EJBCA, JEE PKI Certificate Authority / News: Recent posts

EJBCA Community 6.1.1 Released

This is a maintenance release with new features, bug fixes and improvements. In all 32 issues have been fixed.
The biggest news in this release are support for EAC 2.10 access control templates, more OCSP improvements as
well as improvements for Key Recovery.

  • Noteworthy changes:
  • OCSP improvements and new features related to RFC 6960, minimizing size of OCSP responses (see note below).
  • Implemented OCSP signing algorithm including client requested algorithms.
  • CVC certificate profiles (ePassport PKI) now supports EAC 2.10 access control templates.
  • Improvements to Key Recovery enabling encryption key rollover and providing more information about encryption keys.
  • Windows build/install is now working.
  • ManagementCA created during a default install now uses SHA256WithRSA.
  • EJBCA now compiles (deployment/running not supported however) on WildFly 8 and Glasshish 4, also using Java 8.
  • EJBCA can now use certificate serial number longer than 64 bits.
  • Minor improvements and fixes to make life easier for everyone.... read more
Posted by Tomas Gustavsson 2014-04-07

EJBCA 6.0.3 released

PrimeKey is happy to announce that EJBCA Enterprise 6.0.3 has been released! This is a maintenance release – 21 issues have been resolved.
Running on the latest technology platforms, this PKI is faster, more resource efficient, more secure and more user friendly than ever. EJBCA Enterprise v.6 is so flexible it is suitable for any organization, cloud, social or mobile system.

EJBCA, the open source PKI, has been around for quite some time now, since 2001 to be exact. The last major release of EJBCA Community was EJBCA 4, which saw many updates up to the final release 4.0.16 in June 2013. EJBCA 5 was Common Criteria certified, and therefore never released to the public. After a long wait, and much development, EJBCA Community version 6 is now here.... read more

Posted by Tomas Gustavsson 2013-12-30

EJBCA 4.0.14 released

This is a maintenance release containing a few new features and improvements. In all 5 issues have been resolved.

* Noteworthy changes:
- Active certificates published to a VA publisher that only publishes revoked certificates are no longer stored in the queue.
- Publishers are cached for improved performance.
- New and fixed settings that makes EJBCA work better behind an Apache using ProxyPass, by David Carella.
- Some passwords are not displayed in the console during build anymore, by David Carella.... read more

Posted by Tomas Gustavsson 2013-02-15

EJBCA 4.0.13 released

We just released EJBCA 4.0.13 as an early gift from the EJBCA Team.

This is a maintenance release containing a few new features and
improvements. In all 25 issues have been resolved.

* Noteworthy changes:
- New self-registration work-flow available in the public web.
- Added extended key usage for WiFi EAP authentication.
- Some build improvements to avoid issues on some platforms (no
javascript, no jasper).
- More minor GUI improvements by David Carella of Linagora.
- Minor bug fixes.... read more

Posted by Tomas Gustavsson 2012-12-19

EJBCA 4.0.12 released

We are delighted to present a new release of EJBCA 4. EJBCA 4 continues to get new features and fixes and is state of the art PKI.

This is a maintenance release containing a few new features and improvements.

* Noteworthy changes:

- Possibility for External OCSP responder key renewal at absolute times.
- Certificate expiration notifier can now filter on certificate profiles, not only CAs.
- A publisher for sampling of issued certificates.
- Added user friendly output of certificate profile dependencies when deletion can not be done.
- A new language tool for developers and localizers, by David Carella of Linagora.
- OCSP rekeying now works on JBoss 6.1.0 and JBoss EAP5... read more

Posted by Tomas Gustavsson 2012-08-16

EJBCA 4.0.9 released

This is a maintenance release containing 1 security bug fix.

* Noteworthy changes:
- Fixed XSS issues in admin GUI.

Read the full Changelog for details.
For upgrade instructions, please see UPGRADE (in the release package).

Posted by Tomas Gustavsson 2012-02-13

EJBCA 4.0.8 released

This is a maintenance release with a few bug fixes and new features. In all, 16 issues have been resolvesd.

* Noteworthy changes:
- CMP: SenderKeyID no longer needs to be set in the request if it is not needed.
- CMP: KeyUpdateRequest works in RA mode as well as in client mode.
- CMP: It is now possible to skip verification of a CertConfRequest if desired.
- CRL: More efficient CRL download
- AdminGUI: Improvement in the appearance.
- Fixed few minor XSS issues and other minor bugs... read more

Posted by Tomas Gustavsson 2012-02-13

EJBCA 4.0.5 released

This is a maintenance release with a few improvements and bug fixes. In all 7 issues have been resolved.

* Noteworthy changes:
- Correct comparison of public key in HSM and CA certificate
- Fixed regression during republish
- Many small bug fixes.

Posted by Tomas Gustavsson 2011-11-03

EJBCA 4.0.4 released

We are proud to release EJBCA 4.0.4.

This is a maintenance release with a few new features and bug fixes. In all 33 issues have been resolved.

* Noteworthy changes:
- Improved CMP with many new authentication modules in both client and RA mode, and support for Nested content
- Support for custom certificate extensions with raw or RA defined values.
- Many small bug fixes.

With this update EJBCA has support for most use cases for CMP, including the new 3GPP standard.

Posted by Tomas Gustavsson 2011-10-06

EJBCA 4.0.3 released

This is a maintenance release with a few improvements and bug fixes. In all 5 issues have been resolved.

* Noteworthy changes:
- Improved CMP interoperability, with minor improvement and bugfixes.
- Fixed a bug that made it impossible to delete end entity profile on certain databases, in particular hsql (test database).

Read the full Changelog for details.
For upgrade instructions, please see UPGRADE.

Posted by Tomas Gustavsson 2011-06-01

EJBCA 4.0.2 released

This is a maintenance release with many improvements and fixes. In all 44 issues have been resolved.

* Noteworthy changes:
- Internal optimizations makes this the fastest version of EJBCA ever, capable of issuing > 400 certificates/second (depending on configuration).
- Certificate enrollment now works also with Safari and Chrome browsers.
- Support for PrivateKeyUsagePeriod certificate extension.
- Fixed a time zone bug issuing CVC certificates where the date was encoded using local timezone instead of GMT in certificates.
- More admin console and public web improvements from David Carella of Linagora.
- Now uses ISO8601 date format consistently when entering dates in admin console.
- Automatic generation of Norwegian UNID numbers from CMP requests.
- Many small bug fixes and improvements.... read more

Posted by Tomas Gustavsson 2011-05-22

EJBCA 3.11.2 Released

We have just released EJBCA 3.11.2.
This is a maintenance release containing 11 bug fixes, and 12 new features/improvements.

* Noteworthy changes:
- Several bug fixes
- Increased algorithm support on PKCS11 HSMs
- Added a webservice based RA written by Daniel Horn
- Possibility to disable the command line interface
- New CA CLI commands to import CRLs and certificates which are useful when migrating to EJBCA... read more

Posted by Tham Wickenberg 2011-04-29

EJBCA 4.0.1 released

We just released EJBCA 4.0.1. This release has a single fix, which
slipped through QA of 4.0.0. So far EJBCA 4.0.0 has been downloaded 400
times, and this is the only bug report so far.
I think it shows that IE is not so widely used by the EJBCA team, but it
shouldn't have slipper through QA nevertheless.

Changes:
- Fixed failure to perform web browser enrollment with Internet Explorer.

The release can be downloaded from the usual place, http://www.ejbca.org/.... read more

Posted by Tomas Gustavsson 2011-03-14

EJBCA 4.0.0 released

The PrimeKey EJBCA team is happy to announce
that a new generation of EJBCA is finally here. As always, you can
download the release from SourceForge
(https://sourceforge.net/projects/ejbca/).

In this release, the underlying framework has changed from Java
Enterprise Edition 2, to 5. EJBCA 4 will constitute the solid base for
EJBCA for the coming years. Together with major refactoring, the Java
Enterprise upgrade significantly improves the quality of the EJBCA code
and internal architecture, allowing for faster development time. The
tecnology upgrades also make way for the development of a new
Administration GUI and the integration with CESeCore [1].... read more

Posted by Tomas Gustavsson 2011-03-14

EJBCA 3.11.1 released

This is a maintenance release – 16 issues have been resolved. Only fixes and layout improvements, no new features.
This release fixes an upgrade issue from 3.6.x to 3.11.x and also a MySQL/MyISAM related issue in the 3.11.0 release.
A few uncaught regressions from 3.10.x and 3.11.0 were fixed, and as usual David Carella of Linagora added some
Admin GUI layout improvements.

Changes:
- It is now possible to easily upgrade from EJBCA 3.6.x to 3.11.x
- Fixed a MySQL mapping that did not work when using the MyISAM storage engine and UTF-8 encoding.
- ETSI QC value limit can now have the value zero.
- Admin GUI improvements from David Carella of Linagora.
- Added a favicon to the EJBCA web interfaces.
- Fixed an issue causing cached end entity profiles (not default) to be changed for some actions in the admin GUI.
- Fixed an issue where session information spilled over to other edits when using the "Back to certificate profiles" link.
- Fixed an issue where using the required flag on Cardnumber in a end entity profile gave error about missing unstructured address.
This also resolved an issue where the DN field Unstructured Address did not work.... read more

Posted by Tomas Gustavsson 2010-12-23

EJBCA 3.11.0 released

This is a major release with several new features – 47 issues have been resolved.
One major goal with this release is to prepare for a seamless migration to EJBCA 4.0. To make
the migration path to EJBCA 4.0 a simple plug-in upgrade, EJBCA 3.11 introduces database changes
needed to make the schema fully compatible and consistent across all supported databases.

Upgrade to EJBCA 3.11 should be simple as usual, just follow the instructions in doc/UPGRADE.... read more

Posted by Tomas Gustavsson 2010-11-29

EJBCA 3.10.6 and cert-cvc 1.2.12 released

We have friday the 26th november 2010 released EJBCA 3.10.6, in company with the cert-cvc
library version 1.2.12.

This release is a very small maintenance release intended mostly to mark
the end of the 3.10 branch, anticipating 3.11.0 to be released within a
few days.
If you are running 3.10.5 with no issues, there is no real reason to
upgrade to 3.10.6. A few people have been waiting for the only new
feature in this release, but for others there is nothing really exciting.... read more

Posted by Tomas Gustavsson 2010-11-29

EJBCA 3.10.5 released

EJBCA 3.10.5
-----------
This is a maintenance release with 37 issues resolved, both features and bug fixes.

Noteworthy changes:
- Fixed admin GUI error running on JBoss 5.
- Fixed some issues with audit and approvals when using admin certificates issued by an external CA.
- Harmonized admin GUI and improved looks. Contributed by David Carella of Linagora.
- Added and improved caches of profiles and CAs, improves performance. CLI for clearing caches.
- Fixed installation issue on Windows when JBoss installed in root directory.
- Fixed re-publishing of certificates when CertReqHistory is not used. CertReqHistory is enabled by default for new CAs.
- Updated German translation, contributed by Atos Origin.
- Support unrevocation using WS-API.... read more

Posted by Tomas Gustavsson 2010-09-21

EJBCA 3.10.4 release

This is a maintenance release with 23 issues resolved, both features and bug fixes.

Noteworthy changes:
- Possibility to specify custom certificate serial number for end entities.
- Possibility to configure CA to not use CertReqHistory to increase performance.
- Harmonized admin GUI and improved looks. Contributed by David Carella of Linagora.
- Other performance optimizations. More than 100 certificates per second can now be issued under certain conditions.
- WS API did not work with external administrator certificates.
- Mitigate potential XSS vulnerabilities in admin GUI.
- Fixed bug when creating CRLs for CAs with single quote in the DN.
- Other admin GUI improvements with better error messages in some cases.... read more

Posted by Tomas Gustavsson 2010-08-12

EJCBA 3.10.3 released

To have it out before the summer holidays we released EJBCA 3.10.3.

This is a maintenance release with only 6 issues fixed.
The release was primarily done to fix a regression for EAC CVC CAs using ECC keys.

Noteworthy changes:
- EAC CVC Document Verifiers using ECC keys did not work properly. This was fixed and new test cases was added to the test suite.
- Removed requirement to use “Batch generation” when using CMP RA mode.
- Fixed issue that revocation in admin gui did not work with CAs using accented characters.
- Added code to mitigate potential cross site scripting in admin gui. Note that client certificate authentication was still needed so it was not publicly exploitable.
- Added UTF-8 URI encoding for the public http port (8080). It was previously only enabled for the https ports.... read more

Posted by Tomas Gustavsson 2010-06-24

EJBCA 3.10.2 released

We proudly offer you EJBCA 3.10.2.

This is a maintenance release with a new features, improvements and several bug fixes. 36 issues in total have been resolved.

With this release 3.10.2 is the preferred release for all installations.
We believe that most regressions resulting from the large restructuring in 3.10.0 is resolved.

Noteworthy changes:
- CMP proxy module.
- Improved transaction isolation and performance in CMP.
- Improvements for JBoss 5.
- Possibility to Enforce unique SubjectDN Serial Number.
- Framework for validation of the contents of end entity fields.
- Fixed some regressions in the admin GUI related to cross certification and CV certificates.
- Possible to define custom CN of superadmin on install.
- Update pre-defined windows smart card logon profiles.
- Output the servers time to the first page of the Admin GUI.
- Supervision of the OCSP responder certificate validity in the standalone OCSP responder.
- Many minor bug fixes related to the big restructure in 3.10.0.
- Minor security enhancements. ... read more

Posted by Tomas Gustavsson 2010-06-17

EJBCA 3.10.0 released

We are proud to release EJBCA 3.10.0. An important stepping stone toward EJBCA 4.0. The code base is now in better shape than ever making a good platform for migration to the new technology in EJBCA 4.0.

This is a major release with lots of internal reorganisations, new features and fixes.

NOTE:
A user that is requesting a certificate with same public key or subject DN as an existing certificate issued to another user is now denied the
certificate. If this will result in any problem in your installation you may disable any of these checks on the "Edit CA" page. You can read
more about it in the user guide.... read more

Posted by Tomas Gustavsson 2010-03-26

EJBCA 3.9.5 released

We are proud to release EJBCA 3.9.5. We believe this is the best version of EJBCA to date.

This is a maintenance release with minor fixes and improvements.

Noteworthy changes:
- Fixed a performance regression for the OCSP service that could lower throughput from 400 to 200 req/s.
- Added process time parameter to OCSP transaction logging.
- Fixed and improved usage of the optional IAIK PKCS#11 provider.
- Improve sequence handing for EAC CVC CAs.
- Fixed a bug when renewing CA keys on HSMs.
- Fixed that you could not use a dot in pre-set usernames in end entity profiles.
- Added possibility to install directly with external admin CA, initializing authorization module in importcacert cli command.
- Added possibility to prompt for keystore password during install so you never have to write it anywhere. ... read more

Posted by Tomas Gustavsson 2010-03-05

EJBCA 3.9.4 released

This is a minor release with only a few minor fixes.

Noteworthy changes:
- Fixed a bug where OCSP responder would not return correct status for archived (expired) certificates.
- Fixed a regression for the (deprecated) SafeNet JCE CA token.
- Fixed a regression where you could not renew expired CAs
- It's not possible to renew soft ECC CA keys in the admin GUI
- All language files are now encoded in UTF-8
- Fixed corner cases where bogus CRLs and certs could be published to LDAP... read more

Posted by Tomas Gustavsson 2010-01-07

EJBCA 3.9.3

This is a minor release but packed with new minor features and fixes, 42 issues have been resolved.
Some minor features and options and some bug fixes and stabilizations.

Noteworthy changes:
- Fixed a regression in 3.9.2 where you could not upload files in the admin GUI.
- Certificate profiles can now specify a different signature algorithm than the CA. Useful to start migrating SHA1 CAs to issue SHA256 certificates.
- Possibility to use part of user data in LDAP DN but not in certificate DN when publishing certificate to LDAP.
- Possibility to set fixed end date of certificates in certificate profile and CA configuration.
- Possibility to configure several notification services for expiring certificates, notifying at different times, i.e. 30 days, 7 days, etc.
- Browser enrollment tested with Windows 7.
- ECC improvements and fixes for CAs and HSMs, CA renew keys, CA import, brainpool curves, explicit ec parameters, clientToolBox etc.
- GUI improvement to the admin GUI with nicer navigation menu and CSS. Contributed by Linagora, France.
- cert-cvc: fixed rare possibility to get bad encoding of EC points in certificates. Contributed by DGBK, Netherlands.
- CVC CA fixes and improvements for EAC PKI, approvals, import CAs, fix cli info command, .cvcert instear of .crt when downloading certs, etc.
- Don't publish certificates for inactive CA services to LDAP.
- Fix so renewing CA keys in admin GUI does not reload all CA tokens.
- Fixed an OutOfMemory error when failing to publish large CRLs with connection closed error.
- Fix download issues with IE for exported CA keystores.
- Many small optimizations, fixes and improvements.... read more

Posted by Tomas Gustavsson 2009-12-21