Release Notes Summary
The following lists release notes for all Hardware Appliance versions released.
Hardware Appliance 3.9.8
OCTOBER 2022
Hardware Appliance 3.9.8 was an internal release, not generally available for customers.
Hardware Appliance 3.9.7 Release Notes
SEPTEMBER 2022
New versions of EJBCA Enterprise and SignServer Enterprise
EJBCA Enterprise 7.10.0.1
Updated version of EJBCA Enterprise, see the EJBCA Release Notes.
SignServer Enterprise 5.10
Updated version of SignServer Enterprise, see the SignServer Release Notes.
New Features and Improvements
The following lists new features and improvements included in the release.
- PKCS#11 migration from R1 to R2 with Smart Card Authentication is now available (MONT-3030)
- Installation history is written as of version 3.9.7 (MONT-1032)
- Default TLS key size is now 4k (MONT-2444)
Bug Fixes
- Graceful shutdown of node 1 in a 2-node cluster makes node 2 unresponsive (MONT-3179)
- Administrators authenticated with slot authentication code only on a smart card protected slot can delete Crypto Token keys (MONT-3621)
- SignServer now has sufficient disk space (MONT-3610)
- In some cases, pinpad_lock file disappeared (MONT-2972)
Known Issues
- CN field twice in End Entity profiles (MONT-3640)
- CA/VA setup: Internal Key Binding default Protocol and Cipher Suite not working (MONT-3638)
- Changing IPv4 address in a cluster might lead to IPv6 address disappearing (MONT-3626)
- Updating a cluster node > node1 might lead to IPv6 address disappearing (MONT-3625)
Hardware Appliance 3.9.6 Release Notes
JUNE 2022
New versions of EJBCA Enterprise and SignServer Enterprise
EJBCA Enterprise 7.9.1
Updated version of EJBCA Enterprise, see the EJBCA Release Notes.
SignServer Enterprise 5.9.1
Updated version of SignServer Enterprise, see the SignServer Release Notes.
Hardware Appliance 3.9.5 Release Notes
APRIL 2022
New versions of EJBCA Enterprise and SignServer Enterprise
EJBCA Enterprise 7.9.0
Updated version of EJBCA Enterprise, see the EJBCA Release Notes.
SignServer Enterprise 5.9.0
Updated version of SignServer Enterprise, see the SignServer Release Notes.
Link Bonding (LACP) Support
For the current generation of hardware, the additional network interface ports can now be used for Link Bonding (LACP).
The following lists new features and improvements included in the release.
- The third-party library OpenSSL has been updated/patched to not be vulnerable to CVE-2022-0778 (MONT-3482).
- Link Bonding/LACP (MONT-3106, MONT-3438).
- Since the "legacy" EndEntity enrollment method <keygen> has been removed from browsers and EJBCA alike, the Appliance WebConf does not offer this method anymore (MONT-3511).
- WebConf will no longer suggest a filename with a ':' character for a file to download by the browser (Cluster KSP) and thus the browser no longer needs to substitute this with a space char (MONT-3489).
- EJBCA OCSP Audit and transaction logging will now also be forwarded to syslog (MONT-3440).
- A built-in timeout has been increased to be more patient when creating big/slow key sizes on slow HSMs (MONT-3412).
- Since all new installations are now with P11R2 by default, the HSM KeepAlive Service in EJBCA is no longer created by default (MONT-3330).
- In some situations, an EJBCA instance would previously not resume automatically after a short network interruption to the rest of the cluster. This issue has now been resolved (MONT-3326 and MONT-2589).
Hardware Appliance 3.9.4
Hardware Appliance 3.9.4 was an internal release, not generally available for customers.
Hardware Appliance 3.9.3 Release Notes
DECEMBER 2021
New versions of EJBCA Enterprise and SignServer Enterprise
EJBCA Enterprise 7.8.1
Updated version of EJBCA Enterprise, see the EJBCA 7.8.1 Release Notes.
SignServer Enterprise 5.8.1
Updated version of SignServer Enterprise, see the SignServer Release Notes.
Phasing out support for Utimaco PKCS#11 R1
We are starting to phase out support for the legacy PKCS#11 Utimaco R1 stack. P11R1 is still available when restoring from backup and when connecting to a cluster, but will not be offered for new installations going forward. If you still need to set up new installations with P11R1, please contact PrimeKey support for assistance.
We recommend upgrading and migrating your installation to P11R2. When restoring a backup of an installation still running P11R1, the Hardware Appliance Web Configuration Wizard provides options to migrate over your data to P11R2. For more information, see Migrating the HSM Key Material from PKCS#11 R1 to PKCS#11 R2.
Hardware Appliance 3.9.2 Release Notes
NOVEMBER 2021
Security Issue
This maintenance release resolves a security issue when using smart cards to additionally secure key material in PKCS#11 R2 mode.
Hardware Appliance 3.9.1 Release Notes
OCTOBER 2021
The PrimeKey Appliance team is pleased to announce the release of the EJBCA Hardware Appliance and SignServer Hardware Appliance version 3.9.1.
New versions of EJBCA Enterprise and SignServer Enterprise
EJBCA Enterprise 7.8.0.1
Updated version of EJBCA Enterprise, see EJBCA 7.8 Release Notes.
SignServer Enterprise 5.8.0.2
Updated version of SignServer Enterprise, see SignServer 5.8 Release Notes.
Upgrade Information
Note that as of 3.9.0, the application server WildFly has been updated to version 24 and thus the stock standalone.xml configuration file has changed. If you have manually altered this configuration file, additional manual file edits will be required to either re-apply the required changes to the new version of the file or merge the configuration file updates into your altered standalone.xml file.
Hardware Appliance 3.9.0 Release Notes
JULY 2021
The PrimeKey Appliance team is pleased to announce the release of the EJBCA Hardware Appliance and SignServer Hardware Appliance version 3.9.0.
New versions of EJBCA Enterprise and SignServer Enterprise
EJBCA Enterprise 7.7
Updated version of EJBCA Enterprise, see EJBCA 7.7 Release Notes.
SignServer Enterprise 5.7
Updated version of SignServer Enterprise, see SignServer 5.7 Release Notes.
Hardware Appliance 3.8.0 Release Notes
JULY 2021
The PrimeKey Appliance team is pleased to announce the release of the EJBCA Hardware Appliance and SignServer Hardware Appliance version 3.8.0.
Loaded FIPS-certified HSM Firmware Module
We have added support for operating the Hardware Appliance (current hardware versions) with the FIPS-certified HSM firmware module loaded, and you can now migrate your Appliance environment from non-FIPS to FIPS mode.
New version of EJBCA Enterprise
EJBCA Enterprise 7.6.0
Updated version of EJBCA Enterprise, see EJBCA 7.6 Release Notes.
Hardware Appliance 3.7.1 Release Notes
The PrimeKey Appliance team is pleased to announce the release of the EJBCA Hardware Appliance and SignServer Hardware Appliance version 3.7.1.
New versions of EJBCA Enterprise and SignServer Enterprise
EJBCA Enterprise 7.5.0.1
Updated version of EJBCA Enterprise, see EJBCA 7.5 Release Notes.
SignServer Enterprise 5.6.1
Updated version of SignServer Enterprise, see SignServer 5.6.1 Release Notes.
Hardware Appliance 3.6.0 Release Notes
This release implements a migration process that allows you to migrate your HSM key material from PKCS#11 R1 to PKCS#11 R2.
Migrating the HSM Key Material from PKCS#11 R1 to PKCS#11 R2
The Hardware Appliance supports the Hardware Security Module (HSM) PKCS#11 stack versions PKCS#11 R1 and PKCS#11 R2. Since the vendor of the HSM has deprecated PKCS#11 R1, we now provide a migration process implemented as a restore migration.
Note that the migration process is implemented in preparation for phasing out PKCS#11 R1 support; since the Hardware Appliance still supports PKCS#11 R1, the migration is not mandatory. The currently implemented migration process does not cover the installation scenarios Smart Card Authentication (SCA) or 1.x generation hardware installations with the FIPS module loaded into the HSM.
For more information on the migration option, see Restore System from Backup. For customers with a valid support contract (and support portal access), refer to migration information available on the PrimeKey Support Portal.
Hardware Appliance 3.5.8 Release Notes
This maintenance release of EJBCA Hardware Appliance and SignServer Hardware Appliance version 3.5.8 delivers EJBCA Enterprise 7.4.3.3 and SignServer 5.6.
New versions of EJBCA Enterprise and SignServer Enterprise
EJBCA Enterprise 7.4.3.3
Updated version of EJBCA Enterprise, see EJBCA 7.4.3.3 Release Notes.
SignServer Enterprise 5.6.0
Updated version of SignServer Enterprise.
SignServer 5.6.0 introduces support for request prioritization and authenticode resigning, see SignServer 5.6 Release Notes.
Hardware Appliance 3.5.7 Release Notes
New version of EJBCA Enterprise
EJBCA Enterprise 7.4.3.2
Updated version of EJBCA Enterprise, see the EJBCA Release Notes.
New Features and Improvements
The following lists improvements included in the release.
- The issue with the USB connected PIN pad reader not responding after reboot on Appliance Hardware version 1.x has been resolved.
Hardware Appliance 3.5.6 Release Notes
This maintenance release of EJBCA Hardware Appliance and SignServer Hardware Appliance version 3.5.6 delivers EJBCA Enterprise 7.4.3.1.
New version of EJBCA Enterprise
Updated version of EJBCA Enterprise 7.4.3.1.
Hardware Appliance 3.5.5 Release Notes
The PrimeKey Appliance team is pleased to announce the release of the EJBCA Hardware Appliance and SignServer Hardware Appliance version 3.5.5.
The release brings a new updated version of EJBCA Enterprise.
New version of EJBCA Enterprise
EJBCA Enterprise 7.4.3
Updated version of EJBCA Enterprise, see the EJBCA Release Notes.
New Features and Improvements
The following lists new features and improvements included in the release.
- Clustering is not restricted on the latest EJBCA Hardware Appliance 2020 model Small (S), only on the model Extra Small (XS). For more information on the EJBCA Hardware Appliance Models, see Model Specifications.
- It is now possible to specify a Hostname (domain name) that begins with digits in the WebConf installation wizard when configuring the Network settings. For more information on the WebConf installation wizard, see Running WebConf Wizard.
- An issue with SNMP database monitoring returning incorrect output has been resolved.
Hardware Appliance 3.5.4 Release Notes
This maintenance release of EJBCA Hardware Appliance and SignServer Hardware Appliance version 3.5.4 delivers EJBCA Enterprise 7.4.2 and SignServer Enterprise 5.5.0.
New versions of EJBCA Enterprise and SignServer Enterprise
EJBCA Enterprise 7.4.2
Updated version of EJBCA Enterprise, see the EJBCA Release Notes.
SignServer Enterprise 5.5.0
Updated version of SignServer Enterprise, see the SignServer Release Notes.
Hardware Appliance 3.5.3 Release Notes
This maintenance release of EJBCA Hardware Appliance and SignServer Hardware Appliance version 3.5.3 delivers EJBCA Enterprise 7.4.1.
New version of EJBCA Enterprise
EJBCA Enterprise 7.4.1
Updated version of EJBCA Enterprise, see the EJBCA Release Notes.
Hardware Appliance 3.5.2 Release Notes
This maintenance release of EJBCA Hardware Appliance and SignServer Hardware Appliance version 3.5.2 delivers EJBCA Enterprise 7.4.0.
New version of EJBCA Enterprise
EJBCA Enterprise 7.4.0
Updated version of EJBCA Enterprise, see the EJBCA 7.4 Release Notes.
Hardware Appliance 3.5.1 Release Notes
This maintenance release of EJBCA Hardware Appliance and SignServer Hardware Appliance version 3.5.1 delivers EJBCA Enterprise 7.3.1.4 and SignServer 5.4.0.1.
New versions of EJBCA Enterprise and SignServer Enterprise
EJBCA Enterprise 7.3.1.4
Updated version of EJBCA Enterprise, see the EJBCA 7.3.1.4 Release Notes.
SignServer 5.4.0.1
Updated version of SignServer Enterprise, see the SignServer 5.4.0.1 Release Notes.
Hardware Appliance 3.5.0 Release Notes
The PrimeKey Appliance team is pleased to announce the release of the EJBCA Hardware Appliance and SignServer Hardware Appliance version 3.5.0.
We have further refined our hardware appliance offering with new models to better support your business and operational needs. At the same time, we have taken the opportunity to introduce the new name EJBCA Appliance for the PKI Appliance.
This release also brings support for Simple Network Management Protocol (SNMP) version 3.
New Hardware Appliance Models
EJBCA Appliance
We are now introducing EJBCA Appliance models ranging from XS to XL. The new models offer variations on the total number of certificates that can be managed and performance capacity. The Registration Authority and Validation Authority are also available in stand-alone models. For more information, see EJBCA Appliance Model Specifications.
SignServer Appliance
The new SignServer Appliance models support your digital signature needs. The models are defined per signature use case, that is Document signing, Code signing, Time-stamping, and Travel/e-passport signing. Every model also comes with two signing performance levels. For more information, see SignServer Appliance Model Specifications.
Added Support for SNMPv3
With this version we also introduce support for Simple Network Management Protocol version 3 (SNMPv3). We have improved the monitoring capabilities of the appliance to help manage deployments and keep track of status information. For more information on activating and configuring SNMP access to the appliance, refer to the WebConf section of the Appliance Online Help.
PKI Appliance 3.4.5 Release Notes
This maintenance release of PKI Appliance and SignServer Appliance version 3.4.5 delivers EJBCA Enterprise 7.3.1.2.
Highlights
EJBCA Enterprise 7.3.1.2
The EJBCA Enterprise 7.3.1.2 maintenance release resolves vulnerabilities found in EJBCA during penetration testing.
For more information, refer to the EJBCA 7.3.1.2 Release Notes.
Improvements and Fixes
- Accessing JBoss CLI, required by some advanced customers, has been simplified compared to the access method introduced in version 3.3.0.
- As of Appliance version 3.3.0, we did not deliver a truststore of trusted CAs for outgoing connections with our Java installations. This has been improved as of the 3.4.5 release.
Bug Fix
- We have resolved the issue that previously caused a backup to occasionally not restore without manual interaction. This only occurred under certain circumstances such as old generation hardware, legacy PKCS#11 stack and smart card activation for PKCS#11 slots.
Upgrade Information and Limitations
For important upgrade information and limitations to be aware of, review the PKI Appliance 3.4 Upgrade Notes.
PKI Appliance 3.4.4 Release Notes
This maintenance release of PKI Appliance and SignServer Appliance 3.4.4 brings a new updated version of SignServer Enterprise.
Highlights
SignServer Enterprise 5.3.0
The SignServer Enterprise 5.3.0 release brings support for APPX and Domain Name System Security Extensions (DNSSEC) signing.
For more information, refer to the SignServer 5.3 Release Notes.
Improvement
The initial auto-generated TLS certificates are now updated to use the X.509 V3 certificate standard.
Upgrade Information and Limitations
For important upgrade information and limitations to be aware of, review the PKI Appliance 3.4 Upgrade Notes.
PKI Appliance 3.4.3 Release Notes
This maintenance release of PKI and SignServer Appliance 3.4.3 delivers EJBCA Enterprise 7.3.1.1.
EJBCA Enterprise 7.3.1.1
The EJBCA Enterprise 7.3.1.1 maintenance release includes a software update that resolves a potential security issue when using SCEP in RA mode.
For more information, refer to the EJBCA 7.3.1.1 Release Notes.
Upgrade Information and Limitations
For general upgrade information and limitations to be aware of, see the PKI Appliance 3.4 Upgrade Notes.
PKI Appliance 3.4.2 Release Notes
New versions of EJBCA and SignServer
EJBCA Enterprise 7.3.1
Updated version of EJBCA Enterprise, please see the EJBCA 7.3.1 Release Notes.
SignServer 5.2.0
Updated version of SignServer Enterprise, please see the SignServer 5.2 Release Notes.
Upgrade Information
The following lists important upgrade information and limitations to be aware of.
Upgrading EJBCA
After upgrading to certain versions of EJBCA (typically a new version where the database schema has changed), it is recommended to perform an EJBCA post-upgrade.
If the EJBCA instance you are upgrading is a part of a cluster, you should run the EJBCA post-upgrade only after all nodes in the cluster have been upgraded to the new version of EJBCA. Note that you only need to run the post-upgrade on one of the nodes in the cluster.
For more information on upgrading EJBCA, refer to Upgrading EJBCA and for information on database changes in the respective EJBCA releases, refer to the EJBCA Upgrade Notes.
General Upgrade Notes
The following provides important information and requirements to be aware of when upgrading.
- When installing updates on a PKI Appliance running version 3.2.0, make sure to unplug any USB sticks before performing the update. When a single node is disconnected from the cluster, the local EJBCA instance will be temporarily unusable and the EJBCA Administration interface displays an error message. The problem remediates itself within one hour while a restart of EJBCA resolves the issue instantly. Note however, if your installation uses smart card authentication, PIN pad interactions will be required to activate the slots again.
- When restoring large backups from EJBCA versions prior to 6.6.0, after the restore and reboot EJBCA will not be available for some time due to the database schema change and the need to reindex. For a full database of a Model M, it takes about an hour to reindex the database. Once reindexed, an additional reboot is required.
- For cluster backups taken on PKI Appliance versions 2.4 to 2.8: when restoring the first backup onto a 3.4.X version, the cluster configuration will be deleted and requires manually adding the IP addresses of all the other nodes before proceeding with the cluster setup.
- The Appliance 3.4.X versions do not support restoring backups of versions older than 2.4.0.
PIN Pad
- While this release newly supports the new PIN pad (cyberJack one) and Smart Card Authentication with more than 1 user authentications for PKCS#11 R2, the new PIN pad is neither supported for Smart Card Authentication on the legacy PKCS#11 R1 stack nor for Backup Key Shares on very old Appliance hardware versions (1.x).
- In rare cases after rebooting the Appliance, the PIN pad is not detected correctly and the WebConfigurator (WebConf) Wizard will display the following message "Please connect the PIN pad to the PKI Appliance before beginning the installation." This issue can be solved by replugging the PIN pad.
FIPS Restrictions Applied Mode
- The FIPS restrictions applied mode is currently not available on Appliances of the second generation hardware version since it is not available on that HSM generation. Operation in FIPS mode will be added in future releases.
- While smart card activated slots are supported with PKCS#11 R2, the FIPS restrictions applied mode is not.
Ethernet Ports
- Due to a firmware limitation, the PKI Appliance only becomes reachable when both management and application Ethernet ports are successfully connected to a network.
- Ethernet ports might not establish a link if the network cables have been connected after powering on the device.
PKI Appliance 3.4.1 Release Notes
The PrimeKey Appliance team is pleased to announce the release of PKI and SignServer Appliance 3.4.1.
With this release, we have updated the Utimaco firmware stack to bring PKCS#11 R2 to feature parity with PKCS#11 R1. The release also brings a new updated version of EJBCA Enterprise.
Features and Improvements
Updated version of EJBCA Enterprise, read more about this release in the EJBCA 7.3 Release Notes.
- Update of the Utimaco Firmware Stack
- The Utimaco PKCS#11 R2 is the new recommended default for new installations and you can now use smart card activated multi-user slots in PKCS#11 R2.
- In addition, the new cyberJack One PIN pad (white) is now supported and will be delivered with all new PKI and SignServer Appliance hardware.
- GCM mode ciphers are now available for outgoing peer connections.
- Resolved a corner case where generating a key pair on the HSM previously deactivated the crypto token in other cluster nodes.
Upgrade Information and Limitations
The following lists important upgrade information and limitations to be aware of.
Upgrading EJBCA
After upgrading to certain versions of EJBCA (typically a new version where the database schema has changed), it is recommended to perform an EJBCA post-upgrade.
If the EJBCA instance you are upgrading is a part of a cluster, you should run the EJBCA post-upgrade only after all nodes in the cluster have been upgraded to the new version of EJBCA. Note that you only need to run the post-upgrade on one of the nodes in the cluster.
For more information on upgrading EJBCA, refer to Upgrading EJBCA and for information on database changes in the respective EJBCA releases, refer to the EJBCA Upgrade Notes.
General Upgrade Notes
The following provides important information and requirements to be aware of when upgrading.
- When installing updates on a PKI Appliance running version 3.2.0, make sure to unplug any USB sticks before performing the update. When a single node is disconnected from the cluster, the local EJBCA instance will be temporarily unusable and the EJBCA Administration interface displays an error message. The problem remediates itself within one hour while a restart of EJBCA resolves the issue instantly. Note however, if your installation uses smart card authentication, PIN pad interactions will be required to activate the slots again.
- When restoring large backups from EJBCA versions prior to 6.6.0, after the restore and reboot EJBCA will not be available for some time due to the database schema change and the need to reindex. For a full database of a Model M, it takes about an hour to reindex the database. Once reindexed, an additional reboot is required.
- For cluster backups taken on PKI Appliance versions 2.4 to 2.8: when restoring the first backup onto the 3.4.1 version, the cluster configuration will be deleted and requires manually adding the IP addresses of all the other nodes before proceeding with the cluster setup.
- The Appliance version 3.4.1 does not support restoring backups of versions older than 2.4.0.
PIN Pad
- While this release newly supports the new PIN pad (cyberJack one) and Smart Card Authentication with more than 1 user authentications for PKCS#11 R2, the new PIN pad is neither supported for Smart Card Authentication on the legacy PKCS#11 R1 stack nor for Backup Key Shares on very old Appliance hardware versions (1.x).
- In rare cases after rebooting the Appliance, the PIN pad is not detected correctly and the WebConfigurator (WebConf) Wizard will display the following message "Please connect the PIN pad to the PKI Appliance before beginning the installation."
FIPS Restrictions Applied Mode
- The FIPS restrictions applied mode is currently not available on Appliances of the second generation hardware version since it is not available on that HSM generation. Operation in FIPS mode will be added in future releases.
- While smart card activated slots are supported with PKCS#11 R2, the FIPS restrictions applied mode is not.
Ethernet Ports
- Due to a firmware limitation, the PKI Appliance only becomes reachable when both management and application Ethernet ports are successfully connected to a network.
- Ethernet ports might not establish a link if the network cables have been connected after powering on the device.
PKI Appliance 3.4.0 Release Notes
The PrimeKey Appliance team is proud to announce the 3.4.0 release. This release brings major updates for EJBCA and SignServer. Besides that, another round of improvements under the hood of the PKI Appliance has been introduced.
Furthermore, with this release we are introducing basic IPv6 connectivity: services running on the Appliance can now be reached over IPv6.
New features
- EJBCA Enterprise 7.2.1: Please check out the EJBCA 7.2.1 Release Notes.
- SignServer 5.1.0.Final. To find out more about the release, refer to the SignServer 5.1 Release Notes.
- IPv6 can be configured on the management and application interfaces through WebConf. After that, WebConf, EJBCA and SignServer will be available via IPv6.
Please note that the following constraints apply to IPv6 connectivity:
- IPv6 connectivity is optional and disabled by default.
- Outgoing PeerConnectors cannot use IPv6.
- Cluster connections over IPv6 are not implemented at the moment.
- The initial installation of the Appliance has to be performed using IPv4, IPv6 addresses cannot be configured using the front display.
- If SSH access is enabled and IPv6 is configured on the management interface, SSH access via IPv6 is possible (even using link local addressing).
- HTTP connections through link local addresses are blocked by the firewall.
Changes
- After upgrading to 3.4.0 (or higher) it is not possible to downgrade to versions lower than 3.4.0. If a downgrade is required, please contact support.
- WebConf sessions are now tracked using a cookie, not using a URL parameter.
- Feedback for smart card operations (e.g. change PIN) has been improved.
Known Issues and Limitations
- While smart card activated slots are supported with PKCS#11 R2, "FIPS restrictions applied" mode is not.
- When using smart card activated slots with PKCS#11 R2, the maximum number of users is one. This is due to a bug which we plan to fix. If you need more users, you can opt to install your Appliance with PKCS#11 R1 instead of R2.
- When installing updates on a PKI Appliance running 3.2.0, make sure to unplug any USB sticks before performing the update.
- When a single node is disconnected from the cluster, the local EJBCA instance will be temporarily unusable (EJBCA admin interface shows an error message). The problem remediates itself within 1 hour. A restart of EJBCA fixes it immediately; however, if your installation uses smart card authentication, PIN pad interactions will be required to activate slots again.
- When restoring large backups coming from EJBCA versions earlier than 6.6.0, after the restore and reboot EJBCA will not be available for some time due to the database schema change and the need to re-index. For a full database of a Model M it takes about an hour to re-index the database. After this an additional reboot is required.
- For cluster backups taken on versions 2.4 up to 2.8: when restoring the first backup onto version 3.4.0, the cluster configuration will be deleted and the IP addresses of all the other nodes must be added manually before proceeding with the cluster setup.
- Version 3.4.0 does not support restoring backups of versions older than 2.4.0.
- The 2nd generation hardware version offers four ethernet ports, but only two of them are usable at the moment. Support for the disabled ethernet ports will be added in future versions.
- Due to a firmware limitation the PKI Appliance only becomes reachable when both management and application ethernet ports are successfully connected to a network.
- Ethernet ports might not establish a link if the network cables have been connected after powering on the device.
- "FIPS restrictions applied" mode is currently not available on appliances of the 2nd generation hardware version because it is not available on that HSM generation. Operation in FIPS mode will be added in future releases.
PKI Appliance 3.3.1 Release Notes
This is a maintenance release to 3.3.0.
New features
- SignServer has been updated to 5.1.0. To find out more about the release, refer to the SignServer 5.1 Release Notes.
Known Issues and Limitations
- Under certain circumstances, after restoring a backup, clicking "Continue with reboot" may return "SSL_ERROR_RX_RECORD_TOO_LONG" because the HTTP proxy is restarted incorrectly in between.
There are two workarounds for this:
1. Set your appliance's IP address to the same IP address as in the backup before starting the restore process.
2. Ignore the "SSL_ERROR_RX_RECORD_TOO_LONG" error and reboot the appliance via the front panel.
- While smart card activated slots are supported with PKCS#11 R2, "FIPS restrictions applied" mode is not.
- When using smart card activated slots with PKCS#11 R2, the maximum number of users is one. This is due to a bug which we plan to fix. If you need more users, you can opt to install your Appliance with PKCS#11 R1 instead of R2.
- When installing updates on a PKI Appliance running 3.2.0, make sure to unplug any USB sticks before performing the update.
- When a single node is disconnected from the cluster, the local EJBCA instance will be temporarily unusable (EJBCA admin interface shows an error message). The problem remediates itself within 1 hour. A restart of EJBCA fixes it immediately; however, if your installation uses smart card authentication, PIN pad interactions will be required to activate slots again.
- When restoring large backups coming from EJBCA versions earlier than 6.6.0, after the restore and reboot EJBCA will not be available for some time due to the database schema change and the need to re-index. For a full database of a Model M it takes about an hour to re-index the database. After this an additional reboot is required.
- For cluster backups taken on versions 2.4 up to 2.8: when restoring the first backup onto version 3.3.1, the cluster configuration will be deleted and the IP addresses of all the other nodes must be added manually before proceeding with the cluster setup.
- Version 3.3.1 does not support restoring backups of versions older than 2.4.0.
- The 2nd generation hardware version offers four ethernet ports, but only two of them are usable at the moment. Support for the disabled ethernet ports will be added in future versions.
- Due to a firmware limitation the PKI Appliance only becomes reachable when both management and application ethernet ports are successfully connected to a network.
- Ethernet ports might not establish a link if the network cables have been connected after powering on the device.
- "FIPS restrictions applied" mode is currently not available on appliances of the 2nd generation hardware version because it is not available on that HSM generation. Operation in FIPS mode will be added in future releases.
PKI Appliance 3.3.0 Release Notes
This release brings a major update for EJBCA and SignServer. Besides that, another round of improvements under the hood of the PKI Appliance has been introduced. Runtime environments for EJBCA, SignServer and WebConf have been updated to Java 1.8 and WildFly 14.
Furthermore, with this release we are introducing the availability of a new PKCS#11 implementation to access the HSM. This will allow us to introduce further features and improvements related to the HSM integration in the future.
Below you can find the list of the most relevant changes:
New Features
- EJBCA Enterprise 7.0.1.4: Please check out EJBCA 7.0.1 Release Notes.
- SignServer 5.0.0: Find more information at SignServer 5.0 Release Notes.
- Support for PKCS#11 R2. When updating an existing PKCS#11 R1 installation, it will keep using PKCS#11 R1. The same is true for restoring a backup from a PKCS#11 R1 setup. New installations with PKCS#11 R1 are still possible.
- Support packages can now also be generated during the installation process.
- WebConf offers a button to restart EJBCA and SignServer.
Changes and bug fixes
- Updates: Java 1.8.0 and WildFly 14.
- Additional checks for completeness of backups have been added.
- In case of smart card activated slots with PKCS#11 R2: smart card interactions are retried on failure (e.g. wrong PIN) on a best-effort basis.
- PKCS#11 R2: cluster key synchronization package restore does not delete keys, only adds missing keys and overwrites differing keys that have the same alias. To delete a key, it has to be manually deleted on all nodes.
- Randomised passwords for the internal database.
- Hardened TLS settings in Apache.
- EJBCA and SignServer are executed as unprivileged user.
- Improved robustness of cluster key synchronization package handling.
- PeerConnector setup now supports DH key agreement.
Known Issues and Limitations
- While smart card activated slots are supported with PKCS#11 R2, "FIPS restrictions applied" mode is not.
- When using smart card activated slots with PKCS#11 R2, the maximum number of users is one. This is due to a bug which we plan to fix. If you need more users, you can opt to install your Appliance with PKCS#11 R1 instead of R2.
- When installing updates on a PKI Appliance running 3.2.0, make sure to unplug any USB sticks before performing the update.
- When a single node is disconnected from the cluster, the local EJBCA instance will be temporarily unusable (EJBCA admin interface shows an error message). The problem remediates itself within 1 hour. A restart of EJBCA fixes it immediately, however if your installation uses smart card authentication, PIN pad interactions will be required to activate slots again.
- When restoring large backups coming from EJBCA versions smaller than 6.6.0, after the restore and reboot EJBCA will not be available for some time due to the database schema change and the need to re-index. For a full database of a Model M it takes about an hour to re-index the database. After this an additional reboot is required.
- For cluster backups taken on versions 2.4 up to 2.8: when restoring the first backup onto version 3.3.0, the cluster configuration will be deleted and the IP addresses of all the other nodes must be added manually before proceeding with the cluster setup.
- Version 3.3.0 does not support restoring backups of versions older than 2.4.0.
- The 2nd generation hardware version offers four ethernet ports, but only two of them are usable at the moment. Support for the disabled ethernet ports will be added in future versions.
- Due to a firmware limitation the PKI Appliance only becomes reachable when both management and application ethernet ports are successfully connected to a network.
- Ethernet ports might not establish a link if the network cables have been connected after powering on the device.
- "FIPS restrictions applied" mode is currently not available on appliances of the 2nd generation hardware version because it is not available on that HSM generation. Operation in FIPS mode will be added in future releases.
PKI Appliance 3.2.2 Release Notes
This is a maintenance release to 3.2.1.
Below you can find the list of the most relevant changes.
New Feature
- EJBCA Enterprise 6.15.0.3 - Please check out EJBCA release notes for further information.
Known Issues and Limitations
- When installing updates on a PKI Appliance so far running 3.2.0, make sure to unplug any "update stick" aka "customer deploy" USB stick that could possibly still be plugged in. USB storage devices that have been used for creating backups can be left plugged in. You can remotely check for this:
  - SSH into Appliance
  - $ ssh vadm
  - $ blkid
  - If the output of blkid lists two or more entries with the label "PrimeLFS", one or more customer deploy sticks are plugged in.
  If a customer deploy stick is left plugged in during the update, some configuration will be lost, including the timezone shown in WebConf and scheduled backups. The timezone settings for EJBCA and SignServer would be unaffected.
  When installing updates to an Appliance running 3.2.1 or higher this issue is fixed. This bug is independent of the update you are installing, and only depends on the version you are running before applying an update.
- When restoring large backups coming from EJBCA versions smaller than 6.6.0, after the restore and reboot EJBCA will not be available for some time due to the database schema change and the need to re-index. For a full database of a Model M it takes about an hour to re-index the database. After this an additional reboot is required.
- For cluster backups taken on versions 2.4 up to 2.8: when restoring the first backup onto version 3.2.1, the cluster configuration will be deleted and the IP addresses of all the other nodes must be added manually before proceeding with the cluster setup.
- Version 3.2.1 does not support restoring backups of versions older than 2.4.0.
- The 2nd generation hardware version offers four ethernet ports, but only two of them are usable at the moment. Support for the disabled ethernet ports will be added in future versions.
- Due to a firmware limitation the PKI Appliance only becomes reachable when both management and application ethernet ports are successfully connected to a network.
- Ethernet ports might not establish a link if the network cables have been connected after powering on the device.
- PeerConnector setup does not support DH key agreement. To set up a peer system, please switch to the RSA algorithm before adding the PeerConnector.
- "FIPS restrictions applied" mode is currently not available on appliances of the 2nd generation hardware version because it is not available on that HSM generation. Operation in FIPS mode will be added in future releases.
PKI Appliance 3.2.1 Release Notes
This is a maintenance release to 3.2.0.
Below you can find the list of the most relevant changes.
Minor Tweaks and Bug Fixes
- Fixed time zone issue when migrating from a version lower than 3.0.0. You can either restore your backup from 2.x directly on 3.2.1, or you can restore it on 3.2.0, then update to 3.2.1. In both cases you will regain the timezone settings from 2.x.
- Fixed invalid backup path regex
- Bugfixes around the update mechanism
Known Issues and Limitations
- When installing updates on a PKI Appliance so far running 3.2.0, make sure to unplug any "update stick" aka "customer deploy" USB stick that could possibly still be plugged in. USB storage devices that have been used for creating backups can be left plugged in. You can remotely check for this:
  - SSH into Appliance
  - $ ssh vadm
  - $ blkid
  - If the output of blkid lists two or more entries with the label "PrimeLFS", one or more customer deploy sticks are plugged in.
  If a customer deploy stick is left plugged in during the update, some configuration will be lost, including the timezone shown in WebConf and scheduled backups. The timezone settings for EJBCA and SignServer would be unaffected.
  When installing updates to an Appliance running 3.2.1 or higher this issue is fixed. This bug is independent of the update you are installing, and only depends on the version you are running before applying an update.
- When restoring large backups coming from EJBCA versions smaller than 6.6.0, after the restore and reboot EJBCA will not be available for some time due to the database schema change and the need to re-index. For a full database of a Model M it takes about an hour to re-index the database. After this an additional reboot is required.
- For cluster backups taken on versions 2.4 up to 2.8: when restoring the first backup onto version 3.2.1, the cluster configuration will be deleted and the IP addresses of all the other nodes must be added manually before proceeding with the cluster setup.
- Version 3.2.1 does not support restoring backups of versions older than 2.4.0.
- The 2nd generation hardware version offers four ethernet ports, but only two of them are usable at the moment. Support for the disabled ethernet ports will be added in future versions.
- Due to a firmware limitation the PKI Appliance only becomes reachable when both management and application ethernet ports are successfully connected to a network.
- Ethernet ports might not establish a link if the network cables have been connected after powering on the device.
- PeerConnector setup does not support DH key agreement. To set up a peer system, please switch to the RSA algorithm before adding the PeerConnector.
- "FIPS restrictions applied" mode is currently not available on appliances of the 2nd generation hardware version because it is not available on that HSM generation. Operation in FIPS mode will be added in future releases.
PKI Appliance 3.2.0 Release Notes
This release brings new versions of EJBCA and SignServer to the PKI Appliance.
Furthermore, it provides a unified software stack for PKI and SignServer Appliances of 1st and 2nd generation, allowing mixed clusters of both hardware versions in one deployment.
This release allows migrating PKI and SignServer Appliance deployments with versions 2.4 up to 2.8 onto the 3.X software line and explicitly migrating to the new hardware generation.
Updating 1st generation hardware versions (software versions 2.4 to 2.8) is only possible by USB boot stick and requires restoring a backup afterwards. 2nd generation hardware versions (software versions 3.0 and 3.1) can be live-updated. See UpdateStickInstructions.txt, which also outlines a procedure for migrating clusters.
Below you can find the list of the most relevant changes, improvements and bug fixes.
New Features
- EJBCA Enterprise 6.15.0.1 - Please check out EJBCA release notes for further information.
- SignServer 4.4.0 - Please check out SignServer release notes for more details.
- Now backups can also be stored to and restored from USB storage devices.
- PKI Appliance firmware 3.2.0 can now be installed on all hardware versions.
- Support for multiple syslog servers.
- Client certificates used to authenticate on the application interface of the PKI Appliance can now be checked via a configurable OCSP responder.
Minor Tweaks and Bug Fixes
- Fixed restoring backups taken on version smaller than 3.0.0.
- Installation Wizard correctly checks if NTP server addresses are working before proceeding.
- When booting, the PKI Appliance will now allow access as soon as all systems are up instead of waiting for a fixed amount of time.
- EJBCA documentation in PublicWeb now working properly.
Known Issues and Limitations
- When restoring large backups coming from EJBCA versions smaller than 6.6.0, after the restore and reboot EJBCA will not be available for some time due to the database schema change and the need to re-index. For a full database of a Model M it takes about an hour to re-index the database. After this an additional reboot is required.
- For cluster backups taken on versions 2.4 up to 2.8: when restoring the first backup onto version 3.2.0, the cluster configuration will be deleted and the IP addresses of all the other nodes must be added manually before proceeding with the cluster setup.
- Version 3.2.0 does not support restoring backups of versions older than 2.4.0.
- The 2nd generation hardware version offers four ethernet ports, but only two of them are usable at the moment. Support for the disabled ethernet ports will be added in future versions.
- Due to a firmware limitation the PKI Appliance only becomes reachable when both management and application ethernet ports are successfully connected to a network.
- Ethernet ports might not establish a link if the network cables have been connected after powering on the device.
- PeerConnector setup does not support DH key agreement. To set up a peer system, please switch to the RSA algorithm before adding the PeerConnector.
- "FIPS restrictions applied" mode is currently not available on appliances of the 2nd generation hardware version because it is not available on that HSM generation. Operation in FIPS mode will be added in future releases.
PKI Appliance 3.1.0 Release Notes
This maintenance release brings a new version of EJBCA and some minor improvements to the PKI Appliance. This software release is only relevant for customers with appliance hardware of the latest generation purchased after April 2018 or later. For customers operating PKI Appliances purchased earlier, software version 2.8 is the most recent one.
New Features
- EJBCA Enterprise 6.13.0.2 - Please check out EJBCA release notes for more details
Minor Tweaks and Bug Fixes
- EST available on PKI Appliance now
Known Issues and Limitations
- Only two of the four available ethernet ports are usable at the moment. Support for the disabled ethernet ports will be added in future versions.
- Due to a firmware limitation the appliance only becomes reachable when both ethernet ports are successfully connected to a switched network.
- Ethernet ports might not establish the link if the network cables have not been connected before booting the device.
- PeerConnector setup does not support DH key agreement. To set up a peer system, please switch to the RSA algorithm before adding the PeerConnector.
- Backups taken with some special characters in SubjectDN might not be able to be restored without renaming the file manually
- PKI Appliance 3.1.0 firmware can only be installed on appliances of the latest generation (hardware version >= 2.0 required). Support for older hardware will be added in future releases.
- Backups taken on version < 3.0.0 cannot be restored. Support to restore backups taken on previous versions will be added in future releases.
- "FIPS restrictions applied" mode is not available for CryptoServer Se52. Operation in FIPS mode will be added in future releases.
- It is not supported to set up a cluster with nodes running a mix of firmware version 2 and version 3.
- EJBCA documentation link in EJBCA PublicWeb is not available.
PKI Appliance 3.0.0 Release Notes
This major release brings an overhauled technology stack for the PKI Appliance platform. Beside the updates of EJBCA and SignServer the majority of components and services have been updated.
New Features
- Support for hardware version 2
- EJBCA Enterprise 6.11.1.1 - Please check out EJBCA release notes for more detailed information
- SignServer 4.2.2 - Please check out SignServer release notes for more details
Improvements
- PrimeLFS is now based on LFS 7.9 with updated components and services:
- MariaDB to 10.2.13 and Galera provider 25.3.23
- OpenSSL 1.0.2.n
- Apache 2.4.29
- Adjust quorum weights (127,126,125) for cluster nodes for graceful degradation of service
- Improved "Force into Active" handling of cluster nodes
- Improve database scalability by using database.useSeparateCertificateTable=true
- Newly structured security/secrets page in the installation wizard
Security Patches
- Mitigation for Meltdown, Spectre and zombie Dirty COW vulnerability
- OpenSSL has been updated to 1.0.2
- Apr-Util to 1.6.1
- curl to 7.58.0
Known Issues and Limitations
- Only two of the four available ethernet ports are usable at the moment. Support for the disabled ethernet ports will be added in future versions.
- Due to a firmware limitation the appliance only becomes reachable when both ethernet ports are successfully connected to a switched network.
- Ethernet ports might not establish the link if the network cables have not been connected before booting the device.
- PKI Appliance 3.0.0 firmware can only be installed on appliances of the latest generation (hardware version >= 2.0 required). Support for older hardware will be added in a future version.
- Backups taken on version < 3.0 cannot be restored. Support to restore backups taken on previous versions will be added in future releases.
- "FIPS restrictions applied" mode is not available for CryptoServer Se52. Operation in FIPS mode will be added in a future version.
- It is not possible to set up a cluster with nodes running a mix of firmware version 2 and version 3.
PKI Appliance 2.8.0 Release Notes
This release brings a new version of EJBCA and some minor improvements to the PKI Appliance.
New Features
- EJBCA Enterprise 6.13.0 - Please check out EJBCA release notes for more details
Minor Tweaks and Bug Fixes
- Small improvements in OpenJDK SunPKCS11 wrapper
- HTTP Proxy has been extended to support EST
- Node 2 and 3 in a cluster setup did not create a backup signing key. This is fixed now.
Known Issues and Limitations
- In some cases, after a successful cluster connect, the newly connected node must be rebooted to bring up the applications.
- Setting up a peer connector fails when DHE is selected
- PKI Appliance installations <= version 2.5.x with SignServer can only be updated to 2.7.0 or higher utilizing our deploy system started from a USB stick. Please contact PrimeKey Support for obtaining instructions for the usage of the USB based deploy system needed to perform the update.
PKI Appliance 2.7.2 Release Notes
This is a maintenance release to 2.7.1 which mainly brings new versions of EJBCA and SignServer to the PKI Appliance.
With the new EJBCA version custom certificate extensions for CV certificates are available. There are also improvements on CT logs.
SignServer comes with support for one click certificate renewals from within EJBCA.
New Features:
- EJBCA Enterprise 6.10.1.2 - Please check out EJBCA release notes for more detailed information
- SignServer 4.2.0 - Please check out SignServer release notes for more details
Minor tweaks and bug fixes:
- TimeMonitor was not active after restoring from an old backup (<= 2.5.1)
- In some cases of improper shutdown some configuration was lost. This is fixed now.
- 2-node cluster setup now possible without errors on restore from old versions
- Improved error reporting for JBoss
Known Issues and Limitations:
- Setting up a peer connector fails when DHE is selected
PKI Appliance 2.7.1 Release Notes
This is a maintenance release to 2.7.0 which brings new versions of EJBCA and SignServer to the PKI Appliance.
With the new EJBCA version, CAA validator is now available on PKI Appliance.
SignServer comes with improvements on Time-stamping and PDF Signing.
New Features:
- EJBCA Enterprise 6.9.1 - Please check out EJBCA release notes for more details
- SignServer 4.1.1 - Please check out SignServer release notes for more details
Minor tweaks and bug fixes:
- Support of external Management CA was broken in 2.7.0
Known Issues and Limitations:
- Setting up a peer connector fails when DHE is selected
PKI Appliance 2.7.0 Release Notes
This release brings new versions of EJBCA and SignServer to the PKI Appliance.
EJBCA comes with a lot of improvements to Roles and Rules.
SignServer has now large file support and can also be managed by web administration.
New Features:
- EJBCA Enterprise 6.8.0 - Please check out EJBCA release notes for more details
- SignServer 4.1.0 - Please check out SignServer release notes for more details
Improvements:
- Improvements on cluster connect
- Improvements in WebConf
- New JBoss version
- Improved audit logging of time adjustments
Security Patches:
- Updated OpenSSL to version 1.0.2k
- Updated OpenSSH to version 7.4p1
- Updated ntpd to version 4.2.8p0
- Updated Apache to version 2.4.25
Minor tweaks and bug fixes:
- Missing brainpool algorithms now available on crypto token
- Correct CPU temperature shown in WebConf
Known Issues and Limitations:
- In some cases, after a successful cluster connect, the newly connected node must be rebooted to bring up the applications.
- Under some circumstances, appliance cluster nodes might fail to synchronize into a consistent state after they have been disconnected. For that reason, we recommend performing a factory reset on all nodes that have been disconnected from the cluster and performing a full-state transfer.
- PKI Appliance installations <= version 2.5.x with SignServer can only be updated to 2.7.0 utilizing our deploy system started from a USB stick. Please contact PrimeKey Support for obtaining instructions for the usage of the USB based deploy system needed to perform the update.
PKI Appliance 2.6.1 Release Notes
This release is a maintenance release to 2.6.0. It brings some improvements, bug fixes and EJBCA version 6.7.0.
Improvements:
- Backups are additionally signed
- WebConf Wizard GUI adjustments
- Autocomplete in password fields has been disabled
- Adjustments for maintenance and support packages
- Improvements on cluster connect
- Renamed button 'Force into Primary' into 'Force into Active' in WebConf
- Block access to EJBCA enroll pages over plain HTTP
- PKI Appliance model is now shown in display
Security Patches:
- CVE-2016-3092 updated to commons-fileupload-1.3.2.jar
Minor tweaks and bug fixes:
- Several typos have been corrected
- HSM AuditLog is now configured/cleared when installing in FIPS mode
- Clear error message in WebConf when updating to an unsupported version
- Removed all setuid bits on binaries in underlying PrimeLFS
- EJBCA advanced access rules page works with many profiles now due to adjusted JBoss configuration
Known Issues and Limitations:
Due to the low-level changes mentioned for the previous version and the complete migration to PrimeLFS, the current (<=2.5.0) PKI Appliance update mechanism implemented in WebConf does not support 2.6.x packages. This means that already installed PKI Appliances can only be updated utilizing our deploy system started from a USB stick.
As this operation wipes all data stored on the appliance, a current backup of the system is required to perform the update and to restore the operation. PKI Appliance firmware 2.6.x can restore backup files taken from versions >=2.4.0.
Updates of cluster setups can be performed as rolling updates maintaining the availability of the system.
Please contact our support for obtaining instructions for the usage of the USB based deploy system needed to perform the update.
PKI Appliance version 2.6.1 does not support SignServer at the moment. This means that a PKI Appliance with activated SignServer will lose the SignServer functionality after the update. This will be fixed in the 2.6.2 release where the latest SignServer will be added.
Under some circumstances, appliance cluster nodes might fail to synchronize into a consistent state after they have been disconnected. For that reason, we recommend performing a factory reset on all nodes that have been disconnected from the cluster and performing a full-state transfer.
PKI Appliance 2.6.0 Release Notes
This release brings a broad range of new features, improvements and changes under the hood of the PKI Appliance. To name some of the most important changes:
EJBCA 6.6 is finally available on the PKI Appliance, we have improved the handling of error states by introducing the maintenance state and simplified the debugging by adding the option to obtain support packages containing all relevant log files.
Although not visible for the end user, the internals of the PKI Appliance has been significantly reworked and all used virtual machines are now based on PrimeLFS - our hardened Linux system. The migration to PrimeLFS improves the maintainability of the appliance infrastructure and the security of the overall system.
New features:
- EJBCA 6.6.2 - Please check out EJBCA release notes for more details
- WebConf audit log available in syslog
- The PKI Appliance can automatically detect some specific error states and sets itself into maintenance state providing a clear error message
- Automatic log collection on detected errors
- WebConf can create support packages which contain all relevant logs and can be obtained by a simple download
Improvements:
- Improved WebConf structure by introducing two level menus
- Improved TLS configuration in WebConf
- SuperAdmin enrolment supports CSR and PKCS#12 beside legacy browser enrollment (keygen)
- HSM Keepalive Service is now reliably triggered on all cluster nodes
- The internal PKCS#11 interface (p11proxy) is updated and now has support for symmetric encryption and unwrapping
Security Patches:
- updated OpenSSL to 1.0.2j
- CVE-2016-4300 libarchive is updated to 3.2.2
- CVE-2016-6313 GnuPG/Libgcrypt is updated to 1.7.3
- CVE-2016-5195 also known as DirtyCOW has been patched
- Removed: ‘List backups’ and ‘Search now’ in update could leak an internal directory listing of the PKI Appliance
Minor tweaks and bug fixes:
- Support for Management CA with SHA384withRSA
- Better default Management CA key specs options
- PIN settings in WebConf now part of the ‘Key Synchronisation Package’
- Extended validity of initial Management CA
- Display shows sha256 fingerprint of the used TLS certificate
- Prevent self-lock out of the administrator of WebConf by deleting the trusted CA
- Readded logrotate for all non rsyslogd handled log files
- WebConf file uploads now use the correct filter pattern
- Avm server log now limited in size
- Removed the reoccurring XmlRpcClientException from the log
- Fixed internal time setting with ntpd, all VMs follow the NTP server now
- Fixed bug in restore process which rejected backups of older PKI Appliances which were created on newer ones
- Wizard prevents setting ‘Slot Smart Card Activation’ and ‘FIPS restrictions’ applied at the same time
- added standard Linux file system integrity check on all volumes
Known Issues and limitations
Due to the aforementioned low-level changes and the complete migration to PrimeLFS, the current (<=2.5.0) PKI Appliance update mechanism implemented in WebConf does not support 2.6.0 packages. This means that already installed PKI Appliances can only be updated utilising our deploy system started from a USB stick.
As this operation wipes all data stored on the appliance, a current backup of the system is required to perform the update and to restore the operation. PKI Appliance firmware 2.6.0 can restore backup files taken from versions >=2.4.0.
Updates of cluster setups can be performed as rolling updates maintaining the availability of the system.
Please contact our support for obtaining instructions for the usage of the USB based deploy system needed to perform the update.
PKI Appliance version 2.6.0 does not support SignServer at the moment. This means that a PKI Appliance with activated SignServer will lose the SignServer functionality after the update. This will be fixed in the 2.6.2 release where the latest SignServer will be added.
Under some circumstances, appliance cluster nodes might fail to synchronize into a consistent state after they have been disconnected. For that reason, we recommend performing a factory reset on all nodes that have been disconnected from the cluster and performing a full-state transfer.
PKI Appliance 2.5.0 Release Notes
This is a feature release which brings mainly a new version of EJBCA and (optional) SignServer.
PKI Appliance Platform
Improvements:
- Updated documentation.
- Updated HSM firmware.
Security Patches:
- OpenSSL has been updated to 1.0.2g.
Note:
- From this version on, the update archives are encrypted and signed. The update mechanism will automatically check the signatures, decrypt the archives and update the system, so there is no difference in the update procedure workflow from the user's perspective.
EJBCA Enterprise 6.5.0.2
New Features:
- Certificate profiles can now be set to restrict key algorithms, curves (for EC) and key length.
- The CSCA "CA Name Change" feature from ICAO 9303 7th part 12 has been implemented.
- Auditor default role has been given access to additional pages in the UI.
- OCSP responder can now cache the revocation status of client certificates (used to sign requests) for limited time periods.
- CMP Proxy now checks for message signatures, HMAC and checks revocation status for signing certificates, relieving the CA of handling unauthorized messages.
- CT logs can now be submitted to log servers in parallel.
Improvements:
- The underlying BouncyCastle library has been upgraded to version 1.54
- All return and error codes from the CMP servlet have been documented.
Security Patches:
- Removed a possible XML exploit from the administration web.
- Deserialization has been significantly hardened.
- Fixed a possible information leakage in the administrative web in regards to certificate and end entity profiles.
SignServer Enterprise 3.7.3 Add-On (Optional)
New Features:
- Fully automatic renewal service requesting certificates from EJBCA
Improvements:
- Possibility to specify options for the generated certificate (Android)
Known Issues and Limitations
- With FIPS module loaded into the HSM, smart card based slot activation is disabled.
- EJBCA approval notifications do not contain any relevant information.
- Time and date shown in EJBCA/SignServer and WebConf might differ due to incorrect daylight saving time calculation.
Important Notes
- Starting with 2.4.0, when updating from an older version, the update process will remove all incompatible configuration files and overwrite them with new defaults. Due to this, all custom configuration changes (e.g. iptables rules, Apache vhosts) that might have been applied to the system will be overridden.
- Please follow the documentation to update your system. Should you plan to update a system running a version < 2.2.0, please contact PrimeKey Support or your local PrimeKey partner.
- After the update to version 2.4.0 or higher the system will stop accepting backups created on a system with a version < 2.2.0.
- The firmware of the HSM is only updated during a fresh installation or restore from a backup. To enforce this update on an existing installation it is required to backup the PKI Appliance, perform the update, reset it to factory defaults and restore the backup.
PKI Appliance 2.4.1 Release Notes
This is a maintenance release including a few new features, security patches, bug fixes and small improvements. We recommend the installation of this update as it contains several important security patches.
PKI Appliance Platform
New Features:
- WebConf: Support for loading of multiple trust stores used for user authentication. Registered users can now authenticate with certificates issued by different CAs.
Improvements:
- Extended logging especially for backup/restore operations and cluster configuration.
- WebConf: WebConf now requires confirmation of authentication codes for PKCS#11 slots during the installation process.
- Updated documentation.
Solved Issues:
- WebConf: In the past, WebConf accepted only certificates from a root CA as authentication trust stores. This issue has been solved and now WebConf expects root certificates or a full certificate chain as a PEM file in the TLS trust store configuration dialog.
Security Patches:
- CVE-2015-6924: A vulnerability which allowed the extraction of secret EC keys from the HSM by an authenticated HSM user (PKCS#11 Slot Authentication Code) has been fixed by updating the EC firmware module of the HSM to the latest version.
- CVE-2016-0777 aka Triple-Seven: SSH Client has been patched to version 7.1p2
- PKI Appliance Platform: Syslog output (which might be written to a remote syslog server) contained the Domain Master Secret. This problem has been resolved by removing the secret from the log output.
Important Note: The firmware of the HSM is only updated during a fresh installation or restore from a backup. To enforce this update on an existing installation it is required to backup the PKI Appliance, perform the update, reset it to factory defaults and restore the backup.
EJBCA Enterprise 6.4.2
- Improvement: The Auditor Role has been extended, and now has read access to authorized End Entities, Roles and configurations.
- Bug: A backport introduced in 6.4.1 broke the Certificate Transparency configuration page.
- Bug: PKCS#11 crypto token page was incorrectly formatted
- Improvement: X-Forwarded-For is now logged if present in OCSP requests
SignServer Enterprise 3.7.1 Add-On (Optional)
New Features and Improvements:
- Java code signing (including Android).
- Various Administration GUI improvements.
Bug fixes:
- Security issue in Commons Collections library.
- Regression: Renewing keys for multiple workers at once did not fully work in the Administration GUI.
- Bin folder could not be put in the PATH environment variable.
- Username/password not accepted if client certificate presented.
- The FirstActiveDispatcher was logging using the dispatchees fields.
- 24 other bug fixes.
Known Issues and Limitations
- Available storage capacity for the S model might be displayed incorrectly.
- With FIPS module loaded into the HSM, smart card based slot activation won't work.
- EJBCA approval notifications do not contain any relevant information.
Important Notes
- Starting with 2.4.0, when updating from an older version, the update process will remove all incompatible configuration files and overwrite them with new defaults. Due to this, all custom configuration changes (e.g. iptables rules, Apache vhosts) that might have been applied to the system will be overridden.
- Please follow the documentation to update your system. Should you plan to update a system running a version < 2.2.0, please contact PrimeKey Support or your local PrimeKey partner.
- After the update to version 2.4.0 or higher the system will stop accepting backups created on a system with a version < 2.2.0.
PKI Appliance 2.4.0 Release Notes
This is a feature release which introduces several new functionalities and improvements and restructures the appliances portfolio offered by PrimeKey by introducing new models. From this release on PrimeKey will offer the PKI Appliance in three different models, addressing different needs depending on the use cases. Check the updated product sheet for the specification of the new appliance models.
Appliance Platform
New Features:
- Introduction of new PKI Appliance models S, M, L. Details are available in the product sheet.
- Option to load FIPS firmware module into the HSM to enforce FIPS Restrictions.
- Support for signed and encrypted firmware and application software packages. All future updates will be signed and encrypted.
- Improved SSH/console password and key handling. WebConfigurator now supports the option to set the SSH password or upload an SSH key for authentication. Console access can be enabled and disabled.
Improvements:
- Improved RAID status information in WebConfigurator.
- Updated firewall rules.
- Notification for running background jobs.
- Clearer error messages and explanation of error codes.
- NTPd has been updated to 4.2.8p4.
- Syslog appender format has been adjusted.
- Apache Proxy has been updated to 2.4.16.
- SSHd has been updated to 7.1p1.
Solved Issues:
- In the past, the connection from EJBCA to the HSM could expire after an idle period of a few days. The result was that EJBCA was unavailable as it could not write to the audit log. This problem has been addressed by activating the HSM Keep Alive service in EJBCA by default.
- In the case one node of a 2-node cluster has been disconnected, the other might also become unavailable until it is forced-into-primary from the WebConfigurator web GUI. Unfortunately, EJBCA might remain unavailable after this operation and the only workaround is to restart the JBoss application server using the console. This issue has been resolved by an automatic application server restart after forcing the node into primary mode.
Security Patches
- commons-collections library has been removed as a preventive security measure.
EJBCA Enterprise 6.4.0
- Improved policy enforcement. Granular control has been added to DN and SAN elements in End Entity Profiles. Entered values can be controlled using regular expressions.
- New features that make audits and regulatory compliance even easier. Most of the UI has been given read-only rights, and a new role template (named Auditor) can be created and built upon to allow an auditor to view but not modify.
- Further extending run-time flexibility, Custom Certificate Extensions and Extended Key Usages can now be added on the fly from the UI.
SignServer Enterprise 3.7.0 Add-On (Optional)
- Individual keys and certificates (including CLI/GUI for managing those in a token).
- Batch signing support in the client CLI.
- Password prompts in the client CLI.
- Initial support for building using Maven.
- Improved logging options in PlainSigner and MSAuthCodeSigner.
- Various GUI improvements.
- For more details please check SignServer 3.7.0 release notes.
Known Issues and Limitations
- Available storage capacity for the S model might be displayed incorrectly.
- With FIPS module loaded into the HSM, smart card based slot activation won't work anymore.
- EJBCA approval notifications do not contain any relevant information.
- WebConfigurator accepts only self-signed CAs as TLS truststore.
Important Notes
- This update will remove all incompatible configuration files and overwrite them with new defaults. Due to this, all custom configuration changes (e.g. iptables rules, Apache vhosts) that might have been applied to the system will be overridden.
- Please follow the documentation to update your system. Should you plan to update a system running a version < 2.2.0, please contact PrimeKey Support or your local PrimeKey partner.
- After the update to 2.4.0 the system will stop accepting backups created on a system with a version < 2.2.0.
PKI Appliance 2.3.3 Release Notes
This is a maintenance release which resolves an issue which might prevent reactivation of a 2 node cluster after a node failure.
Appliance Platform
Bug: In the case one node of a 2-node cluster has been disconnected, the other might also become unavailable until it is forced-into-primary from the WebConf web GUI. Unfortunately, EJBCA might remain unavailable after this operation and the only workaround is to restart the JBoss application server using the console. This issue has been resolved by an automatic application server restart after forcing the node into primary mode.
Note: Please follow the documentation to update your system. Should you plan to update a system running a version < 2.2.0, please contact PrimeKey Support or your local PrimeKey partner.
PKI Appliance 2.3.2 Release Notes
This is a maintenance release which resolves an issue which might cause an HSM connection timeout.
Appliance Platform
Improvements: HSMKeepAlive service activated by default
Note: Please follow the documentation to update your system. Should you plan to update a system running a version < 2.2.0, please contact PrimeKey Support or your local PrimeKey partner.
PKI Appliance 2.3.1 Release Notes
This is a maintenance release which resolves several issues on the platform and application side (EJBCA).
Appliance Platform
Improvements:
- Extended documentation
- WebConf help section has much better contrast now
- Apply Content Security Policy in the HTTP Proxy configuration enforcing that every web page loaded from the PKI Appliance only uses resources from the same appliance.
Bug Fixes:
- Preventing AVM library from flooding /tmp and hitting tmpfs inode limits
- Timezone information is now passed properly into the EJBCA/SignServer Java environment
EJBCA Enterprise 6.3.2.1
New Features:
- CA certificate rollover via SCEP has been implemented in accordance with draft-nourse-scep-23.
- Added a working default configuration for Self Registration in EJBCA to cos-ejbca
Bug Fixes:
- CRLDownloadService can handle CRLs with multiple updates of a revoked entry
Note: Please follow the documentation to update your system. Should you plan to update a system running a version older than 2.2.0, please contact PrimeKey Support or your local PrimeKey partner.
PKI Appliance 2.3.0 Release Notes
The following is a selection of the most noteworthy changes within this feature release.
Appliance Platform
New Features:
- Extended SNMP interface (cluster status, DB Disk Usage, EJBCA/SignServer health)
- Integrated Mail Relay for sending out mail notifications (EJBCA)
- Possibility to disable the otherwise mandatory audit log
Improvements:
- Better security defaults (SSH disabled by default, smart cards required by default)
- Network security improvements
- Improved cluster handling and monitoring in WebConf
- Extended documentation
Bug Fixes:
- Several minor WebGUI bugs have been fixed
- Preventing that the WebGUI becomes unreachable after a period of 50 days of inactivity
EJBCA Enterprise 6.3.1
- Now possible to create CAs and issue End Entity certificates through the Web Service API
- SCEP Client Certificate Renewal
- Web Service API calls for monitoring certificate expiration
- Single Active Certificate Constraint has been added to Certificate Profiles, allowing for automatic revocation of old certificates, as new ones are issued
- For more details please check EJBCA 6.3.1 release notes
SignServer Enterprise 3.6.3 Add-On (Optional)
- Authenticode signer for portable executables (code signing)
- CSCA Master List signer (for ePassports)
- Signer that produces plain signatures
- Configurable maximum upload limit
- For more details please check SignServer 3.6.3 release notes
Note: Please follow the documentation to update your system. Should you plan to update a system running a version older than 2.2.0, please contact PrimeKey Support or your local PrimeKey partner for support.
PKI Appliance 2.2.0 Release Notes
This release introduces a lot of new functionalities and includes EJBCA Enterprise 6.3 which brings, among other improvements, the new Peer System protocol. Furthermore, there are several improvements in the platform infrastructure which improve handling of firmware and application updates and enable the support for smart card protection for CryptoTokens.
The following is a selection of the most noteworthy changes within this feature release.
New Features
- EJBCA 6.3.0 including support for EJBCA Peer System protocol
- Optional SignServer Enterprise 3.6.2 including TimeMonitor and TSA functionality
- Smart card protection for CryptoTokens
- Enhanced update functionality allowing firmware and application updates via web interface
Improvements
- Front display with extended configuration options
- Improved online help
- Several bug fixes
Note: As this version introduces several low level changes within the internal appliance infrastructure, it is required for an update from an older version to reset/reinitialize the PKI Appliance followed by a restore from a backup created before. Please contact our support for further assistance if you want to update your PKI Appliance to this version.
PKI Appliance 2.1.1 Release Notes
This is a maintenance release which mainly addresses some recently discovered vulnerabilities of components which are used within the appliance infrastructure:
- Fix for bash vulnerability (Shellshock)
- Disabled support for SSLv3 to address an SSL vulnerability (POODLE)
- Fix for a problem that might prevent restoration of backups which were protected by soft tokens.
PKI Appliance 2.1.0 Release Notes
The following is a selection of the most noteworthy changes within this maintenance release.
New Features
- EJBCA 6.2.0.
- Support for operation as standalone VA based on CRLs.
- Support for SCEP configuration over web interface.
- SNMP support.
Improvements
- Improved fault tolerance in the installation procedure.
- Improved HSM Alarm handling.
PKI Appliance 2.0.0 Release Notes
The following is a selection of the most noteworthy changes within this major release.
New Features
- High Availability and Load Balancing Cluster support (2- or 3-nodes setup).
- Update to EJBCA 6.1.1.
- SignServer integration (SignServer 3.5.0).
- Responsive WebConf Design.
- Log Export to Remote Syslog Server.
- NTP Support.
Improvements
- Improved system stability and robustness.
- Improved Network Configuration.
Fixes
- OpenSSL update fixes the Heartbleed vulnerability.
PKI Appliance 1.2.1 Release Notes
The following is a selection of the most noteworthy changes within this maintenance release.
Improvements
- Improved documentation and online user guidance.
- Scheduled backup now includes all configuration files.
- Improved fault tolerance during the installation procedure.