EJBCA 6.9.1 Release Notes

The PrimeKey EJBCA team is pleased to announce the feature release EJBCA 6.9.1.

The following sections cover the new features and improvements in the 6.9.1 release.

Read the EJBCA 6.9 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 6.9.1

For the first time in a while we're releasing a standard minor release, mainly concentrating on bug fixes and feedback from implementers of our CAA Validator. All in all we've made the CAA Validator far more configurable, allowing features such as white-listing some domains (excluding them from CAA checks), allowing the validator to ignore specific Top Level Domains and making recursion depth configurable. We've also added caching and robustness to DNS lookups in order to cope with query throttling by the resolvers. In addition, we've included a couple of minor performance improvements in connection with certificate issuance.
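As an added illustration, not EJBCA's own code, of how the CAA Validator options named above fit together: an RFC 6844 tree climb over a constructed in-memory zone, with a domain whitelist, optional TLD querying, a bounded CNAME chain (recursion depth) and a lookup cache that can be shared across the SANs of one request. The zone, names and `CaaConfig` fields are invented for the example.

```python
from dataclasses import dataclass
# Constructed sample zone, not real DNS: name -> {rtype: data}; runs offline.
ZONE = {
    "example.com":        {"CAA": [(0, "issue", "trusted-ca.example")]},
    "www.example.com":    {"CNAME": "example.com"},
    "locked.example.com": {"CAA": [(0, "issue", ";")]},        # ";" forbids every CA
    "loop-a.example.net": {"CNAME": "loop-b.example.net"},
    "loop-b.example.net": {"CNAME": "loop-a.example.net"},     # CNAME loop
}

@dataclass(frozen=True)
class CaaConfig:
    issuer: str                          # our CA's identifier, matched against "issue" tags
    whitelist: frozenset = frozenset()   # domains exempt from CAA checking
    query_tlds: bool = False             # also query the bare TLD label?
    max_depth: int = 8                   # bound on CNAME hops followed per name

def _lookup(name, rtype, zone, cache):
    """Cached query for one RRtype (only CAA or CNAME is asked for, never ANY)."""
    key = (name, rtype)
    if key not in cache:
        cache[key] = zone.get(name, {}).get(rtype)
    return cache[key]

def _caa_rrset(name, zone, cache, max_depth):
    """CAA RRset for name, following its CNAME chain as in RFC 6844 errata 5065."""
    for _ in range(max_depth + 1):
        rrset = _lookup(name, "CAA", zone, cache)
        if rrset:
            return rrset
        target = _lookup(name, "CNAME", zone, cache)
        if target is None:
            return None
        name = target
    raise RecursionError(f"CNAME chain exceeds {max_depth} hops at {name}")

def caa_permits(domain, cfg, zone=ZONE, cache=None):
    """Climb from domain towards the root; the first non-empty CAA set decides.
    Pass one cache dict for all SANs of a request to reuse lookups between them."""
    cache = {} if cache is None else cache
    if domain in cfg.whitelist:
        return True
    labels = domain.split(".")
    while len(labels) >= (1 if cfg.query_tlds else 2):
        rrset = _caa_rrset(".".join(labels), zone, cache, cfg.max_depth)
        if rrset:
            permitted = {v.split(";")[0].strip() for _, tag, v in rrset if tag == "issue"}
            return cfg.issuer in permitted
        labels.pop(0)
    return True  # no CAA anywhere in the tree: issuance is permitted
```

Wildcard (`issuewild`) handling and DNSSEC validation are left out to keep the climb itself readable.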

As the CAA standard is still evolving we're not counting on our work in this field being finished quite yet, but for the moment we're hoping that you're all looking forward to the neat new features coming in EJBCA 6.10 in a few weeks.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 6.9.1, refer to our JIRA Issue Tracker.

Issues Resolved in 6.9.1

Released on 6 October 2017

New Features

[ECA-6063] - Make Trust Anchor for CAA Validators configurable
[ECA-6116] - Add TTL information to CAA Tool output
[ECA-6133] - Add whitelist possibility to CAA Validator

Improvements

[ECA-6064] - Optimize issuance by minimizing EndEntity XML encoding/decoding
[ECA-6093] - Optimize ConfigurationHolder.getPrefixedPropertyNames
[ECA-6105] - Raw subject DN extended information should be base64 encoded
[ECA-6118] - Ability to use "description" attribute in directoryName fields
[ECA-6122] - Add additional logging to CAA Validator
[ECA-6123] - Make recursion depth configurable for CAA Validators
[ECA-6127] - CAA Validator should only lookup CAA records instead of ANY
[ECA-6128] - Make querying top level domains (TLDs) for CAA lookups optional
[ECA-6129] - Introduce DNS lookup caching for multiple SANs in the CAA Validator
[ECA-6136] - DNSSEC should be enabled by default in the CAA validator
[ECA-6137] - Issue if CAA lookup failed more than once and there is no DNSSEC chain to the ICANN root
[ECA-6145] - Support CNAME discovery as in Errata 5065
[ECA-6149] - Fill in default CAA Validator timeout in the UI
[ECA-6150] - Stop writing complete stack traces for expected validation failures
[ECA-6161] - Make DNAME lookups in CAA validator optional

Bug Fixes

[ECA-6103] - importcert command fails in some instances for DirectoryName SAN values
[ECA-6104] - DNAME records are not followed correctly by CAA Validator
[ECA-6115] - CMP: error verifying extraCerts in RA mode when more than the EE cert is present in a chain longer than two
[ECA-6117] - Certificate with empty attribute can not be imported
[ECA-6121] - CAA Validator doesn't fail for nonsense domains
[ECA-6135] - Regression: Key WS Key recovery requires call to edituser() before enrollment
[ECA-6148] - Remaining login attempts counter not decreased using public web
[ECA-6152] - Regression: Uploading EC CSRs in RA result in exception