XCA is not affected at all by the Heartbleed vulnerability,
because it does not do any SSL/TLS related things.
The Windows/MacOSX version of XCA comes with an OpenSSL version (number) which is affected.
On unix-ish hosts XCA uses the OpenSSL library of the host system.
OpenSSL is split into 2 libraries:
1. The crypto library: libcrypto.so (libeay32.dll) containing all the X.509 crypto and hash functions
2. The SSL/TLS library: libssl.so (libssl32.dll) containing the HTTPS network code and the Heartbleed bug...
There are several fixes in this release. The validation of certificate requests works again. During certificate creation, xca notifies the user about duplicate v3 extensions. The default hashing algorithm was reset to SHA1, since too many applications can't handle SHA256 correctly yet.
- PEM import feature added to paste or open a file and autodetect the content
- The subject of certificate requests can be modified before signing
- Arbitrary X509v3 extensions may be added by using the OpenSSL config file format on the "Advanced Settings" Tab
- A validation button computes and displays all extensions before creating the certificate...
The release of XCA 0.6.3 comes with an options dialog where
the following settings can be adjusted per database:
The default hash-algo can be set to SHA1 for all users with clients
that cannot handle the current default of SHA256. Additionally, a list of mandatory
distinguished name entries can be set to get warned if one of them is empty
during certificate rollout.
Usually xca takes care that a key is only used once.
Some people asked me to help them shoot themselves in the foot,
so I added an option to use keys more than once.
The internal handling of umlauts was moved to UTF8.
It may be possible that some of the internal names of your keys and certificates
show rubbish where non-7-bit ASCII characters have been. This is
no issue, since you can easily rename the items in question. This will not change
their content...
It needed some time to port XCA to QT4. This enables me to use a modern API and take advantage of the free Windows port of QT4 for free software.
A lot of new features were added, like v3 extensions for requests or the more convenient input dialogs for issuer-alternative-name and others.
The certificate wizard was replaced by a tab dialog to enhance the usability. The switch to OpenSSL 0.9.8 enables the newer hashing algos SHA256 and SHA512. The storage type of the asymmetric keys (DSA is supported now, too) was changed. The private key remains encrypted in the db and is only decrypted on demand. The keys also may get protected by different passwords...
This new version fixes some bugs in handling the command-line options; in particular, it is possible again to select another database name.
The configure system was reduced to a small configure script, removing 1/3 of the disk space needed by the tarball.
The dates in the created CRLs were changed to be compatible with Netscape.
This release implements the following feature requests:
1) Change Database password
2) Error messages can be copied to the clipboard
3) User can enter arbitrary key sizes for key generation
Since 2 evil bugs popped up on the morning after the release, there is a new release today.
This release now uses UTC time for certificate dates.
This new release introduces the Multi import functionality and solves a certificate creation bug.
The ExtendedKeyUsage now contains VPN OIDs.
XCA does create malformed certificates under some circumstances:
When creating a certificate with XCA and selecting
"Authority Key Identifier", it takes the values from a certificate other
than the signing certificate.
This results in invalid certificates!!
All versions of xca from 0.4.0 to 0.4.2 are affected.
The 0.3 series is not affected.
Dumb implementations like IE easily ignore it, but
others like Cisco VPN routers or Mozilla
reject such malformed certificates...
After a short testing period of the rewritten XCA 0.4.0
application, there is a new version fixing some
grave bugs and introducing a cleaner use of default paths and the registry on the Windows OS.
Everybody is advised to upgrade from 0.4.0 to 0.4.1
After 2 months of hard work, rewriting
large code segments to make them more stable
and pretty, there is a new version solving all pending bugs and implementing some feature requests.
Please test it and report suggestions as well as bugs and feature requests.
The WIN32 version will be available soon.
This version of xca has some enhancements for Windows, like the import of MS *.p7b files and use of the registry that enables the user to use
xca as "viewer" for cryptographic items. Also the UI got some small enhancements.