ejbca-news — News and updates about EJBCA (low traffic)

[Ejbca-news] EJBCA 3.9.4 released

[Tomas G. <to...@pr...>]

We are proud to release yet a new version of EJBCA.

This is a minor release with only a few minor fixes. Nothing critical
that makes is necessary for you to jump directly on to this release,
just a few fixes.

Noteworthy changes:
- Fixed a bug where OCSP responder would not return correct status for
archived (expired) certificates.
- Fixed a regression for the (deprecated) SafeNet JCE CA token.
- Fixed a regression where you could not renew expired CAs
- It's not possible to renew soft ECC CA keys in the admin GUI
- All language files are now encoded in UTF-8
- Fixed corner cases where bogus CRLs and certs could be published to LDAP

Read the full changelog for details
(https://jira.primekey.se/browse/ECA?report=com.atlassian.jira.plugin.system.project:changelog-panel).

For upgrade instructions, please see UPGRADE in the release package.

Regards,
The PrimeKey EJBCA Team

[Ejbca-news] EJBCA 3.9.3

[Tomas G. <to...@pr...>]

In time for christmas the EJBCA team would like to give you a christmas 
present in the form of EJBCA 3.9.3. This is a release that fixes one 
unfortunate regression in 3.9.2, and also adds some new features and 
plenty of improvements and bugfixes. 42 issues in total have been resolved.

Some minor features and options and some bug fixes and stabilizations.

Noteworthy changes:
- Fixed a regression in 3.9.2 where you could not upload files in the 
admin GUI.
- Certificate profiles can now specify a different signature algorithm 
than the CA. Useful to start migrating SHA1 CAs to issue SHA256 
certificates.
- Possibility to use part of user data in LDAP DN but not in certificate 
DN when publishing certificate to LDAP.
- Possibility to set fixed end date of certificates in certificate 
profile and CA configuration.
- Possibility to configure several notification services for expiring 
certificates, notifying at different times, i.e. 30 days, 7 days, etc.
- Browser enrollment tested with Windows 7.
- ECC improvements and fixes for CAs and HSMs, CA renew keys, CA import, 
brainpool curves, explicit ec parameters, clientToolBox etc.
- GUI improvement to the admin GUI with nicer navigation menu and CSS. 
Contributed by Linagora, France.
- cert-cvc: fixed rare possibility to get bad encoding of EC points in 
certificates. Contributed by DGBK, Netherlands.
- CVC CA fixes and improvements for EAC PKI, approvals, import CAs, fix 
cli info command, .cvcert instear of .crt when downloading certs, etc.
- Don't publish certificates for inactive CA services to LDAP.
- Fix so renewing CA keys in admin GUI does not reload all CA tokens.
- Fixed an OutOfMemory error when failing to publish large CRLs with 
connection closed error.
- Fix download issues with IE for exported CA keystores.
- Many small optimizations, fixes and improvements.

Read the full changelog for details.

For upgrade instructions, please see UPGRADE.

Merry christmas,
The EJBCA Team.

[Ejbca-news] SignServer 3.1 released

[Markus K. <ma...@pr...>]

The PrimeKey SignServer team is happy to announce that SignServer 3.1
has been released! This is a major new version with lots of exciting
functionality for document signing and validation.

Development continues beyond this version and all requests from the
community and from the EJBCA Developer Conference [1] are scheduled for
SignServer 3.2 or later releases.

More information is available at the project web site [2] and the
complete changelog can be viewed in the issue tracker [3].


Release Notes:

* New module system
The byte code for a worker can be packaged as a separate module that can
be loaded and unloaded at runtime.

* New workers: XMLSigner/Validator
Signing and validation of XML documents

* New worker: ODFSigner
Signing OpenDocument Format documents for instance used by OpenOffice.org

* New worker: OOXMLSigner
Signing Office Open XML documents

* New worker: CRLValidator
Validating certificates by looking up certificate revocation lists

* New worker: OCSPValidator
Validating certificates using the online certificate status protocol

* New worker: MRTDSODSigner
Signing EAC ePassports

* Several other features, fixes and improvements


[1]	http://www.primekey.se/Community/
[2]	http://www.signserver.org
[3]	http://jira.primekey.se/browse/DSS


Regards,
The PrimeKey SignServer team

[Ejbca-news] SignServer 3.1 soon to be released

[Markus K. <ma...@pr...>]

The SignServer team is happy to announce that a new release is on its way!

SignServer 3.1 is being scheduled for release within one or two weeks.

The project is now entering feature freeze for 3.1 and all requests from
the community and from the EJBCA Developer Conference [1] are
scheduled for SignServer 3.2 or later releases.

After the release more information will be available at the project web
site [2] and the complete changelog can be viewed in the issue tracker [3].


Release Notes:

* New module system
The byte code for a worker can be package as a separate module that can
be loaded and unloaded at runtime and with support for clustering

* New workers: XMLSigner/Validator
Signing and validation of XML documents

* New worker: ODFSigner
Signing OpenDocument Format documents for instance used by OpenOffice.org

* New worker: OOXMLSigner
Signing Office Open XML documents

* New worker: CRLValidator
Validating certificates by looking up certificate revocation lists

* New worker: OCSPValidator
Validating certificates using the online certificate status protocol

* New worker: MRTDSODSigner
Signing EAC ePassports

* Several other features, fixes and improvements


[1]	http://www.primekey.se/Community/
[2]	http://www.signserver.org
[3]	http://jira.primekey.se/browse/DSS


Regards,
The SignServer team

[Ejbca-news] EJBCA 3.9.2 released

[Tomas G. <to...@pr...>]

We are proud to announce the release of EJBCA 3.9.2. We believe this is
the most stable release of EJBCA to date.

This is a minor release but packed with new minor features and fixes, 38
issues have been resolved. Some minor features and options and many bug
fixes and stabilizations.

Noteworthy changes:
- Sign and verify of files with clientToolBox when the private key is
stored on a HSM.
- Possible to limit signing keys for an external OCSP responder to keys
within a set of key aliases.
- Add support for the TSL signer extended key usage
- Use improved validity period parsing in Certificate Profiles
- Add option to use publisher queue or not for CRLs and certificates
- Document MS application policies extension
- Fixes for ejbcaClientToolBox.bat for windows platform
- Timeouts for LDAP publishers to handle unstable LDAP servers
- For issue where CRL service may stop running if database is stopped
for some period
- Change so that Issuing Distribution Point on CRLs is not used by
default in CA configuration
- Fix issue using IAIK provider with several CAs
- Fix slow revocation if a user have many certificates
- cert-cvc: getting expiration date returns 00.00 hours but it means
it's valid the whole day
- cert-cvc: bad encoding of EC points in certificates in rare cases
where affineX and affineY is not same size
- Many small optimizations, fixes and improvements.

Read the full changelog for details.

For upgrade instructions, please see UPGRADE.

----
Work has already started for EJBCA 3.9.3, as well as 3.10. For 3.9.3 we
will for the first time in ages get some new bling on the admin GUI,
thanks to David Carella in France who contributed some styles for the
admin GUI.

EJBCA 3.10 will have many changes, preparing for the big move to EJBCA
4.0. Among other things all configuration in properties files are now
possible to store outside of the ear file, and change dynamically in
runtime.

Regards,
The EJBCA team at PrimeKey.

[Ejbca-news] EJBCA 3.9.1 released

[Tomas G. <to...@pr...>]

Hi,

we are pleased to announce the release of EJBCA 3.9.1.

This is a minor release but packed with new minor features and fixes, 46 
issues have been resolved.

Noteworthy changes:
- Improvements to public enrollment process including automatic renewal.
- Ability to specify approvals on certificate profiles.
- Configurable list of extended key usages.
- Dynamic update of max-age and nextUpdate for OCSP responders, also per 
certificate profile.
- In CRL update service you can select which CAs to generate CRLs for.
- Possible to schedule CRLs more often than hourly.
- Possible to remove soft CA key and possibility to import it back again.
- Possibility to remove passwords from properties files.
- Support for CRL distribution points with URI:s containing semicolon.
- Transaction log for web service certificate issuance.
- Possibility to specify Any CA in end entity profiles.
- More flexible configuration of CA validity, years, months days.
- Improved error message in GUI when HSM activation fails.
- Many small optimizations, fixes and improvements.

Read the full changelog for details.
https://jira.primekey.se/browse/ECA?report=com.atlassian.jira.plugin.system.project:changelog-panel

This is a plug-in upgrade for users of EJBCA 3.9.0.

Visit EJBCA.org to download the latest release!

Regards,
The EJBCA team.

[Ejbca-news] EJBCA 3.9.0 released

[Tomas G. <to...@pr...>]

After much hard work, EJBCA 3.9.0 is finally released. This might just
be the best release ever of EJBCA :-)

Regards,
The EJBCA team

This is a major release adding many new features and improvements, and
fixing numerous bugs.
126 issues have been resolved for this release. Check the changelog,
there is a good chance that your favorite issue has been resolved.

Some noteworthy changes:
- Support for CAs using DSA keys. EJBCA now supports all major
algorithms; RSA, DSA and ECDSA.
- External RA improvements. CA service running as an EJBCA services
gives full cluster functionality and support for multiple external RAs.
  As a bonus it is now much easier to install and configure.
- Robust re-publishing mechanism for publishers that fail, running as an
EJBCA service.
- OCSP responder improvements with performance improvements and support
for on-line renewal of OCSP responder keys and certificates.
  The external OCSP responder can now saturate high performance HSMs.
- OCSP monitoring tool for monitoring synchronization between EJBCA and
external OCSP responders.
- GUI for configuring the external OCSP publisher with new options.
- Possible to change OCSP signing keys in a running external OCSP responder.
- New commands and stress tests in the client toolbox.
- A new admin web gui front page with status overview panels.
- Possible to configure status of certificates issued for end entities,
i.e. issue certificate revoked "on hold".
- New DN attribute, Name.
- Performance improvement by caching and lowering number of database
queries.
- XKMS now works also on Java 6.
- Possibility to set user validity start and end time in WS API.
- Lots of small fixes and improvements to the admin GUI.
- Lots of small bugfixes.
- Keon CA to EJBCA migration guide.

Read the changelog for details.

Note that the configuration of External RA changed dramatically (to the
better). If using the external RA, please read the manual how to
install and configure the RA CA service in EJBCA 3.9.

Note that this version brings database changes. Read the UPGRADE
document for upgrade instructions.

This release should, as always, work on JBoss, Glassfish, Weblogic and
OC4J, together with most available databases.

Changes
-------
New Feature
    * [ECA-648] - Add a configurable revocation status to end entity
profiles
    * [ECA-877] - Patch level showing
    * [ECA-987] - Add cli command for processing certificate requests in
ejbca.sh
    * [ECA-1054] - User Certificate Validity Start/End Time as a
editUser Web Service parameter
    * [ECA-1076] - CMP stress test
    * [ECA-1093] - Support for static custom enroll forms
    * [ECA-1100] - CAs using DSA algorithm
    * [ECA-1172] - Validity override in certificate profiles should be
able to override startdate to set earlier start than "now"
    * [ECA-1188] - Permit to install on JBOSS with Tomcat Native Connector
    * [ECA-1202] - Implement extension override for PKCS#10 requests
    * [ECA-1203] - Allow DN override from requests
    * [ECA-1207] - Option in OCSP publisher to only use queue and not
publish directly
    * [ECA-1213] - Display length of publisher queue in external OCSP GUI
    * [ECA-1218] - Stand-alone monitoring tool for comparing CA and OCSP
databases
    * [ECA-1219] - Add CA status overview portal on first page of admin GUI
    * [ECA-1220] - Show certificate profile id in admin GUI
    * [ECA-1222] - Show CA id in Admin GUI
    * [ECA-1242] - Configurable to show CA status on front page
    * [ECA-1263] - Add new WS stress-test to test behaviour when there
are many certificates per user

Improvement
    * [ECA-550] - Bad error message when receiving PEM files from
external CA
    * [ECA-603] - Add a property to specify the module to use when using
nCipher HSM
    * [ECA-857] - Improve error message "Error occured when receiving
file, are you sure it is valid and in PEM encoding."
    * [ECA-878] - Start up welcome page(s) admin and normal one
    * [ECA-965] - Hide CRL-related fields when creating a CVC CA
    * [ECA-988] - Document database privileges
    * [ECA-1003] - EJBCA CLI requires APPSRV_HOME
    * [ECA-1008] - A CA could be activated with any password (PIN) after
it has been deactivated
    * [ECA-1011] - Output time of successful ant commands often used in
development
    * [ECA-1041] - Errormessage "User xxxx has status '40', NEW, FAILED
or INPROCESS required" could be improved
    * [ECA-1067] - JavaScript "Enabled" test
    * [ECA-1074] - Add Name DN attribute to supported attributes
    * [ECA-1094] - CN for httpsserver.dn property can be inherited from
httpsserver.hostname
    * [ECA-1101] - ExtRA: Make RA CA service as an EJBCA service and
make clusterable and support multiple RAs
    * [ECA-1129] - use same functionality in the OCSP respnder as in the
CA to handle P11 HSMs
    * [ECA-1131] - Filter what is published to CertificateData on
standalone OCSP
    * [ECA-1139] - Use Commons Configuration for OCSP config
    * [ECA-1163] - Save/cancel certificate profiles should bring you
back to profiles list
    * [ECA-1165] - required and modifyable checkboxes for username in
entity profiles not needed
    * [ECA-1166] - Rename mozilla/netscape to firefox
    * [ECA-1167] - activatecas cli command should be able to prompt for
activation code
    * [ECA-1168] - Don't display the password user types in import CA
command.
    * [ECA-1170] - Display signature algorithm with providers text in
view certiifcate
    * [ECA-1175] - Improve default DB2 CMP mapping
    * [ECA-1176] - Add cvcwscli.cmd for windows
    * [ECA-1178] - Add issuerDN to edit CA page
    * [ECA-1179] - Possible to specify multiple parameters in
cmp.ra.namegenerationparameters
    * [ECA-1180] - Be able to specify Any CA in end entity profiles
    * [ECA-1196] - Change ERROR to INFO message for mail notifications
    * [ECA-1198] - Implement robust re-publishing if publishing fails
    * [ECA-1199] - Don't log error for missconfigured service that is
not active
    * [ECA-1200] - GUI for the External OCSP Publisher
    * [ECA-1208] - Log4jLogDevice logs INFO exceptions as ERROR
    * [ECA-1209] - Upgrade certificateProfileId to new server profile
during 'ant upgrade' to avoid problems on SSL certificate renewal.
    * [ECA-1215] - Don't set start and end time for end entity if not
entered
    * [ECA-1221] - Ugly error message in LDAP publisher if no
certificate to remove exists
    * [ECA-1231] - Optimize performace of getCertificateInfo
    * [ECA-1233] - Prevent accidental runs of JUnit tests and
deploy/ocsp-deploy in production environment
    * [ECA-1235] - No point in swapping identical times
    * [ECA-1240] - Remove error log for cases where CVC sequence is not
numerical, we handle it gracefully.
    * [ECA-1249] - ClientToolBox PKCS11 operations echoes the password
back to the user
    * [ECA-1255] - AdminGroupData etc should be marked as read-only for
get methods
    * [ECA-1256] - Optimize authorization to lower number of SQL queries
for AuthorizationTreeUpdateData
    * [ECA-1259] - Rename List button to Search
    * [ECA-1260] - Rename "Create Server Certificate" to "Create
Certificate from CSR"
    * [ECA-1261] - improve behaviour of External CAs
    * [ECA-1265] - Error messages that we handle when editing users
should be info
    * [ECA-1267] - Inherit getCATokenStatus() from BaseCAToken on
SafeNetLunaCAToken
    * [ECA-1269] - Improve performance by caching common database queries
    * [ECA-1271] - ca init cli commands should be able to create sub CAs
    * [ECA-1290] - Don't log error creating CRLs when a CA is offline
    * [ECA-1291] - CRL service should not try to create CRLs for
external CAs

Task
    * [ECA-1116] - Avoid usage of class strings
    * [ECA-1173] - Drop upgrade support for EJBCA 3.1.x
    * [ECA-1195] - Upgrade to BC 1.43
    * [ECA-1205] - Create new tag-field for CertificateData to be able
to distinguish between different certificate types in database queries
    * [ECA-1214] - Ask for algorithm before key size in installation script
    * [ECA-1247] - Add KCA-EJBCA migration guide to docs
    * [ECA-1297] - Warnings about incorrect JSF navigation rules during
startup

Bug
    * [ECA-632] - Path length constraints not selectable in cert profile
    * [ECA-922] - DBCHANGE: Particular Log query with ProtectedLog fails
on Derby
    * [ECA-1077] - Not possible to get algorithm name from OID for CMP
with latest BC
    * [ECA-1085] - Email notifications may not treat foreign characters
correct
    * [ECA-1109] - Rare threading issues in OCSP certificate cache
    * [ECA-1110] - XKMS only works with JDK 1.5
    * [ECA-1122] - Cancel button on Edit Certificate Profiles page
doesn't work.
    * [ECA-1135] - Do not issue CRLs for expired CAs
    * [ECA-1137] - Serialnumbers starting with 0 do not behave properly
    * [ECA-1138] - nCipherHSM script with preload is broken
    * [ECA-1142] - First delta CRL is not issued when a CA is created
    * [ECA-1147] - NullpointerException in ProtectedLog
    * [ECA-1156] - OCSP ClientToolBox test failing when CA key is
signing the OCSP response.
    * [ECA-1157] - NullPointerException when invoking createcrl CLI with
bad CA name
    * [ECA-1160] - When a fast HSM is used then OCSP responder is not as
fast as it should be.
    * [ECA-1162] - external OCSP responder freezing after HSM failure.
    * [ECA-1164] - Hex serial number for admin certificates in admin
groups should not be limited to only 16 char hex strings
    * [ECA-1169] - Error verifying JCE using pkcs12req WS cli
    * [ECA-1171] - Possible to change OCSP signing keys in a running
external OCSP responder.
    * [ECA-1174] - Can not batch generate users using SHA256WithRSAAndMGF1
    * [ECA-1186] - Batch generation set user status to generated even if
request counter exists
    * [ECA-1187] - no such provider BC when EJBCA starts when protected
log is enabled
    * [ECA-1191] - Unable to deploy on PostgreSQL + Glassfish combination
    * [ECA-1193] - cli.xml ejbca:noprompt missing ca.signaturealgorithm
property
    * [ECA-1194] - "ejbca.sh ca info" fails for ECDSA CA
    * [ECA-1201] - Incorrect display of HTML escaped characters on
Access Rules comboboxes
    * [ECA-1216] - Add userPassword in LDAP should only happen if
addNonExisting or modifyExisting is checked
    * [ECA-1217] - Possible extensive CPU usage for crafted messages to
CMP RA service (not default config)
    * [ECA-1223] - NullpointerException in CMP when unknown keyId is sent
    * [ECA-1224] - CertTools.getCertfromByteArray never throws
CertificateException as the JavaDoc says but can return null
    * [ECA-1225] - Freshest CRL extension (aka Delta CRL Distribution
Point) on a CRL must not be critical
    * [ECA-1227] - AccessRules link for admin privileges does not work
on weblogic or oracle
    * [ECA-1229] - Internalresources may fail in rare contidtions
    * [ECA-1234] - Error message is shown when editing end entity
profiles when no printers are defined
    * [ECA-1245] - CRL reason entry extensions in CMP revocation
requests are not read
    * [ECA-1246] - Deadlock when load testing CMP with same user
    * [ECA-1248] - Cannot unselect last Custom Certificate Extension in
Certificate Profile
    * [ECA-1254] - ProtectedLog reloading CA token unnessecarily
    * [ECA-1257] - Importing wrong certificate using PKCS11 will make
the key unavailable on nCipher netHSM
    * [ECA-1258] - cursor:hand style on links should be cursor:pointer
    * [ECA-1266] - Upgrade may cause "use authority information access"
to be enabled though it was not before in certificate profile
    * [ECA-1268] - Missing Exception handling for super.deactivate()
calls on SafeNetLunaCAToken
    * [ECA-1272] - Authorization issue during stress test
    * [ECA-1273] - Services will stop running if database goes down
    * [ECA-1293] - ProtectedLog on idling system warns about missing log
rows if protectionIntensity > 0
    * [ECA-1294] - Issuing certificate with + sign does not work in cmp
requests
    * [ECA-1295] - Error making advanced log search for CA on DB2
    * [ECA-1296] - Fetching cert or keystore from Public Web generates
an error when cert-profile is the default in UserData

[Ejbca-news] EJBCA 3.8.3 and cert-cvc 1.2.9 released

[Tomas G. <to...@pr...>]

We just released two very minor releases. EJBCA 3.8.3 with just three
fixes. The cert-cvc library with only modifications to make two
constructors visible to outside code.

This release of EJBCA makes way for the imminent release of EJBCA 3.9.0.
 A major new release with lots and lots of fixes.


EJBCA Release notes:
This is a minor release with only a few fixes
Read the changelog for details.
- Fixed unability to deploy on PostgreSQL + Glassfish combination.
- Fixed possible extensive CPU usage for crafted messages to CMP RA
service (not default config).
- Fixed Ugly error message in LDAP publisher if no certificate to remove
exists.

For upgrade instructions, please see UPGRADE.


EJBCA changes:
Improvement
    * [ECA-1221] - Ugly error message in LDAP publisher if no
certificate to remove exists

Bug
    * [ECA-1191] - Unable to deploy on PostgreSQL + Glassfish combination
    * [ECA-1217] - Possible extensive CPU usage for crafted messages to
CMP RA service (not default config)



Regards,
The EJBCA team

[Ejbca-news] EJBCA 3.8.2 released

[Johan E. <ejb...@pr...>]

This is a minor release adding improvements and bugfixes
- Add street and pseudonym DN attributes.
- OCSP improvements, RFC 5019, nextUpdate, support for requests using 
GET, improved configuration and error handling.
- Correct coding of optional Issuing Distribution Point in CRLs.
- Possible to publish userPassword in LDAP.
- A few minor fixes.

Cheers,
EJBCA Team


New Feature
   * [ECA-552] - Add support for nextUpdate, thisUpdate and producedAt 
in OCSP responses
   * [ECA-1124] - Configurable to use HTTP headers for standalone OCSP
   * [ECA-1053] - Pseudonym as a subject DN attribute
   * [ECA-1133] - Configurable in ExternalOCSPPublisher to only publish 
certificates with and OCSP URI extension.

Improvement
   * [ECA-1123] - Create dummy object for TransactionLogger and AuditLogger
   * [ECA-1088] - Default public exponent for lunaHSM.sh should be 65537 
(0x1001)
   * [ECA-1055] - Support OCSP by HTTP GET
   * [ECA-1117] - Use info instead of error messages in Standalone OCSP 
Responder.
   * [ECA-1144] - Add "userPassword" attribute in LDAP publisher
   * [ECA-1114] - Add street DN component
   * [ECA-1096] - Improve handling of invalid requests and streams in 
OCSP responder
   * [ECA-1146] - Stress Test does not print out no of failed tests
   * [ECA-748] - Order certificates in view certificates with newest first
   * [ECA-1121] - Unnecessary signing operations     Bug
   * [ECA-1158] - CA-certificate, but no signing key from a CA on the 
external OCSP generates an Exception
   * [ECA-1141] - CRL Distribution Point in CRLs must be encapsulated 
into an Issuing Distribution Point
   * [ECA-1092] - Code not thread-safe in certificate-request Servlet
   * [ECA-1154] - Concurrency issue when reloading soft keys for 
external OCSP responder
   * [ECA-1113] - JCE error on JBoss 5 on some platforms
   * [ECA-1148] - ServiceData cached in bean making synchronization 
between cluster nodes fail.
   * [ECA-1090] - Wrong encoding of issuer DN on retrieval public web pages
   * [ECA-1150] - Wrong language tag for "Certificate Validity End Time" 
in viewendentity.jsp
   * [ECA-1095] - Allow comma in directoryName subject alt names
   * [ECA-1145] - CvcRequestMessage not serializable
   * [ECA-1143] - Freshest CRL is lost when creating a new CA

[Ejbca-news] Syscheck 1.4.1 Released

[Henrik A. <ej...@ha...>]

Hi all!

I've released syscheck 1.4.1

What is syscheck?

   Framework written in /bin/sh to monitor server and (ejbca 
among other)application health, send a standardized message with syslog to 
a central server that monitors all nodes in a trust center.

Why (there are lots of tools doing this already)?
   We found that most system uses a "agent" installed on the server, and 
often it needs to run as root, we couldn't have either of that in a hig 
security environment. Thus syscheck was born.


What does it do (the scripts)?
  regular server checks (sc_01_diskusage.sh sc_03_memory-usage.sh
sc_06_raid_check.sh sc_07_syslog.sh sc_09_firewall.sh sc_14_sw_raid.sh 
sc_15_apache.sh sc_16_ldap.sh sc_17_ntp.sh sc_18_sqlselect.sh 
sc_19_alive.sh sc_28_check_vip.sh)

specific to a ca (sc_02_ejbca.sh sc_04_pcsc_readers.sh sc_05_pcscd.sh 
sc_08_crl_from_webserver.sh sc_10_cluster_master_db.sh 
sc_11_heartbeat.sh sc_13_heartbeat-master.sh 
sc_18_sqlselect.sh sc_19_alive.sh sc_20_errors_ejbcalog.sh )

other systems: (sc_22_boks_replica.sh sc_23_rsa_axm.sh sc_24_weblogic.sh 
sc_27_dss.sh)

It also covers the regular jobs a admin needs to do, by hand or 
automaticly (cron)
   900_export_cert.sh 901_export_revocation.sh 902_export_crl.sh 
903_make_hsm_backup.sh 904_make_mysql_db_backup.sh 905_publish_crl.sh 
906_ssh-copy-to-remote-machine.sh 
907_make_mysql_db_backup_and_transfer_to_remote_mashine.sh 
908_clean_old_backups.sh 909_activate_CAs.sh 910_deactivate_CAs.sh 
911_activate_VIP.sh 912_deactivate_VIP.sh 913_copy_ejbca_conf.sh 
914_compare_master_slave_db.sh 915_remote_command_via_ssh.sh 
916_archive_access_manager_logs.sh 917_archive_file.sh 918_server_alive.sh

Homepage: http://wiki.ejbca.org/syscheck

Download: 
https://sourceforge.net/project/showfiles.php?group_id=39716&package_id=58346

Please contribute

//Henrik "kinneh" Andreasson

[Ejbca-news] EJBCA 3.8.1 released

[Tomas G. <to...@pr...>]

This is a minor release, targeted for adding support for JBoss 5 and 
fixing a mistake that caused install on Glassfish to fail.
It also adds a few minor improvements and bugfixes.

- Add support for JBoss 5.
- Fix support for Glassfish caused by a forgotten commit in 3.8.0.
- Improve support for Weblogic 10.3.
- Fix support for IPv6 subject alternative names.
- A few minor CMP, OCSP and CVC fixes.

Change log:

Improvement
* [ECA-966] - NPE when using a non-existing ECC algorithm during CVC CA 
creation
* [ECA-983] - Allow logging of REPLY_TIME in both audit and transaction 
logs
* [ECA-1006] - Database index script fails for MySQL using UTF-8
* [ECA-1057] - Run EJBCA in JBoss 5.0
* [ECA-1059] - Fix ipv6 altname ipaddress and allow it in admin-GUI
* [ECA-1060] - Throw CertificateExpiredException when certificate used 
to verify cvc request has expired
* [ECA-1070] - Windows .BAT file for using clientToolBox
* [ECA-1080] - Option to set internally used password in CMP
* [ECA-1081] - Improve support for Weblogic 10.3
* [ECA-1086] - Allow to set null password in WS cli editUser call
* [ECA-1087] - Increase timeout for CRL generation transaction on JBoss 
and document how it could be done

Bug
* [ECA-984] - ejbca.cmd does not work with spaces in JBoss path
* [ECA-1039] - CVC certificate requests with error leaves user status as 
new
* [ECA-1040] - cvcgetchain does not return latest cert
* [ECA-1056] - REQUIREDCARDNUMBER language string missing
* [ECA-1061] - Wrong header displayed for different groups of access rules
* [ECA-1062] - Verifying OCSP requests can throw InvalidKeyException 
which is not caught
* [ECA-1063] - Not working on Glassfish
* [ECA-1068] - CMP tcp service does not work on JBoss 5
* [ECA-1069] - Wrong errormessage in checkValidity when endDate is wrong
* [ECA-1071] - OCSP responder does not handle TelephoneNumber, 
PostalAddress and PostalCode in DN
* [ECA-1079] - KeyId decoding in CMP uses platform charset
* [ECA-1084] - External RA: SCEP enrollment from Cisco IOS gets wrong DN

[Ejbca-news] EJBCA 3.7.5 released

[Tomas G. <to...@pr...>]

This is a minor release making some small changes to the CVC WS-API and 
adding REPLY_TIME to OCSP audit logs. We're not updating the ejbca 
homepage, since EJBCA 3.8.0 is the recommended release, unless you are 
after a minor release fixing exactly these issues.

Cheers,
EJBCA Team

Changelog:

New Feature
     * [ECA-1035] - Add Brazilian Portuguese Translation

Improvement
     * [ECA-983] - Allow logging of REPLY_TIME in both audit and 
transaction logs
     * [ECA-1031] - Get server certificate in public web shoud not show 
password
     * [ECA-1032] - Add cli command to convert cvc certificates between 
binary and pem
     * [ECA-1036] - Hide keytool-errors during install.
     * [ECA-1060] - Throw CertificateExpiredException when certificate 
used to verify cvc request has expired

Bug
     * [ECA-244] - Problem during installation with schema: 
DC=bigcorp,DC=com
     * [ECA-1037] - CLI for fetching user certificate fails
     * [ECA-1039] - CVC certificate requests with error leaves user 
status as new
     * [ECA-1040] - cvcgetchain does not return latest cert
     * [ECA-1042] - LdapPublisher does not work with CVC certificates
     * [ECA-1044] - Nullpointer in BasicFunctions when admin not 
authorized to CA
     * [ECA-1046] - view certificate on Public web gives error for CVC 
certificates
     * [ECA-1065] - Password needed to update CVC certificate with WS-API
     * [ECA-1069] - Wrong errormessage in checkValidity when endDate is 
wrong

[Ejbca-news] EJBCA 3.8.0 released

[Tomas G. <to...@pr...>]

We're glad to announce the EJBCA 3.8.0 as an early christmas present.

This is a major release, particularly focusing on support for 
administrators to log in with certificates from other CAs, not in EJBCA.
Read the changelog for details.

Notable changes in no specific order:
- Restructure administrator validation to allow admins using externally 
issued certificates.
- Add a CLI subcommand to add an administrator in an admin group using 
the serial number.
- Drop administrator flag in end entities, it's not needed, makes 
configuration easier together with remade admin GUI.
- Possible to generate CA PKCS#10 request without giving CA certificate.
- Add support for SEIS Card Number extension.
- Added KRB5PrincipalName subjectAltName.
- Option in certificate profiles for reversing DN order.
- Enroll for CV certificate on public web.
- Upload PEM or binary certificate requests on public web.
- Possible to sign releases and deployed code.
- Enhanced basic custom certificate extension.
- Command to list objects in Luna HSM partition.
- Some bug fixes.

For upgrade instructions, please see UPGRADE.
NOTE: There are database upgrades in this release, so read UPGRADE 
carefully.

Because there are binary files in EJBCA_HOME/lib changed there is no 
patch file for upgrading
EJBCA 3.7.x to 3.8.0. Use the full package from EJBCA 3.8.0 and follow 
the upgrade instructions in UPGRADE.

Note that if using JBoss, you need JBoss 4.2.x or later to run EJBCA 3.8.x.

Changes
-------
New Feature
* [ECA-904] - Add a CLI subcommand to add an administrator in an admin 
group using the serial number
* [ECA-935] - Restructure administrator validation to allow admins using 
externally issued certificates
* [ECA-953] - List objects in Luna HSM partition
* [ECA-969] - Possible to generate CA PKCS#10 request without giving CA 
certificate
* [ECA-993] - Add KRB5PrincipalName subjectAltName
* [ECA-1000] - Sign releases and deployed code
* [ECA-1007] - Enhanced basic certificate extensions
* [ECA-1033] - Possible to enroll for CV certificates on public web
* [ECA-1051] - Possibility give a user defined DN to a new certificate 
request for an HSM

Improvement
* [ECA-917] - Allow to use inverse LDAP order in DN for end entities
* [ECA-918] - Handle web service error code when CA is down
* [ECA-936] - Drop administrator flag in end entities
* [ECA-937] - Allow use of emailAddress in Admin interface
* [ECA-963] - Ability to distinguish between non-existing CA and 
authorization problems through WS
* [ECA-990] - Allow auto-activation of CAs dispite not having strong 
crypto policy installed
* [ECA-1001] - tool to change key alias
* [ECA-1012] - Option to enter email manually for import cert cli command
* [ECA-1014] - Display ejbca version in startup log message
* [ECA-1016] - Make error messages from CertReqServlet localizeable
* [ECA-1034] - Use TRACE logging for certain debug log
* [ECA-1038] - Use Commons Configuration for CMP service
* [ECA-1043] - Upload of binary certificate requests in public web enrol
* [ECA-1045] - Add support for SEIS Card Number extension in certificates
* [ECA-1049] - CMP raVerified can sometimes by zero bytes DEROctetString 
instead of DERNUll

Task
* [ECA-971] - ExtRA: upgrade to commons-lang 2.4 and commons-collections 
3.2
* [ECA-1013] - Upgrade BC to 1.41

Bug
* [ECA-664] - Adding Administrator Access rule; username with 
not-allowed character is possible
* [ECA-782] - Listing user certificates from the public web fails if the 
serial number of the cert begins with "0"
* [ECA-882] - Add Administrator - cert serial number not checked
* [ECA-968] - Key length changes when editing CA in admin-GUI
* [ECA-970] - LdapPublisher searches for old objects on certDN instead 
of Ldap DN
* [ECA-972] - Merge on DN - Problems with rfc822name and email
* [ECA-992] - Cannot add "OtherName" SubjectAltName in end entity profile
* [ECA-996] - Merge of DN doesn't work properly
* [ECA-1046] - view certificate on Public web gives error for CVC 
certificates
* [ECA-1048] - Can not install with initial CA with space in name

[Ejbca-news] EJBCA 3.7.4 released

[Tomas G. <to...@pr...>]

This is a minor release that replaces 3.7.3 where initial install was 
broken. It has a few additional fixes from 3.7.3 as well.
- Substitute email from- and to- as well in user notifications
- Create a built-in Server certificate profile
- OCSP improvements

We are very sorry for the inconvenience you who tried to make a fresh 
install with 3.7.3, before we pulled it from download, encountered.

Read the changelog for details.

This is a plug-in upgrade from 3.7.x. See UPGRADE for the simple 
instructions.

Changes:
-------
New Feature
* [ECA-1024] - Substitute email from- and to- as well in user notifications

Improvement
* [ECA-1021] - Fix the default ENDUSER Certificate Profile
* [ECA-1026] - Create a built-in Server certificate profile

Bug
* [ECA-1023] - External RA SCEP service fails on cisco message with 
wrongly encoded request extension
* [ECA-1025] - Missing ErrorCode class in ejbca-util.jar
* [ECA-1027] - OCSP should not respond with responseBytes when an error 
code is sent
* [ECA-1029] - OCSP responder should answer with OCSP error 
MalformedRequest when a badly encoded request is received

[Ejbca-news] EJBCA 3.7.2 released

[Tomas G. <to...@pr...>]

Happy halloween. To keep you safe inside tonight there's a new fabulous 
release of EJBCA out.

You should check out the External OCSP responder in EJBCA, it's really good.


This is a minor release with focus on fixing making OCSP optimizations, 
introducing some minor features and fixing a few annoying bugs.

- Add Intel AMT extended key usage
- Optimize OCSP servlet for better performance
- OCSP responder improvements: reload of p11 when connection broken, 
return error of audit logging fails.
- CA certificates with SerialNumber in DN does not work with External OCSP
- WS-API, make mathtype contains with with matchwith username
- Key length changes when editing CA in admin-GUI
- Minor GUI fixes.

Read the changelog for details.

This is a plug-in upgrade from 3.7.x. See UPGRADE for the simple 
instructions.

Changes:
New Feature
     * [ECA-974] - Add Intel AMT extended key usage
     * [ECA-1005] - Give OCSP error if audit or transaction logging fails

Improvement
     * [ECA-950] - Optimize OCSP servlet
     * [ECA-973] - external OCSP responder: trying to reload the p11 
provider when the HSM removed/disconnected.
     * [ECA-976] - WS-API, make mathtype contains with with matchwith 
username
     * [ECA-982] - Explicitly close maintenance file in health check
     * [ECA-989] - add cmd=deltacrl command on CertDistServlet (with patch)

Bug
     * [ECA-957] - ocspclient.jar cannot handle answers with responderID 
of type Name.
     * [ECA-959] - Public web can give NPE in rare conditions
     * [ECA-960] - reference to "bin/ejbca.sh ca processreq" in manual
     * [ECA-968] - Key length changes when editing CA in admin-GUI
     * [ECA-970] - LdapPublisher searches for old objects on certDN 
instead of Ldap DN
     * [ECA-975] - CA certificates with SerialNumber in DN does not work 
with External OCSP
     * [ECA-977] - Error editing RenewCAWorker if CA has been removed
     * [ECA-978] - NullPointerException using WS-API to revoke 
non-existing certificate
     * [ECA-979] - The transactionlogger and auditlogger set incorrect 
CERT_STATUS and STATUS
     * [ECA-985] - Wrong default value for OCSP helathcheck database query
     * [ECA-986] - Can't run ejbca.sh from $EJBCA_HOME/bin
     * [ECA-995] - getAuthorityInformationAccessOcspUrl in CertTools 
fails to retrieve OCSP Locator url from AIA for cert with mutliple AIA 
points
     * [ECA-997] - Error publishing deltaCRL to LDAP
     * [ECA-999] - CRLIssuer can not be removed in CDP
     * [ECA-1009] - Validity of certificates in signed OCSP requests not 
checked for expiration

[Ejbca-news] EJBCA 3.5.9 and 3.6.3 released

[Tomas G. <to...@pr...>]

We're releasing a couple of point releases just to keep the branches up 
to date as well. We still recommend EJBCA 3.7.1 for production.

These are both minor releases aimed to fix a few issues found, most notable:
- Upgrade fails to set internal state of CA expire time for externally 
signed CAs
- Key length changes when editing CA in admin-GUI
- LdapPublisher searches for old objects on certDN instead of Ldap DN

If you have been affected by any of these issues, and want to keep 
running your older version, you can upgrade to these versions. For the 
key length change issue, there is also a CLI command that can be used to 
reset/change the value to your desired value. This can also be used to 
change algorithm or key length when renewing a CA.

Regards,
The EJBCA team

Changes:

3.6.3, 2008-10-06
---
Bug
     * [ECA-952] - Entity Profile : the text "Use entity e-mail field" 
is not localizable
     * [ECA-954] - TestProtectedLog fails if ProtectedLogDevice is not 
enabled in configuration
     * [ECA-955] - PKCS11 support problem on OCSP responder
     * [ECA-957] - ocspclient.jar cannot handle answers with responderID 
of type Name.
     * [ECA-968] - Key length changes when editing CA in admin-GUI
     * [ECA-970] - LdapPublisher searches for old objects on certDN 
instead of Ldap DN


3.5.9, 2008-10-06
---
Improvement
     * [ECA-891] - Avoid unnecessary database searches during HealthCheck

Bug
     * [ECA-886] - Upgrade fails to set internal state of CA expire time 
for externally signed CAs
     * [ECA-906] - EjbcaHealthCheck may use same session bean object for 
concurrent accesses
     * [ECA-968] - Key length changes when editing CA in admin-GUI

[Ejbca-news] EJBCA 3.7.1 released

[Tomas G. <to...@pr...>]

Hi,

We are pleased to announce EJBCA 3.7.1.  This release primarily focuses 
on ePassport ECC support, but there are some other minor improvements in 
there too.

This is a minor release with major focus on enhancements to CVC CA 
support for EU EAC ePassport PKIs.
- Support for both RSA and ECC with all EAC algorithms.
- Interoperability fixes tested with other implementation at the Prague 
2008 event.
- Usability enhancements for CVC PKIs, for example download and import 
of binary certificates.
- Changes to the CVC cli to mimic the WS-API functions.
- Fixed that upgrade from 3.6 to 3.7 causes error when autogenerated 
password are used
- Other minor bugfixes.

Read the changelog for details.

This is a plug-in upgrade from 3.7.x. See UPGRADE for the simple 
instructions.
Because there are binary files in EJBCA_HOME/lib changed there is no 
patch file for upgrading
EJBCA 3.7.0 to 3.7.1. Use the full package from EJBCA 3.7.1 and follow 
the upgrade instructions in UPGRADE.


Changes:
New Feature
     * [ECA-896] - CVC support for EC keys
     * [ECA-925] - Import of external CA certificates
     * [ECA-940] - possibility to use an EC key stored on a HSM

Improvement
     * [ECA-748] - Order certificates in view certificates with newest first
     * [ECA-927] - CVC requests should not include CARef if null
     * [ECA-928] - cvcprint cli command should handle verification of 
authenticated requests
     * [ECA-934] - Possible to authenticate CVC request by outer CA 
signature
     * [ECA-941] - Possible to download CA certrequests and certs as binary
     * [ECA-942] - possible to receive certiifcate requests and certs in 
binary format
     * [ECA-946] - Not possible to create CVC link certificates with 
soft CA tokens
     * [ECA-947] - Making certificate request from a CA should ask for 
CA cert of target CA
     * [ECA-948] - cvcrequest cli command should not automatically add 
end entities
     * [ECA-951] - Possible to set sequence of catoken manually

Bug
     * [ECA-926] - CVC requests can be assigned to wrong CA when 
sequence is same
     * [ECA-930] - cert-cvc: authenticated requests does not include 
CARef in TBS
     * [ECA-931] - getrootcert cli command does not work for CVC 
certificates
     * [ECA-932] - CVC requests from SubCAs does not have the target CA 
as CARef
     * [ECA-939] - Upgrade 3.6 to 3.7 cases error when autogenerated 
password are used
     * [ECA-943] - NullPointer when clicking Sign Certificate Request
     * [ECA-944] - Import soft CVCA does not set sequence
     * [ECA-945] - Not possible to delete admin entities with ' in name
     * [ECA-949] - Make certificate request button should not be 
available for external CAs
     * [ECA-956] - NullPointerException in LdapPublisher when base node 
does not exist

[Ejbca-news] Cert-cvc 1.2.8 released

[Tomas G. <to...@pr...>]

This release of the library for CV certificates, as used in EU EAC 
ePassport PKIs, adds support for HSMs for ECC signatures. There was wan 
issue in 1.2.7 that made the signatures not work when using an pkcs#11 
signature provider.

This in turn is because the EAC specification decided not to use the 
standard X9.62 signature format for ECC signatures.

Regards,
Tomas

[Ejbca-news] Cert-cvc 1.2.7 released

[Tomas G. <to...@pr...>]

This release of the CV certificate library, for EAC 1.11 ePassports, 
contains full support for both RSA and ECC algorithms.

This marks another milestone for ePassport support in EJBCA. The 
cert-cvc library now has full support and can be freely used by anyone 
under the LGPLv2 license.

Changes:
- Support for ECC keys and signatures, need BC version 1.41 which is 
included in svn.
- Fix bug where outer signature in authenticated requests did not 
include CARef in TBS
- Don't add caRef if not passed, or passed as null, to 
CertificateGenerator.
- Translations of Swedish javadoc to English.


Regards,
Tomas

[Ejbca-news] EJBCA 3.7.0 released

[Tomas G. <to...@pr...>]

We are very proud to release this first version of EJBCA with EU EAC 
ePassport support. This means support for CVC certificates, which are 
very different from X.509 certificates.

This is a major release, particularly focusing on support for CVC 
certificates as used in EU EAC ePassport PKI.
Read the changelog for details.

Notable changes in no specific order:
- Support for CV Certificates (CVC) for EU EAC ePassports, you can now 
build a CVC PKI for EU ePassport using EJBCA.
- Upgrade of jaxb jars using for Webservice API, and new WS-API calls.
- Support for error codes in Exceptions from Webservice API.
- New service to automatically renew expiring CAs.
- Possible to use IAIK PKCS#11 provider as well as Sun PKCS#11.
- Client Tool box with client CLI tools easy to deploy stand-alone on 
other machines.
- Minor fixes and enhancements.

For upgrade instructions, please see UPGRADE.
There are no database upgrades in this release.

Because there are binary files in EJBCA_HOME/lib changed there is no 
patch file for upgrading
EJBCA 3.6.x to 3.7.0. Use the full package from EJBCA 3.7.0 and follow 
the upgrade instructions in UPGRADE.

Changes:
-------
New Feature
* [ECA-792] - Support for CV Certificates (CVC) for EU EAC ePassports
* [ECA-811] - Possible to create certificate request from any CA
* [ECA-825] - WS-API call to get users last cert and chain
* [ECA-827] - Service to renew CAs
* [ECA-830] - Possible to use IAIK PKCS#11 provider instead of Sun
* [ECA-920] - Client tool box.

Improvement
* [ECA-819] - New WS-API call to get EJBCA version
* [ECA-871] - Enhance error management in EJBCA web services.
* [ECA-893] - Able to use TelephoneNumber and PostalAddress in DN and 
publish to LDAP attributes
* [ECA-915] - Display hostname on admin-GUI
* [ECA-923] - Use of EEP informations when using WS editUser.
* [ECA-929] - Handle error code if certificate revocation has been 
invoked twice.

Bug
* [ECA-813] - Upgraded profiles not saved until edited
* [ECA-829] - Advanced mode for log viewer is not working
* [ECA-832] - syscheck script sc_08_crl_from_web.sh shell problem
* [ECA-839] - Problem activating CA tokens for expired CAs
* [ECA-879] - Failure to create a new CA due to CRL creation failure
* [ECA-921] - EjbcaHealthCheck does not work on OC4J
* [ECA-924] - Language variable misspelled (name="UTF8")

[Ejbca-news] EJBCA 3.6.2 released

[Tomas G. <to...@pr...>]

After lots of work 3.6.2 is now released.

This is a minor release but with a record amount of fixes for a point 
release. New features, improvements and a lot of bugfixes
rounding a lot of rough edges.

Some very notable changes are:

- Major improvements to the External OCSP responder with more 
configuration options and
completely new Audit and Account logging. With the new, highly 
configurable, logging it is
suitable for using as a service charging for, and auditing, requests.
- New documentation feature with on-line documentation deployed in the 
Web interface by default.
Question mark links from options that are hard to understand in the 
Admin-GUI are now possible.
- Lots of improvements to the Admin-GUI with configuration for 
autogenerated passwords and fixing a lot of small GUI bugs and quirks.
- Fail over mechanism for the LDAP publisher.
- Improved documentation for more HSMs, Admin-GUI, etc.
- Improvements for other app servers apart from JBoss.
- MS document signing extended key usage, and tool for importing 
certificates from MS CA.
- Lots and lots of small bugfixes.
- Updated translations.

Read the changelog for details.

This is a plug-in upgrade from 3.6.x. See UPGRADE for the simple 
instructions.

Changes
-------
New Feature
* [ECA-348] - Option to generate non-exportable private keys in IE
* [ECA-739] - Accounting log on OCSP responder
* [ECA-740] - When requiring signed OCSP request, configure allowed issuers
* [ECA-865] - Add tool for importing certificates from a MS CA
* [ECA-876] - Generated documentation should be reachable from within 
the EJBCA Web GUI
* [ECA-908] - Support MS document signing extended key usage
* [ECA-914] - Configure if OCSP responses should use KeyId or Name as 
ResponderId

Improvement
* [ECA-390] - Make it possible to select password generation parameters 
for autogenerated user password
* [ECA-547] - Send custom certificate publisher information found in 
certificate or CRL.
* [ECA-640] - Popup window with valid ${Foo} variables near any field in 
which they can be used
* [ECA-657] - Import and export of end entity profiles should not have 
to depend on existing CAs.
* [ECA-696] - Import profiles improvement.
* [ECA-760] - Relocate 'p12' to 'ejbca-custom' if/when present (by default)
* [ECA-765] - Log whenever an attempt to activate a CA with the wrong 
activation code is made
* [ECA-789] - Display issuer in listcas cli command
* [ECA-790] - ejbcarawscli should print error message if it can not find 
the admin keystore
* [ECA-795] - Notifications are not editable, but looks editable.
* [ECA-810] - Make advanced search for ProtectedLog available
* [ECA-822] - Default healthcheck db query causes table scan
* [ECA-826] - EjbcaWsHelper makes double allocations when looking up 
remote beans
* [ECA-833] - Simple LDAPPublisher failover
* [ECA-854] - Remove confusing error message about not finding 
ejbca-custom directory when running ant
* [ECA-859] - Delta CRL generation message
* [ECA-870] - Accept PEM certificates with BEGIN TRUSTED CERTIFICATE
* [ECA-872] - Improve public page for CA certificate retrieval
* [ECA-874] - General JUint test improvements
* [ECA-880] - Better defaults and help for Freshest CRL Extension / 
DeltaCRLs
* [ECA-881] - Be able to drop the 0, O, l and 1 from the auto generated 
passwords
* [ECA-884] - Add approvalDN variables to add/edit end entity notifications
* [ECA-885] - Add email variables where possible for use in notifications
* [ECA-887] - Document how validity is assigned for a CA
* [ECA-913] - Configure if OCSP responses should include whoe cert chain 
or only signer

Task
* [ECA-702] - JDK 1.6 u4 causes EjbcaWS to stop working
* [ECA-796] - Add documentation on how to use EJBCA with GemSAFE Toolbox
* [ECA-805] - Update German translation

Bug
* [ECA-496] - When using a fixed Certificate Profile as template, the 
FIXED property is inherited.
* [ECA-682] - WS Cli error message is not good when it cannot find the 
.jks file
* [ECA-770] - Protected Log Device always sends 'missing row' email 
alerts when it shouldn't with MySQL using InnoDB
* [ECA-783] - During the last step if IE enroll, the URL-path is missing 
the "ejbca"-part.
* [ECA-788] - Bull TrustWay support
* [ECA-793] - Using of module protected keys with netHSM-500 failed
* [ECA-797] - Cannot activate a CA with a Safenet Luna SA Token.
* [ECA-798] - A card key or a soft key must be defined in order to run 
the P11 external OCSP responder.
* [ECA-802] - Exception when approving KeyRecovery
* [ECA-803] - PKCS10 requests from OCSP responder uses null attributes
* [ECA-806] - Equal error code contants in OCSPUnidResponse
* [ECA-809] - ocsp cli client can not sign requests
* [ECA-812] - EJBCA 3.6 does not deploy on Glassfish
* [ECA-815] - NullpointerException downloading CA certificated without CN
* [ECA-817] - Possible NullpointerException when no extended information 
exists for user
* [ECA-820] - Signing CMP responses does not work with most PKCS#11 HSMs
* [ECA-823] - Deadlock in ProtectedLogData with stresstest
* [ECA-824] - CA activation page does not display correct for Expired CAs
* [ECA-831] - High load on ProtectedLog might generate false alarm on MySQL
* [ECA-836] - Email notifications are not able to handle autogenerated 
passwords.
* [ECA-837] - PKCS10 with no attributes causes NullPointer exception
* [ECA-841] - ExtRA PKCS12 request does not work with approvals
* [ECA-843] - Some words not localizables in CA Activation
* [ECA-850] - CN name like 'Graham O'Regan' cannot be entered case 
sensitive in the 'Add Administrator'
* [ECA-851] - No messages are created during CA Activation
* [ECA-861] - Misdirected error output from "ra listusers" CLI to 
standard output
* [ECA-866] - Import of externally chained PEM failes
* [ECA-875] - Trying to reset Subject AltName or Email for a end entity 
fails
* [ECA-888] - Profiles allow you to enter things like 'Peter & Partners' 
in the O and OU field - but a 'Add Entity' will fail
* [ECA-889] - NPE when running TestEjbcaWS
* [ECA-895] - Batch generation doesn't work on initial user creation 
(WebUI / profiles)
* [ECA-898] - Incorrect initialization of NumberArray in 
EndEntityProfile causes annoying log output
* [ECA-901] - email modified in LDAP even if attributes should not be 
modified
* [ECA-902] - LdapSearchPublisher can not modify attributes
* [ECA-903] - LdapSearchPublisher uses Ldap DN instead of Cert DN to search
* [ECA-905] - java.lang.NullPointerException when creating new end 
entity with only end time, with end entity profile limitations enabled
* [ECA-909] - OCSP responder not working on Weblogic
* [ECA-911] - OCSP not responding for CAs that have been notified about 
expiration
* [ECA-912] - NPE on Glassfish on error.jsp in publiweb

[Ejbca-news] EJBCA 3.5.8 released

[Tomas G. <to...@pr...>]

EJBCA 3.5.8 is a minor release on the stable branch. You should only be
interesed in this if you are sticking with 3.5.x instead of moving to
3.6.x. And only if you have had any of the below small issues.

This is a plug-in upgrade from 3.5.x. See UPGRADE for the simple
instructions.

Changelog:
Improvement
* [ECA-845] - Attempt to revoke a certificate.user that is already 
revoked generates an error
* [ECA-847] - Option to Health Check to perform sign test on CA token

---
EJBCA is an enterprise class PKI Certificate Authority. EJBCA builds on 
the J2EE platform to create a robust, high performance, platform 
independent, flexible, and component based CA to be used standalone or 
integrated in any J2EE app.

[Ejbca-news] CVC Certificate library available

[Tomas G. <to...@pr...>]

We are very proud to announce this initial release of the Cert-cvc 
library developed by Keijo Kurkinen for the Swedish National Police 
Board and kindly donated to the EJBCA project.

The library handles CVC certificates for EAC ePassport PKIs.
The library is used in EJBCA to build support for CVC CAs.

This release is feature complete for EU EAC ePassports using RSA 
algorithm. ECC support is still not complete. Any help in the ECC area 
is welcome.

The library is freely usable under the LGPL 2.1 (or later) license for 
all parties interesting in handling CVC certificates, in particular for 
EU EAC ePassports.

The library source code can be downloaded the EJBCA sourceforge page:
http://sourceforge.net/project/platformdownload.php?group_id=39716

Building the library currently requires that one library from EJBCA 
(bcprov15.jar) is available. With this available issuing a simple 'ant' 
command will build the jar library file (which is already used in the 
EJBCA beta announced earlier today).

Regards,
EJBCA Team

[Ejbca-news] EJBCA gets support for EU EAC CVC certificates

[Tomas G. <to...@pr...>]

The Swedish National Police Board has contributed support for CVC 
certificates as used by EU EAC ePassport PKI to EJBCA.
EJBCA 3.7 will get complete support for building EAC PKIs.

For those interested, you can download a summer beta from:
http://www.primekey.se/~tomas/download/ejbca_3_7b6.zip

Documentation is already available on ejbca.org:
http://ejbca.org/cvccas.html

The CVC certificate library developed by the Swedish National Police 
Board will soon be available as full open source under the LGPL license 
to be used by any interested party.

Regards,
EJBCA Team

[Ejbca-news] EJBCA 3.5.7 released

[Tomas G. <to...@pr...>]

EJBCA 3.5.7 is a minor release on the stable branch. You should only be 
interesed in this if you are sticking with 3.5.x instead of moving to 
3.6.x. And only if you have had any of the below small issues.

This is a plug-in upgrade from 3.5.x. See UPGRADE for the simple 
instructions.

Changelog:
Improvement
     * [ECA-808] - Errors that should not be errors but info messages

Bug
     * [ECA-799] - Deadlock when running stress test that is revoking 
certificates
     * [ECA-800] - Importing certificate to CA with off-line token 
causes status to be wrong
     * [ECA-801] - CRL generation for CAs waiting for certificate 
response throws excepton
     * [ECA-807] - Error enrolling though SSL with client cert
     * [ECA-818] - NPE when issuing sparecard with cert without extended 
keyusage through HTMF


Regards,
EJBCA Team