xca / News: Recent posts

XCA 2.0.0 released on GitHub

XCA moved to GitHub.
Please use the GitHub issue tracker for bugs, feature wishes or, even better, merge requests.

Homepage: http://hohnstaedt.de/xca

Download: http://hohnstaedt.de/xca/index.php/download
Changelog: http://hohnstaedt.de/xca/index.php/software/changelog

Github link: https://github.com/chris2511/xca

Posted by Christian Hohnstaedt 2018-04-10

XCA 1.4.0 released

This is mainly a maintenance release after a pause of over 2 years.

  • The default hash changed to SHA256 for security reasons. Databases with SHA1 as default hash will issue a warning when opening the database.
  • Support for the heavily changed API of OpenSSL 1.1.0 has been added.
  • The Windows and Mac OSX pre-compiled binaries now use Qt5 and OpenSSL 1.1.0

But also some small features and fixes sneaked into this release:...

Posted by Christian Hohnstaedt 2018-01-04

XCA 1.3.2 released

This is a patch release, fixing some bugs.
I added a (non-modal) OID resolver (Extra -> OID resolver) where you can enter the OID, the short name like "C", "ST", "O", "OU", or the long name like "commonName". If you ever wanted to know whether XCA supports a special OID, just enter it.

I also adapted the configure script and includes to detect and compile against Qt5.
Although these changes seem big for a patch release, they almost did not touch existing code....

Posted by Christian Hohnstaedt 2015-10-10

XCA 1.3.1 released

There was a bug resulting in a hanging application if a special combination of a CRL and a signing certificate existed in the database.
(CA subject == CRL signer, but CA key did not sign it)
This is fixed now.

Posted by Christian Hohnstaedt 2015-08-21

XCA 1.3.0 Released

I fixed some of the reported Bugs and added some of the demanded features.

Here is the changelog:

  • Update to OpenSSL 1.0.2d for Windows and MAC
  • SF Bug #105 1.2.0 OS X Retina Display Support
  • Digitally sign Windows and MAC binaries with a valid certificate
  • Refactor the context menu. Exporting many selected items
    to the clipboard or a PEM file now works. Certificate renewal and revocation
    may now be performed on a batch of certificates.
  • Feat. Reg. #83 Option to revoke old certificate when renewing
  • Refactor revocation handling. All revocation information is
    stored with the CA and may be modified.
    Revoked certificates may now be deleted from the database
  • Support nameConstraints, policyMappings, InhibitAnyPolicy, PolicyConstraint
    and (OCSP)noCheck when transforming certificates to templates or OpenSSL configs
  • Fix SF Bug #104 Export to template introduces spaces
  • Add option for disabling legacy Netscape extensions
  • Support exporting SSH2 public key to the clipboard
  • SF Bug #102 Weak entropy source used for key generation:
    Use /dev/random, mouse/kbd entropy, token RNG
  • SF Feat. Req. #80 Create new certificate,
    based on existing certificate, same for requests
  • Add Cert/Req Column for Signature Algorithm
  • SF Feat. Req. #81 Show key size in New Certificate dialog
  • Distinguish export from transform:
    • Export writes to an external file,
    • Transform generates another XCA item...

Posted by Christian Hohnstaedt 2015-08-11

XCA 1.2.0 Released

This release contains minor feature enhancements like

  • Add Row numbering for easy item counting
  • Support SSH2 public key format for import and export
  • Add support for SHA-224
  • Add "xca extract" to export items from the database on the command line

The Windows and MAC binaries of this release incorporate the OpenSSL 1.0.2a library.
It addresses the following issues, which could lead to segmentation faults in XCA....

Posted by Christian Hohnstaedt 2015-03-21

XCA 1.1.0 Released

This release fully supports EC and DSA keys on tokens. It contains several bugfixes and enhancements like:
- Distributed binaries with EC Brainpool curves
- Configurable Distinguished name input fields
- Quick search
- Export public/private keys to clipboard
- Runtime selectable application language

Posted by Christian Hohnstaedt 2014-11-22

XCA 1.0.0 Released

I finally got the time to make a new release.
Even though this actually is only a patch release fixing some bugs
I called it Version 1.0.0 since it is pretty complete and stable.

I hope the next release won't take more than 2 years...

Enjoy XCA

Posted by Christian Hohnstaedt 2014-10-23

OpenSSL Heartbleed (CVE-2014-0160) and XCA

In short

XCA is not affected at all by the Heartbleed vulnerability,
because it does not do any SSL/TLS related things.

Long version

The Windows/MacOSX version of XCA comes with an OpenSSL version (number) which is affected.
On unix-ish hosts XCA uses the OpenSSL library of the host system.

OpenSSL is split into 2 libraries:
1. The crypto library: libcrypto.so (libeay32.dll) containing all the X.509 crypto and hash functions
2. The SSL/TLS library: libssl.so (libssl32.dll) containing the HTTPS network code and the Heartbleed bug...

Posted by Christian Hohnstaedt 2014-04-11

XCA 0.7.0 released

There are several fixes in this release. The validation of certificate requests was made working again. During certificate creation xca notifies about duplicate v3 extensions. The default hashing algorithm was reset to SHA1, since too many applications can't handle SHA256 correctly, yet.

New features:
- PEM import feature added to paste or open a file and autodetect the content
- The subject of certificate requests can be modified before signing
- Arbitrary X509v3 extensions may be added by using the OpenSSL config file format on the "Advanced Settings" Tab
- A validation button computes and displays all extensions before creating the certificate...

Posted by Christian Hohnstaedt 2009-09-12

XCA 0.6.3 released

The release of XCA 0.6.3 comes with an options dialog where the following settings can be adjusted per database:
The default hash-algo can be set to SHA1 for all users with clients that cannot handle the current default of SHA256. Additionally, a list of mandatory distinguished name entries can be set to get warned if one of them is empty during certificate rollout.
Usually xca takes care that a key is only used once. Some people asked me to help them shoot themselves in the foot, so I added an option to use keys more than once.
The internal handling of umlauts was moved to UTF8. It may be possible that some of your key and certificate internal names show rubbish where non 7bit ASCII characters have been. This is no issue, since you can easily rename the items in question. This will not change its content....

Posted by Christian Hohnstaedt 2007-05-22

beta of xca 0.6.0 released

It needed some time to port XCA to QT4. This enables me to use a modern API and take advantage of the free Windows port of QT4 for free software.

A lot of new features were added, like v3 extensions for requests or the more convenient input dialogs for issuer-alternative-name and others.
The Certificate wizard got replaced by a tab dialog to enhance the usability. The switch to OpenSSL 0.9.8 enables the newer hashing algos SHA256 and SHA512. The storage type of the asymmetric keys (DSA is supported now, too) was changed. The private key remains encrypted in the db and is only decrypted on demand. The keys also may get protected by different passwords....

Posted by Christian Hohnstaedt 2007-02-02

Release of xca 0.4.6

This new version fixes some bugs in handling the command line options; in particular, it is again possible to select another database name.
The configure system was reduced to a small configure script, removing 1/3 of the needed disk space of the tar ball.
The dates in the created CRLs were changed to be compatible with Netscape.

Posted by Christian Hohnstaedt 2003-11-25

Release of XCA 0.4.5

This release implements the following feature requests:
1) Change Database password
2) Error messages can be copied to the clipboard
3) User can enter arbitrary key sizes for key generation

Posted by Christian Hohnstaedt 2003-08-14

xca release 0.4.4

Since 2 evil bugs popped up on the morning after the release, there is a new release today.
This release now uses UTC time for certificate dates.

Posted by Christian Hohnstaedt 2003-08-06

xca 0.4.3

This new release introduces the Multi import functionality and solves a certificate creation bug.
The ExtendedKeyUsage now contains VPN OIDs.

Posted by Christian Hohnstaedt 2003-08-05

XCA signing error

XCA does create malformed certificates under some circumstances:

When creating a certificate with XCA and selecting
"Authority Key Identifier" it takes the values from another
than the signing certificate.
This results in invalid certificates!!

All versions of xca from 0.4.0 to 0.4.2 are affected.
The 0.3 series is not affected.

Impact:
Dumb implementations like IE do easily ignore it, but
others like CISCO VPN routers or Mozilla do
reject such malformed certificates....

Posted by Christian Hohnstaedt 2003-08-04

Release of XCA 0.4.1

After a short testing period of the rewritten XCA 0.4.0
application there is a new version fixing some
grave bugs and introducing a cleaner use of default paths and the registry on the Windows OS.
Everybody is advised to upgrade from 0.4.0 to 0.4.1.

Posted by Christian Hohnstaedt 2003-07-15

Release of xca-0.4.0

After 2 months of hard work, rewriting
large code segments to make them more stable
and pretty, there is a new version solving all pending bugs and implementing some feature requests.
Please test it and report suggestions as well as bugs and feature requests.

The WIN32 version will be available soon.

Posted by Christian Hohnstaedt 2003-07-08

Release of xca 0.3.2

This version of xca has some enhancements for Windows, like the import of MS *.p7b files and use of the registry that enables the user to use
xca as "viewer" for cryptographic items. Also the UI got some small enhancements.

Posted by Christian Hohnstaedt 2003-05-17