EJBCA, JEE PKI Certificate Authority / News: Recent posts

EJBCA 3.9.2 released

We are proud to announce the release of EJBCA 3.9.2. We believe this is
the most stable release of EJBCA to date.

This is a minor release but packed with new minor features and fixes; 38
issues have been resolved. Some minor features and options and many bug
fixes and stabilizations.

Noteworthy changes:
- Sign and verify of files with clientToolBox when the private key is
stored on a HSM.
- Possible to limit signing keys for an external OCSP responder to keys
within a set of key aliases.
- Add support for the TSL signer extended key usage
- Use improved validity period parsing in Certificate Profiles
- Add option to use publisher queue or not for CRLs and certificates
- Document MS application policies extension
- Fixes for ejbcaClientToolBox.bat for windows platform
- Timeouts for LDAP publishers to handle unstable LDAP servers
- Fix issue where CRL service may stop running if database is stopped
for some period
- Change so that Issuing Distribution Point on CRLs is not used by
default in CA configuration
- Fix issue using IAIK provider with several CAs
- Fix slow revocation if a user has many certificates
- cert-cvc: getting expiration date returns 00.00 hours but it means
it's valid the whole day
- cert-cvc: bad encoding of EC points in certificates in rare cases
where affineX and affineY are not the same size
- Many small optimizations, fixes and improvements.

Posted by Tomas Gustavsson 2009-10-21

EJBCA 3.9.1 released

We are pleased to announce the release of EJBCA 3.9.1.

This is a minor release but packed with new minor features and fixes; 46 issues have been resolved.

Noteworthy changes:
- Improvements to public enrollment process including automatic renewal.
- Ability to specify approvals on certificate profiles.
- Configurable list of extended key usages.
- Dynamic update of max-age and nextUpdate for OCSP responders, also per certificate profile.
- In CRL update service you can select which CAs to generate CRLs for.
- Possible to schedule CRLs more often than hourly.
- Possible to remove soft CA key and possibility to import it back again.
- Possibility to remove passwords from properties files.
- Support for CRL distribution points with URIs containing semicolon.
- Transaction log for web service certificate issuance.
- Possibility to specify Any CA in end entity profiles.
- More flexible configuration of CA validity, years, months, days.
- Improved error message in GUI when HSM activation fails.
- Many small optimizations, fixes and improvements.

Posted by Tomas Gustavsson 2009-08-16

EJBCA 3.9.0 released

This is a major release adding many new features and improvements, and fixing numerous bugs.
126 issues have been resolved for this release. Check the changelog, there is a good chance that your favorite issue has been resolved.

Some noteworthy changes:
- Support for CAs using DSA keys. EJBCA now supports all major algorithms; RSA, DSA and ECDSA.
- External RA improvements. CA service running as an EJBCA service gives full cluster functionality and support for multiple external RAs.
As a bonus it is now much easier to install and configure.
- Robust re-publishing mechanism for publishers that fail, running as an EJBCA service.
- OCSP responder improvements with performance improvements and support for on-line renewal of OCSP responder keys and certificates.
The external OCSP responder can now saturate high performance HSMs.
- OCSP monitoring tool for monitoring synchronization between EJBCA and external OCSP responders.
- GUI for configuring the external OCSP publisher with new options.
- Possible to change OCSP signing keys in a running external OCSP responder.
- New commands and stress tests in the client toolbox.
- A new admin web gui front page with status overview panels.
- Possible to configure status of certificates issued for end entities, i.e. issue certificate revoked "on hold".
- New DN attribute, Name.
- Performance improvement by caching and lowering number of database queries.
- XKMS now works also on Java 6.
- Possibility to set user validity start and end time in WS API.
- Lots of small fixes and improvements to the admin GUI.
- Lots of small bugfixes.
- Keon CA to EJBCA migration guide.

Posted by Tomas Gustavsson 2009-06-05

EJBCA: 3.8.3 released

This is a minor release with only a few fixes.
Read the changelog for details.
- Fixed inability to deploy on PostgreSQL + Glassfish combination.
- Fixed possible extensive CPU usage for crafted messages to CMP RA service (not default config).
- Fixed ugly error message in LDAP publisher if no certificate to remove exists.

For upgrade instructions, please see UPGRADE.

Changes:
Improvement
* [ECA-1221] - Ugly error message in LDAP publisher if no certificate to remove exists

Posted by Tomas Gustavsson 2009-06-04

Cert-cvc 1.2.9 released

This small release, of the EAC ePassport CV certificate library, only enhances visibility of two constructors for easier usage from other code.

Changes:
- Changed visibility of constructor CVCertificate(CVCertificateBody, byte[]) to public.
- Changed visibility of KeyFactory.createInstance to public.

Posted by Tomas Gustavsson 2009-06-04

EJBCA: 3.8.2 released

EJBCA is an enterprise class PKI Certificate Authority built on J2EE technology. It is a robust, high performance, platform independent, flexible, and component based CA to be used standalone or integrated in other J2EE applications.

This is a minor release adding improvements and bugfixes
- Add street and pseudonym DN attributes.
- OCSP improvements, RFC 5019, nextUpdate, support for requests using GET, improved configuration and error handling.
- Correct coding of optional Issuing Distribution Point in CRLs.
- Possible to publish userPassword in LDAP.
- A few minor fixes.

Posted by J Eklund 2009-03-30

EJBCA 3.5.12 released

Note that 3.8.x is the recommended release. This is simply a maintenance update for users still running 3.5.x.

This is a minor release, fixing a performance issue with getCerts webservice call when a single user has lots of certificates, and
also an issue with authorization in UserDataSource.
- Optimize performance of findCerts WS call
- Serious bug in UserDataSource Authorization

Read the changelog for details.

Posted by Tomas Gustavsson 2009-03-13

EJBCA, J2EE PKI Certificate Authority: 3.8.1 released

EJBCA is an enterprise class PKI Certificate Authority built on J2EE technology. It is a robust, high performance, platform independent, flexible, and component based CA to be used standalone or integrated in other J2EE applications.

This is a minor release, targeted for adding support for JBoss 5 and fixing a mistake that caused install on Glassfish to fail.
It also adds a few minor improvements and bugfixes.
Read the changelog for details.
- Add support for JBoss 5.
- Fix support for Glassfish caused by a forgotten commit in 3.8.0.
- Improve support for Weblogic 10.3.
- Fix support for IPv6 subject alternative names.
- A few minor CMP, OCSP and CVC fixes.

Posted by Tomas Gustavsson 2009-01-29

EJBCA 3.5.11 released

This is a minor release, fixing two minor issues with webservice calls used by HardTokenMgmt.
- Change genTokenCertificates WS call behavior to not temporarily revoke certificates for MS logon
- Fix error in EJBCAWS.genTokenCertificate temporary cards aren't revoked properly

Read the changelog for details.

This is a plug-in upgrade from 3.5.x. See UPGRADE for the simple instructions.

Changes:
Improvement
* [ECA-778] - change genTokenCertificates WS call behavior to not temporary revoke certificates for MS logon

Posted by Tomas Gustavsson 2009-01-28

EJBCA 3.7.5 released

This is a minor release that makes a few minor changes in the CVC WS-API and adds a variable in OCSP audit log.
- Allow logging of REPLY_TIME in both audit and transaction logs
- Fixed CVC certificate requests with error leaves user status as new
- Fixed that cvcgetchain does not return latest cert
- Add Brazilian Portuguese translation of admin GUI
- A few minor bugs

Read the changelog for details.

Posted by Tomas Gustavsson 2009-01-19

EJBCA 3.8.0 released

This is a major release, particularly focusing on support for administrators to log in with certificates from other CAs,
not in EJBCA.
Read the changelog for details.

Notable changes in no specific order:
- Restructure administrator validation to allow admins using externally issued certificates.
- Add a CLI subcommand to add an administrator in an admin group using the serial number.
- Drop administrator flag in end entities, it's not needed, makes configuration easier together with remade admin GUI.
- Possible to generate CA PKCS#10 request without giving CA certificate.
- Add support for SEIS Card Number extension.
- Added KRB5PrincipalName subjectAltName.
- Option in certificate profiles for reversing DN order.
- Enroll for CV certificate on public web.
- Upload PEM or binary certificate requests on public web.
- Possible to sign releases and deployed code.
- Enhanced basic custom certificate extension.
- Command to list objects in Luna HSM partition.
- Some bug fixes.

Posted by Tomas Gustavsson 2008-12-15

EJBCA 3.7.4 released

This is a minor release that replaces 3.7.3 where initial install was broken. It has a few additional fixes from 3.7.3 as well.
- Substitute email from- and to- as well in user notifications
- Create a built-in Server certificate profile
- OCSP improvements

Read the changelog for details.

This is a plug-in upgrade from 3.7.x. See UPGRADE for the simple instructions.

Changes:
-------
New Feature
* [ECA-1024] - Substitute email from- and to- as well in user notifications

Posted by Tomas Gustavsson 2008-11-18

EJBCA 3.7.3 released

This is a minor release mainly put out to fix building on Glassfish that broke in 3.7.2.
- Fix on Glassfish that was broken in 3.7.2
- Glassfish support for PostgreSQL
- A couple of trivial fixes.

Read the changelog for details.

This is a plug-in upgrade from 3.7.x. See UPGRADE for the simple instructions.

Changes:
New Feature
* [ECA-1022] - Glassfish support for PostgreSQL

Improvement
* [ECA-1020] - External RA, clarify documentation about signing and encrypting using Scep RA
* [ECA-1021] - Fix the default ENDUSER Certificate Profile

Posted by Tomas Gustavsson 2008-11-07

EJBCA 3.7.2 released

This is a minor release with focus on making OCSP optimizations, introducing some minor features and fixing a few annoying bugs.

- Add Intel AMT extended key usage
- Optimize OCSP servlet for better performance
- OCSP responder improvements: reload of p11 when connection broken, return error if audit logging fails.
- CA certificates with SerialNumber in DN do not work with External OCSP
- WS-API, make matchtype contains work with matchwith username
- Key length changes when editing CA in admin-GUI
- Minor GUI fixes.

Posted by Tomas Gustavsson 2008-10-31

Cert-cvc 1.2.8 released

This release of the library for CV certificates, as used in EU EAC
ePassport PKIs, adds support for HSMs for ECC signatures. There was an
issue in 1.2.7 that made the signatures not work when using a pkcs#11
signature provider.

This in turn is because the EAC specification decided not to use the
standard X9.62 signature format for ECC signatures.

Posted by Tomas Gustavsson 2008-09-27

EJBCA 3.7.1 released

We are pleased to announce EJBCA 3.7.1. This release primarily focuses
on ePassport ECC support, but there are some other minor improvements in
there too.

This is a minor release with major focus on enhancements to CVC CA
support for EU EAC ePassport PKIs.
- Support for both RSA and ECC with all EAC algorithms.
- Interoperability fixes tested with other implementations at the Prague
2008 event.
- Usability enhancements for CVC PKIs, for example download and import
of binary certificates.
- Changes to the CVC cli to mimic the WS-API functions.
- Fixed that upgrade from 3.6 to 3.7 causes error when autogenerated
passwords are used
- Other minor bugfixes.

Posted by Tomas Gustavsson 2008-09-27

Cert-cvc 1.2.7 released

This release of the cert-cvc library for CV certificates, for EAC 1.11 ePassports, contains full support for both RSA and ECC algorithms.

Changes:
- Support for ECC keys and signatures, need BC version 1.41 which is included in svn.
- Fix bug where outer signature in authenticated requests did not include CARef in TBS
- Don't add caRef if not passed, or passed as null, to CertificateGenerator.
- Translations of Swedish javadoc to English.

Posted by Tomas Gustavsson 2008-09-01

EJBCA 3.7.0 released

We are very proud to release this first version of EJBCA with EU EAC ePassport support. This means support for CVC certificates, which are very different from X.509 certificates.

This is a major release, particularly focusing on support for CVC certificates as used in EU EAC ePassport PKI.
Read the changelog for details.

Notable changes in no specific order:
- Support for CV Certificates (CVC) for EU EAC ePassports, you can now build a CVC PKI for EU ePassport using EJBCA.
- Upgrade of jaxb jars used for Webservice API, and new WS-API calls.
- Support for error codes in Exceptions from Webservice API.
- New service to automatically renew expiring CAs.
- Possible to use IAIK PKCS#11 provider as well as Sun PKCS#11.
- Client Tool box with client CLI tools easy to deploy stand-alone on other machines.
- Minor fixes and enhancements.

Posted by Tomas Gustavsson 2008-08-28

EJBCA 3.6.2 released

This is a minor release but with a record amount of fixes for a point release. New features, improvements and a lot of bugfixes
rounding a lot of rough edges.
Some very notable changes are:
- Major improvements to the External OCSP responder with more configuration options and
completely new Audit and Account logging. With the new, highly configurable, logging it is
suitable for using as a service charging for, and auditing, requests.
- New documentation feature with on-line documentation deployed in the Web interface by default.
Question mark links from options that are hard to understand in the Admin-GUI are now possible.
- Lots of improvements to the Admin-GUI with configuration for autogenerated passwords and fixing a lot of small GUI bugs and quirks.
- Fail over mechanism for the LDAP publisher.
- Improved documentation for more HSMs, Admin-GUI, etc.
- Improvements for other app servers apart from JBoss.
- MS document signing extended key usage, and tool for importing certificates from MS CA.
- Lots and lots of small bugfixes.
- Updated translations.

Posted by Tomas Gustavsson 2008-08-20

EJBCA 3.5.8 released

EJBCA is an enterprise class PKI Certificate Authority. EJBCA builds on the J2EE platform to create a robust, high performance, platform independent, flexible, and component based CA to be used standalone or integrated in any J2EE app.

EJBCA 3.5.8 is a minor release on the stable branch. You should only be
interested in this if you are sticking with 3.5.x instead of moving to
3.6.x. And only if you have had any of the below small issues.

Posted by Tomas Gustavsson 2008-07-23

Cert-cvc 1.2.6 released

We are proud to announce this initial release of the Cert-cvc library developed by Keijo Kurkinen for the Swedish National Police Board.
The library handles CVC certificates for EAC ePassport PKIs.
The library is used in EJBCA to build support for CVC CAs.
This release is feature complete for EU EAC ePassports using RSA algorithm. ECC support is still not complete.

Posted by Tomas Gustavsson 2008-07-11

EJBCA: 3.5.7 released

EJBCA is an enterprise class Certificate Authority using J2EE technology. EJBCA builds on the J2EE platform to create a robust, high performance, platform independent, flexible, and component based CA to be used standalone or integrated in any J2EE app.

EJBCA 3.5.7 is a minor release on the stable branch. You should only be
interested in this if you are sticking with 3.5.x instead of moving to
3.6.x. And only if you have had any of the below small issues.

Posted by Tomas Gustavsson 2008-06-30

EJBCA 3.6.1 released

This is a minor release with a few new features, from EJBCA 3.5.6, and some minor fixes.
Apart from the fixes from EJBCA 3.5.6 nCipherHSM.sh now hides the password the user enters and
an index collision in profilemappings.properties is fixed. Also an error when enrolling with approvals
activated was fixed.

Read the changelog for details.

This is a plug-in upgrade from 3.6.x. See UPGRADE for the simple instructions.

Posted by Tomas Gustavsson 2008-05-02

EJBCA 3.5.6 released

This is a minor release, fixing a few bugs and adding a new activation page to the admin-GUI.
- New activation page to effectively be able to activate many CAs quickly
- Possibility to exclude CAs from monitoring by the HealthCheckServlet
- Improve generation of CRL with the CRL worker
- Fix bugs listing many log or user entries
- Fix WS issues and a few other issues affecting hard token administration

Posted by Tomas Gustavsson 2008-05-02

EJBCA: 3.6.0 released

EJBCA is an enterprise class Certificate Authority using J2EE technology. EJBCA builds on the J2EE platform to create a robust, high performance, platform independent, flexible, and component based CA to be used standalone or integrated in any J2EE app.

This is a major release with many new interesting features and framework improvements.
Read the changelog for details.
Notable changes in no specific order:
- New (optional) fully clusterable log system with advanced log signing.
- Support for more extensions (FreshestCRL, caIssuers, more extended key usages, multiple policy statements)
- More WebService API commands.
- Support for Oracle Application Server and Websphere, improvements for Weblogic.
- Support for DB2 database.
- Support for delta CRLs
- Auto-enroll certificates for Microsoft systems (see ejbca.org->Howto).
- Improved PKCS#11 support for HSMs.
- OCSP improvements, support for PKCS#11 HSMs on external OCSP responder.
- External RA improvements, better configuration and SCEP improvements.
- LDAP publisher improvements.
- User notification improvements.
- New Wiki web, wiki.ejbca.org.

Posted by Tomas Gustavsson 2008-04-07