PKI Appliance Release Notes Summary

The following lists release notes for all PKI Appliance versions released.

PKI Appliance 3.4.2 Release Notes

The release brings updated versions of EJBCA Enterprise and SignServer Enterprise.

New versions of EJBCA and SignServer

EJBCA Enterprise 7.3.1

Updated version of EJBCA Enterprise, please see the EJBCA 7.3.1 Release Notes.

SignServer 5.2.0

Updated version of SignServer Enterprise, please see the SignServer 5.2 Release Notes.

Upgrade Information and Limitations

For important upgrade information and limitations to be aware of, see PKI Appliance 3.4.X Upgrade Notes.

PKI Appliance 3.4.1 Release Notes

With this release, we have updated the Utimaco firmware stack to bring PKCS#11 R2 to feature parity with PKCS#11 R1. The release also brings an updated version of EJBCA Enterprise.

Features and Improvements

  • Updated version of EJBCA Enterprise, read more about this release in the EJBCA 7.3 Release Notes.

  • Update of the Utimaco Firmware Stack
    • The Utimaco PKCS#11 R2 is the new recommended default for new installations and you can now use smart card activated multi-user slots in PKCS#11 R2.
    • In addition, the new cyberJack One PIN pad (white) is now supported and will be delivered with all new PKI and SignServer Appliance hardware.
  • GCM mode ciphers are now available for outgoing peer connections.
  • Resolved a corner case where generating a key pair on the HSM previously deactivated the crypto token in other cluster nodes.

Upgrade Information and Limitations

The following lists important upgrade information and limitations to be aware of.

Upgrading EJBCA

After upgrading to certain versions of EJBCA (typically a new version where the database schema has changed), it is recommended to perform an EJBCA post-upgrade.

If the EJBCA instance you are upgrading is a part of a cluster, you should run the EJBCA post-upgrade only after all nodes in the cluster have been upgraded to the new version of EJBCA. Note that you only need to run the post-upgrade on one of the nodes in the cluster.

For more information on upgrading EJBCA, refer to Upgrading EJBCA and for information on database changes in the respective EJBCA releases, refer to the EJBCA Upgrade Notes.

General Upgrade Notes

The following provides important information and requirements to be aware of when upgrading.

  • When installing updates on a PKI Appliance running version 3.2.0, make sure to unplug any USB sticks before performing the update.
  • When a single node is disconnected from the cluster, the local EJBCA instance will be temporarily unusable and the EJBCA Administration interface displays an error message. The problem remediates itself within one hour, while a restart of EJBCA resolves the issue instantly. Note, however, that if your installation uses smart card authentication, PIN pad interactions will be required to activate the slots again.
  • When restoring large backups from EJBCA versions prior to 6.6.0, after the restore and reboot EJBCA will not be available for some time due to the database schema change and the need to reindex. For a full database of a Model M, it takes about an hour to reindex the database. Once reindexed, an additional reboot is required.
  • For cluster backups taken on PKI Appliance versions 2.4 to 2.8: when restoring the first backup onto the 3.4.1 version, the cluster configuration will be deleted and requires manually adding the IP addresses of all the other nodes before proceeding with the cluster setup.
  • The Appliance version 3.4.1 does not support restoring backups of versions older than 2.4.0.

PIN Pad

  • While this release adds support for the new PIN pad (cyberJack one) and for Smart Card Authentication with more than one user authentication for PKCS#11 R2, the new PIN pad is supported neither for Smart Card Authentication on the legacy PKCS#11 R1 stack nor for Backup Key Shares on very old Appliance hardware versions (1.x).
  • In rare cases after rebooting the Appliance, the PIN pad is not detected correctly and the WebConfigurator (WebConf) Wizard displays the following message: "Please connect the PIN pad to the PKI Appliance before beginning the installation."

FIPS Restrictions Applied Mode

  • The FIPS restrictions applied mode is currently not available on Appliances of the second generation hardware version since it is not available on that HSM generation. Operation in FIPS mode will be added in future releases.
  • While smart card activated slots are supported with PKCS#11 R2, the FIPS restrictions applied mode is not.

Ethernet Ports

  • Due to a firmware limitation, the PKI Appliance only becomes reachable when both management and application Ethernet ports are successfully connected to a network.
  • Ethernet ports might not establish a link if the network cables have been connected after powering on the device.

PKI Appliance 3.4.0 Release Notes

The PrimeKey Appliance team is proud to announce the 3.4.0 release. This release brings major updates for EJBCA and SignServer. Besides that, another round of improvements under the hood of the PKI Appliance has been introduced.

Furthermore, with this release we are introducing basic IPv6 connectivity: services running on the Appliance can now be reached over IPv6.

New features

  • EJBCA Enterprise 7.2.1: Please check out the EJBCA 7.2.1 Release Notes.

  • SignServer 5.1.0.Final. To find out more about the release, refer to the SignServer 5.1 Release Notes.

  • IPv6 can be configured on the management and application interfaces through WebConf. After that, WebConf, EJBCA and SignServer will be available via IPv6.
    Please note that the following constraints apply to IPv6 connectivity:
    • IPv6 connectivity is optional and disabled by default.
    • Outgoing PeerConnectors cannot use IPv6.
    • Cluster connections over IPv6 are not implemented at the moment.
    • The initial installation of the Appliance has to be performed using IPv4; IPv6 addresses cannot be configured using the front display.
    • If SSH access is enabled and IPv6 is configured on the management interface, SSH access via IPv6 is possible (even using link local addressing).
    • HTTP connections through link local addresses are blocked by the firewall.

Changes

  • After upgrading to 3.4.0 (or higher) it is not possible to downgrade to versions lower than 3.4.0. If a downgrade is required, please contact support.
  • WebConf sessions are now tracked using a cookie, not using a URL parameter.
  • Feedback for smart card operations (e.g. change PIN) has been improved.

Known Issues and Limitations

  • While smart card activated slots are supported with PKCS#11 R2, "FIPS restrictions applied" mode is not.
  • When using smart card activated slots with PKCS#11 R2, the maximum number of users is one. This is due to a bug which we plan to fix. If you need more users, you can opt to install your Appliance with PKCS#11 R1 instead of R2.
  • When installing updates on a PKI Appliance running 3.2.0, make sure to unplug any USB sticks before performing the update.
  • When a single node is disconnected from the cluster, the local EJBCA instance will be temporarily unusable (EJBCA admin interface shows an error message).
    The problem remediates itself within 1 hour. A restart of EJBCA fixes it immediately, however if your installation uses smart card authentication, PIN pad interactions will be required to activate slots again.
  • When restoring large backups coming from EJBCA versions lower than 6.6.0, EJBCA will not be available for some time after the restore and reboot due to the database schema change and the need to re-index. For a full database of a Model M, it takes about an hour to re-index the database. After this, an additional reboot is required.
  • For cluster backups taken on versions 2.4 up to 2.8: when restoring the first backup onto version 3.4.0, the cluster configuration will be deleted and the IP addresses of all the other nodes must be added manually before proceeding with the cluster setup.
  • Version 3.4.0 does not support restoring backups of versions older than 2.4.0.
  • The 2nd generation hardware version offers four ethernet ports, but only two of them are usable at the moment. Support for the disabled ethernet ports will be added in future versions.
  • Due to a firmware limitation the PKI Appliance only becomes reachable when both management and application ethernet ports are successfully connected to a network.
  • Ethernet ports might not establish a link if the network cables have been connected after powering on the device.
  • "FIPS restrictions applied" mode is currently not available on appliances of the 2nd generation hardware version because it is not available on that HSM generation. Operation in FIPS mode will be added in future releases.

PKI Appliance 3.3.1 Release Notes

This is a maintenance release to 3.3.0.

New features

Known Issues and Limitations

  • Under certain circumstances, after restoring a backup, clicking "Continue with reboot" may return "SSL_ERROR_RX_RECORD_TOO_LONG" because the HTTP proxy is restarted incorrectly in between.
    There are two workarounds for this:
    1. Set your appliance's IP address to the same IP address as in the backup before starting the restore process.
    2. Ignore the "SSL_ERROR_RX_RECORD_TOO_LONG" error and reboot the appliance via front panel.
  • While smart card activated slots are supported with PKCS#11 R2, "FIPS restrictions applied" mode is not.
  • When using smart card activated slots with PKCS#11 R2, the maximum number of users is one. This is due to a bug which we plan to fix. If you need more users, you can opt to install your Appliance with PKCS#11 R1 instead of R2.
  • When installing updates on a PKI Appliance running 3.2.0, make sure to unplug any USB sticks before performing the update.
  • When a single node is disconnected from the cluster, the local EJBCA instance will be temporarily unusable (EJBCA admin interface shows an error message).
    The problem remediates itself within 1 hour. A restart of EJBCA fixes it immediately, however if your installation uses smart card authentication, PIN pad interactions will be required to activate slots again.
  • When restoring large backups coming from EJBCA versions lower than 6.6.0, EJBCA will not be available for some time after the restore and reboot due to the database schema change and the need to re-index. For a full database of a Model M, it takes about an hour to re-index the database. After this, an additional reboot is required.
  • For cluster backups taken on versions 2.4 up to 2.8: when restoring the first backup onto version 3.3.1, the cluster configuration will be deleted and the IP addresses of all the other nodes must be added manually before proceeding with the cluster setup.
  • Version 3.3.1 does not support restoring backups of versions older than 2.4.0.
  • The 2nd generation hardware version offers four ethernet ports, but only two of them are usable at the moment.
    Support for the disabled ethernet ports will be added in future versions.
  • Due to a firmware limitation the PKI Appliance only becomes reachable when both management and application ethernet ports are successfully connected to a network.
  • Ethernet ports might not establish a link if the network cables have been connected after powering on the device.
  • "FIPS restrictions applied" mode is currently not available on appliances of the 2nd generation hardware version because it is not available on that HSM
    generation. Operation in FIPS mode will be added in future releases.

PKI Appliance 3.3.0 Release Notes

This release brings a major update for EJBCA and SignServer. Besides that, another round of improvements under the hood of the PKI Appliance has been introduced. Runtime environments for EJBCA, SignServer and WebConf have been updated to Java 1.8 and WildFly 14.

Furthermore, with this release we are introducing a new PKCS#11 implementation to access the HSM. This will allow us to introduce further features and improvements related to the HSM integration in the future.

Below you can find the list of the most relevant changes.

New Features

  • EJBCA Enterprise 7.0.1.4: Please check out EJBCA 7.0.1 Release Notes.
  • SignServer 5.0.0: Find more information at SignServer 5.0 Release Notes.

  • Support for PKCS#11 R2. When updating an existing PKCS#11 R1 installation, it will keep using PKCS#11 R1. The same is true for restoring a backup from a PKCS#11 R1 setup. New installations with PKCS#11 R1 are still possible.
  • Support packages can now also be generated during the installation process.
  • WebConf offers a button to restart EJBCA and SignServer.

Changes and bug fixes

  • Updates: Java 1.8.0 and WildFly 14.
  • Additional checks for completeness of backups have been added.
  • In case of smart card activated slots with PKCS#11 R2: smart card interactions are retried on failure (e.g. wrong PIN) on a best-effort basis.
  • PKCS#11 R2: cluster key synchronization package restore does not delete keys, only adds missing keys and overwrites differing keys that have the same alias. To delete a key, it has to be manually deleted on all nodes.
  • Randomised passwords for the internal database.
  • Hardened TLS settings in Apache.
  • EJBCA and SignServer are executed as unprivileged user.
  • Improved robustness of cluster key synchronization package handling.
  • PeerConnector setup now supports DH key agreement.

Known Issues and Limitations

  • While smart card activated slots are supported with PKCS#11 R2, "FIPS restrictions applied" mode is not.
  • When using smart card activated slots with PKCS#11 R2, the maximum number of users is one. This is due to a bug which we plan to fix. If you need more users, you can opt to install your Appliance with PKCS#11 R1 instead of R2.
  • When installing updates on a PKI Appliance running 3.2.0, make sure to unplug any USB sticks before performing the update.
  • When a single node is disconnected from the cluster, the local EJBCA instance will be temporarily unusable (EJBCA admin interface shows an error message).
    The problem remediates itself within 1 hour. A restart of EJBCA fixes it immediately, however if your installation uses smart card authentication, PIN pad interactions will be required to activate slots again.
  • When restoring large backups coming from EJBCA versions lower than 6.6.0, EJBCA will not be available for some time after the restore and reboot due to the database schema change and the need to re-index. For a full database of a Model M, it takes about an hour to re-index the database. After this, an additional reboot is required.
  • For cluster backups taken on versions 2.4 up to 2.8: when restoring the first backup onto version 3.3.0, the cluster configuration will be deleted and the IP addresses of all the other nodes must be added manually before proceeding with the cluster setup.
  • Version 3.3.0 does not support restoring backups of versions older than 2.4.0.
  • The 2nd generation hardware version offers four ethernet ports, but only two of them are usable at the moment. Support for the disabled ethernet ports will be added in future versions.
  • Due to a firmware limitation the PKI Appliance only becomes reachable when both management and application ethernet ports are successfully connected to a network.
  • Ethernet ports might not establish a link if the network cables have been connected after powering on the device.
  • "FIPS restrictions applied" mode is currently not available on appliances of the 2nd generation hardware version because it is not available on that HSM generation. Operation in FIPS mode will be added in future releases.

PKI Appliance 3.2.2 Release Notes

This is a maintenance release to 3.2.1.

Below you can find the list of the most relevant changes.

New Feature

  • EJBCA Enterprise 6.15.0.3 - Please check out EJBCA release notes for further information.

Known Issues and Limitations

  • When installing updates on a PKI Appliance so far running 3.2.0, make sure to unplug any "update stick" aka "customer deploy" USB stick that could possibly still be plugged in. USB storage devices that have been used for creating backups can be left plugged in. You can remotely check for this:
    • SSH into Appliance
    • $ ssh vadm
    • $ blkid
    If the output of blkid lists two or more entries with the label "PrimeLFS", one or more customer deploy sticks are plugged in.
    If a customer deploy stick is left plugged in during the update, some configuration will be lost, including the timezone shown in WebConf and scheduled backups. The timezone settings for EJBCA and SignServer would be unaffected.
    When installing updates to an Appliance running 3.2.1 or higher this issue is fixed. This bug is independent of the update you are installing, and only depends on the version you are running before applying an update.
  • When restoring large backups coming from EJBCA versions lower than 6.6.0, EJBCA will not be available for some time after the restore and reboot due to the database schema change and the need to re-index. For a full database of a Model M, it takes about an hour to re-index the database. After this, an additional reboot is required.
  • For cluster backups taken on versions 2.4 up to 2.8: when restoring the first backup onto version 3.2.1, the cluster configuration will be deleted and the IP addresses of all the other nodes must be added manually before proceeding with the cluster setup.
  • Version 3.2.1 does not support restoring backups of versions older than 2.4.0.
  • The 2nd generation hardware version offers four ethernet ports, but only two of them are usable at the moment.
    Support for the disabled ethernet ports will be added in future versions.
  • Due to a firmware limitation the PKI Appliance only becomes reachable when both management and application ethernet ports are successfully connected to a network.
  • Ethernet ports might not establish a link if the network cables have been connected after powering on the device.
  • PeerConnector setup does not support DH key agreement. To set up a peer system, please switch to the RSA algorithm before adding the PeerConnector.
  • "FIPS restrictions applied" mode is currently not available on appliances of the 2nd generation hardware version because it is not available on that HSM generation. Operation in FIPS mode will be added in future releases.

PKI Appliance 3.2.1 Release Notes

This is a maintenance release to 3.2.0.

Below you can find the list of the most relevant changes.

Minor Tweaks and Bug Fixes

  • Fixed time zone issue when migrating from a version lower than 3.0.0. You can either restore your backup from 2.x directly on 3.2.1, or you can restore it on 3.2.0, then update to 3.2.1. In both cases you will regain the timezone settings from 2.x.
  • Fixed invalid backup path regex
  • Bugfixes around the update mechanism

Known Issues and Limitations

  • When installing updates on a PKI Appliance so far running 3.2.0, make sure to unplug any "update stick" aka "customer deploy" USB stick that could possibly still be plugged in. USB storage devices that have been used for creating backups can be left plugged in. You can remotely check for this:
    • SSH into Appliance
    • $ ssh vadm
    • $ blkid
    If the output of blkid lists two or more entries with the label "PrimeLFS", one or more customer deploy sticks are plugged in.
    If a customer deploy stick is left plugged in during the update, some configuration will be lost, including the timezone shown in WebConf and scheduled backups. The timezone settings for EJBCA and SignServer would be unaffected.
    When installing updates to an Appliance running 3.2.1 or higher this issue is fixed. This bug is independent of the update you are installing, and only depends on the version you are running before applying an update.
  • When restoring large backups coming from EJBCA versions lower than 6.6.0, EJBCA will not be available for some time after the restore and reboot due to the database schema change and the need to re-index. For a full database of a Model M, it takes about an hour to re-index the database. After this, an additional reboot is required.
  • For cluster backups taken on versions 2.4 up to 2.8: when restoring the first backup onto version 3.2.1, the cluster configuration will be deleted and the IP addresses of all the other nodes must be added manually before proceeding with the cluster setup.
  • Version 3.2.1 does not support restoring backups of versions older than 2.4.0.
  • The 2nd generation hardware version offers four ethernet ports, but only two of them are usable at the moment.
    Support for the disabled ethernet ports will be added in future versions.
  • Due to a firmware limitation the PKI Appliance only becomes reachable when both management and application ethernet ports are successfully connected to a network.
  • Ethernet ports might not establish a link if the network cables have been connected after powering on the device.
  • PeerConnector setup does not support DH key agreement. To set up a peer system, please switch to the RSA algorithm before adding the PeerConnector.
  • "FIPS restrictions applied" mode is currently not available on appliances of the 2nd generation hardware version because it is not available on that HSM generation. Operation in FIPS mode will be added in future releases.
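
The remote check described in the 3.2.2 and 3.2.1 known issues above, as an added shell example (not part of the original release notes and not PrimeKey tooling): it counts blkid entries labelled exactly "PrimeLFS" and flags two or more. The function names and the sample blkid output, including device names, UUIDs and filesystem types, are constructed for illustration.

```shell
#!/bin/sh
# Added example: interpret blkid output the way the release note describes.
# Two or more entries labelled "PrimeLFS" mean that at least one customer
# deploy stick is still plugged in.

# Constructed sample: appliance with only a backup USB device attached.
SAMPLE_CLEAN='/dev/sda1: LABEL="PrimeLFS" UUID="0a0a0a0a-0000-4000-8000-000000000001" TYPE="ext4"
/dev/sda2: UUID="0a0a0a0a-0000-4000-8000-000000000002" TYPE="swap"
/dev/sdb1: LABEL="BACKUP" UUID="1234-ABCD" TYPE="vfat" PARTLABEL="PrimeLFS"'

# Constructed sample: same appliance with a deploy stick on /dev/sdc1.
SAMPLE_STICK='/dev/sda1: LABEL="PrimeLFS" UUID="0a0a0a0a-0000-4000-8000-000000000001" TYPE="ext4"
/dev/sda2: UUID="0a0a0a0a-0000-4000-8000-000000000002" TYPE="swap"
/dev/sdb1: LABEL="BACKUP" UUID="1234-ABCD" TYPE="vfat" PARTLABEL="PrimeLFS"
/dev/sdc1: LABEL="PrimeLFS" UUID="0a0a0a0a-0000-4000-8000-000000000003" TYPE="ext4"'

# Reads blkid output on stdin and prints the number of entries whose
# filesystem label is exactly "PrimeLFS".
count_primelfs() {
    # The leading space keeps PARTLABEL="PrimeLFS" from matching and the
    # closing quote keeps longer labels from matching. grep -c exits 1 on
    # zero matches while still printing 0, hence "|| true".
    grep -c ' LABEL="PrimeLFS"' || true
}

# Reads blkid output on stdin. Succeeds (exit 0) when two or more PrimeLFS
# entries are listed, i.e. a customer deploy stick is plugged in.
deploy_stick_plugged_in() {
    n=$(count_primelfs)
    [ "$n" -ge 2 ]
}

# Demonstration on the constructed samples. On the appliance shell reached
# via the steps above, the equivalent is: blkid | deploy_stick_plugged_in
for sample in "$SAMPLE_CLEAN" "$SAMPLE_STICK"; do
    if printf '%s\n' "$sample" | deploy_stick_plugged_in; then
        echo "deploy stick plugged in: unplug it before installing the update"
    else
        echo "no deploy stick detected"
    fi
done
```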

PKI Appliance 3.2.0 Release Notes

This release brings new versions of EJBCA and SignServer to the PKI Appliance.

Furthermore, it provides a unified software stack for PKI and SignServer Appliances of 1st and 2nd generation, allowing mixed clusters of both hardware versions in one deployment.

This release allows migrating PKI and SignServer Appliance deployments with versions 2.4 up to 2.8 onto the 3.X software line and explicitly migrating to the new hardware generation.

Updating 1st generation hardware versions (software versions 2.4 to 2.8) is only possible by USB boot stick and requires restoring a backup afterwards. 2nd generation hardware versions (software versions 3.0 and 3.1) can be live-updated. See UpdateStickInstructions.txt, which also outlines a procedure for migrating clusters.

Below you can find the list of the most relevant changes, improvements and bug fixes.

New Features

  • EJBCA Enterprise 6.15.0.1 - Please check out EJBCA release notes for further information.
  • SignServer 4.4.0 - Please check out SignServer release notes for more details.
  • Now backups can also be stored to and restored from USB storage devices.
  • PKI Appliance firmware 3.2.0 can now be installed on all hardware versions.
  • Support for multiple syslog servers.
  • Client certificates used to authenticate on the application interface of the PKI Appliance can now be checked via a configurable OCSP responder.

Minor Tweaks and Bug Fixes

  • Fixed restoring backups taken on versions lower than 3.0.0.
  • Installation Wizard correctly checks if NTP server addresses are working before proceeding.
  • When booting, the PKI Appliance will now allow access as soon as all systems are up instead of waiting for a fixed amount of time.
  • EJBCA documentation in PublicWeb now working properly.

Known Issues and Limitations

  • When restoring large backups coming from EJBCA versions lower than 6.6.0, EJBCA will not be available for some time after the restore and reboot due to the database schema change and the need to re-index. For a full database of a Model M, it takes about an hour to re-index the database. After this, an additional reboot is required.
  • For cluster backups taken on versions 2.4 up to 2.8: when restoring the first backup onto version 3.2.0, the cluster configuration will be deleted and the IP addresses of all the other nodes must be added manually before proceeding with the cluster setup.
  • Version 3.2.0 does not support restoring backups of versions older than 2.4.0.
  • The 2nd generation hardware version offers four ethernet ports, but only two of them are usable at the moment.
    Support for the disabled ethernet ports will be added in future versions.
  • Due to a firmware limitation the PKI Appliance only becomes reachable when both management and application ethernet ports are successfully connected to a network.
  • Ethernet ports might not establish a link if the network cables have been connected after powering on the device.
  • PeerConnector setup does not support DH key agreement. To set up a peer system, please switch to the RSA algorithm before adding the PeerConnector.
  • "FIPS restrictions applied" mode is currently not available on appliances of the 2nd generation hardware version because it is not available on that HSM generation. Operation in FIPS mode will be added in future releases.

PKI Appliance 3.1.0 Release Notes

This maintenance release brings a new version of EJBCA and some minor improvements to the PKI Appliance. This software release is only relevant for customers with appliance hardware of the latest generation purchased after April 2018 or later. For customers operating PKI Appliances purchased earlier, software version 2.8 is the most recent one.

New Features

  • EJBCA Enterprise 6.13.0.2.

Minor Tweaks and Bug Fixes

  • EST available on PKI Appliance now

Known Issues and Limitations

  • Only two of the four available ethernet ports are usable at the moment. Support for the disabled ethernet ports will be added in future versions.
  • Due to a firmware limitation the appliance only becomes reachable when both ethernet ports are successfully connected to a switched network.
  • Ethernet ports might not establish the link if the network cables have not been connected before booting the device.
  • PeerConnector setup does not support DH key agreement. To set up a peer system, please switch to the RSA algorithm before adding the PeerConnector.
  • Backups taken with some special characters in SubjectDN might not be restorable without manually renaming the file.
  • PKI Appliance 3.1.0 firmware can only be installed on appliances of the latest generation (hardware version >= 2.0 required). Support for older hardware will be added in future releases.
  • Backups taken on version < 3.0.0 cannot be restored. Support to restore backups taken on previous versions will be added in future releases.
  • "FIPS restrictions applied" mode is not available for CryptoServer Se52. Operation in FIPS mode will be added in future releases.
  • It is not supported to set up a cluster with nodes running a mix of firmware version 2 and version 3.
  • EJBCA documentation link in EJBCA PublicWeb is not available.

PKI Appliance 3.0.0 Release Notes

This major release brings an overhauled technology stack for the PKI Appliance platform. Besides the updates of EJBCA and SignServer, the majority of components and services have been updated.

New Features

  • Support for hardware version 2
  • EJBCA Enterprise 6.11.1.1 - Please check out EJBCA release notes for more detailed information
  • SignServer 4.2.2 - Please check out SignServer release notes for more details

Improvements

  • PrimeLFS is now based on LFS 7.9 with updated components and services:
    • MariaDB to 10.2.13 and Galera provider 25.3.23
    • OpenSSL 1.0.2.n
    • Apache 2.4.29
  • Adjust quorum weights (127,126,125) for cluster nodes for graceful degradation of service
  • Improved "Force into Active" handling of cluster nodes
  • Improve database scalability by using database.useSeparateCertificateTable=true
  • Newly structured security/secrets page in the installation wizard

Security Patches

  • Mitigation for Meltdown, Spectre and zombie Dirty COW vulnerability
  • OpenSSL has been updated to 1.0.2
  • Apr-Util to 1.6.1
  • curl to 7.58.0

Known Issues and Limitations

  • Only two of the four available ethernet ports are usable at the moment.
    Support for the disabled ethernet ports will be added in future versions.
  • Due to a firmware limitation the appliance only becomes reachable when both ethernet ports are successfully connected to a switched network.
  • Ethernet ports might not establish the link if the network cables have not been connected before booting the device.
  • PKI Appliance 3.0.0 firmware can only be installed on appliances of the latest generation (hardware version >= 2.0 required). Support for older hardware will be added in a future version.
  • Backups taken on version < 3.0 cannot be restored. Support to restore backups taken on previous versions will be added in future releases.
  • "FIPS restrictions applied" mode is not available for CryptoServer Se52.
    Operation in FIPS mode will be added in a future version.
  • It is not possible to set up a cluster with nodes running a mix of firmware version 2 and version 3.

PKI Appliance 2.8.0 Release Notes

This release brings a new version of EJBCA and some minor improvements to the PKI Appliance.

New Features

  • EJBCA Enterprise 6.13.0 - Please check out EJBCA release notes for more details

Minor Tweaks and Bug Fixes

  • Small improvements in OpenJDK SunPKCS11 wrapper
  • HTTP Proxy has been extended to support EST
  • Node 2 and 3 in a cluster setup did not create a backup signing key. This is fixed now.

Known Issues and Limitations

  • In some cases after a successful cluster connect, the newly connected node needs to be rebooted to bring up the applications.
  • Setting up a peer connector fails when DHE is selected
  • PKI Appliance installations <= version 2.5.x with SignServer can only be updated to 2.7.0 or higher using our deploy system started from a USB stick. Please contact PrimeKey Support to obtain instructions for using the USB-based deploy system needed to perform the update.

PKI Appliance 2.7.2 Release Notes

This is a maintenance release to 2.7.1 which mainly brings new versions of EJBCA and SignServer to the PKI Appliance.

With the new EJBCA version custom certificate extensions for CV certificates are available. There are also improvements on CT logs.

SignServer comes with support for one click certificate renewals from within EJBCA.

New Features:

  • EJBCA Enterprise 6.10.1.2 - Please check out EJBCA release notes for more detailed information
  • SignServer 4.2.0 - Please check out SignServer release notes for more details

Minor tweaks and bug fixes:

  • TimeMonitor was not active after restoring from an old backup (<= 2.5.1)
  • In some cases of improper shutdown some configuration was lost. This is fixed now.
  • 2-node cluster setup now possible without errors on restore from old versions
  • Improved error reporting for JBoss

Known Issues and Limitations:

  • Setting up a peer connector fails when DHE is selected

PKI Appliance 2.7.1 Release Notes

This is a maintenance release to 2.7.0 which brings new versions of EJBCA and SignServer to the PKI Appliance.

With the new EJBCA version, CAA validator is now available on PKI Appliance.

SignServer comes with improvements on Time-stamping and PDF Signing.

New Features:

  • EJBCA Enterprise 6.9.1 - Please check out EJBCA release notes for more details
  • SignServer 4.1.1 - Please check out SignServer release notes for more details

Minor tweaks and bug fixes:

  • Support of external Management CA was broken in 2.7.0

Known Issues and Limitations:

  • Setting up a peer connector fails when DHE is selected

PKI Appliance 2.7.0 Release Notes

This release brings new versions of EJBCA and SignServer to the PKI Appliance.

EJBCA comes with a lot of improvements to Roles and Rules.

SignServer now has large file support and can also be managed through web administration.

New Features:

  • EJBCA Enterprise 6.8.0 - Please check out EJBCA release notes for more details
  • SignServer 4.1.0 - Please check out SignServer release notes for more details

Improvements:

  • Improvements on cluster connect
  • Improvements in WebConf
  • New JBoss version
  • Improved audit logging of time adjustments

Security Patches:

  • Updated OpenSSL to version 1.0.2k
  • Updated OpenSSH to version 7.4p1
  • Updated ntpd to version 4.2.8p0
  • Updated Apache to version 2.4.25

Minor tweaks and bug fixes:

  • Missing brainpool algorithms now available on crypto token
  • Correct CPU temperature shown in WebConf

Known Issues and Limitations:

  • In some cases, after a successful cluster connect, the newly connected node must be rebooted to bring up the applications.
  • Under some circumstances, appliance cluster nodes might fail to synchronize into a consistent state after they have been disconnected. For that reason, we recommend performing a factory reset on all nodes that have been disconnected from the cluster and performing a full-state transfer.
  • PKI Appliance installations <= version 2.5.x with SignServer can only be updated to 2.7.0 utilizing our deploy system started from a USB stick. Please contact PrimeKey Support for obtaining instructions for the usage of the USB based deploy system needed to perform the update.

PKI Appliance 2.6.1 Release Notes

This release is a maintenance release to 2.6.0. It brings some improvements, bug fixes and EJBCA version 6.7.0.

Improvements:

  • Backups are additionally signed
  • WebConf Wizard GUI adjustments
  • Autocomplete in password fields has been disabled
  • Adjustments for maintenance and support packages
  • Improvements on cluster connect
  • Renamed button 'Force into Primary' into 'Force into Active' in WebConf
  • Block access to EJBCA enroll pages over plain HTTP
  • PKI Appliance model is now shown in display

Security Patches:

  • CVE-2016-3092 updated to commons-fileupload-1.3.2.jar

Minor tweaks and bug fixes:

  • Several typos have been corrected
  • HSM AuditLog is now configured/cleared when installing in FIPS mode
  • Clear error message in WebConf when updating to an unsupported version
  • Removed all setuid bits on binaries in underlying PrimeLFS
  • EJBCA advanced access rules page works with many profiles now due to adjusted JBoss configuration

Known Issues and Limitations:

Due to the low-level changes mentioned for the previous version and the complete migration to PrimeLFS, the current (<=2.5.0) PKI Appliance update mechanism implemented in WebConf does not support 2.6.x packages. This means that already installed PKI Appliances can only be updated utilizing our deploy system started from a USB stick.
As this operation wipes all data stored on the appliance, a current backup of the system is required to perform the update and to restore the operation. PKI Appliance firmware 2.6.x can restore backup files taken from versions >=2.4.0.
Updates of cluster setups can be performed as rolling updates maintaining the availability of the system.
Please contact our support for obtaining instructions for the usage of the USB based deploy system needed to perform the update.

PKI Appliance version 2.6.1 does not support SignServer at the moment. This means that a PKI Appliance with activated SignServer will lose the SignServer functionality after the update. This will be fixed in the 2.6.2 release where the latest SignServer will be added.

Under some circumstances, appliance cluster nodes might fail to synchronize into a consistent state after they have been disconnected. For that reason, we recommend performing a factory reset on all nodes that have been disconnected from the cluster and performing a full-state transfer.

PKI Appliance 2.6.0 Release Notes

This release brings a broad range of new features, improvements and changes under the hood of the PKI Appliance. To name some of the most important changes:
EJBCA 6.6 is finally available on the PKI Appliance; we have improved the handling of error states by introducing the maintenance state; and we have simplified debugging by adding the option to obtain support packages containing all relevant log files.

Although not visible to the end user, the internals of the PKI Appliance have been significantly reworked and all used virtual machines are now based on PrimeLFS, our hardened Linux system. The migration to PrimeLFS improves the maintainability of the appliance infrastructure and the security of the overall system.

New features:

  • EJBCA 6.6.2 - Please check out EJBCA release notes for more details
  • WebConf audit log available in syslog
  • The PKI Appliance can automatically detect some specific error states and sets itself into maintenance state providing a clear error message
  • Automatic log collection on detected errors
  • WebConf can create support packages which contain all relevant logs and can be obtained by a simple download

Improvements:

  • Improved WebConf structure by introducing two level menus
  • Improved TLS configuration in WebConf
  • SuperAdmin enrolment supports CSR and PKCS#12 beside legacy browser enrollment (keygen)
  • HSM Keepalive Service is now reliably triggered on all cluster nodes
  • The internal PKCS#11 interface (p11proxy) is updated and now has support for symmetric encryption and unwrapping

Security Patches:

  • Updated OpenSSL to 1.0.2j
  • CVE-2016-4300 libarchive is updated to 3.2.2
  • CVE-2016-6313 GnuPG/Libgcrypt is updated to 1.7.3
  • CVE-2016-5195 also known as DirtyCOW has been patched
  • Removed: ‘List backups’ and ‘Search now’ in update could leak an internal directory listing of the PKI Appliance

Minor tweaks and bug fixes:

  • Support for Management CA with SHA384withRSA
  • Better default Management CA key specs options
  • PIN settings in WebConf now part of the ‘Key Synchronisation Package’
  • Extended validity of initial Management CA
  • Display shows sha256 fingerprint of the used TLS certificate
  • Prevent self-lock out of the administrator of WebConf by deleting the trusted CA
  • Re-added logrotate for all non rsyslogd handled log files
  • WebConf file uploads now use the correct filter pattern
  • Avm server log now limited in size
  • Removed the reoccurring XmlRpcClientException from the log
  • Fixed internal time setting with ntpd, all VMs follow the NTP server now
  • Fixed bug in restore process which rejected backups of older PKI Appliances which were created on newer ones
  • Wizard prevents setting ‘Slot Smart Card Activation’ and ‘FIPS restrictions’ applied at the same time
  • Added standard Linux file system integrity check on all volumes

Known Issues and Limitations:

Due to the aforementioned low-level changes and the complete migration to PrimeLFS, the current (<=2.5.0) PKI Appliance update mechanism implemented in WebConf does not support 2.6.0 packages. This means that already installed PKI Appliances can only be updated utilising our deploy system started from a USB stick.

As this operation wipes all data stored on the appliance, a current backup of the system is required to perform the update and to restore the operation. PKI Appliance firmware 2.6.0 can restore backup files taken from versions >=2.4.0.
Updates of cluster setups can be performed as rolling updates maintaining the availability of the system.
Please contact our support for obtaining instructions for the usage of the USB based deploy system needed to perform the update.

PKI Appliance version 2.6.0 does not support SignServer at the moment. This means that a PKI Appliance with activated SignServer will lose the SignServer functionality after the update. This will be fixed in the 2.6.2 release where the latest SignServer will be added.

Under some circumstances, appliance cluster nodes might fail to synchronize into a consistent state after they have been disconnected. For that reason, we recommend performing a factory reset on all nodes that have been disconnected from the cluster and performing a full-state transfer.

PKI Appliance 2.5.0 Release Notes

This is a feature release which mainly brings a new version of EJBCA and (optional) SignServer.

PKI Appliance Platform

Improvements:

  • Updated documentation.
  • Updated HSM firmware.

Security Patches:

  • OpenSSL has been updated to 1.0.2g.

Note:

  • From this version on, the update archives are encrypted and signed. The update mechanism automatically checks the signatures, decrypts the archives and updates the system, so the update procedure workflow is unchanged from the user's perspective.

EJBCA Enterprise 6.5.0.2

New Features:

  • Certificate profiles can now be set to restrict key algorithms, curves (for EC) and key length.
  • The CSCA "CA Name Change" feature from ICAO 9303 7th part 12 has been implemented.
  • Auditor default role has been given access to additional pages in the UI.
  • OCSP responder can now cache the revocation status of client certificates (used to sign requests) for limited time periods.
  • CMP Proxy now checks for message signatures, HMAC and checks revocation status for signing certificates, relieving the CA of handling unauthorized messages.
  • CT logs can now be submitted to log servers in parallel.

Improvements:

  • The underlying BouncyCastle library has been upgraded to version 1.54
  • All return and error codes from the CMP servlet have been documented.

Security Patches:

  • Removed a possible XML exploit from the administration web.
  • Deserialization has been significantly hardened.
  • Fixed a possible information leakage in the administrative web in regards to certificate and end entity profiles.

SignServer Enterprise 3.7.3 Add-On (Optional)

New Features:

  • Fully automatic renewal service requesting certificates from EJBCA

Improvements:

  • Possibility to specify options for the generated certificate (Android)

Known Issues and Limitations

  • With FIPS module loaded into the HSM, smart card based slot activation is disabled.
  • EJBCA approval notifications do not contain any relevant information.
  • Time and date shown in EJBCA/SignServer and WebConf might differ due to incorrect daylight saving time calculation.

Important Notes

  • Starting with 2.4.0, when updating from an older version the update process will remove all incompatible configuration files and overwrite them with new defaults. Due to this, all custom configuration changes (e.g. iptables rules, Apache vhosts) that might have been applied to the system will be overridden.
  • Please follow the documentation to update your system. Should you plan to update a system running a version < 2.2.0, please contact PrimeKey Support or your local PrimeKey partner.
  • After the update to version 2.4.0 or higher the system will stop accepting backups created on a system with a version < 2.2.0.
  • The firmware of the HSM is only updated during a fresh installation or restore from a backup. To enforce this update on an existing installation it is required to backup the PKI Appliance, perform the update, reset it to factory defaults and restore the backup.

PKI Appliance 2.4.1 Release Notes

This is a maintenance release including a few new features, security patches, bug fixes and small improvements. We recommend the installation of this update as it contains several important security patches.

PKI Appliance Platform

New Features:

  • WebConf: Support for loading of multiple trust stores used for user authentication. Registered users can now authenticate with certificates issued by different CAs.

Improvements:

  • Extended logging especially for backup/restore operations and cluster configuration.
  • WebConf: WebConf now requires confirmation of authentication codes for PKCS#11 slots during the installation process.
  • Updated documentation.

Solved Issues:

  • WebConf: In the past, WebConf accepted only certificates from a root CA as authentication trust stores. This issue has been solved and WebConf now expects root certificates or a full certificate chain as a PEM file in the TLS trust store configuration dialog.

Security Patches:

  • CVE-2015-6924: A vulnerability which allowed the extraction of secret EC keys from the HSM by an authenticated HSM user (PKCS#11 Slot Authentication Code) has been fixed by updating the EC firmware module of the HSM to the latest version.
  • CVE-2016-0777 aka Triple-Seven: SSH Client has been patched to version 7.1p2
  • PKI Appliance Platform: Syslog output (which might be written to a remote syslog server) contained the Domain Master Secret. This problem has been resolved by removing the secret from the log output.

Important Note: The firmware of the HSM is only updated during a fresh installation or restore from a backup. To enforce this update on an existing installation it is required to backup the PKI Appliance, perform the update, reset it to factory defaults and restore the backup.

EJBCA Enterprise 6.4.2

  • Improvement: The Auditor Role has been extended, and now has read access to authorized End Entities, Roles and configurations.
  • Bug: A backport introduced in 6.4.1 broke the Certificate Transparency configuration page.
  • Bug: PKCS#11 crypto token page was incorrectly formatted
  • Improvement: X-Forwarded-For is now logged if present in OCSP requests

SignServer Enterprise 3.7.1 Add-On (Optional)

New Features and Improvements:

  • Java code signing (including Android).
  • Various Administration GUI improvements.

Bug fixes:

  • Security issue in Commons Collections library.
  • Regression: Renewing keys for multiple workers at once did not fully work in the Administration GUI.
  • Bin folder could not be put in the PATH environment variable.
  • Username/password not accepted if client certificate presented.
  • The FirstActiveDispatcher was logging using the dispatchees fields.
  • 24 other bug fixes.

Known Issues and Limitations

  • Available storage capacity for the S model might be displayed incorrectly.
  • With FIPS module loaded into the HSM, smart card based slot activation won't work.
  • EJBCA approval notifications do not contain any relevant information.

Important Notes

  • Starting with 2.4.0, when updating from an older version the update process will remove all incompatible configuration files and overwrite them with new defaults. Due to this, all custom configuration changes (e.g. iptables rules, Apache vhosts) that might have been applied to the system will be overridden.
  • Please follow the documentation to update your system. Should you plan to update a system running a version < 2.2.0, please contact PrimeKey Support or your local PrimeKey partner.
  • After the update to version 2.4.0 or higher the system will stop accepting backups created on a system with a version < 2.2.0.

PKI Appliance 2.4.0 Release Notes

This is a feature release which introduces several new functionalities and improvements and restructures the appliances portfolio offered by PrimeKey by introducing new models. From this release on PrimeKey will offer the PKI Appliance in three different models, addressing different needs depending on the use cases. Check the updated product sheet for the specification of the new appliance models.

Appliance Platform

New Features:

  • Introduction of new PKI Appliance models S, M, L.
    Details are available in the product sheet.
  • Option to load FIPS firmware module into the HSM to enforce FIPS Restrictions.
  • Support for signed and encrypted firmware and application software packages. All future updates will be signed and encrypted.
  • Improved SSH/console password and key handling. WebConfigurator now supports the option to set the SSH password or upload an SSH key for authentication. Console access can be enabled and disabled.

Improvements:

  • Improved RAID status information in WebConfigurator.
  • Updated firewall rules.
  • Notification for running background jobs.
  • Clearer error messages and explanation of error codes.
  • NTPd has been updated to 4.2.8p4.
  • Syslog appender format has been adjusted.
  • Apache Proxy has been updated to 2.4.16.
  • SSHd has been updated to 7.1p1.

Solved Issues:

  • In the past, the connection from EJBCA to the HSM could expire after an idle period of a few days. The result was that EJBCA was unavailable as it could not write to the audit log. This problem has been addressed by activating the HSM Keep Alive service in EJBCA by default.
  • When one node of a 2-node cluster was disconnected, the other might also become unavailable until it was forced into primary from the WebConfigurator web GUI. EJBCA might remain unavailable after this operation, and the only workaround was to restart the JBoss application server using the console. This issue has been resolved by an automatic application server restart after forcing the node into primary mode.

Security Patches

  • commons-collections library has been removed as preventive security measure.

EJBCA Enterprise 6.4.0

  • Improved policy enforcement. Granular control has been added to DN and SAN elements in End Entity Profiles. Entered values can be controlled using regular expressions.
  • New features that make audits and regulatory compliance even easier. Most of the UI has been given read-only rights, and a new role template (named Auditor) can be created and built upon to allow an auditor to view but not modify.
  • Further extending run-time flexibility, Custom Certificate Extensions and Extended Key Usages can now be added on the fly from the UI.

SignServer Enterprise 3.7.0 Add-On (Optional)

  • Individual keys and certificates (including CLI/GUI for managing those in a token).
  • Batch signing support in the client CLI.
  • Password prompts in the client CLI.
  • Initial support for building using Maven.
  • Improved logging options in PlainSigner and MSAuthCodeSigner.
  • Various GUI improvements.
  • For more details please check SignServer 3.7.0 release notes.

Known Issues and Limitations

  • Available storage capacity for the S model might be displayed incorrectly.
  • With FIPS module loaded into the HSM, smart card based slot activation won't work anymore.
  • EJBCA approval notifications do not contain any relevant information.
  • WebConfigurator accepts only self-signed CAs as TLS truststore.

Important Notes

  • This update will remove all incompatible configuration files and overwrite them with new defaults. Due to this, all custom configuration changes (e.g. iptables rules, Apache vhosts) that might have been applied to the system will be overridden.
  • Please follow the documentation to update your system. Should you plan to update a system running a version < 2.2.0, please contact PrimeKey Support or your local PrimeKey partner.
  • After the update to 2.4.0 the system will stop accepting backups created on a system with a version < 2.2.0.

PKI Appliance 2.3.3 Release Notes

This is a maintenance release which resolves an issue which might prevent reactivation of a 2 node cluster after a node failure.

Appliance Platform

Bug: When one node of a 2-node cluster was disconnected, the other might also become unavailable until it was forced into primary from the WebConf web GUI. EJBCA might remain unavailable after this operation, and the only workaround was to restart the JBoss application server using the console. This issue has been resolved by an automatic application server restart after forcing the node into primary mode.

Note: Please follow the documentation to update your system. Should you plan to update a system running a version < 2.2.0, please contact PrimeKey Support or your local PrimeKey partner.

PKI Appliance 2.3.2 Release Notes

This is a maintenance release which resolves an issue which might cause an HSM connection timeout.

Appliance Platform

Improvements: HSMKeepAlive service activated per default

Note: Please follow the documentation to update your system. Should you plan to update a system running a version < 2.2.0, please contact PrimeKey Support or your local PrimeKey partner.

PKI Appliance 2.3.1 Release Notes

This is a maintenance release which resolves several issues on the platform and application side (EJBCA).

Appliance Platform

Improvements:

  • Extended documentation
  • WebConf help section has much better contrast now
  • Apply Content Security Policy in the HTTP Proxy configuration enforcing that every web page loaded from the PKI Appliance only uses resources from the same appliance.

Bug Fixes:

  • Preventing AVM library from flooding /tmp and hitting tmpfs inode limits
  • Timezone information is now passed properly into EJBCA/SignServer Java environment

EJBCA Enterprise 6.3.2.1

New Features:

  • CA certificate rollover via SCEP has been implemented in accordance to draft-nourse-scep-23.
  • Added a working default configuration for Self Registration in EJBCA to cos-ejbca

Bug Fixes:

  • CRLDownloadService can handle CRLs with multiple updates of a revoked entry

Note: Please follow the documentation to update your system. Should you plan to update a system running a version older than 2.2.0, please contact PrimeKey Support or your local PrimeKey partner.

PKI Appliance 2.3.0 Release Notes

The following is a selection of the most noteworthy changes within this feature release.

Appliance Platform

New Features:

  • Extended SNMP interface (cluster status, DB Disk Usage, EJBCA/SignServer health)
  • Integrated Mail Relay for sending out mail notifications (EJBCA)
  • Possibility to disable the otherwise mandatory audit log

Improvements:

  • Better security defaults (SSH disabled by default, smart cards required per default)
  • Network security improvements
  • Improved cluster handling and monitoring in WebConf
  • Extended documentation

Bug Fixes:

  • Several minor WebGUI bugs have been fixed
  • Preventing that the WebGUI becomes unreachable after a period of 50 days of inactivity

EJBCA Enterprise 6.3.1

  • Now possible to create CAs and issue End Entity certificates through the Web Service API
  • SCEP Client Certificate Renewal
  • Web Service API calls for monitoring certificate expiration
  • Single Active Certificate Constraint has been added to Certificate Profiles, allowing for automatic revocation of old certificates, as new ones are issued
  • For more details please check EJBCA 6.3.1 release notes

SignServer Enterprise 3.6.3 Add-On (Optional)

  • Authenticode signer for portable executables (code signing)
  • CSCA Master List signer (for ePassports)
  • Signer that produces plain signatures
  • Configurable maximum upload limit
  • For more details please check SignServer 3.6.3 release notes

Note: Please follow the documentation to update your system. Should you plan to update a system running a version older than 2.2.0, please contact PrimeKey Support or your local PrimeKey partner for support.

PKI Appliance 2.2.0 Release Notes

This release introduces a lot of new functionality and includes EJBCA Enterprise 6.3, which brings, among other improvements, the new Peer System protocol. Furthermore, there are several improvements in the platform infrastructure which improve handling of firmware and application updates and enable the support for smart card protection for CryptoTokens.

The following are a selection of the most noteworthy changes within this feature release.

New Features

  • EJBCA 6.3.0 including support for EJBCA Peer System protocol
  • Optional SignServer Enterprise 3.6.2 including TimeMonitor and TSA functionality
  • Smart card protection for CryptoTokens
  • Enhanced update functionality allowing firmware and application updates via web interface

Improvements

  • Front display with extended configuration options
  • Improved online help
  • Several bug fixes

Note: As this version introduces several low-level changes within the internal appliance infrastructure, an update from an older version requires a reset/reinitialization of the PKI Appliance followed by a restore from a backup created beforehand. Please contact our support for further assistance if you want to update your PKI Appliance to this version.

PKI Appliance 2.1.1 Release Notes

This is a maintenance release which mainly addresses some recently discovered vulnerabilities of components which are used within the appliance infrastructure:

  • Fix for bash vulnerability (Shellshock)
  • Disabled support for SSLv3 to address an SSL vulnerability (POODLE)
  • Fix for a problem that might prevent restoration of backups which were protected by soft tokens.

PKI Appliance 2.1.0 Release Notes

The following are a selection of the most noteworthy changes within this maintenance release.

New Features

  • EJBCA 6.2.0.
  • Support for operation as standalone VA based on CRLs.
  • Support for SCEP configuration over web interface.
  • SNMP support.

Improvements

  • Improved fault tolerance in the installation procedure.
  • Improved HSM Alarm handling.

PKI Appliance 2.0.0 Release Notes

The following are a selection of the most noteworthy changes within this major release.

New Features

  • High Availability and Load Balancing Cluster support (2- or 3-nodes setup).
  • Update to EJBCA 6.1.1.
  • SignServer integration (SignServer 3.5.0).
  • Responsive WebConf Design.
  • Log Export to Remote Syslog Server.
  • NTP Support.

Improvements

  • Improved system stability and robustness.
  • Improved Network Configuration.

Fixes

  • OpenSSL update fixes the Heartbleed vulnerability.

PKI Appliance 1.2.1 Release Notes

The following are a selection of the most noteworthy changes within this maintenance release.

Improvements

  • Improved documentation and online user guidance.
  • Scheduled backup now includes all configuration files.
  • Improved fault tolerance during the installation procedure.