EJBCA 6.2 Release Notes

The PrimeKey EJBCA team is pleased to announce the feature release EJBCA 6.2.

The following covers information on new features and improvements in the 6.2.x releases:

Read the EJBCA 6.2 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 6.2.0

The biggest news in this release is a rework of the local CLI (command line interface), bringing the CLI up to the most modern standard with option handling and manual pages.

Noteworthy changes

  • Completely reworked command handling of local command line interface (CLI) (See note 2)

  • It's now possible to import and export Certificate and End Entity Profiles from the GUI

  • VA machines can be created using a CRL

  • Certificate and End Entity Profiles can now be imported and exported from the Web GUI

  • SCEP configuration has been implemented from the Web GUI

If you are customizing the EJBCA public web to be embedded in a frame, note that EJBCA now uses the X-FRAME-OPTIONS HTTP header, preventing web GUIs from being framed in modern browsers.

Some CLI commands have changed names, though legacy support for the old names still remains. Some commands have had to undergo syntax changes, and they are as follows:

  • General - Explicit password flag for CLI user password has been changed to '--clipassword'

All CLI commands' help pages can be summoned with the '--help' switch

  • CaImportCACommand - Command performs two different tasks depending on the number of arguments, which are mostly mutually exclusive and unswitched, hence impossible to identify.

  • CaImportCertCommand - The optional values e-mail, cert profile and ee profile must be used with a switch.

  • CaInitCommand - The catokenproperties is now optional (no need to substitute with null if unused)

  • CaRenewCACommand - The <regenerate keys> argument has been turned into a flag (-R), and a switch was added for the Custom Not Before value.

  • InternalKeyBindingCreateCommand - The "-property" switch is no longer needed. Instead optional properties are loaded dynamically, but must be entered with a "" preceding the property name.

  • InternalKeyBindingModifyCommand - Multiple "-addtrust" and "-removetrust" are no longer allowed; instead, a separator "," may be used. Also, the --property switch is no longer used; instead, properties are loaded dynamically and used as with InternalKeyBindingCreateCommand.

  • AddEndEntityCommand - The password parameter is now input with the --password flag; leaving it blank will prompt. subjectAltName and email have been made optional and equipped with flags. certificateprofile, endentityprofile and hardtokenissuer have been given flags. hardtokenissuer options won't appear at all unless hard tokens have been turned on.

  • Services - The -listFields|-listProperties switches have been turned into commands instead

  • ServiceCreateCommand/ServiceEditCommand - properties are sent in as a single command instead, at least until Services can be properly refactored and made more dynamic

Known issues

EJBCA 6.2.1


  • The autoactivate parameter for the CLI command 'cryptotoken create' has been changed from "A" to the more explicit "-autoactivate".

  • An XSS issue in the Public Web was patched

  • Regression: CPS and User Notice defined in Certificate Policy Extensions weren't being written to the relevant certificates

  • Regression: Soft keystores for CAs created using the CLI were always created with the default password

Known issues

One test failure on DB2: https://jira.primekey.se/browse/ECA-3298

EJBCA 6.2.10


This maintenance release contains 32 features, bug fixes and improvements; below is a selection of the most noteworthy. This branch was released in parallel with EJBCA 6.3.2.

New Features

  • Certificate Profile settings have been added for optimizing environments without certificate storage, both not storing certificates to the database at all (like the already existent CA setting) and for writing all meta data, but not the certificate itself.

  • A CLI command has been added to remove publishers and all references to those publishers.

Improvements

  • EJBCA was upgraded to BouncyCastle 1.52

Bug Fixes

  • Security: POP was not verified properly in WebService requests

  • Regression: HealthCheck can again be automatically set for new CAs

  • Regression: Certificate keyUsage was invalid when using the allowKeyUsage setting in certificate profiles.

  • Regression: Caching in crypto tokens could cause adhoc upgrades of OCSP responders to fail

  • Fixed an issue where deleting an HSM slot rendered the GUI unusable

Read the full Changelog for details. For upgrade instructions, please see UPGRADE.

A selection of known issues

  • One test failure on DB2: ECA-3298

  • CA Certificates using brainpool curves can't be imported from the CLI. GUI works though: ECA-4022

  • End entity profiles can't be deleted in high volume databases: ECA-4158

  • Some ECDSA key specifier missing in drop down menu for crypto tokens: ECA-4251

  • No HTTP Header 'Content-Type' in the Renew public web page: ECA-2844

EJBCA 6.2.9


This maintenance release contains 18 bug fixes and improvements; below is a selection of the most noteworthy.

Improvements

  • The main feature of EJBCA 6.2.9 is an optimization for certificate signing that has reduced certificate signing time by approximately 10% for low workloads and 70% for intensive workloads. Numbers are compared to EJBCA 5 and EJBCA 6.

Bug Fixes

  • A minor regression introduced in 6.2.7 where trying to create a Browser Certificate in the External RA GUI failed.

Read the full Changelog for details. For upgrade instructions, please see UPGRADE.

A selection of known issues

  • External RA GUI cannot handle SubCA certificates with critical CDP: ECA-2138

  • One test failure on DB2: ECA-3298

  • Regression: Healthcheck is not enabled for new CAs by default: ECA-3999

  • CA Certificates using brainpool curves can't be imported from the CLI. GUI works though: ECA-4022

  • End entity profiles can't be deleted in high volume databases: ECA-4158

  • JDK patches for RSAWithMGF1 is not working on newer java: ECA-4175

EJBCA 6.2.8


The goal of this release has primarily been optimization of our OCSP responder, fixing usability issues, tightening up security and heavy GUI testing. We've also snuck in a brand new feature which web service users may find useful.

Improvements

  • OCSP responder has been widely optimized.

  • OCSP responder now caches SCTs, improving response times when using Certificate Transparency.

  • EJBCA has been upgraded to use BouncyCastle 1.51

  • HealthCheck memory monitor now reports on total amount of free memory instead of allocated free memory.

New Features

  • Web service calls for issuing certificates can now override EJBCA's default subject DN order with their own.

Bug Fixes

  • A minor security escalation issue has been fixed affecting explicit rule access denial.

Read the full Changelog for details. For upgrade instructions, please see UPGRADE.

A selection of known issues

  • External RA GUI cannot handle SubCA certificates with critical CDP: ECA-2138

  • One test failure on DB2: ECA-3298

  • CA Certificates using brainpool curves can't be imported from the CLI. GUI works though: ECA-4022

  • A base64 decoder exception is thrown when inspecting a specially-crafted CSR: ECA-4071

EJBCA 6.2.7


This, the first release of 2015, is a minor release primarily geared towards optimization and stabilization of the 6.2 branch. We have primarily optimized GUI behavior in regard to cryptotokens referencing many keys, as well as sorted out some documentation issues. QA procedures have also been revised and improved, which is why the "known issues" list below is longer than in previous releases.

All in all, 24 issues have been fixed or implemented for this release.

Behavior of OCSP responder has been changed slightly in order to improve performance. Status of the OCSP signing certificate's CA is now only checked when the cache is reloaded, instead of at every request. If unsure how long the timeout is set for, check the value ocsp.signingCertsValidTime in ocsp.properties.

Read the full Changelog for details. For upgrade instructions, please see UPGRADE.

A selection of known issues

  • External RA GUI cannot handle SubCA certificates with critical CDP ECA-2138

  • One test failure on DB2: ECA-3298

  • ant install is known to fail on Windows machines running JDK >= 7.21 ECA-3602

  • Wrong CA key used when decrypting SCEP requests ECA-3807

  • Importing an externally produced certificate with empty DN fields fails ECA-4018

  • CA Certificates using brainpool curves can't be imported from the CLI. GUI works though. ECA-4022

EJBCA 6.2.6.8


EJBCA 6.2.6.8 is a patch release for ECA-2842 and ECA-2843, out of the box support for the OtherNames xmppAddr and srvName in subject alternative name.

EJBCA 6.2.6.7


EJBCA 6.2.6.7 is a patch release for ECA-5322, Ability to use variables in email subject for email expiration service.

EJBCA 6.2.6.6


EJBCA 6.2.6.6 is a patch release for ECA-5279, Adding support for RegisteredID subject alternative name.

EJBCA 6.2.6.5


EJBCA 6.2.6.5 is a patch release for ECA-4947

EJBCA 6.2.6.4


EJBCA 6.2.6.4 is a patch release for ECA-4885

EJBCA 6.2.6


EJBCA 6.2.6 is a maintenance release, primarily fixing two major issues and quite a few smaller ones.

Noteworthy changes

  • The OCSP default responder behavior introduced in 6.2.4 was buggy when CAs were set as the default responder. ECA-3969

  • Saving symmetric keys in a crypto token caused the GUI page to crash ECA-3933

  • A bug preventing CertSafe publisher creation was fixed ECA-3958

  • For certificate profiles only specifying a single keylength, the default keylength was used instead ECA-3935

  • SSLv3 protocol has been disabled for use in JBoss7 due to the POODLE vulnerability ECA-3862

All in all, 23 issues have been fixed in this release.

Known issues

  • One test failure on DB2: ECA-3298

  • ant install is known to fail on Windows machines running JDK >= 7.21 ECA-3602

EJBCA 6.2.5


This minor release mainly centers around a bug found in the upgrade procedure when automatically upgrading CATokens to modern CryptoTokens. Due to a bug in 4.0.x, working CATokens could be created even with incorrect configurations, and these were then incorrectly processed. Since 6.2.5 the upgrade procedure will fail gracefully, allowing administrators to fix the configuration before proceeding.

Also, the CT log publisher will now use the Java system settings for http_proxy, which were previously ignored.

Known issues

EJBCA 6.2.4


This is a maintenance release introducing two new features, foremost of which are Private Domains for the Certificate Transparency (CT) Protocol and a change in the behavior of the OCSP default responder. All in all, 19 issues have been fixed.

Noteworthy changes

  • The OCSP default responder is now configurable from the GUI. Old configurations in ocsp.properties will automatically be migrated, and the configuration line should be removed from ocsp.properties.

  • The OCSP default responder will now reply for all external CAs that don't have a specific OCSP keybinding set. See UPGRADE document and documentation for further information.

  • CertSafe publisher now works in JDK6

  • An annoying but harmless error message which appeared in ant install has been removed.

Known issues

  • One test failure on DB2: ECA-3298

  • SSLv3 is still available for use, but is considered vulnerable due to the POODLE exploit

EJBCA 6.2.3


This is a maintenance release with a new feature, a couple of major and some minor bug fixes and improvements. All in all, 8 issues have been fixed.

Noteworthy changes

  • Regression: The new Certificate Profile GUI page caused information from one profile to bleed into others due to incorrect scoping

  • Regression: The install command failed if a certificate profile or token properties file was specified in install.properties due to a couple of missing switches

  • New functionality: A publisher for Cert-Safe has been implemented

Read the full Changelog for details. For upgrade instructions, please see UPGRADE.

Known issues

EJBCA 6.2.2


This is a maintenance release with one new feature, some minor bug fixes and minor improvements. All in all, 23 issues have been fixed.

Noteworthy changes

  • The OCSP responder now supports requests containing Certificate IDs hashed in SHA256

  • A minor regression where Certificate and CRL caches were not automatically refilled after server restart

  • CLI no longer prompts twice when asked to prompt for the CLI password

  • Several issues improving the upgrade procedure

  • An information leakage issue in the public web concerning end entities sharing the same keys

Read the full Changelog for details. For upgrade instructions, please see UPGRADE.

Known issues

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 6.2.0-6.2.10.1, refer to our JIRA Issue Tracker.

Issues Resolved in 6.2.0

Released on 18 June 2014

Bug Fixes

[ECA-3216] - Return unsigned response "unauthorized" when no default responder configured, or wrongly configured
[ECA-3299] - OCSP request signer verification does an additional database lookup
[ECA-3454] - Inconsistent skip options for state dump import
[ECA-3481] - Minor security hardening
[ECA-3489] - Fail fast creating CVCCAs when unique certificatedata_idx12 is enabled
[ECA-3492] - renameRole() tries to change primary key and triggers a HibernateException
[ECA-3495] - The public part of a key is still on the P11 token after the private part is removed.
[ECA-3496] - java.lang.IndexOutOfBoundsException when selecting empty crypto token for internal key binding
[ECA-3499] - Overwriting a CA with StateDump can leave cert/ee profiles in an invisible state
[ECA-3506] - ejbca-ws-generate target missing dependencies
[ECA-3517] - "Lock wait timeout exceeded" when disabling multiple access rules with MariaDB Galera
[ECA-3518] - NPE if only period length is provided for private key usage period
[ECA-3521] - Certificate & End-Entity Profiles with missing CAs become invisible, even for superadmin
[ECA-3534] - NullPointerException when adding a user without password
[ECA-3535] - State dump unselects "Any CA" from profiles during import
[ECA-3536] - ejbca-db-cli does not work since change to use ServiceLocator
[ECA-3537] - Clean up exception handling in CertificateCreateSession
[ECA-3551] - Certificates are not submitted to CT when generated from CLI, etc.
[ECA-3582] - CMP can not handle some valid CSRs.
[ECA-3587] - Update default Modifiable Fields in User Data Sources
[ECA-3588] - Regression: PrintableString encoding for DNs does not work
[ECA-3594] - Security related
[ECA-3596] - Creating limited CertificateData fails with certain databases
[ECA-3605] - Error when trying to create authenticated CVC CSR

Improvements
[ECA-631] - Enforce naming constraints present in CA-certificates
[ECA-2126] - Certificates that are issued in revoked state should never be active
[ECA-2690] - Create a CLI parameter handler
[ECA-3320] - Simpler format for specifying CA validity dates
[ECA-3468] - Implement statedump Subject DN renaming properly inside EJBCA
[ECA-3477] - Give focus to incorrectly marked fields in edit CA page
[ECA-3482] - Minor security hardening
[ECA-3483] - Minor security hardening
[ECA-3484] - Minor security hardening
[ECA-3490] - ICAO Master List Signer extended key usage
[ECA-3491] - Allow system tests to target non-localhost interface
[ECA-3494] - Suppress repeated OcspSigningCache warnings
[ECA-3502] - Allow system tests to use HSM when available
[ECA-3503] - SSB cached in CertificateCache
[ECA-3509] - ExternalRA: Oracle Database Support in database mapping setup
[ECA-3510] - Replace references to java.util.Vector
[ECA-3513] - Audit log when a CT pre-certificate is generated and sent to a log
[ECA-3515] - SCEP: Rewrite the configuration process to use one URL and multiple aliases
[ECA-3516] - SCEP: Implement configuring SCEP in the AdminGUI
[ECA-3519] - Minor security hardening
[ECA-3524] - Improve memory usage during CRL generation
[ECA-3525] - Do not use the HSM for hashing when signing data
[ECA-3531] - SCEP: Remove DefaultCA configuration
[ECA-3532] - Fix documentation of the command "ejbca.sh config cmp uploadfile"
[ECA-3538] - clientToolBox p11 test multiple times in same jvm, to test if objects on a p11 token can be updated from another application.
[ECA-3540] - External RA: Oracle Database mapping support in RA GUI
[ECA-3544] - Make error messages and success messages easier to distinguish
[ECA-3547] - GUI: Better item order for the System Functions menu
[ECA-3555] - CLI: able to list key bindings with non existing cryptotokens
[ECA-3557] - Add simplified CAInfo constructors
[ECA-3561] - Request subCA certificate from external CA without uploading the chain
[ECA-3565] - Rewrite Certificate Profile page in JSF
[ECA-3566] - Encapsulate HashID properly
[ECA-3569] - Effectivize the reloading of CaCertificateCache
[ECA-3572] - Use JavaScript for certificate installation redirect in public web
[ECA-3579] - Remove CERT_TEMP_REVOKED since it's not used

New Feature
[ECA-688] - Import / Export profiles from WebUI
[ECA-2114] - Rename EJB CLI for fetching CA certificates from getrootcert to getcacert
[ECA-3109] - Add native support for Name Constraints
[ECA-3123] - ICAO DocumentType List certificate extension
[ECA-3124] - Add the Issuer Alternative Name certificate extension to the GUI
[ECA-3530] - Ant targets for creating source and binary releases of CESeCore
[ECA-3542] - Support for IE11 in Public Web
[ECA-3543] - Support IE11 in External RA GUI
[ECA-3559] - Service for populating database with revocation status of certificates from CRL
[ECA-3584] - Choice of token type in Public Web self-registration page

Task
[ECA-3394] - French language files updated for the new functionalities
[ECA-3419] - CAAdminSessionBean.exportCAKeyStore throws Exception
[ECA-3478] - Have all system tests write results to the same directory
[ECA-3546] - French language files updated for SCEP Configuration
[ECA-3420] - Convert all EJB CLI commands to the new standard

Issues Resolved in 6.2.1

Released on 6 August 2014

Bug Fixes

[ECA-3589] - First CRL not created when initialising root CA after statedump import
[ECA-3613] - Regression: The CLI doesn't parse the value ca.name from install.properties if it contains spaces.
[ECA-3615] - SECURITY: Security issue
[ECA-3617] - Allow Enterprise Edition to run system tests sans Statedump
[ECA-3620] - Import/export profiles rendered during unrelated operations
[ECA-3621] - Can't save or initialize uninitialized (= statedump imported) externally-signed CA
[ECA-3635] - Regression: Missing user notice and CPS in certificate policy extensions
[ECA-3643] - Autoactivate switch in CryptoTokenCreateCommand is obfuscated
[ECA-3645] - CLI complaining about unknown CA with id 0 (Improve output for unbound admins)
[ECA-3648] - Importing certificate - no email specified error
[ECA-3650] - Changing the Subject DN on an uninitialized (=statedump-imported) CA causes all extended services to be lost
[ECA-3661] - Statedump can't import PKCS#11 cryptotokens with slots referenced by label
[ECA-3664] - Invalid key specification for uninitialised key after importing a statedump
[ECA-3670] - Fix exceptions when excluding system/cmp/admin config in statedump
[ECA-3675] - Not all defined external RA datasources added in persistence.xml
[ECA-3679] - Regression: CA soft keystore pwd is always default when creating CA using CLI
[ECA-3685] - Int to Long cast exception upgrading OCSP

Improvements

[ECA-3501] - Create CryptoToken key aliases (needed for InternalKeyBindings) during statedump import
[ECA-3592] - Update CA IDs for uninitialised CAs when saving
[ECA-3606] - Make HSM system tests configurable
[ECA-3618] - Configurable environment for testAdminWebSecurityHeaders
[ECA-3622] - Fix cosmetic issues with statedump
[ECA-3624] - Hide Name Constraint textboxes for external CAs without keys
[ECA-3625] - Handle external CAs (=without keys) in Statedump
[ECA-3626] - Proper setup of environment for testAuthenticationWithMissingCertificate
[ECA-3630] - Allow importing Key Bindings in statedump even when key aliases are missing
[ECA-3638] - Don't include external CAs in statedump export by default
[ECA-3640] - Modifying uninitialised CAs (from statedump) even if keys are missing/crypto token is offline
[ECA-3662] - Don't export end-entity passwords from statedump
[ECA-3663] - Don't export crypto token auto-activation passwords in statedump
[ECA-3665] - Import all crypto tokens in inactive state during statedump import
[ECA-3666] - Better error message during statedump export if crypto token is offline
[ECA-3667] - Show warnings during statedump export for exclude patterns that did not match anything
[ECA-3668] - Improve options format of statedump tool
[ECA-3669] - Better warning/error output in statedump utility
[ECA-3677] - Do not allow export of CA keystores not protected by password
[ECA-3689] - Improve parameter naming per internal suggestions

New Features

[ECA-3636] - Statedump CLI command to initialize statedump-imported CA
[ECA-3637] - Ability to limit what is exported in statedump
[ECA-3639] - Placeholders for keys in crypto tokens imported via statedump
[ECA-3642] - Include end entity information in statedump

Issues Resolved in 6.2.2

Released on 3 September 2014

Bug Fixes

[ECA-3683] - Statedump: For an uninitialised CA, it appears in its own list of possible issuers.
[ECA-3687] - Error upgrading old installations to JBoss 7 (jboss serialization)
[ECA-3692] - Regression: Certificate and CRL store download pages empty after server restart
[ECA-3695] - 100% upgrade from EJBCA 4 to 6 fails on CertificatePolicy
[ECA-3696] - If there are Ocsp key binding with messed up certificate, you can get NPE
[ECA-3698] - Clear all caches makes crypto tokens off-line
[ECA-3714] - Authority Information Access is deselected in Certificate Profiles under some circumstances when upgrading from EJBCA 4 to EJBCA 6
[ECA-3721] - Import of internal key bindings via statedump requires crypto token to be online
[ECA-3725] - EJBCA CLI prompts twice for the CLI password when using -p
[ECA-3727] - Deprecated (null) extended key usages visible in Certificate profile
[ECA-3729] - Statedump: Properties object is copied the wrong way when generating cryptotoken keys from a template
[ECA-3730] - Not finding some OCSP request signer certificate in DB
[ECA-3732] - clientToolbox ocsp test was not updated after that the root certificate was removed from the certificate chain in the OCSP response.
[ECA-3733] - cryptotoken create command requires attr flag
[ECA-3735] - Statedumped end entities do not keep clear password settings
[ECA-3736] - Unable to "Save and Initialize" externally-signed sub-CA imported via statedump
[ECA-3744] - InternalKeyBindingCreateCommand misses a null check for missing cryptotokens

Improvements
[ECA-3688] - "ant build" fails on JBoss EAP 6.2 installed via RPM package from Redhat repositories
[ECA-3690] - Possible information leakage
[ECA-3691] - Improve message when profile changes name during work in the GUI
[ECA-3707] - Do not generate non-active XKMS and CMS certificates as it can violate name constraints

New Features
[ECA-3149] - OCSP responder support for CertId using SHA256 in OCSP requests

Task
[ECA-3703] - Upgrade tomahawk to latest 1.1.14

Issues Resolved in 6.2.3

Released on 25 September 2014

Bug Fixes

[ECA-3749] - Batch generation information for end entities in statedumps ignored during import
[ECA-3755] - Regression: Modifying approval settings when editing a certificate profile is broken
[ECA-3760] - Possible ClassCastException when using Subset of SubjectDN in Certificate Profile
[ECA-3763] - InternalKeyBinding.getListOfTrustedCertificates trusts everything if specified with a non existing certificate
[ECA-3765] - ca init command in cli.xml is missing two switches
[ECA-3779] - Values from first loaded certificate profile is shown and saved when editing other profiles
[ECA-3783] - Statedump can not export (custom)publisher where all classes are not on statedump classpath

New Feature
[ECA-3437] - Cert Safe Publisher for EJBCA

Issues Resolved in 6.2.4

Released on 29 October 2014

Bug Fixes

[ECA-3633] - CMP response caPubs field contain entity certificate instead of CA certificate
[ECA-3657] - RA administrator, failure while Approvement
[ECA-3716] - Regression: Externally imported CAs appear in list of signers when creating a CA
[ECA-3718] - Fix using trusted certificates in Internal Key Binding
[ECA-3776] - Prevent API call from setting InternalKeyBinding status to "active" if there is no referenced certificate
[ECA-3814] - getcacert does not return CA Certificate
[ECA-3822] - CertSafePublisher.testConnection doesn't test URL properly
[ECA-3834] - CertSafePublisher does not work under JDK6
[ECA-3845] - Certificate Transparency, not selecting any CT log passes issuance even if Min SCTs is 1
[ECA-3853] - AKID is different from CA SKID in CRLs, if not using SHA1
[ECA-3868] - Attempting to use a non-ocsp certificate for an OCSPKeyBinding fails silently

Improvements
[ECA-3826] - ant install shows annoying but harmless error messages
[ECA-3843] - Create a link from basic access rules page to documentation
[ECA-3848] - Shift GlobalConfiguration* to CESeCore, make plugin friendly
[ECA-3860] - New call to get registered global configuration types
[ECA-3889] - Allow more than one IKB renewal per second

New Features
[ECA-3580] - Certificate Transparency: Private Domains
[ECA-3794] - Default OCSP responder improvements

Task
[ECA-3801] - Enterprise feature

Issues Resolved in 6.2.5

Released on 14 November 2014

Bug Fixes

[ECA-3901] - Possible NPE when debug is enabled
[ECA-3906] - Missing key in CryptoToken for mapped purpose in CAToken will hang healthcheck
[ECA-3907] - CAToken to CryptoToken upgrade failure
[ECA-3909] - InternalKeyBindingMgmtSessionBean.generateNextKeyPair fails if nextKey already exists

Improvement
[ECA-3723] - Allow verbose preference for CLI
[ECA-3866] - JavaDoc CLI enums
[ECA-3905] - Add instructions how to import certificate profiles in GUI
[ECA-3915] - External RA GUI browser enroll does not work with FF 33 and later

New Feature
[ECA-3900] - Allow CT log publisher to use HTTP Proxy java system settings

Issues Resolved in 6.2.6

Released on 3 December 2014

Bug Fixes

[ECA-3608] - EJB CLI cryptotoken create command issues
[ECA-3828] - Regression: HttpMethodsTest and WebdistHttpTest test failures
[ECA-3862] - Security Issue
[ECA-3931] - Key recovery fails when user data has changed CA
[ECA-3933] - Symmetric keys in crypto token's HSM slot prevent listing of slot keys
[ECA-3935] - Regression: Wrong key length used when creating keystore from public web
[ECA-3936] - Extra space at end of line in transaction log.
[ECA-3937] - Result of stand-alone JUnit tests are discarded during ant test:run
[ECA-3943] - Fix ServiceManifestBuilderTest
[ECA-3944] - superadmin.cn value lacks quotes in cli.xml
[ECA-3948] - OCSP log values ISSUER_NAME_DN and SIGN_ISSUER_NAME_DN contain SERIALNUMBER= instead of SN=
[ECA-3958] - Cannot create new CertSafe publisher
[ECA-3969] - Default OCSP responder is not used for external CAs without OCSP key binding
[ECA-3972] - PKCS#11 keys aren't extractable when they should be

Improvements
[ECA-3916] - WS: Return the EndEntity/Certificate profile of a specific profile ID
[ECA-3927] - Make systemtests.properties available to peer module and PKCS#11 system tests
[ECA-3938] - Add a regression test for ocsp.nonexistingisrevoked
[ECA-3942] - Improve logging of ServiceManifestBuilderTest failures
[ECA-3954] - Improve the properties output of InternalKeyBindingListCommand to show default property values
[ECA-3956] - OCSP response if the requested certificate is revoked is identical in logs to case where issuer of signing cert is revoked.
[ECA-3967] - Update httpclient and httpcore to latest version

New Features
[ECA-3939] - Add EV Certificate specific DN components

Issues Resolved in 6.2.6.8

Released on 26 September 2016

New Features

[ECA-2842] - Add SAN SRVName OtherName for XMPP Client certificates (RFC 6120)
[ECA-2843] - Add SAN XmppAddr OtherName for XMPP Client certificates (RFC 6120)

Issues Resolved in 6.2.6.7

Released on 8 September 2016

New Features

[ECA-5322] - Ability to use variables in email subject for email expiration service

Issues Resolved in 6.2.6.6

Released on 1 August 2016

New Features
[ECA-5279] - Support RegisteredID in subject alternative name

Issues Resolved in 6.2.6.5

Released on 22 March 2016

Improvement
[ECA-4947] - Resetting an end entity password after key recovery should not require 'Edit End Entities'-rights

Issues Resolved in 6.2.6.4

Released on 10 March 2016

Bug
[ECA-4885] - Key recovery requires 'Edit End Entities'-rights

Issues Resolved in 6.2.7

Released on 14 January 2015

Bug Fixes

[ECA-3902] - Update EJBCA user guide documentation
[ECA-3973] - OCSP key renewal for all keys leads to NPE when logging
[ECA-3977] - Regression: CMP algorithmId lacking DERNull when using PKCS#11
[ECA-3978] - End entities aren't sorted in statedump output
[ECA-3983] - External CAs turn up on the "CA Activation" list.
[ECA-3991] - CertTools.stringToBcX500Name fails for sn=#foo
[ECA-3994] - ejbca-db-cli copy command does not work due to invalid temp files
[ECA-3995] - Upgrade documentation for CMP has wrong ordering of arguments
[ECA-4000] - Potential security issue without known exploit
[ECA-4007] - "Certification Authorities" and "Publishers" missing from admin menu with access rule /ca_functionality (recursive, accept)
[ECA-4009] - Post upgrade fails when old admin groups don't exist
[ECA-4014] - CRL Downloader doesn't store empty CRLs
[ECA-4019] - Wrong error message for Name Constraint violations with short subject DNs

Improvements

[ECA-3798] - Statedump: Incorrect number of end entity profiles are logged as exported
[ECA-3970] - Log in OCSPResponder when revoked OCSP certificates are read to the cache
[ECA-3984] - Debug log HTTP response body on CT log error
[ECA-3985] - Edit CA page load is slow with many keys in referenced Crypto Token
[ECA-3986] - Optimize CAToken.getTokenStatus
[ECA-3989] - Allow recovery from a bad upgrade of CA Tokens to CryptoTokens
[ECA-3992] - Remove critical BC warnings in order to upgrade BouncyCastle to version 1.51
[ECA-4008] - Port adjustable transaction timeouts to JBoss 7 / EAP 6
[ECA-4017] - Remove database lookups that can be read from cache
[ECA-4024] - Add a [?] link from the User Data Sources page to the admin guide

New Feature

[ECA-4006] - Add test for legacy subject encoding with override enabled via CMP