EJBCA 6.11.1 Release Notes

The PrimeKey EJBCA team is pleased to announce the minor release EJBCA 6.11.1.

Release Highlights:

For information on new features and implemented improvements, see the EJBCA 6.11 Release Notes.

This minor release does not involve any upgrade steps or notable database changes. Read the EJBCA 6.11 Upgrade Notes for important information about the release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

BouncyCastle Library Version Upgrade

We've upgraded the underlying BouncyCastle library version 1.59, which adds support for SHA3 signature algorithms.

Improved CMP Handling

The main feature of this release is a modification of how vendor certificates are handled in CMP. Previously we restricted CMP clients to enroll to the same subject DN and issuer as specified in the vendor certificate, while we now allow enrolling to a number of different certificates based on the same vendor certificate. The purpose of this change is to be able to use the same vendor certificate to enroll a device with several keys with different purposes.

Fixes and Improvements

We've fixed a few neat bugs, among which being a performance sink in the display of crypto tokens in the CA GUI, some minor issues related to EST and a case where a CA might incorrectly fail a CAA issuance check for some corner cases.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 6.11.0-6.11.1, refer to our JIRA Issue Tracker.

Issues Resolved in 6.11.1

Released on 22 February 2018

Epic

ECA-6468 - CMP changes to return caPub certificates and lessen DN checks on VC certificate

New Features

ECA-6212 - Add support for SHA3 signature algorithms

ECA-6512 - CMP Vendor mode: ability to issue multiple certificates authenticated by the same Vendor certificate

ECA-6577 - CMP ability to select CA certificates to add to caPubs in CMP responses (multiple order defined)

ECA-6601 - CMP ability to select CA certificates to add to extraCerts in CMP responses (multiple order defined)

Improvements

ECA-6434 - CMP Vendor mode: Ability to have different requestDN from VendorCert DN where request DN lacks extract username component

ECA-6435 - CMP Vendor mode: Ability to have different requestDN from VendorCert DN

ECA-6440 - ExternalCommandCertifciateValidator to call external scripts only

ECA-6460 - Upgrade EJBCA to BC 1.59

ECA-6536 - Info-loggning for incoming and outgoing EST requests

ECA-6540 - EST: improve help messages in EST alias

ECA-6541 - EST/CMP/SCEP configuration should use password field

ECA-6558 - Make EST be displayed in a nice way Enterprise vs Community

ECA-6569 - Documentation: clarify steps to renew OCSP certificates

ECA-6573 - Update CustomerLdapPublisher1

ECA-6574 - Add documentation links to CMP and EST aliases pages

ECA-6631 - CMP: find registered end entity by DN if username (extracted from DN) is not found

ECA-6632 - CMP: don't include trust anchor in extraCert certificate list to verify

Bug Fixes

ECA-6431 - End Entity Profile field validation should not allow empty fields

ECA-6439 - GeneralPurposeCustomPublisher test command shows error message with empty path

ECA-6443 - clientToolBox OCSP GET does not work with TLS connections

ECA-6461 - Regression: Cannot enroll in Public Web

ECA-6463 - Fix CrmfRequestTest.test12ServerGeneratedKeys

ECA-6467 - Null pointer exception when enroling with EC in RA web

ECA-6471 - Regression: It's only possible to add partitions to the first approval step

ECA-6481 - Base64 decoding fails with BC v1.59

ECA-6509 - XStream 1.4 lib requires JDK8

ECA-6535 - EST not working on local CA when a peer connection to a VA is present

ECA-6537 - EST: in EST profile Certificate Profile field not updated automatically when End Entity profile field is changed

ECA-6542 - EST Aliases fail to add values for future keys

ECA-6547 - Regression: Approval requests cannot be edited

ECA-6556 - EST certificate profile and default CA is stored with name instead of ID

ECA-6587 - No End Entity Profiles selected when viewing Role in Basic Mode after upgrading

ECA-6603 - EST - Enroll with username/password not working through external RA

ECA-6622 - CAA Issuance fails for domains where both issue and issuewild records exist in a certain order

ECA-6624 - PeerConnectionTest.publishCertificate fails with database protection enabled

ECA-6625 - Regression: Statedump and Database CLI doesn't work on with JDK8

ECA-6633 - CMP: check if extraCert is active does not consider if it is notified about expiration

ECA-6638 - Crypto Tokens are re-created and activated every time cache is reloaded