
EJBCA 6.5.0.5, 2017-04-06
---
Bug
[ECA-5767] - Soft CA Token key alias set to wrong value in upgrade from 4.0
[ECA-5764] - Backport: Key alias in CMS CA service was changed so it can not be
read after upgrade
[ECA-5784] - Legacy script based autoenrolment should not remove end entity
profile
[ECA-5798] - Backport clientToolBox fix to EJBCA Community

EJBCA 6.5.0.4, 2017-02-10


---
Bug
[ECA-4872] - System configuration page broken in WildFly 10
[ECA-4945] - Edit admin entities broken in WildFly 10
[ECA-5687] - EJBCA 6.5.0 Community post-upgrade does not fail gracefully

EJBCA 6.5.0.3, 2016-03-23


---
Bug
[ECA-4931] - Minor security issue
[ECA-4955] - CMP Proxy swallows underlying error message when verifying
certificate path

EJBCA 6.5.0.2, 2016-03-01


---
Bug
[ECA-4860] - CryptoToken Id not updated when importing a statedump with the
merge option

EJBCA 6.5.0.1, 2016-03-01


---
Bug
[ECA-4862] - CmpMessageHelper.createUnprotectedErrorMessage throws an NPE if a
nonce is not included in the CMP message

EJBCA 6.5.0, 2016-02-29


---
Bug
[ECA-2841] - Document Password Limitation in manuals and sample files.
[ECA-3600] - The /ca_functionality/edit_ca is missing from advanced Access
Rules
[ECA-3859] - E-mail doesn't work in usernamemapping in self-registration
[ECA-4262] - Name constraints encoding incorrect in a certain case
[ECA-4310] - Certificate profile key length restriction ignored when creating
CA
[ECA-4478] - Display "Base64 log ids" when listing CT logs
[ECA-4518] - Cloning a fixed hard token certificate profile leads to GUI bug
[ECA-4535] - ArrayIndexOutOfBounds when upgrading EJBCA 4 installations
[ECA-4546] - Regression: Approvals page ignores 'Expired' status
[ECA-4551] - Implement non-partitioned CRLs that will work with name-changed
CSCA
[ECA-4579] - GUI: Some spaces added in original values in End Entity profile
[ECA-4582] - Regression: Edit end entity profile notifications bug
[ECA-4584] - GUI: Display problem of Extended Key Usages, in View Certificates
[ECA-4587] - Regression: test20MaliciousOcspRequest hangs forever on everything
but Wildfly8
[ECA-4588] - "Renew Browser Certificate"-link in Public Web broken
[ECA-4602] - CMP: EEC authmodule - Checking for CA authorization does not work
[ECA-4613] - Don't allow deletion of CT logs that are still in use by a
Certificate Profile
[ECA-4616] - Regression: EJBCA WS CLI shows a lot of warnings
[ECA-4623] - Handle CertificateCreateException with null ErrorCode in public
web
[ECA-4626] - Duplicate DN values fail in the Self-Registration forms
[ECA-4627] - Security Hardening
[ECA-4628] - GUI: CA Structure & CRLs usability
[ECA-4631] - Security Issue
[ECA-4634] - The check whether Subject Directory Attributes fulfill profile
always fails in Self-Registration
[ECA-4644] - Fix the jbosslogsigning target
[ECA-4656] - NPE on system configuration page if no other page has been loaded
before it
[ECA-4662] - Test CrmfRAPbeRequestTest does not clean up correctly
[ECA-4663] - Regression: Standard superadmin shows up as 'Custom' in Basic
Access Rules View
[ECA-4664] - CompressedCollection silently allows add() after closeForWrite()
[ECA-4666] - CmpTestCase can't be run against CmpProxy
[ECA-4669] - Revoking/Republishing certificate by selecting its serial number
from audit log outputs NPE
[ECA-4671] - Possible infinite recursion, leading to OOM in intresources
[ECA-4677] - Audit log: Only show valid conditions for each search column
[ECA-4683] - Trying to view deleted end entity gives NPE
[ECA-4686] - Approval requests from Self Registration appear to originate from
CLI
[ECA-4694] - CMP: EEC authmodule - Checking for CA authorization still does not
work
[ECA-4700] - Fix bugs related to Auditor role
[ECA-4707] - PeerInternalKeyBindingUpdaterWorker should check status of CA's
CryptoToken before trying renewal
[ECA-4709] - NPE when trying to display remote IKB where remote cert is not
present on CA
[ECA-4714] - Security issue
[ECA-4718] - Regression: EndEntityManagementSessionTest.test07MergeWithWS fails
on the community release
[ECA-4719] - ocsp.reqsigncertrevcachetime not defined in
defaultvalues.properties
[ECA-4721] - Certificate Transparency tab in System Configuration shows up in
Community Edition
[ECA-4733] - Security hardening of new Statedump GUI
[ECA-4736] - Handle changed Subject DN in statedump files
[ECA-4738] - Missing properties in cesecore-common library
[ECA-4740] - CmpProxyServlet doesn't calculate process time correctly
[ECA-4745] - Certificate Profile: Don't save values of disabled fields to make
audit easier
[ECA-4747] - Imported certificate profile does not include AvailableCAs in the
GUI
[ECA-4752] - Possible NPE in ConcurrentCache when using DEBUG logging
[ECA-4754] - ejbca.org index page broken in chromium
[ECA-4757] - Help reference not visible in services page
[ECA-4762] - RA Administrators (Pre-defined role template) privileges are
missing
[ECA-4765] - GeneralPurposeCustomPublisher doesn't surround command arguments
with quotes.
[ECA-4812] - Healthcheck of CAs get key count wrong and checks for
previousCertSignKey
[ECA-4814] - SQL error in schema for Postgres databases
[ECA-4815] - Fix some JUnit test failures in JDK8
[ECA-4824] - Information leak in debug log
[ECA-4830] - Minor security hardening
[ECA-4832] - Security issue
[ECA-4839] - Certificate download redirect does not work with non-ASCII
characters in the Subject DN
[ECA-4841] - Regression: Events are not shown in the 'View Log'
[ECA-4843] - Regression: ConfigurationHolder can no longer read built in
properties
[ECA-4847] - Don't lock down statedump in fresh installations

Improvement
[ECA-659] - Add restriction for key algorithm in certificate profiles
[ECA-1910] - CAs in alphabetic order in the CA Structure & CRLs page
[ECA-3204] - Re-factoring of P11Slot
[ECA-3780] - Split and kill the src-directory
[ECA-3929] - Improve rendering of crypto tokens on the CA Activation page.
[ECA-4075] - Document that naming in IS end entities should not be changed
[ECA-4237] - Peer connections should send full client certificate chain
[ECA-4274] - Eliminate redundant images from docs
[ECA-4393] - Reduce number of errors from the OCSP signing cache about expired
CAs
[ECA-4401] - Can not read private key with alias containing åäö from keystore
[ECA-4403] - Parallel CT log submission
[ECA-4404] - TLS session re-use for CT submission
[ECA-4481] - Cache revocation status of request signers in OCSP responder
[ECA-4482] - Make new transaction log variable for ISSUER_NAME and REQ_NAME in
original order
[ECA-4543] - Implement CSCA "CA Name Change" feature from ICAO 9303 7th part 12
[ECA-4552] - Allow statedump to merge existing CryptoTokens
[ECA-4562] - Make sure that there is only one set of code handling HSM keys.
[ECA-4563] - CMP: ResponseStatus in CmpErrorResponseMessage is not used and
should be removed
[ECA-4564] - CMP: return message SYSTEM_UNAVAILABLE when profiles can not be
read/found in RA mode
[ECA-4570] - Document validation error messages returned by CMP Proxy
[ECA-4574] - GUI: System Configuration sub-section order
[ECA-4575] - GUI: Better CryptoToken alias default value
[ECA-4576] - Several SAN DNSname in EMPTY profile
[ECA-4577] - GUI: SHA-256 by default in CA creation form
[ECA-4583] - GUI: CryptoToken page usability (private key export)
[ECA-4595] - GUI: CA creation form usability
[ECA-4598] - Make SecConst.MAXIMUM_QUERY_ROWCOUNT into a configurable value
[ECA-4599] - EndEntityManagementSessionBean.revokeCert needlessly tries to
revoke all certificates
[ECA-4601] - Don't require "/ct/v1" in CT log URL
[ECA-4607] - Allow CT Log public keys to be uploaded in DER format
[ECA-4620] - Security issue
[ECA-4629] - General code improvement
[ECA-4633] - New RSA key sizes for the Extended Services in CAs
[ECA-4638] - Minor improvements to CT Logs timeouts
[ECA-4643] - Remove Dependency checker test.
[ECA-4648] - Better configuration default values for languages
[ECA-4668] - Proactive public web security hardening
[ECA-4672] - Change CMP errors codes, missing aliases and already revoked
[ECA-4674] - Proactive web security hardening
[ECA-4676] - Allow CMP Proxy server to use multiple CA keychains
[ECA-4696] - Add path to SafeNet Luna Client 6.1 to default PKCS11 libraries
[ECA-4697] - Add path to SoftHSM to default PKCS11 libraries
[ECA-4699] - Replace deprecated references CertTools methods
[ECA-4701] - Update XStream and limit classes that can be deserialized by
Statedump
[ECA-4703] - Use newer BC pattern in CertTools to get rid of some warnings
[ECA-4704] - Upgrade BouncyCastle to 1.54
[ECA-4712] - Remove BaseCryptoToken.extractKey(String, String, String)
[ECA-4720] - Document that the site search uses Google
[ECA-4726] - Make "CA Name Change" configurable through Global Configuration
[ECA-4734] - Document getAuthorizedAvailableAccessRules better
[ECA-4737] - Combine the efforts of ECA-4566 and ECA-4568
[ECA-4742] - Clarify error message when admin certificate does not belong to a
user
[ECA-4748] - cmpclient: Use SHA256 as signature algorithm
[ECA-4773] - Lock down statedump when upgrading
[ECA-4775] - Improve statedump CLI lockdown handling
[ECA-4827] - Default healthcheck.publisherconnections to 'false' as documented
in the admin guide
[ECA-4845] - Improve error messages for approvals.

New Feature
[ECA-4164] - Support for importing DER-encoded CA certificate file via CLI
command "ca importcacert"
[ECA-4177] - DER-encoded format as output option during enrollment via CSR
[ECA-4319] - Include information in key binding CSR when creating from CLI
[ECA-4474] - Prefix/override support for statedump during import
[ECA-4504] - Make sure that a signature algorithm supported by the HSM is used
when the algorithm is not specified.
[ECA-4508] - Ability to define custom order of DN in issued certificates
[ECA-4561] - Add restriction for EC curve names in certificate profiles
[ECA-4566] - Add signature validation of signed requests in CmpProxy
[ECA-4567] - Add HMAC PBE validation of signed requests in CmpProxy
[ECA-4568] - Revocation checking of signature certificates in CMP Proxy
[ECA-4569] - Separate library for certificate path validation
[ECA-4600] - Add a CMP client for test purposes
[ECA-4608] - Add Bull HSM default options for GUI access
[ECA-4609] - GUI: Display the SHA-256 certificate fingerprint
[ECA-4640] - GUI enabled statedump import of uploaded file
[ECA-4641] - GUI enabled statedump import of bundled file
[ECA-4698] - Add generics to CertTools.getCertfromByteArray methods
[ECA-4761] - CA name should be displayed in the delete CA prompt

Task
[ECA-4138] - Write complete system tests for ClientToolBox
[ECA-4497] - Remove .cvsignore files from SVN repository
[ECA-4498] - Remove the CESeCore backup/restore scripts from the release zips
[ECA-4618] - CMSIncrementalMode is deprecated in Java 8 and should be removed
from our config
[ECA-4717] - Add systemd sample configuration for RHEL/CentOS
[ECA-4730] - Remove old install guides from doc/howto

EJBCA 6.4.2, 2015-12-29


---
Bug
[ECA-4555] - PKCS#11 credentials are displayed incorrectly when creating
CryptoToken
[ECA-4646] - Clear caches failing with NPE in OcspExtensionsCache when an
extension class is not found

Improvement
[ECA-4463] - Add additional pages to Auditor Role
[ECA-4682] - Log X-Forwarded-For if present in OCSP requests

EJBCA 6.4.1, 2015-12-01


---
Bug
[ECA-4262] - Name constraints encoding incorrect in a certain case
[ECA-4535] - ArrayIndexOutOfBounds when upgrading EJBCA 4 installations
[ECA-4582] - Regression: Edit end entity profile notifications bug
[ECA-4592] - Approvals contains no relevant information
[ECA-4602] - CMP: EEC authmodule - Checking for CA authorization does not
work
[ECA-4623] - Handle CertificateCreateException with null ErrorCode in public
web
[ECA-4631] - Security Issue

Improvement
[ECA-4574] - GUI: System Configuration sub-section order
[ECA-4575] - GUI: Better CryptoToken alias default value
[ECA-4576] - Several SAN DNSname in EMPTY profile
[ECA-4577] - GUI: SHA-256 by default in CA creation form
[ECA-4583] - GUI: CryptoToken page usability (private key export)
[ECA-4595] - GUI: CA creation form usability
[ECA-4612] - Security Issue

EJBCA 6.4.0, 2015-10-26


---
Bug
[ECA-3576] - 'Enforce unique DN' creates a stack trace in public web
[ECA-4016] - Unable to activate a crypto token imported by statedump after
restarting JBoss
[ECA-4022] - Can not use Brainpool or explicit ECC curve in CLI (e.g. import
CA certificate, list/export CA)
[ECA-4030] - "Key sequence" always set to 00000 when saving uninitialised CA
with available crypto token
[ECA-4171] - Missing parameter for the --end-entity-password option does not
cause statedump import command to fail immediately
[ECA-4172] - End entities inaccessible after changing the subject DN of an
uninitialised CA
[ECA-4197] - Role access rules not updated when changing subject DN of an
uninitialised CA
[ECA-4228] - Clean redundant method declaration in PublisherSession and
PublisherSessionLocal
[ECA-4276] - External RA SCEP junit test broken after BC updates
[ECA-4283] - Warning about missing intresources running External RA SCEP
[ECA-4284] - Possible to create a rollover certificate for a CA waiting for
CSR
[ECA-4286] - ClientToolBox PKCS11HSMKeyTool can no longer handle sun config
file
[ECA-4288] - Change usage license info in csv_to_endentity.sh
[ECA-4295] - Incorrect documentation on "Finish User" setting.
[ECA-4296] - SCEP Client Certificate Renewal shouldn't demand a challenge
password
[ECA-4298] - Probably wrong description of parameters in help for
importcacert command
[ECA-4306] - Use UTF-8 in German Admin GUI translation
[ECA-4326] - CRLDownload service can't handle multiple revocation changes in
a CRL
[ECA-4327] - Links from cert enrollment completed page for IE is broken
[ECA-4333] - Detect available EC curves in JDK by OID
[ECA-4339] - DirectoryName subjectAltName is not added
[ECA-4356] - Regression: Sorting of certificates has become random
[ECA-4357] - Regression: external-ra-gui doesn't deploy
[ECA-4364] - Regression: Error editing Publishers under CA Functions in Admin
Web
[ECA-4367] - ejbca-ws-generate not run after the addition of CA rollover WS
operations
[ECA-4368] - intresources missing in externalra-gui war file
[ECA-4369] - NPE when trying to create custom publisher that is not pre-
edited
[ECA-4371] - SCEP Client Certificate Renewal allows renewal using expired
certificates
[ECA-4381] - OCSP TransactionLogger prints SERIALNUMBER instead of SN for
REQ_NAME
[ECA-4385] - Internal issue
[ECA-4397] - Include custpubl publishers in build
[ECA-4399] - System test auth token classes should be commonly accessible
[ECA-4400] - Security Issue
[ECA-4402] - Subject alternative names dropped when using "Allow merge DN Web
Services"
[ECA-4405] - ra addendentity CLI command breaks when hard token issuers are
enabled
[ECA-4414] - Typo error in System Configuration page
[ECA-4416] - Verification of CRLs on CAs using Brainpool ECC does not always
work
[ECA-4418] - Expect OCSP signing if EKU in OCSP signing certificate is marked
critical
[ECA-4419] - Statedump 6.3 can't import 6.2 dump because
ValidationAuthorityPublisher is not on the classpath
[ECA-4435] - SCEP: Use empty content in CACert PKCS#7 messages
[ECA-4453] - Peerconnector tests and Statedump fails to start due to JNDI
problems (NoInitialContextException)
[ECA-4457] - EjbcaWS.findCerts(username, isValid=true) should not fetch
expired certificates from database
[ECA-4469] - 'Edit Service' page: uppercase/lowercase inconsistency in drop
down menu
[ECA-4471] - Unable to view certificate with E field in issuer DN
[ECA-4472] - EJB CLI fails if standalone argument is used after a standalone-
enabled switch
[ECA-4475] - Validation javascript on End Entity Profile page throws
exception
[ECA-4479] - CMP RA requests with only notBefore requested does not work
[ECA-4483] - Remote EJB serialization of Collection<Certificate> hangs on
JBoss 7.1.1.GA
[ECA-4484] - EjbcaEventTypes.CA_ROLLEDOVER is missing its language reference
[ECA-4489] - No checkbox "Renew keys" on 'Edit CA' page
[ECA-4492] - NPE during standard SCEP Certificate Renewal
[ECA-4494] - Single Active Certificate Constraint misses certificates due to
subject DN differing between UserData and CertificateData
[ECA-4495] - NPE in EJBCA WS findCerts when no base64CertData is stored
[ECA-4503] - Test case in CertificateCreateSessionTest uses wrong status
constants
[ECA-4510] - Can't delete admin in access role
[ECA-4513] - Unchecking auto-activate does not persist for auto-generated
crypto tokens using default password
[ECA-4523] - Security Issue, information leak
[ECA-4525] - CustomCertExtensions and ExtendedKeyUsages are sorted
alphabetically instead of numerically
[ECA-4536] - Regression: Approve Action Name not displayed
[ECA-4542] - 'List of End Entity Profiles' displays nothing in Auditor pre-
defined role
[ECA-4554] - NPE in remote IKB page when multiple CA clusters connect to the
same VA

Improvement
[ECA-3418] - Optimize JBoss reload during install
[ECA-3815] - Improve batch command instructions
[ECA-4034] - Include end entities in statedump export by default
[ECA-4113] - Modify BatchCreateTool to allow easy cleanup of files from p12
directory
[ECA-4163] - Move ScepRequestGenerator out of general code
[ECA-4174] - PKCS#11 symmetric key unwrapping for KeyRecovery broken for some
HSMs on JDK >= 1.7.0_75
[ECA-4248] - Swap username and serialnumber for PUBLISHER_STORE_CERTIFICATE
audit event
[ECA-4254] - Document prerequisite for trusting external CA's leaf cert from
IKB
[ECA-4273] - Cosmetic cleanup of IEjbcaWS
[ECA-4281] - GUI: Optimization of the header banner of Admin GUI
[ECA-4287] - Pre-emptive rewrite of CertificateProfile cache
[ECA-4291] - Add system tests for EjbcaWS.caCertResponseForRollover
[ECA-4300] - Convert System Configuration page to JSF
[ECA-4301] - Add tabs to System Configuration Page
[ECA-4304] - Allow prefix for self registered users
[ECA-4305] - Disable choice in self registration when referenced profile does
not exist
[ECA-4313] - Allow help text for custom publishers in language file
[ECA-4317] - Document how to encrypt the datasource password in
standalone.xml for JBoss EAP 6.4/JBoss AS 7.1
[ECA-4325] - Remove CertificateCreationException from code
[ECA-4330] - Backport ECA-2576 to 6.2
[ECA-4331] - Make the static values for revocation reasons into a new type.
[ECA-4342] - Have cryptotokens excluded from Clear All Caches by default.
[ECA-4351] - Lower log level of misconfigured CertificatePolicies to WARN
[ECA-4352] - Always use EC curves OID when possible for key generation
[ECA-4361] - Add logging of 'X-Forwarded-For' in OCSP transaction log
[ECA-4365] - Document that Health check can be enabled/disabled per CA
[ECA-4376] - Add "All CAs" option to Rollover Service worker.
[ECA-4390] - GUI: System Configuration page usability
[ECA-4406] - Improve how upgrade versions are read, making migration from
6.2.10+ to 6.3+ possible
[ECA-4407] - Clarify Illegal key length exception message as limitation by
certificate policy
[ECA-4415] - GUI: Certificate Profiles page usability
[ECA-4430] - Bundle JEE6 API library to minimize appserver build time
dependency
[ECA-4431] - Update XML schemas for JEE6
[ECA-4440] - Fix use of deprecated version of storeCertificateRemote in
CertificateStoreSessionRemote
[ECA-4441] - Rewrite the ExternalRA GUI to use JSF 2.0 and CSS
[ECA-4449] - GUI: CryptoToken page usability
[ECA-4454] - Certificate Profiles: Sort Custom Certificate Extension and EKUs
alphabetically by label.
[ECA-4455] - CustomCertExtensions: Remove limit on number of certificate
extensions (was: Identify by OID instead of ID)
[ECA-4456] - Allow EjbcaWS.findCerts(usename, isValid) to work without
UserData
[ECA-4458] - Improvements to Certificate Extensions overview page
[ECA-4460] - Extended Key Usages overview page should be sorted by OID.
[ECA-4461] - Add input validation control to SAN in EEP
[ECA-4462] - Minor improvements to Auditor role
[ECA-4465] - GUI: End-Entity Profile usability
[ECA-4470] - Document how EKUs and CCEs are imported in upgrade
[ECA-4480] - ExtRA GUI DB2 support
[ECA-4490] - Upgrade EJBCA to BC 1.53
[ECA-4515] - Remove translation of CustomCertExtension displayname into
readable text
[ECA-4517] - Buttons for type of Certificate Profile etc. are confusing for
new users
[ECA-4531] - ExtendedKeyUsages: remove deprecated method
[ECA-4537] - 'End Entity Profiles' are not displayed in Access Rules

New Feature
[ECA-3436] - Support WildFly 8
[ECA-4264] - Ability to generate link certificate from key on HSM
[ECA-4279] - Add ability to specify revocation reason and revocation date
when importing certificates in the CLI
[ECA-4282] - Allow CMP Proxy to work with External RA backend
[ECA-4341] - Add CertificateProfileID to OCSP transaction logs
[ECA-4343] - Custom Certificate Extensions and EKUs without recompilation
[ECA-4344] - Introduce a Read-Only admin to EJBCA
[ECA-4345] - Granular control over elements of the DN in End Entity Profiles
[ECA-4360] - SCEP Client Certificate Renewal on a rollover CA
[ECA-4372] - New setting for specifying certificate chain order in the public
web.
[ECA-4396] - Compile and deploy on WildFly 9
[ECA-4459] - Certificate Extensions should define their own property fields
[ECA-4502] - Improve upgrade procedure with database version detection.

Task
[ECA-4289] - Remove outdated sample file change_p12_pwd.c
[ECA-4292] - Remove Support for XKMS
[ECA-4466] - AdminWeb CSS styles clean up
[ECA-4468] - Remove site:publish ant target

Master Ticket
[ECA-4432] - Remove JEE5 and JDK6 support
[ECA-4375] - Update documentation to reflect dropped JBoss5 and JDK6
support.
[ECA-4417] - Remove build and install script specifics for JEE5 app
servers and JDK6.
[ECA-4433] - Get rid of Hibernate compatibility libs
[ECA-4437] - Update ExternalRA GUI to JEE6

EJBCA 6.3.2, 2015-05-29


---
Bug
[ECA-4198] - Regression: ScepServlet can't compile in CE
[ECA-4202] - Random failure in CMP stress test
[ECA-4236] - Peer connections are unable to verify server certificates with
critical server auth EKU
[ECA-4258] - Table PeerData creation is missing from
create-tables-ejbca-*.sql
[ECA-4259] - Scep Certificate Renewal is configurable in RA Mode

Improvement
[ECA-4038] - Have EJBCA DB CLI fail nicely when built in Community Edition
[ECA-4186] - WS - Use the "isRunningEnterprise()" method in EjbcaWSTest
[ECA-4201] - SCEP test improvements
[ECA-4206] - Add documentation about new WS CLI commands
[ECA-4211] - Use ISO8601 date format for CA expiration in initialization log
[ECA-4245] - GUI: CA creation page usability
[ECA-4255] - Update EJBCA architecture diagrams
[ECA-4260] - Add flowchart of SCEP enrollment/renewal to admin docs
[ECA-4263] - Move static class load from CryptoTokenFactory singleton to init
[ECA-4265] - Small improvements of SCEP config JSF
[ECA-4268] - Improve build time
[ECA-4269] - Update CMP Proxy README

New Feature
[ECA-4168] - SCEP support for CA certificate rollover
[ECA-4178] - Admin GUI translated in Czech language
[ECA-4199] - Add Enterprise/Community identifier to internal.properties
[ECA-4205] - Add new WS CA Admin commands to the WS CLI

Task
[ECA-4119] - Enterprise feature
[ECA-4120] - Enterprise feature

EJBCA 6.2.10, 2015-05-29


---
Bug
[ECA-2138] - External RA GUI cannot handle SubCA certificates with critical
CDP
[ECA-2282] - Publishing certificate from certificate view GUI to queued
publisher causes error message but publishing works anyway
[ECA-3789] - Stack trace if CAs in Certificate Profile and End Entity Profile
don't match
[ECA-3887] - An NPE is thrown at user when submitting invalid CSR during
enrollment
[ECA-3999] - Make healthcheck setting configurable for new CAs
[ECA-4104] - Removing PKCS#11 token makes Crypto Token GUI unusable
[ECA-4141] - Several issues regarding End Entity Rules in basic mode
[ECA-4147] - Review/fix usage of getAuthorizedEndEntityProfileIds
[ECA-4180] - Update FileUpload library used by ExternalRA GUI
[ECA-4195] - Ocsp key renewal timer not starting automatically
[ECA-4203] - "Check Certificate Status" reports incorrect/misleading status
[ECA-4209] - Regression: Ad hoc upgrade of OCSP might be broken by the
CachingCryptoToken
[ECA-4232] - Regression: Certificate keyUsage invalid from CSR when using
allowKeyUsage override
[ECA-4243] - POP is not verified properly on WS requests
[ECA-4246] - EJBCA Token Certificate Enrollment: Text differs from button
name
[ECA-4249] - ClientToolBox OCSP test does not work with HTTP GET

Improvement
[ECA-4081] - Remove name lookup done by OCSP responder
[ECA-4146] - Upgrade BouncyCastle to 1.52
[ECA-4157] - Allow import of certificates for non-revoked end entities using
importcert command
[ECA-4191] - Upgrade cert-cvc project to BC 1.52
[ECA-4192] - Replace deprecated methods: constructor for
AuthorityKeyIdentifier, and ECPoint.getX/getY
[ECA-4194] - Add possibility to prompt for password in CLI calls to setpwd
[ECA-4196] - Replace EJBCA logotypes in documentation
[ECA-4210] - Validate OCSP signing chain
[ECA-4223] - Add favicon to ExternalRA GUI
[ECA-4227] - Update EJBCA logo and favicon
[ECA-4231] - Change variable names in BaseCaAdminCommand.java
[ECA-4266] - Small documentation improvements

New Feature
[ECA-4214] - Ability to rename end entities
[ECA-4226] - CLI command to remove Publisher with dependencies
[ECA-4233] - Add Certificate Profiles setting to limit certificate storage
[ECA-4242] - Certificate Profile Setting for restricting certificate data
being written to the CertificateData/Base64CertData tables

EJBCA 6.3.1, 2015-03-26


---
Bug
[ECA-4044] - Ignore EJBCA test certificates from being published using the
Peer connector
[ECA-4048] - Peer System: Failure to connect when list of trusted certs is
empty
[ECA-4068] - Add PeerData to drop tables SQL script
[ECA-4073] - typo in exception 'Failed to write audit log...'

Improvement
[ECA-3146] - Allow a renewal of an external CA certificate by import
[ECA-3951] - Add a column to InternalKeyBindingPage/CLI to warn for inactive
certificate
[ECA-4033] - Do not include administrators registered via certificate serial
numbers in statedump
[ECA-4092] - Create module for separate enterprise and community specific
implementation
[ECA-4093] - Lower log-level of CmsCAService "KEYSTORE is null..." message
[ECA-4117] - CMPProxy not updated to work with different cmpalias

New Feature
[ECA-3581] - Single Active Certificate Constraint
[ECA-3754] - CLI: Create a table utility
[ECA-4062] - WS API support to create a new CA and Superadmin certificate
[ECA-4063] - WS APIs for monitoring certificate expiration
[ECA-4064] - SCEP support for Client Certificate Renewal
[ECA-4159] - Show what version documentation applies to at all times

Task
[ECA-4145] - Document all audit log messages

EJBCA 6.2.9, 2015-03-26


---
Bug
[ECA-3619] - Wrong administrator removed from role when deleting at the same
time with two separate CA admins
[ECA-3788] - CLI needs to set argument --password together with the value
when setting it
[ECA-3879] - Fix logging of default OCSP responder properly
[ECA-4049] - Certificates of non-CAs are accepted when importing external CAs
[ECA-4071] - A base64 decoder exception is thrown when inspecting a
specially-crafted CSR
[ECA-4122] - Typo in Crypto Token HSM Slot
[ECA-4148] - EJBCA WS Test test25CreateandGetCRL fails when delta CRLs are
enabled
[ECA-4152] - "Renew Browser Certificate" should require notifications to be
set.
[ECA-4156] - Regression: BaseCryptoToken has lost caching of keys since
EJBCA4
[ECA-4160] - X509CertStoreSelector does not work as used in BC 1.51
[ECA-4173] - CLI command ca getcacert always outputs root CA certificate when
using the -der option
[ECA-4179] - SCEP stress test regression
[ECA-4184] - WaitingForApprovalException declares property as public

Improvement
[ECA-4128] - Replace references to deprecated class DiskFileUpload
[ECA-4137] - Test throw away CA issuance over web service interface
[ECA-4181] - Several EjbcaWS tests fail when EEP-limitations are enabled
[ECA-4182] - Replace deprecated classes: PEMWriter, DERObjectIdentifier and
DERTags

Task
[ECA-4090] - Remove broken NetID integration code

EJBCA 6.2.8, 2015-03-05


---
Bug
[ECA-3602] - jboss-cli.bat fails when called from jboss.xml on JDK >= 7.21
[ECA-3807] - Root CA key is always used when decrypting SCEP requests
[ECA-3963] - Save and Test Connection with CT publisher should fail if no CT
logs are configured
[ECA-4043] - Timing issue in CaRenewCACommandTest
[ECA-4065] - "Renew" button still exists for a revoked CA, produces
stacktrace
[ECA-4067] - Regression: Default RA Admin doesn't have access to the Add End
Entity page
[ECA-4070] - External CAs turn up on the list of possible CAs when creating
End Entities
[ECA-4074] - AlgorithmIdentifier of RFC 6960 id-pkix-ocsp-pref-sig-algs
extension is not parsed correctly
[ECA-4083] - OCSP configuration per certificate profile id is used for
CERTPROFILE_NO_PROFILE
[ECA-4094] - Remove extraneous authorization checks from PublisherDataHandler
[ECA-4095] - Incorrect log output in publisher authorization check
[ECA-4096] - Access rule /ca_functionality/edit_publishers does not allow
role to edit publishers
[ECA-4101] - Security Issue
[ECA-4103] - References to deprecated rule '/super_administrator'
[ECA-4107] - Allow creation of non standard conformant RAW custom extension
[ECA-4110] - Approve Action - NPE after click on the username
[ECA-4112] - Regression: External CAs not listed as "Available CAs" in CLI
when using addadmin
[ECA-4116] - Remove notes and test extension from certextensions.properties
[ECA-4131] - CT options can't be changed when using only publishing
[ECA-4136] - HardToken Certificate Profile Type has wrong label

Improvement
[ECA-3831] - adminmenu.jsp still refers to legacy /superadmin rule
[ECA-4011] - Disable "Name Constraints" fields when External CA is selected
[ECA-4018] - Upgrade to BouncyCastle 1.51
[ECA-4039] - Improve HealthCheck free memory control
[ECA-4053] - Speed up HSMKeyTool stress test
[ECA-4087] - Update EJBCA copyright notice to match homepage
[ECA-4098] - Make sure that CAs in add/edit end entity screen are
arranged alphabetically
[ECA-4108] - Possibility to disable CT submission for existing non-CT
certificates
[ECA-4111] - Upgrade cert-cvc subproject to BC 1.51
[ECA-4114] - Sort CryptoTokens by name when creating a new Key Binding
[ECA-4139] - Editing CMP, SCEP and system configuration requires root
privileges

Master Ticket
[ECA-3971] - Improve OCSP responder performance
[ECA-4054] - Reload CA certificate cache in the background
[ECA-4055] - Avoid unnecessary OCSP response signature checks
[ECA-4072] - Avoid interactions with AuditLogger and TransactionLogger
when disabled
[ECA-4082] - Improve OcspServlet.addRfc5019CacheHeaders
[ECA-4084] - Improve OCSP HSM signing thread behaviour
[ECA-4085] - Additional caching of objects that are the same between
multiple OCSP requests

New Feature
[ECA-3976] - Cache SCTs in OCSP responses
[ECA-4052] - Allow override of EJBCA's subject DN ordering in web service
call for issuing certificate
[ECA-4106] - Allow to specify number of SCTs in OCSP responses

Task
[ECA-4060] - Create a subtarget to ant ziprelease that creates a versioned
zip of the statedump source.

EJBCA 6.3.0, 2015-01-14


---
Bug
[ECA-2478] - UnrevokeEndEntity unrevokes cert but not user
[ECA-3528] - GUI: Some messages not localized in Admin Web
[ECA-3590] - Cache the slot list
[ECA-3598] - Fix handling of invalid ZIP contents when importing certificate
profiles
[ECA-3599] - Fix handling of invalid ZIP contents when importing end entity
profiles
[ECA-3609] - Name constraints properties are duplicated in CLI editca command
[ECA-3631] - database valid connection sql for VA publisher is taken from
database.properties instead of va-publisher.properties
[ECA-3634] - OCSP does not audit and transaction log UNAUTHORIZED messages
[ECA-3656] - Forbidden characters can be allowed
[ECA-3719] - GUI: Publisher page usability
[ECA-3745] - Some languages do not have the standard language code
[ECA-3797] - Statedump incorrectly tries to export full BasePublisher object
[ECA-3804] - httpsserver.an (altname) is ipaddress 127.0.0.1 by default, and
no dnsName matching CN
[ECA-3813] - GUIDGeneratorTest fails intermittently
[ECA-3841] - JAR file used by CT should be rebuilt for JDK6
[ECA-3849] - Admin must be authorized to all CAs to import keybinding
certificate
[ECA-3855] - Loading saved CMP configuration referencing a deleted EEP
results in NPE
[ECA-3892] - GUI: A lot of event messages not set in "View Log"
[ECA-3908] - Allow OcspKeyRenewalTest to run predictably on system with
existing AuthenticationKeyBindings
[ECA-3949] - Status parameter in "keybind create" command shouldn't be case
sensitive
[ECA-3960] - CaPKCS11SessionTest fails and never recovers if test is aborted
[ECA-3968] - Sort and count peer connectors correctly in statedump
[ECA-3993] - ejbca-db-cli does not work due to PeerConnector
[ECA-4003] - "CRL Updater" service doesn't update the CRL
[ECA-4012] - Reject IP addresses in dNSName name constraints
[ECA-4032] - Regression: Key Recoverable not set in EE when activated and
required in profile

Improvement
[ECA-2272] - Refactoring some DN attributes and Alternative names naming
[ECA-2340] - GUI: Audit Log usability
[ECA-2576] - New key sizes available in certificate profiles
[ECA-3043] - Document SameRequestRateLimiter better
[ECA-3256] - Split the va-war module into its logical parts
[ECA-3412] - Rework VA/OCSP documentation
[ECA-3414] - Clean up Exception handling in SignSessionBean
[ECA-3601] - Enterprise feature
[ECA-3654] - Enterprise feature
[ECA-3674] - Allow certificate validity before current date using end entity
ExtendedInformation
[ECA-3720] - GUI: Certificate Profile page usability
[ECA-3726] - Make CertSafe implement CustomPublisherUiSupport
[ECA-3746] - GUI: Displaying the language name in configuration sections
[ECA-3753] - Add OpenSC PKCS#11 to default crypto token library path
[ECA-3769] - CryptoToken usage should also include internal key bindings
[ECA-3773] - Add NIST PIV Card Authentication extended key usage
[ECA-3809] - Improve the message for signed SubCAs regarding the need of
*.pem or *chain.pem
[ECA-3824] - CertSafePublisher should use a dropdown pane for setting
authentication keybindings
[ECA-3854] - Optimize Language tool
[ECA-3869] - Sort key aliases by name in InternalKeyBinding edit view
[ECA-3874] - RSA 4096 keys pre-selected in Crypto Token form
[ECA-3891] - GUI: Firefox CRLs direct import removed
[ECA-3930] - CryptoTokenManager: Add a column for auto-activation status.
[ECA-3955] - Add some missing OCSP system tests
[ECA-4051] - Correct documentation of CLI command when updating a CMP alias

Master Ticket
[ECA-3144] - Improved sub system integration (EJBCA Peer Systems)
[ECA-3652] - Create PeerMessage datatype, ORM and CRUD beans
[ECA-3653] - Create basic JSF pages for Peer mgmt
[ECA-3659] - Connect GUI with CRUD
[ECA-3671] - Add auth checks to CRUD bean
[ECA-3694] - Milestone: Make PingMessage work from a PeerConnector
created in the GUI
[ECA-3699] - Outgoing TLS configuration as part of
AuthenticationKeyBinding
[ECA-3700] - Rename peerconnector-common to *-ejb and move common
classes under ear/lib/..jar
[ECA-3702] - Basic publishing to peer system
[ECA-3704] - Framework for making custom publisher configuration nicer
[ECA-3710] - Do parallel publishing when the same thing is published to
multiple targets
[ECA-3711] - Changes to publishing API for efficient publishing of full
CertificateData (and Base64CertData)
[ECA-3712] - Efficient resynchronization of data between CA and Peer VA
[ECA-3715] - Requested capabilities should be saved when creating peer
connector
[ECA-3722] - Create CLI support for PeerConnector
[ECA-3742] - Publish the same updateTime that is used in the CA's
database
[ECA-3751] - Manual renewal of OcspKeyBinding at peer
[ECA-3752] - Behavioral configuration for PeerConnectors
[ECA-3756] - Make InternalKeyBinding access rules configurable
[ECA-3757] - Minor PeerConnector refactoring and documentation
[ECA-3759] - Service for automatic renewal of remote key bindings
[ECA-3762] - Documentation: Create a security model for PeerConnectors
[ECA-3770] - PeerConnector GUI improvements
[ECA-3775] - Forbid start and return error when background task with
same id exists
[ECA-3777] - ListPeersCommand improvements
[ECA-3778] - Drop concept of capabilities and use regular access rules
framework
[ECA-3781] - Improve peer message format
[ECA-3782] - Stop connection pool and prevent start when peer connector
is disabled or URL changes
[ECA-3784] - More fine grained access rules for peer connectors
[ECA-3785] - Disable plain http connections for peers
[ECA-3786] - Shorten peer connector Servlet URL
[ECA-3787] - Option for synchronization dry run
[ECA-3803] - Peer connector system tests
[ECA-3805] - Propagation of peer connection errors to UI
[ECA-3806] - CLI for generic peer connection settings
[ECA-3810] - Minor PeerConnector GUI improvements
[ECA-3811] - Lookup authentication token at pool startup
[ECA-3825] - Allow one AuthenticationKeyBinding to be used per Peer
Connector
[ECA-3833] - JEE5 support for enterprise edition only SSBs
[ECA-3839] - Use one connection pool per outgoing id instead of URL
[ECA-3840] - Cache PeerOutgoingInformation objects
[ECA-3846] - More fine grained errors than UnknownMessageTypeResponse
without information leakage
[ECA-3850] - Use separate GlobalConfiguration for peer connections
[ECA-3867] - Correct peer module license headers
[ECA-3876] - Statedump support for peer connectors and configuration
[ECA-3881] - Improve error message when peer responds with an unknown
or broken message
[ECA-3882] - PeerConnector: Ugly errors when using illegal characters
in URL
[ECA-3898] - Adjust logging of handled failures during peer publishing
[ECA-3899] - Show mismatched access rules for incoming peer
authorization instead of fixing it
[ECA-3923] - Handle additional server side certificate end entity alias
from PeerConnectionsTest
[ECA-3928] - Rename Remote Systems menu item to "Peer System"

New Feature
[ECA-3705] - Create a plugin interface for rules
[ECA-3800] - get the certificate of an ocsp keybinding
[ECA-3885] - New signature algorithm SHA512withECDSA

Task
[ECA-3962] - EJBCA Enterprise feature

EJBCA 6.2.7, 2015-01-14


---
Bug
[ECA-3902] - Update EJBCA user guide documentation
[ECA-3973] - OCSP key renewal for all keys leads to NPE when logging
[ECA-3977] - Regression: CMP algorithmId lacking DERNull when using PKCS#11
[ECA-3978] - End entities aren't sorted in statedump output
[ECA-3983] - External CAs turn up on the "CA Activation" list.
[ECA-3991] - CertTools.stringToBcX500Name fails for sn=#foo
[ECA-3994] - ejbca-db-cli copy command does not work due to invalid temp
files
[ECA-3995] - Upgrade documentation for CMP has wrong ordering of arguments
[ECA-4000] - Potential security issue without known exploit
[ECA-4007] - "Certification Authorities" and "Publishers" missing from admin
menu with access rule /ca_functionality (recursive, accept)
[ECA-4009] - Post upgrade fails when old admin groups don't exist
[ECA-4014] - CRL Downloader doesn't store empty CRLs
[ECA-4019] - Wrong error message for Name Constraint violations with short
subject DNs

Improvement
[ECA-3798] - Statedump: Incorrect number of end entity profiles are logged as
exported
[ECA-3970] - Log in OCSPResponder when revoked OCSP certificates are read to
the cache
[ECA-3984] - Debug log HTTP response body on CT log error
[ECA-3985] - Edit CA page load is slow with many keys in referenced Crypto
Token
[ECA-3986] - Optimize CAToken.getTokenStatus
[ECA-3989] - Allow recovery from a bad upgrade of CA Tokens to CryptoTokens
[ECA-3992] - Remove critical BC warnings in order to upgrade BouncyCastle to
version 1.51
[ECA-4008] - Port adjustable transaction timeouts to JBoss 7 / EAP 6
[ECA-4017] - Remove database lookups that can be read from cache
[ECA-4024] - Add a [?] link from the User Data Sources page to the admin
guide

New Feature
[ECA-4006] - Add test for legacy subject encoding with override enabled via
CMP

EJBCA 6.2.6, 2014-12-03


---
Bug
[ECA-3608] - EJB CLI cryptotoken create command issues
[ECA-3828] - Regression: HttpMethodsTest and WebdistHttpTest test failures
[ECA-3862] - Security Issue
[ECA-3931] - Key recovery fails when user data has changed CA
[ECA-3933] - Symmetric keys in crypto token's HSM slot prevent listing of
slot keys
[ECA-3935] - Regression: Wrong key length used when creating keystore from
public web
[ECA-3936] - Extra space at end of line in transaction log.
[ECA-3937] - Result of stand-alone JUnit tests are discarded during ant
test:run
[ECA-3943] - Fix ServiceManifestBuilderTest
[ECA-3944] - superadmin.cn value lacks quotes in cli.xml
[ECA-3948] - OCSP log values ISSUER_NAME_DN and SIGN_ISSUER_NAME_DN contain
SERIALNUMBER= instead of SN=
[ECA-3958] - Cannot create new CertSafe publisher
[ECA-3969] - Default OCSP responder is not used for external CAs without OCSP
key binding
[ECA-3972] - PKCS#11 keys aren't extractable when they should be

Improvement
[ECA-3916] - WS: Return the EndEntity/Certificate profile of a specific
profile ID
[ECA-3927] - Make systemtests.properties available to peer module and PKCS#11
system tests
[ECA-3938] - Add a regression test for ocsp.nonexistingisrevoked
[ECA-3942] - Improve logging of ServiceManifestBuilderTest failures
[ECA-3954] - Improve the properties output of InternalKeyBindingListCommand
to show default property values
[ECA-3956] - OCSP response if the requested certificate is revoked is
identical in logs to case where issuer of signing cert is revoked.
[ECA-3967] - Update httpclient and httpcore to latest version

New Feature
[ECA-3939] - Add EV Certificate specific DN components

EJBCA 6.2.5, 2014-11-14


---
Bug
[ECA-3901] - Possible NPE when debug is enabled
[ECA-3906] - Missing key in CryptoToken for mapped purpose in CAToken will
hang healthcheck
[ECA-3907] - CAToken to CryptoToken upgrade failure
[ECA-3909] - InternalKeyBindingMgmtSessionBean.generateNextKeyPair fails if
nextKey already exists

Improvement
[ECA-3723] - Allow verbose preference for CLI
[ECA-3866] - JavaDoc CLI enums
[ECA-3905] - Add instructions how to import certificate profiles in GUI
[ECA-3915] - External RA GUI browser enroll does not work with FF 33 and
later

New Feature
[ECA-3900] - Allow CT log publisher to use HTTP Proxy java system settings

EJBCA 6.2.4, 2014-10-29


---
Bug
[ECA-3633] - CMP response caPubs field contain entity certificate instead of
CA certificate
[ECA-3657] - RA administrator, failure while Approvement
[ECA-3716] - Regression: Externally imported CAs appear in list of signers
when creating a CA
[ECA-3718] - Fix using trusted certificates in Internal Key Binding
[ECA-3776] - Prevent API call from setting InternalKeyBinding status to
"active" if there is no referenced certificate
[ECA-3814] - getcacert does not return CA Certificate
[ECA-3822] - CertSafePublisher.testConnection doesn't test URL properly
[ECA-3834] - CertSafePublisher does not work under JDK6
[ECA-3845] - Certificate Transparency, not selecting any CT log passes
issuance even if Min SCTs is 1
[ECA-3853] - AKID is different from CA SKID in CRLs, if not using SHA1
[ECA-3868] - Attempting to use a non-ocsp certificate for an OCSPKeyBinding
fails silently

Improvement
[ECA-3826] - ant install shows annoying but harmless error messages
[ECA-3843] - Create a link from basic access rules page to documentation
[ECA-3848] - Shift GlobalConfiguration* to CESeCore, make plugin friendly
[ECA-3860] - New call to get registered global configuration types
[ECA-3889] - Allow more than one IKB renewal per second

New Feature
[ECA-3580] - Certificate Transparency: Private Domains
[ECA-3794] - Default OCSP responder improvements

Task
[ECA-3801] - Enterprise feature

EJBCA 6.2.3, 2014-09-25


---
Bug
[ECA-3749] - Batch generation information for end entities in statedumps
ignored during import
[ECA-3755] - Regression: Modifying approval settings when editing a
certificate profile is broken
[ECA-3760] - Possible ClassCastException when using Subset of SubjectDN in
Certificate Profile
[ECA-3763] - InternalKeyBinding.getListOfTrustedCertificates trusts
everything if specified with a non existing certificate
[ECA-3765] - ca init command in cli.xml is missing two switches
[ECA-3779] - Values from first loaded certificate profile are shown and saved
when editing other profiles
[ECA-3783] - Statedump can not export (custom)publisher where all classes are
not on statedump classpath

New Feature
[ECA-3437] - Cert Safe Publisher for EJBCA

EJBCA 6.2.2, 2014-09-03


---
Bug
[ECA-3683] - Statedump: For an uninitialised CA, it appears in its own list
of possible issuers.
[ECA-3687] - Error upgrading old installations to JBoss 7 (jboss
serialization)
[ECA-3692] - Regression: Certificate and CRL store download pages empty after
server restart
[ECA-3695] - 100% upgrade from EJBCA 4 to 6 fails on CertificatePolicy
[ECA-3696] - If there are Ocsp key binding with messed up certificate, you
can get NPE
[ECA-3698] - Clear all caches makes crypto tokens off-line
[ECA-3714] - Authority Information Access is deselected in Certificate
Profiles under some circumstances when upgrading from EJBCA 4 to EJBCA 6
[ECA-3721] - Import of internal key bindings via statedump requires crypto
token to be online
[ECA-3725] - EJBCA CLI prompts twice for the CLI password when using -p
[ECA-3727] - Deprecated (null) extended key usages visible in Certificate
profile
[ECA-3729] - Statedump: Properties object is copied the wrong way when
generating cryptotoken keys from a template
[ECA-3730] - Not finding some OCSP request signer certificate in DB
[ECA-3732] - clientToolbox ocsp test was not updated after that the root
certificate was removed from the certificate chain in the OCSP response.
[ECA-3733] - cryptotoken create command requires attr flag
[ECA-3735] - Statedumped end entities do not keep clear password settings
[ECA-3736] - Unable to "Save and Initialize" externally-signed sub-CA
imported via statedump
[ECA-3744] - InternalKeyBindingCreateCommand misses a null check for missing
cryptotokens

Improvement
[ECA-3688] - "ant build" fails on JBoss EAP 6.2 installed via RPM package
from Redhat repositories
[ECA-3690] - Possible information leakage
[ECA-3691] - Improve message when profile changes name during work in the GUI
[ECA-3707] - Do not generate non-active XKMS and CMS certificates as it can
violate name constraints

New Feature
[ECA-3149] - OCSP responder support for CertId using SHA256 in OCSP requests

Task
[ECA-3703] - Upgrade tomahawk to latest 1.1.14

EJBCA 6.2.1, 2014-08-06


---
Bug
[ECA-3589] - First CRL not created when initialising root CA after statedump
import
[ECA-3613] - Regression: The CLI doesn't parse the value ca.name from
install.properties if it contains spaces.
[ECA-3615] - SECURITY: Security issue
[ECA-3617] - Allow Enterprise Edition to run system tests sans Statedump
[ECA-3620] - Import/export profiles rendered during unrelated operations
[ECA-3621] - Can't save or initialize uninitialized (= statedump imported)
externally-signed CA
[ECA-3635] - Regression: Missing user notice and CPS in certificate policy
extensions
[ECA-3643] - Autoactivate switch in CryptoTokenCreateCommand is obfuscated
[ECA-3645] - CLI complaining about unknown CA with id 0 (Improve output for
unbound admins)
[ECA-3648] - Importing certificate - no email specified error
[ECA-3650] - Changing the Subject DN on an uninitialized
(=statedump-imported) CA causes all extended services to be lost
[ECA-3661] - Statedump can't import PKCS#11 cryptotokens with slots
referenced by label
[ECA-3664] - Invalid key specification for uninitialised key after importing
a statedump
[ECA-3670] - Fix exceptions when excluding system/cmp/admin config in
statedump
[ECA-3675] - Not all defined external RA datasources added in persistence.xml
[ECA-3679] - Regression: CA soft keystore pwd is always default when creating
CA using CLI
[ECA-3685] - Int to Long cast exception upgrading OCSP

Improvement
[ECA-3501] - Create CryptoToken key aliases (needed for InternalKeyBindings)
during statedump import
[ECA-3592] - Update CA IDs for uninitialised CAs when saving
[ECA-3606] - Make HSM system tests configurable
[ECA-3618] - Configurable environment for testAdminWebSecurityHeaders
[ECA-3622] - Fix cosmetic issues with statedump
[ECA-3624] - Hide Name Constraint textboxes for external CAs without keys
[ECA-3625] - Handle external CAs (=without keys) in Statedump
[ECA-3626] - Proper setup of environment for
testAuthenticationWithMissingCertificate
[ECA-3630] - Allow importing Key Bindings in statedump even when key aliases
are missing
[ECA-3638] - Don't include external CAs in statedump export by default
[ECA-3640] - Modifying uninitialised CAs (from statedump) even if keys are
missing/crypto token is offline
[ECA-3662] - Don't export end-entity passwords from statedump
[ECA-3663] - Don't export crypto token auto-activation passwords in statedump
[ECA-3665] - Import all crypto tokens in inactive state during statedump
import
[ECA-3666] - Better error message during statedump export if crypto token is
offline
[ECA-3667] - Show warnings during statedump export for exclude patterns that
did not match anything
[ECA-3668] - Improve options format of statedump tool
[ECA-3669] - Better warning/error output in statedump utility
[ECA-3677] - Do not allow export of CA keystores not protected by password
[ECA-3689] - Improve parameter naming per internal suggestions

New Feature
[ECA-3636] - Statedump CLI command to initialize statedump-imported CA
[ECA-3637] - Ability to limit what is exported in statedump
[ECA-3639] - Placeholders for keys in crypto tokens imported via statedump
[ECA-3642] - Include end entity information in statedump

EJBCA 6.2.0, 2014-06-18


---
Bug
[ECA-3216] - Return unsigned response "unauthorized" when no default
responder configured, or wrongly configured
[ECA-3299] - OCSP request signer verification does an additional database
lookup
[ECA-3454] - Inconsistent skip options for state dump import
[ECA-3481] - Minor security hardening
[ECA-3489] - Fail fast creating CVCCAs when unique certificatedata_idx12 is
enabled
[ECA-3492] - renameRole() tries to change primary key and triggers a
HibernateException
[ECA-3495] - The public part of a key is still on the P11 token after the
private part is removed.
[ECA-3496] - java.lang.IndexOutOfBoundsException when selecting empty crypto
token for internal key binding
[ECA-3499] - Overwriting a CA with StateDump can leave cert/ee profiles in an
invisible state
[ECA-3506] - ejbca-ws-generate target missing dependencies
[ECA-3517] - "Lock wait timeout exceeded" when disabling multiple access
rules with MariaDB Galera
[ECA-3518] - NPE if only period length is provided for private key usage
period
[ECA-3521] - Certificate & End-Entity Profiles with missing CAs become
invisible, even for superadmin
[ECA-3534] - NullPointerException when adding a user without password
[ECA-3535] - State dump unselects "Any CA" from profiles during import
[ECA-3536] - ejbca-db-cli does not work since change to use ServiceLocator
[ECA-3537] - Clean up exception handling in CertificateCreateSession
[ECA-3551] - Certificates are not submitted to CT when generated from CLI,
etc.
[ECA-3582] - CMP can not handle some valid CSRs.
[ECA-3587] - Update default Modifiable Fields in User Data Sources
[ECA-3588] - Regression: PrintableString encoding for DNs does not work
[ECA-3594] - Security related
[ECA-3596] - Creating limited CertificateData fails with certain databases
[ECA-3605] - Error when trying to create authenticated CVC CSR

Improvement
[ECA-631] - Enforce naming constraints present in CA-certificates
[ECA-2126] - Certificates that are issued in revoked state should never be
active
[ECA-2690] - Create a CLI parameter handler
[ECA-3320] - Simpler format for specifying CA validity dates
[ECA-3468] - Implement statedump Subject DN renaming properly inside EJBCA
[ECA-3477] - Give focus to incorrectly marked fields in edit CA page
[ECA-3482] - Minor security hardening
[ECA-3483] - Minor security hardening
[ECA-3484] - Minor security hardening
[ECA-3490] - ICAO Master List Signer extended key usage
[ECA-3491] - Allow system tests to target non-localhost interface
[ECA-3494] - Suppress repeated OcspSigningCache warnings
[ECA-3502] - Allow system tests to use HSM when available
[ECA-3503] - SSB cached in CertificateCache
[ECA-3509] - ExternalRA: Oracle Database Support in database mapping setup
[ECA-3510] - Replace references to java.util.Vector
[ECA-3513] - Audit log when a CT pre-certificate is generated and sent to a
log
[ECA-3515] - SCEP: Rewrite the configuration process to use one URL and
multiple aliases
[ECA-3516] - SCEP: Implement configuring SCEP in the AdminGUI
[ECA-3519] - Minor security hardening
[ECA-3524] - Improve memory usage during CRL generation
[ECA-3525] - Do not use the HSM for hashing when signing data
[ECA-3531] - SCEP: Remove DefaultCA configuration
[ECA-3532] - Fix documentation of the command "ejbca.sh config cmp
uploadfile"
[ECA-3538] - clientToolBox p11 test multiple times in same jvm, to test if
objects on a p11 token can be updated from another application.
[ECA-3540] - External RA: Oracle Database mapping support in RA GUI
[ECA-3544] - Make error messages and success messages easier to distinguish
[ECA-3547] - GUI: Better item order for the System Functions menu
[ECA-3555] - CLI: able to list key bindings with non existing cryptotokens
[ECA-3557] - Add simplified CAInfo constructors
[ECA-3561] - Request subCA certificate from external CA without uploading the
chain
[ECA-3565] - Rewrite Certificate Profile page in JSF
[ECA-3566] - Encapsulate HashID properly
[ECA-3569] - Effectivize the reloading of CaCertificateCache
[ECA-3572] - Use JavaScript for certificate installation redirect in public
web
[ECA-3579] - Remove CERT_TEMP_REVOKED since it's not used

New Feature
[ECA-688] - Import / Export profiles from WebUI
[ECA-2114] - Rename EJB CLI for fetching CA certificates from getrootcert to
getcacert
[ECA-3109] - Add native support for Name Constraints
[ECA-3123] - ICAO DocumentType List certificate extension
[ECA-3124] - Add the Issuer Alternative Name certificate extension to the GUI
[ECA-3530] - Ant targets for creating source and binary releases of CESeCore
[ECA-3542] - Support for IE11 in Public Web
[ECA-3543] - Support IE11 in External RA GUI
[ECA-3559] - Service for populating database with revocation status of
certificates from CRL
[ECA-3584] - Choice of token type in Public Web self-registration page

Task
[ECA-3394] - French language files updated for the new functionalities
[ECA-3419] - CAAdminSessionBean.exportCAKeyStore throws Exception
[ECA-3478] - Have all system tests write results to the same directory
[ECA-3546] - French language files updated for SCEP Configuration
[ECA-3420] - Convert all EJB CLI commands to the new standard

EJBCA 6.1.3, 2014-04-28


---
Bug
[ECA-3520] - CAs from statedump signed by external CA cannot be initialised
[ECA-3523] - Backport Statedump bug fixes to 6.1
[ECA-3526] - GUI: Missing l10n message keys in CMP Alias Edit page
[ECA-3527] - GUI: Misspelled DN attribute in CMP Alias Edit page

EJBCA 6.1.2, 2014-04-09


---
Bug
[ECA-3514] - Browser enrollment link is generated with incorrect encoding

EJBCA 6.1.1, 2014-03-27


---
Bug
[ECA-3479] - Regression: OCSPSigningCache debug causes an NPE for internal OCSP
default responders
[ECA-3480] - Regression: Creating a CA in Adminweb issues Stacktrace
[ECA-3485] - Regression: Certificate Profiles with EAC 2.10 AT role doesn't
work with database protection
[ECA-3487] - Regression: Unique certificatedata_idx12 is not detected

EJBCA 6.1.0, 2014-03-24


---
Bug
[ECA-3179] - Regression: NoTicket (r17302) introduced a dependency on EJBCA in
a CESeCore test class
[ECA-3182] - Regression: ECA-2988 introduced a dependency on EJBCA in a
CESeCore test class
[ECA-3427] - Syntax for jboss-cli.bat through ant targets fails in Win
[ECA-3432] - CertificateCreateException: java.lang.NumberFormatException: For
input string: "LU002" when trying to create a foreign DVCA
[ECA-3433] - OcspResponseGeneratorSessionBean.init should not throw
AuthDeniedException
[ECA-3435] - JUnit failure in PublisherTest when DB protection enabled, add
subjectKeyId to CertificateInfo
[ECA-3439] - Creating a CA with DN: <anyfield>=, creates a
StringIndexOutOfBoundsException
[ECA-3447] - Regression: serial numbers in administrator list are not clickable
[ECA-3452] - Make sure that decline+recursive rules aren't saved from the GUI
[ECA-3455] - Files missing from cesecore-common.jar
[ECA-3457] - Unnecessary WARN message
[ECA-3458] - Ant paths don't work on Windows via jboss-cli
[ECA-3460] - State dump tool does not import any data with "-overwrite no"
[ECA-3467] - Mail from address is not configured
[ECA-3470] - SCEP operations may fail when using an HSM

Improvement
[ECA-3348] - Add individual OCSP get cache settings for revoked, unknown and
good responses
[ECA-3351] - OCSP: don't include root certificate in response certificate chain
[ECA-3411] - Use SHA256WithRSA as default for ManagementCA
[ECA-3429] - Compile on Glassfish 4
[ECA-3430] - Compile on WildFly 8
[ECA-3434] - Upgrade Guava library in order to deploy in JEE7 container
[ECA-3440] - Support running clientToolBox EjbcWsRaCli with IBM java
[ECA-3443] - Allow empty values for start and end time without printing
'invalid' when adding end entity
[ECA-3445] - Document how to use slotLabels with clientToolBox
[ECA-3461] - Add encryption key information to key recovery data in database
[ECA-3472] - Improve usability of edit CA page by marking required fields

New Feature
[ECA-3133] - Support RFC6960 extension for client requested algorithm selection
[ECA-3350] - OCSP: Add option to include signer certificate or not
[ECA-3415] - CVC access control template for additional DGs
[ECA-3444] - Allow longer certificate serial numbers than 64 bits
[ECA-3449] - Show issuer and serialNumber after public web enroll

Task
[ECA-3450] - Update the Public Web logo filename for better integration

EJBCA 6.0.4, 2014-02-20


---
Bug
[ECA-3055] - Not authorized to edit publisher when publisher cache disabled
[ECA-3198] - Regression: ECA-2973 introduced a dependency on EJBCA in CESeCore
test code
[ECA-3210] - CA upgrade when ExtRACAServiceWorker fails to persist
[ECA-3337] - KeyBind EJB CLI fingerprint reference is case sensitive
[ECA-3361] - Cannot deploy with web-services disabled
[ECA-3364] - ExternalRA: Allow SCEP GetCACaps without message parameter
[ECA-3366] - Syntax in jboss-cli.bat for passing commands fails in Win
[ECA-3372] - OCSP Archive Cutoff can give NPE
[ECA-3373] - init() method is not called on OCSP extensions
[ECA-3375] - CLI ca restorekeystore gives exception for soft ca
[ECA-3382] - Test files have lost character encoding, change source file
encoding to UTF-8
[ECA-3383] - CertTools.genPKCS10CertificationRequest does not use the specified
provider
[ECA-3386] - httpserver.external.privhttps default to 8443 even though
httpserver.privhttps is set to something else
[ECA-3387] - Can not edit Sub CA signed by external CA
[ECA-3388] - editcapage.jsp contains a slightly confusing help text
[ECA-3389] - OCSP key binding properties visible for authentication key binding
[ECA-3392] -
InternalKeyBindingDataSessionBean.getInternalKeyBindingForEdit(int) throws NPE if
no value was found.
[ECA-3395] - Proper handling of certificate import/update when base64cert is
not populated
[ECA-3396] - InternalKeyBinding error using Postgres 9
[ECA-3397] - Subject key ID not published by VA publisher
[ECA-3398] - java.lang.IllegalArgumentException thrown when importing OCSP key
binding certificate
[ECA-3399] - Incorrect error message when editing uninitialised CAs if private
keys are missing
[ECA-3401] - Can not generate keys on soft crypto token with allowExport=false
[ECA-3403] - Admin GUI create CRL fails with UTF-8 encoded CA DN
[ECA-3405] - StateDump test fails because of refactorization
[ECA-3406] - Trying to delete a non-existing keybinding causes NPE
[ECA-3408] - StateDump import overwrites CAs with the same name without asking
[ECA-3410] - StateDumpTest needs Hibernate compatibility jar
[ECA-3421] - Upgrade jar file
[ECA-3423] - Fix statedump overwrite response handling and test

Improvement
[ECA-2828] - Document authorization rules in EJBCA
[ECA-2982] - Add option to 'bin/ejbca.sh ca republish' command to republish
only CA certificate and CRL
[ECA-3081] - Improved error message during batch generate when using invalid
key size
[ECA-3082] - Improve message about configuration during batch generate
[ECA-3150] - Remove scripts used on ejbca.org from bundled documentation.
[ECA-3169] - Improve wording of some options of "Externally signed CA"
[ECA-3290] - Cache headers still present for OCSP responses containing nonce
[ECA-3365] - Audit log Internal Key Binding operations
[ECA-3370] - Allow import of OCSP certificates with non-repudiation key usage
[ECA-3371] - Make JBoss EAP 6 specific physical file deployment of BC provider
[ECA-3374] - Add JUnit test for OCSPUnidExtension
[ECA-3384] - Add a password argument to CaImportCACommand
[ECA-3385] - Move audit implementation classes to cesecore-ejb-interface
[ECA-3404] - StateDump test should run from test:runsys when available
[ECA-3407] - Optimize JBoss reload during deploy
[ECA-3409] - Sort XML in statedump exports in a deterministic order
[ECA-3424] - Regression: All cli commands print out loading batch properties
from default

Master Ticket
[ECA-3355] - Implement Certificate Transparency

Task
[ECA-3368] - Deploy on JBoss EAP 6.2.0 has disabled datasource by default
[ECA-3380] - Move keybinding implementation classes from cesecore-ejb-interface
to cesecore-common
[ECA-3400] - Shift OcspExtension* to cesecore-common from
cesecore-ejb-interface

Sub-task
[ECA-3377] - Create unit tests for all CLI Commands

EJBCA 6.0.3, 2013-12-30


---
Bug
[ECA-3293] - Customer specific LDAP Publisher should use correct time in
loginfo attribute
[ECA-3297] - Other Rules for Supervisor role is not cleared if previously
selected for another role type
[ECA-3339] - Statedump doesn't delete certain .jar files on "ant clean"
[ECA-3341] - Creating internal key binding with CLI does not consider types for
property values
[ECA-3344] - Regression: PKCS11 sun config does not work
[ECA-3345] - Regression: Max-Age and Response validity no longer
visible/editable for ocsp key bindings
[ECA-3346] - CMP Config CLI command should use lazy instantiation of remote EJB
[ECA-3349] - EJBCA deployment not working in WINx64 due to PKCS11
[ECA-3360] - Ejbca deployment tries to use jboss-cli.sh instead of
jboss-cli.bat on windows
[ECA-3367] - Editing Key binding integer/long values in GUI removes the value
(becomes default 0)

Improvement
[ECA-3289] - Do not cache "Unknown" OCSP GET responses
[ECA-3347] - Modify EJB CLI to use ServiceLocator
[ECA-3352] - Faster CLI start, use lazy instantiation in EJB CLI
[ECA-3359] - Move authentication tokens from cesecore-interface to
cesecore-common

New Feature
[ECA-3314] - OCSP Archive Cutoff
[ECA-3332] - Add Extended Revoked Definition OCSP extension when returning
revoked for non existing certificate
[ECA-3335] - Create a standalone manifest builder tool

Task
[ECA-3316] - Modularize EAC
[ECA-3338] - Modularize CMP vendor CA mode
[ECA-3340] - Modularize ValidationTool
[ECA-3342] - Make JUnit tests run for EJBCA Community

EJBCA 6.0.2, 2013-11-29


---
Bug
[ECA-2449] - Creating a CA without a valid SubjectDN causes double JS popups.
[ECA-3321] - Improve CMP configuration user interface
[ECA-3324] - Quote arguments of ca init during install
[ECA-3327] - SaferDailyRollingFileAppender extends wrong base class
[ECA-3328] - OCSP Signing cache should handle cache discrepancies gracefully
[ECA-3331] - EJBCA does not deploy without ejbca-db-cli sources available
[ECA-3334] - Change untilNextUpdate and maxAge properties in OcspKeyBinding
from Integer to Long

Improvement
[ECA-3132] - Support returning "revoked" for unknown certificates in line with
RFC6960
[ECA-3309] - Some versions of MySQL picks bad index mixing OR and AND
[ECA-3318] - CMP: Include certificate chain in certificate responses
[ECA-3323] - Reload OCSP cache manually
[ECA-3325] - Minimize locking in audit log's sequence counter

EJBCA 6.0.1, 2013-11-19


---
Bug
[ECA-3302] - Escaping of user-provided data when no characters are forbidden
[ECA-3303] - SECURITY: XSS issue
[ECA-3306] - Leaving out "Validity" with Javascript disabled gives an exception
[ECA-3307] - Renamed CAs not be overwritten by statedump
[ECA-3308] - OCSP HealthCheck does not work with InternalKeyBindings
[ECA-3310] - Wrong items are selected in uninitialized CAs

Improvement
[ECA-3295] - Allow editing most fields in uninitialized CAs
[ECA-3301] - Unify error messages for invalid username and pwd
[ECA-3312] - Can't create CAs with DSA extended services key
[ECA-3313] - Problems with extended services and uninitialized (statedumped)
CAs
[ECA-3317] - Allow import even if not all files exist

Master Ticket
[ECA-3296] - Improve Statedump usability and fix bugs

New Feature
[ECA-3311] - Ability to choose names to not overwrite during statedump import

Task
[ECA-3305] - Modularize database integrity protection and database cli

EJBCA 6.0.0, 2013-11-08


---

Bug
[ECA-1015] - A ' is valid in an email address - but gets stripped by EJBCA.
[ECA-1640] - Sample code for advanced custom extension missing some arguments
[ECA-1947] - LDAPPublisher have problems with comma in DN
[ECA-2144] - ExtRA PKCS10Request does not set user status to FAILED after
failed requests
[ECA-2150] - SignSessionTest.test37privateKeyUsagePeriod_both fails randomly
[ECA-2159] - Password not cleared issuing keystores
[ECA-2200] - CA defined certificate policy ignored when renewing CA
[ECA-2330] - Build failure for External RA with OpenJDK if JavaScript is not
available
[ECA-2365] - OCSPCAService upgrade on every startup
[ECA-2393] - Create Certificate Authority Page only gives blank page on wrong
validity input
[ECA-2442] - Multiple selectable email addresses in rfc822 altName gives
wrong display in edit end entity
[ECA-2477] - Import CA does not generate initial CRL
[ECA-2527] - Wrong exception thrown in HardTokenSessionBean for some errors.
[ECA-2534] - Regression: Not checking that the administrator has the role
defined in the hard token issuer any more.
[ECA-2547] - clientToolBox StressTestCommand always logs an error when a
certificate is returned
[ECA-2669] - Still possible to create DECLINE RECURSIVE rules in CLI
[ECA-2689] - Misleading error message in JBoss log while trying create a sub
CA from the CLI when the root CA is offline.
[ECA-2719] - Download of certificates from Admin GUI fails in Chrome when
using "strange" usernames
[ECA-2734] - OCSP rekeying not implemented in trunk yet.
[ECA-2794] - EJB and WS CLI have bad type outputs
[ECA-2815] - OcspExtensionsCache should be made thread safe
[ECA-2834] - Unhelpful error message when changing permission rules for
non-existing end entity profile in CLI
[ECA-2860] - Default CRL overlap time is set to 10 hours instead of 10
minutes for imported CA
[ECA-2863] - CMP FailInfo codes are sent as incorrect codes
[ECA-2865] - rfc822Name field can be edited when adding new end entity even
if not marked as modifiable
[ECA-2877] - ant test:run breaks installation. Figure out why and fix
[ECA-2894] - Messing up the Validity field in Certificate Profiles gives no
warning
[ECA-2905] - PrivateKeyUsagePeriod not matching notBefore of certificate when
using validityOverride
[ECA-2914] - Filename of downloaded keystore file is truncated
[ECA-2918] - Clear all caches gives bad error message when host can not be
reached
[ECA-2921] - Deprecate InitializeHardTokenIssuing
[ECA-2923] - JUnit class junit.framework.Assert has moved to org.junit.Assert
[ECA-2934] - Revoking a CA revokes all issued certificates, but with fixed
reason
[ECA-2940] - Ant target test:runsys broken
[ECA-2952] - Update to new logo in renewal pages
[ECA-2958] - Wrong comments about PrimeCard
[ECA-2961] - Button for viewing CA certificate chain has incorrect text
[ECA-2964] - Native query mapping using MariaDB
[ECA-2977] - ProviderException not handled in BaseCryptoToken
[ECA-2989] - AccessTreeCacheTest can fail if reading the configuration takes
too long time
[ECA-2994] - Broken property "xkms.response.causedforsigning" in
defaultvalues.properties
[ECA-2996] - Update/set CryptoToken auto-activation PIN from EJB CLI
[ECA-3024] - Error during startup with integrity protected audit disabled
[ECA-3031] - Support EC key generation with ClientToolBox
[ECA-3035] - CA and CryptoToken creation not handled in a transaction.
[ECA-3036] - Cryptotoken prevents a CA to be created with the same name as a
previous one.
[ECA-3046] - Help reference for Windows Autoenroll broken
[ECA-3052] - Minor authorization issue
[ECA-3054] - OcspResponseGeneratorSessionBean merely logs a failed signature
attempt
[ECA-3056] - Issue PEM with full certificate chain from Public Web
certificate request
[ECA-3057] - CryptoTokenManagement logs success deletion even if no crypto
token is deleted
[ECA-3058] - CryptoTokenManagement logs success before action is tried
[ECA-3061] - Clean-up CAInterface bean and dependencies
[ECA-3065] - NPE: Inactive (including unsigned) CAs should be ignored by the
OCSP Signing Cache
[ECA-3072] - Cmp default CA setting is DN in one place and CA name in another
[ECA-3074] - CMP TCP sets log level to FINEST for JBoss 7/EAP6
[ECA-3079] - Close all existent resource leaks
[ECA-3087] - 'bin/ejbca.sh ca info <unknownca>' tosses stacktrace instead of
helpful error message
[ECA-3088] - Test missing for creating a subca from CLI
[ECA-3096] - 'ra finduser' command outputs password as 'null' if hidden.
[ECA-3098] - Regression: Home screen in Admin GUI shows online CAs to be
offline for some roles.
[ECA-3101] - Regression: RequestMessage.getRequestX500Name returns
SERIALNUMBER instead of SN
[ECA-3103] - Test failures because of left over stuff in database
[ECA-3107] - Investigate strange output from OCSP
[ECA-3111] - JBoss 7 / EAP 6 always binds to 127.0.0.1
[ECA-3113] - JBoss 7: Can't run ant install on HS with blank password
[ECA-3115] - JBoss EAP 6 freezes with WS stress test with 30 threads
[ECA-3117] - client toolbox p11 multi thread test fails when slot is given
with TOKEN_LABEL.
[ECA-3121] - Regression: OCSP signing cache may fail to load on startup
[ECA-3129] - Keystore is used instead of truststore for validating client
certificates
[ECA-3131] - Encode EC private keys in generated PKCS#12 keystores with
NamedCurves
[ECA-3134] - JBOSS 7 / EAP 6 fails in deployment
[ECA-3138] - External RA IE cert enroll ignoring (override) of encryption
provider selection
[ECA-3141] - Regression: ECA-3056 introduced a dependency on EJBCA in
CESeCore code
[ECA-3142] - Regression: ECA-2973 introduced a dependency on EJBCA in
CESeCore code
[ECA-3143] - Regression: ECA-3056 introduced another dependency on EJBCA in
CESeCore code
[ECA-3176] - Regression: Keys possible for CA renewal are only RSA
[ECA-3177] - Data is not validated before being passed to
org.bouncycastle.util.encoders.Base64.decode in findActiveCertificatesByType
[ECA-3183] - Healthcheck failure when there are not active OcspKeyBindings
[ECA-3184] - JBOSS7 /EAP 6 fails in installation
[ECA-3186] - Regression: Custom certificate extensions added to
certextensions.properties
[ECA-3188] - Document Internal Key Bindings
[ECA-3197] - ClientToolBox requires that CA certificate be included CSP
response in order to verify
[ECA-3200] - Healthcheck status is enabled when editing a CA
[ECA-3203] - Disable of CryptoToken auto-activation takes token offline
[ECA-3207] - Regression: ad-hoc upgrade of PKCS#11 keystore on VA responder
not working
[ECA-3209] - Regression: OCSP default responder configuration uses subject
instead of issuerDN
[ECA-3212] - Internal Key Binding certificate link has caid=0
[ECA-3213] - Regression: CA healthcheck does not check token status
[ECA-3215] - Roles renamed with RoleManagementSessionBean.renameRole get
wrong primary keys
[ECA-3219] - OcspKeyBinding contains values that become cast to BigDecimals
instead of Integers
[ECA-3220] - Regression: Reload OCSP signing cache uses wrong timer property,
and a value of 0 makes timers go crazy
[ECA-3221] - Can't edit an OCSPKeyBinding without filling Serial Number (for
Trusted Certificates) field.
[ECA-3223] - When new CA is generated with soft keys, unwanted warnings
appear in jboss log
[ECA-3224] - Trying to create Internal Key Binding without crypto tokens
gives NPE
[ECA-3227] - DirectoryCache should catch errors in initialization
[ECA-3234] - Hard Token Functionality header printed twice
[ECA-3235] - Unwanted warning in jboss-log when we create keys through
AdminGUI
[ECA-3237] - cmpTcpProxy fails to start, missing defaultvalues.properties
[ECA-3239] - InternalKeyBindings with a deleted CryptoToken throw NPE when
trying to view/edit
[ECA-3242] - Errors in jboss log when 'ca createcrl' and some CAs are not
active
[ECA-3246] - Unwanted warning in jboss-log when running
AuthenticationModulesTest
[ECA-3251] - Activating/deactivating CA logs as Crypto Token
activated/de-activated
[ECA-3266] - EndEntityManagementSession.addUser throws a strange exception
[ECA-3269] - Unwanted warning in jboss-log when running XKMSKRSSTest
[ECA-3270] - Test 'testPublisherOperations' fails when running
EjbcaWsCommonCriteriaTest
[ECA-3271] - External CESeCore configuration override is read from the wrong
location
[ECA-3274] - Unwanted warnings in jboss-log when running RAApiTest
[ECA-3276] - Unwanted error in jboss-log when running CrmfRARequestTest
[ECA-3277] - Unwanted warning in jboss-log when running
NestedMessageContentTest
[ECA-3279] - Fix issues in OCSP TransactionLogger
[ECA-3280] - Upgrade instructions need to be updated for JBoss 7 / EAP 6.1
[ECA-3281] - Fix upgrade message from 4.x to 6.0
[ECA-3284] - ValueExtractor fails for ApprovalId Integer in DB2
[ECA-3286] - Browser enroll Firefox does not take configured encoding into
account
[ECA-3287] - OCSP signing exhausts threadpool after some time
[ECA-3288] - Saving "Other rules" when edit access rules does not work
[ECA-3294] - Security issue
[ECA-3300] - OCSP Transaction Logger outputs a newline between each log entry

Improvement
[ECA-519] - Move configuration file from bin/ to conf/
[ECA-786] - Email notification cannot be edited correctly
[ECA-1010] - Simplify installation procedure
[ECA-1398] - Enforce PrivateKeyUsage period when CAs issue certificates
[ECA-1594] - HashCode of Subject/Issuer DN in a certificate is not always the
same as CA Id
[ECA-1814] - Make non consecutive ID possible for Extended Key Usage
[ECA-2023] - Trim the values in catoken.properties when importing a CA from
CLI
[ECA-2049] - Constants in CertificateHelper should be final
[ECA-2164] - test01PinServiceToNodesIncludingThis is failing randomly
[ECA-2208] - Move authorization for hard tokens into hard token session bean
and remove authorization caching.
[ECA-2225] - server TLS for mail requires manual configuration
[ECA-2367] - Refactor CrlCreateSession for CRL publishing
[ECA-2492] - Improve mysql-privileges script to allow users at different
hosts etc
[ECA-2500] - Upgrade to BC v1.47
[ECA-2510] - Move methods in PublisherQueueSessionBean to local only.
[ECA-2528] - Clean SecConst
[ECA-2540] - Improve support for ipv6 in subjectAltNames
[ECA-2545] - SCEP GetCaCert operation doesn't support empty message
[ECA-2554] - CMP: Need better error message when a request is not signed by
the sender
[ECA-2558] - Improve the run times of some system tests
[ECA-2561] - CMP: Remove repeated code to return the value
cmp.authenticationparameter
[ECA-2565] - Move CliAuthenticationToken to authentication component
[ECA-2566] - Disallow server generated tokens when user submits a CSR in
public web
[ECA-2568] - CMP: improve ConfirmationMessageHandler
[ECA-2582] - Make an enum for end entity types
[ECA-2623] - Use new BC API for CRL creation.
[ECA-2628] - Use BC CMP classes instead of Novosec
[ECA-2641] - Use BC 1.47 OCSP classes
[ECA-2680] - Clean HardTokenSessionBean of unnecessary AuthenticationToken
parameters.
[ECA-2683] - Clean authorization handling in AdminPreferenceSessionBean
[ECA-2684] - Clean authorization in CertReqHistorySession
[ECA-2685] - Clean authorization in KeyRecoverySessionBean
[ECA-2686] - Clean Authorization in ServiceSessonBean
[ECA-2692] - Handle HSM timeouts - handle timeouts elegantly.
[ECA-2725] - CAInfo.setValidity should have long parameter
[ECA-2752] - Deprecate and stop using UserDataConstants. Use
EndEntityConstants instead
[ECA-2757] - Add more getters and setters and null checks, use Lists instead
of Collections where needed.
[ECA-2793] - Improve javadoc for RoleManagementSession
[ECA-2800] - Move OCSPUnid* classes from org.ejbca.core.protocol.ocsp to
org.ejbca.core.protocol.ocsp.extension.unid
[ECA-2807] - Remove PrimeCardHSM references from documentation
[ECA-2821] - Increase concurrency in stand alone tests
[ECA-2826] - RoleManagementSessionBean requires additional authorization
checks
[ECA-2840] - ant javatruststore -Dtrust.keystore parameter is treated
relative to the ejbca/bin/ directory
[ECA-2857] - EndEntityAccessSession.findUserBySubjectAndIssuerDN should
return a List
[ECA-2864] - Change the wording for the E-mail Domain option in end entity
profiles
[ECA-2879] - Add custom serialno test that fails when there is no unique
index
[ECA-2895] - Provide ability to provide the administrator password through
file for new admins roles GUI with CLI user
[ECA-2903] - Simplify AuthenticationToken framework
[ECA-2908] - Support ECC for CMP signature protection
[ECA-2917] - Rename AdminCA1 to ManagementCA
[ECA-2941] - Unclear description of CRL publishing conditions in Validation
Authority Publisher
[ECA-2943] - Modularize the CESeCore source tree
[ECA-2948] - Improve handling of default profiles when using CMP RA mode
[ECA-2957] - Add known PKCS#11 libraries as default available
[ECA-2965] - Allow password to be supplied via command line for clientToolBox
PKCS11HSMKeyTool generate
[ECA-2970] - Log remote IP for ADMINISTRATOR_LOGGED_IN events and web service
access
[ECA-2978] - Database connection problems can give stacktrace with no msg
[ECA-2986] - Property for hiding manual classpath entry from custom
publishers and services
[ECA-2987] - Add debug logging in AccessTreeCacheTest
[ECA-3016] - Ugly errors creating CA with CLI when CryptoToken or CA already
exists
[ECA-3018] - Exception classes should end with "Exception" not "Error"
[ECA-3020] - Fix tests using incorrect values for CRL settings
[ECA-3022] - Turn off autocompletion of password on public web
[ECA-3026] - Have parameters outputted from localized messages even if not
found
[ECA-3027] - Improve CMP configurations possibilities
[ECA-3028] - Make possible using custom CMP configurations through alias in
the URL
[ECA-3030] - Make possible to edit CMP configurations in the AdminGUI
[ECA-3033] - Upgrade BC from 1.49b01 to 1.49b15
[ECA-3062] - Simplify certificate enrollment page
[ECA-3064] - Disable CertReqHistory by default for new CAs
[ECA-3069] - Replace deprecated class
org.bouncycastle.jce.PKCS10CertificationRequest with
org.bouncycastle.pkcs.PKCS10CertificationRequest
[ECA-3091] - Detect browser directly instead of using of via the log-in page
[ECA-3093] - Re-sort menu options in Admin GUI alphabetically
[ECA-3094] - Update nomenclature in CLI
[ECA-3099] - Add a "result page" after certificate enrollment has been
performed
[ECA-3102] - Public Web: rename password to enrollment code
[ECA-3104] - Default key length for batch generation should be 2048, not 1024
[ECA-3105] - Introduce ability of not having any QC statements in the QC
extension in certificate profile configuration
[ECA-3106] - Keylength defaults should be 2048 not 1024
[ECA-3108] - Encoding of MS Certificate Template Name extension should be
BMPString
[ECA-3112] - Limited admins in admin GUI spams with INFO logs
[ECA-3136] - Support listing of PKCS#11 slots in the AdminGUI by token label
[ECA-3145] - Clean up left overs of EJBCA OCSP code
[ECA-3166] - Use better wording for Certificate Request Data in Admin GUI
[ECA-3175] - Clear All Caches button should also clear GUI session cache
[ECA-3189] - CMP: Read the CA from the relevant End Entity instead of from
the request or cmp.defaultca
[ECA-3190] - CMP: Enforce configuration of EndEntityCert authentication
module for KeyUpdate request
[ECA-3191] - CMP: Improve the conditions and readability of CMP
authentication modules
[ECA-3206] - CMP: Remove PBE authenticating of ConfirmMessage
[ECA-3218] - OCSP cache update logs access control
[ECA-3243] - Editing Internal Key Bindings is slow
[ECA-3244] - Error message about OCSP key renewal although renewal is
disabled
[ECA-3245] - Clean up and format the UPGRADE document
[ECA-3247] - Unwanted warning in jboss-log when running CrmfRAPbeRequestTest
[ECA-3254] - Unwanted warning in jboss-log when running CmpRaThrowAwayTest
[ECA-3257] - Exception cancelling already cancelled OCSP renewal timers
[ECA-3259] - unwanted warning in jboss-log when running
ProtocolOcspSignedHttpTest
[ECA-3262] - Make saving global and cmp configuration safe
[ECA-3263] - Allow AnyCA to be the only selected available CA in EEPs
[ECA-3285] - Datasources should have validate-on-match=true in order to
reconnect from failures

Master Ticket
[ECA-3049] - Optimize trunk
[ECA-3116] - Possibility to Export/Import all CA configurations (a.k.a "The
Great Dump")
[ECA-3252] - CMP log fixes for CC test plan
[ECA-3261] - Master ticket for OCSP log tickets

New Feature
[ECA-862] - Command for ascii/XML dump of CA installation
[ECA-1866] - WS-API to get last CRL for a CA
[ECA-1998] - Support for GOST R digital signature and hash algorithms
[ECA-2066] - Support for JBoss 7.1 and EAP 6
[ECA-2621] - cert-cvc: upgrade to work with BouncyCastle (BC) v1.47
[ECA-2691] - Handle HSM timeouts - allow creation of pure keepalive services
from GUI/CLI
[ECA-2722] - Validation/conformance tool for certificates and OCSP responses
[ECA-2780] - Integration of DSTU4145-2002 in EJBCA
[ECA-2801] - Manage HSM keys from web GUI
[ECA-2881] - Ukrainian translation of admin GUI
[ECA-2926] - External RA GUI and SCEP deploy on JBoss 7
[ECA-2930] - SCEP RA mode for blind certificate issuance
[ECA-2936] - Support ECC for database integrity protection
[ECA-2972] - EJBCA support for South Slavic languages - Bosnian QA process
[ECA-2973] - Unified OCSP
[ECA-2974] - Use ServiceLoader for Publishers and Services
[ECA-2988] - Unified OCSP: In main build, merge Standalone and Integrated
OCSP into a single SSB
[ECA-2992] - White listing of available CryptoToken PKCS#11 slots
[ECA-3092] - Make it possible to hide the menu in publicweb
[ECA-3095] - HSM slot label. Resolve existent issues from ECA-3071, add
support for GUI/CLI/Upgrade
[ECA-3128] - Add support for slot labels to ca init command, database
protection and ocsp

Task
[ECA-2296] - Master Issue: Look over authorization in all session beans.
[ECA-2298] - Master issue: Unify all names in EJBCA
[ECA-2317] - Migrate OCSP functionality from CESeCore to EJBCA
[ECA-2350] - Add support to other match values than X500Principal based
[ECA-2445] - Rename all references to "Admin Groups" to "Roles"
[ECA-2462] - Rename RSASignSessionBean to SignSessionBean
[ECA-2464] - Change references from 'User' to EndEntity where appropriate.
UserAdminSessionBean should be renamed EndEntityManagementSessionBean
[ECA-2488] - Remove all internal references to UserAdminSession.changeUser
[ECA-2498] - Go through build-dependencies.xml and search for and remove
nonexisting files in classpaths and include tags
[ECA-2499] - Improve some @BeforeClass and @AfterClass in tests
[ECA-2521] - Merge changes from ECA-1978
[ECA-2522] - Merge changes from ECA-2094
[ECA-2523] - Merge changes from ECA-2157
[ECA-2524] - Merge changes from ECA-2468
[ECA-2525] - Merge changes from ECA-2504
[ECA-2526] - Merge changes from ECA-2518
[ECA-2531] - Remove org.ejbca.config.ExtendedKeyUsageConfiguration
[ECA-2541] - Replace the contents of EjbRemoteHelper with a clever
datastructure
[ECA-2550] - Remove transient from PrePersist, PreUpdate and PostLoad
annotation
[ECA-2555] - Merge changes from ECA-2454
[ECA-2556] - Make sure that EjbRemoteHelper is used instead of JndiHelper for
retrieving remote interfaces
[ECA-2562] - CMP: More tests for the KeyUpdate request
[ECA-2581] - Eliminate the duplicate constants in SecConst and
EndEntityConstants
[ECA-2596] - Merge changes from ECA-2580
[ECA-2597] - Merge changes from ECA-2585
[ECA-2605] - Merge changes from ECA-2575
[ECA-2611] - Merge changes from ECA-1979
[ECA-2619] - CliAuthenticationProviderSessionBean does not follow our naming
standard
[ECA-2620] - Upgrade hibernate to latest version
[ECA-2622] - Merge changes from ECA-2583
[ECA-2630] - Reimplement OCSP HealthCheckServlet
[ECA-2631] - Merge changes from ECA-2579
[ECA-2635] - Merge changes from ECA-2627
[ECA-2637] - Merge changes from ECA-2634
[ECA-2640] - Merge changes from ECA-2633
[ECA-2646] - Merge changes from ECA-2584
[ECA-2651] - Merge changes from ECA-2577
[ECA-2688] - AccessRulesConstants.ROLE_SUPERADMINISTRATOR should be declared
deprecated and removed internally
[ECA-2702] - EjbcaWebBean code cleanup
[ECA-2707] - Merge changes from ECA-2625
[ECA-2735] - Verify that the functionality of ECA-2069 is ok in trunk
[ECA-2744] - Merge changes from ECA-2624
[ECA-2748] - Merge changes from ECA-2745
[ECA-2751] - Merge changes from ECA-2750
[ECA-2754] - Merge changes from ECA-2753
[ECA-2756] - Merge changes from ECA-2755
[ECA-2767] - Merge changes from ECA-2759
[ECA-2772] - Merge changes from ECA-2769
[ECA-2803] - Merge changes from ECA-2746
[ECA-2831] - Merge changes from ECA-2829
[ECA-2850] - Merge changes from ECA-2802
[ECA-2898] - Merge changes from ECA-2897
[ECA-2900] - Merge changes from ECA-2890
[ECA-2902] - Merge changes from ECA-2899
[ECA-2925] - Upgrade to BouncyCastle 1.49b01
[ECA-2959] - UniqueSernoWSTest fails due to JBoss 7 classloader
[ECA-2979] - Unified OCSP: Move StandAlone OCSP files into main build
[ECA-3023] - Document JBoss 7 hardening
[ECA-3041] - Make sure EJBCA builds and deploy on JBoss 7.2 and EAP 6.1
[ECA-3044] - Use fast Random, instead of slow SecureRandom for GUID
generation
[ECA-3048] - Upgrade BouncyCastle to 1.49 final
[ECA-3075] - XKMS KRSS tests not working on JBoss 7 / EAP6
[ECA-3084] - OCSP transaction logging and safer log4j not working
[ECA-3127] - External RA not working on JBoss 7
[ECA-3130] - Update Admin GUI HSM chapter with new Crypto Token GUI
[ECA-3148] - Rename the files under ejbca/doc/sql-scripts/ with the
appropriate name (ejbca version)
[ECA-3193] - Sample custom publisher with UID=certificate serialNo in decimal
[ECA-3228] - Make sure that system tests clean up after themselves
[ECA-3229] - Remove unnecessary warnings during build and startup
[ECA-3241] - Eliminate deprecated values from ocsp.properties as far as
possible and remove them from all but upgrade code.
[ECA-3291] - Access rules unclear

Technical task
[ECA-3152] - Possibility to Export/Import all CryptoTokens
[ECA-3153] - Possibility to Export/Import all CAs
[ECA-3154] - Possibility to Export/Import all Certificate Profiles
[ECA-3155] - Possibility to Export/Import all End Entity Profiles
[ECA-3156] - Possibility to Export/Import all Publishers
[ECA-3157] - Possibility to Export/Import all Services
[ECA-3158] - Possibility to Export/Import all Roles
[ECA-3159] - Possibility to Export/Import all CMP configuration
[ECA-3192] - Possibility to change Subject DN in dump files from CLI

EJBCA 5.0.14, 2014-04-02


---
Bug
[ECA-3469] - Problem adding several administrators
[ECA-3473] - Internal error when using default responder on standalone OCSP for
X.500 issuer DN order

EJBCA 5.0.13, 2014-02-20


---
Bug
[ECA-3293] - Customer specific LDAP Publisher should use correct time in
loginfo attribute
[ECA-3344] - Regression: PKCS11 sun config does not work
[ECA-3421] - Upgrade jar file

Improvement
[ECA-3343] - Some versions of MySQL picks bad index mixing OR and AND

EJBCA 5.0.12, 2013-11-12


---
Bug
Security fixes

EJBCA 5.0.11, 2013-11-07


---
Bug
[ECA-2984] - ejbcaClientToolBox.sh CMPKeyUpdateStressTest works only with one
thread
[ECA-3083] - SaferLog4j jar does not build correctly
[ECA-3211] - End entity username should be stripped when doing end entity
look-up in CMP
[ECA-3217] - Nodes in cluster not database protection stable
[ECA-3268] - Inconsistent use of strip() and stripIncludingXss() methods

Improvement
[ECA-2951] - Clean up CSS for new pages in 5.0 and 6.0 branches
[ECA-3037] - Support for multiple Vendor CA authentication certificates for CMP
[ECA-3050] - Base64CertData table
[ECA-3053] - Don't show password in build summary
[ECA-3066] - Support ECDSA for OCSP automatic key renewal
[ECA-3071] - Allow reference of PKCS#11 slots by token label
[ECA-3151] - Add hostname to startup log message
[ECA-3178] - Add configuration option for specifying non-allowed characters in
subject DN

New Feature
[ECA-2990] - Customer specific LDAP publisher
[ECA-3025] - Built in profiling capabilities
[ECA-3070] - Add WS keyrecovery method for specified certificate
[ECA-3194] - Allow ejbca-db-cli to work on database with only AuditRecordData

EJBCA 5.0.10, 2013-05-31


---
Bug
[ECA-1872] - Batch Enrollment GUI can not use JKS as keystore
[ECA-2495] - Exception in view old log
[ECA-2968] - IE10 browser enrollment doesn't work
[ECA-3009] - Unhelpful error message when changing permission rules for
non-existing end entity profile in CLI

Improvement
[ECA-1826] - Possibility to create link certificates following the certificate
profile
[ECA-2456] - Support other CMP signature algorithms than SHA1
[ECA-2944] - Remove one dependency from SignSessionBean on bean implementation
in CeSeCore
[ECA-2966] - ClientToolBox batch functionality for certreq and installcert
[ECA-2976] - Debug log healthcheck message
[ECA-2983] - Add index on CertificateData.status to index sql script
[ECA-2997] - Make the CA certificate chain download provide better suggestion
for file name to browser
[ECA-3005] - Backport CMP ECC improvements to 5.0
[ECA-3007] - Remove service execution audit events not needed
[ECA-3010] - Improve CLI support for editing certificate profiles and
publishers
[ECA-3017] - Add parameter to ca init cli to use explicit ECC parameters

New Feature
[ECA-2241] - Support STARTTLS extension for the LDAP Publisher
[ECA-2985] - Add possibility to publish cert serial to LDAP custom schema
[ECA-3004] - Command Line Support to Create a SubCA signed by an External CA
[ECA-3006] - Add editca CLI command
[ECA-3019] - Manage Services from the CLI

EJBCA 5.0.9, 2013-03-21


---
Bug
[ECA-2915] - EJBCA DB CLI verify reports error if multiple nodes are logging
[ECA-2922] - Upgrade fails because not all aspects are migrated
[ECA-2929] - Revocation does not perform as expected in all circumstances
[ECA-2937] - Unable to create new CA with soft CA token without auto-activation
[ECA-2938] - Key renewal with soft CA token does not always persist the new
keys
[ECA-2950] - Unsupported SubjectAltName object from a certificate request
encoded to the string "null"
[ECA-2954] - lastUpdate and tryCounter columns in PublisherQueueData do not get
updated in case of CRL publisher failures

Improvement
[ECA-2859] - CMP end entity certificate authentication requires clear text
password set for user
[ECA-2882] - Do not store active certificates in queue for
ValidationAuthorityPublisher that only publish revoked
[ECA-2904] - Compile and run on JDK7
[ECA-2913] - CMP: Need better error message when a request is not signed by the
sender
[ECA-2960] - ClientToolbox key generation enhancement.

New Feature
[ECA-2901] - CMP vendor certificate authorization
[ECA-2907] - Add cache for Publishers

EJBCA 5.0.8, 2012-12-18


---
Bug
[ECA-2376] - Republishing certificates to LDAP when multiple certificates per
user are allowed fails if certificate is already present
[ECA-2710] - Last certificate gets republished twice when using '-all' in cli
[ECA-2781] - Searching by certificate serial number fails if certificate has
same subject DN across multiple end entities
[ECA-2839] - CMP certificate authentication with KeyId for End Entity profile
uses wrong string
[ECA-2845] - End entity presence (existing username) not checked properly
during import
[ECA-2878] - Setting a certificate's status to CERT_NOTIFIEDABOUTEXPIRATION
(21) locks out user from admin GUI

Improvement
[ECA-2655] - Do not require private key to verify audit logs with ejbca-db-cli
[ECA-2708] - Can not revoke certificates that are on hold
[ECA-2824] - Not possible to obfuscate log signer key password.
[ECA-2846] - Make the bin/ejbca.sh ca importcertdir command output filenames in
case of errors
[ECA-2875] - Able to use unlimited no of arguments for clientToolBox on Windows

New Feature
[ECA-2847] - Add an option to 'bin/ejbca.sh ca importcertdir' command to ignore
errors

Task
[ECA-2869] - Ensure EJBCA builds with ant 1.7

EJBCA 5.0.7, 2012-10-31


---
Bug
[ECA-2822] - SECURITY: Minor administrator escalation issue

EJBCA 5.0.6, 2012-10-15


---
Bug
[ECA-2695] - Creating a CA via the CLI doesn't update the ca cache.
[ECA-2704] - Error in usage text for 'ejbca.sh ra listusers'
[ECA-2712] - Some properties in ejbca.properties are never read
[ECA-2713] - mail.contentencoding has wrong name in sample file
[ECA-2715] - VA health check no longer checks if database is available
[ECA-2719] - Download of certificates from Admin GUI fails in Chrome when
using "strange" usernames
[ECA-2721] - Hibernate generates different hash-names for foreign constraints
than list in SQL scripts
[ECA-2733] - Can not edit key sequence for a CA
[ECA-2736] - Key Recovery does not work when CA is signed by an external CA
[ECA-2738] - NPE running EJBCA containing HSM CA when no PKCS11 provider is
available
[ECA-2739] - Key recovery not working using some HSMs
[ECA-2743] - Can not have different database dialect for EJBCA and External
RA service
[ECA-2758] - Re-activating suspended certificates does not work with
VA-publisher
[ECA-2762] - Upgrade from v4 to v5 not working for "imported CA"
[ECA-2763] - User is losing privileges after upgrade from v4 to v5
[ECA-2764] - Multiple certificates with different subject DN for CA
[ECA-2765] - Revoke CLI can not revoke certificates for a user that is
revoked
[ECA-2766] - setclearpwd from CLI with non-existing user
[ECA-2778] - Plus character in CA DN breaks Download of Certificates
[ECA-2789] - The method for creating primary keys for access user aspects is
broken
[ECA-2790] - SECURITY: Fix minor privilege escalation issue
[ECA-2797] - Only possible to view the newest hard token for an end entity.
[ECA-2799] - Improve RFC 4387 feature documentation
[ECA-2809] - Unable to use "modified" at the "Search End Entities" page.

Improvement
[ECA-1696] - CertTools.getCertsFromPEM(*) should declare it returns a List as
the order of certificates are important
[ECA-2183] - There is a code which will be never executed for external SCEP
[ECA-2656] - Unable to receive certificates from external CA that has invalid
algorithm id parameters
[ECA-2693] - Improve error message when providing invalid signature algorithm
[ECA-2700] - Rate limit health check
[ECA-2776] - Disable jasper compilation in default build

New Feature
[ECA-2727] - Self-registration with admin approval
[ECA-2740] - Ant target for renewing application server keystore
[ECA-2747] - Extended Key Usage for WiFi EAP authentication
[ECA-2788] - Support CertHash extension in OCSP responder

Task
[ECA-2716] - Remove unused properties

EJBCA 5.0.5, 2012-06-03

Bug
[ECA-2650] - A few EJB methods do not log access control
[ECA-2662] - Strip whitespace from username entered in public web
[ECA-2667] - AllwaysAllowLocalAuthenticationToken can be denied access
[ECA-2673] - End entity profiles with AnyCA cause RA admins to not be able to
add user
[ECA-2674] - Editing access rules gives exception
[ECA-2694] - Can not create CA with non default soft token pwd from CLI

Improvement
[ECA-2382] - Performance improvements, profiling
[ECA-2529] - Don't use Security Audit Log when doing healthchecks
[ECA-2553] - Improve CRL generation memory requirements
[ECA-2572] - Update index recommendations
[ECA-2573] - Merge enforcement queries to save database round-trip
[ECA-2618] - Remove authentication checks on CertConf messages
[ECA-2632] - Internal resources speed optimizations
[ECA-2639] - Do not use unneeded access control for internal CAInfo lookups and
avoid ee profile cloning when not needed
[ECA-2642] - Improve Tomcat configuration
[ECA-2643] - Authorization checks do not always have to start a new
transaction
[ECA-2645] - Fix transaction management for background updates to CAData
[ECA-2648] - Optimize away redundant query in WS getAdmin
[ECA-2652] - Multiple authorization checks in a single access controls
invocation.
[ECA-2657] - Merge two CA access control log entries into one
[ECA-2659] - Merge Admin GUI access controls and remove redundant checks
[ECA-2675] - JBOSS with APR makes EJBCA deploy fail
[ECA-2676] - Replace the string "/super_administrator" with the constant
AccessRulesConstants.ROLE_SUPERADMINISTRATOR

New Feature
[ECA-2629] - Add Japanese language file
[ECA-2653] - Enforce issuerDN,serialNumber uniqueness with database query if no
unique index is present
[ECA-2687] - Allow CVC CAs to be created from the CLI

EJBCA 5.0.4, 2012-03-08


---
New Feature
[ECA-2590] - Possibility to only publish revoked certificates to external VA DB
[ECA-2603] - "unknown is good" changed for some URLs used in the OCSP request.
[ECA-2612] - Add Kerberos PKINIT-related EKU's to default configuration file

Task
[ECA-2588] - Missing run.bat in ejbca db cli
[ECA-2613] - Annotate @ApplicationException(rollback=true) in all exceptions
thrown from log system

Improvement
[ECA-2563] - CMP: clean up CMP tests
[ECA-2600] - Add possibility to specify certificate profile to ca init CLI
command
[ECA-2602] - Do not allow creation of CAs with weak key lengths
[ECA-2607] - clientToolBox OCSP only accepts 16 char hex serial numbers
[ECA-2614] - ClientToolBox OCSP starts slow

Bug
[ECA-2564] - CMP: Correct the CrmfKeyUpdateTest
[ECA-2589] - External RA Junit test target does not work on windows
[ECA-2591] - Regression: ExternalRA does not work
[ECA-2594] - XSS issues
[ECA-2595] - EndEntityInformation.getPrintUserData compares to
EndEntityConstants.USER_SENDNOTIFICATION instead of EndEntityConstants.USER_PRINT
[ECA-2601] - Prevent possible SQL injection
[ECA-2604] - Importing end entity profiles with an unknown CAid in it causes
error
[ECA-2608] - CMP revocation requests are sensitive about DN order
[ECA-2609] - Publisher logs success even if publisher returns false
[ECA-2610] - Certificate Profile GUI weirdness in MSIE

EJBCA 5.0.3, 2012-02-24


---
New Feature
[ECA-2539] - CMP: Get KeyUpdateRequest working even in RA mode

Improvement
[ECA-2543] - We need a way to log CMP messages from CMPProxy

Task
[ECA-2536] - Modify tests in CliCommandAuthenticationTest to play with
Glassfish

Bug
[ECA-2261] - SenderKeyID does not need to be set in a CMP request
[ECA-2527] - Wrong exception thrown in HardTokenSessionBean for some errors.
[ECA-2534] - Regression: Not checking that the administrator has the role
defined in the hard token issuer any more.
[ECA-2535] - Security Audit Log with a single empty "msg" gives
NullPointerException in Admin GUI
[ECA-2538] - Creating certificates from CLI with approvals enabled does not
work
[ECA-2544] - Upgrading Certificate Profiles can remove Authority Information
access under certain conditions
[ECA-2548] - Error clicking some service buttons when no service selected
[ECA-2551] - test:runone does not work on windows
[ECA-2552] - CMP: Skip verifying CertificateConfirmationRequest if not required
[ECA-2567] - CMP: Should use EjbRemoteHelper in CrmfRARequestTest
[ECA-2574] - Minor XSS issue

EJBCA 5.0.2, 2012-01-23


---
Bug
[ECA-2118] - Regression: Bug in adding new End-Entity with fixed RFC822Name in
profile
[ECA-2197] - VA build fails sometimes
[ECA-2206] - GlobalConfiguration needs to check authorization differently
[ECA-2373] - Unsafe parsing of externalra-caservice.signature.required
[ECA-2403] - Custom roles do not seem to work from Basic Mode
[ECA-2413] - Deleted End Entities still show up on the list of "Previously
Added End Entities" in the "Add End Entities" screen
[ECA-2422] - Regression: Import of profiles fails as CA IDs are different
[ECA-2423] - Use selected as template changes CAs to "any CA" for certificate
profiles
[ECA-2424] - Default value for cmp.tcp.logdir is /log and not ./log causing
Exception at startup
[ECA-2425] - Can not use CLI to create admin roles
[ECA-2426] - Supervisor role does not work as expected
[ECA-2427] - CLI can't set role rules for rules from CESeCore
[ECA-2428] - Persistent NFE after setting admin rule with
certSerialNumber=qwerty_1
[ECA-2429] - Inconsistency in VA health-check properties comment and used URL
[ECA-2432] - Regression: tests fail on glassfish v2
[ECA-2433] - Regression: Healthcheck does not give any output if not ALLOK
[ECA-2435] - Chinese characters don't work in "Edit End Entity Profiles" for
DN attributes
[ECA-2436] - Reading OCSP messages over http1.1 with chunked encoding can fail
[ECA-2438] - Check where CAAdminSession.getCAInfo is expected to return null,
but it throws
[ECA-2440] - DB2 database schema test fails on CRLData
[ECA-2444] - CMP Revoke Response Message is unprotected sometimes
[ECA-2448] - Regression: Available languages only contains EN by default
[ECA-2455] - Erroneous log output when renaming a role
[ECA-2457] - Editing Access Rules doesn't log correctly
[ECA-2458] - Audit logging for End Entity Profiles needs to be more detailed
[ECA-2459] - Audit logging for Role Access Users needs to be more detailed
[ECA-2460] - Audit logging for Role Access Rules needs to be more detailed
[ECA-2472] - Failure to publish CRL does not audit log CRL_PUBLISH failure
[ECA-2476] - null pointer when trying to recover lost HSM in external OCSP
[ECA-2479] - Regression: admins addadmin/removeadmin command malfunctions with
match_type
[ECA-2480] - Regression: HARDTOKEN_REMOVE is audit logged as HARDTOKEN_ADD
[ECA-2482] - Minor XSS issues
[ECA-2484] - Regression: NoClassDefFound trying to run ejbca-db-cli
[ECA-2502] - Token id not logged correctly when password testing fails for soft
tokens
[ECA-2506] - Audit log verification prints lots of errors after 1 row failed
[ECA-2511] - Missing column in SQL table create scripts
[ECA-2512] - NPE in WS if admin cert revoked
[ECA-2516] - Not possible to view hard token in admin GUI.
[ECA-2519] - SuperAdmin default role created with incorrect rule

Improvement
[ECA-2384] - Move EndEntityProfile authorization from gui code to session bean
[ECA-2420] - Document database and security audit integrity protection
[ECA-2437] - Improve the CMP KeyUpdate stress test in ClientToolBox
[ECA-2441] - Update to new EJBCA logo in public and admin webs
[ECA-2446] - Log details what changed when editing services
[ECA-2461] - User data source API improvements
[ECA-2465] - Hard token API improvements
[ECA-2469] - Audit logging for Admin Preferences needs to be more detailed
[ECA-2470] - UpgradeableDataHashMap.diff does not handle String arrays
[ECA-2471] - Audit log details of publisher change and don't audit log failures
[ECA-2497] - Unreadable code in VerifyPKIMessage
[ECA-2501] - More efficient CRL download
[ECA-2508] - Audit log the security audit protection during startup
[ECA-2515] - Possibility to define which symmetric encryption algorithm to use
for clientToolBox HSM encrypt/decrypt

New Feature
[ECA-2430] - Plugin build system
[ECA-2434] - Add CMP KeyUpdate stress test in clientToolBox
[ECA-2505] - Scripts for backup and restore

Task
[ECA-2348] - Replace org.cesecore.util.Tuplet with AbstractMap.SimpleEntry
[ECA-2352] - Move methods from ComplexAccessControlSessionBean and
ComplexRoleManagementSessionBean which would rather be in CESeCore
[ECA-2408] - CESeCore and EJBCA have overlapping and redundant rules for
viewing logs
[ECA-2415] - Move the method saveGlobalConfigurationRemote out of
GlobalConfigurationSessionBean and into a test proxy
[ECA-2439] - Remove unused AuthenticationToken from
EndEntityProfileSession.getEndEntityProfile
[ECA-2485] - ISaferAppenderListener, SaferDailyRollingFileAppender are
duplicates
[ECA-2490] - Authentication Logging does not conform to CC demands
[ECA-2496] - Remove AuthenticationSessionBean

EJBCA 5.0.1, 2011-12-02


---
Bug
[ECA-2396] - More XSS issues
[ECA-2402] - Regression: Supervisor role does not authorize the admin to view
the log
[ECA-2407] - CMP: Allow only NestedMessageContent when an authorized
administrator is not required when sending a CMP request
[ECA-2414] - CMP: When checkAdminAuthorization is set to 'false', verifying the
issuer of extraCert should not be done.
[ECA-2416] - CMP message handler tries to create unid req handler

Improvement
[ECA-2342] - Check authorization and make methods local-only in
UserAdminSession
[ECA-2400] - Split xdocs in two separate sites, ejbca.org site and
documentation site
[ECA-2409] - ProfileDefault for cmp.ra.certificateprofile

New Feature
[ECA-1153] - Support for Permanent Identifiers (RFC 4043)
[ECA-2410] - Document EJBCA Djigzo integration
[ECA-2411] - Support for authorityInformationAccess in CRLs

Task
[ECA-2210] - Verify no-cache settings for CMP over HTTP
[ECA-2404] - Add healthcheck doc to admin guide

EJBCA 5.0.0, 2011-11-21


---
Bug
[ECA-2035] - Document when Key Recovery checkbox can be used
[ECA-2163] - Webservice warning in boot.log on JBoss 6
[ECA-2201] - Mixed SSL and non-SSL cause warnings on the on-server
documentation pages
[ECA-2235] - External VA doesn't correctly publish CRLs from CAs with X.509
naming order
[ECA-2244] - Build failure with OpenJDK if JavaScript is not available
[ECA-2248] - Fix circular dependencies so that EJBCA can install
[ECA-2249] - Fix all system tests so that they run in EJBCA 5.0
[ECA-2251] - CertificateData.findAllOnHold is missing a query parameter
[ECA-2260] - CRL file name returned from VA differs from public web, should
be .crl
[ECA-2271] - Bug with DN State and DN Locality attributes
[ECA-2279] - Regression: Disable Command Line Interface doesn't seem to have
any effect any more
[ECA-2294] - Use of CMS key to sign CSV/logfile export is not logged.
[ECA-2301] - Regression: Can not save access rules
[ECA-2303] - NPE when trying to change a role from CLI
[ECA-2310] - Regression: Can not rename Roles
[ECA-2311] - Regression: Edit access rules shows wrong Role Template
[ECA-2319] - Verify revocation status of internal certificates when external
certificate authentication is enabled
[ECA-2323] - Regression: NPE when trying to view administrators
[ECA-2326] - Regression: Match type are not showing correctly
[ECA-2329] - Regression: datasource.jndi-name-prefix not changed when switching
to GlassFish
[ECA-2331] - Regression: exception thrown if cmp.autenticationmodule is not set
in cmp.properties
[ECA-2339] - Audit Log GUI messages
[ECA-2343] - Strange 'help' features in EJBCA CLI
[ECA-2344] - Regression: admin can not access "Basic Functions" page unless
access to all CAs
[ECA-2349] - Regression: VA deployment fails as default config file can not be
loaded
[ECA-2357] - Regression: Access rule templates cannot be applied
[ECA-2358] - Regression: Download audit as XML results in empty file because
some properties are not included in zip or have default values
[ECA-2360] - Regression: "Basic functions" cannot be browsed after adding an
HSM CA
[ECA-2362] - Sample value in install.properties.sample refers to pre-cesecore
class names
[ECA-2363] - Regression: databaseprotection.properties not included when doing
a zip release
[ECA-2366] - Regression: CRL not published after CRL creation
[ECA-2374] - Regression: NPE when using signed external RA messages
[ECA-2375] - CA expire time incorrectly shown in the CLI
[ECA-2377] - Regression: can not renew a CA after upgrade from v4 to v5
[ECA-2378] - Regression: upgrade CertificatePolicy of CAs after upgrade from
v4 to v5

Improvement
[ECA-2086] - Introduce tooltip or help-link for "Process Certificate Request"
and "Sign Certificate Request" buttons in Admin GUI
[ECA-2149] - Add revocation reason capability to CRL import CLI command, and
add JUnit testing
[ECA-2155] - UserAdminSessionBean.assertAuthorizedToEndEntityProfile() and
UserAdminSessionBean.assertAuthorizedToCA () need tests.
[ECA-2162] - Move some methods from CAAdminSession to CASession and use cache
[ECA-2165] - Rename RaAdminSession to AdminPreferencesSession
[ECA-2173] - minor optimization to PublisherSession
[ECA-2177] - Constant for un-revoking not documented in
extra.db.CertificateRequest
[ECA-2187] - Update pt_PT translation
[ECA-2203] - Make release zip 10MB smaller
[ECA-2207] - Publisher Queue session should not log to logSession
[ECA-2215] - Place .properties files in a jar under lib/ in the EAR
[ECA-2216] - Glassfish 3 needs public access modifier for access between .jars
[ECA-2217] - Dynamically loaded classes aren't found by Glassfish 3.1
[ECA-2218] - Handle endorsed .jars from Glassfish 3.1
[ECA-2226] - Bundle multiple ORM files with EJBCA
[ECA-2234] - Make EJBCA build in production mode by default.
[ECA-2246] - Upgrade system tests from Junit3.8 to Junit4
[ECA-2268] - Enable database integrity protection for all internal EJBCA tables
[ECA-2280] - Improve testing on CSRs
[ECA-2289] - Welcome screen - workflow for CRL creation on status
[ECA-2292] - Better error message when services are not running (XKMS, OCSP,
CMS...)
[ECA-2295] - Add to the documentation an example verify/decode of the log file
export
[ECA-2307] - Reduce memory consumption when using InternalResouces
[ECA-2322] - Add authorization and look over token usage in PublisherSession
[ECA-2333] - Support for non-DN based match values in User Aspects
[ECA-2341] - CMP EECAuthenticationModule: The attached extraCert does not need
to be in the database

New Feature
[ECA-2180] - Renew CA from CLI
[ECA-2193] - Ability to use extension override in Web Service call
processCertReq
[ECA-2245] - Produce an authentication provider for web based requests
[ECA-2263] - Implement CLI authentication
[ECA-2273] - New CLI for direct database interactions
[ECA-2305] - Support for setting cardnumber from WS
[ECA-2306] - Integrate new CMP features in Ejbca 5
[ECA-2309] - CLI command to edit fields in publishers and certificate profiles

Task
[ECA-1078] - Verify that the microsoft certificateprofile works with a windows
2008 server domain
[ECA-2170] - Migrate all classes from org.cesecore to org.ejbca
[ECA-2171] - Master Issue: Refactor classes from CESeCore into EJBCA
[ECA-2228] - Merge Security Audit from CESeCore 1.1.0 into EJBCA
[ECA-2229] - Create mock SSBs to allow for implementation of secure audit.
[ECA-2230] - Move org.cesecore.authentication and org.cesecore.authorization
[ECA-2232] - Restructure functional tests in EJBCA to use a deployable for
remote EJB access.
[ECA-2236] - Remove references to EJBCA's authentication, authorization and
admin groups and replace them with CESeCore equivalents.
[ECA-2238] - Remove all references of the old logger and replace it with Secure
Audit
[ECA-2240] - Merge Certificates from CESecore 1.1.0 to EJBCA
[ECA-2247] - Fix EJBCA CLI to work with EJBCA 5.0
[ECA-2250] - Admin GUI to work with EJBCA 5.0
[ECA-2252] - Remove faulty EJBCA references from CESeCore code
[ECA-2255] - Migrate built in Extended CA services to separate classes
[ECA-2258] - Refactoring 'WITH' parameters
[ECA-2262] - Move ConfigurationSessionBean into system tests JAR
[ECA-2265] - Allow EjbcaConfigurationHolder to use defaultvalues.properties
[ECA-2274] - Create mock session bean for AccessControl and AuditLog to be used
in standalone VA mode
[ECA-2281] - Removed unused Admin from UserAdminSessionBean.existsUser
[ECA-2284] - Unnerf AlwaysAllowLocalAuthenticationToken
[ECA-2304] - Master Issue: Merge all changes made during CESeCore 1.1.0 to
1.1.1
[ECA-2308] - Make CustomCertSerialnumberWSTest run even with no index in
database
[ECA-2313] - Merge issues from CESECORE-108
[ECA-2315] - Merge changes from CESECORE-198
[ECA-2318] - Merge revision #1208 from CESECORE-266 into EJBCA
[ECA-2320] - Merge changes from CESECORE-197
[ECA-2324] - Merge changes from CESECORE-269 to EJBCA

EJBCA 4.0.16, 2013-06-28


---
Bug
[ECA-2495] - Exception in view old log
[ECA-3059] - Database rolled back for failed CRL publishings instead of put in
queue

Improvement
[ECA-3050] - Base64CertData table

EJBCA 4.0.15, 2013-05-10


---
Bug
[ECA-2991] - Add the missing variable ${user.C} for e-mails

Improvement
[ECA-1826] - Possibility to create link certificates following the certificate
profile
[ECA-2884] - Create the variable ${user.UID} for e-mails
[ECA-2976] - Debug log healthcheck message

New Feature
[ECA-2985] - Add possibility to publish cert serial to LDAP custom schema

EJBCA 4.0.14, 2013-02-15


---
Bug
[ECA-2897] - Wrong example of external SSL port number in web.properties

Improvement
[ECA-2882] - Do not store active certificates in queue for
ValidationAuthorityPublisher that only publish revoked
[ECA-2890] - GUI: Better link from Public Web to Administration Web, via
reverse proxy
[ECA-2899] - Do not display passwords in stdout during build

New Feature
[ECA-2907] - Add cache for Publishers

EJBCA 4.0.13, 2012-12-19


---
Bug
[ECA-2376] - Republishing certificates to LDAP when multiple certificates per
user are allowed fails if certificate is already present
[ECA-2704] - Error in usage text for 'ejbca.sh ra listusers'
[ECA-2710] - Last certificate gets republished twice when using '-all' in cli
[ECA-2745] - GUI: Request Browser Certificate Renewal page update
[ECA-2750] - GUI: Logout links miss on some Web Public pages
[ECA-2759] - Unexpected form closing, when editing Certificate Profile
[ECA-2761] - Downgraded EJBCA from 5 to 4 get NULL CA Token
[ECA-2778] - Plus character in CA DN breaks Download of Certificates
[ECA-2786] - GUI: Remove "OCSP" text in navigation menu of Public Web
[ECA-2809] - Unable to use "modified" at the "Search End Entities" page.

Improvement
[ECA-2746] - Clean up message keys, and some titles
[ECA-2753] - GUI: Web Public pages improvement
[ECA-2755] - GUI: Administration pages improvement (adding home link)
[ECA-2769] - GUI: Key Usage form improvement
[ECA-2776] - Disable jasper compilation in default build
[ECA-2802] - Clean up message keys, and section titles
[ECA-2813] - Class RequestInstance should allow to provide a password
[ECA-2823] - Backport ECA-2244, don't require javascript to build
[ECA-2829] - GUI: Update Renew title in the Public Web navigation
[ECA-2832] - GUI: Fix 'Fetch CA certificate' title in the Public Web page
[ECA-2875] - Able to use unlimited no of arguments for clientToolBox on Windows

New Feature
[ECA-2727] - Self-registration with admin approval
[ECA-2740] - Ant target for renewing application server keystore
[ECA-2747] - Extended Key Usage for WiFi EAP authentication

Task
[ECA-2624] - Clean up message keys

EJBCA 4.0.12, 2012-08-16


---
New Feature
[ECA-2705] - OCSP key renewal at absolute times
[ECA-2706] - Allow Certificate Expiration Notification Service to specify
Certificate Profiles
[ECA-2709] - Publisher for sampling of issued certificates

Improvement
[ECA-2069] - Better log message when querying for not existing CA and default
responder CA does not exist
[ECA-2714] - Hide the HARDTOKEN profiles in "Certificate Expiration Checker"
configuration if "Issue Hardware Tokens" hasn't been enabled
[ECA-2724] - When deleting a Certificate Profile, list which end entities/end
entity profiles that use it.

Bug
[ECA-2077] - OCSP rekeying does not work on JBoss 6.1.0 and JBoss EAP5
[ECA-2719] - Download of certificates from Admin GUI fails in Chrome when using
"strange" usernames

Task
[ECA-2625] - Language tool for developers and localizers

EJBCA 4.0.11, 2012-06-18


---
New Feature
[ECA-2629] - Add Japanese language file
[ECA-2696] - Custom revocation date in EJBCA

Task
[ECA-2579] - Help message keys refactoring

Bug
[ECA-2662] - Strip whitespace from username entered in public web
[ECA-2664] - Cleartext links (http) in documentation
[ECA-2699] - ejbca.sh CLI exportprofiles function can't handle special
characters in filename

Improvement
[ECA-1979] - GUI: End-Entity (profile, add, edit) forms usability
[ECA-2577] - GUI: Configuration forms improvement
[ECA-2583] - GUI: LDAP Publishers form layout improvement
[ECA-2584] - GUI: Improvement of in-line help in all forms
[ECA-2627] - Process CA: forms layout improvement, and message keys refactoring
[ECA-2633] - GUI: Improve Services form
[ECA-2634] - GUI: View Certificate popup improvement
[ECA-2661] - Possible to use aliases for CRL Naming in RFC4387 CRL Store
[ECA-2675] - JBOSS with APR makes EJBCA deploy fail

EJBCA 4.0.10, 2012-03-14


---
New Feature
[ECA-2590] - Possibility to only publish revoked certificates to external VA DB
[ECA-2603] - "unknown is good" changed for some URLs used in the OCSP request.

Bug
[ECA-2564] - CMP: Correct the CrmfKeyUpdateTest
[ECA-2594] - XSS issues

Improvement
[ECA-2563] - CMP: clean up CMP tests
[ECA-2575] - GUI: Administrator groups page headers improvement
[ECA-2580] - GUI: Improve View CA table layout (rows: header, sections, footer)
[ECA-2585] - GUI: Change Rename button in all Object lists

EJBCA 4.0.9, 2012-02-13


---
Bug
[ECA-2574] - Minor XSS issue

EJBCA 4.0.8, 2012-02-09


---
New Feature
[ECA-2539] - CMP: Get KeyUpdateRequest working even in RA mode

Bug
[ECA-2261] - SenderKeyID does not need to be set in a CMP request
[ECA-2476] - null pointer when trying to recover lost HSM in external OCSP
[ECA-2482] - Minor XSS issues
[ECA-2504] - Rename LIST button in Approve Actions section
[ECA-2544] - Upgrading Certificate Profiles can remove Authority Information
access under certain conditions
[ECA-2552] - CMP: Skip verifying CertificateConfirmationRequest if not
required
[ECA-2567] - CMP: Should use EjbRemoteHelper in CrmfRARequestTest

Improvement
[ECA-1978] - Certificate Profile form improved
[ECA-2094] - Edit CA form improved
[ECA-2454] - Improve all table layout (rows: header, sections, footer)
[ECA-2468] - Formats and Units (GUI usability and keys refactoring)
[ECA-2497] - Unreadable code in VerifyPKIMessage
[ECA-2501] - More efficient CRL download
[ECA-2518] - Add link to Help page for ECDSA keys

Task
[ECA-2157] - Clean up CSS code

EJBCA 4.0.7, 2011-12-25


---
New Feature
[ECA-2410] - Document EJBCA Djigzo integration
[ECA-2430] - Plugin build system
[ECA-2434] - Add CMP KeyUpdate stress test in clientToolBox

Bug
[ECA-2197] - VA build fails sometimes
[ECA-2396] - More XSS issues
[ECA-2429] - Inconsistency in VA health-check properties comment and used URL
[ECA-2435] - Chinese characters don't work in "Edit End Entity Profiles" for DN
attributes
[ECA-2436] - Reading OCSP messages over http1.1 with chunked encoding can fail
[ECA-2444] - CMP Revoke Response Message is unprotected sometimes

EJBCA 4.0.6, 2011-11-17


---
New Feature
[ECA-2368] - CMP, Implement message type KeyUpdateRequest

Bug
[ECA-2369] - NestedMessageContentTest does not clean up the test certificates
it creates
[ECA-2380] - Minor XSS issue
[ECA-2383] - Cannot import empty CRL via CLI

EJBCA 4.0.5, 2011-11-02


---
New Feature
[ECA-2332] - Admin GUI ServletFilter for client certificate emulation

Improvement
[ECA-2325] - Add custom cert serno and extension parsing the generatenewuser WS
command

Bug
[ECA-2297] - NestedMessageContent implements version RFC2510 instead of RFC4210
[ECA-2302] - Publishing Queue Fails on slow publishers
[ECA-2338] - CMP End entity certificate authentication module does not work in
client mode
[ECA-2346] - Certificate issuance verification does not detect when CA's public
key (in HSM) does not match CA certificate
[ECA-2354] - Should not be possible to run service initialization after start

EJBCA 4.0.4, 2011-10-05


---
New Feature
[ECA-2105] - Add support for Signature protection of CMP confirm messages
[ECA-2161] - EJBCA add-on build option
[ECA-2194] - Add CMP Client mode using HMAC protection for user pwd
[ECA-2195] - Add modular authentication facility for CMP
[ECA-2196] - Add certificate authentication, by external cert, to CMP client
mode
[ECA-2202] - Certreq WS CLI command support for altName
[ECA-2209] - Add new CMP client mode authentication methods
[ECA-2242] - Add certificate authentication, by external cert, to CMP RA mode
[ECA-2243] - Support multiple protection in CMP RA mode
[ECA-2264] - Support for certificate extensions with raw and/or dynamic value
[ECA-2267] - Support for adding/editing certificate extension data for an end
entity in Admin Web
[ECA-2269] - Certificate extension value from WS and WSCLI. Certificate serial
number from WSCLI.
[ECA-2275] - Add CMP tests in ClientToolBox

Improvement
[ECA-2192] - Support other than DN in CMP recipient field
[ECA-2205] - Link to French installation guide contributed by asyd
[ECA-2285] - Allow getCA from CaSessionBean without requiring a transaction

Task
[ECA-2253] - Add classes from cesecore to EJBCA sources to allow downgrade from
5.0 to 4.0

Bug
[ECA-2145] - EJBCA is not prepared to receive signature protected CMP Confirm
messages
[ECA-2199] - Certreq WS CLI command ignores outputpath
[ECA-2213] - Enforce unique subject DN does not work with unused fields in EE
profile
[ECA-2224] - Create Browser Certificate, Create Keystore pages have incorrect
titles
[ECA-2231] - SCEP enrollment with CA-name containing spaces fails
[ECA-2235] - External VA doesn't correctly publish CRLs from CAs with X.509
naming order
[ECA-2254] - Way to indicate that a certificate should not be generated and
stored on a HW token
[ECA-2256] - cmpHttpProxy does not build
[ECA-2257] - When a certificate is revoked and this certificate is not in LDAP
it is logged as an error that the cert can not be removed and a task to remove is
queued.
[ECA-2260] - CRL file name returned from VA differs from public web, should
be .crl
[ECA-2270] - MSIE enrollment fails under certain conditions
[ECA-2276] - Approvals are denied because requestAdmin is not local admin token
[ECA-2278] - Finding free ids checks the id incorrectly
[ECA-2283] - Hard tokens are listed in wrong order in the GUI
[ECA-2286] - The VA page listing URLs to CA certificates and the VA page
listing URLs to CRLs is blank for some installations.
[ECA-2299] - Reading CMP messages over http1/1 with chunked encoding can fail

EJBCA 3.11.5, 2012-03-12


---
Bug
[ECA-2594] - Fixed some XSS issues.

EJBCA 3.11.4, 2012-02-13


---
Bug
[ECA-2557] - Minor XSS issues: merge bugfix from ECA-2482

EJBCA 3.11.3, 2011-07-08


---
Bug
[ECA-2065] - Certificate enrollment using OS X 10.6 and Safari 5.0.3
[ECA-2152] - Certificate not published to OCSP when reactivating after jboss
restart.
[ECA-2212] - Problem between 'ant install' and 'ant deploy' on JBoss EAP 5.1.

EJBCA 4.0.3, 2011-06-01


---
Improvement
[ECA-2188] - CMP improvements and minor bug fixes
[ECA-2189] - Fetch CMP regToken Control from CertRequest as well as CertReqMsg

Bug
[ECA-2101] - CMP error parsing POP signing key from BC1.46 clients
[ECA-2104] - CMP protection using digital signatures is missing DERNull for RSA
AlgorithmParameters
[ECA-2181] - Exception deleting end entity profiles,
AccessRulesData.findCountByCustomQuery does not use valuextractor
[ECA-2190] - POPO verification fails for BC1.46 signed CMP messages

EJBCA 4.0.2, 2011-05-22


---
New Feature
[ECA-1405] - Support for adding PrivateKeyUsagePeriod certificate extension
[ECA-1678] - Support Public Web enrollment in Chrome
[ECA-2172] - Storing of a secret not allowed to be in certificate in a DB with
mapping to a field in the certificate.

Improvement
[ECA-1827] - Optimize unique subject DN check
[ECA-1909] - End-Entity popups layout improved
[ECA-1959] - Public web layout improved
[ECA-1975] - View Log layout improved
[ECA-1976] - Fix PMD warnings
[ECA-2075] - Use ISO 8601 date format for absolute CertificateValidity,
LogjDevice and in interfaces
[ECA-2076] - Change label 'CRL Publishers' to 'Publishers' for CAs
[ECA-2081] - Optimize EJBCA
[ECA-2084] - Create combined JDK patch for SHA224WithECDSA and RSAWithMGF1
[ECA-2097] - End-Entity Search form usability
[ECA-2100] - Make the number of BCrypt rounds configurable
[ECA-2106] - Improve CertificateProfileCache and EndEntityProfileCache
[ECA-2107] - Use getResultList instead of getSingleResult for JPA queries
[ECA-2110] - Improve log error message when CMP RA CA does not exist
[ECA-2111] - View History popup improved
[ECA-2115] - Use StringBuilder instead of StringBuffer where thread safety
isn't required
[ECA-2119] - Optimize DNFieldsUtil
[ECA-2125] - GUI usability: History navigation in popups

Bug
[ECA-2006] - Certain hexadecimal values of the Validity field on the Edit CA
page are parsed incorrectly
[ECA-2065] - Certificate enrollment using OS X 10.6 and Safari 5.0.3
[ECA-2085] - During install asked twice to input password
[ECA-2098] - Check for unique index on (certificate serialNumber, issuerDN)
does not work as expected
[ECA-2108] - Property for custom available access rules misspelled
[ECA-2113] - CA Tokentype ignored during installation
[ECA-2132] - Start and end time displaying bugged in View EE popup
[ECA-2133] - DN displaying bugged in View Certificate popup
[ECA-2136] - Displaying of DN attributes which contains several spaces
[ECA-2137] - Fix EJBCA Web Configuration layout
[ECA-2143] - External RA PKCS12 request gives NPE
[ECA-2152] - Certificate not published to OCSP when reactivating after jboss
restart.
[ECA-2153] - Error serial number start with 0
[ECA-2154] - Cert-cvc date decoding does not take timezone into consideration
[ECA-2158] - Export log as CSV does not work
[ECA-2166] - CertificateExpireTest does not remove the test CA
[ECA-2168] - If ServicetimerSessionBean.timeoutHandler throws exception
multiple timers are created
[ECA-2169] - Possible too much logging when violating unique user public key
and/or DN
[ECA-2176] - Deploying XKMS on JBoss 6 downloads dtd from w3c

Task
[ECA-2073] - Update generated documentation
[ECA-2091] - Upgrade Extended CA services to include implementation classpath
[ECA-2147] - Clean up HTML code
[ECA-2148] - Message keys refactoring

EJBCA 3.11.2, 2011-04-29


---
Bug
[ECA-1981] - End Entity History: Administrator is not listed right
(NullPointerException)
[ECA-1996] - NPE in approvals page when logged in as RA Admin without End
Entity Profiles access rights
[ECA-2008] - Date in certificate profile decreased by one if different daylight
savings time
[ECA-2024] - External CAs are set to expired, and treated as normal CAs giving
exceptions in log
[ECA-2037] - Compilations fails on JDK 5
[ECA-2092] - Not possible to revoke some certificate after upgrading from 3.4.x
to 3.11.1
[ECA-2102] - Some WS calls do not write the DN and issuer DN of the client
making the call to the WS transaction log.
[ECA-2120] - External OCSP does not deploy on JBoss 5.1
[ECA-2127] - Republishing a revoked certificate to VA does not work
[ECA-2131] - Republish button in Admin GUI's view certificate page will not
work when CertReqHistory isn't present for the certificate.
[ECA-2135] - Republish button in Admin GUI does not work for special characters

Improvement
[ECA-2012] - Support named curves for Brainpool ECC in PKCS11 HSMs
[ECA-2082] - Add note about potential future error in fresh installations on
EJBCA 3.11.0 and 3.11.1 on MySQL.

New Feature
[ECA-2009] - Add GlassFish database schema for Oracle
[ECA-2013] - Support SHA224WithECDSA on PKCS11 HSMs
[ECA-2014] - Support signing with SHA256WithRSAandMGF1 on PKCS11 HSMs
[ECA-2018] - Possibility to disable command line interface
[ECA-2021] - WS Call for retrieving CA path
[ECA-2022] - Add Web Service RA standalone application
[ECA-2083] - Add Import CRL to the EJBCA CLI
[ECA-2093] - CA CLI: Add import certificates from a directory of PEM files
[ECA-2112] - Web service operation issuing certificate from public key
[ECA-2141] - ExtRA certificate request that also edit user and sets serial
number

4.0.1, 2011-03-08
---
Bug
[ECA-2090] - Can not browser enroll with IE

4.0.0, 2011-03-03
---
New Feature
[ECA-200] - Serialized database object not compatible between different app
servers
[ECA-1286] - Additional notification template tag requestAdmin.CN
[ECA-1348] - Update user's SubjectDN from EJB CLI
[ECA-1516] - Possibility to revoke a certificate with the ejbca.sh tools (using
the serial number)
[ECA-1522] - EJBCA CLI command to list lastUpdate and nextUpdate for each CA's
last CRL
[ECA-1595] - Add Adobe PDF Signature extended key usage
[ECA-1700] - Add customLog WS CLI command
[ECA-1867] - Perform ampersand escaping for XML-based database sources
[ECA-1875] - New JUnit test for parsing Glassfish's JEE standard validation
[ECA-1905] - Function in public web to dump/inspect contents of
certificates/CSRs
[ECA-2000] - Add SPOC PKI, CSN369791, extended key usages
[ECA-2013] - Support SHA224WithECDSA on PKCS11 HSMs
[ECA-2014] - Support signing with SHA256WithRSAandMGF1 on PKCS11 HSMs
[ECA-2021] - WS Call for retrieving CA path
[ECA-2022] - Add Web Service RA standalone application
[ECA-2072] - Handle database with case sensitive column names

Improvement
[ECA-687] - WebService API does not work on Weblogic
[ECA-735] - Additional default 'chain' link on the public CRL/CA page
[ECA-852] - Improve handling of error in WS-API for unknown errors like
underlying SQLExceptions.
[ECA-899] - Specify min password length in Bits - regardless of method used to
express them
[ECA-964] - Change all "revokation" to "revocation" and "revoce" to "revoke"
throughout the sourcecode
[ECA-1064] - Simplify configuration depending on appserver.type
[ECA-1099] - PMD Warnings
[ECA-1378] - Don't display Log4jLogDevice in View log function in admin-GUI
[ECA-1511] - Make EJBCA JBoss 6.0 compliant
[ECA-1528] - Remove CRL number from Publisher.storeCRL method
[ECA-1586] - Possible to prompt for passwords during install and don't display
on screen
[ECA-1601] - GeneralPurposeCustomPublisher should have parameter for deltaCRL
[ECA-1623] - Refactor unit tests to comply to JUnit3 standard
[ECA-1648] - Date format of the setStartTime and setEndTime WS functions
[ECA-1656] - Adapt ProtocolOcspHttpTest to Windows
[ECA-1667] - E-mail template: use an e-mail address from SAN or entity account
[ECA-1750] - The Elimination of TestTools
[ECA-1755] - Replace usage of SimpleDateFormat with commons.lang FastDateFormat
[ECA-1786] - Get all tests up and running post EJB3-conversion
[ECA-1833] - Log devices that use the database should be responsible for
creating new transactions
[ECA-1839] - Remove JNDI lookup for local interfaces and replace with proper
injection wherever possible.
[ECA-1840] - Move CMP TCP Service to a separate appserver independent module
[ECA-1843] - Move configuration from ejb-jar.xml to Commons Config read
property files
[ECA-1849] - Refactor HealthCheck component to allow for injection of local
interfaces.
[ECA-1852] - Change Log4J property file bundled with EJBCA on non-JBoss
application servers to XML format
[ECA-1863] - Make org.cesecore.core.ejb.ca.store.CertificateProfileSessionBean
from CertificateStoreSessionBean
[ECA-1868] - Extract EndEntityProfileSession from RaAdminSession in preparation
for CESeCore.
[ECA-1878] - Improve speed of HttpMethodsTest
[ECA-1880] - Run unit JUnit tests in parallel
[ECA-1886] - Add new authorization check to internal getCA method
[ECA-1888] - Move detection of referenced publishers and CAs to
CertificateProfileSessionBean
[ECA-1890] - AuthorizationSessionBean tosses AuthorizationDeniedException for
unexceptional conditions.
[ECA-1896] - Remove unused methods in CreateCRLSession
[ECA-1899] - Support for RSA CAs with SHA384 and SHA512 in admin GUI
[ECA-1900] - Replace Class.forName(SomeClass.class.getName()) with
SomeClass.class
[ECA-1929] - Convert CertificateDataUtil to abstract base class for
CertificateStoreSessionBean and CertificateStoreOnlyDataSessionBean
[ECA-1943] - Only merge ejbca-custom once per build
[ECA-1970] - Simplify query for batch users
[ECA-1989] - Mildly confusing message during default install "Generating for
all FAILED."
[ECA-1991] - Change references to ejb-interface_ejb3 to just ejb-interface
[ECA-1993] - Migrate EJBCA from junit3 to junit4
[ECA-2011] - Improve build scripts
[ECA-2016] - Improvement of CA Administrators access rules
[ECA-2019] - Update generated documentation
[ECA-2030] - Use atomic update of LogConfigurationData.logEntryRowNumber
[ECA-2033] - Use @Override on all EJB methods
[ECA-2064] - Ugly exception in cli trying to set pwd for non existing user
[ECA-2088] - Remove CertificateData created during test for index
certificatedata_idx1

Task
[ECA-1319] - Upgrade apache beanutils to > 1.8
[ECA-1671] - CAInfo.setincludeInHealthCheck misspelled
[ECA-1716] - Migrate from J2EE to JEE5
[ECA-1717] - Drop support for JDK 1.5
[ECA-1718] - Convert EJB 2.1 interfaces to their EJB 3.0 counterpart
[ECA-1719] - Update EJBCA WS and XKMS
[ECA-1720] - Migrate Entity Beans to JPA 1.0
[ECA-1721] - Migrate all Stateless Session Beans from EJB 2.1 to EJB 3.0
[ECA-1722] - Use JPA QL instead of JDBC
[ECA-1723] - Remove XDoclet
[ECA-1728] - Refactor Admin GUI as self contained module depending on EJB
interfaces
[ECA-1730] - Refactor Public Web components as self contained modules depending
on EJB interfaces
[ECA-1777] - Add the unit test for CMP extractUsernameComponent created in
ECA-1736 to EJBCA4
[ECA-1832] - Remove ProtectedLog
[ECA-1851] - Remove support for OC4J
[ECA-1854] - Enterprise bean class must declare all class static fields as
final
[ECA-1879] - Extract AdminEntity and AdminGroup handling from
AuthorizationSession in order to comply with the CeSeCore spec.
[ECA-1884] - Drop Jasper reports
[ECA-1892] - Remove unused methods in SignSession
[ECA-1894] - With caching EJBCA should recover from a database failure
[ECA-1903] - Remove myfaces jars
[ECA-1904] - Extract CRUD operations from CreateCrlSession into a new bean
[ECA-1907] - Extract some CRUD operations for CAs from CaAdminSessionBean to
new SSB
[ECA-1913] - Message keys refactoring
[ECA-1920] - Move configuration of initial administration CA to
install.properties
[ECA-1922] - Remove TableProtect mechanism
[ECA-1926] - Move Log4J JBoss appenders to separate module
[ECA-1927] - Upgrade commons-configuration to latest version (1.6)
[ECA-1928] - Upgrade commons-lang to latest version (2.5)
[ECA-1940] - Upgrade commons-logging to latest version (1.1.1)
[ECA-1942] - Upgrade log4j to latest version (1.2.16)
[ECA-1944] - Merge ECA-1853 and ECA-1931 to trunk
[ECA-1971] - HTML/CSS compliance and code cleaning
[ECA-1974] - Document current state of Test EJBCA 4 on WebLogic AS 10.3.4
[ECA-1977] - Remove deprecated methods from BasePublisher and update
ICustomPublisher to match.
[ECA-1984] - Remove deprecated methods from CertificateProfile
[ECA-1986] - Remove deprecated certtools.dnorderreverse
[ECA-1987] - Document current state of EJBCA 4 on WebSphere AS 7
[ECA-1992] - Remove unused env entries from CMP WAR's web.xml
[ECA-2036] - Test for CVE-2010-4476

Bug
[ECA-579] - Log queries for administrator data are incorrect
[ECA-1151] - startTime/endTime format in end entity profile incoherence
[ECA-1212] - Edit administrator groups does not work on Weblogic 9/10
[ECA-1327] - Creating CA from CLI using a certificate profile not derivative of
ROOTCA or SUBCA causes a NullPointerException.
[ECA-1352] - The CA DN is not the CA displayed in CA certificate view
[ECA-1397] - postalAddress DN component has wrong encoding
[ECA-1515] - ejbca.sh ca listexpired return revoked certificates
[ECA-1591] - External OCSP tests in TestPublisher fails on Postgres
[ECA-1604] - Trying to create a CVCA with incomplete SubjectDN results in
NullPointerException
[ECA-1615] - Forgetting to define key encryption key in hard token results in
NullPointerException on certificate creation with CSR
[ECA-1624] - Test test06RequestCounter in UserDataTest system test apparently
does not clean up after itself
[ECA-1647] - ServiceTimerSession does not loop through the correct timers in
case of exception
[ECA-1650] - JUnit tests cannot handle EndOfLine characters on Windows
[ECA-1673] - OCSP Service Locator URI fills in default value even if we want to
have it empty
[ECA-1686] - CertificateStoreSessionBean.findCertificatesByXX inconsistent
behavior when user does not exist
[ECA-1689] - Possible NullpointerException in admin GUI if ee profile is
removed in database
[ECA-1695] - EjbcaWS.getAvailableCertificateProfiles and
getAvailableCAsInProfile throws NullPointerException if profile does not exist
[ECA-1697] - Possible NPE when merging WS DN
[ECA-1699] - X.500 DN order with multiple attributes (e.g. DC, OU)
[ECA-1753] - externalra-gui does not work with jBoss 5.1.0.GA.
[ECA-1767] - Subject DN field with only the space character leads to Exception
[ECA-1799] - notSerializableException running userquery with remote EJBs
[ECA-1806] - Get timers working again in EJBCA4
[ECA-1809] - Services based on EJB Timer service does not work on Weblogic
Server 10.0
[ECA-1829] - XKMSKISSTest fails due to improper matching of SubjectDNs
[ECA-1841] - Error adding end entity with several required and non required OUs
[ECA-1861] - Batch generation does not work when there are lots of new users
with empty passwords in database
[ECA-1864] - CATokenOfflineException is converted to CADoesntExistsException
[ECA-1887] - Redeployment on Glassfish 2.1.1 does not work
[ECA-1919] - EndEntityProfileSessionBean.findFreeEndEntityProfileId may fail
and loop
[ECA-1951] - Can't add admin groups when logged in as SuperAdmin
[ECA-1956] - EJBCA doesn't handle well SCEP request with multivalue relative
distinguishable name with a space in it
[ECA-1973] - Certificate archiving does not work when creating CRLs using WS
(4.0 dev regression only)
[ECA-1980] - Unable to delete end entity profile
[ECA-1981] - End Entity History: Administrator is not listed right
(NullPointerException)
[ECA-1982] - External OCSP responder does not work with ECC algorithm
[ECA-1988] - WARs depend on classes from ejbca-ejb.jar and not only EAR bundled
libs
[ECA-1994] - Arrays.asList does not like an empty array of Integer
[ECA-1995] - NullPointerException creating request if cachain is null
[ECA-1996] - NPE in approvals page when logged in as RA Admin without End
Entity Profiles access rights
[ECA-1999] - SECURITY: Replace simple password hashing with BCrypt salted
password hashing
[ECA-2002] - CRLs must be published when they are created
[ECA-2004] - The Edit CA form is submitted even when an error in the input is
detected
[ECA-2005] - Catch NoResultException for
javax.persistence.Query.getSingleResult
[ECA-2007] - Always check for null before trying to remove something with
entityManager
[ECA-2008] - Date in certificate profile decreased by one if different daylight
savings time
[ECA-2010] - Wrong menu displaying according to Admin access rules
[ECA-2024] - External CAs are set to expired, and treated as normal CAs giving
exceptions in log
[ECA-2025] - Download of certificates via ejbca/adminweb/ca/endentitycert does
not work
[ECA-2028] - Build script error for WS
[ECA-2031] - WebdistHttpTest use case sensitive check for HTTP header
[ECA-2045] - CAActivation page requires wrong permission to view
[ECA-2055] - Reactivation is no longer possible in Admin GUI when viewing
certificate
[ECA-2057] - CertificateData.findUsernamesByExpireTimeWithLimit's query is
missing IS keyword.
[ECA-2059] - Random hiccups with services
[ECA-2060] - CARepublishCommand might publish CRL with wrong CRLNumber
[ECA-2061] - CaRepublishCommand throws exception publishing server certificates
[ECA-2062] - CRLs are not always created in a new transaction
[ECA-2071] - AccessRuleData matching for CAs and EndEntityProfiles
[ECA-2089] - ExternaRAServiceWorker cannot access external database in
container managed transaction

3.11.1, 2010-12-23
---
Improvement
[ECA-1908] - Certificate popup layout improved
[ECA-1952] - Add favicon to public and admin web
[ECA-1958] - Add message "Integrated by"
[ECA-1961] - Header, Footer, and global layout improved
[ECA-1972] - CA information popup layout improved

Bug
[ECA-1946] - cert-cvc 1.2.12 maven pom still has version tag 1.2.11
[ECA-1948] - MySQL mapping for KeyRecoveryData.certSN is incorrect
[ECA-1949] - MySQL mapping for UserData.cardNumber is inconsistent in SQL
create script and mapping files.
[ECA-1950] - ETSI QC value limit can not have 0 value
[ECA-1953] - Sybase ServiceData.nextRunTimeStamp and runTimeStamp was
inconsistent compared with other long fields
[ECA-1955] - Error upgrading from EJBCA 3.6.x to 3.11.x
[ECA-1962] - Editing certificate profile, session information spills over to
other edits when using the "Back to certificate profiles" link
[ECA-1963] - Trying to use Cardnumber in EE profile gives error about missing
UNSTRUCTUREDADDRESS
[ECA-1964] - Ugly NPE in log for field error during add end entity
[ECA-1965] - UserDoesntFullfillEndEntityProfile is wrapped twice in
LocalUserAdminSessionBean
[ECA-1966] - Add end entity modifies cached end entity profiles
[ECA-1985] - UnstructuredAddress dn field does not work

3.11.0, 2010-11-29
---
New Feature
[ECA-63] - Implement RFC4387, cert store access via http
[ECA-1264] - Add extended information to edit user WS-API.
[ECA-1711] - GUI application for batch-enrollment from CSR:s
[ECA-1784] - Add version column to database tables
[ECA-1842] - Be able to separate log files depending on CA
[ECA-1844] - Function to flush caches across a cluster from admin GUI
[ECA-1850] - ClientToolBox command for db management in a generic way.
[ECA-1853] - External OCSP responder also a CRL Distribution point
[ECA-1885] - Options to issue certificates without database storage
[ECA-1893] - Supply custom certificate serial number over CMP in RA mode
[ECA-1901] - Support one CMP RA secret per CA
[ECA-1938] - Database mapping for Oracle on GlassFish
[ECA-1859] - Add SSH extended key usages
[ECA-1860] - Add MS Code Signing extended key usages

Improvement
[ECA-1712] - Add End-Entity forms usability
[ECA-1765] - Possibility to pin a service to specific cluster nodes
[ECA-1768] - Make Ubuntu quick start guide doc
[ECA-1816] - Forms layout improved
[ECA-1819] - Make nextRunTimeStamp a column in database to avoid updating long
column
[ECA-1837] - Optimize use of ExtendedInformation to not store anything if not
used
[ECA-1847] - Make data types consistent across all databases
[ECA-1848] - Only log CA expired warnings to server.log
[ECA-1857] - End-Entity Profile form improved
[ECA-1858] - Certificate Authority form improved
[ECA-1862] - Optimize creation of User and Certificate objects in database
[ECA-1877] - SPOC interop requires "unusual" countries which the CVC library
does not permit
[ECA-1895] - Set correct port in administration link in public web
[ECA-1897] - Improve error message for violating unique subject DN
[ECA-1912] - Add new RSA key sizes: 1536 bits, 8192 bits
[ECA-1921] - Search End Entities layout improved
[ECA-1935] - Use random password for autogenerated passwords in WS-API
certificateRequest
[ECA-1937] - New RSA 1536 Bit for Hard Token Profiles

Task
[ECA-1923] - Deprecate TableProtect mechanism
[ECA-1924] - Introduce new (unused) database column for future integrity
protection

Bug
[ECA-1841] - Error adding end entity with several required and non required OUs
[ECA-1845] - Wrong reference in on line doc link for renew ca
[ECA-1871] - It's possible to change the value of 'OCSP Service Locator URI'
when 'Use Authority Information Access' is turned on
[ECA-1914] - Import of certificate profiles referring to CVC CAs failed in CLI
[ECA-1915] - TestCustomCertSerialnumberWS not compilable without JBoss
[ECA-1917] - Class not found during marshalling when running tests on GlassFish
[ECA-1918] - Web services tests fails on GlassFish
[ECA-1930] - Error using creatcrl cli on Glassfish
[ECA-1931] - NPE in OCSP at load
[ECA-1934] - Standalone VA/OCSP missing jar when deploying on GlassFish
[ECA-1936] - Some characters double encoded in admin GUI
[ECA-1939] - XMLEncoding/decoding of ExtendedInformation complains about
BigInteger
[ECA-1945] - Username not displayed in popups

3.10.6, 2010-11-26
---
New Feature
[ECA-1264] - Add extended information to edit user WS-API.

Improvement
[ECA-1877] - SPOC interop requires "unusual" countries which the CVC library
does not permit

Bug
[ECA-1841] - Error adding end entity with several required and non required OUs
[ECA-1845] - Wrong reference in on line doc link for renew ca
[ECA-1914] - Import of certificate profiles referring to CVC CAs failed in CLI

3.10.5, 2010-09-21
---
New Feature
[ECA-1791] - Logging the certificate SubjectDN when an admin logs in with an
external cert and displaying this info in Log View
[ECA-1822] - Command line to clear internal caches

Improvement
[ECA-1663] - Option to specify CRL Expire Period fields etc. in months
[ECA-1741] - Clean authentication session bean
[ECA-1756] - Configurable cache for end entity profiles
[ECA-1795] - It should be possible to run the CMP TCP Proxy as a Windows
service
[ECA-1797] - Page sub-titles harmonized
[ECA-1800] - Name as a word, name as a DN attribute
[ECA-1802] - Improve CAInfo cache to use configurable time
[ECA-1805] - Configurable cache for certificate profiles
[ECA-1807] - Document 'Finish User' CA config
[ECA-1811] - Improve caching of global configuration and authorization data
[ECA-1813] - Re-order all the Extended Key Usage
[ECA-1816] - Forms layout improved
[ECA-1818] - Make log configuration cache time configurable
[ECA-1823] - HSM p11 key attribute test and default.
[ECA-1824] - New "fixed" username generation scheme in CMP RA mode
[ECA-1831] - Lower log level from info to debug for expired CA warnings
[ECA-1834] - Use only fingerprint index to check for unique cert serialnumber

Task
[ECA-1745] - Can not re-publish a certificate when CertReqHistory is not used
[ECA-1780] - Doc update CMP over TCP not supported on Glassfish
[ECA-1830] - Update german language file

Bug
[ECA-1739] - Unique subjectDN serialnumber cannot be edited.
[ECA-1747] - Change how an approval administrator is identified, approval does
not work with external administrators
[ECA-1759] - Admin GUI crashes with a stacktrace when accessed by unauthorized
user cert, on JBoss 5
[ECA-1779] - Error when clicking on the Administrator in "View Log"
[ECA-1790] - Unable to choose event in Advanced Filter Mode in View Log
[ECA-1793] - Mitigate Cross Site Scripting (XSS) in the Admin GUI
[ECA-1794] - Admin GUI errors on JBoss 5
[ECA-1804] - ProfileMappings update and fixes, for messages
[ECA-1808] - WS CLI does not support unrevocation
[ECA-1812] - Activation failure when EJBCA is started at high load
[ECA-1817] - EJBCA fail to install, if application server is installed in the
root directory.
[ECA-1820] - Certificate related events in the View Log does not display the
certificate in question
[ECA-1821] - NullPointerException when filling certain fields in View Log
[ECA-1825] - Create CA with SerialNumber in DN regression with CLI
[ECA-1836] - Use CertReqHistory should be active by default

3.10.4, 2010-08-12
---
New Feature
[ECA-1727] - User defined serial number using UserDataVO
[ECA-1733] - Possible to configure CA to not use Certificate Request History
[ECA-1735] - Add configuration to fully cache CA objects, to minimize database
roundtrips

Improvement
[ECA-1729] - EJBCA on Glassfish with MySQL
[ECA-1734] - Add throws clause for CADoesntExistException to add/change user in
user admin session bean, and optimize away one read of CA info in cert req session
[ECA-1743] - Improve file log for parsing, prefix dn and quote it in log
[ECA-1752] - Harmonized themes for home page
[ECA-1757] - Harmonized themes for CA Activation page
[ECA-1762] - Harmonized GUI for all pages
[ECA-1763] - Make country DV renewals optionally take CVCA certificate from the
EJBCA store
[ECA-1783] - CertTools.checkValidity should not log with error when a CVC
certificate has expired

Task
[ECA-1725] - Make test34CaRenewCertRequest JUnit test also for ECC keys

Bug
[ECA-1321] - Single-quote bug when creating CRL from Admin GUI
[ECA-1710] - Certrequest session (and now CMP) requires ee profile to use
'Batch', i.e. clear pwd
[ECA-1724] - Mitigate Cross Site Scripting (XSS) in the Admin GUI
[ECA-1731] - EJBCA WS KeyRevocerNewest always returns 0 as approval Id in
WaitingForApprovalException
[ECA-1736] - extractUsernameComponent in CMP client mode broken
[ECA-1737] - Error while setup admin permissions for superadmin when
superadmin.cn contains a space
[ECA-1738] - Nullpointer exception editing end entity profiles when printer is
null
[ECA-1746] - EjbcaWS does not work with external admin certificates
[ECA-1761] - Error parsing certificate serialnumber
[ECA-1778] - webconfiguraiton.jspf displays HTML
[ECA-1785] - Error when filling the Subject Directory Attribute Fields
[ECA-1789] - ocsphealthcheck does not deploy on JBoss 5

3.10.3, 2010-06-24
---
Improvement
[ECA-1709] - Typo in ejbca-ws-cli

Bug
[ECA-1704] - Tomcat's server.xml must have URIEncoding also for port 8080
[ECA-1710] - Certrequest session (and now CMP) requires ee profile to use
'Batch', i.e. clear pwd
[ECA-1713] - Mitigate Cross Site Scripting (XSS) in the error page of Admin GUI
[ECA-1714] - Issuer CA DN is HTML escaped when revoking through Admin GUI
[ECA-1715] - Error creating DVs using ECC

3.10.2, 2010-06-17
---
New Feature
[ECA-1622] - CMP Proxy
[ECA-1677] - Enforce unique SubjectDN Serial Number
[ECA-1693] - Validate content of End Entity Fields
[ECA-1705] - Support MySQL 5.1 Cluster 7
[ECA-1707] - Display a search-link when trying to add a user that already
exists.

Improvement
[ECA-714] - Document how ROOT CA revocation works, and what to do
[ECA-1655] - Restrict http methods other than get and post
[ECA-1674] - Output the servers time to the first page of the Admin GUI.
[ECA-1682] - Allow multiple CA policy OIDs and URLs when creating a CA from the
EJB CLI
[ECA-1683] - Use CertificateRequestSessionBean for CMP to make it transaction
safe
[ECA-1685] - Look over exception handling in UserAdminSessionBean findUser and
optimize usage to existsUser where possible
[ECA-1687] - LocalUserAdminSessionBean.findAllUsersByCaId method declares
throws FinderException that it does not throw
[ECA-1690] - Possible to define custom CN of superadmin on install
[ECA-1658] - Supervision of the validity time of the signing certificates for
the OCSP responder

Task
[ECA-1631] - Update pre-defined windows smart card logon profiles

Bug
[ECA-715] - Possible to issue certificates from a revoked CA
[ECA-1266] - Upgrade may cause "use authority information access" to be enabled
though it was not before in certificate profile
[ECA-1639] - The CAR of a CV Certificate can hold an incorrect sequence number
(which makes the CAR incorrect)
[ECA-1645] - Exception in CertTools parsing CRL Distribution Point with name
but no URI
[ECA-1646] - class isolation does not work with Jboss AS 4.2.3 GA : unable to
"ant install" successfully
[ECA-1651] - Some cli commands do not work on JBoss 5
[ECA-1652] - Trying to use plus sign in DN with WS-API results in double
escaping
[ECA-1653] - Trying to get delta CRL when none exists with cli gives ugly error
message
[ECA-1654] - Perform check for illegal SQL query characters from
LocalUserAdminSession.query
[ECA-1657] - export profiles cli gives error for CA certificate profiles
[ECA-1660] - Visiting adminweb using port 442 for the first time gives NPE
[ECA-1661] - Adding a CA with PKCS11 token but without HSM installed gives NPE
[ECA-1662] - Password masking in "ant install" not working on Windows Server
2008
[ECA-1666] - Not possible to use subject DN EMAIL field when creating
certificate with CMP.
[ECA-1668] - Tooltip title missing in Edit Administrator Privileges
[ECA-1670] - Upgrade of existing CA should set EnforceUniqueDistinguishedName
and PublicKey to false
[ECA-1672] - /log_functionality/log_custom_events authorization not verified in
WS API
[ECA-1675] - Download CRL from Basic functions give ugly filename with space in
CN
[ECA-1676] - Error downloading certificate request created by X509 CA
[ECA-1679] - Can not create a new certificate request from a CVC CA with no
previous signing key
[ECA-1680] - When superadmin.dn is modified, authentication on adminweb is
impossible
[ECA-1681] - MakeRequest button when SignedBy=External CA is not enabled

3.10.1, 2010-05-03
---
New Feature
[ECA-1542] - New WS API methods for caRenewCertRequest and caCertResponse
[ECA-1622] - CMP Proxy
[ECA-1630] - Support SHA384withECDSA signature algorithm

Improvement
[ECA-958] - Allow DVCA renewal of keys without activating them immediately
[ECA-1585] - Renew CA signed by external does not accept binary CA certificate
input
[ECA-1616] - cvcRequest gives unclear error message when the exact same request
is passed
[ECA-1618] - OCSP responder, log startup, with version, and shutdown
[ECA-1627] - Support DSA keys in ejbca.sh batch.
[ECA-1635] - Specify a ca certificate profile when creating a ca with CLI

Task
[ECA-1346] - Write version information etc in ejbca-util.jar's manifest file
[ECA-1529] - Remove the SafeNetLuna JCE CA token
[ECA-1563] - EJBCA does not deploy on JBoss EAP 5.0.0.GA

Bug
[ECA-1058] - Multiple DCs in CA's subjectDN break CRL generation when LDAP DN
order switched off
[ECA-1072] - Got exception when adding an end entity from ejbcarawscli.sh when
approval is enabled
[ECA-1136] - User interface does not update correctly when changing Admingroup
privileges
[ECA-1189] - Error saving RA Admin access rules, End Entity Rules
[ECA-1197] - Mail notifications do not work for CAs about to expire.
[ECA-1541] - CMP servlet does not verify input length
[ECA-1587] - CLI for getting delta CRL does not work
[ECA-1602] - A Root CA can not renew certificate of an External CA
[ECA-1603] - Approval Notifications gives nullpointerexception
[ECA-1608] - Approval notification does not include requestAdmin
[ECA-1609] - A new CRL is not created when a CA is renewed.
[ECA-1610] - An error is logged when publishing CRL for a CA not using delta
CRL.
[ECA-1614] - ERROR logged erroneous when renewing root CA
[ECA-1617] - Process time in OCSP logging fails when request fails
[ECA-1619] - "CA issuer URI" can not be deleted on the "Edit Certificate
Profile" page if the string start or ends with space.
[ECA-1620] - Listing end entities with expiring certificates generates
Exception
[ECA-1626] - addUser ejb method does not always throw DuplicateKeyException if
user exists
[ECA-1629] - Error saving RA Admin access rules, Other Rules
[ECA-1633] - document boolean usepreviouskey in X509CA.signRequest better
[ECA-1638] - activateca cli does not work for expired CAs
[ECA-1641] - Expired CAs makes CA cert download from public web fail
[ECA-1644] - ejbca.sh listcas does not work with CVCAs

3.10.0, 2010-03-26
---
New Feature
[ECA-1530] - Support signing NewWithOld after CA key rollover
[ECA-1557] - Enforcement of Unique Public keys
[ECA-1566] - External RA: Web based GUI for enrolling entities
[ECA-1567] - Enforcement of Unique Distinguished Name
[ECA-1589] - Support for Ingres 9.3

Task
[ECA-1465] - Preparations for EJBCA 4
[ECA-1466] - Build ejbca-util with a minimal number of classes
[ECA-1467] - Move the ejbca-ws build to modules
[ECA-1468] - Move the ejbca-xkms build to modules
[ECA-1470] - Deprecate ProtectedLog
[ECA-1476] - Move external RA to modules
[ECA-1482] - Update JavaDoc build
[ECA-1484] - Disable XKMS service by default
[ECA-1531] - Restructure documentation into separate admin and user guides
[ECA-1550] - Internal OCSP responder should always use the CA signing
certificate to sign responses
[ECA-1582] - Upgrade bouncycastle to 1.45

Improvement
[ECA-668] - Possibility to change keyStorePassword in an already installed
setup
[ECA-892] - WS-cli should work with pkcs12 file as well in addition to jks
files.
[ECA-1237] - External RA: possibility to deploy to other deploy directory
[ECA-1239] - Build ClientToolBox without application server present
[ECA-1251] - Name returned certificates from public web after the username
[ECA-1336] - Add Spanish commonly used OID's NIF/CIF
[ECA-1380] - Use commons configuration for all configuration
[ECA-1381] - Use JPA in ExtRA client library
[ECA-1383] - Separate system and functional JUnit tests
[ECA-1396] - Create new WS and bean method that creates/edits user and issues a
certificate in a single transaction
[ECA-1428] - More effective stress test.
[ECA-1432] - Refactor and create new module for EJBCA's remote EJB CLI
[ECA-1469] - Rename LogEntryDataBean comment and comment_ column to logComment
for all database types
[ECA-1488] - Property in mail.properties for setting SMTP port missing
[ECA-1495] - Enforce dependency check for all components of the EJBCA core and
improve structure
[ECA-1505] - Optimize isRevoked method in CertificateStoreSessionbean
[ECA-1537] - Display min and max time for stress test jobs
[ECA-1575] - Get length of message from ASN1 length value.
[ECA-1576] - Default certificate profile should not allow key usage override
[ECA-1596] - Possibility to run SCEPTest directly against EJBCA.
[ECA-1599] - EJBCA EJB CLI subcommand 'encryptpwd' should not echo password

Bug
[ECA-1050] - Revoke and renew button on OCSP/XKMS/CMS extended services only
revokes and does not renew
[ECA-1536] - Extra test client does not compile with JBoss 5
[ECA-1578] - Use of DN from CA data when searching for last CRL number.
[ECA-1579] - Root CA certificate could have different subject and issuer DN.
[ECA-1583] - EJBCA EJB CLI is not working with JBoss 5
[ECA-1584] - PublisherQueue process service does not work in PostgreSQL
[ECA-1590] - Hash of a CA certificates can not be used to get "CA" if the
subject DN of the certificate is not the same as the subject DN of the CA data.

3.9.10, 2010-03-01
---
Bug
[ECA-1699] - X.500 DN order with multiple attributes (e.g. DC, OU)

3.9.9, 2010-11-02
---
New Feature
[ECA-1264] - Add extended information to edit user WS-API.

Bug
[ECA-1704] - Tomcat's server.xml must have URIEncoding also for port 8080
[ECA-1714] - Issuer CA DN is HTML escaped when revoking through Admin GUI
[ECA-1773] - Using multiple of the same Custom OID field for OtherName in
Subject Alternative Names results in double values
[ECA-1841] - Error adding end entity with several required and non required OUs

3.9.8, 2010-06-17
---
Improvement
[ECA-1658] - Supervision of the validity time of the signing certificates for
the OCSP responder

Bug
[ECA-1266] - Upgrade may cause "use authority information access" to be enabled
though it was not before in certificate profile
[ECA-1639] - The CAR of a CV Certificate can hold an incorrect sequence number
(which makes the CAR incorrect)

3.9.7, 2010-05-03
---
Improvement
[ECA-1616] - cvcRequest gives unclear error message when the exact same request
is passed
[ECA-1618] - OCSP responder, log startup, with version, and shutdown

Bug
[ECA-1636] - Error creating DVs signed by external CVCAs
[ECA-1643] - Possible NullpointerException in
EjbcaWS.getAvailableCertificateProfiles

3.9.6, 2010-03-30
---
New Feature
[ECA-1542] - New WS API methods for caRenewCertRequest and caCertResponse

Improvement
[ECA-958] - Allow DVCA renewal of keys without activating them immediately
[ECA-1585] - Renew CA signed by external does not accept binary CA certificate
input

Bug
[ECA-1587] - CLI for getting delta CRL does not work
[ECA-1602] - A Root CA can not renew certificate of an External CA
[ECA-1603] - Approval Notifications gives nullpointerexception
[ECA-1608] - Approval notification does not include requestAdmin

3.9.5, 2010-03-05
---
Improvement
[ECA-1523] - Display and accessibility of CA status table on home page
[ECA-1538] - OCSP service closes ServletInputStream unnecessarily
[ECA-1539] - When downloading a CVC certificate or request the name of the
downloaded file should contain the CAR and the CHR (certificates only)
[ECA-1543] - Remove hardcoded paths in CertReqServlet.java for OpenVPN
installer creation
[ECA-1547] - Add processtime variable to OCSP transaction logging
[ECA-1574] - Possibility to prompt for password in install and ca init cli
[ECA-1577] - Possibility to initialize authorization module when importing CA
certificate of external CA

Bug
[ECA-1479] - relative path to the catoken.properties file in
conf/ejbca.properties not working
[ECA-1533] - EracomCAToken (old deprecated) uses sSlotLabel before it has been
set
[ECA-1534] - generation of new HSM keys does not update keyStrings in
BaseCAToken
[ECA-1540] - When generating new keys using a hard token the new key label is
generated incorrectly, if the old sequence contained non numeric characters
[ECA-1544] - Compile error in jsp in some cases
[ECA-1545] - External OCSP signing is failing at the period of re-keying.
[ECA-1546] - The key sequence is incremented decimal when renewing a key, but
it could be incremented alphanumeric
[ECA-1548] - OCSP responder performance drop in 3.9.4
[ECA-1549] - mTransactionID in OCSPServletBase may not be thread safe
[ECA-1552] - Iaik provider not working
[ECA-1554] - PKCS11HSMKeyTool fails test command using IAIK provider in some
cases
[ECA-1555] - Can not use . (dot) in username when editing end entity profiles
[ECA-1558] - Can not view log when using cvc sequences in alphanumeric form
[ECA-1560] - No default value for ca.name
[ECA-1562] - ejbca-mail-service is overridden by default mailservice in JBoss 5
[ECA-1572] - clientToolBox not configuring logging on windows
[ECA-1573] - Characters in German languagefile cause JavaScript errors in
adminweb

3.9.4, 2010-01-07
---
Improvement
[ECA-1518] - Language files encoded in UTF-8

Task
[ECA-1521] - Document how to use Brainpool curves for EAC

Bug
[ECA-1441] - Old CA cert published to LDAP after CA renewal.
[ECA-1443] - Bogus CRL published to LDAP on some occasions.
[ECA-1471] - Don't publish certificates for inactive CA services
[ECA-1514] - CMP requests with DN characters requiring escaping fails
[ECA-1519] - Not possible to renew soft CA ECC CA keys
[ECA-1524] - Unable to renew expired CAs (regression)
[ECA-1525] - SafeNetLunaCAToken (old class) does not work
[ECA-1526] - SecConst.CERT_EXPIRED, should not be used, Import cert cli uses
EXPIRED instead of ARCHIVED.
[ECA-1527] - OCSP responder returns good for expired and archived certificates

3.9.3, 2009-12-21
---
New Feature
[ECA-1389] - Make it possible to add several notifications for expiring
certificates.
[ECA-1439] - End date for certificate profile and CA.
[ECA-1480] - Possible to generate EC certificate requests with explicit
parameters
[ECA-1492] - Add configuration of allowed signing algorithms to certificate
profiles

Task
[ECA-1312] - Test browser enrollment with Windows 7
[ECA-1483] - Update database schema at ejbca.org

Improvement
[ECA-1386] - Generate new keys on HSM in Admin GUI does not support ECC
[ECA-1400] - New navigation menu GUI
[ECA-1401] - GUI improvement with IE fixes CSS
[ECA-1417] - name CV certificates .cvcert instead of .crt when downloading from
public web
[ECA-1440] - Configurable error output on admin gui error page.
[ECA-1449] - Rename "Download to Internet Explorer" to "Download binary/to IE"
[ECA-1451] - Display EC public key in view certificate pop-up
[ECA-1453] - WS command to get length of queue for an issuer.
[ECA-1455] - Possibility to change DN of superadmin user created by 'ant
install'
[ECA-1456] - clientToolBox createCertReq should handle ECC keys as well
[ECA-1493] - Possibility to use part of user data in LDAP DN but not in
certificate DN when publishing certificate to LDAP

Bug
[ECA-1429] - Renewing keys on a CA in admin GUI forces reload of all CAs
[ECA-1436] - Export CA keystore, download issues with IE
[ECA-1442] - Mail Expiration Checker cannot send mail for user SYSTEMCERT
[ECA-1444] - CertificateExpirationWorker does not work with CV certificates
[ECA-1445] - Java 5's XMLEncoder breaks when using Collections.EMPTY_LIST
[ECA-1447] - InvalidKeyException for HSM during deploy or startup under load
[ECA-1448] - When issuing certificates, sometimes it is not checked if CA is
off-line, only CA token
[ECA-1450] - NullpointerException making CA offline if CAToken can not be
created
[ECA-1454] - p11slot keeps adding numerous tokens
[ECA-1457] - ECC brainpool curves do not work due to Sun certificate provider
[ECA-1458] - Can not import exported ECC CVCA
[ECA-1460] - Approval and finishuser settings missing from CVC CA configuration
[ECA-1461] - Exception on import CA keystore
[ECA-1463] - ca info cli command does not work for cvc CAs
[ECA-1464] - Having a trailing '\' at the end of a field (e.g. username) gives
a StringIndexOutOfBoundsException on search
[ECA-1471] - Don't publish certificates for inactive services
[ECA-1473] - CAFingerprint in database not set correctly for SubCAs
[ECA-1475] - OutOfMemory when failing to publish large CRLs with connection
closed error
[ECA-1481] - Not possible to get PUK from issued card of the type "turkish
profile" with WS
[ECA-1485] - Remove StdErr logging when editing approvals in certificate
profiles
[ECA-1496] - End Entity Profile check fails for CMP requests with E in subject
DN
[ECA-1502] - Remove ocsp from bin/ejbca.sh
[ECA-1504] - clientToolBox.bat does not work with space in path
[ECA-1509] - cert-cvc: ECPoint can be wrongly encoded in 1 out of 2^16 keys
[ECA-1517] - Notification status interferes with "Search/edit end entities"

3.9.2, 2009-10-21
---
New Feature
[ECA-1377] - Sign and verify of files with clientToolBox when the private key
is stored on a HSM.
[ECA-1390] - Possible to limit signing keys for an external OCSP responder to
keys within a set of key aliases.
[ECA-1412] - Add support for the TSL signer extended key usage

Improvement
[ECA-1360] - use improved validity period parsing in Certificate Profiles
[ECA-1364] - Deleting certificate profiles in large database slow, new index
[ECA-1366] - Improve debug logging in ProtectedLog
[ECA-1369] - Add command to cli to sign specified nodeGUID
[ECA-1384] - Property in mail.properties for sending start TLS
[ECA-1385] - PKCS11HSMKeyTool test does not work with ECC keys
[ECA-1426] - Rename keystore password to authentication code in admin GUI to
make it consistent.
[ECA-1427] - remove ocsp client
[ECA-1433] - Add option to use publisher queue or not for CRLs and certificates

Task
[ECA-1359] - Upgrade commons-upload jar.
[ECA-1399] - Add debug logging of keys and signature when testing CA token keys
[ECA-1425] - Document MS application policies extension

Bug
[ECA-1361] - Wrong default value listed for "build.compiler" property in
"ejbca.properties.sample"
[ECA-1363] - CA de-activation can give NPE if CA in some conditions
[ECA-1368] - Setting nodeIP in protectedlog.properties does not work
[ECA-1371] - Revocation is very slow if a user has many certificates. Remove
side-effect of revoking user from revokeCert method.
[ECA-1373] - ejbca.sh log accept or log does not increase the counter
[ECA-1379] - ejbcaClientToolBox.bat only accepts 9 parameters
[ECA-1392] - Fix potential NPE with extendedInformation
[ECA-1393] - Handle database exceptions properly for CMP
[ECA-1394] - Error adding end entity does not log username
[ECA-1395] - Error using IAIK provider with several CAs
[ECA-1403] - cert-cvc: bad encoding of EC points in certificates in rare cases
where affineX and affineY is not same size.
[ECA-1404] - ClientToolBox PKCS11 key test gives NullPointerException if there
are symmetric keys in the slot
[ECA-1406] - Autoactivation PIN is shown in clear in debug log file
[ECA-1410] - Ldap publisher may "hang" if LDAP server hangs during operations
[ECA-1414] - FNR from UNID not working
[ECA-1415] - Strange errors when reading keys in external OCSP responder
[ECA-1416] - FNR lookup stress test
[ECA-1419] - CRL service may stop running if database is stopped for some
period
[ECA-1420] - Check of ProbeableErrorHandler for OCSP audit/transaction log
always return false
[ECA-1421] - AdminCA1 does not get a CMS certificate during installation
[ECA-1423] - cert-cvc: getting expiration date returns 00.00 hours but it means
it's valid the whole day
[ECA-1430] - Publish CRLs may fail to keep in publisher queue if publish fails
[ECA-1431] - ejbcaClientToolBox.bat does not work
[ECA-1434] - cert-cvc: OIDField.getEncoded() works only for values < 128
[ECA-1437] - Issuing Distribution Point on CRLs is default in CA configuration

3.9.1, 2009-08-16
---
New Feature
[ECA-1275] - Corporate User Requests User Cert
[ECA-1276] - Non-corporate User Requests Cert
[ECA-1277] - User (corporate or non corporate user) Requests Certificate
Renewal
[ECA-1287] - Configurable List of extKeyUsage OIDs in certificate profiles
[ECA-1299] - Transaction log for web service certificate issuance
[ECA-1309] - Ability to specify approvals on certificate profiles
[ECA-1334] - Run single JUnit test from CLI
[ECA-1337] - Removal of SoftCA key and possibility to import it back again
[ECA-1344] - Fixed absolute date for latest certificate expire
[ECA-1347] - Ability to set max-age and next update values on a per certificate
profile basis.

Task
[ECA-1354] - ExtRA: update BC jars to match version in EJBCA 3.9.1

Improvement
[ECA-967] - Add CVC WS CLI to client toolbox
[ECA-1073] - Possible to schedule CRLs more often than hourly
[ECA-1180] - Be able to specify Any CA in end entity profiles
[ECA-1270] - create support for clover coverage testing
[ECA-1298] - Dynamic update of max-age and nextUpdate for OCSP responders
[ECA-1302] - Optimize republishing performance to use less queries during
publish
[ECA-1307] - do not create new P11 provider when reloading
[ECA-1308] - Display the key instead of "not text available" for missing
language strings
[ECA-1310] - View end entity profile id in edit window
[ECA-1315] - Allow null debug object to disable debugging in RequestHelper
[ECA-1320] - Options which CA to generate CRLs for in CRL update service
[ECA-1324] - Bad error message in adduser cli when type is not a number
[ECA-1331] - Improve error message in GUI when HSM activation fails
[ECA-1335] - Support for CRL distribution points with URI:s containing
semicolon
[ECA-1338] - Remove passwords from properties files
[ECA-1341] - Change publishing message to say that it is "queued" instead of
"published"
[ECA-1342] - Improved error message when trying to create CA with incompatible
key/signing algorithm
[ECA-1343] - CA certificate validity in years
[ECA-1345] - More user-friendly error messages instead of only stacktrace for
instance when DB connection is down

Bug
[ECA-1295] - Error making advanced log search for CA on DB2
[ECA-1300] - Nullpointer exception editing end entity profiles when printer has
no name
[ECA-1303] - Runtime exception when uploading a certificate response and no
certificate chain exists
[ECA-1304] - ca listexpired cli command prints certificate serial number in
decimal instead of hex
[ECA-1305] - Searching for end entities by certificate serial no does not find
all if DN changed
[ECA-1306] - external OCSP responder health check not checking keys.
[ECA-1313] - Error creating CRL publisher on DB2
[ECA-1314] - Key could be used at same time as the rekeying is generating new
cert.
[ECA-1322] - Mixing EJBs and PreparedStatement gives NullpointerException in
Glassfish
[ECA-1323] - Import of entity profiles removes certificate profile links from
the profile
[ECA-1325] - Log Configuration : message keys missing
[ECA-1340] - ejbca.cmd requires additional libraries in classpath
[ECA-1355] - Revoke user does not work if a certificate is already revoked
[ECA-1356] - JPA entity CertificateData does not set certificateProfileId when
adding new certificate
[ECA-1357] - create CA with initial deltaCRL does not work on glassfish
[ECA-1358] - getCertSignatureAlgorithmAsString does not work for
SHA256WithECDSA on java 5

3.9.0, 2009-06-05
---
New Feature
[ECA-648] - Add a configurable revocation status to end entity profiles
[ECA-877] - Patch level showing
[ECA-987] - Add cli command for processing certificate requests in ejbca.sh
[ECA-1054] - User Certificate Validity Start/End Time as a editUser Web Service
parameter
[ECA-1076] - CMP stress test
[ECA-1093] - Support for static custom enroll forms
[ECA-1100] - CAs using DSA algorithm
[ECA-1172] - Validity override in certificate profiles should be able to
override startdate to set earlier start than "now"
[ECA-1188] - Permit to install on JBOSS with Tomcat Native Connector
[ECA-1202] - Implement extension override for PKCS#10 requests
[ECA-1203] - Allow DN override from requests
[ECA-1207] - Option in OCSP publisher to only use queue and not publish
directly
[ECA-1213] - Display length of publisher queue in external OCSP GUI
[ECA-1218] - Stand-alone monitoring tool for comparing CA and OCSP databases
[ECA-1219] - Add CA status overview portal on first page of admin GUI
[ECA-1220] - Show certificate profile id in admin GUI
[ECA-1222] - Show CA id in Admin GUI
[ECA-1242] - Configurable to show CA status on front page
[ECA-1263] - Add new WS stress-test to test behaviour when there are many
certificates per user

Improvement
[ECA-550] - Bad error message when receiving PEM files from external CA
[ECA-603] - Add a property to specify the module to use when using nCipher HSM
[ECA-857] - Improve error message "Error occured when receiving file, are you
sure it is valid and in PEM encoding."
[ECA-878] - Start up welcome page(s) admin and normal one
[ECA-965] - Hide CRL-related fields when creating a CVC CA
[ECA-988] - Document database privileges
[ECA-1003] - EJBCA CLI requires APPSRV_HOME
[ECA-1008] - A CA could be activated with any password (PIN) after it has been
deactivated
[ECA-1011] - Output time of successful ant commands often used in development
[ECA-1041] - Errormessage "User xxxx has status '40', NEW, FAILED or INPROCESS
required" could be improved
[ECA-1067] - JavaScript "Enabled" test
[ECA-1074] - Add Name DN attribute to supported attributes
[ECA-1094] - CN for httpsserver.dn property can be inherited from
httpsserver.hostname
[ECA-1101] - ExtRA: Make RA CA service as an EJBCA service and make clusterable
and support multiple RAs
[ECA-1129] - use same functionality in the OCSP responder as in the CA to handle
P11 HSMs
[ECA-1131] - Filter what is published to CertificateData on standalone OCSP
[ECA-1139] - Use Commons Configuration for OCSP config
[ECA-1163] - Save/cancel certificate profiles should bring you back to profiles
list
[ECA-1165] - required and modifiable checkboxes for username in entity profiles
not needed
[ECA-1166] - Rename mozilla/netscape to firefox
[ECA-1167] - activatecas cli command should be able to prompt for activation
code
[ECA-1168] - Don't display the password user types in import CA command.
[ECA-1170] - Display signature algorithm with providers text in view
certificate
[ECA-1175] - Improve default DB2 CMP mapping
[ECA-1176] - Add cvcwscli.cmd for windows
[ECA-1178] - Add issuerDN to edit CA page
[ECA-1179] - Possible to specify multiple parameters in
cmp.ra.namegenerationparameters
[ECA-1180] - Be able to specify Any CA in end entity profiles
[ECA-1196] - Change ERROR to INFO message for mail notifications
[ECA-1198] - Implement robust re-publishing if publishing fails
[ECA-1199] - Don't log error for missconfigured service that is not active
[ECA-1200] - GUI for the External OCSP Publisher
[ECA-1208] - Log4jLogDevice logs INFO exceptions as ERROR
[ECA-1209] - Upgrade certificateProfileId to new server profile during 'ant
upgrade' to avoid problems on SSL certificate renewal.
[ECA-1215] - Don't set start and end time for end entity if not entered
[ECA-1221] - Ugly error message in LDAP publisher if no certificate to remove
exists
[ECA-1231] - Optimize performance of getCertificateInfo
[ECA-1233] - Prevent accidental runs of JUnit tests and deploy/ocsp-deploy in
production environment
[ECA-1235] - No point in swapping identical times
[ECA-1240] - Remove error log for cases where CVC sequence is not numerical, we
handle it gracefully.
[ECA-1249] - ClientToolBox PKCS11 operations echoes the password back to the
user
[ECA-1255] - AdminGroupData etc should be marked as read-only for get methods
[ECA-1256] - Optimize authorization to lower number of SQL queries for
AuthorizationTreeUpdateData
[ECA-1259] - Rename List button to Search
[ECA-1260] - Rename "Create Server Certificate" to "Create Certificate from
CSR"
[ECA-1261] - improve behaviour of External CAs
[ECA-1265] - Error messages that we handle when editing users should be info
[ECA-1267] - Inherit getCATokenStatus() from BaseCAToken on SafeNetLunaCAToken
[ECA-1269] - Improve performance by caching common database queries
[ECA-1271] - ca init cli commands should be able to create sub CAs
[ECA-1290] - Don't log error creating CRLs when a CA is offline
[ECA-1291] - CRL service should not try to create CRLs for external CAs

Task
[ECA-1116] - Avoid usage of class strings
[ECA-1173] - Drop upgrade support for EJBCA 3.1.x
[ECA-1195] - Upgrade to BC 1.43
[ECA-1205] - Create new tag-field for CertificateData to be able to distinguish
between different certificate types in database queries
[ECA-1214] - Ask for algorithm before key size in installation script
[ECA-1247] - Add KCA-EJBCA migration guide to docs
[ECA-1297] - Warnings about incorrect JSF navigation rules during startup

Bug
[ECA-632] - Path length constraints not selectable in cert profile
[ECA-922] - DBCHANGE: Particular Log query with ProtectedLog fails on Derby
[ECA-1077] - Not possible to get algorithm name from OID for CMP with latest BC
[ECA-1085] - Email notifications may not treat foreign characters correct
[ECA-1109] - Rare threading issues in OCSP certificate cache
[ECA-1110] - XKMS only works with JDK 1.5
[ECA-1122] - Cancel button on Edit Certificate Profiles page doesn't work.
[ECA-1135] - Do not issue CRLs for expired CAs
[ECA-1137] - Serialnumbers starting with 0 do not behave properly
[ECA-1138] - nCipherHSM script with preload is broken
[ECA-1142] - First delta CRL is not issued when a CA is created
[ECA-1147] - NullpointerException in ProtectedLog
[ECA-1156] - OCSP ClientToolBox test failing when CA key is signing the OCSP
response.
[ECA-1157] - NullPointerException when invoking createcrl CLI with bad CA name
[ECA-1160] - When a fast HSM is used then OCSP responder is not as fast as it
should be.
[ECA-1162] - external OCSP responder freezing after HSM failure.
[ECA-1164] - Hex serial number for admin certificates in admin groups should
not be limited to only 16 char hex strings
[ECA-1169] - Error verifying JCE using pkcs12req WS cli
[ECA-1171] - Possible to change OCSP signing keys in a running external OCSP
responder.
[ECA-1174] - Can not batch generate users using SHA256WithRSAAndMGF1
[ECA-1186] - Batch generation set user status to generated even if request
counter exists
[ECA-1187] - no such provider BC when EJBCA starts when protected log is
enabled
[ECA-1191] - Unable to deploy on PostgreSQL + Glassfish combination
[ECA-1193] - cli.xml ejbca:noprompt missing ca.signaturealgorithm property
[ECA-1194] - "ejbca.sh ca info" fails for ECDSA CA
[ECA-1201] - Incorrect display of HTML escaped characters on Access Rules
comboboxes
[ECA-1216] - Add userPassword in LDAP should only happen if addNonExisting or
modifyExisting is checked
[ECA-1217] - Possible extensive CPU usage for crafted messages to CMP RA
service (not default config)
[ECA-1223] - NullpointerException in CMP when unknown keyId is sent
[ECA-1224] - CertTools.getCertfromByteArray never throws CertificateException
as the JavaDoc says but can return null
[ECA-1225] - Freshest CRL extension (aka Delta CRL Distribution Point) on a CRL
must not be critical
[ECA-1227] - AccessRules link for admin privileges does not work on weblogic or
oracle
[ECA-1229] - Internalresources may fail in rare conditions
[ECA-1234] - Error message is shown when editing end entity profiles when no
printers are defined
[ECA-1245] - CRL reason entry extensions in CMP revocation requests are not
read
[ECA-1246] - Deadlock when load testing CMP with same user
[ECA-1248] - Cannot unselect last Custom Certificate Extension in Certificate
Profile
[ECA-1254] - ProtectedLog reloading CA token unnecessarily
[ECA-1257] - Importing wrong certificate using PKCS11 will make the key
unavailable on nCipher netHSM
[ECA-1258] - cursor:hand style on links should be cursor:pointer
[ECA-1266] - Upgrade may cause "use authority information access" to be enabled
though it was not before in certificate profile
[ECA-1268] - Missing Exception handling for super.deactivate() calls on
SafeNetLunaCAToken
[ECA-1272] - Authorization issue during stress test
[ECA-1273] - Services will stop running if database goes down
[ECA-1293] - ProtectedLog on idling system warns about missing log rows if
protectionIntensity > 0
[ECA-1294] - Issuing certificate with + sign does not work in cmp requests
[ECA-1295] - Error making advanced log search for CA on DB2
[ECA-1296] - Fetching cert or keystore from Public Web generates an error when
cert-profile is the default in UserData

3.8.3, 2009-06-04
---
Improvement
[ECA-1221] - Ugly error message in LDAP publisher if no certificate to remove
exists

Bug
[ECA-1191] - Unable to deploy on PostgreSQL + Glassfish combination
[ECA-1217] - Possible extensive CPU usage for crafted messages to CMP RA
service (not default config)

3.8.2, 2009-03-27
---
New Feature
[ECA-552] - Add support for nextUpdate, thisUpdate and producedAt in OCSP
responses
[ECA-1124] - Configurable to use HTTP headers for standalone OCSP
[ECA-1053] - Pseudonym as a subject DN attribute
[ECA-1133] - Configurable in ExternalOCSPPublisher to only publish certificates
with an OCSP URI extension.

Improvement
[ECA-1123] - Create dummy object for TransactionLogger and AuditLogger
[ECA-1088] - Default public exponent for lunaHSM.sh should be 65537 (0x1001)
[ECA-1055] - Support OCSP by HTTP GET
[ECA-1117] - Use info instead of error messages in Standalone OCSP Responder.
[ECA-1144] - Add "userPassword" attribute in LDAP publisher
[ECA-1114] - Add street DN component
[ECA-1096] - Improve handling of invalid requests and streams in OCSP responder
[ECA-1146] - Stress Test does not print out no of failed tests
[ECA-748] - Order certificates in view certificates with newest first
[ECA-1121] - Unnecessary signing operations

Bug
[ECA-1158] - CA-certificate, but no signing key from a CA on the external OCSP
generates an Exception
[ECA-1141] - CRL Distribution Point in CRLs must be encapsulated into an
Issuing Distribution Point
[ECA-1092] - Code not thread-safe in certificate-request Servlet
[ECA-1154] - Concurrency issue when reloading soft keys for external OCSP
responder
[ECA-1113] - JCE error on JBoss 5 on some platforms
[ECA-1148] - ServiceData cached in bean making synchronization between cluster
nodes fail.
[ECA-1090] - Wrong encoding of issuer DN on retrieval public web pages
[ECA-1150] - Wrong language tag for "Certificate Validity End Time" in
viewendentity.jsp
[ECA-1095] - Allow comma in directoryName subject alt names
[ECA-1145] - CvcRequestMessage not serializable
[ECA-1143] - Freshest CRL is lost when creating a new CA

3.8.1, 2009-01-29
---
Improvement
[ECA-966] - NPE when using a non-existing ECC algorithm during CVC CA creation
[ECA-983] - Allow logging of REPLY_TIME in both audit and transaction logs
[ECA-1006] - Database index script fails for MySQL using UTF-8
[ECA-1057] - Run EJBCA in JBoss 5.0
[ECA-1059] - Fix ipv6 altname ipaddress and allow it in admin-GUI
[ECA-1060] - Throw CertificateExpiredException when certificate used to verify
cvc request has expired
[ECA-1070] - Windows .BAT file for using clientToolBox
[ECA-1080] - Option to set internally used password in CMP
[ECA-1081] - Improve support for Weblogic 10.3
[ECA-1086] - Allow to set null password in WS cli editUser call
[ECA-1087] - Increase timeout for CRL generation transaction on JBoss and
document how it could be done

Bug
[ECA-984] - ejbca.cmd does not work with spaces in JBoss path
[ECA-1039] - CVC certificate requests with error leaves user status as new
[ECA-1040] - cvcgetchain does not return latest cert
[ECA-1056] - REQUIREDCARDNUMBER language string missing
[ECA-1061] - Wrong header displayed for different groups of access rules
[ECA-1062] - Verifying OCSP requests can throw InvalidKeyException which is not
caught
[ECA-1063] - Not working on Glassfish
[ECA-1068] - CMP tcp service does not work on JBoss 5
[ECA-1069] - Wrong errormessage in checkValidity when endDate is wrong
[ECA-1071] - OCSP responder does not handle TelephoneNumber, PostalAddress and
PostalCode in DN
[ECA-1079] - KeyId decoding in CMP uses platform charset
[ECA-1084] - External RA: SCEP enrollment from Cisco IOS gets wrong DN

3.8.0, 2008-12-15
---
New Feature
[ECA-904] - Add a CLI subcommand to add an administrator in an admin group
using the serial number
[ECA-935] - Restructure administrator validation to allow admins using
externally issued certificates
[ECA-953] - List objects in Luna HSM partition
[ECA-969] - Possible to generate CA PKCS#10 request without giving CA
certificate
[ECA-993] - Add KRB5PrincipalName subjectAltName
[ECA-1000] - Sign releases and deployed code
[ECA-1007] - Enhanced basic certificate extensions
[ECA-1033] - Possible to enroll for CV certificates on public web
[ECA-1051] - Possibility give a user defined DN to a new certificate request
for an HSM

Improvement
[ECA-917] - Allow to use inverse LDAP order in DN for end entities
[ECA-918] - Handle web service error code when CA is down
[ECA-936] - Drop administrator flag in end entities
[ECA-937] - Allow use of emailAddress in Admin interface
[ECA-963] - Ability to distinguish between non-existing CA and authorization
problems through WS
[ECA-990] - Allow auto-activation of CAs despite not having strong crypto
policy installed
[ECA-1001] - tool to change key alias
[ECA-1012] - Option to enter email manually for import cert cli command
[ECA-1014] - Display ejbca version in startup log message
[ECA-1016] - Make error messages from CertReqServlet localizeable
[ECA-1034] - Use TRACE logging for certain debug log
[ECA-1038] - Use Commons Configuration for CMP service
[ECA-1043] - Upload of binary certificate requests in public web enrol
[ECA-1045] - Add support for SEIS Card Number extension in certificates
[ECA-1049] - CMP raVerified can sometimes be zero bytes DEROctetString instead
of DERNull

Task
[ECA-971] - ExtRA: upgrade to commons-lang 2.4 and commons-collections 3.2
[ECA-1013] - Upgrade BC to 1.41

Bug
[ECA-664] - Adding Administrator Access rule; username with not-allowed
character is possible
[ECA-782] - Listing user certificates from the public web fails if the serial
number of the cert begins with "0"
[ECA-882] - Add Administrator - cert serial number not checked
[ECA-968] - Key length changes when editing CA in admin-GUI
[ECA-970] - LdapPublisher searches for old objects on certDN instead of Ldap DN
[ECA-972] - Merge on DN - Problems with rfc822name and email
[ECA-992] - Cannot add "OtherName" SubjectAltName in end entity profile
[ECA-996] - Merge of DN doesn't work properly
[ECA-1046] - view certificate on Public web gives error for CVC certificates
[ECA-1048] - Can not install with initial CA with space in name

3.7.5, 2009-01-19
---
New Feature
[ECA-1035] - Add Brazilian Portuguese Translation

Improvement
[ECA-983] - Allow logging of REPLY_TIME in both audit and transaction logs
[ECA-1031] - Get server certificate in public web should not show password
[ECA-1032] - Add cli command to convert cvc certificates between binary and pem
[ECA-1036] - Hide keytool-errors during install.
[ECA-1060] - Throw CertificateExpiredException when certificate used to verify
cvc request has expired

Bug
[ECA-244] - Problem during installation with schema: DC=bigcorp,DC=com
[ECA-1037] - CLI for fetching user certificate fails
[ECA-1039] - CVC certificate requests with error leaves user status as new
[ECA-1040] - cvcgetchain does not return latest cert
[ECA-1042] - LdapPublisher does not work with CVC certificates
[ECA-1044] - Nullpointer in BasicFunctions when admin not authorized to CA
[ECA-1046] - view certificate on Public web gives error for CVC certificates
[ECA-1065] - Password needed to update CVC certificate with WS-API
[ECA-1069] - Wrong errormessage in checkValidity when endDate is wrong

3.7.4, 2008-11-18
---
New Feature
[ECA-1024] - Substitute email from- and to- as well in user notifications

Improvement
[ECA-1021] - Fix the default ENDUSER Certificate Profile
[ECA-1026] - Create a built-in Server certificate profile

Bug
[ECA-1023] - External RA SCEP service fails on cisco message with wrongly
encoded request extension
[ECA-1025] - Missing ErrorCode class in ejbca-util.jar
[ECA-1027] - OCSP should not respond with responseBytes when an error code is
sent
[ECA-1029] - OCSP responder should answer with OCSP error MalformedRequest when
a badly encoded request is received

3.7.3, 2008-11-07
---
New Feature
[ECA-1022] - Glassfish support for PostgreSQL

Improvement
[ECA-1020] - External RA, clarify documentation about signing and encrypting
using Scep RA
[ECA-1021] - Fix the default ENDUSER Certificate Profile (broken patch, EJBCA
3.7.3 withdrawn)

Bug
[ECA-1017] - Build on Glassfish broken
[ECA-1018] - Missing language string in intresources

3.7.2, 2008-10-31
---
New Feature
[ECA-974] - Add Intel AMT extended key usage
[ECA-1005] - Give OCSP error if audit or transaction logging fails

Improvement
[ECA-950] - Optimize OCSP servlet
[ECA-973] - external OCSP responder: trying to reload the p11 provider when the
HSM removed/disconnected.
[ECA-976] - WS-API, make matchtype contains work with matchwith username
[ECA-982] - Explicitly close maintenance file in health check
[ECA-989] - add cmd=deltacrl command on CertDistServlet (with patch)

Bug
[ECA-957] - ocspclient.jar cannot handle answers with responderID of type Name.
[ECA-959] - Public web can give NPE in rare conditions
[ECA-960] - reference to "bin/ejbca.sh ca processreq" in manual
[ECA-968] - Key length changes when editing CA in admin-GUI
[ECA-970] - LdapPublisher searches for old objects on certDN instead of Ldap DN
[ECA-975] - CA certificates with SerialNumber in DN does not work with External
OCSP
[ECA-977] - Error editing RenewCAWorker if CA has been removed
[ECA-978] - NullPointerException using WS-API to revoke non-existing
certificate
[ECA-979] - The transactionlogger and auditlogger set incorrect CERT_STATUS and
STATUS
[ECA-985] - Wrong default value for OCSP healthcheck database query
[ECA-986] - Can't run ejbca.sh from $EJBCA_HOME/bin
[ECA-995] - getAuthorityInformationAccessOcspUrl in CertTools fails to retrieve
OCSP Locator url from AIA for cert with multiple AIA points
[ECA-997] - Error publishing deltaCRL to LDAP
[ECA-999] - CRLIssuer can not be removed in CDP
[ECA-1009] - Validity of certificates in signed OCSP requests not checked for
expiration

3.7.1, 2008-09-16
---
New Feature
[ECA-896] - CVC support for EC keys
[ECA-925] - Import of external CA certificates
[ECA-940] - possibility to use an EC key stored on a HSM

Improvement
[ECA-748] - Order certificates in view certificates with newest first
[ECA-927] - CVC requests should not include CARef if null
[ECA-928] - cvcprint cli command should handle verification of authenticated
requests
[ECA-934] - Possible to authenticate CVC request by outer CA signature
[ECA-941] - Possible to download CA certrequests and certs as binary
[ECA-942] - possible to receive certificate requests and certs in binary format
[ECA-946] - Not possible to create CVC link certificates with soft CA tokens
[ECA-947] - Making certificate request from a CA should ask for CA cert of
target CA
[ECA-948] - cvcrequest cli command should not automatically add end entities
[ECA-951] - Possible to set sequence of catoken manually

Bug
[ECA-926] - CVC requests can be assigned to wrong CA when sequence is same
[ECA-930] - cert-cvc: authenticated requests does not include CARef in TBS
[ECA-931] - getrootcert cli command does not work for CVC certificates
[ECA-932] - CVC requests from SubCAs does not have the target CA as CARef
[ECA-939] - Upgrade 3.6 to 3.7 causes error when autogenerated passwords are used
[ECA-943] - NullPointer when clicking Sign Certificate Request
[ECA-944] - Import soft CVCA does not set sequence
[ECA-945] - Not possible to delete admin entities with ' in name
[ECA-949] - Make certificate request button should not be available for
external CAs
[ECA-956] - NullPointerException in LdapPublisher when base node does not exist

3.7.0, 2008-08-28
---
New Feature
[ECA-792] - Support for CV Certificates (CVC) for EU EAC ePassports
[ECA-811] - Possible to create certificate request from any CA
[ECA-825] - WS-API call to get users last cert and chain
[ECA-827] - Service to renew CAs
[ECA-830] - Possible to use IAIK PKCS#11 provider instead of Sun
[ECA-920] - Client tool box.

Improvement
[ECA-819] - New WS-API call to get EJBCA version
[ECA-871] - Enhance error management in EJBCA web services.
[ECA-893] - Able to use TelephoneNumber and PostalAddress in DN and publish to
LDAP attributes
[ECA-915] - Display hostname on admin-GUI
[ECA-923] - Use of EEP informations when using WS editUser.
[ECA-929] - Handle error code if certificate revocation has been invoked twice.

Bug
[ECA-813] - Upgraded profiles not saved until edited
[ECA-829] - Advanced mode for log viewer is not working
[ECA-832] - syscheck script sc_08_crl_from_web.sh shell problem
[ECA-839] - Problem activating CA tokens for expired CAs
[ECA-879] - Failure to create a new CA due to CRL creation failure
[ECA-921] - EjbcaHealthCheck does not work on OC4J
[ECA-924] - Language variable misspelled (name="UTF8")

3.6.4, 2009-02-13
---
Bug
[ECA-921] - EjbcaHealthCheck does not work on OC4J

3.6.3, 2008-10-06
---
Bug
[ECA-952] - Entity Profile : the text "Use entity e-mail field" is not
localizable
[ECA-954] - TestProtectedLog fails if ProtectedLogDevice is not enabled in
configuration
[ECA-955] - PKCS11 support problem on OCSP responder
[ECA-957] - ocspclient.jar cannot handle answers with responderID of type Name.
[ECA-968] - Key length changes when editing CA in admin-GUI
[ECA-970] - LdapPublisher searches for old objects on certDN instead of Ldap DN

3.6.2, 2008-08-20
---
New Feature
[ECA-348] - Option to generate non-exportable private keys in IE
[ECA-739] - Accounting log on OCSP responder
[ECA-740] - When requiring signed OCSP request, configure allowed issuers
[ECA-865] - Add tool for importing certificates from a MS CA
[ECA-876] - Generated documentation should be reachable from within the EJBCA
Web GUI
[ECA-908] - Support MS document signing extended key usage
[ECA-914] - Configure if OCSP responses should use KeyId or Name as ResponderId

Improvement
[ECA-390] - Make it possible to select password generation parameters for
autogenerated user password
[ECA-547] - Send custom certificate publisher information found in certificate
or CRL.
[ECA-640] - Popup window with valid ${Foo} variables near any field in which
they can be used
[ECA-657] - Import and export of end entity profiles should not have to depend
on existing CAs.
[ECA-696] - Import profiles improvement.
[ECA-760] - Relocate 'p12' to 'ejbca-custom' if/when present (by default)
[ECA-765] - Log whenever an attempt to activate a CA with the wrong activation
code is made
[ECA-789] - Display issuer in listcas cli command
[ECA-790] - ejbcarawscli should print error message if it can not find the
admin keystore
[ECA-795] - Notifications are not editable, but looks editable.
[ECA-810] - Make advanced search for ProtectedLog available
[ECA-822] - Default healthcheck db query causes table scan
[ECA-826] - EjbcaWsHelper makes double allocations when looking up remote beans
[ECA-833] - Simple LDAPPublisher failover
[ECA-854] - Remove confusing error message about not finding ejbca-custom
directory when running ant
[ECA-859] - Delta CRL generation message
[ECA-870] - Accept PEM certificates with BEGIN TRUSTED CERTIFICATE
[ECA-872] - Improve public page for CA certificate retrieval
[ECA-874] - General JUnit test improvements
[ECA-880] - Better defaults and help for Freshest CRL Extension / DeltaCRLs
[ECA-881] - Be able to drop the 0, O, l and 1 from the auto generated passwords
[ECA-884] - Add approvalDN variables to add/edit end entity notifications
[ECA-885] - Add email variables where possible for use in notifications
[ECA-887] - Document how validity is assigned for a CA
[ECA-913] - Configure if OCSP responses should include whole cert chain or only
signer

Task
[ECA-702] - JDK 1.6 u4 causes EjbcaWS to stop working
[ECA-796] - Add documentation on how to use EJBCA with GemSAFE Toolbox
[ECA-805] - Update German translation

Bug
[ECA-496] - When using a fixed Certificate Profile as template, the FIXED
property is inherited.
[ECA-682] - WS Cli error message is not good when it cannot find the .jks file
[ECA-770] - Protected Log Device always sends 'missing row' email alerts when
it shouldn't with MySQL using InnoDB
[ECA-783] - During the last step of IE enroll, the URL-path is missing the
"ejbca"-part.
[ECA-788] - Bull TrustWay support
[ECA-793] - Using of module protected keys with netHSM-500 failed
[ECA-797] - Cannot activate a CA with a Safenet Luna SA Token.
[ECA-798] - A card key or a soft key must be defined in order to run the P11
external OCSP responder.
[ECA-802] - Exception when approving KeyRecovery
[ECA-803] - PKCS10 requests from OCSP responder uses null attributes
[ECA-806] - Equal error code constants in OCSPUnidResponse
[ECA-809] - ocsp cli client can not sign requests
[ECA-812] - EJBCA 3.6 does not deploy on Glassfish
[ECA-815] - NullpointerException downloading CA certificated without CN
[ECA-817] - Possible NullpointerException when no extended information exists
for user
[ECA-820] - Signing CMP responses does not work with most PKCS#11 HSMs
[ECA-823] - Deadlock in ProtectedLogData with stresstest
[ECA-824] - CA activation page does not display correct for Expired CAs
[ECA-831] - High load on ProtectedLog might generate false alarm on MySQL
[ECA-836] - Email notifications are not able to handle autogenerated passwords.
[ECA-837] - PKCS10 with no attributes causes NullPointer exception
[ECA-841] - ExtRA PKCS12 request does not work with approvals
[ECA-843] - Some words not localizable in CA Activation
[ECA-850] - CN name like 'Graham O'Regan' cannot be entered case sensitive in
the 'Add Administrator'
[ECA-851] - No messages are created during CA Activation
[ECA-861] - Misdirected error output from "ra listusers" CLI to standard output
[ECA-866] - Import of externally chained PEM fails
[ECA-875] - Trying to reset Subject AltName or Email for a end entity fails
[ECA-888] - Profiles allow you to enter things like 'Peter & Partners' in the O
and OU field - but a 'Add Entity' will fail
[ECA-889] - NPE when running TestEjbcaWS
[ECA-895] - Batch generation doesn't work on initial user creation (WebUI /
profiles)
[ECA-898] - Incorrect initialization of NumberArray in EndEntityProfile causes
annoying log output
[ECA-901] - email modified in LDAP even if attributes should not be modified
[ECA-902] - LdapSearchPublisher can not modify attributes
[ECA-903] - LdapSearchPublisher uses Ldap DN instead of Cert DN to search
[ECA-905] - java.lang.NullPointerException when creating new end entity with
only end time, with end entity profile limitations enabled
[ECA-909] - OCSP responder not working on Weblogic
[ECA-911] - OCSP not responding for CAs that have been notified about
expiration
[ECA-912] - NPE on Glassfish on error.jsp in publicweb

3.6.1, 2008-05-02
---
Improvement
[ECA-554] - nCipherHSM asks for password which is shown in plain text

Task
[ECA-771] - Update french translation

Bug
[ECA-540] - Exception if you try to issue a certificate from public web with a
CA that is offline
[ECA-779] - Cannot enroll with end entities created with CAs with approval
setting active
[ECA-780] - Index collision in profilemappings.properties.

3.6.0, 2008-04-06
---
New Feature
[ECA-257] - Support for IBM Websphere
[ECA-515] - Autoenroll certificates for Microsoft systems.
[ECA-564] - Support for DB2 database
[ECA-595] - Issuance of delta CRL
[ECA-596] - Add Freshest CRL extension
[ECA-597] - Support for multiple policy statements
[ECA-598] - Add support for id-pkix-ocsp-nocheck extension
[ECA-619] - Ability to create intermediate LDAP nodes
[ECA-624] - New EJBCA WS calls for listing CAs and profiles
[ECA-633] - Log signing with real signature keys and row chaining
[ECA-635] - Request multiple certificates for a user
[ECA-649] - Service to expire user passwords
[ECA-651] - Support for Oracle application server
[ECA-661] - KeyRecoverNewest command in Ejbca WS API
[ECA-662] - Email notifications to admin when user enrols
[ECA-665] - Plug-in mechanism for user notification recipient email
[ECA-669] - ExtRA SCEP, possible to use pre-registered users and verify their
passwords
[ECA-673] - Add support for id-ad-caIssuers (authority information access)
[ECA-679] - New EJBCA WS calls for CRL generation and CRMF requests
[ECA-684] - Allow setting and overriding any extension from a CRMF request
[ECA-697] - Support $UID as replacement variable in LdapSearchPublisher
[ECA-703] - Possible to use 32 bit serial numbers in cert, instead of 64 bit.
[ECA-721] - PKCS#11 HSM support on external OCSP responder
[ECA-723] - Option in OCSP to return good status for certificates not in
database
[ECA-727] - Extended key usages for SCVP
[ECA-737] - Allow hexencoded DERObject in custom certificate extensions.
[ECA-747] - CLI command to change certificate profile of a CA
[ECA-759] - Add ETSI retention period to QC extension

Task
[ECA-698] - Remove deprecated JBoss mbean create crl service
[ECA-706] - Create instructions for setting up an Apache web server as a proxy
in front of EJBCA.

Improvement
[ECA-477] - OCSP responder require that signed request are issued by a known CA
[ECA-478] - If a signed OCSP request is received, info-log which certificate
the request was signed by
[ECA-485] - If requiring signed OCSP requests, the responder should return
"signature required" for unsigned requests
[ECA-617] - External RA SCEP module only returns RA certificate in cert reply,
not CA certificate
[ECA-637] - Possible to use email for search in Ldap Search Publisher
[ECA-645] - Make all default values visible when creating a CA and add a
default CRL expiration interval.
[ECA-656] - Option to override KeyUsage with key usage from CMP request
[ECA-658] - CLI possible to get CRL in PEM format
[ECA-663] - Allow @ in username
[ECA-671] - Handle SCEP messages where client does not properly encode plus
sign in HTTP GET url
[ECA-672] - SCEP pending message should have an empty content
[ECA-677] - Use CRL Distribution Point On CRL
[ECA-678] - Change default CA's LDAP object class to certificationAuthority-V2
[ECA-683] - Improve internal code for certificate extensions
[ECA-685] - Easy configuration if OCSP requires signature on requests
[ECA-689] - Display a "BUILD FAILED" message during the install phase if no
superadmin.p12 is created.
[ECA-694] - EFS certificates support
[ECA-695] - Using PrimeCardHSM on install it does not have enough time to poll
readers
[ECA-700] - Improve LdapPublisher with option to not update attributes
[ECA-704] - better P11 support for nCipher
[ECA-705] - Make UTF-8 default encoding for web
[ECA-707] - Extra: make configuration of scep ra easier
[ECA-708] - Generating module protected JCA keys for nCipher should be
simpler.
[ECA-712] - Support creation of externally signed EC CAs and handling
certificate requests signed by EC key.
[ECA-716] - Confirmation when removing a CA
[ECA-720] - Publish attributes postalcode and businesscategory in LDAP
[ECA-725] - Improve translations
[ECA-726] - Remove obsoleted extended key usages for ipsec, add ipsecIKE
[ECA-731] - Increase maximum validity of SubCA profile to 25 years
[ECA-738] - Checks for max request size and no of reqs in an OCSP req
[ECA-741] - Update pt_PT translation
[ECA-752] - Make the description of a publisher readable from custom publisher
implementations
[ECA-754] - For Oracle db change LONG to CLOB

Bug
[ECA-606] - ExtRA SCEP servlet should init directly at startup
[ECA-643] - Error with weblogic and 4096 bit CA
[ECA-652] - findbyApprovalIdNonExpired searches for expired instead of rejected
[ECA-670] - ExtRA SCEP, GetCACertChain return wrong content type
[ECA-674] - LdapSearchPublisher should not change other attributes
[ECA-680] - Derby database does not work with large 4096 bit CAs
[ECA-681] - Null Pointer Exception through editUser when CANAME is invalid
[ECA-686] - Overflow causing archiving of non-expired certificates when
CRLPeriod is very large
[ECA-690] - EJBCA uses sun internal java class
[ECA-692] - Removal of CA generates database exception under DB2
[ECA-699] - Generating browser certificate failed; user still in 'new' status
[ECA-701] - Sorting of approvals in Admin GUI does not work.
[ECA-709] - Errors in upgrade scripts for MS-SQL
[ECA-710] - bin/pkcs11HSM.cmd not working
[ECA-711] - EJBCA WS Cli does not handle number of arguments correctly
[ECA-713] - the keys can not be used in EJBCA for some HSMs
[ECA-717] - SCEP does not work with Luna HSM
[ECA-724] - CertificateExpirationNotifier service not working on Weblogic-
Oracle
[ECA-728] - Lockdown of an enduser profile to fill out to just a CN only not
possible
[ECA-729] - ArrayIndexOutOfBoundsException on Approval Page
[ECA-730] - SCEP to CA signed by some External CAs fail
[ECA-734] - Not working on Sybase
[ECA-742] - ant javatruststore does not work for CA names with space
[ECA-745] - EJB REF to "ejb/RaAdminSessionLocal" has wrong case in glassfish
deployment file "ejbca_3_6_b1/src/publicweb/publicweb/WEB-INF/sun-web.xml"
[ECA-746] - Not possible to renew CA that does not use default keystore pwd or
autoactivation.
[ECA-758] - Under some conditions it's not possible to edit rfc822name altname
field for user in admin-gui
[ECA-766] - Error saving CRL Service on Weblogic 10

3.5.12, 2009-03-13
---
Improvement
[ECA-1111] - Optimize performance of findCerts WS call
[ECA-1112] - Create a new ant target similar to create-lot-of-users, but
creates fewer users with many certs per user

Bug
[ECA-1091] - Serious bug in UserDataSource Authorization

3.5.11, 2009-01-28
---
Improvement
[ECA-778] - change genTokenCertificates WS call behavior to not temporary
revoke certificates for MS logon

Bug
[ECA-1052] - Error in EJBCAWS.genTokenCertificate temporary cards aren't
revoked properly

3.5.10, 2008-11-14
---
Bug
[ECA-724] - CertificateExpirationNotifier service not working on Weblogic-
Oracle

3.5.9, 2008-10-06
---
Improvement
[ECA-891] - Avoid unnecessary database searches during HealthCheck

Bug
[ECA-886] - Upgrade fails to set internal state of CA expire time for
externally signed CAs
[ECA-906] - EjbcaHealthCheck may use same session bean object for concurrent
accesses
[ECA-968] - Key length changes when editing CA in admin-GUI

3.5.8, 2008-07-23
---
Improvement
[ECA-845] - Attempt to revoke a certificate.user that is already revoked
generates an error
[ECA-847] - Option to Health Check to perform sign test on CA token

3.5.7, 2008-06-29
---
Improvement
[ECA-808] - Errors that should not be errors but info messages

Bug
[ECA-799] - Deadlock when running stress test that is revoking certificates
[ECA-800] - Importing certificate to CA with off-line token causes status to be
wrong
[ECA-801] - CRL generation for CAs waiting for certificate response throws
exception
[ECA-807] - Error enrolling through SSL with client cert
[ECA-818] - NPE when issuing sparecard with cert without extended keyusage
through HTMF

3.5.6, 2008-05-02
---
New Feature
[ECA-768] - Create mechanism for Health Check to report nodes as Down for
maintenance
[ECA-769] - Activation Page. Create an easy access page for activating many
CA's. The current function in the admin-GUI requires a lot of clicking to activate
many CA's. Combine with one page access to configure monitoring of CA's

Improvement
[ECA-756] - CRLUpdateWorkers may run in same vm in parallel if too slow
[ECA-773] - Add distinguishable string to health check return to know which test
failed
[ECA-774] - Make CRL generation be in one transaction for each CA
[ECA-775] - Introduce a random add-on to the service interval
[ECA-778] - change genTokenCertificates WS call behavior to not temporary
revoke certificates for MS logon
[ECA-784] - Improve lunahsm shell script

Bug
[ECA-743] - GenerateToken And ViewHardTokenData approvalIds was not calculated
correctly
[ECA-744] - Wrong DN was used in non-admin generate spacecard pages.
[ECA-751] - DemoCertReqServlet gets reference to old template file
[ECA-753] - CMP only working with DEBUG log enabled
[ECA-755] - Listing log entries does not show the latest when limiting on too
many rows
[ECA-763] - Listing end entities query displays wrong values
[ECA-764] - Under some circumstances two CRLs with the same CRLNumber is stored
in the db
[ECA-772] - External OCSP publisher does not work on oracle DB
[ECA-777] - External OCSP health check not working

3.5.5, 2008-02-29
---
New Feature
[ECA-718] - Add Approval option for activation of CAToken

Improvement
[ECA-719] - Add support for the fields PostalCode and BusinessCategory, now
natively supported by BouncyCastle.

Bug
[ECA-736] - LDAPPublisher initialized the fakeCRL incorrectly

3.5.4, 2008-01-24
---
New Feature
[ECA-691] - A preference file that could specify custom attributes for keys
generated by pkcs11HSM.sh

Bug
[ECA-693] - Potential Duplicate Key exception on old logging system when log-
method is executed simultaneously.

3.5.3, 2008-01-04
---
New Feature
[ECA-676] - A stress test is needed to test EJBCA certificate signing
performance when accessed through https

Bug
[ECA-666] - NullPointerException in LogEntryDataBean
[ECA-667] - pkcs11HSM.sh does not run
[ECA-675] - Generated keys on some P11 HSMs (AEP Keyper) can not be used for
decryption.

3.5.2, 2007-11-09
---
New Feature
[ECA-530] - Debian package for EJBCA-MySQL
[ECA-599] - Add pt_PT l10n

Improvement
[ECA-529] - Pass extra parameters to JBoss through nCipherJBoss.sh/cmd
[ECA-580] - Optimize CRL generation for large CRLs (>100.000 revoked)
[ECA-618] - External RA SCEP module should include ip and dns altNames from
request
[ECA-623] - Possible to use an internal CA as external
[ECA-625] - Add the missing text label along with the message "Text not
available"
[ECA-626] - ExtRA, possible to require SCEP password
[ECA-642] - In lunaHSM.sh warn if EJBCA_HOME is not set

Bug
[ECA-541] - Null pointer exception when you enter wrong values or forget to
enter values in "Hard CA token properties".
[ECA-543] - It should be possible to run ejbca.sh from any directory in the
file system.
[ECA-590] - inconsistent labels in publisher (:)
[ECA-605] - Wrong parameter name in ca republish
[ECA-608] - Luna HSM support broken
[ECA-609] - XKMS cli not working
[ECA-612] - Can not run Glassfish off-line
[ECA-614] - Ugly error when entering non hex encoded serial number in check
status on public web
[ECA-615] - Java exception when editing an external CA
[ECA-616] - Can't fetch the certificate of external CA after signing it
[ECA-620] - PKCS10 requests to external CA can not be PrintableString encoded
[ECA-621] - Error creating a external OCSP-responder on JBoss 4.2.x
[ECA-627] - Large comments and CA Subject DNs generates SQL exceptions.
[ECA-629] - When you create a new soft CA and enter an "Authentication Code"
you get null pointer exception.
[ECA-646] - ExtRA CA service throws exception when RAIssuer is signed by
external CA

3.5.1, 2007-09-18
---
Improvement
[ECA-593] - Tool for checking translation files for missing tags
[ECA-602] - Enable use of multiple CRL Distribution points by changing GUI
length constraints

Task
[ECA-592] - Update french language file

Bug
[ECA-445] - JBoss deadlock problems
[ECA-542] - Null pointer exception when you run "$EJBCA_HOME/bin/ejbca.sh ca
republish -all"
[ECA-591] - Install does not work unless web.properties is defined
[ECA-594] - Certificate enrollment on card does not work using https only http
[ECA-600] - Removing certificates from LDAP does not work using LDAP search
publisher and username match
[ECA-601] - checkCertificateStatus for certificates that doesn't exists in
database throws a Nullpointer exception
[ECA-604] - Advanced Access Rules visual bug, End entity profiles rule haven't
the id to name replaced correctly

3.5.0, 2007-09-04
---
New Feature
[ECA-81] - Editing validity per End Entity
[ECA-115] - Serial Number Check
[ECA-138] - HardToken PIN data should be encrypted in database
[ECA-249] - Possible to configure specific validity dates in certificate
profiles
[ECA-398] - Support multiple email altnames in admin-GUI
[ECA-414] - Possibility to choose reverse DN for a CA
[ECA-419] - Improve CA softs security to use individual passwords
[ECA-470] - PKCS11 tokens for new CA and support for Utimaco CryptoServer
(using pkcs11)
[ECA-472] - Custom Logging
[ECA-480] - Import Hard Token Data in CLI
[ECA-489] - New ant argument that outputs the version number of the EJBCA
installation.
[ECA-505] - Enable download of CA certificate as jks-file from Basic Functions
in Admin GUI.
[ECA-516] - Present warning in the Admin GUI when JCE Unlimited Strength
Jurisdiction Policy Files isn't used.
[ECA-520] - Experimental reporting functionality using JasperReports
[ECA-526] - Possible to install with initial AdminCA on HSM
[ECA-527] - Possible to retrieve entity certs with CLI
[ECA-545] - Allow initial superadmin enroll on smartcard
[ECA-573] - Root-less install, use custom SSL truststore for JBoss/Tomcat

Improvement
[ECA-35] - make better looking public enroll pages
[ECA-232] - When listing administrators in access rights, make the link
clickable
[ECA-291] - Option to specify certificate validity begin time drift
[ECA-331] - Hide HardToken Puk Data in View HardToken page
[ECA-426] - Include nonce in requests from OCSP client
[ECA-461] - Build script does not check for actual version of java that is
used.
[ECA-462] - Possible to keep configuration/modifications in an external
directory
[ECA-465] - Possible to use different profiles in CMP RA mode
[ECA-468] - Create a PKCS7 with the web service interface to import it in IE
[ECA-471] - New Calls in the EJBCA Web Services interface
[ECA-473] - Interface of UserDataSources improved for support of UserData
Deletion
[ECA-475] - Improved functionality in Extended CMS Service
[ECA-482] - Move scep servlet to its own web application
[ECA-494] - Better default datasource for ScepRAServer in External RA
[ECA-495] - ScepRAServer in External RA will process the same message until it
is approved
[ECA-502] - build.xml should use $JAVA_HOME/bin/keytool instead of first one in
path, if available.
[ECA-507] - Add description on UPN field.
[ECA-508] - When using Validity Override, don't allow validity to start before
current time.
[ECA-509] - When using Validity Override, don't allow validity to extend
beyond the validity of the certificate profile
[ECA-510] - AD Publisher should use different container for
certificateRevocationList
[ECA-513] - Not consequent text in profiles menu choices
[ECA-514] - Java exception when removing newly added service
[ECA-518] - Support new key purpose CAKEYPURPOSE_HARDTOKENENCRYPT
[ECA-531] - Improve Approvals with multiple steps of non-executable approvals
[ECA-532] - Support Approvals for the getHardTokenData and genTokenCertificates
call
[ECA-536] - Import CA function supports HSM CAs
[ECA-537] - Require approvals for revocation
[ECA-572] - Confusing text in conf/ejbca.properties.sample
[ECA-581] - Bad presentation of approvalId, sometimes it is displayed with -
sign in notification
[ECA-584] - Not possible to use comma in CA DN when creating CA

Bug
[ECA-412] - Try to create service after re-deploy gives exception
[ECA-413] - When choosing "Hard Token Type", all previously made "Settings" are
deleted.
[ECA-443] - If you execute ./ejbca.sh batch in "ejbca/bin" the script creates
ejbca/bin/p12 and puts the new p12:s in there instead of ejbca/p12
[ECA-460] - Get certificate chain link in public enroll pages does not work
when CA is signed by external Root.
[ECA-467] - Private EC keys report different algorithm after application server
restart
[ECA-501] - Weblogic throws TransactionRolledBackLocalException on duplicate
log lines
[ECA-512] - Java exception when editing services
[ECA-525] - ExtRATestClient not working according to doc
[ECA-539] - Removing any but last of dynamic fields in an End Entity Profile
generates errors when creating an end entity.
[ECA-548] - Automatic token activation fails when using nCipher HSM
[ECA-549] - No space trimming in DN of a CA
[ECA-556] - Security: XSS possibility on public web
[ECA-559] - Autoactivate of Hard CA tokens does not show as active in Admin-GUI
[ECA-560] - Renew of keys for soft token CA must not regenerate encryption keys
[ECA-561] - CA levels displayed incorrectly in Basic Functions at depth > 2
[ECA-571] - PKCS#11 times out after some time on Utimaco
[ECA-574] - Wrong validity of created CAs, maximum two years
[ECA-583] - Bug in advanced access rules view, UserDataSources displayed id
instead of name in rule

Task
[ECA-491] - Remove support for JDK 1.4
[ECA-538] - Remove CA import restrictions depending on keyusage field in CA-
cert.
[ECA-576] - Remove support for JBoss < 4.0

3.4.5, 2007-08-10
---
Bug
[ECA-567] - XKMS register operation fails when user's token is JKS or PEM.
[ECA-568] - Parsing of some DERBitStrings in custom certificate extensions.
[ECA-569] - If KeyIdentifiers from ExternalCAs are not standard format, key
identifiers will mismatch
[ECA-570] - Approvalqueries can fail in some circumstances

Improvement
[ECA-524] - Configurable which interface tomcat listens on

3.4.4, 2007-07-20
---
Bug
[ECA-486] - Can't activate a (nethsm) hard CA where cardset is not protected
[ECA-544] - Servlet is not able to return Open VPN Installer executable.
[ECA-553] - CRLUpdate worker not working with TableProtection enabled on JBoss
4.2.0

Task
[ECA-555] - Add instructions for using module protected keys with EJBCA and
nCipher to User Guide.

3.4.3, 2007-06-08
---
New Feature
[ECA-484] - Support for JavaDb/Derby

Task
[ECA-500] - Support for JBoss 4.2.0
[ECA-522] - XKMS/WS does not work on JBoss 4.2.0

Improvement
[ECA-474] - Support RSASHA256WithRSAAndMGF1 again
[ECA-504] - possible to specify keystore name to ant javatruststore
[ECA-511] - Spelling errors

Bug
[ECA-360] - End entity details fails to display in log
[ECA-479] - invalid error message when i create an external ac
[ECA-483] - cli: ./bin/ejbca.sh ra unrevoke dont set a correct userstatus
[ECA-487] - Exception on glassfish when removing and adding a CA with same DN
[ECA-488] - ejbca.sh may fail to find weblogic/glassfish if jars are not
executable
[ECA-497] - LdapSearchPublisher not working
[ECA-498] - LdapSearchPublisher does not publish to old entry if search returns
more than one entry
[ECA-499] - ./bin/ejbca.sh ca importca gives exception
[ECA-503] - No good error message when using non existing alias for keystore in
the encryption decryption CLI

3.4.2, 2007-04-26
---
New Feature
[ECA-41] - Export soft CA token to pkcs12 file
[ECA-338] - EJBCA deploys and runs on Glassfish
[ECA-425] - Support for MD5withRSA as signature algorithm for CAs
[ECA-434] - CLI to automatically add HW token CA.
[ECA-435] - simple CLI to be able to use nCipher HSM to encrypt and decrypt
[ECA-444] - JSF admin pages work on Glassfish
[ECA-452] - Publish CRL with user defined script
[ECA-464] - Scep RA functionality in ExtRA API

Improvement
[ECA-429] - Public web link from admin-GUI should open in new window/tab
[ECA-431] - Better support for customized extension when processing external
CAs
[ECA-432] - Possibility to store customized data in ExtendedInformation
[ECA-457] - New logo for admin-GUI
[ECA-458] - Basic custom extension support for asn.1 IA5String
[ECA-463] - Publish cert and revocation with user defined script
[ECA-481] - Remove track-statements config in JBoss to enhance performance

Task
[ECA-410] - Oracle JDBC does not support ResultSet.relative
[ECA-411] - Support for JSF in Weblogic
[ECA-450] - Update german language file
[ECA-454] - Include dncomponents.properties and profilemappings.properties in
ejbca-util jar

Bug
[ECA-374] - ServiceTimer Startup throws exception on startup on Glassfish
[ECA-421] - Certificate Enrollment Internet Explorer 7 Windows VISTA
[ECA-424] - Ocspclient stopped working
[ECA-427] - Bug showing fixed OCSPSIGNER certificate profile when adding end
entities
[ECA-428] - XKMS key recovery issue on platforms not using ISO8859-1 language
encoding
[ECA-430] - Upgrade XKMS external service for External CAs give NPE
[ECA-433] - Impossible to remove CAs with customly defined profiles
[ECA-437] - Missing property YOUCANTADDFIXEDCERT in language files
[ECA-438] - When X is enabled on server, Edit end entity profiles gives
sun.print.CUPSPrinter exception
[ECA-439] - Renew Root CA does not give new validity period
[ECA-440] - Renew Root CA might give different encoding for subject and issuer
[ECA-446] - Not possible to use | in DirectoryName, altname and email not
stripped
[ECA-447] - Downloading certs on public web gives no file extension when
filename contains space
[ECA-449] - CRLUpdateWorker not working, missing reference to CRLSession bean
[ECA-451] - Service timer runs amok on Weblogic
[ECA-453] - nCipherHSM.sh runs out of memory for large backups.
[ECA-455] - Public web pages not working in Weblogic
[ECA-459] - Be able to use email in LDAP dn

3.4.1, 2007-01-27
---
Bug
[ECA-417] - Cli throws exception on windows
[ECA-422] - OCSP not working in Mozilla

3.4.0, 2007-01-19
---
New Feature
[ECA-97] - Possibility to dynamically configure new OtherNames in
subjectAltName.
[ECA-99] - Support for CMP (rfc 4210)
[ECA-251] - Email for certificate expiration warning
[ECA-296] - New access rule to delete generated
[ECA-297] - Simple approval function for RA
[ECA-332] - Initial EJBCA WebService interface
[ECA-346] - Monitoring Services Framework, mail on certificate expire
[ECA-349] - Support custom OID fields in subject alternative names
[ECA-359] - Allow validity override from requests
[ECA-362] - Support for ECDSA signature keys
[ECA-371] - Support CRLIssuer in crl distribution point
[ECA-381] - Make DN components configurable, support custom OIDs
[ECA-393] - CSV export of log entries from admin-GUI
[ECA-394] - XKMS v2 Service
[ECA-400] - Custom Certificate Extension framework

Improvement
[ECA-30] - Unify DN and AltName handling
[ECA-304] - Mail notification of new passwords without re-setting status
[ECA-330] - Add access rule to access system configuration
[ECA-333] - Improve Batch Tool functionality
[ECA-335] - Printing of new and edited userdata
[ECA-337] - Make reverse dn ordering easy configurable
[ECA-339] - Move ejbca.properties to conf subdirectory to be able to split up
different part in different files
[ECA-341] - Approval Email notification
[ECA-342] - Internal log and exception localization
[ECA-343] - Key recovery should be approvable
[ECA-344] - Deploy CRL creation service by setting a simple property
[ECA-345] - Cache CA objects to avoid loading keystores often
[ECA-355] - implement the withlimit flag in useradminsession.query
[ECA-368] - Configurable order of unknown DN oids
[ECA-372] - Allow multiple policy oids in certificates
[ECA-377] - possibility to store certs on the card with Mozilla browser
[ECA-379] - Add dnQualifier as a DN component
[ECA-382] - possibility to set public exponent when generating RSA keys for
nCipher.
[ECA-388] - Possibility to retrieve PKCS7 response in ExtRA API
[ECA-391] - Release zip-file should unpack in directory with version number
[ECA-392] - Improve Weblogic support for Weblogic 9.x.
[ECA-396] - Support multiple email altnames using CLI
[ECA-399] - Calculate certtype automatically in publishCACertificate

Task
[ECA-327] - Make UTF8 encoding default in DNs (for new CAs)
[ECA-351] - Upgrade XDoclet jars
[ECA-401] - Change default java version to 1.5 when building EJBCA

Bug
[ECA-299] - Changing CPS in profile does not save always
[ECA-336] - Using reversed DN makes DN wrong in some places
[ECA-352] - Language files must be placed under /tmp in Weblogic
[ECA-386] - Not possible to revoke external CAs
[ECA-406] - Changing log configuration gives NullpointerException when using
other languages

3.3.3, 2006-12-22
---
Bug
[ECA-347] - Sun One Directory Server doesn't understand the gn attribute, it
waits for givenName
[ECA-370] - CRLs are generated with default DN encoding, not the same as issuer
in ca certificate
[ECA-373] - Typo in ejbca.properties.sample

Improvement
[ECA-376] - Include serialNumber LDAP attribute if selected in DN
[ECA-383] - Option to remove entity in LDAP when cert revoked

3.3.2, 2006-11-13
---
Bug
[ECA-328] - EJBCA requires Myfaces in appserver to deploy admin-GUI
[ECA-350] - Errors deploying on Weblogic
[ECA-357] - OCSP with lookup test not working. ocspclient.jar
[ECA-363] - EJBCA does not work with Oracle DB

Improvement
[ECA-353] - Automatic column name change for logentrydata.comment in
Weblogic/Oracle
[ECA-356] - ant javatruststore should be able to install any CAs certificate
[ECA-365] - Turkish profile

Task

[ECA-358] - Upgrade to latest log4j jar

3.3.1, 2006-09-29
---

Bug
[ECA-326] - Use MySQL specific command in ExternalOCSPPublisher.java
[ECA-334] - Not possible to activate a Luna HSM CA
[ECA-340] - Some errors in deployment descriptors (not noticeable in JBoss)

3.3.0, 2006-09-13
---
New Feature
[ECA-98] - Commands and status for certificate suspend
[ECA-143] - Option to generate new keys when renewing a CA
[ECA-215] - Loadbalancer Health Check Servlet
[ECA-234] - Support for directoryName in SubjectAltNames
[ECA-238] - Generate OpenVPN install packages for token enrollment
[ECA-248] - External RA API and service
[ECA-268] - Revoke certificate in Ldap search publisher
[ECA-271] - Option in publishers to not remove certificate when revoked
[ECA-272] - Configurable CRL overlap time
[ECA-274] - Support Subject Directory Attributes extension
[ECA-275] - Support Custom UTF8String QC Statement
[ECA-276] - Asn1dump cli command
[ECA-281] - Option to specify UTF8String for all subject DNs
[ECA-289] - Possibility to use smart card HSM on external OCSP responder
[ECA-290] - Basic signing function to verify the integrity of audit logs
[ECA-306] - Initial Framework for User Data Sources
[ECA-314] - Initial Approval implementation
[ECA-316] - Basic integrity protection of external OCSP database
[ECA-321] - k/n operator card authentication when enabling nCipher keys in
nCipher cards
[ECA-322] - Support for German in admin-GUI

Improvement
[ECA-84] - Add UserNotice and CPS url to certificate policy extension
[ECA-166] - Request to external CA gives bad error messages
[ECA-187] - Better sizing of the 'View Certificates' windows
[ECA-255] - Templates for Hard Token Profile printouts
[ECA-266] - Issue CRLs periodically before CRL expire date
[ECA-279] - Added new classes to ejbca-util.jar to compile with timestamp
server
[ECA-280] - Support of Safe Net Luna HSM
[ECA-285] - If possible it should be possible to define the auth code of the
HSM when configuring the CA.
[ECA-294] - Limit user cert validity to CAs validity
[ECA-309] - Healthcheck servlet for the External OCSP Service
[ECA-310] - Simplified EJBCA healthcheck deployment
[ECA-312] - Option in cli to re-publish all certificates, not only latest
[ECA-320] - Authorization denied displays as error 500 in IE
[ECA-324] - ant task to add ca-certificate to java truststore

Task
[ECA-174] - Publish (optionally) multiple certificate values in LDAP
[ECA-207] - Remove redundant code from Profiles
[ECA-298] - Latest version (1.33) of bouncycastle jars

Bug
[ECA-57] - I18N issues with resource bundle
[ECA-150] - Can get user certificate from another CA than the user is
registered for
[ECA-189] - LogSession can miss to log events under multithreaded heavy load
[ECA-236] - Internationalize webconfiguration.jspf
[ECA-250] - Error in default PIN envelope for hard tokens
[ECA-258] - JBoss hangs when deleting publisher used in CA
[ECA-262] - You cannot leave out defaultKey in nfast ca token configuration
[ECA-267] - Bug in searching for certificates for user that have been removed
[ECA-284] - Wrong exception thrown in EracomCAToken.
[ECA-287] - It is only possible to use one key for each CA with Eracom HSM.
[ECA-292] - Creating CA with national chars in DN fails for some encodings
[ECA-300] - "Hard CA Token Properties" not stored permanently after editing.
[ECA-301] - External OCSP responder doesn't work with jboss-4.0.4
[ECA-302] - In the Edit End Entity Page it is not possible to set a user back to
generated if it has been set to new by mistake
[ECA-303] - ant ocsp-deploy does not work without tomcat.jks file
[ECA-305] - Wrong responderId in response from OCSP responder when not using
CA-signing
[ECA-307] - Custom Publishers doesn't reload after save of properties
[ECA-308] - Exception is thrown when trying to republish to external OCSP
publisher
[ECA-311] - Re-publish should not add revoked certificates in LDAP
[ECA-313] - BC provider can be missing if running multiple apps simultaneously
(rare)
[ECA-315] - Many calls to internal OCSP responder can give 'Reentrant method
call detected' error
[ECA-317] - ca republish cli command uses wrong username for CA
[ECA-318] - Scep only works against RootCAs, not SubCAs
[ECA-319] - Surname and Givenname is always added as attributes in LDAP even if
not required
[ECA-323] - Html encoded characters not displayed correctly on jsf pages
[ECA-325] - CRL Issue interval overflows when too large value entered

3.2.2, 2006-06-25
---
Improvement
[ECA-282] - Distribute files with stricter permissions
[ECA-286] - Remove logging in publisher.getAuthorizedPublisher calls
[ECA-295] - Allow dot in username

Bug

[ECA-202] - Too long primary keys when using UTF-8 encoding in MySQL
[ECA-277] - Error deploying on MS-SQL and Sybase
[ECA-278] - SQLException on MS-SQL
[ECA-283] - Web enrollment with Eracom HSM fails

3.2.1, 2006-05-29
---
New Feature
[ECA-263] - Alternative way of checking end entity profile data

Bug
[ECA-139] - It is not possible to use a HSM to sign a pkcs10 req to an external
root CA.
[ECA-259] - Exception when importing certificate signed by external CA
[ECA-264] - Remove field restrictions for QC statement
[ECA-273] - Jboss 4.0.4 throws tomcat clustering exceptions with distributable
tag in web.xml

Improvement
[ECA-265] - Allow ':' in username and DN
[ECA-269] - Web-encoded characters in spanish language file
[ECA-270] - Public web cert dist sensitive to DN order

3.2.0, 2006-04-06
---
New Feature
[ECA-89] - New LdapSearchPublisher, obtain LDAP DN from directory server, using
UID attribute, with LdapPublisher
[ECA-179] - Support Qualified Certificate Statement (RFC3739)
[ECA-190] - LDAP search capabilities in AD Publisher
[ECA-192] - Support for Eracom HSM (now SafeNet)
[ECA-208] - Swedish Translation of Admin-GUI
[ECA-220] - OCSP extension mechanism
[ECA-221] - Possibility to run OCSP responder(s) separated from CA
[ECA-224] - Support for Informix 9.2 database
[ECA-225] - Chinese translation of Admin-GUI
[ECA-228] - Key Recovery of soft tokens should support reuse of certificates
[ECA-229] - Make OCSPSignerCertificateProfile Visible
[ECA-239] - possible to select if a printout should be "scaled to page" or not.
[ECA-245] - Utility script to initialize creation of administrator token
[ECA-195] - CLI function to activate HSM CAs
[ECA-216] - CRL in PEM format since OpenVPN requires PEM format

Bug
[ECA-66] - Certificate fingerprint (hex encoding)
[ECA-134] - Not possible to select 'no value' when a dn value is set in entity
profile
[ECA-137] - AdminGUI not working on different machines in a multi-machine
environment
[ECA-152] - ejbca-ejb.jar contains web.xmls
[ECA-164] - Spelling error in language file
[ECA-184] - EJBCA changed the order of issuer's subject DN when creating a
certificate
[ECA-202] - Too long primary keys when using UTF-8 encoding in MySQL
[ECA-203] - Exception when accessing adminGUI due to duplicate log entries
[ECA-205] - server.xml contains some static fields that should be taken from
ejbca.properties
[ECA-209] - Weblogic/Oracle needs special deployment descriptors for LONG
columns
[ECA-210] - In edit CA page will 'Edit' and 'Delete' action generate
nullpointer when spacevalue is selected
[ECA-223] - Links not URLEncoded on public page for downloading CA-cert
[ECA-227] - Testscript causes OutOfMemory exception
[ECA-230] - After enabling "issue hardware token" in sys config you need to
manually reload menu-frame
[ECA-231] - Edit hardwaretoken is broken
[ECA-235] - ant deploywithjbossservices messes up EJBCA
[ECA-237] - Generate CRL on off-line CA gives exception
[ECA-240] - All hard token CAs are displayed as online after ejbca start
[ECA-241] - Userdefined text in enhanced eid hard token profile misspelled
[ECA-242] - getAllCACertificates fails when there are external CAs waiting for
certificate
[ECA-243] - Install script error when JBoss runs on nonstandard ports
[ECA-247] - ejbca does not set a CA to offline when the HW has been reseted.

Task
[ECA-83] - Upgrade to the latest ldap.jar
[ECA-212] - Make database upgrade script for EJBCA 3.1.x to 3.2.x

Improvement
[ECA-60] - Move CDP to CA.jsp page instead of Certificate Profile
[ECA-85] - Restructure source tree
[ECA-93] - link from admin-GUI to public index page
[ECA-158] - Wrong default CRL distribution point
[ECA-206] - Remove internal implementation of Hex and use only bouncycastle
[ECA-214] - Refactor addUser, changeUser to take UserDataVO as parameter
[ECA-217] - Change column type for extendedInformationData in UserDataBean
table
[ECA-218] - Make pageEncoding in JSP pages same as web.contentencoding
[ECA-219] - Change BaseURL behaviour to work with multi-machine setups
[ECA-246] - Small fix to UserMatch, possible to search for subjectDN contains
data from future webservice interface.

3.1.4, 2006-02-13
---
Bug
[ECA-193] - reentrant property of Entity beans is "false" instead of "False",
breaks Weblogic
[ECA-194] - Fix deployment descriptors to work with Weblogic 8.1
[ECA-196] - wrong size of some PrimeCard printouts
[ECA-198] - Private fields in CMP beans are not cached in Weblogic
[ECA-199] - Weblogic/Oracle can not use DISTINCT in SQL with LONG columns
[ECA-201] - DataSource jndi name must be EjbcaDS not java:/EjbcaDS in Weblogic
[ECA-211] - Unable to reload existing session

Improvement
[ECA-197] - Some entity beans does not define transaction settings in
ejb-jar.xml
[ECA-204] - possibility to include classes for HW token in the ear file
[ECA-222] - Make installation done with early pre-release of nCipher support
work out-of-the-box
[ECA-226] - Improved error logging for nCipher HSMs

3.1.3, 2005-11-30
---
Bug
[ECA-75] - SCEP not working with Hard token CAs (HSMs)
[ECA-107] - can't view logs using oracle due to column 'comment'
[ECA-139] - It is not possible to use a HSM to sign a pkcs10 req to an external
root CA.
[ECA-141] - Unstable default idle-timeout for datasource
[ECA-144] - Scep not working with Cryptlib
[ECA-145] - Bug in hard token profile pages, Nullpointer when changing profile
type or saving new pages
[ECA-147] - Star (*) not working in subject alt names
[ECA-148] - Scep not working with Cisco PIX
[ECA-149] - unstructuredName/address in DN does not work
[ECA-153] - cli not working on windows when java_home contains space char
[ECA-154] - install does not work when JAVA_HOME contain space char
[ECA-155] - OCSP using CA key does not work with HSMs
[ECA-156] - binary chars in ejbca-mail-service.xml
[ECA-160] - display of mail.smtp.host during ant deploy is wrong (cosmetic)
[ECA-165] - Not possible to remove UnstructuredName from entity profile
[ECA-167] - CN Postfix doesn't work if UID have the same value or DN is
reversed
[ECA-168] - Hard Token SN search doesn't work with primecard 1.3 >
[ECA-169] - Hard Token Profiles cannot be cloned
[ECA-170] - Malformed SVG Template crashes the Hard Token Profile pages
[ECA-171] - Typo in language file
[ECA-176] - Method CertUtil.getEMailAddress(X509Certificate certificate) hangs
jboss
[ECA-177] - SCEP not working with Netscreen/Juniper boxes
[ECA-180] - Select, unselect javascript features doesn't work anymore

New Feature
[ECA-109] - Support RSASSA-PSS signatures
[ECA-140] - Add $UID as a variable to the SVG templates
[ECA-181] - Javascript checks use unicode for internationalized chars
[ECA-182] - Possible to select a subset of fields in DN and Subject AltNames in
the certificate profiles
[ECA-186] - Possibility to specify the BasicConstraint path length

Task
[ECA-127] - Add references of installations to EJBCA home page

Improvement
[ECA-146] - Device schema for sun directory server missing X-ORIGIN
[ECA-159] - Not possible to view historical data in CertReqHistory
[ECA-161] - easy configuration of smtp auth
[ECA-163] - Describe how to install com.mysql.jdbc.Driver in the documentation
[ECA-178] - Better error messages when HSM provider not found
[ECA-183] - Possible to configure for different JBoss targets
[ECA-185] - new version of batik lib

3.1.2, 2005-08-18
---
New Feature
[ECA-46] - multiple instances of altNames in certificates
[ECA-130] - Implement new Scep mode using POST
Bug
[ECA-118] - Imported OpenSSL CA not working
[ECA-121] - Can not publish certificate with comma in DN to LDAP
[ECA-123] - Dash not allowed in username
[ECA-124] - User passwords leak into debug log
[ECA-125] - Adminweb too restrictive for estonian chars.
[ECA-126] - Some imported CA certificate contains the field "friendlyName" in
PKCS#12 twice
[ECA-131] - Problem with certificate import CLI command
[ECA-133] - Single quote in DN does not work
[ECA-136] - senderNonce in returned SCEP messages longer than 16 bytes
Improvement
[ECA-108] - Add changelog to ejbca web site

3.1.1, 2005-06-30
---
Bug
[ECA-113] - key Ids looks critical when editing certificate profiles
Task
[ECA-111] - Remove obsolete cli commands
Improvement
[ECA-114] - add CA id to 'ca info' cli command
[ECA-116] - Added caid to create certificate method

3.1, 2005-06-20
---
General (not from Jira):
- Usage of XDoclet to generate ejb interfaces and deployment descriptors. Lots of
XDoclet tagging to simplify development and deployment.
- Changed packaging to avoid classes duplication between jars.
- Much improved configuration, installation and deployment, now there is a single
point of configuration using a config file.
- Added French, Italian and Spanish translations for the admin-GUI.
- Add parameter for jboss/weblogic to install.
- Changed database configuration to make it more flexible for deployment.
- BatchMake has been changed to support a dir (directory attribute). Default is
still 'p12'.
- LDAP object classes for devices.
- New structure for the cli, it now lives in the bin subdirectory.
- Reorganization of documentation tree, new xml based web site for
http://ejbca.sf.net/.
- New version, 1.28, of bouncycastle provider.
- Lots of minor and structural changes.
New features:
* [ECA-6] - Download certificate link in 'View Certificate' window
* [ECA-12] - CA keystore randomizer in the ant script
* [ECA-19] - Create Servlet for initial installation
* [ECA-45] - Add SHA256WithRSA as signature algorithm for certs
* [ECA-62] - Add Receipt and address templates
* [ECA-67] - Republish button in view certificate window
* [ECA-68] - CN Postfix in certificate profile
* [ECA-69] - Only domain used for UPN in End Entity Profile
* [ECA-70] - Key Recover button in view hard token window
* [ECA-86] - Javascript changed so all new small windows automatically gets
focused.
* [ECA-87] - Added a new getCATokenStatus method in the IHardCAToken interface
* [ECA-90] - Support for nCipher HSM (sponsored by Linagora)
* [ECA-96] - Add importcert cli function
Improvements:
* [ECA-48] - make web page encoding selectable by parameter
* [ECA-56] - Bad error message when authorization fails
* [ECA-61] - Enable Advanced Profiles
* [ECA-73] - Add more information regarding Critical Extension
* [ECA-76] - Installation on JBoss 4.0.2
* [ECA-82] - Available languages (EN, FR, IT, ES) selectable by default in
admin-GUI.
* [ECA-88] - Added a 'reuse old certificate' flag to the hard token profiles
Bugs fixed:
* [ECA-13] - Exception after editing entity profile
* [ECA-28] - RA Admin privileges don't work
* [ECA-34] - Multiple bugs in Hard Token Issuing handling.
* [ECA-38] - register users with int'l characters in dn does not work
* [ECA-39] - HTML error in view end entity jsp page when displaying subjectDN
* [ECA-43] - exception during CRL generation
* [ECA-44] - no key length selection for p12 generated server certs
* [ECA-55] - export/import profiles does not ignore fixed HARDTOKEN profiles
* [ECA-71] - CRL creation in batch mode is not possible if a CA is not active
* [ECA-72] - cmd-line not working
* [ECA-74] - CRLCreateService not working
* [ECA-77] - bug when signing certificate with "card CA token"
* [ECA-78] - CRLCreatService has no overlap
* [ECA-79] - View ocsp certificate not working (exception)
* [ECA-80] - wrong PIN type is stored in DB
* [ECA-91] - Bug in base64 decoder
* [ECA-92] - UserGenerated Certificates doesn't work with enhanced EID hard tokens
and IE
* [ECA-100] - Subject DN with "'" (ASCII 27) displays as "\" in admin GUI.
* [ECA-102] - missing break; causes IllegalKeystoreException
* [ECA-104] - Handle language encodings in demo servlet
* [ECA-106] - non-superadmin cannot press cancel in my_preferences page

3.0.7, 2005-04-04
-----
* [ECA-54] - HardCATokens goes off-line when bean gets passivated
* [ECA-49] - saving of generated request from CA fails on IE
* [ECA-50] - Key Recovery status and change password in Edit End Entity doesn't
work
* [ECA-52] - In Create CA page should the CAToken authentication info be a password
field instead

3.0.6, 2005-02-23
-----
* [ECA-40] - defined hardtoken issuer and profiles disappears after some time
* [ECA-42] - <enterprise-beans> tag missing in xml file

3.0.5, 2005-02-09
-----
Added support for activation of hardcatokens in View CA Info page.
Added MS Template for DomainController functionality.
Fixed Certificate upgrade problems.
SECURITY: Add checks in adminweb for illegal SQL chars in advanced modes in list
end entities and view log.
Weblogic xml files for WLS 8.1 (still needs patch for complete function).
Possibility to set 2048 bit keys in Swedish hardtoken profile.
Changed error message when unlimited strength policy files not installed during
install.
Handle double type encoding in install.en.properties for other languages.
Tested with JBoss 4.0.1.
Support for PostgreSQL 8.0 on JBoss 4.
Fix for 'rule' column name in config for MS SQL server 2000.
Fixed problem where requiring RFC822Name caused error when editing end entity.
Fixed bug with extra commas in publishers when selected DN components don't exist
in DN.
Changed 'Batch' text in adminweb to be more descriptive.
Changed 'Use fields in DN' in adminweb to be more descriptive.
Added StaticRegistering to CA hard token manager.
Fixed error during install when CA-cert does not exist in java truststore.
Fixed weblink to force a browser type when using an unknown browser.
Added cli method to re-publish a CA and all its users to ldap.
Fixed so EMPTY profile is not selectable for admin groups not authorized to it.
Fixed sending of notification messages not working on certain occasions.
Fixed cache control issues with download of ca cert and CRL from admin pages to IE.

3.0.4, 2004-11-11
-----
Fixed integer overflow when setting CRLPeriod longer than 596 hours.
CLI command to import a CA from an existing PKCS12 file (openssl CA).
Fixed bug where own fp instead of CA fp was written to the database.
Fixed bug where an administrator could not use the admin GUI if signed by a CA
using multiple DC attributes.
Fixed bugs with AD publishing, useraccountcontrol temporarily removed.
Changed the default extended keyusages for hard token profiles.

3.0.3, 2004-09-27
-----
Fixed wrong encoding of BasicConstraints when false.
Fixed bug in CA functions page viewing certificates with intl chars.
Fixed bug in the publisher page where the top publisher wasn't shown.
Fixed bug in adduser page where email address wasn't saved when user existed.
Fixed bug where IPADDRESS and GUID subject altname wasn't shown in certificate
view.
Fixed email field check bug in add and edit user jsp pages.
Fixed bug in certificate profiles jsp page where critical extended keyusage
couldn't be unchecked.
Added missing class in admin.jar for 'ca processreq'.
Fixes to demo servlet.
Fixed error message when enrolling with un-allowed keysize from browser.
Fixed minor error in authorization log text.
Fixed error for DATE var in notifications.
Fixed bug adding email and uid attributes in LDAP.
Added more extra attributes to LDAP publisher.
Make o,ou,st selectable as 'Use Fields in DN' for publishers.
Fixed publishing of CA certificates and CRLs.
Works with Java 1.5 and 4096 bit keys.
Fixed bug in webpage checking for revocation.
Added pageEncoding for jsp pages and removed explicit encoding tag in meta-inf for
adminpages.
Fixed bug with republishing CA certificates.
Check execute permission on batch.sh from install script.
Many clarifications in docs.
Tested on MacOSX.

3.0.2, 2004-06-29
-----
Removed writing of testfile foo.crt.
Changed version in web-GUI.

3.0.1, 2004-06-27
-----
Fixed subject DN field removal bug of UNSTRUCTURED IPADDRESS and UNSTRUCTURED NAME
Fixed bug where PKCS7 header and footer always was generated when using manual
pkcs10
Fixed warning in SSL deployment with JBoss 3.2.4.
Long timeout for ca creation in JBoss 3.2.4.
Fix for keystore path in Tomcat41-JBoss32.
Some doc and xml fixes.

3.0, 2004-06-01
---
Added unstructuredname, unstructuredaddress to subjectdn.
Cleaned system.out debug logs.
Digital signature in default key usage to make ocsp work out of the box.
Added support for iPAddress alternative name.
Added support for MS GUID alternative name.
Better check on altnames when adding user with cli.
Fix CRL import in Mozilla.
Allow . in usernames in webGUI.
SCEP GetCRL method implemented.
Fixed minor errors in deployment descriptors.

3.0 beta 3, 2004-05-17
----------
Upgrade function from ejbca2 with MySQL.
Added password and extendedinformation to publisher interface.
Fixed CA renew bug where new certificates wasn't published to publishers.
Fixed Hard Token Issuer authorization bug.
Fixed Hard Token Profile authorization bug when logging in as CA Administrator.
Fixed Authorizer.java so it doesn't throw NullPointerException.
Added initial support for HSM plug-ins.
Fixed install script freeze when installing adminweb. Added -noprompt.
Added Sybase as target for 'ant replaceDS'.
Support for JBoss3.2.4/Tomcat5.0.
Fixed bug in Administrative delegations where a CA administrator could edit a
superadmin group.
Changed so 'enable end entity limitations' is enabled by default.
Strip DN when creating new CAs.
Added test if strong crypto is installed in the install script.

3.0 beta 2, 2004-03-21
----------
Made SUN specific algorithms and providers configurable, to be able to use other
jvm.
Fixed serious bug that caused certs to be signed by wrong CA after ejbPassivate.
Made DN order configurable with switch in source.
Alias in PKCS12 is now CN by default and username if CN does not exist.
Added possibility to configure publishers (LDAP, AD) through administrative web
interface.
Implemented more SCEP functions, tested with Cisco VPN client.
Compound primary key for HardTokenPropertyBean.
Added junit tests of entity beans

3.0 beta 1, 2004-02-09
----------
Virtual CAs, run a complete hierarchy (or several) in one instance of EJBCA.
Easier installation and configuration with new install script.
Complete support for OCSP.
Added 'Authority Information Access' extension for OCSP service URL in
certificates.
LDAP schema now correctly follows RFC 2256 and works with OpenLDAP 2.2.
LDAP Publishing controlled from certificate profiles.
Possible to configure autogenerated passwords in admin web gui.
Improved support for keyrecovery.
Improved configuration of administrative privileges.
Many minor fixes and enhancements.

2.1.3, 2004-03-29
-----
Fixed a bug when applying with IE, wrong csp could be used.

2.1.2, 2004-01-30
-----
LDAP schema now correctly follows RFC 2256 and works with OpenLDAP 2.2.

2.1.1, 2004-01-09
-----
Improved error handling for batch generation.
Fixed some SQL for PostgreSQL.
Set Content-Type on OCSP responses.
Setup-adminweb supports JBoss 3.2.3.
Fix for internationalization of admin-web with non ISO chars.
Minor debug cleanups.

2.1, 2003-10-11
----
Initial SCEP support.
Initial OCSP support.
Support for multiple CDPs separated by ';'
Removed unneeded debug output of cert during creation
Fixed bug in setup-adminweb.sh
Fixed missing submit button with PEM/P12 users
New cmd line command to export/import profiles to XML files
Fixed bug in 'ca makereq' when rootCA has no CN
Added encoding=iso8859-1 to javac to fix compile on strange locales
Fixed API for active directory publisher
Support for more than two levels of CAs
Fixed small bug if using null revocation date
Default revocation reason to new reason NOT_REVOKED
Fixed utility method that returned wrong subject key id
Getroot cert in PEM or DER format
Fixed bug when saving system configuration in admin-GUI.

2.0.1, 2003-05-12
-----
Java 1.4.x is now required.
Support for JBoss_Jetty and JBoss 3.2.x.
Microsoft UPN altName and smart card logon extended key usage.
Enrollment page can now handle both patched and unpatched IE
clients.

2.0, 2003-03-19
---
Added Hard Token functionality, EJBCA can now store pin/puk data in
database.
Added email notification to added end entities.
Added Key Recover functionality.
Changed initial temporary super administrator from "CN=Walter" to
"CN=SuperAdmin".
Removed CA and ROOTCA types in "ra adduser" cmd, from now on use certificate
profiles.
Added allowOverrideKeyUsage in certificate profiles.
New fields in DN, givenname, surname, initials.
ExtendedKeyUsage extension (for use in OutLook).
New servlet in adminweb, AdminCertReqServlet that creates users out of
PKCS10-requests.
Moved batch and deploy scripts into build.xml.
Moved external jars into ear-file.
Tested on Weblogic 7.1.
Lots of bugfixes and cleanups.

2.0b1, 2002-12-05
-----
Moved to EJB 2.0 (JBoss 3 now required).
Enhanced database schema, for EJB 2.0 and the many new features.
Web GUI for administration using SSL.
Improved speed using EJB 2.0.
Type of signing device completely soft configurable.
New access control on method invocation.
Option to generate JKS or PEM keystores.
Added CertificatePolicies extension.
Return PKCS7 with full path to browsers.
New configurable certificate profiles.
More alternative names.
User profiles for administrators of different groups.
Improved serial number generation.
New logging mechanism.
Many small improvements.
Many bugfixes, and new bugs.

1.4, 2002-10-29
---
Fixed bug with case-sensitivity for column names in Sybase.
Fixed bug when rolling over subCAs without subjectKeyId in cert.
Fixed bug with using country=CN in DN.
Fixed encoding bug in CRL distribution points.
Fixed LDAP issue with email address.
Added method for easily getting certificates with different
keyUsage.
Better separated and better looking web pages.
Deployed with EAR-files.
Architectural changes.
New version of Log4j, 1.2.
Tested with Orion app-server.

1.3.2, 2002-04-16
-----
Fixed compilation error with JDK1.3.
Fixed bug where order in IssuerDN could be wrong.
Fixed typo in deploy.cmd/sh.

1.3.1, 2002-04-11
-----
Fixed wrong template path for IE certificate enrollment.

1.3, 2002-04-01
---
Configuration howto/support for Oracle.
Tested on Weblogic.
Function to batch-generate PEM-files for Apache etc.
Function to rollover subCA with same key pair in ca.sh/cmd.
Function to change password for user.
Function to list certificates about to expire.
New version (112) of BC JCE-provider.
Architectural overview in documentation.
Better deployment scripts.
Sample Linux firewall script.
Added demo accept-all authentication module,
NullAuthenticationSession.
CA-certs can now be downloaded from webdist.
Lots of minor cosmetic, architectural, installation and GUI
changes.

1.2, 2002-02-01
---
Command for batch processing, and other batch fixes.
Better error messages when user applies for cert with browser.
Fixed bug where NextUpdate in CRLs were incorrect.
Fixed problem receiving certificate replies for subCAs.
Function to rollover Root CA with same key pair in ca.sh/cmd.
Listusers function in ra.sh/cmd.
Info function in ca.sh/cmd.
Minor improvements and bugfixes.

1.1, 2002-01-09
---
Tested with additional databases (mySQL, PostgreSQL).
The Datasource used is configurable.
New architecture for Publishers where certificates can be published in addition
to the main database.
Change DN order to match RFC1779. WARNING! See doc/RELEASE_NOTES for information
about upgrading from v1.0.
LDAP Publisher to store certificates and CRLs in LDAP directory.
Minor bugfixes.

1.0, 2001-12-05
---
Fixed bug with not returning correct content-length to browser when returning
PEM-certificates.
New version of BouncyCastle provider with minor PKCS12 fix.
Updated docs.
Added FAQ.

1.0b2, 2001-11-26
-----
New version of Bouncycastle JCE provider.
Added and clarified some documentation.
New version of BC provider fixed compatibility of PKCS10 requests with KeyTool
and MS CA.
Fixed process of PKCS10 request from KeyTool (they use different header).
Fixed bug during key generation of CA that always generated 1024 bit keys.
Creates p12-files during test in real temporary dir.

1.0b1, 2001-11-21
-----
Initial release
