean.getSubjectDn
ECA-5369 - KaRA: Ability to un-expire an expired approval request
ECA-5374 - Remove unused authenticationToken in ApprovalSession.query
ECA-5423 - Fix spelling of getEndEntityProfileiId
ECA-5426 - Audit log does not show the changes made in EE
ECA-5457 - Rename ApprovalProfile.getApprovalProfileIdentifier()
ECA-5463 - Add confirmation when saving End Entity Profiles
ECA-5477 - Document that Allow subject DN override by CSR is a pre-requisite for CMPTest
ECA-5504 - Make it possible to re-order CT logs
ECA-5522 - newly added Log URL and Timeout (ms) display
ECA-5551 - Minor EJBCA WS test robustness fixes
ECA-5556 - Put public static variables in GeneralPurposeCustomPublisher in correct case
ECA-5557 - Keep key aliases (key pair infos) sorted in statedumps
ECA-5559 - Show key specification when viewing an approval request
ECA-5560 - Replace references to the deprecated class X509Extension
ECA-5561 - Approval requests from unauthenticated RA users appear to originate from CLI
ECA-5563 - Pre-6.6.1 statedumps can no longer be imported since EJBCA 6.6.1
ECA-5564 - Show all warnings from Statedump in CLI / AdminWeb output
ECA-5572 - GenerateToken.generateOrKeyRecoverToken throws Exception
ECA-5573 - Try to use NoSuchEndEntityException for all exception handling of lost EEs
ECA-5576 - Remove unused variables in RAAuthorization
ECA-5583 - ExternalRA tests can't run due to missing JARs
ECA-5588 - Replace UserDoesntFullfillEndEntityProfile with EndEntityProfileValidationException
ECA-5589 - Keep sort and search settings when going back in Manage Requests page
ECA-5597 - Replace dummy CN values in keystore certs
ECA-5636 - KaRA: add a request control filter
ECA-5638 - Security: Upgrade commons-fileupload to 1.3.2
ECA-5639 - Security: Upgrade batik to 1.7.1
ECA-5640 - Security: Upgrade xstream to 1.4.9
ECA-5641 - Security: Upgrade commons-beanutils to 1.9.3
ECA-5645 - CSR should be stored as Base64 in ExtendedInformation instead of binary
ECA-5646 - Add CSR if available to findendentity cli command
ECA-5650 - Don't require @ in rfc822Name when validating End Entity profiles
ECA-5651 - Add some documentation for Native MS Autoenrollment
ECA-5691 - Add possibility to get any CRL using CLI command
EJBCA 6.6.4
2017-02-20
Bug
ECA-5687 - EJBCA 6.5.0 Community post-upgrade does not fail gracefully
ECA-5700 - Upgraded ValidationAuthorityPublisher settings cannot be changed in GUI
EJBCA 6.6.3
2016-12-22
Bug
ECA-5527 - PeerRaMasterServiceBean delays shutdown
ECA-5554 - View certificate throws StringIndexOutOfBoundsException when certificate cannot be read
ECA-5568 - Incorrect column type used in Oracle upgrade script
ECA-5571 - ApprovalProfileSession is not sent to Workers, leading to an NPE
ECA-5575 - Error generating CRL on MSSQL, update dialect to SQLServer2008Dialect
ECA-5577 - Import certificate profiles in Admin GUI ignores profileId
ECA-5578 - ExternalRA fails if no approval profile has been set
Improvement
ECA-5079 - Make sun classes for PKCS#11 available using jboss-deployment-structure.xml
ECA-5526 - Add new RA Web to Admin GUI menu
EJBCA 6.6.2
2016-12-04
Bug
ECA-5549 - CT Log submission can fail in certain circumstances when it shouldn't
EJBCA 6.6.1
2016-11-23
Master Ticket
ECA-5509 - Performance optimizations
Bug
ECA-3554 - CVC certificate validity should not be backdated 10 minutes
ECA-5253 - NPE should be avoided when not receiving an OCSP response in CmpProxyServlet
ECA-5387 - Issuer Alternative Name not included in Root CA until it's renewed
ECA-5479 - NPE when trying to view list of CMP configurations with missing profile
ECA-5489 - Incorrect regex breaks "view certificate" page from Internal Key Bindings page for some CA DNs
ECA-5495 - Update of imported CA certificate is not persisted to the CertificateData table
ECA-5502 - Prevent legacy OCSP signer renewal from processing the same entry twice
ECA-5514 - Make DynamicUiProperty.values thread safe
New Feature
ECA-1628 - Add option to keep revoked expired certificates on CRLs.
ECA-5141 - Specify hours, minutes and seconds in certificate profile
ECA-5330 - Certificate expiration period specific to certain days
ECA-5419 - Make CT Log timeout editable again, as well as the other fields
ECA-5470 - Document trailing space in RDN value behavior in test
ECA-5491 - Add CLI command to change crypto token for a CA
ECA-5492 - Update Ubuntu quick start guide to 16.04 and Java 8
Task
ECA-5428 - Get DB2 job on Jenkins running again
ECA-5507 - Use available helper method for ContentVerifier creation
Improvement
ECA-4447 - Make EJB timers non-persistent
ECA-5451 - Prevent change of audit log node id once sequence is initialized
ECA-5459 - Only regard revocation reasons *Compromise and unspecified as CA private key compromise in VA
ECA-5460 - Update RHEL quick start in installation doc
ECA-5469 - Document that WS certificateRequest method overwrites the end entity
ECA-5478 - Ability to add multiple PDS URIs
ECA-5486 - Document Java version requirements when running JBoss 7.1.1.GA or JBoss EAP 6
ECA-5490 - Add new recommended database index for CRL generation
ECA-5493 - Excessive logging when editing Certificate Profile
ECA-5496 - IKB certificate import should not use the current CA certificate if public key does not match
ECA-5501 - Don't initialize classes in ServiceManifestBuilder
ECA-5517 - javascript for convertdot during ziprelease only works on JDK8
Sub-task
ECA-5511 - Remove extra call to getDataMap() from ProfileData.getProfile()
ECA-5512 - Remove some unneeded calls to EndEntityInformation.extendedInformationToStringData()
ECA-5513 - Make assertSerialNumberForIssuerOk() more light weight
ECA-5516 - Investigate efficiency of ExtendedInformation persistence conversion
EJBCA 6.6.0
2016-10-19
Bug
ECA-3897 - Unrevoked certificates do not appear on delta CRLs
ECA-4549 - In Basic Access Rules, 'All' is listed last in the list of CAs
ECA-4596 - ClientToolBox is unable to verify signature when testing more exotic EC keys in HSM
ECA-4647 - Basic Access Rules: Pre-selected end entity rules for RAAdmin role template do not correspond to actual rules.
ECA-4834 - Security hardening
ECA-4856 - Security Hardening
ECA-4858 - Confusing audit log message when reactivating a crypto token
ECA-4860 - CryptoToken Id not updated when importing a statedump with the merge option
ECA-4862 - CmpMessageHelper.createUnprotectedErrorMessage throws an NPE if a nonce is not included in the CMP message
ECA-4872 - System configuration page broken in WildFly 10
ECA-4877 - CertTools.isCertificateValid logs cert serno in decimal instead of hex
ECA-4882 - CMP Proxy: Message signer chain should have its own configuration key in cmpProxy.properties
ECA-4883 - CMP Proxy: NPE when the right CA certificate is not found
ECA-4884 - Reference to Hudson in code when deploying ant
ECA-4885 - Key recovery requires 'Edit End Entities'-rights
ECA-4889 - Change all references from "Enrolment" to "Enrollment"
ECA-4892 - Clearing caches fails locally if clearing the cache on any clustered nodes fails as well.
ECA-4893 - CMP Proxy: Revocation status cache is read incorrectly
ECA-4915 - SecureXMLDecoder can't deserialize all standard types
ECA-4923 - ClientToolBox is missing lib/ejbca-ws.jar dependency
ECA-4925 - Old version of cert-cvc still under lib
ECA-4928 - CMP Proxy Servlet doesn't properly handle messages with faulty ASN.1 syntax
ECA-4929 - Sample code not updated after refactorings
ECA-4930 - Left-over old generated web services sources
ECA-4931 - Minor security issue
ECA-4945 - Edit admin entities broken in WildFly 10
ECA-4955 - CMP Proxy swallows underlying error message when verifying certificate path
ECA-4956 - Regression: Key alias in CMS CA service was changed so it can not be read after upgrade
ECA-4964 - NoClassDefFound in PeerConnectorServlet.destroy(), causes JBoss to freeze
ECA-4971 - Partial fix for handling InterruptedException correctly
ECA-4974 - Regression: SecureXMLDecoder doesn't allow import of CertificatePolicy objects
ECA-4988 - CMP Aliases can't handle that End Entity Profiles are renamed
ECA-4990 - CMP aliases can't handle CA removal
ECA-4992 - SHA256WithRSAAndMGF1 broken in some cases
ECA-4996 - Editing a CMP configuration while having limited access leads to hidden aliases being deleted
ECA-5003 - Profiles export fail if hard tokens are enabled.
ECA-5005 - Root access required to save system configuration
ECA-5072 - KeyBindings do not work if there's a CVC CA or uninitialized CA available
ECA-5098 - ApprovalProfile table breaks EJBCA DB CLI
ECA-5128 - Invoke postUpgrade instead of upgrade from placeholder
ECA-5165 - Access rule "store_certificate" is not used in the code
ECA-5185 - Regression: can not revoke user when user's registered CAId does not exist
ECA-5187 - languagefile.en.properties: correct different typings of ID
ECA-5193 - Fix broken jenkins test with non-serializable Keystore in RaMasterApi
ECA-5204 - RA enrollment: User doesn't get its request ID if RA is running on peer
ECA-5206 - CMP revocation requests fails CA authorisation if issuer CA has X.500 ordering
ECA-5213 - GUI bug in send notification, can not be set afterwards if set to required in profile
ECA-5216 - Checking requestId gives possibility to finalize even if it's not possible
ECA-5217 - WebService method checkRevokationStatus does not return null for non existing certificates as documented
ECA-5220 - Notification related fields show up on the approvals page
ECA-5224 - RA enrollment: Fix and improve the enrollment with approval buttons
ECA-5228 - Circular dependency between ApprovalProfileCacheBean and StartupSingletonBean
ECA-5232 - Adding approval profile metadata fields only works correctly for the final step
ECA-5234 - Store authentication token instead of admin cert serial number/issuer in approval requests
ECA-5236 - 'Hour' format in Advanced Mode for Search End Entities
ECA-5239 - GUI improvements to the Manage Request page
ECA-5244 - Cloning Approval Profiles ignores the new name and it's not possible to rename
ECA-5245 - NPE approving as another Admin in KaRA
ECA-5258 - RA enrollment: Support for enrolling PEM keystores
ECA-5260 - Occasional ConcurrentModificationException when re-deploying
ECA-5261 - Use id instead of approvalId as a Request ID
ECA-5262 - End Entity notifications when using approval always uses the requestAdmin, and not the approvalAdmin
ECA-5267 - RA enrollment: Unique Subject DN check is done after approval
ECA-5268 - Internal database constraint test audit logs certificate storage
ECA-5275 - Deleting Approval steps doesn't actually remove the step
ECA-5277 - Fix NPE when trying to list processed approvals in the RA
ECA-5278 - Handle approval editing in one step in ApprovalSessionBean, so the id can be preserved
ECA-5281 - EjbcaWSTest.test25CreateandGetCRL fails sporadically
ECA-5282 - Update "previous steps" in the RA approval page to handle partitions
ECA-5289 - Approval requests listing in the RA are never shown if older than the default validity (8 hours)
ECA-5293 - Regression: Manage Request page does not work over peers
ECA-5296 - Approval class has updated serialVersionUID
ECA-5297 - Number of remaining approvals is reset after upgrade
ECA-5298 - Fix Exceptions in RA GUI approvals
ECA-5299 - EjbcaWSTest.test03_5CertificateRequest fails with End Entity Profile limitations on
ECA-5305 - Regression: SecureXMLDecoder doesn't allow import of CTLog objects
ECA-5321 - JUnit: handle test case where we try to add non existing DN parameter to EE profile
ECA-5323 - Client toolbox start script not working for p11 when JAVA_HOME is set
ECA-5324 - NPE when trying to approve and the approval profile is to type Accumulative
ECA-5335 - KaRA: authorization cache is for ever, even with clear caches
ECA-5338 - External RA GUI should not bundle hibernate jar to deploy on WildFly 10
ECA-5342 - ui:repeat does not respect the "rendered" parameter on the RA Manage Request page, causing exceptions
ECA-5345 - KaRA: Manage Requests->Processed doesn't show anything
ECA-5346 - Name field does not work on Manage Request page
ECA-5347 - Java type inconsistencies in NameToIdMap
ECA-5349 - Not able to import statedump from EJBCA 6.5 into EJBCA 6.6
ECA-5350 - CA importcert CLI command should halt on error when no superadmincn is provided
ECA-5351 - statedump.sh script doesn't handle relative paths
ECA-5353 - Statedump source ziprelease includes .class files
ECA-5358 - KaRA: Text for 'Upload CSR' in RA GUI truncated
ECA-5363 - Headers are offset by one in Manage Requests view in mobile layout
ECA-5366 - Login link on public RA pages does not work
ECA-5367 - Edit End Entity requests show up with type = "???" in the RA
ECA-5375 - Enrollment from RA requires Edit End Entity access, instead of Add End Entity
ECA-5376 - Missing Administrator info in 'Waiting for Approval' section
ECA-5378 - Fix NPE when deleting the only step in an approval profile
ECA-5388 - OCSPResponseGenerator should use BC provider for signature verification
ECA-5391 - Wrong encoding of documentTypeList in ICAO 9303 DS certificates
ECA-5392 - ApprovalProfileBase.getSteps checks for null instead of empty
ECA-5403 - Improve messages in the RA Enrollment page
ECA-5411 - Email Notification parameters containing $ sign causes error
ECA-5414 - Systemtest failures with non JDK handled EC curves
ECA-5420 - Availability of EEPs in RA is cached session cached
ECA-5422 - Access rule misspelled in AdminCertReqServlet
ECA-5425 - Error codes of Peer Connectors does not work
ECA-5427 - NPE when doing direct issuance via RA
ECA-5431 - Typo in 'Notification Messages' under End Entity Profile page
ECA-5435 - Don't render Provide User Credentials section in RA when empty
ECA-5436 - Regression: Order of CT log might not be respected
ECA-5439 - Installation instructions don't work for Wildfly 10 / JBoss EAP 7.0 in some cases
ECA-5440 - Verification of database protection not working for Custom Certificate extensions
ECA-5441 - Statedump import failure for InternalKeyBinding
ECA-5454 - NPE in AdminGUI when the same admin approves a request a second time
Improvement
ECA-3959 - Editing end entity profile generates unnecessary INFO
ECA-4413 - Simplify EJB lookups in CAAdminSessionBean
ECA-4438 - Remove unused caid parameter in CA.createPKCS7Rollover
ECA-4499 - Allow longer SAN and DN by default
ECA-4673 - Downloading a non-existent delta-CRL on the public web leads to a 404
ECA-4690 - Replace deprecated references to org.bouncycastle.asn1.x509.SubjectPublicKeyInfo.SubjectPublicKeyInfo(ASN1Sequence)
ECA-4795 - External RA: NPE in external RA gui when externalra-gui.issuerchain points to a non existing file
ECA-4803 - Security hardening
ECA-4906 - Limit OCSP Nonce to 32 bytes
ECA-4914 - Don't throw RTE when checking for non-existing CryptoToken activation status
ECA-4932 - Exclude install properties files from ejbca.ear
ECA-4936 - ConcurrentCache: Improve performance
ECA-4947 - Resetting an end entity password after key recovery should not require 'Edit End Entities'-rights
ECA-4952 - Simplified X509CertificateAuthenticationToken constructor
ECA-4963 - Certificate Profiles: Keep sorting, but sort default profile types first.
ECA-4970 - Set secure flag on Admin GUI session cookie
ECA-4983 - ejbcajslib.js has unneeded comment chars
ECA-4987 - Set search.cgi welcome page for RFC 4387 CRL and certificate stores
ECA-4998 - Document that CMP Unid support currently isn't supported
ECA-5029 - Usability improvement, limit Policy User Notice text field to 200 characters
ECA-5044 - Security Improvement
ECA-5047 - Improve pom.xml for cert-cvc
ECA-5088 - Move all CRUD methods from ApprovalData into ApprovalSessionBean
ECA-5106 - Add database column for subjectAltNames (SAN) in CertificateData
ECA-5115 - Allow notifications to be sent when admin has an external certificate not available in the database
ECA-5130 - Fix some resource leaks and thread locking issues in source
ECA-5142 - Generalize and improve InternalKeyBindingProperty
ECA-5147 - MS SQL server support in External RA build task
ECA-5148 - Perform some cosmetic improvements to the approve action page
ECA-5160 - Have externalized Approvals initialize their authentication tokens
ECA-5168 - Improve system tests for application servers that enforce class loading
ECA-5192 - Don't show admin roles that can't approve or view approvals
ECA-5195 - RA Enrollment: Show password only with downloading keystore
ECA-5196 - RA Enrollment: Provide user with more verbose error message during token creation
ECA-5203 - RA enrollment: Add support for autogenerated passwords
ECA-5212 - Sort Approvals by Request Date by default
ECA-5214 - KaRA: creating end entity should set email notification when it is required
ECA-5215 - KaRA: PRA Error handling when not unique subject DN or public key
ECA-5226 - Improve exceptions handling over peers to support more than just a message
ECA-5241 - Improve RA API exception handling
ECA-5247 - Change which requests are shown under the Pending and Processed tabs
ECA-5257 - RA enrollment: Download Token name should be CN value
ECA-5273 - Query.toString() should output something readable
ECA-5300 - Certificate Policies in the same order in certificate encoding as in the GUI
ECA-5301 - Add instruction for upgrade
ECA-5307 - PRA: Manage requests should show request ID
ECA-5317 - Autogenerated EE usernames as configurable with EEP
ECA-5318 - RA enrollment: Remove password fields with certificate creation if approval are not required
ECA-5332 - Statedump import should skip revocation of end entities' certificates
ECA-5343 - KaRA: AuthLoginException should contain error code, fix missing parameter to error messages
ECA-5344 - KaRA: password should be called enrollment code
ECA-5355 - KaRA: some reasons missing when explaining why admin can't approve a certain request
ECA-5356 - Delete modules/dist directory on clean
ECA-5357 - KaRA Usability: request form clearing and email
ECA-5362 - KaRA Usability: Rename "Needs Approval" and "Pending Approval"
ECA-5371 - KaRA Usability: more information when finalizing enrollment
ECA-5377 - Improvements for Approval Profiles Documentation
ECA-5393 - Log subject DN of cert failing validity check
ECA-5400 - KaRA: Document authorization rules for RA User and RA Admin
ECA-5405 - Security hardening
ECA-5410 - Approval profile notifications ability to include admin who last approved request
ECA-5418 - Show approval request type on the Manage Request page
ECA-5421 - CA Token Properties upgrade should debug log and be case insensitive
Master Ticket
ECA-5315 - KaRA Usability: improve usability of wording in KaRA
New Feature
ECA-2277 - NetBeans IDE project
ECA-2390 - Import CRL via the WebUI
ECA-2842 - Add SAN SRVName OtherName for Service Name in Certificates (RFC 4985)
ECA-2843 - Add SAN XmppAddr OtherName for XMPP Client certificates (RFC 6120)
ECA-4379 - Add additional CVC OIDs for SHA512 and SHA384
ECA-4473 - Shell script for running statedump tool
ECA-4861 - Add Windows Certificate Autoenroll files as module
ECA-4972 - GUI Support for PKI Disclosure Statements (PDS) QCStatement and QCType
ECA-5111 - ID on SIM (RFC-4683) support in cesecore
ECA-5145 - Internal profile support for eIDAS Qualified Extension types Type and PDS
ECA-5264 - Make requestID available for end entity notifications when an Approval request to add end entity is created (waiting for approval)
ECA-5265 - Configure WS genTokenCertificates and viewHardToken to use the new approval profiles
ECA-5274 - Audit log approval profiles
ECA-5279 - Support RegisteredID in subject alternative name
ECA-5310 - Update SQL scripts for EJBCA 6.6.0 database schema changes
ECA-5322 - Ability to use variables in email subject for email expiration service
ECA-5412 - Add support for Services that run on all hosts to enable HSM Keepalive Service to run on all nodes in a cluster
Story
ECA-4782 - RA must be configurable to demand logged in users
ECA-4784 - RA interface must handle certificate management tasks including requesting revocation
ECA-4786 - RA must allow searching for End Entities
ECA-4788 - All requests must be given a universal identifier so that they can be tracked through logs
ECA-4796 - RA must handle certificate requests by manual CSRs
ECA-4801 - RA Administrators must be able to be notified about user requests
ECA-4804 - Notify other administrators about certificate issuances or revocations
ECA-4805 - RA administrators must be able to edit user requests.
ECA-4820 - RA users should be able to see the status of their requests
ECA-4863 - Approvals should be partitioned
ECA-4873 - PRA must allow searching for Certificates
ECA-4895 - RA users will be able to request server side generated keystores
ECA-4896 - Logged in RA users should see the certificate types they're authorized to
ECA-4979 - RA Interface should allow download of CA certificates and CRLs
ECA-5153 - RA administrators must be able to create end entities from the PRA
ECA-5336 - KaRA: As a RA User I have forgotten my requestID and need to finalize enrollment
Task
ECA-4868 - Security Issue
ECA-5031 - Update cmp proxy web.xml to JEE6
ECA-5209 - Remove additional left-over old generated web services sources
ECA-5263 - Update the RA to handle partitioned approvals properly
ECA-5348 - Add JUnit test for Certificate Profile extension
ECA-5361 - Evaluate security test report
ECA-5370 - KaRA usability: Rename Generate buttons to Download
ECA-5408 - Add authorization checks when trying to edit a request
ECA-5409 - Allow the Auditor role to see all RA pages except enrollment
ECA-5413 - Update CT log documentation
ECA-5437 - Document that Wildfly 10 config also applies to JBoss EAP 7.0.x
ECA-5446 - Prevent locales used during development to be selected in RA
Technical Requirement
ECA-4817 - An authentication token must travel in a nestled fashion from the RA to the CA, rights will be the intersection of all nestled tokens' rights
ECA-4819 - CA->ERA/PRA should use Peers to establish their connection
ECA-4826 - ERA/PRA must extract a subset of access rules from the CA
ECA-4869 - Deployable Public RA interface (PRA) as part of the EJBCA EAR
ECA-4917 - RA Proxy Authorization Cache
Sub-task
ECA-4446 - Introduce typing for ListDataModel
ECA-4800 - Support for request revocation of authorized certificates
ECA-4867 - Long hanging peer connections for reverse calls
ECA-4870 - Create a module for the Public RA interface and make sure it is deployed with the EJBCA EAR
ECA-4874 - Add End Entity Profile ID column to CertificateData
ECA-4875 - Create a basic PrimeKey branded CSS for the RA interface
ECA-4879 - Create/modify an authentication token that handles nestled credentials
ECA-4881 - Reverse calls should use AuthenticationToken with caller's server side TLS cert
ECA-4898 - Create initial RA enrollment workflow
ECA-4907 - Implement Approval Profiles and convert the old approvals to the appropriate profile.
ECA-4908 - KaRA-Approvals: Handle approval request according to approval profiles
ECA-4911 - KaRA-Approvals: Implement "Edit"
ECA-4918 - Method to list access rules that the AuthenticationToken is authorized to
ECA-4919 - Call RA peer when access rules change
ECA-4920 - RaAccessBean on RA for checking authorization
ECA-4922 - Introduce PublicAccessAuthenticationToken
ECA-4927 - Improve logging and retries of peer connections
ECA-4934 - Improve performance of LookAheadObjecInputStream tree
ECA-4937 - Proper error handling
ECA-4938 - Basic RA client HTTP session handling
ECA-4940 - I18N: Handle right to left languages in RA
ECA-4941 - I18N: Use UTF-8 in resource bundles and add fallback to default language
ECA-4942 - Peer Connector config for long-handing RA threads
ECA-4944 - Simplify authorization of server side TLS certificates for Peer RA
ECA-4948 - Test required access rules for EJBCA WS keyRecovery operation
ECA-4954 - Event driven throttle up of long hanging connections
ECA-4962 - Per-AuthenticationToken cache for AccessSets
ECA-4966 - Prevent race condition when app server is started and quickly shutdown
ECA-4969 - Prevent HTTP session stealing for TLS authenticated clients
ECA-4973 - Reloading the RA Authorization Cache instead of clearing it
ECA-4975 - Improve RA JSF base according to best practices
ECA-4977 - KaRA: Add OWASP ESAPI best practices
ECA-4981 - KaRA Approvals: Create access rules to manage ApprovalProfiles
ECA-4984 - RA page for CA certificate and CRL downloads
ECA-4986 - Leave a database mark for EEP Id population when upgrading to 6.6.0
ECA-4994 - Convert RaMasterApiProxy into a singleton
ECA-4995 - Progressive Enhancement with KickAss RA
ECA-5006 - Page to view/handle approval requests in the RA UI
ECA-5011 - Create certificate search base page and basic API call to improve on
ECA-5013 - Use RaAccessBean to limit displayed choices in the menu
ECA-5016 - Use reflection Proxy for RaMasterApi mock objects in tests
ECA-5018 - Detect if RFC4387 CRL store is enabled and adapt CRL download URLs
ECA-5028 - Inform RA of latest authorization cache update number on reconnect
ECA-5032 - Create end entity search base page and basic API call to improve on
ECA-5040 - Test search functionality on large dataset and limit query database load when possible
ECA-5042 - Override serialization of CertificateDataWrapper, to handle passing CertificateData between different versions
ECA-5051 - KaRA-Approvals: Move method accessing the database to the session bean
ECA-5052 - KaRA-Approvals: Replace the current cache with a @singleton bean
ECA-5053 - KaRA-Approvals: Sort approval profiles in the AdminGUI
ECA-5054 - Remove unused approvals code from UI
ECA-5058 - Add Approval and Request Expiration periods options to Approval Profile
ECA-5061 - KaRA-Approvals: Set the right approval profiles
ECA-5064 - Change class name of ApprovalProfileNumberOfApprovals
ECA-5067 - KaRA-Approvals: Approval Profile Cache should be cleared in the CLI too
ECA-5068 - KaRA-Approvals: Update documentation about approvals
ECA-5070 - Authorization rights for enrollment with new request
ECA-5077 - KaRA-Approvals: ApprovalProfileTypes in ServiceLoader
ECA-5082 - Maintain 100% uptime when upgrading Approvals
ECA-5090 - Clean up test methods in RaMasterApi
ECA-5092 - JUnit test for API design violations
ECA-5097 - RA Certificate chain download as PKCS#7
ECA-5100 - Certificate details view in RA
ECA-5109 - Serialize exceptions from invocations
ECA-5110 - Implement RA certificate search by Subject Alternative Name
ECA-5113 - RA method to get approval request by hash (approvalId)
ECA-5120 - Public Access token match either PLAIN or CONFIDENTIAL transport
ECA-5121 - AccessMatchType.NONE should not require a matchValue
ECA-5123 - Admin should be able to see which admin an approval request is waiting for
ECA-5125 - Log who edited an approval request
ECA-5126 - Add notBefore column to CertificateData
ECA-5127 - Implement RA certificate search by issuance date as advanced option
ECA-5137 - Split generic search string into fields
ECA-5143 - Add view functionality for EEs in RA
ECA-5154 - Show preview of certificate during RA enrollment
ECA-5157 - Update admin guide on Peer Systems with new RA functionality
ECA-5159 - Invoke EEP's revoked notification when an individual certificate is revoked
ECA-5162 - Add approval metadata to Partitioned Approval Profiles
ECA-5163 - Add view rights to partitioned approval profiles
ECA-5164 - Display completed steps as view only when performing approval (if view rights are held)
ECA-5172 - Add an e-mail field to approval partitions
ECA-5173 - Add notification evaluation to approval executions
ECA-5177 - Refactor download credentials type during enrollment on PRA
ECA-5180 - Show "certificate preview" during enrollment on PRA
ECA-5182 - Enforce certificate profile algorithms for CSR during PRA enrollment
ECA-5183 - Fix approvals in the RA GUI after the refactoring
ECA-5186 - PRA enrollment: add support for the multiple non-modifiable values for EE fields
ECA-5189 - Approval Profile page renders non-JS button in view mode
ECA-5200 - Add Web Designer styles and modifications, including mobile
ECA-5201 - Add support for nesting of parameter type List<AuthenticationToken> in RaMasterApi
ECA-5202 - Deserialized NestableAuthenticationTokens needs to be re-initialized within JVM
ECA-5205 - Use certs-only PKCS#7 / CMS on RA
ECA-5207 - Allow configuration of /ra_slave/manage from simplified peer auth view
ECA-5208 - RA enrollment: Refactor the RA interface according to the synchup week 27
ECA-5211 - Clean up GUI request authorization checks
ECA-5218 - Use more efficient backend call for RaMasterApi.getApprovalDataByRequestHash
ECA-5219 - Add buttons for changing step order in the approval profile UI
ECA-5221 - Split generic search string into fields
ECA-5222 - RA enrollment: Improve handling of NoJS buttons
ECA-5225 - RA enrollment: Hide static fields by default
ECA-5229 - Better handling of CSR upload during RA enrollment
ECA-5231 - Remove the approvalprofileid column from ApprovalData
ECA-5237 - Populate modifiable SAN fields from CSR during RA enrollment
ECA-5243 - Enforce CSR or key spec in EndEntityInformation when issuing a certificate
ECA-5248 - Don't localize logged messages using current user's selected locale
ECA-5313 - KaRA Usability: Start step with nr 1 instead of 0 in Approval Profiles in Admin GUI
ECA-5314 - KaRA Usability: should be able to notify what partition (name) was performed
ECA-5316 - KaRA Usability: rename the word Partition for approval parts
ECA-5340 - KaRA Usability: Shorten auto-generated username to 32 chars
EJBCA 6.5.5
2016-11-30
Bug
ECA-5495 - Update of imported CA certificate is not persisted to the CertificateData table
Improvement
ECA-5496 - IKB certificate import should not use the current CA certificate if public key does not match
ECA-5501 - Don't initialize classes in ServiceManifestBuilder
EJBCA 6.5.4
2016-10-27
Bug
ECA-5206 - CMP revocation requests fails CA authorization if issuer CA has X.500 ordering
ECA-5253 - NPE should be avoided when not receiving an OCSP response in CmpProxyServlet
ECA-5305 - Regression: SecureXMLDecoder doesn't allow import of CTLog objects
ECA-5323 - Client toolbox start script not working for p11 when JAVA_HOME is set
ECA-5387 - Issuer Alternative Name not included in Root CA until it's renewed
ECA-5440 - Verification of database protection not working for Custom Certificate extensions
New Feature
ECA-5279 - Support RegisteredID in subject alternative name
ECA-5322 - Ability to use variables in email subject for email expiration service
Improvement
ECA-5300 - Certificate Policies in the same order in certificate encoding as in the GUI
ECA-5459 - Only regard revocation reasons *Compromise and unspecified as CA private key compromise in VA
EJBCA 6.5.3
2016-06-22
Bug
ECA-5085 - Regression: ca editca fails on an NPE if --fields parameter is missed.
ECA-5089 - Security hardening
ECA-5091 - Single Active Certificate Constraint does not cause publishing when called from CMP
ECA-5129 - Security issue
ECA-5144 - Regression: Bug in Key Recovery
Improvement
ECA-5038 - State more clearly in documentation that Peers is enterprise only
ECA-5093 - Add debug logging when testing CT publisher connections
ECA-5094 - Potential security issue
ECA-5096 - In SCEP servlet don't info log auth failure that has already been audit logged
ECA-5099 - Potential security issue
ECA-5131 - Update Japanese Language Files
ECA-5135 - ejbca-db-cli verify command should support individual table verification
ECA-5158 - ejbca-db-cli "verify integrity protection" flag does not affect tables related to RoleData
New Feature
ECA-5136 - CHR override for IS and DV certificates
EJBCA 6.5.2
2016-05-13
Bug
ECA-4684 - Possible to enter more pages than there are results in View Audit Logs page
ECA-5020 - Statedump bash script is unintentionally included with release zip
ECA-5021 - Regression: Statedump is no longer able to import crypto tokens without activating them
ECA-5022 - CMP: Unable to find existing end entity profiles
ECA-5030 - Can't select uninitialised root CA as signer for local uninitialised sub-CA
ECA-5033 - Role display issue adding end entities
ECA-5034 - Can't use negative values in FieldEditor / editcertificateprofile command
ECA-5043 - If the folder defined by cmp.backend.extracertissuer does not exist, an NPE is thrown.
ECA-5048 - Single Active Certificate Constraint does not cause publishing
ECA-5069 - editca CLI command fails when renaming a CA
ECA-5071 - NPE thrown when importing statedump with prefix for CA CN field in subject DN
ECA-5073 - Security Issue
ECA-5075 - Possible session caching issues on SCEP alias page
ECA-5081 - Viewing deleted userdata may show session cached value of previously viewed user
Improvement
ECA-5007 - Use last full CRL generation date as input to certificate expiration
ECA-5024 - Don't log error when cAId column does not exist in AdminGroupData
ECA-5076 - Log as failed login event if certificate does not belong to any role
New Feature
ECA-4610 - eIDAS: New ETSI DN attribute "organizationIdentifier"
EJBCA 6.5.1
2016-04-15
Bug
ECA-4549 - In Basic Access Rules, 'All' is listed last in the list of CAs
ECA-4834 - Security hardening
ECA-4856 - Security Hardening
ECA-4858 - Confusing audit log message when reactivating a crypto token
ECA-4860 - CryptoToken Id not updated when importing a statedump with the merge option
ECA-4862 - CmpMessageHelper.createUnprotectedErrorMessage throws an NPE if a nonce is not included in the CMP message
ECA-4872 - System configuration page broken in WildFly 10
ECA-4882 - CMP Proxy: Message signer chain should have its own configuration key in cmpProxy.properties
ECA-4883 - CMP Proxy: NPE when the right CA certificate is not found
ECA-4884 - Reference to Hudson in code when deploying ant
ECA-4885 - Key recovery requires 'Edit End Entities'-rights
ECA-4889 - Change all references from "Enrolment" to "Enrollment"
ECA-4892 - Clearing caches fails locally if clearing the cache on any clustered nodes fails as well.
ECA-4893 - CMP Proxy: Revocation status cache is read incorrectly
ECA-4923 - ClientToolBox is missing lib/ejbca-ws.jar dependency
ECA-4925 - Old version of cert-cvc still under lib
ECA-4928 - CMP Proxy Servlet doesn't properly handle messages with faulty ASN.1 syntax
ECA-4931 - Minor security issue
ECA-4945 - Edit admin entities broken in WildFly 10
ECA-4955 - CMP Proxy swallows underlying error message when verifying certificate path
ECA-4956 - Regression: Key alias in CMS CA service was changed so it can not be read after upgrade
ECA-4974 - Regression: SecureXMLDecoder doesn't allow import of CertificatePolicy objects
ECA-4988 - CMP Aliases can't handle that End Entity Profiles are renamed
ECA-4990 - CMP aliases can't handle CA removal
ECA-4992 - SHA256WithRSAAndMGF1 broken in some cases
ECA-4996 - Editing a CMP configuration while having limited access leads to hidden aliases being deleted
Improvement
ECA-4673 - Downloading a non-existent delta-CRL on the public web leads to a 404
ECA-4795 - External RA: NPE in external RA gui when externalra-gui.issuerchain points to a non existing file
ECA-4906 - Limit OCSP Nonce to 32 bytes
ECA-4932 - Exclude install properties files from ejbca.ear
ECA-4947 - Resetting an end entity password after key recovery should not require 'Edit End Entities'-rights
ECA-4963 - Certificate Profiles: Keep sorting, but sort default profile types first.
ECA-4998 - Document that CMP Unid support currently isn't supported
New Feature
ECA-4473 - Shell script for running statedump tool
Task
ECA-4868 - Security Issue
EJBCA 6.5.0.5
2017-04-06
Bug
ECA-5767 - Soft CA Token key alias set to wrong value in upgrade from 4.0
ECA-5764 - Backport: Key alias in CMS CA service was changed so it can not be read after upgrade
ECA-5784 - Legacy script based autoenrolment should not remove end entity profile
ECA-5798 - Backport clientToolBox fix to EJBCA Community
EJBCA 6.5.0.4
2017-02-10
Bug
ECA-4872 - System configuration page broken in WildFly 10
ECA-4945 - Edit admin entities broken in WildFly 10
ECA-5687 - EJBCA 6.5.0 Community post-upgrade does not fail gracefully
EJBCA 6.5.0.3
2016-03-23
Bug
ECA-4931 - Minor security issue
ECA-4955 - CMP Proxy swallows underlying error message when verifying certificate path
EJBCA 6.5.0.2
2016-03-01
Bug
ECA-4860 - CryptoToken Id not updated when importing a statedump with the merge option
EJBCA 6.5.0.1
2016-03-01
Bug
ECA-4862 - CmpMessageHelper.createUnprotectedErrorMessage throws an NPE if a nonce is not included in the CMP message
EJBCA 6.5.0
2016-02-29
Bug
ECA-2841 - Document Password Limitation in manuals and sample files.
ECA-3600 - The /ca_functionality/edit_ca is missing from advanced Access Rules
ECA-3859 - E-mail doesn't work in usernamemapping in self-registration
ECA-4262 - Name constraints encoding incorrect in a certain case
ECA-4310 - Certificate profile key length restriction ignored when creating CA
ECA-4478 - Display "Base64 log ids" when listing CT logs
ECA-4518 - Cloning a fixed hard token certificate profile leads to GUI bug
ECA-4535 - ArrayIndexOutOfBounds when upgrading EJBCA 4 installations
ECA-4546 - Regression: Approvals page ignores 'Expired' status
ECA-4551 - Implement non-partitioned CRLs that will work with name-changed CSCA
ECA-4579 - GUI: Some spaces added in original values in End Entity profile
ECA-4582 - Regression: Edit end entity profile notifications bug
ECA-4584 - GUI: Display problem of Extended Key Usages, in View Certificates
ECA-4587 - Regression: test20MaliciousOcspRequest hangs forever on everything but Wildfly8
ECA-4588 - "Renew Browser Certificate"-link in Public Web broken
ECA-4602 - CMP: EEC authmodule - Checking for CA authorization does not work
ECA-4613 - Don't allow deletion of CT logs that are still in use by a Certificate Profile
ECA-4616 - Regression: EJBCA WS CLI shows a lot of warnings
ECA-4623 - Handle CertificateCreateException with null ErrorCode in public web
ECA-4626 - Duplicate DN values fail in the Self-Registration forms
ECA-4627 - Security Hardening
ECA-4628 - GUI: CA Structure & CRLs usability
ECA-4631 - Security Issue
ECA-4634 - The check whether Subject Directory Attributes fulfill profile always fails in Self-Registration
ECA-4644 - Fix the jbosslogsigning target
ECA-4656 - NPE on system configuration page if no other page has been loaded before it
ECA-4662 - Test CrmfRAPbeRequestTest does not clean up correctly
ECA-4663 - Regression: Standard superadmin shows up as 'Custom' in Basic Access Rules View
ECA-4664 - CompressedCollection silently allows add() after closeForWrite()
ECA-4666 - CmpTestCase can't be run against CmpProxy
ECA-4669 - Revoking/Republishing certificate by selecting its serial number from audit log outputs NPE
ECA-4671 - Possible infinite recursion, leading to OOM in intresources
ECA-4677 - Audit log: Only show valid conditions for each search column
ECA-4683 - Trying to view deleted end entity gives NPE
ECA-4686 - Approval requests from Self Registration appear to originate from CLI
ECA-4694 - CMP: EEC authmodule - Checking for CA authorization still does not work
ECA-4700 - Fix bugs related to Auditor role
ECA-4707 - PeerInternalKeyBindingUpdaterWorker should check status of CA's CryptoToken before trying renewal
ECA-4709 - NPE when trying to display remote IKB where remote cert is not present on CA
ECA-4714 - Security issue
ECA-4718 - Regression: EndEntityManagementSessionTest.test07MergeWithWS fails on the community release
ECA-4719 - ocsp.reqsigncertrevcachetime not defined in defaultvalues.properties
ECA-4721 - Certificate Transparency tab in System Configuration shows up in Community Edition
ECA-4733 - Security hardening of new Statedump GUI
ECA-4736 - Handle changed Subject DN in statedump files
ECA-4738 - Missing properties in cesecore-common library
ECA-4740 - CmpProxyServlet doesn't calculate process time correctly
ECA-4745 - Certificate Profile: Don't save values of disabled fields to make audit easier
ECA-4747 - Imported certificate profile does not include AvailableCAs in the GUI
ECA-4752 - Possible NPE in ConcurrentCache when using DEBUG logging
ECA-4754 - http://ejbca.org index page broken in chromium
ECA-4757 - Help reference not visible in services page
ECA-4762 - RA Administrators (Pre-defined role template) privileges are missing
ECA-4765 - GeneralPurposeCustomPublisher doesn't surround command arguments with quotes.
ECA-4812 - Healthcheck of CAs get key count wrong and checks for previousCertSignKey
ECA-4814 - SQL error in schema for Postgres databases
ECA-4815 - Fix some JUnit test failures in JDK8
ECA-4824 - Information leak in debug log
ECA-4830 - Minor security hardening
ECA-4832 - Security issue
ECA-4839 - Certificate download redirect does not work with non-ASCII characters in the Subject DN
ECA-4841 - Regression: Events are not shown in the 'View Log'
ECA-4843 - Regression: ConfigurationHolder can no longer read built in properties
ECA-4847 - Don't lock down statedump in fresh installations
Improvement
ECA-659 - Add restriction for key algorithm in certificate profiles
ECA-1910 - CAs in alphabetic order in the CA Structure & CRLs page
ECA-3204 - Re-factoring of P11Slot
ECA-3780 - Split and kill the src-directory
ECA-3929 - Improve rendering of crypto tokens on the CA Activation page.
ECA-4075 - Document that naming in IS end entities should not be changed
ECA-4237 - Peer connections should send full client certificate chain
ECA-4274 - Eliminate redundant images from docs
ECA-4393 - Reduce number of errors from the OCSP signing cache about expired CAs
ECA-4401 - Can not read private key with alias containing åäö from keystore
ECA-4403 - Parallel CT log submission
ECA-4404 - TLS session re-use for CT submission
ECA-4481 - Cache revocation status of request signers in OCSP responder
ECA-4482 - Make new transaction log variable for ISSUER_NAME and REQ_NAME in original order
ECA-4543 - Implement CSCA "CA Name Change" feature from ICAO 9303 7th part 12
ECA-4552 - Allow statedump to merge existing CryptoTokens
ECA-4562 - Make sure that there is only one set of code handling HSM keys.
ECA-4563 - CMP: ResponseStatus in CmpErrorResponseMessage is not used and should be removed
ECA-4564 - CMP: return message SYSTEM_UNAVAILABLE when profiles can not be read/found in RA mode
ECA-4570 - Document validation error messages returned by CMP Proxy
ECA-4574 - GUI: System Configuration sub-section order
ECA-4575 - GUI: Better CryptoToken alias default value
ECA-4576 - Several SAN DNSname in EMPTY profile
ECA-4577 - GUI: SHA-256 by default in CA creation form
ECA-4583 - GUI: CryptoToken page usability (private key export)
ECA-4595 - GUI: CA creation form usability
ECA-4598 - Make SecConst.MAXIMUM_QUERY_ROWCOUNT into a configurable value
ECA-4599 - EndEntityManagementSessionBean.revokeCert needlessly tries to revoke all certificates
ECA-4601 - Don't require "/ct/v1" in CT log URL
ECA-4607 - Allow CT Log public keys to be uploaded in DER format
ECA-4620 - Security issue
ECA-4629 - General code improvement
ECA-4633 - New RSA key sizes for the Extended Services in CAs
ECA-4638 - Minor improvements to CT Logs timeouts
ECA-4643 - Remove Dependency checker test.
ECA-4648 - Better configuration default values for languages
ECA-4668 - Proactive public web security hardening
ECA-4672 - Change CMP errors codes, missing aliases and already revoked
ECA-4674 - Proactive web security hardening
ECA-4676 - Allow CMP Proxy server to use multiple CA keychains
ECA-4696 - Add path to SafeNet Luna Client 6.1 to default PKCS11 libraries
ECA-4697 - Add path to SoftHSM to default PKCS11 libraries
ECA-4699 - Replace deprecated references CertTools methods
ECA-4701 - Update XStream and limit classes that can be deserialized by Statedump
ECA-4703 - Use newer BC pattern in CertTools to get rid of some warnings
ECA-4704 - Upgrade BouncyCastle to 1.54
ECA-4712 - Remove BaseCryptoToken.extractKey(String, String, String)
ECA-4720 - Document that the site search uses Google
ECA-4726 - Make "CA Name Change" configurable through Global Configuration
ECA-4734 - Document getAuthorizedAvailableAccessRules better
ECA-4737 - Combine the efforts of ECA-4566 and ECA-4568
ECA-4742 - Clarify error message when admin certificate does not belong to a user
ECA-4748 - cmpclient: Use SHA256 as signature algorithm
ECA-4773 - Lock down statedump when upgrading
ECA-4775 - Improve statedump CLI lockdown handling
ECA-4827 - Default healthcheck.publisherconnections to 'false' as documented in the admin guide
ECA-4845 - Improve error messages for approvals.
New Feature
ECA-4164 - Support for importing DER-encoded CA certificate file via CLI command "ca importcacert"
ECA-4177 - DER-encoded format as output option during enrollment via CSR
ECA-4319 - Include information in key binding CSR when creating from CLI
ECA-4474 - Prefix/override support for statedump during import
ECA-4504 - Make sure that a signature algorithm supported by the HSM is used when the algorithm is not specified.
ECA-4508 - Ability to define custom order of DN in issued certificates
ECA-4561 - Add restriction for EC curve names in certificate profiles
ECA-4566 - Add signature validation of signed requests in CmpProxy
ECA-4567 - Add HMAC PBE validation of signed requests in CmpProxy
ECA-4568 - Revocation checking of signature certificates in CMP Proxy
ECA-4569 - Separate library for certificate path validation
ECA-4600 - Add a CMP client for test purposes
ECA-4608 - Add Bull HSM default options for GUI access
ECA-4609 - GUI: Display the SHA-256 certificate fingerprint
ECA-4640 - GUI enabled statedump import of uploaded file
ECA-4641 - GUI enabled statedump import of bundled file
ECA-4698 - Add generics to CertTools.getCertfromByteArray methods
ECA-4761 - CA name should be displayed in the delete CA prompt
Task
ECA-4138 - Write complete system tests for ClientToolBox
ECA-4497 - Remove .cvsignore files from SVN repository
ECA-4498 - Remove the CESeCore backup/restore scripts from the release zips
ECA-4618 - CMSIncrementalMode is deprecated in Java 8 and should be removed from our config
ECA-4717 - Add systemd sample configuration for RHEL/CentOS
ECA-4730 - Remove old install guides from doc/howto
EJBCA 6.4.2
2015-12-29
Bug
ECA-4555 - PKCS#11 credentials are displayed incorrectly when creating CryptoToken
ECA-4646 - Clear caches failing with NPE in OcspExtensionsCache when an extension class is not found
Improvement
ECA-4463 - Add additional pages to Auditor Role
ECA-4682 - Log X-Forwarded-For if present in OCSP requests
EJBCA 6.4.1
2015-12-01
Bug
ECA-4262 - Name constraints encoding incorrect in a certain case
ECA-4535 - ArrayIndexOutOfBounds when upgrading EJBCA 4 installations
ECA-4582 - Regression: Edit end entity profile notifications bug
ECA-4592 - Approvals contains no relevant information
ECA-4602 - CMP: EEC authmodule - Checking for CA authorization does not work
ECA-4623 - Handle CertificateCreateException with null ErrorCode in public web
ECA-4631 - Security Issue
Improvement
ECA-4574 - GUI: System Configuration sub-section order
ECA-4575 - GUI: Better CryptoToken alias default value
ECA-4576 - Several SAN DNSname in EMPTY profile
ECA-4577 - GUI: SHA-256 by default in CA creation form
ECA-4583 - GUI: CryptoToken page usability (private key export)
ECA-4595 - GUI: CA creation form usability
ECA-4612 - Security Issue
EJBCA 6.4.0
2015-10-26
Bug
ECA-3576 - 'Enforce unique DN' creates a stack trace in public web
ECA-4016 - Unable to activate a crypto token imported by statedump after restarting JBoss
ECA-4022 - Can not use Brainpool or explicit ECC curve in CLI (e.g. import CA certificate, list/export CA)
ECA-4030 - "Key sequence" always set to 00000 when saving uninitialised CA with available crypto token
ECA-4171 - Missing parameter for the --end-entity-password option does not cause statedump import command to fail immediately
ECA-4172 - End entities inaccessible after changing the subject DN of an uninitialised CA
ECA-4197 - Role access rules not updated when changing subject DN of an uninitialised CA
ECA-4228 - Clean redundant method declaration in PublisherSession and PublisherSessionLocal
ECA-4276 - External RA SCEP junit test broken after BC updates
ECA-4283 - Warning about missing intresources running External RA SCEP
ECA-4284 - Possible to create a rollover certificate for a CA waiting for CSR
ECA-4286 - ClientToolBox PKCS11HSMKeyTool can no longer handle sun config file
ECA-4288 - Change usage license info in csv_to_endentity.sh
ECA-4295 - Incorrect documentation on "Finish User" setting.
ECA-4296 - SCEP Client Certificate Renewal shouldn't demand a challenge password
ECA-4298 - Probably wrong description of parameters in help for importcacert command
ECA-4306 - Use UTF-8 in German Admin GUI translation
ECA-4326 - CRLDownload service can't handle multiple revocation changes in a CRL
ECA-4327 - Links from cert enrollment completed page for IE is broken
ECA-4333 - Detect available EC curves in JDK by OID
ECA-4339 - DirectoryName subjectAltName is not added
ECA-4356 - Regression: Sorting of certificates has become random
ECA-4357 - Regression: external-ra-gui doesn't deploy
ECA-4364 - Regression: Error editing Publishers under CA Functions in Admin Web
ECA-4367 - ejbca-ws-generate not run after the addition of CA rollover WS operations
ECA-4368 - intresources missing in externalra-gui war file
ECA-4369 - NPE when trying to create custom publisher that is not pre-edited
ECA-4371 - SCEP Client Certificate Renewal allows renewal using expired certificates
ECA-4381 - OCSP TransactionLogger prints SERIALNUMBER instead of SN for REQ_NAME
ECA-4385 - Internal issue
ECA-4397 - Include custpubl publishers in build
ECA-4399 - System test auth token classes should be commonly accessible
ECA-4400 - Security Issue
ECA-4402 - Subject alternative names dropped when using "Allow merge DN Web Services"
ECA-4405 - ra addendentity CLI command breaks when hard token issuers are enabled
ECA-4414 - Typo error in System Configuration page
ECA-4416 - Verification of CRLs on CAs using Brainpool ECC does not always work
ECA-4418 - Expect OCSP signing if EKU in OCSP signing certificate is marked critical
ECA-4419 - Statedump 6.3 can't import 6.2 dump because ValidationAuthorityPublisher is not on the classpath
ECA-4435 - SCEP: Use empty content in CACert PKCS#7 messages
ECA-4453 - Peerconnector tests and Statedump fails to start due to JNDI problems (NoInitialContextException)
ECA-4457 - EjbcaWS.findCerts(username, isValid=true) should not fetch expired certificates from database
ECA-4469 - 'Edit Service' page: uppercase/lowercase inconsistency in drop down menu
ECA-4471 - Unable to view certificate with E field in issuer DN
ECA-4472 - EJB CLI fails if standalone argument is used after a standalone-enabled switch
ECA-4475 - Validation javascript on End Entity Profile page throws exception
ECA-4479 - CMP RA requests with only notBefore requested does not work
ECA-4483 - Remote EJB serialization of Collection<Certificate> hangs on JBoss 7.1.1.GA
ECA-4484 - EjbcaEventTypes.CA_ROLLEDOVER is missing its language reference
ECA-4489 - No checkbox "Renew keys" on 'Edit CA' page
ECA-4492 - NPE during standard SCEP Certificate Renewal
ECA-4494 - Single Active Certificate Constraint misses certificates due to subject DN differing between UserData and CertificateData
ECA-4495 - NPE in EJBCA WS findCerts when no base64CertData is stored
ECA-4503 - Test case in CertificateCreateSessionTest uses wrong status constants
ECA-4510 - Can't delete admin in access role
ECA-4513 - Unchecking auto-activate does not persist for auto-generated crypto tokens using default password
ECA-4523 - Security Issue, information leak
ECA-4525 - CustomCertExtensions and ExtendedKeyUsages are sorted alphabetically instead of numerically
ECA-4536 - Regression: Approve Action Name not displayed
ECA-4542 - 'List of End Entity Profiles' displays nothing in Auditor pre-defined role
ECA-4554 - NPE in remote IKB page when multiple CA clusters connect to the same VA
Improvement
ECA-3418 - Optimize JBoss reload during install
ECA-3815 - Improve batch command instructions
ECA-4034 - Include end entities in statedump export by default
ECA-4113 - Modify BatchCreateTool to allow easy cleanup of files from p12 directory
ECA-4163 - Move ScepRequestGenerator out of general code
ECA-4174 - PKCS#11 symmetric key unwrapping for KeyRecovery broken for some HSMs on JDK >= 1.7.0_75
ECA-4248 - Swap username and serialnumber for PUBLISHER_STORE_CERTIFICATE audit event
ECA-4254 - Document prerequisite for trusting external CA's leaf cert from IKB
ECA-4273 - Cosmetic cleanup of IEjbcaWS
ECA-4281 - GUI: Optimization of the header banner of Admin GUI
ECA-4287 - Pre-emptive rewrite of CertificateProfile cache
ECA-4291 - Add system tests for EjbcaWS.caCertResponseForRollover
ECA-4300 - Convert System Configuration page to JSF
ECA-4301 - Add tabs to System Configuration Page
ECA-4304 - Allow prefix for self registered users
ECA-4305 - Disable choice in self registration when referenced profile does not exist
ECA-4313 - Allow help text for custom publishers in language file
ECA-4317 - Document how to encrypt the datasource password in standalone.xml for JBoss EAP 6.4/JBoss AS 7.1
ECA-4325 - Remove CertificateCreationException from code
ECA-4330 - Backport ECA-2576 to 6.2
ECA-4331 - Make the static values for revocation reasons into a new type.
ECA-4342 - Have cryptotokens excluded from Clear All Caches by default.
ECA-4351 - Lower log level of misconfigured CertificatePolicies to WARN
ECA-4352 - Always use EC curves OID when possible for key generation
ECA-4361 - Add logging of 'X-Forwarded-For' in OCSP transaction log
ECA-4365 - Document that Health check can be enabled/disabled per CA
ECA-4376 - Add "All CAs" option to Rollover Service worker.
ECA-4390 - GUI: System Configuration page usability
ECA-4406 - Improve how upgrade versions are read, making migration from 6.2.10+ to 6.3+ possible
ECA-4407 - Clarify Illegal key length exception message as limitation by certificate policy
ECA-4415 - GUI: Certificate Profiles page usability
ECA-4430 - Bundle JEE6 API library to minimize appserver build time dependency
ECA-4431 - Update XML schemas for JEE6
ECA-4440 - Fix use of deprecated version of storeCertificateRemote in CertificateStoreSessionRemote
ECA-4441 - Rewrite the ExternalRA GUI to use JSF 2.0 and CSS
ECA-4449 - GUI: CryptoToken page usability
ECA-4454 - Certificate Profiles: Sort Custom Certificate Extension and EKUs alphabetically by label.
ECA-4455 - CustomCertExtensions: Remove limit on number of certificate extensions (was: Identify by OID instead of ID)
ECA-4456 - Allow EjbcaWS.findCerts(username, isValid) to work without UserData
ECA-4458 - Improvements to Certificate Extensions overview page
ECA-4460 - Extended Key Usages overview page should be sorted by OID.
ECA-4461 - Add input validation control to SAN in EEP
ECA-4462 - Minor improvements to Auditor role
ECA-4465 - GUI: End-Entity Profile usability
ECA-4470 - Document how EKUs and CCEs are imported in upgrade
ECA-4480 - ExtRA GUI DB2 support
ECA-4490 - Upgrade EJBCA to BC 1.53
ECA-4515 - Remove translation of CustomCertExtension displayname into readable text
ECA-4517 - Buttons for type of Certificate Profile etc. are confusing for new users
ECA-4531 - ExtendedKeyUsages: remove deprecated method
ECA-4537 - 'End Entity Profiles' are not displayed in Access Rules
New Feature
ECA-3436 - Support WildFly 8
ECA-4264 - Ability to generate link certificate from key on HSM
ECA-4279 - Add ability to specify revocation reason and revocation date when importing certificates in the CLI
ECA-4282 - Allow CMP Proxy to work with External RA backend
ECA-4341 - Add CertificateProfileID to OCSP transaction logs
ECA-4343 - Custom Certificate Extensions and EKUs without recompilation
ECA-4344 - Introduce a Read-Only admin to EJBCA
ECA-4345 - Granular control over elements of the DN in End Entity Profiles
ECA-4360 - SCEP Client Certificate Renewal on a rollover CA
ECA-4372 - New setting for specifying certificate chain order in the public web.
ECA-4396 - Compile and deploy on WildFly 9
ECA-4459 - Certificate Extensions should define their own property fields
ECA-4502 - Improve upgrade procedure with database version detection.
Task
ECA-4289 - Remove outdated sample file change_p12_pwd.c
ECA-4292 - Remove Support for XKMS
ECA-4466 - AdminWeb CSS styles clean up
ECA-4468 - Remove site:publish ant target
Master Ticket
ECA-4432 - Remove JEE5 and JDK6 support
ECA-4375 - Update documentation to reflect dropped JBoss5 and JDK6 support.
ECA-4417 - Remove build and install script specifics for JEE5 app servers and JDK6.
ECA-4433 - Get rid of Hibernate compatibility libs
ECA-4437 - Update ExternalRA GUI to JEE6
EJBCA 6.3.2
2015-05-29
Bug
ECA-4198 - Regression: ScepServlet can't compile in CE
ECA-4202 - Random failure in CMP stress test
ECA-4236 - Peer connections are unable to verify server certificates with critical server auth EKU
ECA-4258 - Table PeerData creation is missing from create-tables-ejbca-*.sql
ECA-4259 - Scep Certificate Renewal is configurable in RA Mode
Improvement
ECA-4038 - Have EJBCA DB CLI fail nicely when built in Community Edition
ECA-4186 - WS - Use the "isRunningEnterprise()" method in EjbcaWSTest
ECA-4201 - SCEP test improvements
ECA-4206 - Add documentation about new WS CLI commands
ECA-4211 - Use ISO8601 date format for CA expiration in initialization log
ECA-4245 - GUI: CA creation page usability
ECA-4255 - Update EJBCA architecture diagrams
ECA-4260 - Add flowchart of SCEP enrollment/renewal to admin docs
ECA-4263 - Move static class load from CryptoTokenFactory singleton to init
ECA-4265 - Small improvements of SCEP config JSF
ECA-4268 - Improve build time
ECA-4269 - Update CMP Proxy README
New Feature
ECA-4168 - SCEP support for CA certificate rollover
ECA-4178 - Admin GUI translated in Czech language
ECA-4199 - Add Enterprise/Community identifier to internal.properties
ECA-4205 - Add new WS CA Admin commands to the WS CLI
Task
ECA-4119 - Enterprise feature
ECA-4120 - Enterprise feature
EJBCA 6.2.10
2015-05-29
Bug
ECA-2138 - External RA GUI cannot handle SubCA certificates with critical CDP
ECA-2282 - Publishing certificate from certificate view GUI to queued publisher causes error message but publishing works anyway
ECA-3789 - Stack trace if CAs in Certificate Profile and End Entity Profile don't match
ECA-3887 - An NPE is thrown at user when submitting invalid CSR during enrollment
ECA-3999 - Make healthcheck setting configurable for new CAs
ECA-4104 - Removing PKCS#11 token makes Crypto Token GUI unusable
ECA-4141 - Several issues regarding End Entity Rules in basic mode
ECA-4147 - Review/fix usage of getAuthorizedEndEntityProfileIds
ECA-4180 - Update FileUpload library used by ExternalRA GUI
ECA-4195 - Ocsp key renewal timer not starting automatically
ECA-4203 - "Check Certificate Status" reports incorrect/misleading status
ECA-4209 - Regression: Ad hoc upgrade of OCSP might be broken by the CachingCryptoToken
ECA-4232 - Regression: Certificate keyUsage invalid from CSR when using allowKeyUsage override
ECA-4243 - POP is not verified properly on WS requests
ECA-4246 - EJBCA Token Certificate Enrollment: Text differs from button name
ECA-4249 - ClientToolBox OCSP test does not work with HTTP GET
Improvement
ECA-4081 - Remove name lookup done by OCSP responder
ECA-4146 - Upgrade BouncyCastle to 1.52
ECA-4157 - Allow import of certificates for non-revoked end entities using importcert command
ECA-4191 - Upgrade cert-cvc project to BC 1.52
ECA-4192 - Replace deprecated methods: constructor for AuthorityKeyIdentifier, and ECPoint.getX/getY
ECA-4194 - Add possibility to prompt for password in CLI calls to setpwd
ECA-4196 - Replace EJBCA logotypes in documentation
ECA-4210 - Validate OCSP signing chain
ECA-4223 - Add favicon to ExternalRA GUI
ECA-4227 - Update EJBCA logo and favicon
ECA-4231 - Change variable names in BaseCaAdminCommand.java
ECA-4266 - Small documentation improvements
New Feature
ECA-4214 - Ability to rename end entities
ECA-4226 - CLI command to remove Publisher with dependencies
ECA-4233 - Add Certificate Profiles setting to limit certificate storage
ECA-4242 - Certificate Profile Setting for restricting certificate data being written to the CertificateData/Base64CertData tables
EJBCA 6.3.1.1
2015-06-01
Bug
ECA-4208 - OcspKeyBindings are not listed as available default responders
ECA-4209 - Regression: Ad hoc upgrade of OCSP might be broken by the CachingCryptoToken
Improvement
ECA-4038 - Have EJBCA DB CLI fail nicely when built in Community Edition
ECA-4245 - GUI: CA creation page usability
ECA-4260 - Add flowchart of SCEP enrollment/renewal to admin docs
Task
ECA-4119 - Enterprise feature
ECA-4120 - Enterprise feature
ECA-4196 - Replace EJBCA logotypes in documentation
ECA-4227 - Update EJBCA logo and favicon
EJBCA 6.3.1
2015-03-26
Bug
ECA-4044 - Ignore EJBCA test certificates from being published using the Peer connector
ECA-4048 - Peer System: Failure to connect when list of trusted certs is empty
ECA-4068 - Add PeerData to drop tables SQL script
ECA-4073 - typo in exception 'Failed to write audit log...'
Improvement
ECA-3146 - Allow a renewal of an external CA certificate by import
ECA-3951 - Add a column to InternalKeyBindingPage/CLI to warn for inactive certificate
ECA-4033 - Do not include administrators registered via certificate serial numbers in statedump
ECA-4092 - Create module for separate enterprise and community specific implementation
ECA-4093 - Lower log-level of CmsCAService "KEYSTORE is null..." message
ECA-4117 - CMPProxy not updated to work with different cmpalias
New Feature
ECA-3581 - Single Active Certificate Constraint
ECA-3754 - CLI: Create a table utility
ECA-4062 - WS API support to create a new CA and Superadmin certificate
ECA-4063 - WS APIs for monitoring certificate expiration
ECA-4064 - SCEP support for Client Certificate Renewal
ECA-4159 - Show what version documentation applies to at all times
Task
ECA-4145 - Document all audit log messages
EJBCA 6.2.9
2015-03-26
Bug
ECA-3619 - Wrong administrator removed from role when deleting at the same time with two separate CA admins
ECA-3788 - CLI needs to set argument --password together with the value when setting it
ECA-3879 - Fix logging of default OCSP responder properly
ECA-4049 - Certificates of non-CAs are accepted when importing external CAs
ECA-4071 - A base64 decoder exception is thrown when inspecting a specially-crafted CSR
ECA-4122 - Typo in Crypto Token HSM Slot
ECA-4148 - EJBCA WS Test test25CreateandGetCRL fails when delta CRLs are enabled
ECA-4152 - "Renew Browser Certificate" should require notifications to be set.
ECA-4156 - Regression: BaseCryptoToken has lost caching of keys since EJBCA4
ECA-4160 - X509CertStoreSelector does not work as used in BC 1.51
ECA-4173 - CLI command ca getcacert always outputs root CA certificate when using the -der option
ECA-4179 - SCEP stress test regression
ECA-4184 - WaitingForApprovalException declares property as public
Improvement
ECA-4128 - Replace references to deprecated class DiskFileUpload
ECA-4137 - Test throw away CA issuance over web service interface
ECA-4181 - Several EjbcaWS tests fail when EEP-limitations are enabled
ECA-4182 - Replace deprecated classes: PEMWriter, DERObjectIdentifier and DERTags
Task
ECA-4090 - Remove broken NetID integration code
EJBCA 6.2.8
2015-03-05
Bug
ECA-3602 - jboss-cli.bat fails when called from jboss.xml on JDK >= 7.21
ECA-3807 - Root CA key is always used when decrypting SCEP requests
ECA-3963 - Save and Test Connection with CT publisher should fail if no CT logs are configured
ECA-4043 - Timing issue in CaRenewCACommandTest
ECA-4065 - "Renew" button still exists for a revoked CA, produces stacktrace
ECA-4067 - Regression: Default RA Admin doesn't have access to the Add End Entity page
ECA-4070 - External CAs turn up on the list of possible CAs when creating End Entities
ECA-4074 - AlgorithmIdentifier of RFC 6960 id-pkix-ocsp-pref-sig-algs extension is not parsed correctly
ECA-4083 - OCSP configuration per certificate profile id is used for CERTPROFILE_NO_PROFILE
ECA-4094 - Remove extraneous authorization checks from PublisherDataHandler
ECA-4095 - Incorrect log output in publisher authorization check
ECA-4096 - Access rule /ca_functionality/edit_publishers does not allow role to edit publishers
ECA-4101 - Security Issue
ECA-4103 - References to deprecated rule '/super_administrator'
ECA-4107 - Allow creation of non standard conformant RAW custom extension
ECA-4110 - Approve Action - NPE after click on the username
ECA-4112 - Regression: External CAs not listed as "Available CAs" in CLI when using addadmin
ECA-4116 - Remove notes and test extension from certextensions.properties
ECA-4131 - CT options can't be changed when using only publishing
ECA-4136 - HardToken Certificate Profile Type has wrong label
Improvement
ECA-3831 - adminmenu.jsp still refers to legacy /superadmin rule
ECA-4011 - Disable "Name Constraints" fields when External CA is selected
ECA-4018 - Upgrade to BouncyCastle 1.51
ECA-4039 - Improve HealthCheck free memory control
ECA-4053 - Speed up HSMKeyTool stress test
ECA-4087 - Update EJBCA copyright notice to match homepage
ECA-4098 - Make sure that CAs in add/edit end entity screen are arranged alphabetically
ECA-4108 - Possibility to disable CT submission for existing non-CT certificates
ECA-4111 - Upgrade cert-cvc subproject to BC 1.51
ECA-4114 - Sort CryptoTokens by name when creating a new Key Binding
ECA-4139 - Editing CMP, SCEP and system configuration requires root privileges
Master Ticket
ECA-3971 - Improve OCSP responder performance
ECA-4054 - Reload CA certificate cache in the background
ECA-4055 - Avoid unnecessary OCSP response signature checks
ECA-4072 - Avoid interactions with AuditLogger and TransactionLogger when disabled
ECA-4082 - Improve OcspServlet.addRfc5019CacheHeaders
ECA-4084 - Improve OCSP HSM signing thread behaviour
ECA-4085 - Additional caching of objects that are the same between multiple OCSP requests
New Feature
ECA-3976 - Cache SCTs in OCSP responses
ECA-4052 - Allow override of EJBCA's subject DN ordering in web service call for issuing certificate
ECA-4106 - Allow to specify number of SCTs in OCSP responses
Task
ECA-4060 - Create a subtarget to ant ziprelease that creates a versioned zip of the statedump source.
EJBCA 6.3.0
2015-01-14
Bug
ECA-2478 - UnrevokeEndEntity unrevokes cert but not user
ECA-3528 - GUI: Some messages not localized in Admin Web
ECA-3590 - Cache the slot list
ECA-3598 - Fix handling of invalid ZIP contents when importing certificate profiles
ECA-3599 - Fix handling of invalid ZIP contents when importing end entity profiles
ECA-3609 - Name constraints properties are duplicated in CLI editca command
ECA-3631 - database valid connection sql for VA publisher is taken from database.properties instead of va-publisher.properties
ECA-3634 - OCSP does not audit and transaction log UNAUTHORIZED messages
ECA-3656 - Forbidden characters can be allowed
ECA-3719 - GUI: Publisher page usability
ECA-3745 - Some languages do not have the standard language code
ECA-3797 - Statedump incorrectly tries to export full BasePublisher object
ECA-3804 - httpsserver.an (altname) is ipaddress 127.0.0.1 by default, and no dnsName matching CN
ECA-3813 - GUIDGeneratorTest fails intermittently
ECA-3841 - JAR file used by CT should be rebuilt for JDK6
ECA-3849 - Admin must be authorized to all CAs to import keybinding certificate
ECA-3855 - Loading saved CMP configuration referencing a deleted EEP results in NPE
ECA-3892 - GUI: A lot of event messages not set in "View Log"
ECA-3908 - Allow OcspKeyRenewalTest to run predictably on system with existing AuthenticationKeyBindings
ECA-3949 - Status parameter in "keybind create" command shouldn't be case sensitive
ECA-3960 - CaPKCS11SessionTest fails and never recovers if test is aborted
ECA-3968 - Sort and count peer connectors correctly in statedump
ECA-3993 - ejbca-db-cli does not work due to PeerConnector
ECA-4003 - "CRL Updater" service doesn't update the CRL
ECA-4012 - Reject IP addresses in dNSName name constraints
ECA-4032 - Regression: Key Recoverable not set in EE when activated and required in profile
Improvement
ECA-2272 - Refactoring some DN attributes and Alternative names naming
ECA-2340 - GUI: Audit Log usability
ECA-2576 - New key sizes available in certificate profiles
ECA-3043 - Document SameRequestRateLimiter better
ECA-3256 - Split the va-war module into its logical parts
ECA-3412 - Rework VA/OCSP documentation
ECA-3414 - Clean up Exception handling in SignSessionBean
ECA-3601 - Enterprise feature
ECA-3654 - Enterprise feature
ECA-3674 - Allow certificate validity before current date using end entity ExtendedInformation
ECA-3720 - GUI: Certificate Profile page usability
ECA-3726 - Make CertSafe implement CustomPublisherUiSupport
ECA-3746 - GUI: Displaying the language name in configuration sections
ECA-3753 - Add OpenSC PKCS#11 to default crypto token library path
ECA-3769 - CryptoToken usage should also include internal key bindings
ECA-3773 - Add NIST PIV Card Authentication extended key usage
ECA-3809 - Improve the message for signed SubCAs regarding the need of *.pem or *chain.pem
ECA-3824 - CertSafePublisher should use a dropdown pane for setting authentication keybindings
ECA-3854 - Optimize Language tool
ECA-3869 - Sort key aliases by name in InternalKeyBinding edit view
ECA-3874 - RSA 4096 keys pre-selected in Crypto Token form
ECA-3891 - GUI: Firefox CRLs direct import removed
ECA-3930 - CryptoTokenManager: Add a column for auto-activation status.
ECA-3955 - Add some missing OCSP system tests
ECA-4051 - Correct documentation of CLI command when updating a CMP alias
Master Ticket
ECA-3144 - Improved sub system integration (EJBCA Peer Systems)
ECA-3652 - Create PeerMessage datatype, ORM and CRUD beans
ECA-3653 - Create basic JSF pages for Peer mgmt
ECA-3659 - Connect GUI with CRUD
ECA-3671 - Add auth checks to CRUD bean
ECA-3694 - Milestone: Make PingMessage work from a PeerConnector created in the GUI
ECA-3699 - Outgoing TLS configuration as part AuthenticationKeyBinding
ECA-3700 - Rename peerconnector-common to *-ejb and move common classes under ear/lib/..jar
ECA-3702 - Basic publishing to peer system
ECA-3704 - Framework for making custom publisher configuration nicer
ECA-3710 - Do parallel publishing when the same thing is published to multiple targets
ECA-3711 - Changes to publishing API for efficient publishing of full CertificateData (and Base64CertData)
ECA-3712 - Efficient resynchronization of data between CA and Peer VA
ECA-3715 - Requested capabilities should be saved when creating peer connector
ECA-3722 - Create CLI support for PeerConnector
ECA-3742 - Publish the same updateTime that is used in the CA's database
ECA-3751 - Manual renewal of OcspKeyBinding at peer
ECA-3752 - Behavioral configuration for PeerConnectors
ECA-3756 - Make InternalKeyBinding access rules configurable
ECA-3757 - Minor PeerConnector refactoring and documentation
ECA-3759 - Service for automatic renewal of remote key bindings
ECA-3762 - Documentation: Create a security model for PeerConnectors
ECA-3770 - PeerConnector GUI improvements
ECA-3775 - Forbid start and return error when background task with same id exist
ECA-3777 - ListPeersCommand improvements
ECA-3778 - Drop concept of capabilities and use regular access rules framework
ECA-3781 - Improve peer message format
ECA-3782 - Stop connection pool and prevent start when peer connector is disabled or URL changes
ECA-3784 - More fine grained access rules for peer connectors
ECA-3785 - Disable plain http connections for peers
ECA-3786 - Shorten peer connector Servlet URL
ECA-3787 - Option for synchronization dry run
ECA-3803 - Peer connector system tests
ECA-3805 - Propagation of peer connection errors to UI
ECA-3806 - CLI for generic peer connection settings
ECA-3810 - Minor PeerConnector GUI improvements
ECA-3811 - Lookup authentication token at pool startup
ECA-3825 - Allow one AuthenticationKeyBinding to be used per Peer Connector
ECA-3833 - JEE5 support for enterprise edition only SSBs
ECA-3839 - Use one connection pool per outgoing id instead of URL
ECA-3840 - Cache PeerOutgoingInformation objects
ECA-3846 - More fine grained errors than UnknownMessageTypeResponse without information leakage
ECA-3850 - Use separate GlobalConfiguration for peer connections
ECA-3867 - Correct peer module license headers
ECA-3876 - Statedump support for peer connectors and configuration
ECA-3881 - Improve error message when peer responds with an unknown or broken message
ECA-3882 - PeerConnector: Ugly errors when using illegal characters in URL
ECA-3898 - Adjust logging of handled failures during peer publishing
ECA-3899 - Show mismatched access rules for incoming peer authorization instead of fixing it
ECA-3923 - Handle additional server side certificate end entity alias from PeerConnectionsTest
ECA-3928 - Rename Remote Systems menu item to "Peer System"
New Feature
ECA-3705 - Create a plugin interface for rules
ECA-3800 - get the certificate of an ocsp keybinding
ECA-3885 - New signature algorithm SHA512withECDSA
Task
ECA-3962 - EJBCA Enterprise feature
EJBCA 6.2.7
2015-01-14
Bug
ECA-3902 - Update EJBCA user guide documentation
ECA-3973 - OCSP key renewal for all keys leads to NPE when logging
ECA-3977 - Regression: CMP algorithmId lacking DERNull when using PKCS#11
ECA-3978 - End entities aren't sorted in statedump output
ECA-3983 - External CAs turn up on the "CA Activation" list.
ECA-3991 - CertTools.stringToBcX500Name fails for sn=#foo
ECA-3994 - ejbca-db-cli copy command does not work due to invalid temp files
ECA-3995 - Upgrade documentation for CMP has wrong ordering of arguments
ECA-4000 - Potential security issue without known exploit
ECA-4007 - "Certification Authorities" and "Publishers" missing from admin menu with access rule /ca_functionality (recursive, accept)
ECA-4009 - Post upgrade fails when old admin groups don't exist
ECA-4014 - CRL Downloader doesn't store empty CRLs
ECA-4019 - Wrong error message for Name Constraint violations with short subject DNs
Improvement
ECA-3798 - Statedump: Incorrect number of end entity profiles are logged as exported
ECA-3970 - Log in OCSPResponder when revoked OCSP certificates are read to the cache
ECA-3984 - Debug log HTTP response body on CT log error
ECA-3985 - Edit CA page load is slow with many keys in referenced Crypto Token
ECA-3986 - Optimize CAToken.getTokenStatus
ECA-3989 - Allow recovery from a bad upgrade of CA Tokens to CryptoTokens
ECA-3992 - Remove critical BC warnings in order to upgrade BouncyCastle to version 1.51
ECA-4008 - Port adjustable transaction timeouts to JBoss 7 / EAP 6
ECA-4017 - Remove database lookups that can be read from cache
ECA-4024 - Add a ? link from the User Data Sources page to the admin guide
New Feature
ECA-4006 - Add test for legacy subject encoding with override enabled via CMP
EJBCA 6.2.6.8
2016-09-26
New Feature
ECA-2842 - Add SAN SRVName OtherName for XMPP Client certificates (RFC 6120)
ECA-2843 - Add SAN XmppAddr OtherName for XMPP Client certificates (RFC 6120)
EJBCA 6.2.6.7
2016-09-08
New Feature
ECA-5322 - Ability to use variables in email subject for email expiration service
EJBCA 6.2.6.6
2016-08-01
New Feature
ECA-5279 - Support RegisteredID in subject alternative name
EJBCA 6.2.6.5
2016-03-22
Improvement
ECA-4947 - Resetting an end entity password after key recovery should not require 'Edit End Entities'-rights
EJBCA 6.2.6.4
2016-03-10
Bug
ECA-4885 - Key recovery requires 'Edit End Entities'-rights
EJBCA 6.2.6
2014-12-03
Bug
ECA-3608 - EJB CLI cryptotoken create command issues
ECA-3828 - Regression: HttpMethodsTest and WebdistHttpTest test failures
ECA-3862 - Security Issue
ECA-3931 - Key recovery fails when user data has changed CA
ECA-3933 - Symmetric keys in crypto token's HSM slot prevent listing of slot keys
ECA-3935 - Regression: Wrong key length used when creating keystore from public web
ECA-3936 - Extra space at end of line in transaction log.
ECA-3937 - Result of stand-alone JUnit tests are discarded during ant test:run
ECA-3943 - Fix ServiceManifestBuilderTest
ECA-3944 - superadmin.cn value lacks quotes in cli.xml
ECA-3948 - OCSP log values ISSUER_NAME_DN and SIGN_ISSUER_NAME_DN contain SERIALNUMBER= instead of SN=
ECA-3958 - Cannot create new CertSafe publisher
ECA-3969 - Default OCSP responder is not used for external CAs without OCSP key binding
ECA-3972 - PKCS#11 keys aren't extractable when they should be
Improvement
ECA-3916 - WS: Return the EndEntity/Certificate profile of a specific profile ID
ECA-3927 - Make systemtests.properties available to peer module and PKCS#11 system tests
ECA-3938 - Add a regression test for ocsp.nonexistingisrevoked
ECA-3942 - Improve logging of ServiceManifestBuilderTest failures
ECA-3954 - Improve the properties output of InternalKeyBindingListCommand to show default property values
ECA-3956 - OCSP response if the requested certificate is revoked is identical in logs to case where issuer of signing cert is revoked.
ECA-3967 - Update httpclient and httpcore to latest version
New Feature
ECA-3939 - Add EV Certificate specific DN components
EJBCA 6.2.5
2014-11-14
Bug
ECA-3901 - Possible NPE when debug is enabled
ECA-3906 - Missing key in CryptoToken for mapped purpose in CAToken will hang healthcheck
ECA-3907 - CAToken to CryptoToken upgrade failure
ECA-3909 - InternalKeyBindingMgmtSessionBean.generateNextKeyPair fails if nextKey already exists
Improvement
ECA-3723 - Allow verbose preference for CLI
ECA-3866 - JavaDoc CLI enums
ECA-3905 - Add instructions how to import certificate profiles in GUI
ECA-3915 - External RA GUI browser enroll does not work with FF 33 and later
New Feature
ECA-3900 - Allow CT log publisher to use HTTP Proxy java system settings
EJBCA 6.2.4
2014-10-29
Bug
ECA-3633 - CMP response caPubs field contain entity certificate instead of CA certificate
ECA-3657 - RA administrator, failure while Approvement
ECA-3716 - Regression: Externally imported CAs appear in list of signers when creating a CA
ECA-3718 - Fix using trusted certificates in Internal Key Binding
ECA-3776 - Prevent API call from setting InternalKeyBinding status to "active" if there is no referenced certificate
ECA-3814 - getcacert does not return CA Certificate
ECA-3822 - CertSafePublisher.testConnection doesn't test URL properly
ECA-3834 - CertSafePublisher does not work under JDK6
ECA-3845 - Certificate Transparency, not selecting any CT log passes issuance even if Min SCTs is 1
ECA-3853 - AKID is different from CA SKID in CRLs, if not using SHA1
ECA-3868 - Attempting to use a non-ocsp certificate for an OCSPKeyBinding fails silently
Improvement
ECA-3826 - ant install shows annoying but harmless error messages
ECA-3843 - Create a link from basic access rules page to documentation
ECA-3848 - Shift GlobalConfiguration* to CESeCore, make plugin friendly
ECA-3860 - New call to get registered global configuration types
ECA-3889 - Allow more than one IKB renewal per second
New Feature
ECA-3580 - Certificate Transparency: Private Domains
ECA-3794 - Default OCSP responder improvements
Task
ECA-3801 - Enterprise feature
EJBCA 6.2.3
2014-09-25
Bug
ECA-3749 - Batch generation information for end entities in statedumps ignored during import
ECA-3755 - Regression: Modifying approval settings when editing a certificate profile is broken
ECA-3760 - Possible ClassCastException when using Subset of SubjectDN in Certificate Profile
ECA-3763 - InternalKeyBinding.getListOfTrustedCertificates trusts everything if specified with a non existing certificate
ECA-3765 - ca init command in cli.xml is missing two switches
ECA-3779 - Values from first loaded certificate profile is shown and saved when editing other profiles
ECA-3783 - Statedump can not export (custom)publisher where all classes are not on statedump classpath
New Feature
ECA-3437 - Cert Safe Publisher for EJBCA
EJBCA 6.2.2
2014-09-03
Bug
ECA-3683 - Statedump: For an uninitialised CA, it appears in its own list of possible issuers.
ECA-3687 - Error upgrading old installations to JBoss 7 (jboss serialization)
ECA-3692 - Regression: Certificate and CRL store download pages empty after server restart
ECA-3695 - 100% upgrade from EJBCA 4 to 6 fails on CertificatePolicy
ECA-3696 - If there is an Ocsp key binding with a messed up certificate, you can get an NPE
ECA-3698 - Clear all caches makes crypto tokens off-line
ECA-3714 - Authority Information Access is deselected in Certificate Profiles under some circumstances when upgrading from EJBCA 4 to EJBCA 6
ECA-3721 - Import of internal key bindings via statedump requires crypto token to be online
ECA-3725 - EJBCA CLI prompts twice for the CLI password when using -p
ECA-3727 - Deprecated (null) extended key usages visible in Certificate profile
ECA-3729 - Statedump: Properties object is copied the wrong way when generating cryptotoken keys from a template
ECA-3730 - Not finding some OCSP request signer certificate in DB
ECA-3732 - clientToolbox ocsp test was not updated after the root certificate was removed from the certificate chain in the OCSP response.
ECA-3733 - cryptotoken create command requires attr flag
ECA-3735 - Statedumped end entities do not keep clear password settings
ECA-3736 - Unable to "Save and Initialize" externally-signed sub-CA imported via statedump
ECA-3744 - InternalKeyBindingCreateCommand misses a null check for missing cryptotokens
Improvement
ECA-3688 - "ant build" fails on JBoss EAP 6.2 installed via RPM package from Redhat repositories
ECA-3690 - Possible information leakage
ECA-3691 - Improve message when profile changes name during work in the GUI
ECA-3707 - Do not generate non-active XKMS and CMS certificates as it can violate name constraints
New Feature
ECA-3149 - OCSP responder support for CertId using SHA256 in OCSP requests
Task
ECA-3703 - Upgrade tomahawk to latest 1.1.14
EJBCA 6.2.1
2014-08-06
Bug
ECA-3589 - First CRL not created when initialising root CA after statedump import
ECA-3613 - Regression: The CLI doesn't parse the value ca.name from install.properties if it contains spaces.
ECA-3615 - SECURITY: Security issue
ECA-3617 - Allow Enterprise Edition to run system tests sans Statedump
ECA-3620 - Import/export profiles rendered during unrelated operations
ECA-3621 - Can't save or initialize uninitialized (= statedump imported) externally-signed CA
ECA-3635 - Regression: Missing user notice and CPS in certificate policy extensions
ECA-3643 - Autoactivate switch in CryptoTokenCreateCommand is obfuscated
ECA-3645 - CLI complaining about unknown CA with id 0 (Improve output for unbound admins)
ECA-3648 - Importing certificate - no email specified error
ECA-3650 - Changing the Subject DN on an uninitialized (=statedump-imported) CA causes all extended services to be lost
ECA-3661 - Statedump can't import PKCS#11 cryptotokens with slots referenced by label
ECA-3664 - Invalid key specification for uninitialised key after importing a statedump
ECA-3670 - Fix exceptions when excluding system/cmp/admin config in statedump
ECA-3675 - Not all defined external RA datasources added in persitence.xml
ECA-3679 - Regression: CA soft keystore pwd is always default when creating CA using CLI
ECA-3685 - Int to Long cast exception upgrading OCSP
Improvement
ECA-3501 - Create CryptoToken key aliases (needed for InternalKeyBindings) during statedump import
ECA-3592 - Update CA IDs for uninitialised CAs when saving
ECA-3606 - Make HSM system tests configurable
ECA-3618 - Configurable environment for testAdminWebSecurityHeaders
ECA-3622 - Fix cosmetic issues with statedump
ECA-3624 - Hide Name Constraint textboxes for external CAs without keys
ECA-3625 - Handle external CAs (=without keys) in Statedump
ECA-3626 - Proper setup of environment for testAuthenticationWithMissingCertificate
ECA-3630 - Allow importing Key Bindings in statedump even when key aliases are missing
ECA-3638 - Don't include external CAs in statedump export by default
ECA-3640 - Modifying uninitialised CAs (from statedump) even if keys are missing/crypto token is offline
ECA-3662 - Don't export end-entity passwords from statedump
ECA-3663 - Don't export crypto token auto-activation passwords in statedump
ECA-3665 - Import all crypto tokens in inactive state during statedump import
ECA-3666 - Better error message during statedump export if crypto token is offline
ECA-3667 - Show warnings during statedump export for exclude patterns that did not match anything
ECA-3668 - Improve options format of statedump tool
ECA-3669 - Better warning/error output in statedump utility
ECA-3677 - Do not allow export of CA keystores not protected by password
ECA-3689 - Improve parameter naming per internal suggestions
New Feature
ECA-3636 - Statedump CLI command to initialize statedump-imported CA
ECA-3637 - Ability to limit what is exported in statedump
ECA-3639 - Placeholders for keys in crypto tokens imported via statedump
ECA-3642 - Include end entity information in statedump
EJBCA 6.2.0
2014-06-18
Bug
ECA-3216 - Return unsigned response "unauthorized" when no default responder configured, or wrongly configured
ECA-3299 - OCSP request signer verification does an additional database lookup
ECA-3454 - Inconsistent skip options for state dump import
ECA-3481 - Minor security hardening
ECA-3489 - Fail fast creating CVCCAs when unique certificatedata_idx12 is enabled
ECA-3492 - renameRole() tries to change primary key and triggers a HibernateException
ECA-3495 - The public part of a key is still on the P11 token after the private part is removed.
ECA-3496 - java.lang.IndexOutOfBoundsException when selecting empty crypto token for internal key binding
ECA-3499 - Overwriting a CA with StateDump can leave cert/ee profiles in an invisible state
ECA-3506 - ejbca-ws-generate target missing dependencies
ECA-3517 - "Lock wait timeout exceeded" when disabling multiple access rules with MariaDB Galera
ECA-3518 - NPE if only period length is provided for private key usage period
ECA-3521 - Certificate & End-Entity Profiles with missing CAs become invisible, even for superadmin
ECA-3534 - NullPointerException when adding a user without password
ECA-3535 - State dump unselects "Any CA" from profiles during import
ECA-3536 - ejbca-db-cli does not work since change to use ServiceLocator
ECA-3537 - Clean up exception handling in CertificateCreateSession
ECA-3551 - Certificates are not submitted to CT when generated from CLI, etc.
ECA-3582 - CMP can not handle some valid CSRs.
ECA-3587 - Update default Modifiable Fields in User Data Sources
ECA-3588 - Regression: PrintableString encoding for DNs does not work
ECA-3594 - Security related
ECA-3596 - Creating limited CertificateData fails with certain databases
ECA-3605 - Error when trying to create authenticated CVC CSR
Improvement
ECA-631 - Enforce naming constraints present in CA-certificates
ECA-2126 - Certificates that are issued in revoked state should never be active
ECA-2690 - Create a CLI parameter handler
ECA-3320 - Simpler format for specifying CA validity dates
ECA-3468 - Implement statedump Subject DN renaming properly inside EJBCA
ECA-3477 - Give focus to incorrectly marked fields in edit CA page
ECA-3482 - Minor security hardening
ECA-3483 - Minor security hardening
ECA-3484 - Minor security hardening
ECA-3490 - ICAO Master List Signer extended key usage
ECA-3491 - Allow system tests to target non-localhost interface
ECA-3494 - Suppress repeated OcspSigningCache warnings
ECA-3502 - Allow system tests to use HSM when available
ECA-3503 - SSB cached in CertificateCache
ECA-3509 - ExternalRA: Oracle Database Support in database mapping setup
ECA-3510 - Replace references to java.util.Vector
ECA-3513 - Audit log when a CT pre-certificate is generated and sent to a log
ECA-3515 - SCEP: Rewrite the configuration process to use one URL and multiple aliases
ECA-3516 - SCEP: Implement configuring SCEP in the AdminGUI
ECA-3519 - Minor security hardening
ECA-3524 - Improve memory usage during CRL generation
ECA-3525 - Do not use the HSM for hashing when signing data
ECA-3531 - SCEP: Remove DefaultCA configuration
ECA-3532 - Fix documentation of the command "ejbca.sh config cmp uploadfile"
ECA-3538 - clientToolBox p11 test multiple times in same jvm, to test if objects on a p11 token can be updated from another application.
ECA-3540 - External RA: Oracle Database mapping support in RA GUI
ECA-3544 - Make error messages and success messages easier to distinguish
ECA-3547 - GUI: Better item order for the System Functions menu
ECA-3555 - CLI: able to list key bindings with non existing cryptotokens
ECA-3557 - Add simplified CAInfo constructors
ECA-3561 - Request subCA certificate from external CA without uploading the chain
ECA-3565 - Rewrite Certificate Profile page in JSF
ECA-3566 - Encapsulate HashID properly
ECA-3569 - Effectivize the reloading of CaCertificateCache
ECA-3572 - Use JavaScript for certificate installation redirect in public web
ECA-3579 - Remove CERT_TEMP_REVOKED since it's not used
New Feature
ECA-688 - Import / Export profiles from WebUI
ECA-2114 - Rename EJB CLI for fetching CA certificates from getrootcert to getcacert
ECA-3109 - Add native support for Name Constraints
ECA-3123 - ICAO DocumentType List certificate extension
ECA-3124 - Add the Issuer Alternative Name certificate extension to the GUI
ECA-3530 - Ant targets for creating source and binary releases of CESeCore
ECA-3542 - Support for IE11 in Public Web
ECA-3543 - Support IE11 in External RA GUI
ECA-3559 - Service for populating database with revocation status of certificates from CRL
ECA-3584 - Choice of token type in Public Web self-registration page
Task
ECA-3394 - French language files updated for the new functionalities
ECA-3419 - CAAdminSessionBean.exportCAKeyStore throws Exception
ECA-3478 - Have all system tests write results to the same directory
ECA-3546 - French language files updated for SCEP Configuration
ECA-3420 - Convert all EJB CLI commands to the new standard
EJBCA 6.1.3
2014-04-28
Bug
ECA-3520 - CAs from statedump signed by external CA cannot be initialised
ECA-3523 - Backport Statedump bug fixes to 6.1
ECA-3526 - GUI: Missing l10n message keys in CMP Alias Edit page
ECA-3527 - GUI: Misspelled DN attribute in CMP Alias Edit page
EJBCA 6.1.2
2014-04-09
---
Bug
ECA-3514 - Browser enrollment link is generated with incorrect encoding
EJBCA 6.1.1
2014-03-27
---
Bug
ECA-3479 - Regression: OCSPSigningCache debug causes an NPE for internal OCSP default responders
ECA-3480 - Regression: Creating a CA in Adminweb issues Stacktrace
ECA-3485 - Regression: Certificate Profiles with EAC 2.10 AT role doesn't work with database protection
ECA-3487 - Regression: Unique certificatedata_idx12 is not detected
EJBCA 6.1.0
2014-03-24
---
Bug
ECA-3179 - Regression: NoTicket (r17302) introduced a dependency on EJBCA in a CESeCore test class
ECA-3182 - Regression: ECA-2988 introduced a dependency on EJBCA in a CESeCore test class
ECA-3427 - Syntax for jboss-cli.bat through ant targets fails in Win
ECA-3432 - CertificateCreateException: java.lang.NumberFormatException: For input string: "LU002" when trying to create a foreign DVCA
ECA-3433 - OcspResponseGeneratorSessionBean.init should not throw AuthDeniedException
ECA-3435 - JUnit failure in PublisherTest when DB protection enabled, add subjectKeyId to CertificateInfo
ECA-3439 - Creating a CA with DN: <anyfield>=, creates a StringIndexOutOfBoundsException
ECA-3447 - Regression: serial numbers in administrator list are not clickable
ECA-3452 - Make sure that decline+recursive rules aren't saved from the GUI
ECA-3455 - Files missing from cesecore-common.jar
ECA-3457 - Unnecessary WARN message
ECA-3458 - Ant paths don't work on Windows via jboss-cli
ECA-3460 - State dump tool does not import any data with "-overwrite no"
ECA-3467 - Mail from address is not configured
ECA-3470 - SCEP operations may fail when using an HSM
Improvement
ECA-3348 - Add individual OCSP get cache settings for revoked, unknown and good responses
ECA-3351 - OCSP: don't include root certificate in response certificate chain
ECA-3411 - Use SHA256WithRSA as default for ManagementCA
ECA-3429 - Compile on Glassfish 4
ECA-3430 - Compile on WildFly 8
ECA-3434 - Upgrade Guava library in order to deploy in JEE7 container
ECA-3440 - Support running clientToolBox EjbcWsRaCli with IBM java
ECA-3443 - Allow empty values for start and end time without printing 'invalid' when adding end entity
ECA-3445 - Document how to use slotLabels with clientToolBox
ECA-3461 - Add encryption key information to key recovery data in database
ECA-3472 - Improve usability of edit CA page by marking required fields
New Feature
ECA-3133 - Support RFC6960 extension for client requested algorithm selection
ECA-3350 - OCSP: Add option to include signer certificate or not
ECA-3415 - CVC access control template for additional DGs
ECA-3444 - Allow longer certificate serial numbers than 64 bits
ECA-3449 - Show issuer and serialNumber after public web enroll
Task
ECA-3450 - Update the Public Web logo filename for better integration
EJBCA 6.0.4
2014-02-20
---
Bug
ECA-3055 - Not authorized to edit publisher when publisher cache disabled
ECA-3198 - Regression: ECA-2973 introduced a dependency on EJBCA in CESeCore test code
ECA-3210 - CA upgrade when ExtRACAServiceWorker fails to persist
ECA-3337 - KeyBind EJB CLI fingerprint reference is case sensitive
ECA-3361 - Cannot deploy with web-services disabled
ECA-3364 - ExternalRA: Allow SCEP GetCACaps without message parameter
ECA-3366 - Syntax in jboss-cli.bat for passing commands fails in Win
ECA-3372 - OCSP Archive Cutoff can give NPE
ECA-3373 - init() method is not called on OCSP extensions
ECA-3375 - CLI ca restorekeystore gives exception for soft ca
ECA-3382 - Test files have lost character encoding, change source file encoding to UTF-8
ECA-3383 - CertTools.genPKCS10CertificationRequest does not use the specified provider
ECA-3386 - httpserver.external.privhttps default to 8443 even though httpserver.privhttps is set to something else
ECA-3387 - Can not edit Sub CA signed by external CA
ECA-3388 - editcapage.jsp contains a slightly confusing help text
ECA-3389 - OCSP key binding properties visible for authentication key binding
ECA-3392 - InternalKeyBindingDataSessionBean.getInternalKeyBindingForEdit(int) throws NPE if no value was found.
ECA-3395 - Proper handling of certificate import/update when base64cert is not populated
ECA-3396 - InternalKeyBinding error using Postgres 9
ECA-3397 - Subject key ID not published by VA publisher
ECA-3398 - java.lang.IllegalArgumentException thrown when importing OCSP key binding certificate
ECA-3399 - Incorrect error message when editing uninitialised CAs if private keys are missing
ECA-3401 - Can not generate keys on soft crypto token with allowExport=false
ECA-3403 - Admin GUI create CRL fails with UTF-8 encoded CA DN
ECA-3405 - StateDump test fails because of refactorization
ECA-3406 - Trying to delete a non-existing keybinding causes NPE
ECA-3408 - StateDump import overwrites CAs with the same name without asking
ECA-3410 - StateDumpTest needs Hibernate compatibility jar
ECA-3421 - Upgrade jar file
ECA-3423 - Fix statedump overwrite response handling and test
Improvement
ECA-2828 - Document authorization rules in EJBCA
ECA-2982 - Add option to 'bin/ejbca.sh ca republish' command to republish only CA certificate and CRL
ECA-3081 - Improved error message during batch generate when using invalid key size
ECA-3082 - Improve message about configuration during batch generate
ECA-3150 - Remove scripts used on http://ejbca.org from bundled documentation.
ECA-3169 - Improve wording of some options of "Externally signed CA"
ECA-3290 - Cache headers still present for OCSP responses containing nonce
ECA-3365 - Audit log Internal Key Binding operations
ECA-3370 - Allow import of OCSP certificates with non-repudiation key usage
ECA-3371 - Make JBoss EAP 6 specific physical file deployment of BC provider
ECA-3374 - Add JUnit test for OCSPUnidExtension
ECA-3384 - Add a password argument to CaImportCACommand
ECA-3385 - Move audit implementation classes to cesecore-ejb-interface
ECA-3404 - StateDump test should run from test:runsys when available
ECA-3407 - Optimize JBoss reload during deploy
ECA-3409 - Sort XML in statedump exports in a deterministic order
ECA-3424 - Regression: All cli commands prints out loading batch properties from default
Master Ticket
ECA-3355 - Implement Certificate Transparency
Task
ECA-3368 - Deploy on JBoss EAP 6.2.0 has disabled datasource by default
ECA-3380 - Move keybinding implementation classes from cesecore-ejb-interface to cesecore-common
ECA-3400 - Shift OcspExtension* to cesecore-common from cesecore-ejb-interface
Sub-task
ECA-3377 - Create unit tests for all CLI Commands
EJBCA 6.0.3
2013-12-30
---
Bug
ECA-3293 - Customer specific LDAP Publisher should use correct time in loginfo attribute
ECA-3297 - Other Rules for Supervisor role is not cleared if previously selected for another role type
ECA-3339 - Statedump doesn't delete certain .jar files on "ant clean"
ECA-3341 - Creating internal key binding with CLI does not consider types for property values
ECA-3344 - Regression: PKCS11 sun config does not work
ECA-3345 - Regression: Max-Age and Response validity no longer visible/editable for ocsp key bindings
ECA-3346 - CMP Config CLI command should use lazy instantiation of remote EJB
ECA-3349 - EJBCA deployment not working in WINx64 due to PKCS11
ECA-3360 - Ejbca deployment tries to use jboss-cli.sh instead of jboss-cli.bat on windows
ECA-3367 - Editing Key binding integer/long values in GUI removes the value (becomes default 0)
Improvement
ECA-3289 - Do not cache "Unknown" OCSP GET responses
ECA-3347 - Modify EJB CLI to use ServiceLocator
ECA-3352 - Faster CLI start, use lazy instantiation in EJB CLI
ECA-3359 - Move authentication tokens from cesecore-interface to cesecore-common
New Feature
ECA-3314 - OCSP Archive Cutoff
ECA-3332 - Add Extended Revoked Definition OCSP extension when returning revoked for non existing certificate
ECA-3335 - Create a standalone manifest builder tool
Task
ECA-3316 - Modularize EAC
ECA-3338 - Modularize CMP vendor CA mode
ECA-3340 - Modularize ValidationTool
ECA-3342 - Make JUnit tests run for EJBCA Community
EJBCA 6.0.2
2013-11-29
---
Bug
ECA-2449 - Creating a CA without a valid SubjectDN causes double JS popups.
ECA-3321 - Improve CMP configuration user interface
ECA-3324 - Quote arguments of ca init during install
ECA-3327 - SaferDailyRollingFileAppender extends wrong base class
ECA-3328 - OCSP Signing cache should handle cache discrepancies gracefully
ECA-3331 - EJBCA does not deploy without ejbca-db-cli sources available
ECA-3334 - Change untilNextUpdate and maxAge properties in OcspKeyBinding from Integer to Long
Improvement
ECA-3132 - Support returning "revoked" for unknown certificates in line with RFC6960
ECA-3309 - Some versions of MySQL pick bad index mixing OR and AND
ECA-3318 - CMP: Include certificate chain in certificate responses
ECA-3323 - Reload OCSP cache manually
ECA-3325 - Minimize locking in audit log's sequence counter
EJBCA 6.0.1
2013-11-19
---
Bug
ECA-3302 - Escaping of user-provided data when no characters are forbidden
ECA-3303 - SECURITY: XSS issue
ECA-3306 - Leaving out "Validity" with Javascript disabled gives an exception
ECA-3307 - Renamed CAs not be overwritten by statedump
ECA-3308 - OCSP HealthCheck does not work with InternalKeyBindings
ECA-3310 - Wrong items are selected in uninitialized CAs
Improvement
ECA-3295 - Allow editing most fields in uninitialized CAs
ECA-3301 - Unify error messages for invalid username and pwd
ECA-3312 - Can't create CAs with DSA extended services key
ECA-3313 - Problems with extended services and uninitialized (statedumped) CAs
ECA-3317 - Allow import even if not all files exist
Master Ticket
ECA-3296 - Improve Statedump usability and fix bugs
New Feature
ECA-3311 - Ability to choose names to not overwrite during statedump import
Task
ECA-3305 - Modularize database integrity protection and database cli
EJBCA 6.0.0
2013-11-08
---
Bug
ECA-1015 - A ' is valid in an email address - but gets stripped by EJBCA.
ECA-1640 - Sample code for advanced custom extension missing some arguments
ECA-1947 - LDAPPublisher have problems with comma in DN
ECA-2144 - ExtRA PKCS10Request does not set user status to FAILED after failed requests
ECA-2150 - SignSessionTest.test37privateKeyUsagePeriod_both fails randomly
ECA-2159 - Password not cleared issuing keystores
ECA-2200 - CA defined certificate policy ignored when renewing CA
ECA-2330 - Build failure for External RA with OpenJDK if JavaScript is not available
ECA-2365 - OCSPCAService upgrade on every startup
ECA-2393 - Create Certificate Authority Page only gives blank page on wrong validity input
ECA-2442 - Multiple selectable email addresses in rfc822 altName gives wrong display in edit end entity
ECA-2477 - Import CA does not generate initial CRL
ECA-2527 - Wrong exception thrown in HardTokenSessionBean for some errors.
ECA-2534 - Regression: Not checking that the administrator has the role defined in the hard token issuer any more.
ECA-2547 - clientToolBox StressTestCommand always logs an error when a certificate is returned
ECA-2669 - Still possible to create DECLINE RECURSIVE rules in CLI
ECA-2689 - Misleading error message in JBoss log while trying create a sub CA from the CLI when the root CA is offline.
ECA-2719 - Download of certificates from Admin GUI fails in Chrome when using "strange" usernames
ECA-2734 - OCSP rekeying not implemented in trunk yet.
ECA-2794 - EJB and WS CLI have bad type outputs
ECA-2815 - OcspExtensionsCache should be made thread safe
ECA-2834 - Unhelpful error message when changing permission rules for non-existing end entity profile in CLI
ECA-2860 - Default CRL overlap time is set to 10 hours instead of 10 minutes for imported CA
ECA-2863 - CMP FailInfo codes are sent as incorrect codes
ECA-2865 - rfc822Name field can be edited when adding new end entity even if not marked as modifiable
ECA-2877 - ant test:run breaks installation. Figure out why and fix
ECA-2894 - Messing up the Validity field in Certificate Profiles gives no warning
ECA-2905 - PrivateKeyUsagePeriod not matching notBefore of certificate when using validityOverride
ECA-2914 - Filename of downloaded keystore file is truncated
ECA-2918 - Clear all caches gives bad error message when host can not be reached
ECA-2921 - Deprecate InitializeHardTokenIssuing
ECA-2923 - JUnit class junit.framework.Assert has moved to org.junit.Assert
ECA-2934 - Revoking a CA revokes all issued certificates, but with fixed reason
ECA-2940 - Ant target test:runsys broken
ECA-2952 - Update to new logo in renewal pages
ECA-2958 - Wrong comments about PrimeCard
ECA-2961 - Button for viewing CA certificate chain has incorrect text
ECA-2964 - Native query mapping using MariaDB
ECA-2977 - ProviderException not handled in BaseCryptoToken
ECA-2989 - AccessTreeCacheTest can fail if reading the configuration takes too long time
ECA-2994 - Broken property "xkms.response.causedforsigning" in defaultvalues.properties
ECA-2996 - Update/set CryptoToken auto-activation PIN from EJB CLI
ECA-3024 - Error during startup with integrity protected audit disabled
ECA-3031 - Support EC key generation with ClientToolBox
ECA-3035 - CA and CryptoToken creation not handled in a transaction.
ECA-3036 - Cryptotoken prevents a CA to be created with the same name as a previous one.
ECA-3046 - Help reference for Windows Autoenroll broken
ECA-3052 - Minor authorization issue
ECA-3054 - OcspResponseGeneratorSessionBean merely logs a failed signature attempt
ECA-3056 - Issue PEM with full certificate chain from Public Web certificate request
ECA-3057 - CryptoTokenManagement logs success deletion even if no crypto token is deleted
ECA-3058 - CryptoTokenManagement logs success before action is tried
ECA-3061 - Clean-up CAInterface bean and dependencies
ECA-3065 - NPE: Inactive (including unsigned) CAs should be ignored by the OCSP Signing Cache
ECA-3072 - Cmp default CA setting is DN in one place and CA name in another
ECA-3074 - CMP TCP sets log level to FINEST for JBoss 7/EAP6
ECA-3079 - Close all existent resource leaks
ECA-3087 - 'bin/ejbca.sh ca info <unknownca>' tosses stacktrace instead of helpful error message
ECA-3088 - Test missing for creating a subca from CLI
ECA-3096 - 'ra finduser' command outputs password as 'null' if hidden.
ECA-3098 - Regression: Home screen in Admin GUI shows online CAs to be offline for some roles.
ECA-3101 - Regression: RequestMessage.getRequestX500Name returns SERIALNUMBER instead of SN
ECA-3103 - Test failures because of left over stuff in database
ECA-3107 - Investigate strange output from OCSP
ECA-3111 - JBoss 7 / EAP 6 always binds to 127.0.0.1
ECA-3113 - JBoss 7: Can't run ant install on HS with blank password
ECA-3115 - JBoss EAP 6 freezes with WS stress test with 30 threads
ECA-3117 - client toolbox p11 multi thread test fails when slot is given with TOKEN_LABEL.
ECA-3121 - Regression: OCSP signing cache may fail to load on startup
ECA-3129 - Keystore is used instead of truststore for validating client certificates
ECA-3131 - Encode EC private keys in generated PKCS#12 keystores with NamedCurves
ECA-3134 - JBOSS 7 / EAP 6 fails in deployment
ECA-3138 - External RA IE cert enroll ignoring (override) of encryption provider selection
ECA-3141 - Regression: ECA-3056 introduced a dependency on EJBCA in CESeCore code
ECA-3142 - Regression: ECA-2973 introduced a dependency on EJBCA in CESeCore code
ECA-3143 - Regression: ECA-3056 introduced another dependency on EJBCA in CESeCore code
ECA-3176 - Regression: Keys possible for CA renewal are only RSA
ECA-3177 - Data is not validated before being passed to org.bouncycastle.util.encoders.Base64.decode in findActiveCertificatesByType
ECA-3183 - Healthcheck failure when there are not active OcspKeyBindings
ECA-3184 - JBOSS7 /EAP 6 fails in installation
ECA-3186 - Regression: Custom certificate extensions added to certextensions.properties
ECA-3188 - Document Internal Key Bindings
ECA-3197 - ClientToolBox requires that CA certificate be included CSP response in order to verify
ECA-3200 - Healthcheck status is enabled when editing a CA
ECA-3203 - Disable of CryptoToken auto-activation takes token offline
ECA-3207 - Regression: ad-hoc upgrade of PKCS#11 keystore on VA responder not working
ECA-3209 - Regression: OCSP default responder configuration uses subject instead of issuerDN
ECA-3212 - Internal Key Binding certificate link has caid=0
ECA-3213 - Regression: CA healthcheck does not check token status
ECA-3215 - Roles renamed with RoleManagementSessionBean.renameRole get wrong primary keys
ECA-3219 - OcspKeyBinding contains values that become cast to BigDecimals instead of Integers
ECA-3220 - Regression: Reload OCSP signing cache uses wrong timer property, and a value of 0 makes timers go crazy
ECA-3221 - Can't edit an OCSPKeyBinding without filling Serial Number (for Trusted Certificates) field.
ECA-3223 - When new CA is generated with soft keys, unwanted warnings appear in jboss log
ECA-3224 - Trying to create Internal Key Binding without crypto tokens gives NPE
ECA-3227 - DirectoryCache should catch errors in initialization
ECA-3234 - Hard Token Functionality header printed twice
ECA-3235 - Unwanted warning in jboss-log when we create keys through AdminGUI
ECA-3237 - cmpTcpProxy fails to start, missing defaultvalues.properties
ECA-3239 - InternalKeyBindings with a deleted CryptoToken throw NPE when trying to view/edit
ECA-3242 - Errors in jboss log when 'ca createcrl' and some CAs are not active
ECA-3246 - Unwanted warning in jboss-log when running AuthenticationModulesTest
ECA-3251 - Activating/deactivating CA logs as Crypto Token activated/de-activated
ECA-3266 - EndEntityManagementSession.addUser throws a strange exception
ECA-3269 - Unwanted warning in jboss-log when running XKMSKRSSTest
ECA-3270 - Test 'testPublisherOperations' fails when running EjbcaWsCommonCriteriaTest
ECA-3271 - External CESeCore configuration override is read from the wrong location
ECA-3274 - Unwanted warnings in jboss-log when running RAApiTest
ECA-3276 - Unwanted error in jboss-log when running CrmfRARequestTest
ECA-3277 - Unwanted warning in jboss-log when running NestedMessageContentTest
ECA-3279 - Fix issues in OCSP TransactionLogger
ECA-3280 - Upgrade instructions need to be updated for JBoss 7 / EAP 6.1
ECA-3281 - Fix upgrade message from 4.x to 6.0
ECA-3284 - ValueExtractor fails for ApprovalId Integer in DB2
ECA-3286 - Browser enroll Firefox does not take configured encoding into account
ECA-3287 - OCSP signing exhausts threadpool after some time
ECA-3288 - Saving "Other rules" when edit access rules does not work
ECA-3294 - Security issue
ECA-3300 - OCSP Transaction Logger outputs a newline between each log entry
Improvement
ECA-519 - Move configuration file from bin/ to conf/
ECA-786 - Email notification cannot be edited correctly
ECA-1010 - Simplify installation procedure
ECA-1398 - Enforce PrivateKeyUsage period when CAs issue certificates
ECA-1594 - HashCode of Subject/Issuer DN in a certificate is not always the same as CA Id
ECA-1814 - Make non consecutive ID possible for Extended Key Usage
ECA-2023 - Trim the values in catoken.properties when importing a CA from CLI
ECA-2049 - Constants in CertificateHelper should be final
ECA-2164 - test01PinServiceToNodesIncludingThis is failing randomly
ECA-2208 - Move authorization for hard tokens into hard token session bean and remove authorization caching.
ECA-2225 - server TLS for mail requires manual configuration
ECA-2367 - Refactor CrlCreateSession for CRL publishing
ECA-2492 - Improve mysql-privileges script to allow users at different hosts etc
ECA-2500 - Upgrade to BC v1.47
ECA-2510 - Move methods in PublisherQueueSessionBean to local only.
ECA-2528 - Clean SecConst
ECA-2540 - Improve support for ipv6 in subjectAltNames
ECA-2545 - SCEP GetCaCert operation doesn't support empty message
ECA-2554 - CMP: Need better error message when a request is not signed by the sender
ECA-2558 - Improve the run times of some system tests
ECA-2561 - CMP: Remove repeated code to return the value cmp.authenticationparameter
ECA-2565 - Move CliAuthenticationToken to authentication component
ECA-2566 - Disallow server generated tokens when user submits a CSR in public web
ECA-2568 - CMP: improve ConfirmationMessageHandler
ECA-2582 - Make an enum for end entity types
ECA-2623 - Use new BC API for CRL creation.
ECA-2628 - Use BC CMP classes instead of Novosec
ECA-2641 - Use BC 1.47 OCSP classes
ECA-2680 - Clean HardTokenSessionBean of unnecessary AuthenticationToken parameters.
ECA-2683 - Clean authorization handling in AdminPreferenceSessionBean
ECA-2684 - Clean authorization in CertReqHistorySession
ECA-2685 - Clean authorization in KeyRecoverySessionBean
ECA-2686 - Clean Authorization in ServiceSessonBean
ECA-2692 - Handle HSM timeouts - handle timeouts elegantly.
ECA-2725 - CAInfo.setValidity should have long parameter
ECA-2752 - Deprecate and stop using UserDataConstants. Use EndEntityConstants instead
ECA-2757 - Add more getters and setters and null checks, use Lists instead of Collections where needed.
ECA-2793 - Improve javadoc for RoleManagementSession
ECA-2800 - Move OCSPUnid* classes from org.ejbca.core.protocol.ocsp to org.ejbca.core.protocol.ocsp.extension.unid
ECA-2807 - Remove PrimeCardHSM references from documentation
ECA-2821 - Increase concurrency in stand alone tests
ECA-2826 - RoleManagementSessionBean requires additional authorization checks
ECA-2840 - ant javatruststore -Dtrust.keystore parameter is treated relative to the ejbca/bin/ directory
ECA-2857 - EndEntityAccessSession.findUserBySubjectAndIssuerDN should return a List
ECA-2864 - Change the wording for the E-mail Domain option in end entity profiles
ECA-2879 - Add custom serialno test that fails when there is no unique index
ECA-2895 - Provide ability to provide the administrator password through file for new admins roles GUI with CLI user
ECA-2903 - Simplify AuthenticationToken framework
ECA-2908 - Support ECC for CMP signature protection
ECA-2917 - Rename AdminCA1 to ManagementCA
ECA-2941 - Unclear description of CRL publishing conditions in Validation Authority Publisher
ECA-2943 - Modularize the CESeCore source tree
ECA-2948 - Improve handling of default profiles when using CMP RA mode
ECA-2957 - Add known PKCS#11 libraries as default available
ECA-2965 - Allow password to be supplied via command line for clientToolBox PKCS11HSMKeyTool generate
ECA-2970 - Log remote IP for ADMINISTRATOR_LOGGED_IN events and web service access
ECA-2978 - Database connection problems can give stacktrace with no msg
ECA-2986 - Property for hiding manual classpath entry from custom publishers and services
ECA-2987 - Add debug logging in AccessTreeCacheTest
ECA-3016 - Ugly errors creating CA with CLI when CryptoToken or CA already exists
ECA-3018 - Exception classes should end with "Exception" not "Error"
ECA-3020 - Fix tests using incorrect values for CRL settings
ECA-3022 - Turn off autocompletion of password on public web
ECA-3026 - Have parameters outputted from localized messages even if not found
ECA-3027 - Improve CMP configurations possibilities
ECA-3028 - Make possible using custom CMP configurations through alias in the URL
ECA-3030 - Make possible to edit CMP configurations in the AdminGUI
ECA-3033 - Upgrade BC from 1.49b01 to 1.49b15
ECA-3062 - Simplify certificate enrollment page
ECA-3064 - Disable CertReqHistory by default for new CAs
ECA-3069 - Replace deprecated class org.bouncycastle.jce.PKCS10CertificationRequest with org.bouncycastle.pkcs.PKCS10CertificationRequest
ECA-3091 - Detect browser directly instead of using of via the log-in page
ECA-3093 - Re-sort menu options in Admin GUI alphabetically
ECA-3094 - Update nomenclature in CLI
ECA-3099 - Add a "result page" after certificate enrollment has been performed
ECA-3102 - Public Web: rename password to enrollment code
ECA-3104 - Default key length for batch generation should be 2048, not 1024
ECA-3105 - Introduce ability of not having any QC statements in the QC extension in certificate profile configuration
ECA-3106 - Keylength defaults should be 2048 not 1024
ECA-3108 - Encoding of MS Certificate Template Name extension should be BMPString
ECA-3112 - Limited admins in admin GUI spams with INFO logs
ECA-3136 - Support listing of PKCS#11 slots in the AdminGUI by token label
ECA-3145 - Clean up left overs of EJBCA OCSP code
ECA-3166 - Use better wording for Certificate Request Data in Admin GUI
ECA-3175 - Clear All Caches button should also clear GUI session cache
ECA-3189 - CMP: Read the CA from the relevant End Entity instead of from the request or cmp.defaultca
ECA-3190 - CMP: Enforce configuration of EndEntityCert authentication module for KeyUpdate request
ECA-3191 - CMP: Improve the conditions and readability of CMP authentication modules
ECA-3206 - CMP: Remove PBE authenticating of ConfirmMessage
ECA-3218 - OCSP cache update logs access control
ECA-3243 - Editing Internal Key Bindings is slow
ECA-3244 - Error message about OCSP key renewal although renewal is disabled
ECA-3245 - Clean up and format the UPGRADE document
ECA-3247 - Unwanted warning in jboss-log when running CrmfRAPbeRequestTest
ECA-3254 - Unwanted warning in jboss-log when running CmpRaThrowAwayTest
ECA-3257 - Exception cancelling already cancelled OCSP renewal timers
ECA-3259 - unwanted warning in jboss-log when running ProtocolOcspSignedHttpTest
ECA-3262 - Make saving global and cmp configuration safe
ECA-3263 - Allow AnyCA to be the only selected available CA in EEPs
ECA-3285 - Datasources should have validate-on-match=true in order to reconnect from failures
Master Ticket
ECA-3049 - Optimize trunk
ECA-3116 - Possibility to Export/Import all CA configurations (a.k.a "The Great Dump")
ECA-3252 - CMP log fixes for CC test plan
ECA-3261 - Master ticket for OCSP log tickets
New Feature
ECA-862 - Command for ascii/XML dump of CA installation
ECA-1866 - WS-API to get last CRL for a CA
ECA-1998 - Support for GOST R digital signature and hash algorithms
ECA-2066 - Support for JBoss 7.1 and EAP 6
ECA-2621 - cert-cvc: upgrade to work with BouncyCastle (BC) v1.47
ECA-2691 - Handle HSM timeouts - allow creation of pure keepalive services from GUI/CLI
ECA-2722 - Validation/conformance tool for certificates and OCSP responses
ECA-2780 - Integration of DSTU4145-2002 in EJBCA
ECA-2801 - Manage HSM keys from web GUI
ECA-2881 - Ukrainian translation of admin GUI
ECA-2926 - External RA GUI and SCEP deploy on JBoss 7
ECA-2930 - SCEP RA mode for blind certificate issuance
ECA-2936 - Support ECC for database integrity protection
ECA-2972 - EJBCA support for South Slavic languages - Bosnian QA process
ECA-2973 - Unified OCSP
ECA-2974 - Use ServiceLoader for Publishers and Services
ECA-2988 - Unified OCSP: In main build, merge Standalone and Integrated OCSP into a single SSB
ECA-2992 - White listing of available CryptoToken PKCS#11 slots
ECA-3092 - Make it possible to hide the menu in publicweb
ECA-3095 - HSM slot label. Resolve existent issues from ECA-3071, add support for GUI/CLI/Upgrade
ECA-3128 - Add support for slot labels to ca init command, database protection and ocsp
Task
ECA-2296 - Master Issue: Look over authorization in all session beans.
ECA-2298 - Master issue: Unify all names in EJBCA
ECA-2317 - Migrate OCSP functionality from CESeCore to EJBCA
ECA-2350 - Add support to other match values than X500Principal based
ECA-2445 - Rename all references to "Admin Groups" to "Roles"
ECA-2462 - Rename RSASignSessionBean to SignSessionBean
ECA-2464 - Change references from 'User' to EndEntity where appropriate. UserAdminSessionBean should be renamed EndEntityManagementSessionBean
ECA-2488 - Remove all internal references to UserAdminSession.changeUser
ECA-2498 - Go through build-dependencies.xml and search for and remove nonexisting files in classpaths and include tags
ECA-2499 - Improve some @BeforeClass and @AfterClass in tests
ECA-2521 - Merge changes from ECA-1978
ECA-2522 - Merge changes from ECA-2094
ECA-2523 - Merge changes from ECA-2157
ECA-2524 - Merge changes from ECA-2468
ECA-2525 - Merge changes from ECA-2504
ECA-2526 - Merge changes from ECA-2518
ECA-2531 - Remove org.ejbca.config.ExtendedKeyUsageConfiguration
ECA-2541 - Replace the contents of EjbRemoteHelper with a clever datastructure
ECA-2550 - Remove transient from PrePersist, PreUpdate and PostLoad annotation
ECA-2555 - Merge changes from ECA-2454
ECA-2556 - Make sure that EjbRemoteHelper is used instead of JndiHelper for retrieving remote interfaces
ECA-2562 - CMP: More tests for the KeyUpdate request
ECA-2581 - Eliminate the duplicate constants in SecConst and EndEntityConstants
ECA-2596 - Merge changes from ECA-2580
ECA-2597 - Merge changes from ECA-2585
ECA-2605 - Merge changes from ECA-2575
ECA-2611 - Merge changes from ECA-1979
ECA-2619 - CliAuthenticationProviderSessionBean does not follow our naming standard
ECA-2620 - Upgrade hibernate to latest version
ECA-2622 - Merge changes from ECA-2583
ECA-2630 - Reimplement OCSP HealthCheckServlet
ECA-2631 - Merge changes from ECA-2579
ECA-2635 - Merge changes from ECA-2627
ECA-2637 - Merge changes from ECA-2634
ECA-2640 - Merge changes from ECA-2633
ECA-2646 - Merge changes from ECA-2584
ECA-2651 - Merge changes from ECA-2577
ECA-2688 - AccessRulesConstants.ROLE_SUPERADMINISTRATOR should be declared deprecated and removed internally
ECA-2702 - EjbcaWebBean code cleanup
ECA-2707 - Merge changes from ECA-2625
ECA-2735 - Verify that the functionality of ECA-2069 is ok in trunk
ECA-2744 - Merge changes from ECA-2624
ECA-2748 - Merge changes from ECA-2745
ECA-2751 - Merge changes from ECA-2750
ECA-2754 - Merge changes from ECA-2753
ECA-2756 - Merge changes from ECA-2755
ECA-2767 - Merge changes from ECA-2759
ECA-2772 - Merge changes from ECA-2769
ECA-2803 - Merge changes from ECA-2746
ECA-2831 - Merge changes from ECA-2829
ECA-2850 - Merge changes from ECA-2802
ECA-2898 - Merge changes from ECA-2897
ECA-2900 - Merge changes from ECA-2890
ECA-2902 - Merge changes from ECA-2899
ECA-2925 - Upgrade to BouncyCastle 1.49b01
ECA-2959 - UniqueSernoWSTest fails due to JBoss 7 classloader
ECA-2979 - Unified OCSP: Move StandAlone OCSP files into main build
ECA-3023 - Document JBoss 7 hardening
ECA-3041 - Make sure EJBCA builds and deploy on JBoss 7.2 and EAP 6.1
ECA-3044 - Use fast Random, instead of slow SecureRandom for GUID generation
ECA-3048 - Upgrade BouncyCastle to 1.49 final
ECA-3075 - XKMS KRSS tests not working on JBoss 7 / EAP6
ECA-3084 - OCSP transaction logging and safer log4j not working
ECA-3127 - External RA not working on JBoss 7
ECA-3130 - Update Admin GUI HSM chapter with new Crypto Token GUI
ECA-3148 - Rename the files under ejbca/doc/sql-scripts/ with the appropriate name (ejbca version)
ECA-3193 - Sample custom publisher with UID=certificate serialNo in decimal
ECA-3228 - Make sure that system tests clean up after themselves
ECA-3229 - Remove unnecessary warnings during build and startup
ECA-3241 - Eliminate deprecated values from ocsp.properties as far as possible and remove them from all but upgrade code.
ECA-3291 - Access rules unclear
Technical task
ECA-3152 - Possibility to Export/Import all CryptoTokens
ECA-3153 - Possibility to Export/Import all CAs
ECA-3154 - Possibility to Export/Import all Certificate Profiles
ECA-3155 - Possibility to Export/Import all End Entity Profiles
ECA-3156 - Possibility to Export/Import all Publishers
ECA-3157 - Possibility to Export/Import all Services
ECA-3158 - Possibility to Export/Import all Roles
ECA-3159 - Possibility to Export/Import all CMP configuration
ECA-3192 - Possibility to change Subject DN in dump files from CLI
EJBCA 5.0.14
2014-04-02
Bug
ECA-3469 - Problem adding several administrators
ECA-3473 - Internal error when using default responder on standalone OCSP for X.500 issuer DN order
EJBCA 5.0.13
2014-02-20
Bug
ECA-3293 - Customer specific LDAP Publisher should use correct time in loginfo attribute
ECA-3344 - Regression: PKCS11 sun config does not work
ECA-3421 - Upgrade jar file
Improvement
ECA-3343 - Some versions of MySQL pick a bad index when mixing OR and AND
EJBCA 5.0.12
2013-11-12
Bug
Security fixes
EJBCA 5.0.11
2013-11-07
Bug
ECA-2984 - ejbcaClientToolBox.sh CMPKeyUpdateStressTest works only with one thread
ECA-3083 - SaferLog4j jar does not build correctly
ECA-3211 - End entity username should be stripped when doing end entity look-up in CMP
ECA-3217 - Nodes in cluster not database protection stable
ECA-3268 - Inconsistent use of strip() and stripIncludingXss() methods
Improvement
ECA-2951 - Clean up CSS for new pages in 5.0 and 6.0 branches
ECA-3037 - Support for multiple Vendor CA authentication certificates for CMP
ECA-3050 - Base64CertData table
ECA-3053 - Don't show password in build summary
ECA-3066 - Support ECDSA for OCSP automatic key renewal
ECA-3071 - Allow reference of PKCS#11 slots by token label
ECA-3151 - Add hostname to startup log message
ECA-3178 - Add configuration option for specifying non-allowed characters in subject DN
New Feature
ECA-2990 - Customer specific LDAP publisher
ECA-3025 - Built in profiling capabilities
ECA-3070 - Add WS keyrecovery method for specified certificate
ECA-3194 - Allow ejbca-db-cli to work on database with only AuditRecordData
EJBCA 5.0.10
2013-05-31
Bug
ECA-1872 - Batch Enrollment GUI can not use JKS as keystore
ECA-2495 - Exception in view old log
ECA-2968 - IE10 browser enrollment doesn't work
ECA-3009 - Unhelpful error message when changing permission rules for non-existing end entity profile in CLI
Improvement
ECA-1826 - Possibility to create link certificates following the certificate profile
ECA-2456 - Support other CMP signature algorithms than SHA1
ECA-2944 - Remove one dependency from SignSessionBean on bean implementation in CeSeCore
ECA-2966 - ClientToolBox batch functionality for certreq and installcert
ECA-2976 - Debug log healthcheck message
ECA-2983 - Add index on CertificateData.status to index sql script
ECA-2997 - Make the CA certificate chain download provide better suggestion for file name to browser
ECA-3005 - Backport CMP ECC improvements to 5.0
ECA-3007 - Remove service execution audit events not needed
ECA-3010 - Improve CLI support for editing certificate profiles and publishers
ECA-3017 - Add parameter to ca init cli to use explicit ECC parameters
New Feature
ECA-2241 - Support STARTTLS extension for the LDAP Publisher
ECA-2985 - Add possibility to publish cert serial to LDAP custom schema
ECA-3004 - Command Line Support to Create a SubCA signed by an External CA
ECA-3006 - Add editca CLI command
ECA-3019 - Manage Services from the CLI
EJBCA 5.0.9
2013-03-21
Bug
ECA-2915 - EJBCA DB CLI verify reports error if multiple nodes are logging
ECA-2922 - Upgrade fails because not all aspects are migrated
ECA-2929 - Revocation does not perform as expected in all circumstances
ECA-2937 - Unable to create new CA with soft CA token without auto-activation
ECA-2938 - Key renewal with soft CA token does not always persist the new keys
ECA-2950 - Unsupported SubjectAltName object from a certificate request encoded to the string "null"
ECA-2954 - lastUpdate and tryCounter columns in PublisherQueueData do not get updated in case of CRL publisher failures
Improvement
ECA-2859 - CMP end entity certificate authentication requires clear text password set for user
ECA-2882 - Do not store active certificates in queue for ValidationAuthorityPublisher that only publish revoked
ECA-2904 - Compile and run on JDK7
ECA-2913 - CMP: Need better error message when a request is not signed by the sender
ECA-2960 - ClientToolbox key generation enhancement.
New Feature
ECA-2901 - CMP vendor certificate authorization
ECA-2907 - Add cache for Publishers
EJBCA 5.0.8
2012-12-18
Bug
ECA-2376 - Republishing certificates to LDAP when multiple certificates per user are allowed fails if certificate is already present
ECA-2710 - Last certificate gets republished twice when using '-all' in cli
ECA-2781 - Searching by certificate serial number fails if certificate has same subject DN across multiple end entities
ECA-2839 - CMP certificate authentication with KeyId for End Entity profile uses wrong string
ECA-2845 - End entity presence (existing username) not checked properly during import
ECA-2878 - Setting a certificate's status to CERT_NOTIFIEDABOUTEXPIRATION (21) locks out user from admin GUI
Improvement
ECA-2655 - Do not require private key to verify audit logs with ejbca-db-cli
ECA-2708 - Can not revoke certificates that are on hold
ECA-2824 - Not possible to obfuscate log signer key password.
ECA-2846 - Make the bin/ejbca.sh ca importcertdir command output filenames in case of errors
ECA-2875 - Able to use unlimited no of arguments for clientToolBox on Windows
New Feature
ECA-2847 - Add an option to 'bin/ejbca.sh ca importcertdir' command to ignore errors
Task
ECA-2869 - Ensure EJBCA builds with ant 1.7
EJBCA 5.0.7
2012-10-31
Bug
ECA-2822 - SECURITY: Minor administrator escalation issue
EJBCA 5.0.6
2012-10-15
Bug
ECA-2695 - Creating a CA via the CLI doesn't update the ca cache.
ECA-2704 - Error in usage text for 'ejbca.sh ra listusers'
ECA-2712 - Some properties in ejbca.properties are never read
ECA-2713 - mail.contentencoding has wrong name in sample file
ECA-2715 - VA health check no longer checks if database is available
ECA-2719 - Download of certificates from Admin GUI fails in Chrome when using "strange" usernames
ECA-2721 - Hibernate generates different hash-names for foreign constraints than list in SQL scripts
ECA-2733 - Can not edit key sequence for a CA
ECA-2736 - Key Recovery does not work when CA is signed by an external CA
ECA-2738 - NPE running EJBCA containing HSM CA when no PKCS11 provider is available
ECA-2739 - Key recovery not working using some HSMs
ECA-2743 - Can not have different database dialect for EJBCA and External RA service
ECA-2758 - Re-activating suspended certificates does not work with VA-publisher
ECA-2762 - Upgrade from v4 to v5 not working for "imported CA"
ECA-2763 - User is losing privileges after upgrade from v4 to v5
ECA-2764 - Multiple certificates with different subject DN for CA
ECA-2765 - Revoke CLI can not revoke certificates for a user that is revoked
ECA-2766 - setclearpwd from CLI with non-existing user
ECA-2778 - Plus character in CA DN breaks Download of Certificates
ECA-2789 - The method for creating primary keys for access user aspects is broken
ECA-2790 - SECURITY: Fix minor privilege escalation issue
ECA-2797 - Only possible to view the newest hard token for an end entity.
ECA-2799 - Improve RFC 4387 feature documentation
ECA-2809 - Unable to use "modified" at the "Search End Entities" page.
Improvement
ECA-1696 - CertTools.getCertsFromPEM(*) should declare it returns a List as the order of certificates are important
ECA-2183 - There is code which will never be executed for external SCEP
ECA-2656 - Unable to receive certificates from external CA that has invalid algorithm id parameters
ECA-2693 - Improve error message when providing invalid signature algorithm
ECA-2700 - Rate limit health check
ECA-2776 - Disable jasper compilation in default build
New Feature
ECA-2727 - Self-registration with admin approval
ECA-2740 - Ant target for renewing application server keystore
ECA-2747 - Extended Key Usage for WiFi EAP authentication
ECA-2788 - Support CertHash extension in OCSP responder
Task
ECA-2716 - Remove unused properties
EJBCA 5.0.5
2012-06-03
Bug
ECA-2650 - A few EJB methods do not log access control
ECA-2662 - Strip whitespace from username entered in public web
ECA-2667 - AllwaysAllowLocalAuthenticationToken can be denied access
ECA-2673 - End entity profiles with AnyCA cause RA admins to not be able to add user
ECA-2674 - Editing access rules gives exception
ECA-2694 - Can not create CA with non default soft token pwd from CLI
Improvement
ECA-2382 - Performance improvements, profiling
ECA-2529 - Don't use Security Audit Log when doing healthchecks
ECA-2553 - Improve CRL generation memory requirements
ECA-2572 - Update index recommendations
ECA-2573 - Merge enforcement queries to save database round-trip
ECA-2618 - Remove authentication checks on CertConf messages
ECA-2632 - Internal resources speed optimizations
ECA-2639 - Do not use unneeded access control for internal CAInfo lookups and avoid ee profile cloning when not needed
ECA-2642 - Improve Tomcat configuration
ECA-2643 - Authorization checks do not always have to start a new transaction
ECA-2645 - Fix transaction management for background updates to CAData
ECA-2648 - Optimize away redundant query in WS getAdmin
ECA-2652 - Multiple authorization checks in a single access controls invocation.
ECA-2657 - Merge two CA access control log entries into one
ECA-2659 - Merge Admin GUI access controls and remove redundant checks
ECA-2675 - JBOSS with APR makes EJBCA deploy fail
ECA-2676 - Replace the string "/super_administrator" with the constant AccessRulesConstants.ROLE_SUPERADMINISTRATOR
New Feature
ECA-2629 - Add Japanese language file
ECA-2653 - Enforce issuerDN,serialNumber uniqueness with database query if no unique index is present
ECA-2687 - Allow CVC CAs to be created from the CLI
EJBCA 5.0.4
2012-03-08
New Feature
ECA-2590 - Possibility to only publish revoked certificates to external VA DB
ECA-2603 - "unknown is good" changed for some URLs used in the OCSP request.
ECA-2612 - Add Kerberos PKINIT-related EKU's to default configuration file
Task
ECA-2588 - Missing run.bat in ejbca db cli
ECA-2613 - Annotate @ApplicationException(rollback=true) in all exceptions thrown from log system
Improvement
ECA-2563 - CMP: clean up CMP tests
ECA-2600 - Add possibility to specify certificate profile to ca init CLI command
ECA-2602 - Do not allow creation of CAs with weak key lengths
ECA-2607 - clientToolBox OCSP only accepts 16 char hex serial numbers
ECA-2614 - ClientToolBox OCSP starts slow
Bug
ECA-2564 - CMP: Correct the CrmfKeyUpdateTest
ECA-2589 - External RA Junit test target does not work on windows
ECA-2591 - Regression: ExternalRA does not work
ECA-2594 - XSS issues
ECA-2595 - EndEntityInformation.getPrintUserData compares to EndEntityConstants.USER_SENDNOTIFICATION instead of EndEntityConstants.USER_PRINT
ECA-2601 - Prevent possible SQL injection
ECA-2604 - Importing end entity profiles with an unknown CAid in it causes error
ECA-2608 - CMP revocation requests are sensitive about DN order
ECA-2609 - Publisher logs success even if publisher returns false
ECA-2610 - Certificate Profile GUI weirdness in MSIE
EJBCA 5.0.3
2012-02-24
New Feature
ECA-2539 - CMP: Get KeyUpdateRequest working even in RA mode
Improvement
ECA-2543 - We need a way to log CMP messages from CMPProxy
Task
ECA-2536 - Modify tests in CliCommandAuthenticationTest to play with Glassfish
Bug
ECA-2261 - SenderKeyID does not need to be set in a CMP request
ECA-2527 - Wrong exception thrown in HardTokenSessionBean for some errors.
ECA-2534 - Regression: Not checking that the administrator has the role defined in the hard token issuer any more.
ECA-2535 - Security Audit Log with a single empty "msg" gives NullPointerException in Admin GUI
ECA-2538 - Creating certificates from CLI with approvals enabled does not work
ECA-2544 - Upgrading Certificate Profiles can remove Authority Information access under certain conditions
ECA-2548 - Error clicking some service buttons when no service selected
ECA-2551 - test:runone does not work on windows
ECA-2552 - CMP: Skip verifying CertificateConfirmationRequest if not required
ECA-2567 - CMP: Should use EjbRemoteHelper in CrmfRARequestTest
ECA-2574 - Minor XSS issue
EJBCA 5.0.2
2012-01-23
Bug
ECA-2118 - Regression: Bug in adding new End-Entity with fixed RFC822Name in profile
ECA-2197 - VA build fails sometimes
ECA-2206 - GlobalConfiguration needs to check authorization differently
ECA-2373 - Unsafe parsing of externalra-caservice.signature.required
ECA-2403 - Custom roles do not seem to work from Basic Mode
ECA-2413 - Deleted End Entities still show up on the list of "Previously Added End Entities" in the "Add End Entities" screen
ECA-2422 - Regression: Import of profiles fails as CA IDs are different
ECA-2423 - Use selected as template changes CAs to "any CA" for certificate profiles
ECA-2424 - Default value for cmp.tcp.logdir is /log and not ./log causing Exception at startup
ECA-2425 - Can not use CLI to create admin roles
ECA-2426 - Supervisor role does not work as expected
ECA-2427 - CLI can't set role rules for rules from CESeCore
ECA-2428 - Persistent NFE after setting admin rule with certSerialNumber=qwerty_1
ECA-2429 - Inconsistency in VA health-check properties comment and used URL
ECA-2432 - Regression: tests fail on glassfish v2
ECA-2433 - Regression: Healthcheck does not give any output if not ALLOK
ECA-2435 - Chinese characters don't work in "Edit End Entity Profiles" for DN attributes
ECA-2436 - Reading OCSP messages over http1.1 with chunked encoding can fail
ECA-2438 - Check where CAAdminSession.getCAInfo is expected to return null, but it throws
ECA-2440 - DB2 database schema test fails on CRLData
ECA-2444 - CMP Revoke Response Message is unprotected sometimes
ECA-2448 - Regression: Available languages only contains EN by default
ECA-2455 - Erroneous log output when renaming a role
ECA-2457 - Editing Access Rules doesn't log correctly
ECA-2458 - Audit logging for End Entity Profiles needs to be more detailed
ECA-2459 - Audit logging for Role Access Users needs to be more detailed
ECA-2460 - Audit logging for Role Access Rules needs to be more detailed
ECA-2472 - Failure to publish CRL does not audit log CRL_PUBLISH failure
ECA-2476 - null pointer when trying to recover lost HSM in external OCSP
ECA-2479 - Regression: admins addadmin/removeadmin command malfunctions with match_type
ECA-2480 - Regression: HARDTOKEN_REMOVE is audit logged as HARDTOKEN_ADD
ECA-2482 - Minor XSS issues
ECA-2484 - Regression: NoClassDefFound trying to run ejbca-db-cli
ECA-2502 - Token id not logged correctly when password testing fails for soft tokens
ECA-2506 - Audit log verification prints lots of errors after 1 row failed
ECA-2511 - Missing column in SQL table create scripts
ECA-2512 - NPE in WS if admin cert revoked
ECA-2516 - Not possible to view hard token in admin GUI.
ECA-2519 - SuperAdmin default role created with incorrect rule
Improvement
ECA-2384 - Move EndEntityProfile authorization from gui code to session bean
ECA-2420 - Document database and security audit integrity protection
ECA-2437 - Improve the CMP KeyUpdate stress test in ClientToolBox
ECA-2441 - Update to new EJBCA logo in public and admin webs
ECA-2446 - Log details what changed when editing services
ECA-2461 - User data source API improvements
ECA-2465 - Hard token API improvements
ECA-2469 - Audit logging for Admin Preferences needs to be more detailed
ECA-2470 - UpgradeableDataHashMap.diff does not handle String arrays
ECA-2471 - Audit log details of publisher change and don't audit log failures
ECA-2497 - Unreadable code in VerifyPKIMessage
ECA-2501 - More efficient CRL download
ECA-2508 - Audit log the security audit protection during startup
ECA-2515 - Possibility to define which symmetric encryption algorithm to use for clientToolBox HSM encrypt/decrypt
New Feature
ECA-2430 - Plugin build system
ECA-2434 - Add CMP KeyUpdate stress test in clientToolBox
ECA-2505 - Scripts for backup and restore
Task
ECA-2348 - Replace org.cesecore.util.Tuplet with AbstractMap.SimpleEntry
ECA-2352 - Move methods from ComplexAccessControlSessionBean and ComplexRoleManagementSessionBean which would rather be in CESeCore
ECA-2408 - CESeCore and EJBCA have overlapping and redundant rules for viewing logs
ECA-2415 - Move the method saveGlobalConfigurationRemote out of GlobalConfigurationSessionBean and into a test proxy
ECA-2439 - Remove unused AuthenticationToken from EndEntityProfileSession.getEndEntityProfile
ECA-2485 - ISaferAppenderListener, SaferDailyRollingFileAppender are duplicates
ECA-2490 - Authentication Logging does not conform to CC demands
ECA-2496 - Remove AuthenticationSessionBean
EJBCA 5.0.1
2011-12-02
Bug
ECA-2396 - More XSS issues
ECA-2402 - Regression: Supervisor role does not authorize the admin to view the log
ECA-2407 - CMP: Allow only NestedMessageContent when an authorized administrator is not required when sending a CMP request
ECA-2414 - CMP: When checkAdminAuthorization is set to 'false', verifying the issuer of extraCert should not be done.
ECA-2416 - CMP message handler tries to create unid req handler
Improvement
ECA-2342 - Check authorization and make methods local-only in UserAdminSession
ECA-2400 - Split xdocs in two separate sites, http://ejbca.org site and documentation site
ECA-2409 - ProfileDefault for cmp.ra.certificateprofile
New Feature
ECA-1153 - Support for Permanent Identifiers (RFC 4043)
ECA-2410 - Document EJBCA Djigzo integration
ECA-2411 - Support for authorityInformationAccess in CRLs
Task
ECA-2210 - Verify no-cache settings for CMP over HTTP
ECA-2404 - Add healthcheck doc to admin guide
EJBCA 5.0.0
2011-11-21
Bug
ECA-2035 - Document when Key Recovery checkbox can be used
ECA-2163 - Webservice warning in boot.log on JBoss 6
ECA-2201 - Mixed SSL and non-SSL cause warnings on the on-server documentation pages
ECA-2235 - External VA doesn't correctly publish CRLs from CAs with X.509 naming order
ECA-2244 - Build failure with OpenJDK if JavaScript is not available
ECA-2248 - Fix circular dependencies so that EJBCA can install
ECA-2249 - Fix all system tests so that they run in EJBCA 5.0
ECA-2251 - CertificateData.findAllOnHold is missing a query parameter
ECA-2260 - CRL file name returned from VA differs from public web, should be .crl
ECA-2271 - Bug with DN State and DN Locality attributes
ECA-2279 - Regression: Disable Command Line Interface doesn't seem to have any effect any more
ECA-2294 - Use of CMS key to sign CSV/logfile export is not logged.
ECA-2301 - Regression: Can not save access rules
ECA-2303 - NPE when trying to change a role from CLI
ECA-2310 - Regression: Can not rename Roles
ECA-2311 - Regression: Edit access rules shows wrong Role Template
ECA-2319 - Verify revocation status of internal certificates when external certificate authentication is enabled
ECA-2323 - Regression: NPE when trying to view administrators
ECA-2326 - Regression: Match type are not showing correctly
ECA-2329 - Regression: datasource.jndi-name-prefix not changed when switching to GlassFish
ECA-2331 - Regression: exception thrown if cmp.autenticationmodule is not set in cmp.properties
ECA-2339 - Audit Log GUI messages
ECA-2343 - Strange 'help' features in EJBCA CLI
ECA-2344 - Regression: admin can not access "Basic Functions" page unless access to all CAs
ECA-2349 - Regression: VA deployment fails as default config file can not be loaded
ECA-2357 - Regression: Access rule templates cannot be applied
ECA-2358 - Regression: Download audit as XML results in empty file because some properties are not included in zip or have default values
ECA-2360 - Regression: "Basic functions" cannot be browsed after adding an HSM CA
ECA-2362 - Sample value in install.properties.sample refers to pre-cesecore class names
ECA-2363 - Regression: databaseprotection.properties not included when doing a zip release
ECA-2366 - Regression: CRL not published after CRL creation
ECA-2374 - Regression: NPE when using signed external RA messages
ECA-2375 - CA expire time incorrectly shown in the CLI
ECA-2377 - Regression: can not renew a CA after upgrade from v4 to v5
ECA-2378 - Regression: upgrade CertificatePolicy of CAs after upgrade from v4 to v5
Improvement
ECA-2086 - Introduce tooltip or help-link for "Process Certificate Request" and "Sign Certificate Request" buttons in Admin GUI
ECA-2149 - Add revocation reason capability to CRL import CLI command, and add JUnit testing
ECA-2155 - UserAdminSessionBean.assertAuthorizedToEndEntityProfile() and UserAdminSessionBean.assertAuthorizedToCA () need tests.
ECA-2162 - Move some methods from CAAdminSession to CASession and use cache
ECA-2165 - Rename RaAdminSession to AdminPreferencesSession
ECA-2173 - minor optimization to PublisherSession
ECA-2177 - Constant for un-revoking not documented in extra.db.CertificateRequest
ECA-2187 - Update pt_PT translation
ECA-2203 - Make release zip 10MB smaller
ECA-2207 - Publisher Queue session should not log to logSession
ECA-2215 - Place .properties files in a jar under lib/ in the EAR
ECA-2216 - Glassfish 3 needs public access modifier for access between .jars
ECA-2217 - Dynamically loaded classes aren't found by Glassfish 3.1
ECA-2218 - Handle endorsed .jars from Glassfish 3.1
ECA-2226 - Bundle multiple ORM files with EJBCA
ECA-2234 - Make EJBCA build in production mode by default.
ECA-2246 - Upgrade system tests from Junit3.8 to Junit4
ECA-2268 - Enable database integrity protection for all internal EJBCA tables
ECA-2280 - Improve testing on CSRs
ECA-2289 - Welcome screen - workflow for CRL creation on status
ECA-2292 - Better error message when services are not running (XKMS, OCSP, CMS...)
ECA-2295 - Add to the documentation an example verify/decode of the log file export
ECA-2307 - Reduce memory consumption when using InternalResouces
ECA-2322 - Add authorization and look over token usage in PublisherSession
ECA-2333 - Support for non-DN based match values in User Aspects
ECA-2341 - CMP EECAuthenticationModule: The attached extraCert does not need to be in the database
New Feature
ECA-2180 - Renew CA from CLI
ECA-2193 - Ability to use extension override in Web Service call processCertReq
ECA-2245 - Produce an authentication provider for web based requests
ECA-2263 - Implement CLI authentication
ECA-2273 - New CLI for direct database interactions
ECA-2305 - Support for setting cardnumber from WS
ECA-2306 - Integrate new CMP features in Ejbca 5
ECA-2309 - CLI command to edit fields in publishers and certificate profiles
Task
ECA-1078 - Verify that the microsoft certificateprofile works with a windows 2008 server domain
ECA-2170 - Migrate all classes from org.cesecore to org.ejbca
ECA-2171 - Master Issue: Refactor classes from CESeCore into EJBCA
ECA-2228 - Merge Security Audit from CESeCore 1.1.0 into EJBCA
ECA-2229 - Create mock SSBs to allow for implementation of secure audit.
ECA-2230 - Move org.cesecore.authentication and org.cesecore.authorization
ECA-2232 - Restructure functional tests in EJBCA to use a deployable for remote EJB access.
ECA-2236 - Remove references to EJBCA's authentication, authorization and admin groups and replace them with CESeCore equivalents.
ECA-2238 - Remove all references of the old logger and replace it with Secure Audit
ECA-2240 - Merge Certificates from CESecore 1.1.0 to EJBCA
ECA-2247 - Fix EJBCA CLI to work with EJBCA 5.0
ECA-2250 - Admin GUI to work with EJBCA 5.0
ECA-2252 - Remove faulty EJBCA references from CESeCore code
ECA-2255 - Migrate built in Extended CA services to separate classes
ECA-2258 - Refactoring 'WITH' parameters
ECA-2262 - Move ConfigurationSessionBean into system tests JAR
ECA-2265 - Allow EjbcaConfigurationHolder to use defaultvalues.properties
ECA-2274 - Create mock session bean for AccessControl and AuditLog to be used in standalone VA mode
ECA-2281 - Removed unused Admin from UserAdminSessionBean.existsUser
ECA-2284 - Unnerf AlwaysAllowLocalAuthenticationToken
ECA-2304 - Master Issue: Merge all changes made during CESeCore 1.1.0 to 1.1.1
ECA-2308 - Make CustomCertSerialnumberWSTest run even with no index in database
ECA-2313 - Merge issues from CESECORE-108
ECA-2315 - Merge changes from CESECORE-198
ECA-2318 - Merge revision #1208 from CESECORE-266 into EJBCA
ECA-2320 - Merge changes from CESECORE-197
ECA-2324 - Merge changes from CESECORE-269 to EJBCA
EJBCA 4.0.16
2013-06-28
Bug
ECA-2495 - Exception in view old log
ECA-3059 - Database rolled back for failed CRL publishings instead of put in queue
Improvement
ECA-3050 - Base64CertData table
EJBCA 4.0.15
2013-05-10
Bug
ECA-2991 - Add the missing variable ${user.C} for e-mails
Improvement
ECA-1826 - Possibility to create link certificates following the certificate profile
ECA-2884 - Create the variable ${user.UID} for e-mails
ECA-2976 - Debug log healthcheck message
New Feature
ECA-2985 - Add possibility to publish cert serial to LDAP custom schema
EJBCA 4.0.14
2013-02-15
Bug
ECA-2897 - Wrong example of external SSL port number in web.properties
Improvement
ECA-2882 - Do not store active certificates in queue for ValidationAuthorityPublisher that only publish revoked
ECA-2890 - GUI: Better link from Public Web to Administration Web, via reverse proxy
ECA-2899 - Do not display passwords in stdout during build
New Feature
ECA-2907 - Add cache for Publishers
EJBCA 4.0.13
2012-12-19
Bug
ECA-2376 - Republishing certificates to LDAP when multiple certificates per user are allowed fails if certificate is already present
ECA-2704 - Error in usage text for 'ejbca.sh ra listusers'
ECA-2710 - Last certificate gets republished twice when using '-all' in cli
ECA-2745 - GUI: Request Browser Certificate Renewal page update
ECA-2750 - GUI: Logout links miss on some Web Public pages
ECA-2759 - Unexpected form closing, when editing Certificate Profile
ECA-2761 - Downgraded EJBCA from 5 to 4 get NULL CA Token
ECA-2778 - Plus character in CA DN breaks Download of Certificates
ECA-2786 - GUI: Remove "OCSP" text in navigation menu of Public Web
ECA-2809 - Unable to use "modified" at the "Search End Entities" page.
Improvement
ECA-2746 - Clean up message keys, and some titles
ECA-2753 - GUI: Web Public pages improvement
ECA-2755 - GUI: Administration pages improvement (adding home link)
ECA-2769 - GUI: Key Usage form improvement
ECA-2776 - Disable jasper compilation in default build
ECA-2802 - Clean up message keys, and section titles
ECA-2813 - Class RequestInstance should allow to provide a password
ECA-2823 - Backport ECA-2244, don't require javascript to build
ECA-2829 - GUI: Update Renew title in the Public Web navigation
ECA-2832 - GUI: Fix 'Fetch CA certificate' title in the Public Web page
ECA-2875 - Able to use unlimited no of arguments for clientToolBox on Windows
New Feature
ECA-2727 - Self-registration with admin approval
ECA-2740 - Ant target for renewing application server keystore
ECA-2747 - Extended Key Usage for WiFi EAP authentication
Task
ECA-2624 - Clean up message keys
EJBCA 4.0.12
2012-08-16
New Feature
ECA-2705 - OCSP key renewal at absolute times
ECA-2706 - Allow Certificate Expiration Notification Service to specify Certificate Profiles
ECA-2709 - Publisher for sampling of issued certificates
Improvement
ECA-2069 - Better log message when querying for not existing CA and default responder CA does not exist
ECA-2714 - Hide the HARDTOKEN profiles in "Certificate Expiration Checker" configuration if "Issue Hardware Tokens" hasn't been enabled
ECA-2724 - When deleting a Certificate Profile, list which end entities/end entity profiles that use it.
Bug
ECA-2077 - OCSP rekeying does not work on JBoss 6.1.0 and JBoss EAP5
ECA-2719 - Download of certificates from Admin GUI fails in Chrome when using "strange" usernames
Task
ECA-2625 - Language tool for developers and localizers
EJBCA 4.0.11
2012-06-18
New Feature
ECA-2629 - Add Japanese language file
ECA-2696 - Custom revocation date in EJBCA
Task
ECA-2579 - Help message keys refactoring
Bug
ECA-2662 - Strip whitespace from username entered in public web
ECA-2664 - Cleartext links (http) in documentation
ECA-2699 - ejbca.sh CLI exportprofiles function can't handle special characters in filename
Improvement
ECA-1979 - GUI: End-Entity (profile, add, edit) forms usability
ECA-2577 - GUI: Configuration forms improvement
ECA-2583 - GUI: LDAP Publishers form layout improvement
ECA-2584 - GUI: Improvement of in-line help in all forms
ECA-2627 - Process CA: forms layout improvement, and message keys refactoring
ECA-2633 - GUI: Improve Services form
ECA-2634 - GUI: View Certificate popup improvement
ECA-2661 - Possible to use aliases for CRL Naming in RFC4387 CRL Store
ECA-2675 - JBOSS with APR makes EJBCA deploy fail
EJBCA 4.0.10
2012-03-14
New Feature
ECA-2590 - Possibility to only publish revoked certificates to external VA DB
ECA-2603 - "unknown is good" changed for some URLs used in the OCSP request.
Bug
ECA-2564 - CMP: Correct the CrmfKeyUpdateTest
ECA-2594 - XSS issues
Improvement
ECA-2563 - CMP: clean up CMP tests
ECA-2575 - GUI: Administrator groups page headers improvement
ECA-2580 - GUI: Improve View CA table layout (rows: header, sections, footer)
ECA-2585 - GUI: Change Rename button in all Object lists
EJBCA 4.0.9
2012-02-13
Bug
ECA-2574 - Minor XSS issue
EJBCA 4.0.8
2012-02-09
New Feature
ECA-2539 - CMP: Get KeyUpdateRequest working even in RA mode
Bug
ECA-2261 - SenderKeyID does not need to be set in a CMP request
ECA-2476 - null pointer when trying to recover lost HSM in external OCSP
ECA-2482 - Minor XSS issues
ECA-2504 - Rename LIST button in Approve Actions section
ECA-2544 - Upgrading Certificate Profiles can remove Authority Information access under certain conditions
ECA-2552 - CMP: Skip verifying CertificateConfirmationRequest if not required
ECA-2567 - CMP: Should use EjbRemoteHelper in CrmfRARequestTest
Improvement
ECA-1978 - Certificate Profile form improved
ECA-2094 - Edit CA form improved
ECA-2454 - Improve all table layout (rows: header, sections, footer)
ECA-2468 - Formats and Units (GUI usability and keys refactoring)
ECA-2497 - Unreadable code in VerifyPKIMessage
ECA-2501 - More efficient CRL download
ECA-2518 - Add link to Help page for ECDSA keys
Task
ECA-2157 - Clean up CSS code
EJBCA 4.0.7
2011-12-25
New Feature
ECA-2410 - Document EJBCA Djigzo integration
ECA-2430 - Plugin build system
ECA-2434 - Add CMP KeyUpdate stress test in clientToolBox
Bug
ECA-2197 - VA build fails sometimes
ECA-2396 - More XSS issues
ECA-2429 - Inconsistency in VA health-check properties comment and used URL
ECA-2435 - Chinese characters don't work in "Edit End Entity Profiles" for DN attributes
ECA-2436 - Reading OCSP messages over http1.1 with chunked encoding can fail
ECA-2444 - CMP Revoke Response Message is unprotected sometimes
EJBCA 4.0.6
2011-11-17
New Feature
ECA-2368 - CMP, Implement message type KeyUpdateRequest
Bug
ECA-2369 - NestedMessageContentTest does not clean up the test certificates it creates
ECA-2380 - Minor XSS issue
ECA-2383 - Cannot import empty CRL via CLI
EJBCA 4.0.5
2011-11-02
New Feature
ECA-2332 - Admin GUI ServletFilter for client certificate emulation
Improvement
ECA-2325 - Add custom cert serno and extension parsing the generatenewuser WS command
Bug
ECA-2297 - NestedMessageContent implements version RFC2510 instead of RFC4210
ECA-2302 - Publishing Queue Fails on slow publishers
ECA-2338 - CMP End entity certificate authentication module does not work in client mode
ECA-2346 - Certificate issuance verification does not detect when CAs public key (in HSM) does not match CA certificate
ECA-2354 - Should not be possible to run service initialization after start
EJBCA 4.0.4
2011-10-05
New Feature
ECA-2105 - Add support for Signature protection of CMP confirm messages
ECA-2161 - EJBCA add-on build option
ECA-2194 - Add CMP Client mode using HMAC protection for user pwd
ECA-2195 - Add modular authentication facility for CMP
ECA-2196 - Add certificate authentication, by external cert, to CMP client mode
ECA-2202 - Certreq WS CLI command support for altName
ECA-2209 - Add new CMP client mode authentication methods
ECA-2242 - Add certificate authentication, by external cert, to CMP RA mode
ECA-2243 - Support multiple protection in CMP RA mode
ECA-2264 - Support for certificate extensions with raw and/or dynamic value
ECA-2267 - Support for adding/editing certificate extension data for an end entity in Admin Web
ECA-2269 - Certificate extension value from WS and WSCLI. Certificate serial number from WSCLI.
ECA-2275 - Add CMP tests in ClientToolBox
Improvement
ECA-2192 - Support other than DN in CMP recipient field
ECA-2205 - Link to French installation guide contributed by asyd
ECA-2285 - Allow getCA from CaSessionBean without requiring a transaction
Task
ECA-2253 - Add classes from cesecore to EJBCA sources to allow downgrade from 5.0 to 4.0
Bug
ECA-2145 - EJBCA is not prepared to receive signature protected CMP Confirm messages
ECA-2199 - Certreq WS CLI command ignores outputpath
ECA-2213 - Enforce unique subject DN does not work with unused fields in EE profile
ECA-2224 - Create Browser Certificate, Create Keystore pages have incorrect titles
ECA-2231 - SCEP enrollment with CA-name containing spaces fails
ECA-2235 - External VA doesn't correctly publish CRLs from CAs with X.509 naming order
ECA-2254 - Way to indicate that a certificate should not be generated and stored on a HW token
ECA-2256 - cmpHttpProxy does not build
ECA-2257 - When a certificate is revoked and this certificate is not in LDAP it is logged as an error that the cert can not be removed and a task to remove is queued.
ECA-2260 - CRL file name returned from VA differs from public web, should be .crl
ECA-2270 - MSIE enrollment fails under certain conditions
ECA-2276 - Approvals are denied because requestAdmin is not local admin token
ECA-2278 - Finding free ids checks the id incorrectly
ECA-2283 - Hard tokens are listed in wrong order in the GUI
ECA-2286 - The VA page listing URLs to CA certificates and the VA page listing URLs to CRLs is blank for some installations.
ECA-2299 - Reading CMP messages over http1.1 with chunked encoding can fail
EJBCA 3.11.5
2012-03-12
Bug
ECA-2594 - Fixed some XSS issues.
EJBCA 3.11.4
2012-02-13
Bug
ECA-2557 - Minor XSS issues: merge bugfix from ECA-2482
EJBCA 3.11.3
2011-07-08
Bug
ECA-2065 - Certificate enrollment using OS X 10.6 and Safari 5.0.3
ECA-2152 - Certificate not published to OCSP when reactivating after jboss restart.
ECA-2212 - Problem between 'ant install' and 'ant deploy' on JBoss EAP 5.1.
EJBCA 4.0.3
2011-06-01
Improvement
ECA-2188 - CMP improvements and minor bug fixes
ECA-2189 - Fetch CMP regToken Control from CertRequest as well as CertReqMsg
Bug
ECA-2101 - CMP error parsing POP signing key from BC1.46 clients
ECA-2104 - CMP protection using digital signatures is missing DERNull for RSA AlgorithmParameters
ECA-2181 - Exception deleting end entity profiles, AccessRulesData.findCountByCustomQuery does not use valuextractor
ECA-2190 - POPO verification fails for BC1.46 signed CMP messages
EJBCA 4.0.2
2011-05-22
New Feature
ECA-1405 - Support for adding PrivateKeyUsagePeriod certificate extension
ECA-1678 - Support Public Web enrollment in Chrome
ECA-2172 - Storing of a secret not allowed to be in certificate in a DB with mapping to a field in the certificate.
Improvement
ECA-1827 - Optimize unique subject DN check
ECA-1909 - End-Entity popups layout improved
ECA-1959 - Public web layout improved
ECA-1975 - View Log layout improved
ECA-1976 - Fix PMD warnings
ECA-2075 - Use ISO 8601 date format for absolute CertificateValidity, LogjDevice and in interfaces
ECA-2076 - Change label 'CRL Publishers' to 'Publishers' for CAs
ECA-2081 - Optimize EJBCA
ECA-2084 - Create combined JDK patch for SHA224WithECDSA and RSAWithMGF1
ECA-2097 - End-Entity Search form usability
ECA-2100 - Make the number of BCrypt rounds configurable
ECA-2106 - Improve CertificateProfileCache and EndEntityProfileCache
ECA-2107 - Use getResultList instead of getSingleResult for JPA queries
ECA-2110 - Improve log error message when CMP RA CA does not exist
ECA-2111 - View History popup improved
ECA-2115 - Use StringBuilder instead of StringBuffer where thread safety isn't required
ECA-2119 - Optimize DNFieldsUtil
ECA-2125 - GUI usability: History navigation in popups
Bug
ECA-2006 - Certain hexadecimal values of the Validity field on the Edit CA page are parsed incorrectly
ECA-2065 - Certificate enrollment using OS X 10.6 and Safari 5.0.3
ECA-2085 - During install asked twice to input password
ECA-2098 - Check for unique index on (certificate serialNumber, issuerDN) does not work as expected
ECA-2108 - Property for custom available access rules misspelled
ECA-2113 - CA Tokentype ignored during installation
ECA-2132 - Start and end time displaying bugged in View EE popup
ECA-2133 - DN displaying bugged in View Certificate popup
ECA-2136 - Displaying of DN attributes which contains several spaces
ECA-2137 - Fix EJBCA Web Configuration layout
ECA-2143 - External RA PKCS12 request gives NPE
ECA-2152 - Certificate not published to OCSP when reactivating after jboss restart.
ECA-2153 - Error serial number start with 0
ECA-2154 - Cert-cvc date decoding does not take timezone into consideration
ECA-2158 - Export log as CSV does not work
ECA-2166 - CertificateExpireTest does not remove the test CA
ECA-2168 - If ServicetimerSessionBean.timeoutHandler throws exception multiple timers are created
ECA-2169 - Possible too much logging when violating unique user public key and/or DN
ECA-2176 - Deploying XKMS on JBoss 6 downloads dtd from w3c
Task
ECA-2073 - Update generated documentation
ECA-2091 - Upgrade Extended CA services to include implementation classpath
ECA-2147 - Clean up HTML code
ECA-2148 - Message keys refactoring
EJBCA 3.11.2
2011-04-29
Bug
ECA-1981 - End Entity History: Administrator is not listed right (NullPointerException)
ECA-1996 - NPE in approvals page when logged in as RA Admin without End Entity Profiles access rights
ECA-2008 - Date in certificate profile decreased by one if different daylight savings time
ECA-2024 - External CAs are set to expired, and treated as normal CAs giving exceptions in log
ECA-2037 - Compilation fails on JDK 5
ECA-2092 - Not possible to revoke some certificate after upgrading from 3.4.x to 3.11.1
ECA-2102 - Some WS calls do not write the DN and issuer DN of the client making the call to the WS transaction log.
ECA-2120 - External OCSP does not deploy on JBoss 5.1
ECA-2127 - Republishing a revoked certificate to VA does not work
ECA-2131 - Republish button in Admin GUI's view certificate page will not work when CertReqHistory isn't present for the certificate.
ECA-2135 - Republish button in Admin GUI does not work for special characters
Improvement
ECA-2012 - Support named curves for Brainpool ECC in PKCS11 HSMs
ECA-2082 - Add note about potential future error in fresh installations on EJBCA 3.11.0 and 3.11.1 on MySQL.
New Feature
ECA-2009 - Add GlassFish database schema for Oracle
ECA-2013 - Support SHA224WithECDSA on PKCS11 HSMs
ECA-2014 - Support signing with SHA256WithRSAandMGF1 on PKCS11 HSMs
ECA-2018 - Possibility to disable command line interface
ECA-2021 - WS Call for retrieving CA path
ECA-2022 - Add Web Service RA standalone application
ECA-2083 - Add Import CRL to the EJBCA CLI
ECA-2093 - CA CLI: Add import certificates from a directory of PEM files
ECA-2112 - Web service operation issuing certificate from public key
ECA-2141 - ExtRA certificate request that also edit user and sets serial number
EJBCA 4.0.1
2011-03-08
Bug
ECA-2090 - Can not browser enroll with IE
EJBCA 4.0.0
2011-03-03
New Feature
ECA-200 - Serialized database object not compatible between different app servers
ECA-1286 - Additional notification template tag requestAdmin.CN
ECA-1348 - Update user's SubjectDN from EJB CLI
ECA-1516 - Possibility to revoke a certificate with the ejbca.sh tools (using the serial number)
ECA-1522 - EJBCA CLI command to list lastUpdate and nextUpdate for each CA's last CRL
ECA-1595 - Add Adobe PDF Signature extended key usage
ECA-1700 - Add customLog WS CLI command
ECA-1867 - Perform ampersand escaping for XML-based database sources
ECA-1875 - New JUnit test for parsing Glassfish's JEE standard validation
ECA-1905 - Function in public web to dump/inspect contents of certificates/CSRs
ECA-2000 - Add SPOC PKI, CSN369791, extended key usages
ECA-2013 - Support SHA224WithECDSA on PKCS11 HSMs
ECA-2014 - Support signing with SHA256WithRSAandMGF1 on PKCS11 HSMs
ECA-2021 - WS Call for retrieving CA path
ECA-2022 - Add Web Service RA standalone application
ECA-2072 - Handle database with case sensitive column names
Improvement
ECA-687 - WebService API does not work on Weblogic
ECA-735 - Additional default 'chain' link on the public CRL/CA page
ECA-852 - Improve handling of error in WS-API for unknown errors like underlying SQLExceptions.
ECA-899 - Specify min password length in Bits - regardless of method used to express them
ECA-964 - Change all "revokation" to "revocation" and "revoce" to "revoke" throughout the sourcecode
ECA-1064 - Simplify configuration depending on appserver.type
ECA-1099 - PMD Warnings
ECA-1378 - Don't display Log4jLogDevice in View log function in admin-GUI
ECA-1511 - Make EJBCA JBoss 6.0 compliant
ECA-1528 - Remove CRL number from Publisher.storeCRL method
ECA-1586 - Possible to prompt for passwords during install and don't display on screen
ECA-1601 - GeneralPurposeCustomPublisher should have parameter for deltaCRL
ECA-1623 - Refactor unit tests to comply to JUnit3 standard
ECA-1648 - Date format of the setStartTime and setEndTime WS functions
ECA-1656 - Adapt ProtocolOcspHttpTest to Windows
ECA-1667 - E-mail template: use an e-mail address from SAN or entity account
ECA-1750 - The Elimination of TestTools
ECA-1755 - Replace usage of SimpleDateFormat with commons.lang FastDateFormat
ECA-1786 - Get all tests up and running post EJB3-conversion
ECA-1833 - Log devices that use the database should be responsible for creating new transactions
ECA-1839 - Remove JNDI lookup for local interfaces and replace with proper injection wherever possible.
ECA-1840 - Move CMP TCP Service to a separate appserver independent module
ECA-1843 - Move configuration from ejb-jar.xml to Commons Config read property files
ECA-1849 - Refactor HealthCheck component to allow for injection of local interfaces.
ECA-1852 - Change Log4J property file bundled with EJBCA on non-JBoss application servers to XML format
ECA-1863 - Make org.cesecore.core.ejb.ca.store.CertificateProfileSessionBean from CertificateStoreSessionBean
ECA-1868 - Extract EndEntityProfileSession from RaAdminSession in preparation for CESeCore.
ECA-1878 - Improve speed of HttpMethodsTest
ECA-1880 - Run unit JUnit tests in parallel
ECA-1886 - Add new authorization check to internal getCA method
ECA-1888 - Move detection of referenced publishers and CAs to CertificateProfileSessionBean
ECA-1890 - AuthorizationSessionBean tosses AuthorizationDeniedException for unexceptional conditions.
ECA-1896 - Remove unused methods in CreateCRLSession
ECA-1899 - Support for RSA CAs with SHA384 and SHA512 in admin GUI
ECA-1900 - Replace Class.forName(SomeClass.class.getName()) with SomeClass.class
ECA-1929 - Convert CertificateDataUtil to abstract base class for CertificateStoreSessionBean and CertificateStoreOnlyDataSessionBean
ECA-1943 - Only merge ejbca-custom once per build
ECA-1970 - Simplify query for batch users
ECA-1989 - Mildly confusing message during default install "Generating for all FAILED."
ECA-1991 - Change references to ejb-interface_ejb3 to just ejb-interface
ECA-1993 - Migrate EJBCA from junit3 to junit4
ECA-2011 - Improve build scripts
ECA-2016 - Improvement of CA Administrators access rules
ECA-2019 - Update generated documentation
ECA-2030 - Use atomic update of LogConfigurationData.logEntryRowNumber
ECA-2033 - Use @Override on all EJB methods
ECA-2064 - Ugly exception in cli trying to set pwd for non existing user
ECA-2088 - Remove CertificateData created during test for index certificatedata_idx1
Task
ECA-1319 - Upgrade apache beanutils to > 1.8
ECA-1671 - CAInfo.setincludeInHealthCheck misspelled
ECA-1716 - Migrate from J2EE to JEE5
ECA-1717 - Drop support for JDK 1.5
ECA-1718 - Convert EJB 2.1 interfaces to their EJB 3.0 counterpart
ECA-1719 - Update EJBCA WS and XKMS
ECA-1720 - Migrate Entity Beans to JPA 1.0
ECA-1721 - Migrate all Stateless Session Beans from EJB 2.1 to EJB 3.0
ECA-1722 - Use JPA QL instead of JDBC
ECA-1723 - Remove XDoclet
ECA-1728 - Refactor Admin GUI as self contained module depending on EJB interfaces
ECA-1730 - Refactor Public Web components as self contained modules depending on EJB interfaces
ECA-1777 - Add the unit test for CMP extractUsernameComponent created in ECA-1736 to EJBCA4
ECA-1832 - Remove ProtectedLog
ECA-1851 - Remove support for OC4J
ECA-1854 - Enterprise bean class must declare all class static fields as final
ECA-1879 - Extract AdminEntity and AdminGroup handling from AuthorizationSession in order to comply with the CeSeCore spec.
ECA-1884 - Drop Jasper reports
ECA-1892 - Remove unused methods in SignSession
ECA-1894 - With caching EJBCA should recover from a database failure
ECA-1903 - Remove myfaces jars
ECA-1904 - Extract CRUD operations from CreateCrlSession into a new bean
ECA-1907 - Extract some CRUD operations for CAs from CaAdminSessionBean to new SSB
ECA-1913 - Message keys refactoring
ECA-1920 - Move configuration of initial administration CA to install.properties
ECA-1922 - Remove TableProtect mechanism
ECA-1926 - Move Log4J JBoss appenders to separate module
ECA-1927 - Upgrade commons-configuration to latest version (1.6)
ECA-1928 - Upgrade commons-lang to latest version (2.5)
ECA-1940 - Upgrade commons-logging to latest version (1.1.1)
ECA-1942 - Upgrade log4j to latest version (1.2.16)
ECA-1944 - Merge ECA-1853 and ECA-1931 to trunk
ECA-1971 - HTML/CSS compliance and code cleaning
ECA-1974 - Document current state of Test EJBCA 4 on WebLogic AS 10.3.4
ECA-1977 - Remove deprecated methods from BasePublisher and update ICustomPublisher to match.
ECA-1984 - Remove deprecated methods from CertificateProfile
ECA-1986 - Remove deprecated certtools.dnorderreverse
ECA-1987 - Document current state of EJBCA 4 on WebSphere AS 7
ECA-1992 - Remove unused env entries from CMP WAR's web.xml
ECA-2036 - Test for CVE-2010-4476
Bug
ECA-579 - Log queries for administrator data are incorrect
ECA-1151 - startTime/endTime format in end entity profile incoherence
ECA-1212 - Edit administrator groups does not work on Weblogic 9/10
ECA-1327 - Creating CA from CLI using a certificate profile not derivative of ROOTCA or SUBCA causes a NullPointerException.
ECA-1352 - The CA DN is not the CA displayed in CA certificate view
ECA-1397 - postalAddress DN component has wrong encoding
ECA-1515 - ejbca.sh ca listexpired return revoked certificates
ECA-1591 - External OCSP tests in TestPublisher fails on Postgres
ECA-1604 - Trying to create a CVCA with incomplete SubjectDN results in NullPointerException
ECA-1615 - Forgetting to define key encryption key in hard token results in NullPointerException on certificate creation with CSR
ECA-1624 - Test test06RequestCounter in UserDataTest system test apparently does not clean up after itself
ECA-1647 - ServiceTimerSession does not loop through the correct timers in case of exception
ECA-1650 - JUnit tests cannot handle EndOfLine characters on Windows
ECA-1673 - OCSP Service Locator URI fills in default value even if we want to have it empty
ECA-1686 - CertificateStoreSessionBean.findCertificatesByXX inconsistent behavior when user does not exist
ECA-1689 - Possible NullpointerException in admin GUI if ee profile is removed in database
ECA-1695 - EjbcaWS.getAvailableCertificateProfiles and getAvailableCAsInProfile throws NullPointerException if profile does not exist
ECA-1697 - Possible NPE when merging WS DN
ECA-1699 - X.500 DN order with multiple attributes (e.g. DC, OU)
ECA-1753 - externalra-gui does not work with jBoss 5.1.0.GA.
ECA-1767 - Subject DN field with only the space character leads to Exception
ECA-1799 - notSerializableException running userquerywith remote EJBs
ECA-1806 - Get timers working again in EJBCA4
ECA-1809 - Services based on EJB Timer service does not work on Weblogic Server 10.0
ECA-1829 - XKMSKISSTest fails due to improper matching of SubjectDNs
ECA-1841 - Error adding end entity with several required and non required OUs
ECA-1861 - Batch generation does not work when there are lots of new users with empty passwords in database
ECA-1864 - CATokenOfflineException is converted to CADoesntExistsException
ECA-1887 - Redeployment on Glassfish 2.1.1 does not work
ECA-1919 - EndEntityProfileSessionBean.findFreeEndEntityProfileId may fail and loop
ECA-1951 - Can't add admin groups when logged in as SuperAdmin
ECA-1956 - EJBCA doesn't handle well SCEP request with multivalue relative distinguishable name with a space in it
ECA-1973 - Certificate archiving does not work when creating CRLs using WS (4.0 dev regression only)
ECA-1980 - Unable to delete end entity profile
ECA-1981 - End Entity History: Administrator is not listed right (NullPointerException)
ECA-1982 - External OCSP responder does not work with ECC algorithm
ECA-1988 - WARs depend on classes from ejbca-ejb.jar and not only EAR bundled libs
ECA-1994 - Arrays.asList does not like an empty array of Integer
ECA-1995 - NullPointerException creating request if cachain is null
ECA-1996 - NPE in approvals page when logged in as RA Admin without End Entity Profiles access rights
ECA-1999 - SECURITY: Replace simple password hashing with BCrypt salted password hashing
ECA-2002 - CRLs must be published when they are created
ECA-2004 - The Edit CA form is submitted even when an error in the input is detected
ECA-2005 - Catch NoResultException for javax.persistence.Query.getSingleResult
ECA-2007 - Always check for null before trying to remove something with entityManager
ECA-2008 - Date in certificate profile decreased by one if different daylight savings time
ECA-2010 - Wrong menu displaying according to Admin access rules
ECA-2024 - External CAs are set to expired, and treated as normal CAs giving exceptions in log
ECA-2025 - Download of certificates via ejbca/adminweb/ca/endentitycert does not work
ECA-2028 - Build script error for WS
ECA-2031 - WebdistHttpTest use case sensitive check for HTTP header
ECA-2045 - CAActivation page requires wrong permission to view
ECA-2055 - Reactivation is no longer possible in Admin GUI when viewing certificate
ECA-2057 - CertificateData.findUsernamesByExpireTimeWithLimit's query is missing IS keyword.
ECA-2059 - Random hiccups with services
ECA-2060 - CARepublishCommand might publish CRL with wrong CRLNumber
ECA-2061 - CaRepublishCommand throws exception publishing server certificates
ECA-2062 - CRLs are not always created in a new transaction
ECA-2071 - AccessRuleData matching for CAs and EndEntityProfiles
ECA-2089 - ExternaRAServiceWorker cannot access external database in container managed transaction
EJBCA 3.11.1
2010-12-23
Improvement
ECA-1908 - Certificate popup layout improved
ECA-1952 - Add favicon to public and admin web
ECA-1958 - Add message "Integrated by"
ECA-1961 - Header, Footer, and global layout improved
ECA-1972 - CA information popup layout improved
Bug
ECA-1946 - cert-cvc 1.2.12 maven pom still has version tag 1.2.11
ECA-1948 - MySQL mapping for KeyRecoveryData.certSN is incorrect
ECA-1949 - MySQL mapping for UserData.cardNumber is inconsistent in SQL create script and mapping files.
ECA-1950 - ETSI QC value limit can not have 0 value
ECA-1953 - Sybase ServiceData.nextRunTimeStamp and runTimeStamp was inconsistent compared with other long fields
ECA-1955 - Error upgrading from EJBCA 3.6.x to 3.11.x
ECA-1962 - Editing certificate profile, session information spills over to other edits when using the "Back to certificate profiles" link
ECA-1963 - Trying to use Cardnumber in EE profile gives error about missing UNSTRUCTUREDADDRESS
ECA-1964 - Ugly NPE in log for field error during add end entity
ECA-1965 - UserDoesntFullfillEndEntityProfile is wrapped twice in LocalUserAdminSessionBean
ECA-1966 - Add end entity modifies cached end entity profiles
ECA-1985 - UnstructuredAddress dn field does not work
EJBCA 3.11.0
2010-11-29
New Feature
ECA-63 - Implement RFC4387, cert store access via http
ECA-1264 - Add extended information to edit user WS-API.
ECA-1711 - GUI application for batch-enrollment from CSR:s
ECA-1784 - Add version column to database tables
ECA-1842 - Be able to separate log files depending on CA
ECA-1844 - Function to flush caches across a cluster from admin GUI
ECA-1850 - ClientToolBox command for db management in a generic way.
ECA-1853 - External OCSP responder also a CRL Distribution point
ECA-1885 - Options to issue certificates without database storage
ECA-1893 - Supply custom certificate serial number over CMP in RA mode
ECA-1901 - Support one CMP RA secret per CA
ECA-1938 - Database mapping for Oracle on GlassFish
ECA-1859 - Add SSH extended key usages
ECA-1860 - Add MS Code Signing extended key usages
Improvement
ECA-1712 - Add End-Entity forms usability
ECA-1765 - Possibility to pin a service to specific cluster nodes
ECA-1768 - Make Ubuntu quick start guide doc
ECA-1816 - Forms layout improved
ECA-1819 - Make nextRunTimeStamp a column in database to avoid updating long column
ECA-1837 - Optimize use of ExtendedInformation to not store anything if not used
ECA-1847 - Make data types consistent across all databases
ECA-1848 - Only log CA expired warnings to server.log
ECA-1857 - End-Entity Profile form improved
ECA-1858 - Certificate Authority form improved
ECA-1862 - Optimize creation of User and Certificate objects in database
ECA-1877 - SPOC interop requires "unusual" countries which the CVC library does not permit
ECA-1895 - Set correct port in administration link in public web
ECA-1897 - Improve error message for violating unique subject DN
ECA-1912 - Add new RSA key sizes: 1536 bits, 8192 bits
ECA-1921 - Search End Entities layout improved
ECA-1935 - Use random password for autogenerated passwords in WS-API certificateRequest
ECA-1937 - New RSA 1536 Bit for Hard Token Profiles
Task
ECA-1923 - Deprecate TableProtect mechanism
ECA-1924 - Introduce new (unused) database column for future integrity protection
Bug
ECA-1841 - Error adding end entity with several required and non required OUs
ECA-1845 - Wrong reference in on line doc link for renew ca
ECA-1871 - It's possible to change the value of 'OCSP Service Locator URI' when 'Use Authority Information Access' is turned on
ECA-1914 - Import of certificate profiles referring to CVC CAs failed in CLI
ECA-1915 - TestCustomCertSerialnumberWS not compilable without JBoss
ECA-1917 - Class not found during marshalling when running tests on GlassFish
ECA-1918 - Web services tests fails on GlassFish
ECA-1930 - Error using creatcrl cli on Glassfish
ECA-1931 - NPE in OCSP at load
ECA-1934 - Standalone VA/OCSP missing jar when deploying on GlassFish
ECA-1936 - Some characters double encoded in admin GUI
ECA-1939 - XMLEncoding/decoding of ExtendedInformation complains about BigInteger
ECA-1945 - Username not displayed in popups
EJBCA 3.10.6
2010-11-26
New Feature
ECA-1264 - Add extended information to edit user WS-API.
Improvement
ECA-1877 - SPOC interop requires "unusual" countries which the CVC library does not permit
Bug
ECA-1841 - Error adding end entity with several required and non required OUs
ECA-1845 - Wrong reference in on line doc link for renew ca
ECA-1914 - Import of certificate profiles referring to CVC CAs failed in CLI
EJBCA 3.10.5
2010-09-21
New Feature
ECA-1791 - Logging the certificate SubjectDN when an admin logs in with an external cert and displaying this info in Log View
ECA-1822 - Command line to clear internal caches
Improvement
ECA-1663 - Option to specify CRL Expire Period fields etc. in months
ECA-1741 - Clean authentication session bean
ECA-1756 - Configurable cache for end entity profiles
ECA-1795 - It should be possible to run the CMP TCP Proxy as a Windows service
ECA-1797 - Page sub-titles harmonized
ECA-1800 - Name as a word, name as a DN attribute
ECA-1802 - Improve CAInfo cache to use configurable time
ECA-1805 - Configurable cache for certificate profiles
ECA-1807 - Document 'Finish User' CA config
ECA-1811 - Improve caching of global configuration and authorization data
ECA-1813 - Re-order all the Extended Key Usage
ECA-1816 - Forms layout improved
ECA-1818 - Make log configuration cache time configurable
ECA-1823 - HSM p11 key attribute test and default.
ECA-1824 - New "fixed" username generation scheme in CMP RA mode
ECA-1831 - Lower log level from info to debug for expired CA warnings
ECA-1834 - Use only fingerprint index to check for unique cert serialnumber
Task
ECA-1745 - Can not re-publish a certificate when CertReqHistory is not used
ECA-1780 - Doc update CMP over TCP not supported on Glassfish
ECA-1830 - Update german language file
Bug
ECA-1739 - Unique subjectDN serialnumber cannot be edited.
ECA-1747 - Change how an approval administrator is identified, approval does not work with external administrators
ECA-1759 - Admin GUI crashes with a stacktrace when accessed by unauthorized user cert, on JBoss 5
ECA-1779 - Error when clicking on the Administrator in "View Log"
ECA-1790 - Unable to choose event in Advanced Filter Mode in View Log
ECA-1793 - Mitigate Cross Site Scripting (XSS) in the Admin GUI
ECA-1794 - Admin GUI errors on JBoss 5
ECA-1804 - ProfileMappings update and fixes, for messages
ECA-1808 - WS CLI does not support unrevocation
ECA-1812 - Activation failure when EJBCA is started at high load
ECA-1817 - EJBCA fails to install if application server is installed in the root directory.
ECA-1820 - Certificate related events in the View Log does not display the certificate in question
ECA-1821 - NullPointerException when filling certing fields in View Log
ECA-1825 - Create CA with SerialNumber in DN regression with CLI
ECA-1836 - Use CertReqHistory should be active by default
EJBCA 3.10.4
2010-08-12
New Feature
ECA-1727 - User defined serial number using UserDataVO
ECA-1733 - Possible to configure CA to not use Certificate Request History
ECA-1735 - Add configuration to fully cache CA objects, to minimize database roundtrips
Improvement
ECA-1729 - EJBCA on Glassfish with MySQL
ECA-1734 - Add throws clause for CADoesntExistException to add/change user in user admin session bean, and optimize away one read of CA info in cert req session
ECA-1743 - Improve file log for parsing, prefix dn and quote it in log
ECA-1752 - Harmonized themes for home page
ECA-1757 - Harmonized themes for CA Activation page
ECA-1762 - Harmonized GUI for all pages
ECA-1763 - Make country DV renewals optionally take CVCA certificate from the EJBCA store
ECA-1783 - CertTools.checkValidity should not log with error when a CVC certificate has expired
Task
ECA-1725 - Make test34CaRenewCertRequest JUnit test also for ECC keys
Bug
ECA-1321 - Single-quote bug when creating CRL from Admin GUI
ECA-1710 - Certrequest session (and now CMP) requires ee profile to use 'Batch', i.e. clear pwd
ECA-1724 - Mitigate Cross Site Scripting (XSS) in the Admin GUI
ECA-1731 - EJBCA WS KeyRevocerNewest always returns 0 as approval Id in WaitingForApprovalException
ECA-1736 - extractUsernameComponent in CMP client mode broken
ECA-1737 - Error while setup admin permissions for superadmin when superadmin.cn contains a space
ECA-1738 - Nullpointer exception editing end entity profiles when printer is null
ECA-1746 - EjbcaWS does not work with external admin certificates
ECA-1761 - Error parsing certificate serialnumber
ECA-1778 - webconfiguraiton.jspf displays HTML
ECA-1785 - Error when filling the Subject Directory Attribute Fields
ECA-1789 - ocsphealthcheck does not deploy on JBoss 5
EJBCA 3.10.3
2010-06-24
Improvement
ECA-1709 - Typo in ejbca-ws-cli
Bug
ECA-1704 - Tomcat's server.xml must have URIEncoding also for port 8080
ECA-1710 - Certrequest session (and now CMP) requires ee profile to use 'Batch', i.e. clear pwd
ECA-1713 - Mitigate Cross Site Scripting (XSS) in the error page of Admin GUI
ECA-1714 - Issuer CA DN is HTML escaped when revoking through Admin GUI
ECA-1715 - Error creating DVs using ECC
EJBCA 3.10.2
2010-06-17
New Feature
ECA-1622 - CMP Proxy
ECA-1677 - Enforce unique SubjectDN Serial Number
ECA-1693 - Validate content of End Entity Fields
ECA-1705 - Support MySQL 5.1 Cluster 7
ECA-1707 - Display a search-link when trying to add a user that already exists.
Improvement
ECA-714 - Document how ROOT CA revocation works, and what to do
ECA-1655 - Restrict http methods other than get and post
ECA-1674 - Output the servers time to the first page of the Admin GUI.
ECA-1682 - Allow multiple CA policy OIDs and URLs when creating a CA from the EJB CLI
ECA-1683 - Use CertificateRequestSessionBean for CMP to make it transaction safe
ECA-1685 - Look over exception handling in UserAdminSessionBean findUser and optimize usage to existsUser where possible
ECA-1687 - LocalUserAdminSessionBean.findAllUsersByCaId method declares throws FinderException that it does not throw
ECA-1690 - Possible to define custom CN of superadmin on install
ECA-1658 - Supervision of the validity time of the signing certificates for the OCSP responder
Task
ECA-1631 - Update pre-defined windows smart card logon profiles
Bug
ECA-715 - Possible to issue certificates from a revoked CA
ECA-1266 - Upgrade may cause "use authority information access" to be enabled though it was not before in certificate profile
ECA-1639 - The CAR of a CV Certificate can hold an incorrect sequence number (which makes the CAR incorrect)
ECA-1645 - Exception in CertTools parsing CRL Distribution Point with name but no URI
ECA-1646 - class isolation does not work with JBoss AS 4.2.3 GA : unable to "ant install" successfully
ECA-1651 - Some cli commands do not work on JBoss 5
ECA-1652 - Trying to use plus sign in DN with WS-API results in double escaping
ECA-1653 - Trying to get delta CRL when none exists with cli gives ugly error message
ECA-1654 - Perform check for illegal SQL query characters from LocalUserAdminSession.query
ECA-1657 - export profiles cli gives error for CA certificate profiles
ECA-1660 - Visiting adminweb using port 442 for the first time gives NPE
ECA-1661 - Adding a CA with PKCS11 token but without HSM installed gives NPE
ECA-1662 - Password masking in "ant install" not working on Windows Server 2008
ECA-1666 - Not possible to use subject DN EMAIL field when creating certificate with CMP.
ECA-1668 - Tooltip title missing in Edit Administrator Privileges
ECA-1670 - Upgrade of existing CA should set EnforceUniqueDistinguishedName and PublicKey to false
ECA-1672 - /log_functionality/log_custom_events authorization not verified in WS API
ECA-1675 - Download CRL from Basic functions give ugly filename with space in CN
ECA-1676 - Error downloading certificate request created by X509 CA
ECA-1679 - Can not create a new certificate request from a CVC CA with no previous signing key
ECA-1680 - When superadmin.dn is modified, authentication on adminweb is impossible
ECA-1681 - MakeRequest button when SignedBy=External CA is not enabled
EJBCA 3.10.1
2010-05-03
New Feature
ECA-1542 - New WS API methods for caRenewCertRequest and caCertResponse
ECA-1622 - CMP Proxy
ECA-1630 - Support SHA384withECDSA signature algorithm
Improvement
ECA-958 - Allow DVCA renewal of keys without activating them immediately
ECA-1585 - Renew CA signed by external does not accept binary CA certificate input
ECA-1616 - cvcRequest gives unclear error message when the exact same request is passed
ECA-1618 - OCSP responder, log startup, with version, and shutdown
ECA-1627 - Support DSA keys in ejbca.sh batch.
ECA-1635 - Specify a ca certificate profile when creating a ca with CLI
Task
ECA-1346 - Write version information etc in ejbca-util.jar's manifest file
ECA-1529 - Remove the SafeNetLuna JCE CA token
ECA-1563 - EJBCA does not deploy on JBoss EAP 5.0.0.GA
Bug
ECA-1058 - Multiple DCs in CA's subjectDN break CRL generation when LDAP DN order switched off
ECA-1072 - Got exception when adding an end entity from ejbcarawscli.sh when approval is enabled
ECA-1136 - User interface does not update correctly when changing Admingroup privileges
ECA-1189 - Error saving RA Admin access rules, End Entity Rules
ECA-1197 - Mail notifications do not work for CAs about to expire.
ECA-1541 - CMP servlet does not verify input length
ECA-1587 - CLI for getting delta CRL does not work
ECA-1602 - A Root CA can not renew certificate of an External CA
ECA-1603 - Approval Notifications gives nullpointerexception
ECA-1608 - Approval notification does not include requestAdmin
ECA-1609 - A new CRL is not created when a CA is renewed.
ECA-1610 - An error is logged when publishing CRL for a CA not using delta CRL.
ECA-1614 - ERROR logged erroneous when renewing root CA
ECA-1617 - Process time in OCSP logging fails when request fails
ECA-1619 - "CA issuer URI" can not be deleted on the "Edit Certificate Profile" page if the string start or ends with space.
ECA-1620 - Listing end entities with expiring certificates generates Exception
ECA-1626 - addUser ejb method does not always throw DuplicateKeyException if user exists
ECA-1629 - Error saving RA Admin access rules, Other Rules
ECA-1633 - document boolean usepreviouskey in X509CA.signRequest better
ECA-1638 - activateca cli does not work for expired CAs
ECA-1641 - Expired CAs makes CA cert download from public web fail
ECA-1644 - ejbca.sh listcas does not work with CVCAs
EJBCA 3.10.0
2010-03-26
New Feature
ECA-1530 - Support signing NewWithOld after CA key rollover
ECA-1557 - Enforcement of Unique Public keys
ECA-1566 - External RA: Web based GUI for enrolling entities
ECA-1567 - Enforcement of Unique Distinguished Name
ECA-1589 - Support for Ingres 9.3
Task
ECA-1465 - Preparations for EJBCA 4
ECA-1466 - Build ejbca-util with a minimal number of classes
ECA-1467 - Move the ejbca-ws build to modules
ECA-1468 - Move the ejbca-xkms build to modules
ECA-1470 - Deprecate ProtectedLog
ECA-1476 - Move external RA to modules
ECA-1482 - Update JavaDoc build
ECA-1484 - Disable XKMS service by default
ECA-1531 - Restructure documentation into separate admin and user guides
ECA-1550 - Internal OCSP responder should always use the CA signing certificate to sign responses
ECA-1582 - Upgrade bouncycastle to 1.45
Improvement
ECA-668 - Possibility to change keyStorePassword in an already installed setup
ECA-892 - WS-cli should work with pkcs12 file as well in addition to jks files.
ECA-1237 - External RA: possibility to deploy to other deploy directory
ECA-1239 - Build ClientToolBox without application server present
ECA-1251 - Name returned certificates from public web after the username
ECA-1336 - Add Spanish commonly used OID's NIF/CIF
ECA-1380 - Use commons configuration for all configuration
ECA-1381 - Use JPA in ExtRA client library
ECA-1383 - Separate system and functional JUnit tests
ECA-1396 - Create new WS and bean method that creates/edits user and issues a certificate in a single transaction
ECA-1428 - More effective stress test.
ECA-1432 - Refactor and create new module for EJBCA's remote EJB CLI
ECA-1469 - Rename LogEntryDataBean comment and comment_ column to logComment for all database types
ECA-1488 - Property in mail.properties for setting SMTP port missing
ECA-1495 - Enforce dependency check for all components of the EJBCA core and improve structure
ECA-1505 - Optimize isRevoked method in CertificateStoreSessionbean
ECA-1537 - Display min and max time for stress test jobs
ECA-1575 - Get length of message from ASN1 length value.
ECA-1576 - Default certificate profile should not allow key usage override
ECA-1596 - Possibility to run SCEPTest directly against EJBCA.
ECA-1599 - EJBCA EJB CLI subcommand 'encryptpwd' should not echo password
Bug
ECA-1050 - Revoke and renew button on OCSP/XKMS/CMS extended services only revokes and does not renew
ECA-1536 - Extra test client does not compile with JBoss 5
ECA-1578 - Use of DN from CA data when searching for last CRL number.
ECA-1579 - Root CA certificate could have different subject and issuer DN.
ECA-1583 - EJBCA EJB CLI is not working with JBoss 5
ECA-1584 - PublisherQueue process service does not work in PostgreSQL
ECA-1590 - Hash of a CA certificates can not be used to get "CA" if the subject DN of the certificate is not the same as the subject DN of the CA data.
EJBCA 3.9.10
2010-03-01
Bug
ECA-1699 - X.500 DN order with multiple attributes (e.g. DC, OU)
EJBCA 3.9.9
2010-11-02
New Feature
ECA-1264 - Add extended information to edit user WS-API.
Bug
ECA-1704 - Tomcat's server.xml must have URIEncoding also for port 8080
ECA-1714 - Issuer CA DN is HTML escaped when revoking through Admin GUI
ECA-1773 - Using multiple of the same Custom OID field for OtherName in Subject Alternative Names results in double values
ECA-1841 - Error adding end entity with several required and non required OUs
EJBCA 3.9.8
2010-06-17
Improvement
ECA-1658 - Supervision of the validity time of the signing certificates for the OCSP responder
Bug
ECA-1266 - Upgrade may cause "use authority information access" to be enabled though it was not before in certificate profile
ECA-1639 - The CAR of a CV Certificate can hold an incorrect sequence number (which makes the CAR incorrect)
EJBCA 3.9.7
2010-05-03
Improvement
ECA-1616 - cvcRequest gives unclear error message when the exact same request is passed
ECA-1618 - OCSP responder, log startup, with version, and shutdown
Bug
ECA-1636 - Error creating DVs signed by external CVCAs
ECA-1643 - Possible NullpointerException in EjbcaWS.getAvailableCertificateProfiles
EJBCA 3.9.6
2010-03-30
New Feature
ECA-1542 - New WS API methods for caRenewCertRequest and caCertResponse
Improvement
ECA-958 - Allow DVCA renewal of keys without activating them immediately
ECA-1585 - Renew CA signed by external does not accept binary CA certificate input
Bug
ECA-1587 - CLI for getting delta CRL does not work
ECA-1602 - A Root CA can not renew certificate of an External CA
ECA-1603 - Approval Notifications gives nullpointerexception
ECA-1608 - Approval notification does not include requestAdmin
EJBCA 3.9.5
2010-03-05
Improvement
ECA-1523 - Display and accessibility of CA status table on home page
ECA-1538 - OCSP service closes ServletInputStream unnecessarily
ECA-1539 - When downloading a CVC certificate or request the name of the downloaded file should contain the CAR and the CHR (certificates only)
ECA-1543 - Remove hardcoded paths in CertReqServlet.java for OpenVPN installer creation
ECA-1547 - Add processtime variable to OCSP transaction logging
ECA-1574 - Possibility to prompt for password in install and ca init cli
ECA-1577 - Possibility to initialize authorization module when importing CA certificate of external CA
Bug
ECA-1479 - relative path to the catoken.properties file in conf/ejbca.properties not working
ECA-1533 - EracomCAToken (old deprecated) uses sSlotLabel before it has been set
ECA-1534 - generation of new HSM keys does not update keyStrings in BaseCAToken
ECA-1540 - When generating new keys using a hard token the new key label is generated incorrectly, if the old sequence contained non numeric characters
ECA-1544 - Compile error in jsp in some cases
ECA-1545 - External OCSP signing is failing at the period of re-keying.
ECA-1546 - The key sequence is incremented decimal when renewing a key, but it could be incremented alphanumeric
ECA-1548 - OCSP responder performance drop in 3.9.4
ECA-1549 - mTransactionID in OCSPServletBase may not be thread safe
ECA-1552 - Iaik provider not working
ECA-1554 - PKCS11HSMKeyTool fails test command using IAIK provider in some cases
ECA-1555 - Can not use . (dot) in username when editing end entity profiles
ECA-1558 - Can not view log when using cvc sequences in alphanumeric form
ECA-1560 - No default value for ca.name
ECA-1562 - ejbca-mail-service is overridden by default mailservice in JBoss 5
ECA-1572 - clientToolBox not configuring logging on windows
ECA-1573 - Characters in German language file cause JavaScript errors in adminweb
EJBCA 3.9.4
2010-01-07
Improvement
ECA-1518 - Language files encoded in UTF-8
Task
ECA-1521 - Document how to use Brainpool curves for EAC
Bug
ECA-1441 - Old CA cert published to LDAP after CA renewal.
ECA-1443 - Bogus CRL published to LDAP on some occasions.
ECA-1471 - Don't publish certificates for inactive CA services
ECA-1514 - CMP requests with DN characters requiring escaping fails
ECA-1519 - Not possible to renew soft CA ECC CA keys
ECA-1524 - Unable to renew expired CAs (regression)
ECA-1525 - SafeNetLunaCAToken (old class) does not work
ECA-1526 - SecConst.CERT_EXPIRED, should not be used, Import cert cli uses EXPIRED instead of ARCHIVED.
ECA-1527 - OCSP responder returns good for expired and archived certificates
EJBCA 3.9.3
2009-12-21
New Feature
ECA-1389 - Make it possible to add several notifications for expiring certificates.
ECA-1439 - End date for certificate profile and CA.
ECA-1480 - Possible to generate EC certificate requests with explicit parameters
ECA-1492 - Add configuration of allowed signing algorithms to certificate profiles
Task
ECA-1312 - Test browser enrollment with Windows 7
ECA-1483 - Update database schema at http://ejbca.org
Improvement
ECA-1386 - Generate new keys on HSM in Admin GUI does not support ECC
ECA-1400 - New navigation menu GUI
ECA-1401 - GUI improvement with IE fixes CSS
ECA-1417 - name CV certificates .cvcert instead of .crt when downloading from public web
ECA-1440 - Configurable error output on admin gui error page.
ECA-1449 - Rename "Download to Internet Explorer" to "Download binary/to IE"
ECA-1451 - Display EC public key in view certificate pop-up
ECA-1453 - WS command to get length of queue for an issuer.
ECA-1455 - Possibility to change DN of superadmin user created by 'ant install'
ECA-1456 - clientToolBox createCertReq should handle ECC keys as well
ECA-1493 - Possibility to use part of user data in LDAP DN but not in certificate DN when publishing certificate to LDAP
Bug
ECA-1429 - Renewing keys on a CA in admin GUI forces reload of all CAs
ECA-1436 - Export CA keystore, download issues with IE
ECA-1442 - Mail Expiration Checker cannot send mail for user SYSTEMCERT
ECA-1444 - CertificateExpirationWorker does not work with CV certificates
ECA-1445 - Java 5's XMLEncoder breaks when using Collections.EMPTY_LIST
ECA-1447 - InvalidKeyException for HSM during deploy or startup under load
ECA-1448 - When issuing certificates, sometimes it is not checked if CA is off-line, only CA token
ECA-1450 - NullpointerException making CA offline if CAToken can not be created
ECA-1454 - p11slot keeps adding numerous tokens
ECA-1457 - ECC brainpool curves do not work due to Sun certificate provider
ECA-1458 - Can not import exported ECC CVCA
ECA-1460 - Approval and finishuser settings missing from CVC CA configuration
ECA-1461 - Exception on import CA keystore
ECA-1463 - ca info cli command does not work for cvc CAs
ECA-1464 - Having a trailing '\' at the end of a field (e.g. username) gives a StringIndexOutOfBoundsException on search
ECA-1471 - Don't publish certificates for inactive services
ECA-1473 - CAFingerprint in database not set correctly for SubCAs
ECA-1475 - OutOfMemory when failing to publish large CRLs with connection closed error
ECA-1481 - Not possible to get PUK from issued card of the type "turkish profile" with WS
ECA-1485 - Remove StdErr logging when editing approvals in certificate profiles
ECA-1496 - End Entity Profile check fails for CMP requests with E in subject DN
ECA-1502 - Remove ocsp from bin/ejbca.sh
ECA-1504 - clientToolBox.bat does not work with space in path
ECA-1509 - cert-cvc: ECPoint can be wrongly encoded in 1 out of 2^16 keys
ECA-1517 - Notification status interferes with "Search/edit end entities"
EJBCA 3.9.2
2009-10-21
New Feature
ECA-1377 - Sign and verify of files with clientToolBox when the private key is stored on a HSM.
ECA-1390 - Possible to limit signing keys for an external OCSP responder to keys within a set of key aliases.
ECA-1412 - Add support for the TSL signer extended key usage
Improvement
ECA-1360 - use improved validity period parsing in Certificate Profiles
ECA-1364 - Deleting certificate profiles in large database slow, new index
ECA-1366 - Improve debug logging in ProtectedLog
ECA-1369 - Add command to cli to sign specified nodeGUID
ECA-1384 - Property in mail.properties for sending start TLS
ECA-1385 - PKCS11HSMKeyTool test does not work with ECC keys
ECA-1426 - Rename keystore password to authentication code in admin GUI to make it consistent.
ECA-1427 - remove ocsp client
ECA-1433 - Add option to use publisher queue or not for CRLs and certificates
Task
ECA-1359 - Upgrade commons-upload jar.
ECA-1399 - Add debug logging of keys and signature when testing CA token keys
ECA-1425 - Document MS application policies extension
Bug
ECA-1361 - Wrong default value listed for "build.compiler" property in "ejbca.properties.sample"
ECA-1363 - CA de-activation can give NPE if CA in some conditions
ECA-1368 - Setting nodeIP in protectedlog.properties does not work
ECA-1371 - Revocation is very slow if a user has many certificates. Remove side-effect of revoking user from revokeCert method.
ECA-1373 - ejbca.sh log accept or log does not increase the counter
ECA-1379 - ejbcaClientToolBox.bat only accepts 9 parameters
ECA-1392 - Fix potential NPE with extendedInformation
ECA-1393 - Handle database exceptions properly for CMP
ECA-1394 - Error adding end entity does not log username
ECA-1395 - Error using IAIK provider with several CAs
ECA-1403 - cert-cvc: bad encoding of EC points in certificates in rare cases where affineX and affineY is not same size.
ECA-1404 - ClientToolBox PKCS11 key test gives NullPointerException if there are symmetric keys in the slot
ECA-1406 - Autoactivation PIN is shown in clear in debug log file
ECA-1410 - Ldap publisher may "hang" if LDAP server hangs during operations
ECA-1414 - FNR from UNID not working
ECA-1415 - Strange errors when reading keys in external OCSP responder
ECA-1416 - FNR lookup stress test
ECA-1419 - CRL service may stop running if database is stopped for some period
ECA-1420 - Check of ProbeableErrorHandler for OCSP audit/transaction log always return false
ECA-1421 - AdminCA1 does not get a CMS certificate during installation
ECA-1423 - cert-cvc: getting expiration date returns 00.00 hours but it means it's valid the whole day
ECA-1430 - Publish CRLs may fail to keep in publisher queue if publish fails
ECA-1431 - ejbcaClientToolBox.bat does not work
ECA-1434 - cert-cvc: OIDField.getEncoded() works only for values < 128
ECA-1437 - Issuing Distribution Point on CRLs is default in CA configuration
EJBCA 3.9.1
2009-08-16
New Feature
ECA-1275 - Corporate User Requests User Cert
ECA-1276 - Non-corporate User Requests Cert
ECA-1277 - User (corporate or non corporate user) Requests Certificate Renewal
ECA-1287 - Configurable List of extKeyUsage OIDs in certificate profiles
ECA-1299 - Transaction log for web service certificate issuance
ECA-1309 - Ability to specify approvals on certificate profiles
ECA-1334 - Run single JUnit test from CLI
ECA-1337 - Removal of SoftCA key and possibility to import it back again
ECA-1344 - Fixed absolute date for latest certificate expire
ECA-1347 - Ability to set max-age and next update values on a per certificate profile basis.
Task
ECA-1354 - ExtRA: update BC jars to match version in EJBCA 3.9.1
Improvement
ECA-967 - Add CVC WS CLI to client toolbox
ECA-1073 - Possible to schedule CRLs more often than hourly
ECA-1180 - Be able to specify Any CA in end entity profiles
ECA-1270 - create support for clover coverage testing
ECA-1298 - Dynamic update of max-age and nextUpdate for OCSP responders
ECA-1302 - Optimize republishing performance to use less queries during publish
ECA-1307 - do not create new P11 provider when reloading
ECA-1308 - Display the key instead of "not text available" for missing language strings
ECA-1310 - View end entity profile id in edit window
ECA-1315 - Allow null debug object to disable debugging in RequestHelper
ECA-1320 - Options which CA to generate CRLs for in CRL update service
ECA-1324 - Bad error message in adduser cli when type is not a number
ECA-1331 - Improve error message in GUI when HSM activation fails
ECA-1335 - Support for CRL distribution points with URI:s containing semicolon
ECA-1338 - Remove passwords from properties files
ECA-1341 - Change publishing message to say that it is "queued" instead of "published"
ECA-1342 - Improved error message when trying to create CA with incompatible key/signing algorithm
ECA-1343 - CA certificate validity in years
ECA-1345 - More user-friendly error messages instead of only stacktrace, for instance when DB connection is down
Bug
ECA-1295 - Error making advanced log search for CA on DB2
ECA-1300 - Nullpointer exception editing end entity profiles when printer has no name
ECA-1303 - Runtime exception when uploading a certificate response and no certificate chain exists
ECA-1304 - ca listexpired cli command prints certificate serial number in decimal instead of hex
ECA-1305 - Searching for end entities by certificate serial no does not find all if DN changed
ECA-1306 - external OCSP responder health check not checking keys.
ECA-1313 - Error creating CRL publisher on DB2
ECA-1314 - Key could be used at same time as the rekeying is generating new cert.
ECA-1322 - Mixing EJBs and PreparedStatement gives NullpointerException in Glassfish
ECA-1323 - Import of entity profiles removes certificate profile links from the profile
ECA-1325 - Log Configuration : message keys missing
ECA-1340 - ejbca.cmd requires additional libraries in classpath
ECA-1355 - Revoke user does not work if a certificate is already revoked
ECA-1356 - JPA entity CertificateData does not set certificateProfileId when adding new certificate
ECA-1357 - create CA with initial deltaCRL does not work on glassfish
ECA-1358 - getCertSignatureAlgorithmAsString does not work for SHA256WithECDSA on java 5
EJBCA 3.9.0
2009-06-05
New Feature
ECA-648 - Add a configurable revocation status to end entity profiles
ECA-877 - Patch level showing
ECA-987 - Add cli command for processing certificate requests in ejbca.sh
ECA-1054 - User Certificate Validity Start/End Time as a editUser Web Service parameter
ECA-1076 - CMP stress test
ECA-1093 - Support for static custom enroll forms
ECA-1100 - CAs using DSA algorithm
ECA-1172 - Validity override in certificate profiles should be able to override startdate to set earlier start than "now"
ECA-1188 - Permit to install on JBOSS with Tomcat Native Connector
ECA-1202 - Implement extension override for PKCS#10 requests
ECA-1203 - Allow DN override from requests
ECA-1207 - Option in OCSP publisher to only use queue and not publish directly
ECA-1213 - Display length of publisher queue in external OCSP GUI
ECA-1218 - Stand-alone monitoring tool for comparing CA and OCSP databases
ECA-1219 - Add CA status overview portal on first page of admin GUI
ECA-1220 - Show certificate profile id in admin GUI
ECA-1222 - Show CA id in Admin GUI
ECA-1242 - Configurable to show CA status on front page
ECA-1263 - Add new WS stress-test to test behaviour when there are many certificates per user
Improvement
ECA-550 - Bad error message when receiving PEM files from external CA
ECA-603 - Add a property to specify the module to use when using nCipher HSM
ECA-857 - Improve error message "Error occured when receiving file, are you sure it is valid and in PEM encoding."
ECA-878 - Start up welcome page(s) admin and normal one
ECA-965 - Hide CRL-related fields when creating a CVC CA
ECA-988 - Document database privileges
ECA-1003 - EJBCA CLI requires APPSRV_HOME
ECA-1008 - A CA could be activated with any password (PIN) after it has been deactivated
ECA-1011 - Output time of successful ant commands often used in development
ECA-1041 - Errormessage "User xxxx has status '40', NEW, FAILED or INPROCESS required" could be improved
ECA-1067 - JavaScript "Enabled" test
ECA-1074 - Add Name DN attribute to supported attributes
ECA-1094 - CN for httpsserver.dn property can be inherited from httpsserver.hostname
ECA-1101 - ExtRA: Make RA CA service as an EJBCA service and make clusterable and support multiple RAs
ECA-1129 - use same functionality in the OCSP responder as in the CA to handle P11 HSMs
ECA-1131 - Filter what is published to CertificateData on standalone OCSP
ECA-1139 - Use Commons Configuration for OCSP config
ECA-1163 - Save/cancel certificate profiles should bring you back to profiles list
ECA-1165 - required and modifiable checkboxes for username in entity profiles not needed
ECA-1166 - Rename mozilla/netscape to firefox
ECA-1167 - activatecas cli command should be able to prompt for activation code
ECA-1168 - Don't display the password user types in import CA command.
ECA-1170 - Display signature algorithm with providers text in view certificate
ECA-1175 - Improve default DB2 CMP mapping
ECA-1176 - Add cvcwscli.cmd for windows
ECA-1178 - Add issuerDN to edit CA page
ECA-1179 - Possible to specify multiple parameters in cmp.ra.namegenerationparameters
ECA-1180 - Be able to specify Any CA in end entity profiles
ECA-1196 - Change ERROR to INFO message for mail notifications
ECA-1198 - Implement robust re-publishing if publishing fails
ECA-1199 - Don't log error for misconfigured service that is not active
ECA-1200 - GUI for the External OCSP Publisher
ECA-1208 - Log4jLogDevice logs INFO exceptions as ERROR
ECA-1209 - Upgrade certificateProfileId to new server profile during 'ant upgrade' to avoid problems on SSL certificate renewal.
ECA-1215 - Don't set start and end time for end entity if not entered
ECA-1221 - Ugly error message in LDAP publisher if no certificate to remove exists
ECA-1231 - Optimize performance of getCertificateInfo
ECA-1233 - Prevent accidental runs of JUnit tests and deploy/ocsp-deploy in production environment
ECA-1235 - No point in swapping identical times
ECA-1240 - Remove error log for cases where CVC sequence is not numerical, we handle it gracefully.
ECA-1249 - ClientToolBox PKCS11 operations echoes the password back to the user
ECA-1255 - AdminGroupData etc should be marked as read-only for get methods
ECA-1256 - Optimize authorization to lower number of SQL queries for AuthorizationTreeUpdateData
ECA-1259 - Rename List button to Search
ECA-1260 - Rename "Create Server Certificate" to "Create Certificate from CSR"
ECA-1261 - improve behaviour of External CAs
ECA-1265 - Error messages that we handle when editing users should be info
ECA-1267 - Inherit getCATokenStatus() from BaseCAToken on SafeNetLunaCAToken
ECA-1269 - Improve performance by caching common database queries
ECA-1271 - ca init cli commands should be able to create sub CAs
ECA-1290 - Don't log error creating CRLs when a CA is offline
ECA-1291 - CRL service should not try to create CRLs for external CAs
Task
ECA-1116 - Avoid usage of class strings
ECA-1173 - Drop upgrade support for EJBCA 3.1.x
ECA-1195 - Upgrade to BC 1.43
ECA-1205 - Create new tag-field for CertificateData to be able to distinguish between different certificate types in database queries
ECA-1214 - Ask for algorithm before key size in installation script
ECA-1247 - Add KCA-EJBCA migration guide to docs
ECA-1297 - Warnings about incorrect JSF navigation rules during startup
Bug
ECA-632 - Path length constraints not selectable in cert profile
ECA-922 - DBCHANGE: Particular Log query with ProtectedLog fails on Derby
ECA-1077 - Not possible to get algorithm name from OID for CMP with latest BC
ECA-1085 - Email notifications may not treat foreign characters correct
ECA-1109 - Rare threading issues in OCSP certificate cache
ECA-1110 - XKMS only works with JDK 1.5
ECA-1122 - Cancel button on Edit Certificate Profiles page doesn't work.
ECA-1135 - Do not issue CRLs for expired CAs
ECA-1137 - Serialnumbers starting with 0 do not behave properly
ECA-1138 - nCipherHSM script with preload is broken
ECA-1142 - First delta CRL is not issued when a CA is created
ECA-1147 - NullpointerException in ProtectedLog
ECA-1156 - OCSP ClientToolBox test failing when CA key is signing the OCSP response.
ECA-1157 - NullPointerException when invoking createcrl CLI with bad CA name
ECA-1160 - When a fast HSM is used then OCSP responder is not as fast as it should be.
ECA-1162 - external OCSP responder freezing after HSM failure.
ECA-1164 - Hex serial number for admin certificates in admin groups should not be limited to only 16 char hex strings
ECA-1169 - Error verifying JCE using pkcs12req WS cli
ECA-1171 - Possible to change OCSP signing keys in a running external OCSP responder.
ECA-1174 - Can not batch generate users using SHA256WithRSAAndMGF1
ECA-1186 - Batch generation set user status to generated even if request counter exists
ECA-1187 - no such provider BC when EJBCA starts when protected log is enabled
ECA-1191 - Unable to deploy on PostgreSQL + Glassfish combination
ECA-1193 - cli.xml ejbca:noprompt missing ca.signaturealgorithm property
ECA-1194 - "ejbca.sh ca info" fails for ECDSA CA
ECA-1201 - Incorrect display of HTML escaped characters on Access Rules comboboxes
ECA-1216 - Add userPassword in LDAP should only happen if addNonExisting or modifyExisting is checked
ECA-1217 - Possible extensive CPU usage for crafted messages to CMP RA service (not default config)
ECA-1223 - NullpointerException in CMP when unknown keyId is sent
ECA-1224 - CertTools.getCertfromByteArray never throws CertificateException as the JavaDoc says but can return null
ECA-1225 - Freshest CRL extension (aka Delta CRL Distribution Point) on a CRL must not be critical
ECA-1227 - AccessRules link for admin privileges does not work on weblogic or oracle
ECA-1229 - Internalresources may fail in rare conditions
ECA-1234 - Error message is shown when editing end entity profiles when no printers are defined
ECA-1245 - CRL reason entry extensions in CMP revocation requests are not read
ECA-1246 - Deadlock when load testing CMP with same user
ECA-1248 - Cannot unselect last Custom Certificate Extension in Certificate Profile
ECA-1254 - ProtectedLog reloading CA token unnecessarily
ECA-1257 - Importing wrong certificate using PKCS11 will make the key unavailable on nCipher netHSM
ECA-1258 - cursor:hand style on links should be cursor:pointer
ECA-1266 - Upgrade may cause "use authority information access" to be enabled though it was not before in certificate profile
ECA-1268 - Missing Exception handling for super.deactivate() calls on SafeNetLunaCAToken
ECA-1272 - Authorization issue during stress test
ECA-1273 - Services will stop running if database goes down
ECA-1293 - ProtectedLog on idling system warns about missing log rows if protectionIntensity > 0
ECA-1294 - Issuing certificate with + sign does not work in cmp requests
ECA-1295 - Error making advanced log search for CA on DB2
ECA-1296 - Fetching cert or keystore from Public Web generates an error when cert-profile is the default in UserData
EJBCA 3.8.3
2009-06-04
Improvement
ECA-1221 - Ugly error message in LDAP publisher if no certificate to remove exists
Bug
ECA-1191 - Unable to deploy on PostgreSQL + Glassfish combination
ECA-1217 - Possible extensive CPU usage for crafted messages to CMP RA service (not default config)
EJBCA 3.8.2
2009-03-27
New Feature
ECA-552 - Add support for nextUpdate, thisUpdate and producedAt in OCSP responses
ECA-1124 - Configurable to use HTTP headers for standalone OCSP
ECA-1053 - Pseudonym as a subject DN attribute
ECA-1133 - Configurable in ExternalOCSPPublisher to only publish certificates with an OCSP URI extension.
Improvement
ECA-1123 - Create dummy object for TransactionLogger and AuditLogger
ECA-1088 - Default public exponent for lunaHSM.sh should be 65537 (0x1001)
ECA-1055 - Support OCSP by HTTP GET
ECA-1117 - Use info instead of error messages in Standalone OCSP Responder.
ECA-1144 - Add "userPassword" attribute in LDAP publisher
ECA-1114 - Add street DN component
ECA-1096 - Improve handling of invalid requests and streams in OCSP responder
ECA-1146 - Stress Test does not print out no of failed tests
ECA-748 - Order certificates in view certificates with newest first
ECA-1121 - Unnecessary signing operations
Bug
ECA-1158 - CA-certificate, but no signing key from a CA on the external OCSP generates an Exception
ECA-1141 - CRL Distribution Point in CRLs must be encapsulated into an Issuing Distribution Point
ECA-1092 - Code not thread-safe in certificate-request Servlet
ECA-1154 - Concurrency issue when reloading soft keys for external OCSP responder
ECA-1113 - JCE error on JBoss 5 on some platforms
ECA-1148 - ServiceData cached in bean making synchronization between cluster nodes fail.
ECA-1090 - Wrong encoding of issuer DN on retrieval public web pages
ECA-1150 - Wrong language tag for "Certificate Validity End Time" in viewendentity.jsp
ECA-1095 - Allow comma in directoryName subject alt names
ECA-1145 - CvcRequestMessage not serializable
ECA-1143 - Freshest CRL is lost when creating a new CA
EJBCA 3.8.1
2009-01-29
Improvement
ECA-966 - NPE when using a non-existing ECC algorithm during CVC CA creation
ECA-983 - Allow logging of REPLY_TIME in both audit and transaction logs
ECA-1006 - Database index script fails for MySQL using UTF-8
ECA-1057 - Run EJBCA in JBoss 5.0
ECA-1059 - Fix ipv6 altname ipaddress and allow it in admin-GUI
ECA-1060 - Throw CertificateExpiredException when certificate used to verify cvc request has expired
ECA-1070 - Windows .BAT file for using clientToolBox
ECA-1080 - Option to set internally used password in CMP
ECA-1081 - Improve support for Weblogic 10.3
ECA-1086 - Allow to set null password in WS cli editUser call
ECA-1087 - Increase timeout for CRL generation transaction on JBoss and document how it could be done
Bug
ECA-984 - ejbca.cmd does not work with spaces in JBoss path
ECA-1039 - CVC certificate requests with error leaves user status as new
ECA-1040 - cvcgetchain does not return latest cert
ECA-1056 - REQUIREDCARDNUMBER language string missing
ECA-1061 - Wrong header displayed for different groups of access rules
ECA-1062 - Verifying OCSP requests can throw InvalidKeyException which is not caught
ECA-1063 - Not working on Glassfish
ECA-1068 - CMP tcp service does not work on JBoss 5
ECA-1069 - Wrong errormessage in checkValidity when endDate is wrong
ECA-1071 - OCSP responder does not handle TelephoneNumber, PostalAddress and PostalCode in DN
ECA-1079 - KeyId decoding in CMP uses platform charset
ECA-1084 - External RA: SCEP enrollment from Cisco IOS gets wrong DN
EJBCA 3.8.0
2008-12-15
New Feature
ECA-904 - Add a CLI subcommand to add an administrator in an admin group using the serial number
ECA-935 - Restructure administrator validation to allow admins using externally issued certificates
ECA-953 - List objects in Luna HSM partition
ECA-969 - Possible to generate CA PKCS#10 request without giving CA certificate
ECA-993 - Add KRB5PrincipalName subjectAltName
ECA-1000 - Sign releases and deployed code
ECA-1007 - Enhanced basic certificate extensions
ECA-1033 - Possible to enroll for CV certificates on public web
ECA-1051 - Possibility to give a user defined DN to a new certificate request for an HSM
Improvement
ECA-917 - Allow to use inverse LDAP order in DN for end entities
ECA-918 - Handle web service error code when CA is down
ECA-936 - Drop administrator flag in end entities
ECA-937 - Allow use of emailAddress in Admin interface
ECA-963 - Ability to distinguish between non-existing CA and authorization problems through WS
ECA-990 - Allow auto-activation of CAs despite not having strong crypto policy installed
ECA-1001 - tool to change key alias
ECA-1012 - Option to enter email manually for import cert cli command
ECA-1014 - Display ejbca version in startup log message
ECA-1016 - Make error messages from CertReqServlet localizeable
ECA-1034 - Use TRACE logging for certain debug log
ECA-1038 - Use Commons Configuration for CMP service
ECA-1043 - Upload of binary certificate requests in public web enrol
ECA-1045 - Add support for SEIS Card Number extension in certificates
ECA-1049 - CMP raVerified can sometimes be zero bytes DEROctetString instead of DERNull
Task
ECA-971 - ExtRA: upgrade to commons-lang 2.4 and commons-collections 3.2
ECA-1013 - Upgrade BC to 1.41
Bug
ECA-664 - Adding Administrator Access rule; username with not-allowed character is possible
ECA-782 - Listing user certificates from the public web fails if the serial number of the cert begins with "0"
ECA-882 - Add Administrator - cert serial number not checked
ECA-968 - Key length changes when editing CA in admin-GUI
ECA-970 - LdapPublisher searches for old objects on certDN instead of Ldap DN
ECA-972 - Merge on DN - Problems with rfc822name and email
ECA-992 - Cannot add "OtherName" SubjectAltName in end entity profile
ECA-996 - Merge of DN doesn't work properly
ECA-1046 - view certificate on Public web gives error for CVC certificates
ECA-1048 - Can not install with initial CA with space in name
EJBCA 3.7.5
2009-01-19
New Feature
ECA-1035 - Add Brazilian Portuguese Translation
Improvement
ECA-983 - Allow logging of REPLY_TIME in both audit and transaction logs
ECA-1031 - Get server certificate in public web should not show password
ECA-1032 - Add cli command to convert cvc certificates between binary and pem
ECA-1036 - Hide keytool-errors during install.
ECA-1060 - Throw CertificateExpiredException when certificate used to verify cvc request has expired
Bug
ECA-244 - Problem during installation with schema: DC=bigcorp,DC=com
ECA-1037 - CLI for fetching user certificate fails
ECA-1039 - CVC certificate requests with error leaves user status as new
ECA-1040 - cvcgetchain does not return latest cert
ECA-1042 - LdapPublisher does not work with CVC certificates
ECA-1044 - Nullpointer in BasicFunctions when admin not authorized to CA
ECA-1046 - view certificate on Public web gives error for CVC certificates
ECA-1065 - Password needed to update CVC certificate with WS-API
ECA-1069 - Wrong errormessage in checkValidity when endDate is wrong
EJBCA 3.7.4
2008-11-18
New Feature
ECA-1024 - Substitute email from- and to- as well in user notifications
Improvement
ECA-1021 - Fix the default ENDUSER Certificate Profile
ECA-1026 - Create a built-in Server certificate profile
Bug
ECA-1023 - External RA SCEP service fails on cisco message with wrongly encoded request extension
ECA-1025 - Missing ErrorCode class in ejbca-util.jar
ECA-1027 - OCSP should not respond with responseBytes when an error code is sent
ECA-1029 - OCSP responder should answer with OCSP error MalformedRequest when a badly encoded request is received
EJBCA 3.7.3
2008-11-07
New Feature
ECA-1022 - Glassfish support for PostgreSQL
Improvement
ECA-1020 - External RA, clarify documentation about signing and encrypting using Scep RA
ECA-1021 - Fix the default ENDUSER Certificate Profile (broken patch, EJBCA 3.7.3 withdrawn)
Bug
ECA-1017 - Build on Glassfish broken
ECA-1018 - Missing language string in intresources
EJBCA 3.7.2
2008-10-31
New Feature
ECA-974 - Add Intel AMT extended key usage
ECA-1005 - Give OCSP error if audit or transaction logging fails
Improvement
ECA-950 - Optimize OCSP servlet
ECA-973 - external OCSP responder: trying to reload the p11 provider when the HSM removed/disconnected.
ECA-976 - WS-API, make mathtype contains with with matchwith username
ECA-982 - Explicitly close maintenance file in health check
ECA-989 - add cmd=deltacrl command on CertDistServlet (with patch)
Bug
ECA-957 - ocspclient.jar cannot handle answers with responderID of type Name.
ECA-959 - Public web can give NPE in rare conditions
ECA-960 - reference to "bin/ejbca.sh ca processreq" in manual
ECA-968 - Key length changes when editing CA in admin-GUI
ECA-970 - LdapPublisher searches for old objects on certDN instead of Ldap DN
ECA-975 - CA certificates with SerialNumber in DN does not work with External OCSP
ECA-977 - Error editing RenewCAWorker if CA has been removed
ECA-978 - NullPointerException using WS-API to revoke non-existing certificate
ECA-979 - The transactionlogger and auditlogger set incorrect CERT_STATUS and STATUS
ECA-985 - Wrong default value for OCSP healthcheck database query
ECA-986 - Can't run ejbca.sh from $EJBCA_HOME/bin
ECA-995 - getAuthorityInformationAccessOcspUrl in CertTools fails to retrieve OCSP Locator url from AIA for cert with multiple AIA points
ECA-997 - Error publishing deltaCRL to LDAP
ECA-999 - CRLIssuer can not be removed in CDP
ECA-1009 - Validity of certificates in signed OCSP requests not checked for expiration
EJBCA 3.7.1
2008-09-16
New Feature
ECA-896 - CVC support for EC keys
ECA-925 - Import of external CA certificates
ECA-940 - possibility to use an EC key stored on a HSM
Improvement
ECA-748 - Order certificates in view certificates with newest first
ECA-927 - CVC requests should not include CARef if null
ECA-928 - cvcprint cli command should handle verification of authenticated requests
ECA-934 - Possible to authenticate CVC request by outer CA signature
ECA-941 - Possible to download CA certrequests and certs as binary
ECA-942 - possible to receive certificate requests and certs in binary format
ECA-946 - Not possible to create CVC link certificates with soft CA tokens
ECA-947 - Making certificate request from a CA should ask for CA cert of target CA
ECA-948 - cvcrequest cli command should not automatically add end entities
ECA-951 - Possible to set sequence of catoken manually
Bug
ECA-926 - CVC requests can be assigned to wrong CA when sequence is same
ECA-930 - cert-cvc: authenticated requests does not include CARef in TBS
ECA-931 - getrootcert cli command does not work for CVC certificates
ECA-932 - CVC requests from SubCAs does not have the target CA as CARef
ECA-939 - Upgrade 3.6 to 3.7 causes error when autogenerated passwords are used
ECA-943 - NullPointer when clicking Sign Certificate Request
ECA-944 - Import soft CVCA does not set sequence
ECA-945 - Not possible to delete admin entities with ' in name
ECA-949 - Make certificate request button should not be available for external CAs
ECA-956 - NullPointerException in LdapPublisher when base node does not exist
EJBCA 3.7.0
2008-08-28
New Feature
ECA-792 - Support for CV Certificates (CVC) for EU EAC ePassports
ECA-811 - Possible to create certificate request from any CA
ECA-825 - WS-API call to get users last cert and chain
ECA-827 - Service to renew CAs
ECA-830 - Possible to use IAIK PKCS#11 provider instead of Sun
ECA-920 - Client tool box.
Improvement
ECA-819 - New WS-API call to get EJBCA version
ECA-871 - Enhance error management in EJBCA web services.
ECA-893 - Able to use TelephoneNumber and PostalAddress in DN and publish to LDAP attributes
ECA-915 - Display hostname on admin-GUI
ECA-923 - Use of EEP informations when using WS editUser.
ECA-929 - Handle error code if certificate revocation has been invoked twice.
Bug
ECA-813 - Upgraded profiles not saved until edited
ECA-829 - Advanced mode for log viewer is not working
ECA-832 - syscheck script sc_08_crl_from_web.sh shell problem
ECA-839 - Problem activating CA tokens for expired CAs
ECA-879 - Failure to create a new CA due to CRL creation failure
ECA-921 - EjbcaHealthCheck does not work on OC4J
ECA-924 - Language variable misspelled (name="UTF8")
EJBCA 3.6.4
2009-02-13
Bug
ECA-921 - EjbcaHealthCheck does not work on OC4J
EJBCA 3.6.3
2008-10-06
Bug
ECA-952 - Entity Profile : the text "Use entity e-mail field" is not localizable
ECA-954 - TestProtectedLog fails if ProtectedLogDevice is not enabled in configuration
ECA-955 - PKCS11 support problem on OCSP responder
ECA-957 - ocspclient.jar cannot handle answers with responderID of type Name.
ECA-968 - Key length changes when editing CA in admin-GUI
ECA-970 - LdapPublisher searches for old objects on certDN instead of Ldap DN
EJBCA 3.6.2
2008-08-20
New Feature
ECA-348 - Option to generate non-exportable private keys in IE
ECA-739 - Accounting log on OCSP responder
ECA-740 - When requiring signed OCSP request, configure allowed issuers
ECA-865 - Add tool for importing certificates from a MS CA
ECA-876 - Generated documentation should be reachable from within the EJBCA Web GUI
ECA-908 - Support MS document signing extended key usage
ECA-914 - Configure if OCSP responses should use KeyId or Name as ResponderId
Improvement
ECA-390 - Make it possible to select password generation parameters for autogenerated user password
ECA-547 - Send custom certificate publisher information found in certificate or CRL.
ECA-640 - Popup window with valid ${Foo} variables near any field in which they can be used
ECA-657 - Import and export of end entity profiles should not have to depend on existing CAs.
ECA-696 - Import profiles improvement.
ECA-760 - Relocate 'p12' to 'ejbca-custom' if/when present (by default)
ECA-765 - Log whenever an attempt to activate a CA with the wrong activation code is made
ECA-789 - Display issuer in listcas cli command
ECA-790 - ejbcarawscli should print error message if it can not find the admin keystore
ECA-795 - Notifications are not editable, but look editable.
ECA-810 - Make advanced search for ProtectedLog available
ECA-822 - Default healthcheck db query causes table scan
ECA-826 - EjbcaWsHelper makes double allocations when looking up remote beans
ECA-833 - Simple LDAPPublisher failover
ECA-854 - Remove confusing error message about not finding ejbca-custom directory when running ant
ECA-859 - Delta CRL generation message
ECA-870 - Accept PEM certificates with BEGIN TRUSTED CERTIFICATE
ECA-872 - Improve public page for CA certificate retrieval
ECA-874 - General JUnit test improvements
ECA-880 - Better defaults and help for Freshest CRL Extension / DeltaCRLs
ECA-881 - Be able to drop the 0, O, l and 1 from the auto generated passwords
ECA-884 - Add approvalDN variables to add/edit end entity notifications
ECA-885 - Add email variables where possible for use in notifications
ECA-887 - Document how validity is assigned for a CA
ECA-913 - Configure if OCSP responses should include whole cert chain or only signer
Task
ECA-702 - JDK 1.6 u4 causes EjbcaWS to stop working
ECA-796 - Add documentation on how to use EJBCA with GemSAFE Toolbox
ECA-805 - Update German translation
Bug
ECA-496 - When using a fixed Certificate Profile as template, the FIXED property is inherited.
ECA-682 - WS Cli error message is not good when it cannot find the .jks file
ECA-770 - Protected Log Device always sends 'missing row' email alerts when it shouldn't with MySQL using InnoDB
ECA-783 - During the last step of IE enroll, the URL-path is missing the "ejbca"-part.
ECA-788 - Bull TrustWay support
ECA-793 - Using of module protected keys with netHSM-500 failed
ECA-797 - Cannot activate a CA with a Safenet Luna SA Token.
ECA-798 - A card key or a soft key must be defined in order to run the P11 external OCSP responder.
ECA-802 - Exception when approving KeyRecovery
ECA-803 - PKCS10 requests from OCSP responder uses null attributes
ECA-806 - Equal error code constants in OCSPUnidResponse
ECA-809 - ocsp cli client can not sign requests
ECA-812 - EJBCA 3.6 does not deploy on Glassfish
ECA-815 - NullpointerException downloading CA certificates without CN
ECA-817 - Possible NullpointerException when no extended information exists for user
ECA-820 - Signing CMP responses does not work with most PKCS#11 HSMs
ECA-823 - Deadlock in ProtectedLogData with stresstest
ECA-824 - CA activation page does not display correct for Expired CAs
ECA-831 - High load on ProtectedLog might generate false alarm on MySQL
ECA-836 - Email notifications are not able to handle autogenerated passwords.
ECA-837 - PKCS10 with no attributes causes NullPointer exception
ECA-841 - ExtRA PKCS12 request does not work with approvals
ECA-843 - Some words not localizables in CA Activation
ECA-850 - CN name like 'Graham O'Regan' cannot be entered case sensitive in the 'Add Administrator'
ECA-851 - No messages are created during CA Activation
ECA-861 - Misdirected error output from "ra listusers" CLI to standard output
ECA-866 - Import of externally chained PEM fails
ECA-875 - Trying to reset Subject AltName or Email for an end entity fails
ECA-888 - Profiles allow you to enter things like 'Peter & Partners' in the O and OU field - but a 'Add Entity' will fail
ECA-889 - NPE when running TestEjbcaWS
ECA-895 - Batch generation doesn't work on initial user creation (WebUI / profiles)
ECA-898 - Incorrect initialization of NumberArray in EndEntityProfile causes annoying log output
ECA-901 - email modified in LDAP even if attributes should not be modified
ECA-902 - LdapSearchPublisher can not modify attributes
ECA-903 - LdapSearchPublisher uses Ldap DN instead of Cert DN to search
ECA-905 - java.lang.NullPointerException when creating new end entity with only end time, with end entity profile limitations enabled
ECA-909 - OCSP responder not working on Weblogic
ECA-911 - OCSP not responding for CAs that have been notified about expiration
ECA-912 - NPE on Glassfish on error.jsp in publicweb
EJBCA 3.6.1
2008-05-02
Improvement
ECA-554 - nCipherHSM asks for password which is shown in plain text
Task
ECA-771 - Update french translation
Bug
ECA-540 - Exception if you try to issue a certificate from public web with a CA that is offline
ECA-779 - Cannot enroll with end entities created with CAs with approval setting active
ECA-780 - Index collision in profilemappings.properties.
EJBCA 3.6.0
2008-04-06
New Feature
ECA-257 - Support for IBM Websphere
ECA-515 - Autoenroll certificates for Microsoft systems.
ECA-564 - Support for DB2 database
ECA-595 - Issuance of delta CRL
ECA-596 - Add Freshest CRL extension
ECA-597 - Support for multiple policy statements
ECA-598 - Add support for id-pkix-ocsp-nocheck extension
ECA-619 - Ability to create intermediate LDAP nodes
ECA-624 - New EJBCA WS calls for listing CAs and profiles
ECA-633 - Log signing with real signature keys and row chaining
ECA-635 - Request multiple certificates for a user
ECA-649 - Service to expire user passwords
ECA-651 - Support for Oracle application server
ECA-661 - KeyRecoverNewest command in Ejbca WS API
ECA-662 - Email notifications to admin when user enrols
ECA-665 - Plug-in mechanism for user notification recipient email
ECA-669 - ExtRA SCEP, possible to use pre-registered users and verify their passwords
ECA-673 - Add support for id-ad-caIssuers (authority information access)
ECA-679 - New EJBCA WS calls for CRL generation and CRMF requests
ECA-684 - Allow setting and overriding any extension from a CRMF request
ECA-697 - Support $UID as replacement variable in LdapSearchPublisher
ECA-703 - Possible to use 32 bit serial numbers in cert, instead of 64 bit.
ECA-721 - PKCS#11 HSM support on external OCSP responder
ECA-723 - Option in OCSP to return good status for certificates not in database
ECA-727 - Extended key usages for SCVP
ECA-737 - Allow hexencoded DERObject in custom certificate extensions.
ECA-747 - CLI command to change certificate profile of a CA
ECA-759 - Add ETSI retention period to QC extension
Task
ECA-698 - Remove deprecated JBoss mbean create crl service
ECA-706 - Create instructions for setting up an Apache web server as a proxy in front of EJBCA.
Improvement
ECA-477 - OCSP responder require that signed request are issued by a known CA
ECA-478 - If a signed OCSP request is received, info-log which certificate the request was signed by
ECA-485 - If requiring signed OCSP requests, the responder should return "signature required" for unsigned requests
ECA-617 - External RA SCEP module only returns RA certificate in cert reply, not CA certificate
ECA-637 - Possible to use email for search in Ldap Search Publisher
ECA-645 - Make all default values visible when creating a CA and add a default CRL expiration interval.
ECA-656 - Option to override KeyUsage with key usage from CMP request
ECA-658 - CLI possible to get CRL in PEM format
ECA-663 - Allow @ in username
ECA-671 - Handle SCEP messages where client does not properly encode plus sign in HTTP GET url
ECA-672 - SCEP pending message should have an empty content
ECA-677 - Use CRL Distribution Point On CRL
ECA-678 - Change default CA's LDAP object class to certificationAuthority-V2
ECA-683 - Improve internal code for certificate extensions
ECA-685 - Easy configuration if OCSP requires signature on requests
ECA-689 - Display a "BUILD FAILED" message during the install phase if no superadmin.p12 is created.
ECA-694 - EFS certificates support
ECA-695 - Using PrimeCardHSM on install it does not have enough time to poll readers
ECA-700 - Improve LdapPublisher with option to not update attributes
ECA-704 - better P11 support for nCipher
ECA-705 - Make UTF-8 default encoding for web
ECA-707 - Extra: make configuration of scep ra easier
ECA-708 - Generating module protected JCA keys for nCipher should be simpler.
ECA-712 - Support creation of externally signed EC CAs and handling certificate requests signed by EC key.
ECA-716 - Confirmation when removing a CA
ECA-720 - Publish attributes postalcode and businesscategory in LDAP
ECA-725 - Improve translations
ECA-726 - Remove obsoleted extended key usages for ipsec, add ipsecIKE
ECA-731 - Increase maximum validity of SubCA profile to 25 years
ECA-738 - Checks for max request size and no of reqs in an OCSP req
ECA-741 - Update pt_PT translation
ECA-752 - Make the description of a publisher readable from custom publisher implementations
ECA-754 - For Oracle db change LONG to CLOB
Bug
ECA-606 - ExtRA SCEP servlet should init directly at startup
ECA-643 - Error with weblogic and 4096 bit CA
ECA-652 - findbyApprovalIdNonExpired searches for expired instead of rejected
ECA-670 - ExtRA SCEP, GetCACertChain return wrong content type
ECA-674 - LdapSearchPublisher should not change other attributes
ECA-680 - Derby database does not work with large 4096 bit CAs
ECA-681 - Null Pointer Exception through editUser when CANAME is invalid
ECA-686 - Overflow causing archiving of non-expired certificates when CRLPeriod is very large
ECA-690 - EJBCA uses sun internal java class
ECA-692 - Removal of CA generates database exception under DB2
ECA-699 - Generating browser certificate failed; user still in 'new' status
ECA-701 - Sorting of approvals in Admin GUI does not work.
ECA-709 - Errors in upgrade scripts for MS-SQL
ECA-710 - bin/pkcs11HSM.cmd not working
ECA-711 - EJBCA WS Cli does not handle number of arguments correctly
ECA-713 - the keys can not be used in EJBCA for some HSMs
ECA-717 - SCEP does not work with Luna HSM
ECA-724 - CertificateExpirationNotifier service not working on Weblogic-Oracle
ECA-728 - Lockdown of an enduser profile to fill out to just a CN only not possible
ECA-729 - ArrayIndexOutOfBoundsException on Approval Page
ECA-730 - SCEP to CA signed by some External CAs fail
ECA-734 - Not working on Sybase
ECA-742 - ant javatruststore does not work for CA names with space
ECA-745 - EJB REF to "ejb/RaAdminSessionLocal" has wrong case in glassfish deployment file "ejbca_3_6_b1/src/publicweb/publicweb/WEB-INF/sun-web.xml"
ECA-746 - Not possible to renew CA that does not use default keystore pwd or autoactivation.
ECA-758 - Under some conditions it's not possible to edit rfc822name altname field for user in admin-gui
ECA-766 - Error saving CRL Service on Weblogic 10
EJBCA 3.5.12
2009-03-13
Improvement
ECA-1111 - Optimize performance of findCerts WS call
ECA-1112 - Create a new ant target similar to create-lot-of-users, but creates fewer users with many certs per user
Bug
ECA-1091 - Serious bug in UserDataSource Authorization
EJBCA 3.5.11
2009-01-28
Improvement
ECA-778 - change genTokenCertificates WS call behavior to not temporary revoke certificates for MS logon
Bug
ECA-1052 - Error in EJBCAWS.genTokenCertificate temporary cards aren't revoked properly
EJBCA 3.5.10
2008-11-14
Bug
ECA-724 - CertificateExpirationNotifier service not working on Weblogic-Oracle
EJBCA 3.5.9
2008-10-06
Improvement
ECA-891 - Avoid unnecessary database searches during HealthCheck
Bug
ECA-886 - Upgrade fails to set internal state of CA expire time for externally signed CAs
ECA-906 - EjbcaHealthCheck may use same session bean object for concurrent accesses
ECA-968 - Key length changes when editing CA in admin-GUI
EJBCA 3.5.8
2008-07-23
Improvement
ECA-845 - Attempt to revoke a certificate.user that is already revoked generates an error
ECA-847 - Option to Health Check to perform sign test on CA token
EJBCA 3.5.7
2008-06-29
Improvement
ECA-808 - Errors that should not be errors but info messages
Bug
ECA-799 - Deadlock when running stress test that is revoking certificates
ECA-800 - Importing certificate to CA with off-line token causes status to be wrong
ECA-801 - CRL generation for CAs waiting for certificate response throws exception
ECA-807 - Error enrolling though SSL with client cert
ECA-818 - NPE when issuing sparecard with cert without extended keyusage through HTMF
EJBCA 3.5.6
2008-05-02
New Feature
ECA-768 - Create mechanism for Health Check to report nodes as Down for maintenance
ECA-769 - Activation Page. Create an easy access page for activating many CA's. The current function in the admin-GUI requires a lot of clicking to activate many CA's. Combine with one page access to configure monitoring of CA's
Improvement
ECA-756 - CRLUpdateWorkers may run in same vm in parallel if too slow
ECA-773 - Add distinguishable string to health check return to know which test failed
ECA-774 - Make CRL generation be in one transaction for each CA
ECA-775 - Introduce a random add-on to the service interval
ECA-778 - change genTokenCertificates WS call behavior to not temporary revoke certificates for MS logon
ECA-784 - Improve lunahsm shell script
Bug
ECA-743 - GenerateToken And ViewHardTokenData approvalIds was not calculated correctly
ECA-744 - Wrong DN was used in non-admin generate spacecard pages.
ECA-751 - DemoCertReqServlet gets reference to old template file
ECA-753 - CMP only working with DEBUG log enabled
ECA-755 - Listing log entries does not show the latest when limiting on too many rows
ECA-763 - Listing end entities query displays wrong values
ECA-764 - Under some circumstances two CRLs with the same CRLNumber are stored in the db
ECA-772 - External OCSP publisher does not work on oracle DB
ECA-777 - External OCSP health check not working
EJBCA 3.5.5
2008-02-29
New Feature
ECA-718 - Add Approval option for activation of CAToken
Improvement
ECA-719 - Add support for the fields PostalCode and BusinessCategory, now natively supported by BouncyCastle.
Bug
ECA-736 - LDAPPublisher initialized the fakeCRL incorrectly
EJBCA 3.5.4
2008-01-24
New Feature
ECA-691 - A preference file that could specify custom attributes for keys generated by pkcs11HSM.sh
Bug
ECA-693 - Potential Duplicate Key exception on old logging system when log-method is executed simultaneously.
EJBCA 3.5.3
2008-01-04
New Feature
ECA-676 - A stress test is needed to test EJBCA certificate signing performance when access though https
Bug
ECA-666 - NullPointerException in LogEntryDataBean
ECA-667 - pkcs11HSM.sh does not run
ECA-675 - Generated keys on some P11 HSMs (AEP Keyper) can not be used for decryption.
EJBCA 3.5.2
2007-11-09
New Feature
ECA-530 - Debian package for EJBCA-MySQL
ECA-599 - Add pt_PT l10n
Improvement
ECA-529 - Pass extra parameters to JBoss through nCipherJBoss.sh/cmd
ECA-580 - Optimize CRL generation for large CRLs (>100.000 revoked)
ECA-618 - External RA SCEP module should include ip and dns altNames from request
ECA-623 - Possible to use an internal CA as external
ECA-625 - Add the missing text label along with the message "Text not available"
ECA-626 - ExtRA, possible to require SCEP password
ECA-642 - In lunaHSM.sh warn if EJBCA_HOME is not set
Bug
ECA-541 - Null pointer exception when you enter wrong values or forget to enter values in "Hard CA token properties".
ECA-543 - It should be possible to run ejbca.sh from any directory in the file system.
ECA-590 - inconsistent labels in publisher (:)
ECA-605 - Wrong parameter name in ca republish
ECA-608 - Luna HSM support broken
ECA-609 - XKMS cli not working
ECA-612 - Can not run Glassfish off-line
ECA-614 - Ugly error when entering non hex encoded serial number in check status on public web
ECA-615 - Java exception when editing an external CA
ECA-616 - Can't fetch the certificate of external CA after signing it
ECA-620 - PKCS10 requests to external CA can not be PrintableString encoded
ECA-621 - Error creating an external OCSP-responder on JBoss 4.2.x
ECA-627 - Large comments and CA Subject DNs generates SQL exceptions.
ECA-629 - When you create a new soft CA and enter an "Authentication Code" you get null pointer exception.
ECA-646 - ExtRA CA service throws exception when RAIssuer is signed by external CA
EJBCA 3.5.1
2007-09-18
Improvement
ECA-593 - Tool for checking translation files for missing tags
ECA-602 - Enable use of multiple CRL Distribution points by changing GUI length constraints
Task
ECA-592 - Update french language file
Bug
ECA-445 - JBoss deadlock problems
ECA-542 - Null pointer exception when you run "$EJBCA_HOME/bin/ejbca.sh ca republish -all"
ECA-591 - Install does not work unless web.properties is defined
ECA-594 - Certificate enrollment on card does not work using https only http
ECA-600 - Removing certificates from LDAP does not work using LDAP search publisher and username match
ECA-601 - checkCertificateStatus for certificates that don't exist in database throws a Nullpointer exception
ECA-604 - Advanced Access Rules visual bug, End entity profiles rule haven't the id to name replaced correctly
EJBCA 3.5.0
2007-09-04
New Feature
ECA-81 - Editing validity per End Entity
ECA-115 - Serial Number Check
ECA-138 - HardToken PIN data should be encrypted in database
ECA-249 - Possible to configure specific validity dates in certificate profiles
ECA-398 - Support multiple email altnames in admin-GUI
ECA-414 - Possibility to choose reverse DN for a CA
ECA-419 - Improve CA softs security to use individual passwords
ECA-470 - PKCS11 tokens for new CA and support for Utimaco CryptoServer (using pkcs11)
ECA-472 - Custom Logging
ECA-480 - Import Hard Token Data in CLI
ECA-489 - New ant argument that outputs the version number of the EJBCA installation.
ECA-505 - Enable download of CA certificate as jks-file from Basic Functions in Admin GUI.
ECA-516 - Present warning in the Admin GUI when JCE Unlimited Strength Jurisdiction Policy Files isn't used.
ECA-520 - Experimental reporting functionality using JasperReports
ECA-526 - Possible to install with initial AdminCA on HSM
ECA-527 - Possible to retrieve entity certs with CLI
ECA-545 - Allow initial superadmin enroll on smartcard
ECA-573 - Root-less install, use custom SSL truststore for JBoss/Tomcat
Improvement
ECA-35 - make better looking public enroll pages
ECA-232 - When listing administrators in access rights, make the link clickable
ECA-291 - Option to specify certificate validity begin time drift
ECA-331 - Hide HardToken Puk Data in View HardToken page
ECA-426 - Include nonce in requests from OCSP client
ECA-461 - Build script does not check for actual version of java that is used.
ECA-462 - Possible to keep configuration/modifications in an external directory
ECA-465 - Possible to use different profiles in CMP RA mode
ECA-468 - Create a PKCS7 with the web service interface to import it in IE
ECA-471 - New Calls in the EJBCA Web Services interface
ECA-473 - Interface of UserDataSources improved for support of UserData Deletion
ECA-475 - Improved functionality in Extended CMS Service
ECA-482 - Move scep servlet to its own web application
ECA-494 - Better default datasource for ScepRAServer in External RA
ECA-495 - ScepRAServer in External RA will process the same message until it is approved
ECA-502 - build.xml should use $JAVA_HOME/bin/keytool instead of first one in path, if available.
ECA-507 - Add description on UPN field.
ECA-508 - When using Validity Override, don't allow validity to start before current time.
ECA-509 - When using Validity Override, don't allow validity to extend beyond the validity of the certificate profile
ECA-510 - AD Publisher should use different container for certificateRevocationList
ECA-513 - Not consequent text in profiles menu choices
ECA-514 - Java exception when removing newly added service
ECA-518 - Support new key purpose CAKEYPURPOSE_HARDTOKENENCRYPT
ECA-531 - Improve Approvals with multiple steps of non-executable approvals
ECA-532 - Support Approvals for the getHardTokenData and genTokenCertificates call
ECA-536 - Import CA function supports HSM CAs
ECA-537 - Require approvals for revocation
ECA-572 - Confusing text in conf/ejbca.properties.sample
ECA-581 - Bad presentation of approvalId, sometimes it is displayed with - sign in notification
ECA-584 - Not possible to use comma in CA DN when creating CA
Bug
ECA-412 - Try to create service after re-deploy gives exception
ECA-413 - When choosing "Hard Token Type", all previously made "Settings" are deleted.
ECA-443 - If you execute ./ejbca.sh batch in "ejbca/bin" the script creates ejbca/bin/p12 and puts the new p12:s in there instead of ejbca/p12
ECA-460 - Get certificate chain link in public enroll pages does not work when CA is signed by external Root.
ECA-467 - Private EC keys report different algorithm after application server restart
ECA-501 - Weblogic throws TransactionRolledBackLocalException on duplicate log lines
ECA-512 - Java exception when editing services
ECA-525 - ExtRATestClient not working according to doc
ECA-539 - Removing any but last of dynamic fields in an End Entity Profile generates errors when creating an end entity.
ECA-548 - Automatic token activation fails when using nCipher HSM
ECA-549 - No space trimming in DN of a CA
ECA-556 - Security: XSS possibility on public web
ECA-559 - Autoactivate of Hard CA tokens does not show as active in Admin-GUI
ECA-560 - Renew of keys for soft token CA must not regenerate encryption keys
ECA-561 - CA levels displayed incorrectly in Basic Functions at depth > 2
ECA-571 - PKCS#11 times out after some time on Utimaco
ECA-574 - Wrong validity of created CAs, maximum two years
ECA-583 - Bug in advanced access rules view, UserDataSources displayed id instead of name in rule
Task
ECA-491 - Remove support for JDK 1.4
ECA-538 - Remove CA import restrictions depending on keyusage field in CA-cert.
ECA-576 - Remove support for JBoss < 4.0
EJBCA 3.4.5
2007-08-10
Bug
ECA-567 - XKMS register operation fails when user's token is JKS or PEM.
ECA-568 - Parsing of some DERBitStrings in custom certificate extensions.
ECA-569 - If KeyIdentifiers from ExternalCAs are not standard format, key identifiers will mismatch
ECA-570 - Approvalqueries can fail in some circumstances
Improvement
ECA-524 - Configurable which interface tomcat listens on
EJBCA 3.4.4
2007-07-20
Bug
ECA-486 - Can't activate a (nethsm) hard CA where cardset is not protected
ECA-544 - Servlet is not able to return Open VPN Installer executable.
ECA-553 - CRLUpdate worker not working with TableProtection enabled on JBoss 4.2.0
Task
ECA-555 - Add instructions for using module protected keys with EJBCA and nCipher to User Guide.
EJBCA 3.4.3
2007-06-08
New Feature
ECA-484 - Support for JavaDb/Derby
Task
ECA-500 - Support for JBoss 4.2.0
ECA-522 - XKMS/WS does not work on JBoss 4.2.0
Improvement
ECA-474 - Support RSASHA256WithRSAAndMGF1 again
ECA-504 - possible to specify keystore name to ant javatruststore
ECA-511 - Spelling errors
Bug
ECA-360 - End entity details fails to display in log
ECA-479 - invalid error message when I create an external ac
ECA-483 - cli: ./bin/ejbca.sh ra unrevoke doesn't set a correct userstatus
ECA-487 - Exception on glassfish when removing and adding a CA with same DN
ECA-488 - ejbca.sh may fail to find weblogic/glassfish if jars are not executable
ECA-497 - LdapSearchPublisher not working
ECA-498 - LdapSearchPublisher does not publish to old entry if search returns more than one entry
ECA-499 - ./bin/ejbca.sh ca importca gives exception
ECA-503 - No good error message when using non existing alias for keystore in the encryption decryption CLI
EJBCA 3.4.2
2007-04-26
New Feature
ECA-41 - Export soft CA token to pkcs12 file
ECA-338 - EJBCA deploys and runs on Glassfish
ECA-425 - Support for MD5withRSA as signature algorithm for CAs
ECA-434 - CLI to automatically add HW token CA.
ECA-435 - simple CLI to be able to use nCipher HSM to encrypt and decrypt
ECA-444 - JSF admin pages work on Glassfish
ECA-452 - Publish CRL with user defined script
ECA-464 - Scep RA functionality in ExtRA API
Improvement
ECA-429 - Public web link from admin-GUI should open in new window/tab
ECA-431 - Better support for customized extension when processing external CAs
ECA-432 - Possibility to store customized data in ExtendedInformation
ECA-457 - New logo for admin-GUI
ECA-458 - Basic custom extension support for asn.1 IA5String
ECA-463 - Publish cert and revocation with user defined script
ECA-481 - Remove track-statements config in JBoss to enhance performance
Task
ECA-410 - Oracle JDBC does not support ResultSet.relative
ECA-411 - Support for JSF in Weblogic
ECA-450 - Update german language file
ECA-454 - Include dncomponents.properties and profilemappings.properties in ejbca-util jar
Bug
ECA-374 - ServiceTimer Startup throws exception on startup on Glassfish
ECA-421 - Certificate Enrollment Internet Explorer 7 Windows VISTA
ECA-424 - Ocspclient stopped working
ECA-427 - Bug showing fixed OCSPSIGNER certificate profile when adding end entities
ECA-428 - XKMS key recovery issue on platforms not using ISO8859-1 language encoding
ECA-430 - Upgrade XKMS external service for External CAs give NPE
ECA-433 - Impossible to remove CAs with custom-defined profiles
ECA-437 - Missing property YOUCANTADDFIXEDCERT in language files
ECA-438 - When X is enabled on server, Edit end entity profiles gives sun.print.CUPSPrinter exception
ECA-439 - Renew Root CA does not give new validity period
ECA-440 - Renew Root CA might give different encoding for subject and issuer
ECA-446 - Not possible to use | in DirectoryName, altname and email not stripped
ECA-447 - Downloading certs on public web gives no file extension when filename contains space
ECA-449 - CRLUpdateWorker not working, missing reference to CRLSession bean
ECA-451 - Service timer runs amok on Weblogic
ECA-453 - nCipherHSM.sh runs out of memory for large backups.
ECA-455 - Public web pages not working in Weblogic
ECA-459 - Be able to use email in LDAP dn
EJBCA 3.4.1
2007-01-27
Bug
ECA-417 - Cli throws exception on windows
ECA-422 - OCSP not working in Mozilla
EJBCA 3.4.0
2007-01-19
New Feature
ECA-97 - Possibility to dynamically configure new OtherNames in subjectAltName.
ECA-99 - Support for CMP (rfc 4210)
ECA-251 - Email for certificate expiration warning
ECA-296 - New access rule to delete generated
ECA-297 - Simple approval function for RA
ECA-332 - Initial EJBCA WebService interface
ECA-346 - Monitoring Services Framework, mail on certificate expire
ECA-349 - Support custom OID fields in subject alternative names
ECA-359 - Allow validity override from requests
ECA-362 - Support for ECDSA signature keys
ECA-371 - Support CRLIssuer in crl distribution point
ECA-381 - Make DN components configurable, support custom OIDs
ECA-393 - CSV export of log entries from admin-GUI
ECA-394 - XKMS v2 Service
ECA-400 - Custom Certificate Extension framework
Improvement
ECA-30 - Unify DN and AltName handling
ECA-304 - Mail notification of new passwords without re-setting status
ECA-330 - Add access rule to access system configuration
ECA-333 - Improve Batch Tool functionality
ECA-335 - Printing of new and edited userdata
ECA-337 - Make reverse dn ordering easy configurable
ECA-339 - Move ejbca.properties to conf subdirectory to be able to split up different part in different files
ECA-341 - Approval Email notification
ECA-342 - Internal log and exception localization
ECA-343 - Key recovery should be approvable
ECA-344 - Deploy CRL creation service by setting a simple property
ECA-345 - Cache CA objects to avoid loading keystores often
ECA-355 - implement the withlimit flag in useradminsession.query
ECA-368 - Configurable order of unknown DN oids
ECA-372 - Allow multiple policy oids in certificates
ECA-377 - possibility to store certs on the card with Mozilla browser
ECA-379 - Add dnQualifier as a DN component
ECA-382 - possibility to set public exponent when generating RSA keys for nCipher.
ECA-388 - Possibility to retrieve PKCS7 response in ExtRA API
ECA-391 - Release zip-file should unpack in directory with version number
ECA-392 - Improve Weblogic support for Weblogic 9.x.
ECA-396 - Support multiple email altnames using CLI
ECA-399 - Calculate certtype automatically in publishCACertificate
Task
ECA-327 - Make UTF8 encoding default in DNs (for new CAs)
ECA-351 - Upgrade XDoclet jars
ECA-401 - Change default java version to 1.5 when building EJBCA
Bug
ECA-299 - Changing CPS in profile does not save always
ECA-336 - Using reversed DN makes DN wrong in some places
ECA-352 - Language files must be placed under /tmp in Weblogic
ECA-386 - Not possible to revoke external CAs
ECA-406 - Changing log configuration gives NullpointerException when using other languages
EJBCA 3.3.3
2006-12-22
Bug
ECA-347 - Sun One Directory Server doesn't understand the gn attribute, it expects givenName
ECA-370 - CRLs are generated with default DN encoding, not the same as issuer in ca certificate
ECA-373 - Typo in ejbca.properties.sample
Improvement
ECA-376 - Include serialNumber LDAP attribute if selected in DN
ECA-383 - Option to remove entity in LDAP when cert revoked
EJBCA 3.3.2
2006-11-13
Bug
ECA-328 - EJBCA requires Myfaces in appserver to deploy admin-GUI
ECA-350 - Errors deploying on Weblogic
ECA-357 - OCSP with lookup test not working. ocspclient.jar
ECA-363 - EJBCA does not work with Oracle DB
Improvement
ECA-353 - Automatic column name change for logentrydata.comment in Weblogic/Oracle
ECA-356 - ant javatruststore should be able to install any CAs certificate
ECA-365 - Turkish profile
Task
ECA-358 - Upgrade to latest log4j jar
EJBCA 3.3.1
2006-09-29
Bug
ECA-326 - Use MySQL specific command in ExternalOCSPPublisher.java
ECA-334 - Not possible to activate a Luna HSM CA
ECA-340 - Some errors in deployment descriptors (not noticeable in JBoss)
EJBCA 3.3.0
2006-09-13
New Feature
ECA-98 - Commands and status for certificate suspend
ECA-143 - Option to generate new keys when renewing a CA
ECA-215 - Loadbalancer Health Check Servlet
ECA-234 - Support for directoryName in SubjectAltNames
ECA-238 - Generate OpenVPN install packages for token enrollment
ECA-248 - External RA API and service
ECA-268 - Revoke certificate in Ldap search publisher
ECA-271 - Option in publishers to not remove certificate when revoked
ECA-272 - Configurable CRL overlap time
ECA-274 - Support Subject Directory Attributes extension
ECA-275 - Support Custom UTF8String QC Statement
ECA-276 - Asn1dump cli command
ECA-281 - Option to specify UTF8String for all subject DNs
ECA-289 - Possibility to use smart card HSM on external OCSP responder
ECA-290 - Basic signing function to verify the integrity of audit logs
ECA-306 - Initial Framework for User Data Sources
ECA-314 - Initial Approval implementation
ECA-316 - Basic integrity protection of external OCSP database
ECA-321 - k/n operator card authentication when enabling nCipher keys in nCipher cards
ECA-322 - Support for German in admin-GUI
Improvement
ECA-84 - Add UserNotice and CPS url to certificate policy extension
ECA-166 - Request to external CA gives bad error messages
ECA-187 - Better sizing of the 'View Certificates' windows
ECA-255 - Templates for Hard Token Profile printouts
ECA-266 - Issue CRLs periodically before CRL expire date
ECA-279 - Added new classes to ejbca-util.jar to compile with timestamp server
ECA-280 - Support of Safe Net Luna HSM
ECA-285 - If possible it should be possible to define the auth code of the HSM when configuring the CA.
ECA-294 - Limit user cert validity to CAs validity
ECA-309 - Healthcheck servlet for the External OCSP Service
ECA-310 - Simplified EJBCA healthcheck deployment
ECA-312 - Option in cli to re-publish all certificates, not only latest
ECA-320 - Authorization denied displays as error 500 in IE
ECA-324 - ant task to add ca-certificate to java truststore
Task
ECA-174 - Publish (optionally) multiple certificate values in LDAP
ECA-207 - Remove redundant code from Profiles
ECA-298 - Latest version (1.33) of bouncycastle jars
Bug
ECA-57 - I18N issues with resource bundle
ECA-150 - Can get user certificate from another CA than the user is registered for
ECA-189 - LogSession can miss to log events under multithreaded heavy load
ECA-236 - Internationalize webconfiguration.jspf
ECA-250 - Error in default PIN envelope for hard tokens
ECA-258 - JBoss hangs when deleting publisher used in CA
ECA-262 - You cannot leave out defaultKey in nfast ca token configuration
ECA-267 - Bug in searching for certificates for user that have been removed
ECA-284 - Wrong exception thrown in EracomCAToken.
ECA-287 - It is only possible to use one key for each CA with Eracom HSM.
ECA-292 - Creating CA with national chars in DN fails for some encodings
ECA-300 - "Hard CA Token Properties" not stored permanently after editing.
ECA-301 - External OCSP responder doesn't work with jboss-4.0.4
ECA-302 - In the Edit End Entity Page it is not possible to set a user back to generated if it has been set to new by mistake
ECA-303 - ant ocsp-deploy does not work without tomcat.jks file
ECA-305 - Wrong responderId in response from OCSP responder when not using CA-signing
ECA-307 - Custom Publishers don't reload after save of properties
ECA-308 - Exception is thrown when trying to republish to external OCSP publisher
ECA-311 - Re-publish should not add revoked certificates in LDAP
ECA-313 - BC provider can be missing if running multiple apps simultaneously (rare)
ECA-315 - Many calls to internal OCSP responder can give 'Reentrant method call detected' error
ECA-317 - ca republish cli command uses wrong username for CA
ECA-318 - Scep only works against RootCAs, not SubCAs
ECA-319 - Surname and Givenname is always added as attributes in LDAP even if not required
ECA-323 - Html encoded characters not displayed correctly on jsf pages
ECA-325 - CRL Issue interval overflows when too large value entered
EJBCA 3.2.2
2006-06-25
Improvement
ECA-282 - Distribute files with stricter permissions
ECA-286 - Remove logging in publisher.getAuthorizedPublisher calls
ECA-295 - Allow dot in username
Bug
ECA-202 - Too long primary keys when using UTF-8 encoding in MySQL
ECA-277 - Error deploying on MS-SQL and Sybase
ECA-278 - SQLException on MS-SQL
ECA-283 - Web enrollment with Eracom HSM fails
EJBCA 3.2.1
2006-05-29
New Feature
ECA-263 - Alternative way of checking end entity profile data
Bug
ECA-139 - It is not possible to use a HSM to sign a pkcs10 req to an external root CA.
ECA-259 - Exception when importing certificate signed by external CA
ECA-264 - Remove field restrictions for QC statement
ECA-273 - Jboss 4.0.4 throws tomcat clustering exceptions with distributable tag in web.xml
Improvement
ECA-265 - Allow ':' in username and DN
ECA-269 - Web-encoded characters in spanish language file
ECA-270 - Public web cert dist sensitive to DN order
EJBCA 3.2.0
2006-04-06
New Feature
ECA-89 - New LdapSearchPublisher, obtain LDAP DN from directory server, using UID attribute, with LdapPublisher
ECA-179 - Support Qualified Certificate Statement (RFC3739)
ECA-190 - LDAP search capabilities in AD Publisher
ECA-192 - Support for Eracom HSM (now SafeNet)
ECA-208 - Swedish Translation of Admin-GUI
ECA-220 - OCSP extension mechanism
ECA-221 - Possibility to run OCSP responder(s) separated from CA
ECA-224 - Support for Informix 9.2 database
ECA-225 - Chinese translation of Admin-GUI
ECA-228 - Key Recovery of soft tokens should support reuse of certificates
ECA-229 - Make OCSPSignerCertificateProfile Visible
ECA-239 - possible to select if a printout should be "scaled to page" or not.
ECA-245 - Utility script to initialize creation of administrator token
ECA-195 - CLI function to activate HSM CAs
ECA-216 - CRL in PEM format since OpenVPN requires PEM format
Bug
ECA-66 - Certificate fingerprint (hex encoding)
ECA-134 - Not possible to select 'no value' when a dn value is set in entity profile
ECA-137 - AdminGUI not working on different machines in a multi-machine environment
ECA-152 - ejbca-ejb.jar contains web.xmls
ECA-164 - Spelling error in language file
ECA-184 - EJBCA changed the order of issuer's subject DN when creating a certificate
ECA-202 - Too long primary keys when using UTF-8 encoding in MySQL
ECA-203 - Exception when accessing adminGUI due to duplicate log entries
ECA-205 - server.xml contains some static fields that should be taken from ejbca.properties
ECA-209 - Weblogic/Oracle needs special deployment descriptors for LONG columns
ECA-210 - In edit CA page will 'Edit' and 'Delete' action generate nullpointer when spacevalue is selected
ECA-223 - Links not URLEncoded on public page for downloading CA-cert
ECA-227 - Testscript causes OutOfMemory exception
ECA-230 - After enabling "issue hardware token" in sys config you need to manually reload menu-frame
ECA-231 - Edit hardwaretoken is broken
ECA-235 - ant deploywithjbossservices messes up EJBCA
ECA-237 - Generate CRL on off-line CA gives exception
ECA-240 - All hard token CAs are displayed as online after ejbca start
ECA-241 - Userdefined text in enhanced eid hard token profile misspelled
ECA-242 - getAllCACertificates fails when there are external CAs waiting for certificate
ECA-243 - Install script error when JBoss runs on nonstandard ports
ECA-247 - ejbca does not set a CA to offline when the HW has been reset.
Task
ECA-83 - Upgrade to the latest ldap.jar
ECA-212 - Make database upgrade script for EJBCA 3.1.x to 3.2.x
Improvement
ECA-60 - Move CDP to CA.jsp page instead of Certificate Profile
ECA-85 - Restructure source tree
ECA-93 - link from admin-GUI to public index page
ECA-158 - Wrong default CRL distribution point
ECA-206 - Remove internal implementation of Hex and use only bouncycastle
ECA-214 - Refactor addUser, changeUser to take UserDataVO as parameter
ECA-217 - Change column type for extendedInformationData in UserDataBean table
ECA-218 - Make pageEncoding in JSP pages same as web.contentencoding
ECA-219 - Change BaseURL behaviour to work with multi-machine setups
ECA-246 - Small fix to UserMatch, possible to search for subjectDN contains data from future webservice interface.
EJBCA 3.1.4
2006-02-13
Bug
ECA-193 - reentrant property of Entity beans is "false" instead of "False", breaks Weblogic
ECA-194 - Fix deployment descriptors to work with Weblogic 8.1
ECA-196 - wrong size of some PrimeCard printouts
ECA-198 - Private fields in CMP beans are not cached in Weblogic
ECA-199 - Weblogic/Oracle can not use DISTINCT in SQL with LONG columns
ECA-201 - DataSource jndi name must be EjbcaDS not java:/EjbcaDS in Weblogic
ECA-211 - Unable to reload existing session
Improvement
ECA-197 - Some entity beans do not define transaction settings in ejb-jar.xml
ECA-204 - possibility to include classes for HW token in the ear file
ECA-222 - Make installation done with early pre-release of nCipher support work out-of-the-box
ECA-226 - Improved error logging for nCipher HSMs
EJBCA 3.1.3
2005-11-30
Bug
ECA-75 - SCEP not working with Hard token CAs (HSMs)
ECA-107 - can't view logs using oracle due to column 'comment'
ECA-139 - It is not possible to use a HSM to sign a pkcs10 req to an external root CA.
ECA-141 - Unstable default idle-timeout for datasource
ECA-144 - Scep not working with Cryptlib
ECA-145 - Bug in hard token profile pages, Nullpointer when changing profile type or saving new pages
ECA-147 - Star (*) not working in subject alt names
ECA-148 - Scep not working with Cisco PIX
ECA-149 - unstructuredName/address in DN does not work
ECA-153 - cli not working on windows when java_home contains space char
ECA-154 - install does not work when JAVA_HOME contain space char
ECA-155 - OCSP using CA key does not work with HSMs
ECA-156 - binary chars in ejbca-mail-service.xml
ECA-160 - display of mail.smtp.host during ant deploy is wrong (cosmetic)
ECA-165 - Not possible to remove UnstructuredName from entity profile
ECA-167 - CN Postfix doesn't work if UID have the same value or DN is reversed
ECA-168 - Hard Token SN search doesn't work with primecard 1.3 >
ECA-169 - Hard Token Profiles cannot be cloned
ECA-170 - Malformed SVG Template crashes the Hard Token Profile pages
ECA-171 - Typo in language file
ECA-176 - Method CertUtil.getEMailAddress(X509Certificate certificate) hangs jboss
ECA-177 - SCEP not working with Netscreen/Juniper boxes
ECA-180 - Select, unselect javascript features don't work anymore
New Feature
ECA-109 - Support RSASSA-PSS signatures
ECA-140 - Add $UID as a variable to the SVG templates
ECA-181 - Javascript checks use unicode for internationalized chars
ECA-182 - Possible to select a subset of fields in DN and Subject AltNames in the certificate profiles
ECA-186 - Possibility to specify the BasicConstraint path length
Task
ECA-127 - Add references of installations to EJBCA home page
Improvement
ECA-146 - Device schema for sun directory server missing X-ORIGIN
ECA-159 - Not possible to view historical data in CertReqHistory
ECA-161 - easy configuration of smtp auth
ECA-163 - Describe how to install com.mysql.jdbc.Driver in the documentation
ECA-178 - Better error messages when HSM provider not found
ECA-183 - Possible to configure for different JBoss targets
ECA-185 - new version of batik lib
EJBCA 3.1.2
2005-08-18
New Feature
ECA-46 - multiple instances of altNames in certificates
ECA-130 - Implement new Scep mode using POST
Bug
ECA-118 - Imported OpenSSL CA not working
ECA-121 - Can not publish certificate with comma in DN to LDAP
ECA-123 - Dash not allowed in username
ECA-124 - User passwords leak into debug log
ECA-125 - Adminweb too restrictive for Estonian chars.
ECA-126 - Some imported CA certificate contains the field "friendlyName" in PKCS#12 twice
ECA-131 - Problem with certificate import CLI command
ECA-133 - Single quote in DN does not work
ECA-136 - senderNonce in returned SCEP messages longer than 16 bytes
Improvement
ECA-108 - Add changelog to ejbca web site
EJBCA 3.1.1
2005-06-30
Bug
ECA-113 - key Ids looks critical when editing certificate profiles
Task
ECA-111 - Remove obsolete cli commands
Improvement
ECA-114 - add CA id to 'ca info' cli command
ECA-116 - Added caid to create certificate method
EJBCA 3.1.0
2005-06-20
General (not from Jira):
Usage of XDoclet to generate ejb interfaces and deployment descriptors. Lots of XDoclet tagging to simplify development and deployment.
Changed packaging to avoid classes duplication between jars.
Much improved configuration, installation and deployment, now there is a single point of configuration using a config file.
Added French, Italian and Spanish translations for the admin-GUI.
Add parameter for jboss/weblogic to install.
Changed database configuration to make it more flexible for deployment.
BatchMake has been changed to support a dir (directory attribute). Default is still 'p12'.
LDAP object classes for devices.
New structure for the cli, it now lives in the bin subdirectory.
Reorganization of documentation tree, new xml based web site for http://ejbca.sf.net/ .
New version, 1.28, of bouncycastle provider.
Lots of minor and structural changes.
New features:
ECA-6 - Download certificate link in 'View Certificate' window
ECA-12 - CA keystore randomizer in the ant script
ECA-19 - Create Servlet for initial installation
ECA-45 - Add SHA256WithRSA as signature algorithm for certs
ECA-62 - Add Receipt and address templates
ECA-67 - Republish button in view certificate window
ECA-68 - CN Postfix in certificate profile
ECA-69 - Only domain used for UPN in End Entity Profile
ECA-70 - Key Recover button in view hard token window
ECA-86 - Javascript changed so all new small windows automatically gets focused.
ECA-87 - Added a new getCATokenStatus method in the IHardCAToken interface
ECA-90 - Support for nCipher HSM (sponsored by Linagora)
ECA-96 - Add importcert cli function
Improvements:
ECA-48 - make web page encoding selectable by parameter
ECA-56 - Bad error message when authorization fails
ECA-61 - Enable Advanced Profiles
ECA-73 - Add more information regarding Critical Extension
ECA-76 - Installation on JBoss 4.0.2
ECA-82 - Available languages (EN, FR, IT, ES) selectable by default in admin-GUI.
ECA-88 - Added a 'reuse old certificate' flag to the hard token profiles
Bugs fixed:
ECA-13 - Exception after editing entity profile
ECA-28 - RA Admin privileges don't work
ECA-34 - Multiple bugs in Hard Token Issuing handling.
ECA-38 - register users with int'l characters in dn does not work
ECA-39 - HTML error in view end entity jsp page when displaying subjectDN
ECA-43 - exception during CRL generation
ECA-44 - no key length selection for p12 generated server certs
ECA-55 - export/import profiles does not ignore fixed HARDTOKEN profiles
ECA-71 - CRL creation in batch mode is not possible if a CA is not active
ECA-72 - cmd-line not working
ECA-74 - CRLCreateService not working
ECA-77 - bug when signing certificate with "card CA token"
ECA-78 - CRLCreateService has no overlap
ECA-79 - View ocsp certificate not working (exception)
ECA-80 - wrong PIN type is stored in DB
ECA-91 - Bug in base64 decoder
ECA-92 - UserGenerated Certificates doesn't work with enhanced EID hard tokens and IE
ECA-100 - Subject DN with "'" (ASCII 27) displays as "\" in admin GUI.
ECA-102 - missing break; causes IllegalKeystoreException
ECA-104 - Handle language encodings in demo servlet
ECA-106 - non-superadmin cannot press cancel in my_preferences page
EJBCA 3.0.7
2005-04-04
-----
ECA-54 - HardCATokens goes off-line when bean gets passivated
ECA-49 - saving of generated request from CA fails on IE
ECA-50 - Key Recovery status and change password in Edit End Entity doesn't work
ECA-52 - In Create CA page should the CAToken authentication info be a password field instead
EJBCA 3.0.6
2005-02-23
-----
ECA-40 - defined hardtoken issuer and profiles disappears after some time
ECA-42 - <enterprise-beans> tag missing in xml file
EJBCA 3.0.5
2005-02-09
-----
Added support for activation of hardcatokens in View CA Info page.
Added MS Template for DomainController functionality.
Fixed Certificate upgrade problems.
SECURITY: Add checks in adminweb for illegal SQL chars in advanced modes in list end entities and view log.
Weblogic xml files for WLS 8.1 (still needs patch for complete function).
Possibility to set 2048 bit keys in Swedish hardtoken profile.
Changed error message when unlimited strength policy files not installed during install.
Handle double type encoding in install.en.properties for other languages.
Tested with JBoss 4.0.1.
Support for PostgreSQL 8.0 on JBoss 4.
Fix for 'rule' column name in config for MS SQL server 2000.
Fixed problem where requiring RFC822Name caused error when editing end entity.
Fixed bug with extra commas in publishers when selected DN components don't exist in DN.
Changed 'Batch' text in adminweb to be more descriptive.
Changed 'Use fields in DN' in adminweb to be more descriptive.
Added StaticRegistering to CA hard token manager.
Fixed error during install when CA-cert does not exist in java truststore.
Fixed weblink to force a browser type when using an unknown browser.
Added cli method to re-publish a CA and all its users to ldap.
Fixed so EMPTY profile is not selectable for admin groups not authorized to it.
Fixed sending of notification messages not working on certain occasions.
Fixed cache control issues with download of ca cert and CRL from admin pages to IE.
EJBCA 3.0.4
2004-11-11
-----
Fixed integer overflow when setting CRLPeriod longer than 596 hours.
CLI command to import a CA from an existing PKCS12 file (openssl CA).
Fixed bug where own fp instead of CA fp was written to the database.
Fixed bug where an administrator could not use the admin GUI if signed by a CA using multiple DC attributes.
Fixed bugs with AD publishing, useraccountcontrol temporarily removed.
Changed the default extended keyusages for hard token profiles.
EJBCA 3.0.3
2004-09-27
-----
Fixed wrong encoding of BasicConstraints when false.
Fixed bug in CA functions page viewing certificates with intl chars.
Fixed bug in the publisher page where the top publisher wasn't shown.
Fixed bug in adduser page where email address wasn't saved when user existed.
Fixed bug where IPADDRESS and GUID subject altname weren't shown in certificate view.
Fixed email field check bug in add and edit user jsp pages.
Fixed bug in certificate profiles jsp page where critical extended keyusage couldn't be unchecked.
Added missing class in admin.jar for 'ca processreq'.
Fixes to demo servlet.
Fixed error message when enrolling with un-allowed keysize from browser.
Fixed minor error in authorization log text.
Fixed error for DATE var in notifications.
Fixed bug adding email and uid attributes in LDAP.
Added more extra attributes to LDAP publisher.
Make o,ou,st selectable as 'Use Fields in DN' for publishers.
Fixed publishing of CA certificates and CRLs.
Works with Java 1.5 and 4096 bit keys.
Fixed bug in webpage checking for revocation.
Added pageEncoding for jsp pages and removed explicit encoding tag in meta-inf for adminpages.
Fixed bug with republishing CA certificates.
Check execute permission on batch.sh from install script.
Many clarifications in docs.
Tested on MacOSX.
EJBCA 3.0.2
2004-06-29
-----
Removed writing of testfile foo.crt.
Changed version in web-GUI.
EJBCA 3.0.1
2004-06-27
-----
Fixed subject DN field removal bug of UNSTRUCTURED IPADDRESS and UNSTRUCTURED NAME
Fixed bug where PKCS7 header and footer were always generated when using manual pkcs10
Fixed warning in SSL deployment with JBoss 3.2.4.
Long timeout for ca creation in JBoss 3.2.4.
Fix for keystore path in Tomcat41-JBoss32.
Some doc and xml fixes.
EJBCA 3.0
2004-06-01
---
Added unstructuredname, unstructuredaddress to subjectdn.
Cleaned system.out debug logs.
Digital signature in default key usage to make ocsp work out of the box.
Added support for iPAddress alternative name.
Added support for MS GUID alternative name.
Better check on altnames when adding user with cli.
Fix CRL import in Mozilla.
Allow . in usernames in webGUI.
SCEP GetCRL method implemented.
Fixed minor errors in deployment descriptors.
EJBCA 3.0 beta 3
2004-05-17
----------
Upgrade function from ejbca2 with MySQL.
Added password and extendedinformation to publisher interface.
Fixed CA renew bug where new certificates weren't published to publishers.
Fixed Hard Token Issuer authorization bug.
Fixed Hard Token Profile authorization bug when logging in as CA Administrator.
Fixed Authorizer.java so it doesn't throw NullPointerException.
Added initial support for HSM plug-ins.
Fixed install script freeze when installing adminweb. Added -noprompt.
Added Sybase as target for 'ant replaceDS'.
Support for JBoss3.2.4/Tomcat5.0.
Fixed bug in Administrative delegations where a CA administrator could edit a superadmin group.
Changed so 'enable end entity limitations' is enabled by default.
Strip DN when creating new CAs.
Added test if strong crypto is installed in the install script.
EJBCA 3.0 beta 2
2004-03-21
----------
Made SUN specific algorithms and providers configurable, to be able to use other jvm.
Fixed serious bug that caused certs to be signed by wrong CA after ejbPassivate.
Made DN order configurable with switch in source.
Alias in PKCS12 is now CN by default and username if CN does not exist.
Added possibility to configure publishers (LDAP, AD) through administrative web interface.
Implemented more SCEP functions, tested with Cisco VPN client.
Compound primary key for HardTokenPropertyBean.
Added junit tests of entity beans
EJBCA 3.0 beta 1
2004-02-09
----------
Virtual CAs, run a complete hierarchy (or several) in one instance of EJBCA.
Easier installation and configuration with new install script.
Complete support for OCSP.
Added 'Authority Information Access' extension for OCSP service URL in certificates.
LDAP schema now correctly follows RFC 2256 and works with OpenLDAP 2.2.
LDAP Publishing controlled from certificate profiles.
Possible to configure autogenerated passwords in admin web gui.
Improved support for keyrecovery.
Improved configuration of administrative privileges.
Many minor fixes and enhancements.
EJBCA 2.1.3
2004-03-29
-----
Fixed a bug when applying with IE, wrong csp could be used.
EJBCA 2.1.2
2004-01-30
-----
LDAP schema now correctly follows RFC 2256 and works with OpenLDAP 2.2.
EJBCA 2.1.1
2004-01-09
-----
Improved error handling for batch generation.
Fixed some SQL for PostgreSQL.
Set Content-Type on OCSP responses.
Setup-adminweb supports JBoss 3.2.3.
Fix for internationalization of admin-web with non ISO chars.
Minor debug cleanups.
EJBCA 2.1
2003-10-11
----
Initial SCEP support.
Initial OCSP support.
Support for multiple CDPs separated by ';'
Removed unneeded debug output of cert during creation
Fixed bug in setup-adminweb.sh
Fixed missing submit button with PEM/P12 users
New cmd line command to export/import profiles to XML files
Fixed bug in 'ca makereq' when rootCA has no CN
Added encoding=iso8859-1 to javac to fix compile on strange locales
Fixed API for active directory publisher
Support for more than two levels of CAs
Fixed small bug if using null revocation date
Default revocation reason to new reason NOT_REVOKED
Fixed utility method that returned wrong subject key id
Getroot cert in PEM or DER format
Fixed bug when saving system configuration in admin-GUI.
EJBCA 2.0.1
2003-05-12
-----
Java 1.4.x is now required.
Support for JBoss_Jetty and JBoss 3.2.x.
Microsoft UPN altName and smart card logon extended key usage.
Enrollment page can now handle both patched and unpatched IE clients.
EJBCA 2.0
2003-03-19
---
Added Hard Token functionality, EJBCA can now store pin/puk data in database.
Added email notification to added end entities.
Added Key Recovery functionality.
Changed initial temporary super administrator from "CN=Walter" to "CN=SuperAdmin".
Removed CA and ROOTCA types in "ra adduser" cmd, from now on use certificate profiles.
Added allowOverrideKeyUsage in certificate profiles.
New fields in DN, givenname, surname, initials.
ExtendedKeyUsage extension (for use in Outlook).
New servlet in adminweb, AdminCertReqServlet that creates users out of PKCS10-requests.
Moved batch and deploy scripts into build.xml.
Moved external jars into ear-file.
Tested on Weblogic 7.1.
Lots of bugfixes and cleanups.
EJBCA 2.0b1
2002-12-05
-----
Moved to EJB 2.0 (JBoss 3 now required).
Enhanced database schema, for EJB 2.0 and the many new features.
Web GUI for administration using SSL.
Improved speed using EJB 2.0.
Type of signing device completely soft configurable.
New access control on method invocation.
Option to generate JKS or PEM keystores.
Added CertificatePolicies extension.
Return PKCS7 with full path to browsers.
New configurable certificate profiles.
More alternative names.
User profiles for administrators of different groups.
Improved serial number generation.
New logging mechanism.
Many small improvements.
Many bugfixes, and new bugs.
EJBCA 1.4
2002-10-29
---
Fixed bug with case-sensitivity for column names in Sybase.
Fixed bug when rolling over subCAs without subjectKeyId in cert.
Fixed bug with using country=CN in DN.
Fixed encoding bug in CRL distribution points.
Fixed LDAP issue with email address.
Added method for easily getting certificates with different keyUsage.
Better separated and better looking web pages.
Deployed with EAR-files.
Architectural changes.
New version of Log4j, 1.2.
Tested with Orion app-server.
EJBCA 1.3.2
2002-04-16
-----
Fixed compilation error with JDK1.3.
Fixed bug where order in IssuerDN could be wrong.
Fixed typo in deploy.cmd/sh.
EJBCA 1.3.1
2002-04-11
-----
Fixed wrong template path for IE certificate enrollment.
EJBCA 1.3
2002-04-01
---
Configuration howto/support for Oracle.
Tested on Weblogic.
Function to batch-generate PEM-files for Apache etc.
Function to rollover subCA with same key pair in ca.sh/cmd.
Function to change password for user.
Function to list certificates about to expire.
New version (112) of BC JCE-provider.
Architectural overview in documentation.
Better deployment scripts.
Sample Linux firewall script.
Added demo accept-all authentication module, NullAuthenticationSession.
CA-certs can now be downloaded from webdist.
Lots of minor cosmetic, architectural, installation and GUI changes.
EJBCA 1.2
2002-02-01
---
Command for batch processing, and other batch fixes.
Better error messages when user applies for cert with browser.
Fixed bug where NextUpdate in CRLs was incorrect.
Fixed problem receiving certificate replies for subCAs.
Function to rollover Root CA with same key pair in ca.sh/cmd.
Listusers function in ra.sh/cmd.
Info function in ca.sh/cmd.
Minor improvements and bugfixes.
EJBCA 1.1
2002-01-09
---
Tested with additional databases (mySQL, PostgreSQL).
The Datasource used is configurable.
New architecture for Publishers where certificates can be published in addition to the main database.
Change DN order to match RFC1779. WARNING! See doc/RELEASE_NOTES for information about upgrading from v1.0.
LDAP Publisher to store certificates and CRLs in LDAP directory.
Minor bugfixes.
EJBCA 1.0
2001-12-05
---
Fixed bug with not returning correct content-length to browser when returning PEM-certificates.
New version of BouncyCastle provider with minor PKCS12 fix.
Updated docs.
Added FAQ.
EJBCA 1.0b2
2001-11-26
-----
New version of Bouncycastle JCE provider.
Added and clarified some documentation.
New version of BC provider fixed compatibility of PKCS10 requests with KeyTool and MS CA.
Fixed process of PKCS10 request from KeyTool (they use different header).
Fixed bug during key generation of CA that always generated 1024 bit keys.
Creates p12-files during test in real temporary dir.
EJBCA 1.0b1
2001-11-21
-----
Initial release of EJBCA