Changelog.txt
EJBCA 6.5.2, 2016-05-13
---
Bug
[ECA-4684] - Possible to enter more pages than there are results in View Audit Logs page
[ECA-5020] - Statedump bash script is unintentionally included with release zip
[ECA-5021] - Regression: Statedump is no longer able to import crypto tokens without activating them
[ECA-5022] - CMP: Unable to find existing end entity profiles
[ECA-5030] - Can't select uninitialised root CA as signer for local uninitialised sub-CA
[ECA-5033] - Role display issue adding end entities
[ECA-5034] - Can't use negative values in FieldEditor / editcertificateprofile command
[ECA-5043] - If the folder defined by cmp.backend.extracertissuer does not exist, an NPE is thrown.
[ECA-5048] - Single Active Certificate Constraint does not cause publishing
[ECA-5069] - editca CLI command fails when renaming a CA
[ECA-5071] - NPE thrown when importing statedump with prefix for CA CN field in subject DN
[ECA-5073] - Security Issue
[ECA-5075] - Possible session caching issues on SCEP alias page
[ECA-5081] - Viewing deleted userdata may show session cached value of previously viewed user
Improvement
[ECA-5007] - Use last full CRL generation date as input to certificate expiration
[ECA-5024] - Don't log error when cAId column does not exist in AdminGroupData
[ECA-5076] - Log as failed login event if certificate does not belong to any role
New Feature
[ECA-4610] - eIDAS: New ETSI DN attribute "organizationIdentifier"
EJBCA 6.5.1, 2016-04-15
---
Bug
[ECA-4549] - In Basic Access Rules, 'All' is listed last in the list of CAs
[ECA-4834] - Security hardening
[ECA-4856] - Security Hardening
[ECA-4858] - Confusing audit log message when reactivating a crypto token
[ECA-4860] - CryptoToken Id not updated when importing a statedump with the merge option
[ECA-4862] - CmpMessageHelper.createUnprotectedErrorMessage throws an NPE if a nonce is not included in the CMP message
[ECA-4872] - System configuration page broken in WildFly 10
[ECA-4882] - CMP Proxy: Message signer chain should have its own configuration key in cmpProxy.properties
[ECA-4883] - CMP Proxy: NPE when the right CA certificate is not found
[ECA-4884] - Reference to Hudson in code when deploying ant
[ECA-4885] - Key recovery requires 'Edit End Entities'-rights
[ECA-4889] - Change all references from "Enrolment" to "Enrollment"
[ECA-4892] - Clearing caches fails locally if clearing the cache on any clustered nodes fails as well.
[ECA-4893] - CMP Proxy: Revocation status cache is read incorrectly
[ECA-4923] - ClientToolBox is missing lib/ejbca-ws.jar dependency
[ECA-4925] - Old version of cert-cvc still under lib
[ECA-4928] - CMP Proxy Servlet doesn't properly handle messages with faulty ASN.1 syntax
[ECA-4931] - Minor security issue
[ECA-4945] - Edit admin entities broken in WildFly 10
[ECA-4955] - CMP Proxy swallows underlying error message when verifying certificate path
[ECA-4956] - Regression: Key alias in CMS CA service was changed so it can not be read after upgrade
[ECA-4974] - Regression: SecureXMLDecoder doesn't allow import of CertificatePolicy objects
[ECA-4988] - CMP Aliases can't handle that End Entity Profiles are renamed
[ECA-4990] - CMP aliases can't handle CA removal
[ECA-4992] - SHA256WithRSAAndMGF1 broken in some cases
[ECA-4996] - Editing a CMP configuration while having limited access leads to hidden aliases being deleted
Improvement
[ECA-4673] - Downloading a non-existent delta-CRL on the public web leads to a 404
[ECA-4795] - External RA: NPE in external RA gui when externalra-gui.issuerchain points to a non existing file
[ECA-4906] - Limit OCSP Nonce to 32 bytes
[ECA-4932] - Exclude install properties files from ejbca.ear
[ECA-4947] - Resetting an end entity password after key recovery should not require 'Edit End Entities'-rights
[ECA-4963] - Certificate Profiles: Keep sorting, but sort default profile types first.
[ECA-4998] - Document that CMP Unid support currently isn't supported
New Feature
[ECA-4473] - Shell script for running statedump tool
Task
[ECA-4868] - Security Issue
EJBCA 6.5.0, 2016-02-29
---
Bug
[ECA-2841] - Document Password Limitation in manuals and sample files.
[ECA-3600] - The /ca_functionality/edit_ca is missing from advanced Access Rules
[ECA-3859] - E-mail doesn't work in usernamemapping in self-registration
[ECA-4262] - Name constraints encoding incorrect in a certain case
[ECA-4310] - Certificate profile key length restriction ignored when creating CA
[ECA-4478] - Display "Base64 log ids" when listing CT logs
[ECA-4518] - Cloning a fixed hard token certificate profile leads to GUI bug
[ECA-4535] - ArrayIndexOutOfBounds when upgrading EJBCA 4 installations
[ECA-4546] - Regression: Approvals page ignores 'Expired' status
[ECA-4551] - Implement non-partitioned CRLs that will work with name-changed CSCA
[ECA-4579] - GUI: Some spaces added in original values in End Entity profile
[ECA-4582] - Regression: Edit end entity profile notifications bug
[ECA-4584] - GUI: Display problem of Extended Key Usages, in View Certificates
[ECA-4587] - Regression: test20MaliciousOcspRequest hangs forever on everything but Wildfly8
[ECA-4588] - "Renew Browser Certificate"-link in Public Web broken
[ECA-4602] - CMP: EEC authmodule - Checking for CA authorization does not work
[ECA-4613] - Don't allow deletion of CT logs that are still in use by a Certificate Profile
[ECA-4616] - Regression: EJBCA WS CLI shows a lot of warnings
[ECA-4623] - Handle CertificateCreateException with null ErrorCode in public web
[ECA-4626] - Duplicate DN values fail in the Self-Registration forms
[ECA-4627] - Security Hardening
[ECA-4628] - GUI: CA Structure & CRLs usability
[ECA-4631] - Security Issue
[ECA-4634] - The check whether Subject Directory Attributes fulfill profile always fails in Self-Registration
[ECA-4644] - Fix the jbosslogsigning target
[ECA-4656] - NPE on system configuration page if no other page has been loaded before it
[ECA-4662] - Test CrmfRAPbeRequestTest does not clean up correctly
[ECA-4663] - Regression: Standard superadmin shows up as 'Custom' in Basic Access Rules View
[ECA-4664] - CompressedCollection silently allows add() after closeForWrite()
[ECA-4666] - CmpTestCase can't be run against CmpProxy
[ECA-4669] - Revoking/Republishing certificate by selecting its serial number from audit log outputs NPE
[ECA-4671] - Possible infinite recursion, leading to OOM in intresources
[ECA-4677] - Audit log: Only show valid conditions for each search column
[ECA-4683] - Trying to view deleted end entity gives NPE
[ECA-4686] - Approval requests from Self Registration appear to originate from CLI
[ECA-4694] - CMP: EEC authmodule - Checking for CA authorization still does not work
[ECA-4700] - Fix bugs related to Auditor role
[ECA-4707] - PeerInternalKeyBindingUpdaterWorker should check status of CA's CryptoToken before trying renewal
[ECA-4709] - NPE when trying to display remote IKB where remote cert is not present on CA
[ECA-4714] - Security issue
[ECA-4718] - Regression: EndEntityManagementSessionTest.test07MergeWithWS fails on the community release
[ECA-4719] - ocsp.reqsigncertrevcachetime not defined in defaultvalues.properties
[ECA-4721] - Certificate Transparency tab in System Configuration shows up in Community Edition
[ECA-4733] - Security hardening of new Statedump GUI
[ECA-4736] - Handle changed Subject DN in statedump files
[ECA-4738] - Missing properties in cesecore-common library
[ECA-4740] - CmpProxyServlet doesn't calculate process time correctly
[ECA-4745] - Certificate Profile: Don't save values of disabled fields to make audit easier
[ECA-4747] - Imported certificate profile does not include AvailableCAs in the GUI
[ECA-4752] - Possible NPE in ConcurrentCache when using DEBUG logging
[ECA-4754] - ejbca.org index page broken in chromium
[ECA-4757] - Help reference not visible in services page
[ECA-4762] - RA Administrators (Pre-defined role template) privileges are missing
[ECA-4765] - GeneralPurposeCustomPublisher doesn't surround command arguments with quotes.
[ECA-4812] - Healthcheck of CAs get key count wrong and checks for previousCertSignKey
[ECA-4814] - SQL error in schema for Postgres databases
[ECA-4815] - Fix some JUnit test failures in JDK8
[ECA-4824] - Information leak in debug log
[ECA-4830] - Minor security hardening
[ECA-4832] - Security issue
[ECA-4839] - Certificate download redirect does not work with non-ASCII characters in the Subject DN
[ECA-4841] - Regression: Events are not shown in the 'View Log'
[ECA-4843] - Regression: ConfigurationHolder can no longer read built in properties
[ECA-4847] - Don't lock down statedump in fresh installations
Improvement
[ECA-659] - Add restriction for key algorithm in certificate profiles
[ECA-1910] - CAs in alphabetic order in the CA Structure & CRLs page
[ECA-3204] - Re-factoring of P11Slot
[ECA-3780] - Split and kill the src-directory
[ECA-3929] - Improve rendering of crypto tokens on the CA Activation page.
[ECA-4075] - Document that naming in IS end entities should not be changed
[ECA-4237] - Peer connections should send full client certificate chain
[ECA-4274] - Eliminate redundant images from docs
[ECA-4393] - Reduce number of errors from the OCSP signing cache about expired CAs
[ECA-4401] - Can not read private key with alias containing åäö from keystore
[ECA-4403] - Parallel CT log submission
[ECA-4404] - TLS session re-use for CT submission
[ECA-4481] - Cache revocation status of request signers in OCSP responder
[ECA-4482] - Make new transaction log variable for ISSUER_NAME and REQ_NAME in original order
[ECA-4543] - Implement CSCA "CA Name Change" feature from ICAO 9303 7th part 12
[ECA-4552] - Allow statedump to merge existing CryptoTokens
[ECA-4562] - Make sure that there is only one set of code handling HSM keys.
[ECA-4563] - CMP: ResponseStatus in CmpErrorResponseMessage is not used and should be removed
[ECA-4564] - CMP: return message SYSTEM_UNAVAILABLE when profiles can not be read/found in RA mode
[ECA-4570] - Document validation error messages returned by CMP Proxy
[ECA-4574] - GUI: System Configuration sub-section order
[ECA-4575] - GUI: Better CryptoToken alias default value
[ECA-4576] - Several SAN DNSname in EMPTY profile
[ECA-4577] - GUI: SHA-256 by default in CA creation form
[ECA-4583] - GUI: CryptoToken page usability (private key export)
[ECA-4595] - GUI: CA creation form usability
[ECA-4598] - Make SecConst.MAXIMUM_QUERY_ROWCOUNT into a configurable value
[ECA-4599] - EndEntityManagementSessionBean.revokeCert needlessly tries to revoke all certificates
[ECA-4601] - Don't require "/ct/v1" in CT log URL
[ECA-4607] - Allow CT Log public keys to be uploaded in DER format
[ECA-4620] - Security issue
[ECA-4629] - General code improvement
[ECA-4633] - New RSA key sizes for the Extended Services in CAs
[ECA-4638] - Minor improvements to CT Logs timeouts
[ECA-4643] - Remove Dependency checker test.
[ECA-4648] - Better configuration default values for languages
[ECA-4668] - Proactive public web security hardening
[ECA-4672] - Change CMP errors codes, missing aliases and already revoked
[ECA-4674] - Proactive web security hardening
[ECA-4676] - Allow CMP Proxy server to use multiple CA keychains
[ECA-4696] - Add path to SafeNet Luna Client 6.1 to default PKCS11 libraries
[ECA-4697] - Add path to SoftHSM to default PKCS11 libraries
[ECA-4699] - Replace deprecated references CertTools methods
[ECA-4701] - Update XStream and limit classes that can be deserialized by Statedump
[ECA-4703] - Use newer BC pattern in CertTools to get rid of some warnings
[ECA-4704] - Upgrade BouncyCastle to 1.54
[ECA-4712] - Remove BaseCryptoToken.extractKey(String, String, String)
[ECA-4720] - Document that the site search uses Google
[ECA-4726] - Make "CA Name Change" configurable through Global Configuration
[ECA-4734] - Document getAuthorizedAvailableAccessRules better
[ECA-4737] - Combine the efforts of ECA-4566 and ECA-4568
[ECA-4742] - Clarify error message when admin certificate does not belong to a user
[ECA-4748] - cmpclient: Use SHA256 as signature algorithm
[ECA-4773] - Lock down statedump when upgrading
[ECA-4775] - Improve statedump CLI lockdown handling
[ECA-4827] - Default healthcheck.publisherconnections to 'false' as documented in the admin guide
[ECA-4845] - Improve error messages for approvals.
New Feature
[ECA-4164] - Support for importing DER-encoded CA certificate file via CLI command "ca importcacert"
[ECA-4177] - DER-encoded format as output option during enrollment via CSR
[ECA-4319] - Include information in key binding CSR when creating from CLI
[ECA-4474] - Prefix/override support for statedump during import
[ECA-4504] - Make sure that a signature algorithm supported by the HSM is used when the algorithm is not specified.
[ECA-4508] - Ability to define custom order of DN in issued certificates
[ECA-4561] - Add restriction for EC curve names in certificate profiles
[ECA-4566] - Add signature validation of signed requests in CmpProxy
[ECA-4567] - Add HMAC PBE validation of signed requests in CmpProxy
[ECA-4568] - Revocation checking of signature certificates in CMP Proxy
[ECA-4569] - Separate library for certificate path validation
[ECA-4600] - Add a CMP client for test purposes
[ECA-4608] - Add Bull HSM default options for GUI access
[ECA-4609] - GUI: Display the SHA-256 certificate fingerprint
[ECA-4640] - GUI enabled statedump import of uploaded file
[ECA-4641] - GUI enabled statedump import of bundled file
[ECA-4698] - Add generics to CertTools.getCertfromByteArray methods
[ECA-4761] - CA name should be displayed in the delete CA prompt
Task
[ECA-4138] - Write complete system tests for ClientToolBox
[ECA-4497] - Remove .cvsignore files from SVN repository
[ECA-4498] - Remove the CESeCore backup/restore scripts from the release zips
[ECA-4618] - CMSIncrementalMode is deprecated in Java 8 and should be removed from our config
[ECA-4717] - Add systemd sample configuration for RHEL/CentOS
[ECA-4730] - Remove old install guides from doc/howto
EJBCA 6.4.2, 2015-12-29
---
Bug
[ECA-4555] - PKCS#11 credentials are displayed incorrectly when creating CryptoToken
[ECA-4646] - Clear caches failing with NPE in OcspExtensionsCache when an extension class is not found
Improvement
[ECA-4463] - Add additional pages to Auditor Role
[ECA-4682] - Log X-Forwarded-For if present in OCSP requests
EJBCA 6.4.1, 2015-12-01
---
Bug
[ECA-4262] - Name constraints encoding incorrect in a certain case
[ECA-4535] - ArrayIndexOutOfBounds when upgrading EJBCA 4 installations
[ECA-4582] - Regression: Edit end entity profile notifications bug
[ECA-4592] - Approvals contains no relevant information
[ECA-4602] - CMP: EEC authmodule - Checking for CA authorization does not work
[ECA-4623] - Handle CertificateCreateException with null ErrorCode in public web
[ECA-4631] - Security Issue
Improvement
[ECA-4574] - GUI: System Configuration sub-section order
[ECA-4575] - GUI: Better CryptoToken alias default value
[ECA-4576] - Several SAN DNSname in EMPTY profile
[ECA-4577] - GUI: SHA-256 by default in CA creation form
[ECA-4583] - GUI: CryptoToken page usability (private key export)
[ECA-4595] - GUI: CA creation form usability
[ECA-4612] - Security Issue
EJBCA 6.4.0, 2015-10-26
---
Bug
[ECA-3576] - 'Enforce unique DN' creates a stack trace in public web
[ECA-4016] - Unable to activate a crypto token imported by statedump after restarting JBoss
[ECA-4022] - Can not use Brainpool or explicit ECC curve in CLI (e.g. import CA certificate, list/export CA)
[ECA-4030] - "Key sequence" always set to 00000 when saving uninitialised CA with available crypto token
[ECA-4171] - Missing parameter for the --end-entity-password option does not cause statedump import command to fail immediately
[ECA-4172] - End entities inaccessible after changing the subject DN of an uninitialised CA
[ECA-4197] - Role access rules not updated when changing subject DN of an uninitialised CA
[ECA-4228] - Clean redundant method declaration in PublisherSession and PublisherSessionLocal
[ECA-4276] - External RA SCEP junit test broken after BC updates
[ECA-4283] - Warning about missing intresources running External RA SCEP
[ECA-4284] - Possible to create a rollover certificate for a CA waiting for CSR
[ECA-4286] - ClientToolBox PKCS11HSMKeyTool can no longer handle sun config file
[ECA-4288] - Change usage license info in csv_to_endentity.sh
[ECA-4295] - Incorrect documentation on "Finish User" setting.
[ECA-4296] - SCEP Client Certificate Renewal shouldn't demand a challenge password
[ECA-4298] - Probably wrong description of parameters in help for importcacert command
[ECA-4306] - Use UTF-8 in German Admin GUI translation
[ECA-4326] - CRLDownload service can't handle multiple revocation changes in a CRL
[ECA-4327] - Links from cert enrollment completed page for IE is broken
[ECA-4333] - Detect available EC curves in JDK by OID
[ECA-4339] - DirectoryName subjectAltName is not added
[ECA-4356] - Regression: Sorting of certificates has become random
[ECA-4357] - Regression: external-ra-gui doesn't deploy
[ECA-4364] - Regression: Error editing Publishers under CA Functions in Admin Web
[ECA-4367] - ejbca-ws-generate not run after the addition of CA rollover WS operations
[ECA-4368] - intresources missing in externalra-gui war file
[ECA-4369] - NPE when trying to create custom publisher that is not pre-edited
[ECA-4371] - SCEP Client Certificate Renewal allows renewal using expired certificates
[ECA-4381] - OCSP TransactionLogger prints SERIALNUMBER instead of SN for REQ_NAME
[ECA-4385] - Internal issue
[ECA-4397] - Include custpubl publishers in build
[ECA-4399] - System test auth token classes should be commonly accessible
[ECA-4400] - Security Issue
[ECA-4402] - Subject alternative names dropped when using "Allow merge DN Web Services"
[ECA-4405] - ra addendentity CLI command breaks when hard token issuers are enabled
[ECA-4414] - Typo error in System Configuration page
[ECA-4416] - Verification of CRLs on CAs using Brainpool ECC does not always work
[ECA-4418] - Expect OCSP signing if EKU in OCSP signing certificate is marked critical
[ECA-4419] - Statedump 6.3 can't import 6.2 dump because ValidationAuthorityPublisher is not on the classpath
[ECA-4435] - SCEP: Use empty content in CACert PKCS#7 messages
[ECA-4453] - Peerconnector tests and Statedump fails to start due to JNDI problems (NoInitialContextException)
[ECA-4457] - EjbcaWS.findCerts(username, isValid=true) should not fetch expired certificates from database
[ECA-4469] - 'Edit Service' page: uppercase/lowercase inconsistency in drop down menu
[ECA-4471] - Unable to view certificate with E field in issuer DN
[ECA-4472] - EJB CLI fails if standalone argument is used after a standalone-enabled switch
[ECA-4475] - Validation javascript on End Entity Profile page throws exception
[ECA-4479] - CMP RA requests with only notBefore requested does not work
[ECA-4483] - Remote EJB serialization of Collection<Certificate> hangs on JBoss 7.1.1.GA
[ECA-4484] - EjbcaEventTypes.CA_ROLLEDOVER is missing its language reference
[ECA-4489] - No checkbox "Renew keys" on 'Edit CA' page
[ECA-4492] - NPE during standard SCEP Certificate Renewal
[ECA-4494] - Single Active Certificate Constraint misses certificates due to subject DN differing between UserData and CertificateData
[ECA-4495] - NPE in EJBCA WS findCerts when no base64CertData is stored
[ECA-4503] - Test case in CertificateCreateSessionTest uses wrong status constants
[ECA-4510] - Can't delete admin in access role
[ECA-4513] - Unchecking auto-activate does not persist for auto-generated crypto tokens using default password
[ECA-4523] - Security Issue, information leak
[ECA-4525] - CustomCertExtensions and ExtendedKeyUsages are sorted alphabetically instead of numerically
[ECA-4536] - Regression: Approve Action Name not displayed
[ECA-4542] - 'List of End Entity Profiles' displays nothing in Auditor pre-defined role
[ECA-4554] - NPE in remote IKB page when multiple CA clusters connect to the same VA
Improvement
[ECA-3418] - Optimize JBoss reload during install
[ECA-3815] - Improve batch command instructions
[ECA-4034] - Include end entities in statedump export by default
[ECA-4113] - Modify BatchCreateTool to allow easy cleanup of files from p12 directory
[ECA-4163] - Move ScepRequestGenerator out of general code
[ECA-4174] - PKCS#11 symmetric key unwrapping for KeyRecovery broken for some HSMs on JDK >= 1.7.0_75
[ECA-4248] - Swap username and serialnumber for PUBLISHER_STORE_CERTIFICATE audit event
[ECA-4254] - Document prerequisite for trusting external CA's leaf cert from IKB
[ECA-4273] - Cosmetic cleanup of IEjbcaWS
[ECA-4281] - GUI: Optimization of the header banner of Admin GUI
[ECA-4287] - Pre-emptive rewrite of CertificateProfile cache
[ECA-4291] - Add system tests for EjbcaWS.caCertResponseForRollover
[ECA-4300] - Convert System Configuration page to JSF
[ECA-4301] - Add tabs to System Configuration Page
[ECA-4304] - Allow prefix for self registered users
[ECA-4305] - Disable choice in self registration when referenced profile does not exist
[ECA-4313] - Allow help text for custom publishers in language file
[ECA-4317] - Document how to encrypt the datasource password in standalone.xml for JBoss EAP 6.4/JBoss AS 7.1
[ECA-4325] - Remove CertificateCreationException from code
[ECA-4330] - Backport ECA-2576 to 6.2
[ECA-4331] - Make the static values for revocation reasons into a new type.
[ECA-4342] - Have cryptotokens excluded from Clear All Caches by default.
[ECA-4351] - Lower log level of misconfigured CertificatePolicies to WARN
[ECA-4352] - Always use EC curves OID when possible for key generation
[ECA-4361] - Add logging of 'X-Forwarded-For' in OCSP transaction log
[ECA-4365] - Document that Health check can be enabled/disabled per CA
[ECA-4376] - Add "All CAs" option to Rollover Service worker.
[ECA-4390] - GUI: System Configuration page usability
[ECA-4406] - Improve how upgrade versions are read, making migration from 6.2.10+ to 6.3+ possible
[ECA-4407] - Clarify Illegal key length exception message as limitation by certificate policy
[ECA-4415] - GUI: Certificate Profiles page usability
[ECA-4430] - Bundle JEE6 API library to minimize appserver build time dependency
[ECA-4431] - Update XML schemas for JEE6
[ECA-4440] - Fix use of deprecated version of storeCertificateRemote in CertificateStoreSessionRemote
[ECA-4441] - Rewrite the ExternalRA GUI to use JSF 2.0 and CSS
[ECA-4449] - GUI: CryptoToken page usability
[ECA-4454] - Certificate Profiles: Sort Custom Certificate Extension and EKUs alphabetically by label.
[ECA-4455] - CustomCertExtensions: Remove limit on number of certificate extensions (was: Identify by OID instead of ID)
[ECA-4456] - Allow EjbcaWS.findCerts(usename, isValid) to work without UserData
[ECA-4458] - Improvements to Certificate Extensions overview page
[ECA-4460] - Extended Key Usages overview page should be sorted by OID.
[ECA-4461] - Add input validation control to SAN in EEP
[ECA-4462] - Minor improvements to Auditor role
[ECA-4465] - GUI: End-Entity Profile usability
[ECA-4470] - Document how EKUs and CCEs are imported in upgrade
[ECA-4480] - ExtRA GUI DB2 support
[ECA-4490] - Upgrade EJBCA to BC 1.53
[ECA-4515] - Remove translation of CustomCertExtension displayname into readable text
[ECA-4517] - Buttons for type of Certificate Profile etc. are confusing for new users
[ECA-4531] - ExtendedKeyUsages: remove deprecated method
[ECA-4537] - 'End Entity Profiles' are not displayed in Access Rules
New Feature
[ECA-3436] - Support WildFly 8
[ECA-4264] - Ability to generate link certificate from key on HSM
[ECA-4279] - Add ability to specify revocation reason and revocation date when importing certificates in the CLI
[ECA-4282] - Allow CMP Proxy to work with External RA backend
[ECA-4341] - Add CertificateProfileID to OCSP transaction logs
[ECA-4343] - Custom Certificate Extensions and EKUs without recompilation
[ECA-4344] - Introduce a Read-Only admin to EJBCA
[ECA-4345] - Granular control over elements of the DN in End Entity Profiles
[ECA-4360] - SCEP Client Certificate Renewal on a rollover CA
[ECA-4372] - New setting for specifying certificate chain order in the public web.
[ECA-4396] - Compile and deploy on WildFly 9
[ECA-4459] - Certificate Extensions should define their own property fields
[ECA-4502] - Improve upgrade procedure with database version detection.
Task
[ECA-4289] - Remove outdated sample file change_p12_pwd.c
[ECA-4292] - Remove Support for XKMS
[ECA-4466] - AdminWeb CSS styles clean up
[ECA-4468] - Remove site:publish ant target
Master Ticket
[ECA-4432] - Remove JEE5 and JDK6 support
[ECA-4375] - Update documentation to reflect dropped JBoss5 and JDK6 support.
[ECA-4417] - Remove build and install script specifics for JEE5 app servers and JDK6.
[ECA-4433] - Get rid of Hibernate compatibility libs
[ECA-4437] - Update ExternalRA GUI to JEE6
EJBCA 6.3.2, 2015-05-29
---
Bug
[ECA-4198] - Regression: ScepServlet can't compile in CE
[ECA-4202] - Random failure in CMP stress test
[ECA-4236] - Peer connections are unable to verify server certificates with critical server auth EKU
[ECA-4258] - Table PeerData creation is missing from create-tables-ejbca-*.sql
[ECA-4259] - Scep Certificate Renewal is configurable in RA Mode
Improvement
[ECA-4038] - Have EJBCA DB CLI fail nicely when built in Community Edition
[ECA-4186] - WS - Use the "isRunningEnterprise()" method in EjbcaWSTest
[ECA-4201] - SCEP test improvements
[ECA-4206] - Add documentation about new WS CLI commands
[ECA-4211] - Use ISO8601 date format for CA expiration in initialization log
[ECA-4245] - GUI: CA creation page usability
[ECA-4255] - Update EJBCA architecture diagrams
[ECA-4260] - Add flowchart of SCEP enrollment/renewal to admin docs
[ECA-4263] - Move static class load from CryptoTokenFactory singleton to init
[ECA-4265] - Small improvements of SCEP config JSF
[ECA-4268] - Improve build time
[ECA-4269] - Update CMP Proxy README
New Feature
[ECA-4168] - SCEP support for CA certificate rollover
[ECA-4178] - Admin GUI translated in Czech language
[ECA-4199] - Add Enterprise/Community identifier to internal.properties
[ECA-4205] - Add new WS CA Admin commands to the WS CLI
Task
[ECA-4119] - Enterprise feature
[ECA-4120] - Enterprise feature
EJBCA 6.2.10, 2015-05-29
---
Bug
[ECA-2138] - External RA GUI cannot handle SubCA certificates with critical CDP
[ECA-2282] - Publishing certificate from certificate view GUI to queued publisher causes error message but publishing works anyway
[ECA-3789] - Stack trace if CAs in Certificate Profile and End Entity Profile don't match
[ECA-3887] - An NPE is thrown at user when submitting invalid CSR during enrollment
[ECA-3999] - Make healthcheck setting configurable for new CAs
[ECA-4104] - Removing PKCS#11 token makes Crypto Token GUI unusable
[ECA-4141] - Several issues regarding End Entity Rules in basic mode
[ECA-4147] - Review/fix usage of getAuthorizedEndEntityProfileIds
[ECA-4180] - Update FileUpload library used by ExternalRA GUI
[ECA-4195] - Ocsp key renewal timer not starting automatically
[ECA-4203] - "Check Certificate Status" reports incorrect/misleading status
[ECA-4209] - Regression: Ad hoc upgrade of OCSP might be broken by the CachingCryptoToken
[ECA-4232] - Regression: Certificate keyUsage invalid from CSR when using allowKeyUsage override
[ECA-4243] - POP is not verified properly on WS requests
[ECA-4246] - EJBCA Token Certificate Enrollment: Text differs from button name
[ECA-4249] - ClientToolBox OCSP test does not work with HTTP GET
Improvement
[ECA-4081] - Remove name lookup done by OCSP responder
[ECA-4146] - Upgrade BouncyCastle to 1.52
[ECA-4157] - Allow import of certificates for non-revoked end entities using importcert command
[ECA-4191] - Upgrade cert-cvc project to BC 1.52
[ECA-4192] - Replace deprecated methods: constructor for AuthorityKeyIdentifier, and ECPoint.getX/getY
[ECA-4194] - Add possibility to prompt for password in CLI calls to setpwd
[ECA-4196] - Replace EJBCA logotypes in documentation
[ECA-4210] - Validate OCSP signing chain
[ECA-4223] - Add favicon to ExternalRA GUI
[ECA-4227] - Update EJBCA logo and favicon
[ECA-4231] - Change variable names in BaseCaAdminCommand.java
[ECA-4266] - Small documentation improvements
New Feature
[ECA-4214] - Ability to rename end entities
[ECA-4226] - CLI command to remove Publisher with dependencies
[ECA-4233] - Add Certificate Profiles setting to limit certificate storage
[ECA-4242] - Certificate Profile Setting for restricting certificate data being written to the CertificateData/Base64CertData tables
EJBCA 6.3.1, 2015-03-26
---
Bug
[ECA-4044] - Ignore EJBCA test certificates from being published using the Peer connector
[ECA-4048] - Peer System: Failure to connect when list of trusted certs is empty
[ECA-4068] - Add PeerData to drop tables SQL script
[ECA-4073] - typo in exception 'Failed to write audit log...'
Improvement
[ECA-3146] - Allow a renewal of an external CA certificate by import
[ECA-3951] - Add a column to InternalKeyBindingPage/CLI to warn for inactive certificate
[ECA-4033] - Do not include administrators registered via certificate serial numbers in statedump
[ECA-4092] - Create module for separate enterprise and community specific implementation
[ECA-4093] - Lower log-level of CmsCAService "KEYSTORE is null..." message
[ECA-4117] - CMPProxy not updated to work with different cmpalias
New Feature
[ECA-3581] - Single Active Certificate Constraint
[ECA-3754] - CLI: Create a table utility
[ECA-4062] - WS API support to create a new CA and Superadmin certificate
[ECA-4063] - WS APIs for monitoring certificate expiration
[ECA-4064] - SCEP support for Client Certificate Renewal
[ECA-4159] - Show what version documentation applies to at all times
Task
[ECA-4145] - Document all audit log messages
EJBCA 6.2.9, 2015-03-26
---
Bug
[ECA-3619] - Wrong administrator removed from role when deleting at the same time with two separate CA admins
[ECA-3788] - CLI needs to set argument --password together with the value when setting it
[ECA-3879] - Fix logging of default OCSP responder properly
[ECA-4049] - Certificates of non-CAs are accepted when importing external CAs
[ECA-4071] - A base64 decoder exception is thrown when inspecting a specially-crafted CSR
[ECA-4122] - Typo in Crypto Token HSM Slot
[ECA-4148] - EJBCA WS Test test25CreateandGetCRL fails when delta CRLs are enabled
[ECA-4152] - "Renew Browser Certificate" should require notifications to be set.
[ECA-4156] - Regression: BaseCryptoToken has lost caching of keys since EJBCA4
[ECA-4160] - X509CertStoreSelector does not work as used in BC 1.51
[ECA-4173] - CLI command ca getcacert always outputs root CA certificate when using the -der option
[ECA-4179] - SCEP stress test regression
[ECA-4184] - WaitingForApprovalException declares property as public
Improvement
[ECA-4128] - Replace references to deprecated class DiskFileUpload
[ECA-4137] - Test throw away CA issuance over web service interface
[ECA-4181] - Several EjbcaWS tests fail when EEP-limitations are enabled
[ECA-4182] - Replace deprecated classes: PEMWriter, DERObjectIdentifier and DERTags
Task
[ECA-4090] - Remove broken NetID integration code
EJBCA 6.2.8, 2015-03-05
---
Bug
[ECA-3602] - jboss-cli.bat fails when called from jboss.xml on JDK >= 7.21
[ECA-3807] - Root CA key is always used when decrypting SCEP requests
[ECA-3963] - Save and Test Connection with CT publisher should fail if no CT logs are configured
[ECA-4043] - Timing issue in CaRenewCACommandTest
[ECA-4065] - "Renew" button still exists for a revoked CA, produces stacktrace
[ECA-4067] - Regression: Default RA Admin doesn't have access to the Add End Entity page
[ECA-4070] - External CAs turn up on the list of possible CAs when creating End Entities
[ECA-4074] - AlgorithmIdentifier of RFC 6960 id-pkix-ocsp-pref-sig-algs extension is not parsed correctly
[ECA-4083] - OCSP configuration per certificate profile id is used for CERTPROFILE_NO_PROFILE
[ECA-4094] - Remove extraneous authorization checks from PublisherDataHandler
[ECA-4095] - Incorrect log output in publisher authorization check
[ECA-4096] - Access rule /ca_functionality/edit_publishers does not allow role to edit publishers
[ECA-4101] - Security Issue
[ECA-4103] - References to deprecated rule '/super_administrator'
[ECA-4107] - Allow creation of non standard conformant RAW custom extension
[ECA-4110] - Approve Action - NPE after click on the username
[ECA-4112] - Regression: External CAs not listed as "Available CAs" in CLI when using addadmin
[ECA-4116] - Remove notes and test extension from certextensions.properties
[ECA-4131] - CT options can't be changed when using only publishing
[ECA-4136] - HardToken Certificate Profile Type has wrong label
Improvement
[ECA-3831] - adminmenu.jsp still refers to legacy /superadmin rule
[ECA-4011] - Disable "Name Constraints" fields when External CA is selected
[ECA-4018] - Upgrade to BouncyCastle 1.51
[ECA-4039] - Improve HealthCheck free memory control
[ECA-4053] - Speed up HSMKeyTool stress test
[ECA-4087] - Update EJBCA copyright notice to match homepage
[ECA-4098] - Make sure that CAs in add/edit end entity screen are arranged alphabetically
[ECA-4108] - Possibility to disable CT submission for existing non-CT certificates
[ECA-4111] - Upgrade cert-cvc subproject to BC 1.51
[ECA-4114] - Sort CryptoTokens by name when creating a new Key Binding
[ECA-4139] - Editing CMP, SCEP and system configuration requires root privileges
Master Ticket
[ECA-3971] - Improve OCSP responder performance
[ECA-4054] - Reload CA certificate cache in the background
[ECA-4055] - Avoid unnecessary OCSP response signature checks
[ECA-4072] - Avoid interactions with AuditLogger and TransactionLogger when disabled
[ECA-4082] - Improve OcspServlet.addRfc5019CacheHeaders
[ECA-4084] - Improve OCSP HSM signing thread behaviour
[ECA-4085] - Additional caching of objects that are the same between multiple OCSP requests
New Feature
[ECA-3976] - Cache SCTs in OCSP responses
[ECA-4052] - Allow override of EJBCA's subject DN ordering in web service call for issuing certificate
[ECA-4106] - Allow to specify number of SCTs in OCSP responses
Task
[ECA-4060] - Create a subtarget to ant ziprelease that creates a versioned zip of the statedump source.
EJBCA 6.3.0, 2015-01-14
---
Bug
[ECA-2478] - UnrevokeEndEntity unrevokes cert but not user
[ECA-3528] - GUI: Some messages not localized in Admin Web
[ECA-3590] - Cache the slot list
[ECA-3598] - Fix handling of invalid ZIP contents when importing certificate profiles
[ECA-3599] - Fix handling of invalid ZIP contents when importing end entity profiles
[ECA-3609] - Name constraints properties are duplicated in CLI editca command
[ECA-3631] - database valid connection sql for VA publisher is taken from database.properties instead of va-publisher.properties
[ECA-3634] - OCSP does not audit and transaction log UNAUTHORIZED messages
[ECA-3656] - Forbidden characters can be allowed
[ECA-3719] - GUI: Publisher page usability
[ECA-3745] - Some languages do not have the standard language code
[ECA-3797] - Statedump incorrectly tries to export full BasePublisher object
[ECA-3804] - httpsserver.an (altname) is ipaddress 127.0.0.1 by default, and no dnsName matching CN
[ECA-3813] - GUIDGeneratorTest fails intermittently
[ECA-3841] - JAR file used by CT should be rebuilt for JDK6
[ECA-3849] - Admin must be authorized to all CAs to import keybinding certificate
[ECA-3855] - Loading saved CMP configuration referencing a deleted EEP results in NPE
[ECA-3892] - GUI: A lot of event messages not set in "View Log"
[ECA-3908] - Allow OcspKeyRenewalTest to run predictably on system with existing AuthenticationKeyBindings
[ECA-3949] - Status parameter in "keybind create" command shouldn't be case sensitive
[ECA-3960] - CaPKCS11SessionTest fails and never recovers if test is aborted
[ECA-3968] - Sort and count peer connectors correctly in statedump
[ECA-3993] - ejbca-db-cli does not work due to PeerConnector
[ECA-4003] - "CRL Updater" service doesn't update the CRL
[ECA-4012] - Reject IP addresses in dNSName name constraints
[ECA-4032] - Regression: Key Recoverable not set in EE when activated and required in profile
Improvement
[ECA-2272] - Refactoring some DN attributes and Alternative names naming
[ECA-2340] - GUI: Audit Log usability
[ECA-2576] - New key sizes available in certificate profiles
[ECA-3043] - Document SameRequestRateLimiter better
[ECA-3256] - Split the va-war module into its logical parts
[ECA-3412] - Rework VA/OCSP documentation
[ECA-3414] - Clean up Exception handling in SignSessionBean
[ECA-3601] - Enterprise feature
[ECA-3654] - Enterprise feature
[ECA-3674] - Allow certificate validity before current date using end entity ExtendedInformation
[ECA-3720] - GUI: Certificate Profile page usability
[ECA-3726] - Make CertSafe implement CustomPublisherUiSupport
[ECA-3746] - GUI: Displaying the language name in configuration sections
[ECA-3753] - Add OpenSC PKCS#11 to default crypto token library path
[ECA-3769] - CryptoToken usage should also include internal key bindings
[ECA-3773] - Add NIST PIV Card Authentication extended key usage
[ECA-3809] - Improve the message for signed SubCAs regarding the need of *.pem or *chain.pem
[ECA-3824] - CertSafePublisher should use a dropdown pane for setting authentication keybindings
[ECA-3854] - Optimize Language tool
[ECA-3869] - Sort key aliases by name in InternalKeyBinding edit view
[ECA-3874] - RSA 4096 keys pre-selected in Crypto Token form
[ECA-3891] - GUI: Firefox CRLs direct import removed
[ECA-3930] - CryptoTokenManager: Add a column for auto-activation status.
[ECA-3955] - Add some missing OCSP system tests
[ECA-4051] - Correct documentation of CLI command when updating a CMP alias
Master Ticket
[ECA-3144] - Improved sub system integration (EJBCA Peer Systems)
[ECA-3652] - Create PeerMessage datatype, ORM and CRUD beans
[ECA-3653] - Create basic JSF pages for Peer mgmt
[ECA-3659] - Connect GUI with CRUD
[ECA-3671] - Add auth checks to CRUD bean
[ECA-3694] - Milestone: Make PingMessage work from a PeerConnector created in the GUI
[ECA-3699] - Outgoing TLS configuration as part AuthenticationKeyBinding
[ECA-3700] - Rename peerconnector-common to *-ejb and move common classes under ear/lib/..jar
[ECA-3702] - Basic publishing to peer system
[ECA-3704] - Framework for making custom publisher configuration nicer
[ECA-3710] - Do parallel publishing when the same thing is published to multiple targets
[ECA-3711] - Changes to publishing API for efficient publishing of full CertificateData (and Base64CertData)
[ECA-3712] - Efficient resynchronization of data between CA and Peer VA
[ECA-3715] - Requested capabilities should be saved when creating peer connector
[ECA-3722] - Create CLI support for PeerConnector
[ECA-3742] - Publish the same updateTime that is used in the CA's database
[ECA-3751] - Manual renewal of OcspKeyBinding at peer
[ECA-3752] - Behavioral configuration for PeerConnectors
[ECA-3756] - Make InternalKeyBinding access rules configurable
[ECA-3757] - Minor PeerConnector refactoring and documentation
[ECA-3759] - Service for automatic renewal of remote key bindings
[ECA-3762] - Documentation: Create a security model for PeerConnectors
[ECA-3770] - PeerConnector GUI improvements
[ECA-3775] - Forbid start and return error when background task with same id exist
[ECA-3777] - ListPeersCommand improvements
[ECA-3778] - Drop concept of capabilities and use regular access rules framework
[ECA-3781] - Improve peer message format
[ECA-3782] - Stop connection pool and prevent start when peer connector is disabled or URL changes
[ECA-3784] - More fine grained access rules for peer connectors
[ECA-3785] - Disable plain http connections for peers
[ECA-3786] - Shorten peer connector Servlet URL
[ECA-3787] - Option for synchronization dry run
[ECA-3803] - Peer connector system tests
[ECA-3805] - Propagation of peer connection errors to UI
[ECA-3806] - CLI for generic peer connection settings
[ECA-3810] - Minor PeerConnector GUI improvements
[ECA-3811] - Lookup authentication token at pool startup
[ECA-3825] - Allow one AuthenticationKeyBinding to be used per Peer Connector
[ECA-3833] - JEE5 support for enterprise edition only SSBs
[ECA-3839] - Use one connection pool per outgoing id instead of URL
[ECA-3840] - Cache PeerOutgoingInformation objects
[ECA-3846] - More fine grained errors than UnknownMessageTypeResponse without information leakage
[ECA-3850] - Use separate GlobalConfiguration for peer connections
[ECA-3867] - Correct peer module license headers
[ECA-3876] - Statedump support for peer connectors and configuration
[ECA-3881] - Improve error message when peer responds with an unknown or broken message
[ECA-3882] - PeerConnector: Ugly errors when using illegal characters in URL
[ECA-3898] - Adjust logging of handled failures during peer publishing
[ECA-3899] - Show mismatched access rules for incoming peer authorization instead of fixing it
[ECA-3923] - Handle additional server side certificate end entity alias from PeerConnectionsTest
[ECA-3928] - Rename Remote Systems menu item to "Peer System"
New Feature
[ECA-3705] - Create a plugin interface for rules
[ECA-3800] - get the certificate of an ocsp keybinding
[ECA-3885] - New signature algorithm SHA512withECDSA
Task
[ECA-3962] - EJBCA Enterprise feature
EJBCA 6.2.7, 2015-01-14
---
Bug
[ECA-3902] - Update EJBCA user guide documentation
[ECA-3973] - OCSP key renewal for all keys leads to NPE when logging
[ECA-3977] - Regression: CMP algorithmId lacking DERNull when using PKCS#11
[ECA-3978] - End entities aren't sorted in statedump output
[ECA-3983] - External CAs turn up on the "CA Activation" list.
[ECA-3991] - CertTools.stringToBcX500Name fails for sn=#foo
[ECA-3994] - ejbca-db-cli copy command does not work due to invalid temp files
[ECA-3995] - Upgrade documentation for CMP has wrong ordering of arguments
[ECA-4000] - Potential security issue without known exploit
[ECA-4007] - "Certification Authorities" and "Publishers" missing from admin menu with access rule /ca_functionality (recursive, accept)
[ECA-4009] - Post upgrade fails when old admin groups don't exist
[ECA-4014] - CRL Downloader doesn't store empty CRLs
[ECA-4019] - Wrong error message for Name Constraint violations with short subject DNs
Improvement
[ECA-3798] - Statedump: Incorrect number of end entity profiles are logged as exported
[ECA-3970] - Log in OCSPResponder when revoked OCSP certificates are read to the cache
[ECA-3984] - Debug log HTTP response body on CT log error
[ECA-3985] - Edit CA page load is slow with many keys in referenced Crypto Token
[ECA-3986] - Optimize CAToken.getTokenStatus
[ECA-3989] - Allow recovery from a bad upgrade of CA Tokens to CryptoTokens
[ECA-3992] - Remove critical BC warnings in order to upgrade BouncyCastle to version 1.51
[ECA-4008] - Port adjustable transaction timeouts to JBoss 7 / EAP 6
[ECA-4017] - Remove database lookups that can be read from cache
[ECA-4024] - Add a [?] link from the User Data Sources page to the admin guide
New Feature
[ECA-4006] - Add test for legacy subject encoding with override enabled via CMP
EJBCA 6.2.6, 2014-12-03
---
Bug
[ECA-3608] - EJB CLI cryptotoken create command issues
[ECA-3828] - Regression: HttpMethodsTest and WebdistHttpTest test failures
[ECA-3862] - Security Issue
[ECA-3931] - Key recovery fails when user data has changed CA
[ECA-3933] - Symmetric keys in crypto token's HSM slot prevent listing of slot keys
[ECA-3935] - Regression: Wrong key length used when creating keystore from public web
[ECA-3936] - Extra space at end of line in transaction log.
[ECA-3937] - Result of stand-alone JUnit tests are discarded during ant test:run
[ECA-3943] - Fix ServiceManifestBuilderTest
[ECA-3944] - superadmin.cn value lacks quotes in cli.xml
[ECA-3948] - OCSP log values ISSUER_NAME_DN and SIGN_ISSUER_NAME_DN contain SERIALNUMBER= instead of SN=
[ECA-3958] - Cannot create new CertSafe publisher
[ECA-3969] - Default OCSP responder is not used for external CAs without OCSP key binding
[ECA-3972] - PKCS#11 keys aren't extractable when they should be
Improvement
[ECA-3916] - WS: Return the EndEntity/Certificate profile of a specific profile ID
[ECA-3927] - Make systemtests.properties available to peer module and PKCS#11 system tests
[ECA-3938] - Add a regression test for ocsp.nonexistingisrevoked
[ECA-3942] - Improve logging of ServiceManifestBuilderTest failures
[ECA-3954] - Improve the properties output of InternalKeyBindingListCommand to show default property values
[ECA-3956] - OCSP response if the requested certificate is revoked is identical in logs to case where issuer of signing cert is revoked.
[ECA-3967] - Update httpclient and httpcore to latest version
New Feature
[ECA-3939] - Add EV Certificate specific DN components
EJBCA 6.2.5, 2014-11-14
---
Bug
[ECA-3901] - Possible NPE when debug is enabled
[ECA-3906] - Missing key in CryptoToken for mapped purpose in CAToken will hang healthcheck
[ECA-3907] - CAToken to CryptoToken upgrade failure
[ECA-3909] - InternalKeyBindingMgmtSessionBean.generateNextKeyPair fails if nextKey already exists
Improvement
[ECA-3723] - Allow verbose preference for CLI
[ECA-3866] - JavaDoc CLI enums
[ECA-3905] - Add instructions how to import certificate profiles in GUI
[ECA-3915] - External RA GUI browser enroll does not work with FF 33 and later
New Feature
[ECA-3900] - Allow CT log publisher to use HTTP Proxy java system settings
EJBCA 6.2.4, 2014-10-29
---
Bug
[ECA-3633] - CMP response caPubs field contain entity certificate instead of CA certificate
[ECA-3657] - RA administrator, failure while Approvement
[ECA-3716] - Regression: Externally imported CAs appear in list of signers when creating a CA
[ECA-3718] - Fix using trusted certificates in Internal Key Binding
[ECA-3776] - Prevent API call from setting InternalKeyBinding status to "active" if there is no referenced certificate
[ECA-3814] - getcacert does not return CA Certificate
[ECA-3822] - CertSafePublisher.testConnection doesn't test URL properly
[ECA-3834] - CertSafePublisher does not work under JDK6
[ECA-3845] - Certificate Transparency, not selecting any CT log passes issuance even if Min SCTs is 1
[ECA-3853] - AKID is different from CA SKID in CRLs, if not using SHA1
[ECA-3868] - Attempting to use a non-ocsp certificate for an OCSPKeyBinding fails silently
Improvement
[ECA-3826] - ant install shows annoying but harmless error messages
[ECA-3843] - Create a link from basic access rules page to documentation
[ECA-3848] - Shift GlobalConfiguration* to CESeCore, make plugin friendly
[ECA-3860] - New call to get registered global configuration types
[ECA-3889] - Allow more than one IKB renewal per second
New Feature
[ECA-3580] - Certificate Transparency: Private Domains
[ECA-3794] - Default OCSP responder improvements
Task
[ECA-3801] - Enterprise feature
EJBCA 6.2.3, 2014-09-25
---
Bug
[ECA-3749] - Batch generation information for end entities in statedumps ignored during import
[ECA-3755] - Regression: Modifying approval settings when editing a certificate profile is broken
[ECA-3760] - Possible ClassCastException when using Subset of SubjectDN in Certificate Profile
[ECA-3763] - InternalKeyBinding.getListOfTrustedCertificates trusts everything if specified with a non existing certificate
[ECA-3765] - ca init command in cli.xml is missing two switches
[ECA-3779] - Values from first loaded certificate profile are shown and saved when editing other profiles
[ECA-3783] - Statedump can not export (custom)publisher where all classes are not on statedump classpath
New Feature
[ECA-3437] - Cert Safe Publisher for EJBCA
EJBCA 6.2.2, 2014-09-03
---
Bug
[ECA-3683] - Statedump: For an uninitialised CA, it appears in its own list of possible issuers.
[ECA-3687] - Error upgrading old installations to JBoss 7 (jboss serialization)
[ECA-3692] - Regression: Certificate and CRL store download pages empty after server restart
[ECA-3695] - 100% upgrade from EJBCA 4 to 6 fails on CertificatePolicy
[ECA-3696] - If there is an OCSP key binding with a messed up certificate, you can get an NPE
[ECA-3698] - Clear all caches makes crypto tokens off-line
[ECA-3714] - Authority Information Access is deselected in Certificate Profiles under some circumstances when upgrading from EJBCA 4 to EJBCA 6
[ECA-3721] - Import of internal key bindings via statedump requires crypto token to be online
[ECA-3725] - EJBCA CLI prompts twice for the CLI password when using -p
[ECA-3727] - Deprecated (null) extended key usages visible in Certificate profile
[ECA-3729] - Statedump: Properties object is copied the wrong way when generating cryptotoken keys from a template
[ECA-3730] - Not finding some OCSP request signer certificate in DB
[ECA-3732] - clientToolbox ocsp test was not updated after the root certificate was removed from the certificate chain in the OCSP response.
[ECA-3733] - cryptotoken create command requires attr flag
[ECA-3735] - Statedumped end entities do not keep clear password settings
[ECA-3736] - Unable to "Save and Initialize" externally-signed sub-CA imported via statedump
[ECA-3744] - InternalKeyBindingCreateCommand misses a null check for missing cryptotokens
Improvement
[ECA-3688] - "ant build" fails on JBoss EAP 6.2 installed via RPM package from Redhat repositories
[ECA-3690] - Possible information leakage
[ECA-3691] - Improve message when profile changes name during work in the GUI
[ECA-3707] - Do not generate non-active XKMS and CMS certificates as it can violate name constraints
New Feature
[ECA-3149] - OCSP responder support for CertId using SHA256 in OCSP requests
Task
[ECA-3703] - Upgrade tomahawk to latest 1.1.14
EJBCA 6.2.1, 2014-08-06
---
Bug
[ECA-3589] - First CRL not created when initialising root CA after statedump import
[ECA-3613] - Regression: The CLI doesn't parse the value ca.name from install.properties if it contains spaces.
[ECA-3615] - SECURITY: Security issue
[ECA-3617] - Allow Enterprise Edition to run system tests sans Statedump
[ECA-3620] - Import/export profiles rendered during unrelated operations
[ECA-3621] - Can't save or initialize uninitialized (= statedump imported) externally-signed CA
[ECA-3635] - Regression: Missing user notice and CPS in certificate policy extensions
[ECA-3643] - Autoactivate switch in CryptoTokenCreateCommand is obfuscated
[ECA-3645] - CLI complaining about unknown CA with id 0 (Improve output for unbound admins)
[ECA-3648] - Importing certificate - no email specified error
[ECA-3650] - Changing the Subject DN on an uninitialized (=statedump-imported) CA causes all extended services to be lost
[ECA-3661] - Statedump can't import PKCS#11 cryptotokens with slots referenced by label
[ECA-3664] - Invalid key specification for uninitialised key after importing a statedump
[ECA-3670] - Fix exceptions when excluding system/cmp/admin config in statedump
[ECA-3675] - Not all defined external RA datasources added in persistence.xml
[ECA-3679] - Regression: CA soft keystore pwd is always default when creating CA using CLI
[ECA-3685] - Int to Long cast exception upgrading OCSP
Improvement
[ECA-3501] - Create CryptoToken key aliases (needed for InternalKeyBindings) during statedump import
[ECA-3592] - Update CA IDs for uninitialised CAs when saving
[ECA-3606] - Make HSM system tests configurable
[ECA-3618] - Configurable environment for testAdminWebSecurityHeaders
[ECA-3622] - Fix cosmetic issues with statedump
[ECA-3624] - Hide Name Constraint textboxes for external CAs without keys
[ECA-3625] - Handle external CAs (=without keys) in Statedump
[ECA-3626] - Proper setup of environment for testAuthenticationWithMissingCertificate
[ECA-3630] - Allow importing Key Bindings in statedump even when key aliases are missing
[ECA-3638] - Don't include external CAs in statedump export by default
[ECA-3640] - Modifying uninitialised CAs (from statedump) even if keys are missing/crypto token is offline
[ECA-3662] - Don't export end-entity passwords from statedump
[ECA-3663] - Don't export crypto token auto-activation passwords in statedump
[ECA-3665] - Import all crypto tokens in inactive state during statedump import
[ECA-3666] - Better error message during statedump export if crypto token is offline
[ECA-3667] - Show warnings during statedump export for exclude patterns that did not match anything
[ECA-3668] - Improve options format of statedump tool
[ECA-3669] - Better warning/error output in statedump utility
[ECA-3677] - Do not allow export of CA keystores not protected by password
[ECA-3689] - Improve parameter naming per internal suggestions
New Feature
[ECA-3636] - Statedump CLI command to initialize statedump-imported CA
[ECA-3637] - Ability to limit what is exported in statedump
[ECA-3639] - Placeholders for keys in crypto tokens imported via statedump
[ECA-3642] - Include end entity information in statedump
EJBCA 6.2.0, 2014-06-18
---
Bug
[ECA-3216] - Return unsigned response "unauthorized" when no default responder configured, or wrongly configured
[ECA-3299] - OCSP request signer verification does an additional database lookup
[ECA-3454] - Inconsistent skip options for state dump import
[ECA-3481] - Minor security hardening
[ECA-3489] - Fail fast creating CVCCAs when unique certificatedata_idx12 is enabled
[ECA-3492] - renameRole() tries to change primary key and triggers a HibernateException
[ECA-3495] - The public part of a key is still on the P11 token after the private part is removed.
[ECA-3496] - java.lang.IndexOutOfBoundsException when selecting empty crypto token for internal key binding
[ECA-3499] - Overwriting a CA with StateDump can leave cert/ee profiles in an invisible state
[ECA-3506] - ejbca-ws-generate target missing dependencies
[ECA-3517] - "Lock wait timeout exceeded" when disabling multiple access rules with MariaDB Galera
[ECA-3518] - NPE if only period length is provided for private key usage period
[ECA-3521] - Certificate & End-Entity Profiles with missing CAs become invisible, even for superadmin
[ECA-3534] - NullPointerException when adding a user without password
[ECA-3535] - State dump unselects "Any CA" from profiles during import
[ECA-3536] - ejbca-db-cli does not work since change to use ServiceLocator
[ECA-3537] - Clean up exception handling in CertificateCreateSession
[ECA-3551] - Certificates are not submitted to CT when generated from CLI, etc.
[ECA-3582] - CMP can not handle some valid CSRs.
[ECA-3587] - Update default Modifiable Fields in User Data Sources
[ECA-3588] - Regression: PrintableString encoding for DNs does not work
[ECA-3594] - Security related
[ECA-3596] - Creating limited CertificateData fails with certain databases
[ECA-3605] - Error when trying to create authenticated CVC CSR
Improvement
[ECA-631] - Enforce naming constraints present in CA-certificates
[ECA-2126] - Certificates that are issued in revoked state should never be active
[ECA-2690] - Create a CLI parameter handler
[ECA-3320] - Simpler format for specifying CA validity dates
[ECA-3468] - Implement statedump Subject DN renaming properly inside EJBCA
[ECA-3477] - Give focus to incorrectly marked fields in edit CA page
[ECA-3482] - Minor security hardening
[ECA-3483] - Minor security hardening
[ECA-3484] - Minor security hardening
[ECA-3490] - ICAO Master List Signer extended key usage
[ECA-3491] - Allow system tests to target non-localhost interface
[ECA-3494] - Suppress repeated OcspSigningCache warnings
[ECA-3502] - Allow system tests to use HSM when available
[ECA-3503] - SSB cached in CertificateCache
[ECA-3509] - ExternalRA: Oracle Database Support in database mapping setup
[ECA-3510] - Replace references to java.util.Vector
[ECA-3513] - Audit log when a CT pre-certificate is generated and sent to a log
[ECA-3515] - SCEP: Rewrite the configuration process to use one URL and multiple aliases
[ECA-3516] - SCEP: Implement configuring SCEP in the AdminGUI
[ECA-3519] - Minor security hardening
[ECA-3524] - Improve memory usage during CRL generation
[ECA-3525] - Do not use the HSM for hashing when signing data
[ECA-3531] - SCEP: Remove DefaultCA configuration
[ECA-3532] - Fix documentation of the command "ejbca.sh config cmp uploadfile"
[ECA-3538] - clientToolBox p11 test multiple times in same jvm, to test if objects on a p11 token can be updated from another application.
[ECA-3540] - External RA: Oracle Database mapping support in RA GUI
[ECA-3544] - Make error messages and success messages easier to distinguish
[ECA-3547] - GUI: Better item order for the System Functions menu
[ECA-3555] - CLI: able to list key bindings with non existing cryptotokens
[ECA-3557] - Add simplified CAInfo constructors
[ECA-3561] - Request subCA certificate from external CA without uploading the chain
[ECA-3565] - Rewrite Certificate Profile page in JSF
[ECA-3566] - Encapsulate HashID properly
[ECA-3569] - Effectivize the reloading of CaCertificateCache
[ECA-3572] - Use JavaScript for certificate installation redirect in public web
[ECA-3579] - Remove CERT_TEMP_REVOKED since it's not used
New Feature
[ECA-688] - Import / Export profiles from WebUI
[ECA-2114] - Rename EJB CLI for fetching CA certificates from getrootcert to getcacert
[ECA-3109] - Add native support for Name Constraints
[ECA-3123] - ICAO DocumentType List certificate extension
[ECA-3124] - Add the Issuer Alternative Name certificate extension to the GUI
[ECA-3530] - Ant targets for creating source and binary releases of CESeCore
[ECA-3542] - Support for IE11 in Public Web
[ECA-3543] - Support IE11 in External RA GUI
[ECA-3559] - Service for populating database with revocation status of certificates from CRL
[ECA-3584] - Choice of token type in Public Web self-registration page
Task
[ECA-3394] - French language files updated for the new functionalities
[ECA-3419] - CAAdminSessionBean.exportCAKeyStore throws Exception
[ECA-3478] - Have all system tests write results to the same directory
[ECA-3546] - French language files updated for SCEP Configuration
[ECA-3420] - Convert all EJB CLI commands to the new standard
EJBCA 6.1.3, 2014-04-28
---
Bug
[ECA-3520] - CAs from statedump signed by external CA cannot be initialised
[ECA-3523] - Backport Statedump bug fixes to 6.1
[ECA-3526] - GUI: Missing l10n message keys in CMP Alias Edit page