EJBCA 6.6 Release Notes

The PrimeKey EJBCA team is pleased to announce the feature release EJBCA 6.6.

The following covers information on new features and improvements in the 6.6.0 releases:

Read the EJBCA 6.6 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 6.6.0

Being the release with the most number of issue fixed ever, this release of EJBCA 6.6.0 adds a completely new RA architecture, including a brand new RA GUI.

Together with all other improvements, bugfixes and security enhancements, this is a leap forward for EJBCA and many man years of work has gone into making this release.

  • New RA GUI with configurable approval work-flow and administrator edit capabilities.

  • The RA can work as an integrated RA or as a standalone external RA (EJBCA Enterprise only subject to separate license).

  • Running as an External RA there are only outgoing network connections from the CA, using Peer Connectors.

  • User friendly Certificate search in the new RA GUI with free text search on both subject DN and altName (see note below regarding altName search).

  • Location based access control for the new RA, different RAs can have different access combined with the administrators access.

  • Easy to configure user and administrator privileges for the RA during the Peer Connector setup.

  • Full GUI support for the new eIDAS standard (QC statement extension in certificates)

  • Completely reworked Approvals with multiple approvals, ordered or not, with flexible approval notifications.

  • Support for RegisteredID (rfc5280), xmppName (rfc6120) and srvName (rfc4985) subject alternative names.

  • Now allows longer subject DN and altName by default in new installations.

  • Additional CVC OIDs for SHA512 and SHA384

  • Add support for Services that run on all hosts to enable HSM Keepalive Service to run on all nodes in a cluster

  • Additional security hardening and improvements

  • Lots of bug fixes and improvements

During issuance of X.509 certificates, the Subject Alternative Name can be stored in a searchable database column. This is enabled for all new Certificate Profiles, but not for existing profiles.

The CertificateData table has three new columns "notBefore", "endEntityProfileId" and "subjectAltName". A CA upgrade using direct database publishing to VA also requires schema changes on the connected VAs. For details, see EJBCA 6.6 Upgrade Notes.

EJBCA 6.6.1

The first patch release in the 6.6 branch, EJBCA 6.6.1 brings improvements regarding both functionality and performance.

Features

  • New features related to Validity. You can now configure certificate validity down to minutes and seconds, and certificate start offset which was previously default to -10 minutes is now configurable. There are many new options related to validity, check the documentation.

  • Certificate expiration can now be configured to prevent expiration on specific week days.

  • Added an option to keep expired certificates on the CRL instead of removing them, which is the default and still recommended behavior.

  • Added a new CLI command to change crypto token for a CA.

Improvements

  • When CA certificates are revoked, OCSP responder will respond revoked for leaf certificates only if CA revocation reason indicates a CA compromise (from EJBCA 6.5.4).

  • Several performance optimizations has been done to boost issuing speed.

  • You can now add multiple PDS URIs in the Admin GUI, for Qualified Certificate statement

  • EJB timers are now non-persistent, no need to clean JBoss timer directory on restart anymore.

Bugfixes

  • CT log timeout are configurable again

  • Legacy OCSP signer renewal is now prevented from from processing the same entry twice

  • Prevent change, triggered by changing hostname while running, of audit log node id once sequence is initialized

  • Updates to imported CA certificates is now persisted properly in the CertificateData table.

Documentation

  • Updated Quick Start documentation

EJBCA 6.6.2

This release of EJBCA fixes and improves stability of submissions for Certificate Transparency logs.

This feature is only related to issuance of publicly trusted TLS certificates.

Bugfixes:

  • CT Log submission could fail in certain circumstances when it should not

EJBCA 6.6.3

This release fixes nine minor issues which we were dying to make live before our next feature release due for Q1, and primarily fixes issues which cropped up when using ExternalRA since 6.6.0, a bug in the upgrade script for Oracle databases and a bug which caused an inability to create CRLs on MSSQL.

As with all minor releases, no upgrade steps are required.

EJBCA 6.6.4

This release of EJBCA only fixes two issues related to upgrades in specific cases.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 6.6.x, refer to our JIRA Issue Tracker.

Issues Resolved in 6.6.0

Released on 19 October 2017

Bug Fixes

[ECA-3897] - Unrevoked certificates do not appear on delta CRLs
[ECA-4549] - In Basic Access Rules, 'All' is listed last in the list of CAs
[ECA-4596] - ClientToolBox is unable to verify signature when testing more exotic EC keys in HSM
[ECA-4647] - Basic Access Rules: Pre-selected end entity rules for RAAdmin role template do not correspond to actual rules.
[ECA-4834] - Security hardening
[ECA-4856] - Security Hardening
[ECA-4858] - Confusing audit log message when reactivating a crypto token
[ECA-4860] - CryptoToken Id not updated when importing a statedump with the merge option
[ECA-4862] - CmpMessageHelper.createUnprotectedErrorMessage throws an NPE if a nonce is not included in the CMP message
[ECA-4872] - System configuration page broken in WildFly 10
[ECA-4877] - CertTools.isCertificateValid logs cert serno in decimal instead of hex
[ECA-4882] - CMP Proxy: Message signer chain should have its own configuration key in cmpProxy.properties
[ECA-4883] - CMP Proxy: NPE when the right CA certificate is not found
[ECA-4884] - Reference to Hudson in code when deploying ant
[ECA-4885] - Key recovery requires 'Edit End Entities'-rights
[ECA-4889] - Change all references from "Enrolment" to "Enrollment"
[ECA-4892] - Clearing caches fails locally if clearing the cache on any clustered nodes fails as well.
[ECA-4893] - CMP Proxy: Revocation status cache is read incorrectly
[ECA-4915] - SecureXMLDecoder can't deserialize all standard types
[ECA-4923] - ClientToolBox is missing lib/ejbca-ws.jar dependency
[ECA-4925] - Old version of cert-cvc still under lib
[ECA-4928] - CMP Proxy Servlet doesn't properly handle messages with faulty ASN.1 syntax
[ECA-4929] - Sample code not updated after refactorings
[ECA-4930] - Left-over old generated web services sources
[ECA-4931] - Minor security issue
[ECA-4945] - Edit admin entities broken in WildFly 10
[ECA-4955] - CMP Proxy swallows underlying error message when verifying certificate path
[ECA-4956] - Regression: Key alias in CMS CA service was changed so it can not be read after upgrade
[ECA-4964] - NoClassDefFound in PeerConnectorServlet.destroy(), causes JBoss to freeze
[ECA-4971] - Partial fix for handling InterruptedException correctly
[ECA-4974] - Regression: SecureXMLDecoder doesn't allow import of CertificatePolicy objects
[ECA-4988] - CMP Aliases can't handle that End Entity Profiles are renamed
[ECA-4990] - CMP aliases can't handle CA removal
[ECA-4992] - SHA256WithRSAAndMGF1 broken in some cases
[ECA-4996] - Editing a CMP configuration while having limited access leads to hidden aliases being deleted
[ECA-5003] - Profiles export fail if hard tokens are enabled.
[ECA-5005] - Root access required to save system configuration
[ECA-5072] - KeyBindings do not work if there's a CVC CA or uninitialized CA available
[ECA-5098] - ApprovalProfile table breaks EJBCA DB CLI
[ECA-5128] - Invoke postUpgrade instead of upgrade from placeholder
[ECA-5165] - Access rule "store_certificate" is not used in the code
[ECA-5185] - Regression: can not revoke user when user's registered CAId does not exist
[ECA-5187] - languagefile.en.properties: correct different typings of ID
[ECA-5193] - Fix broken jenkins test with non-serializable Keystore in RaMasterApi
[ECA-5204] - RA enrollment: User doesn't get its request ID if RA is running on peer
[ECA-5206] - CMP revocation requests fails CA authorisation if issuer CA has X.500 ordering
[ECA-5213] - GUI bug in send notification, can not be set afterwards if set to required in profile
[ECA-5216] - Checking requestId gives possibility to finalize even if it's not possible
[ECA-5217] - WebService method checkRevokationStatus does not return null for non existing certificates as documented
[ECA-5220] - Notification related fields show up on the approvals page
[ECA-5224] - RA enrollment: Fix and improve the enrollment with approval buttons
[ECA-5228] - Circular dependency between ApprovalProfileCacheBean and StartupSingletonBean
[ECA-5232] - Adding approval profile metadata fields only works correctly for the final step
[ECA-5234] - Store authentication token instead of admin cert serial number/issuer in approval requests
[ECA-5236] - 'Hour' format in Advanced Mode for Search End Entities
[ECA-5239] - GUI improvements to the Manage Request page
[ECA-5244] - Cloning Approval Profiles ignores the new name and it's not possible to rename
[ECA-5245] - NPE approving as another Admin in KaRA
[ECA-5258] - RA enrollment: Support for enrolling PEM keystores
[ECA-5260] - Occasional ConcurrentModificationException when re-deploying
[ECA-5261] - Use id instead of approvalId as a Request ID
[ECA-5262] - End Entity notifications when using approval always uses the requestAdmin, and not the approvalAdmin
[ECA-5267] - RA enrollment: Unique Subject DN check is done after approval
[ECA-5268] - Internal database constraint test audit logs certificate storage
[ECA-5275] - Deleting Approval steps doesn't actually remove the step
[ECA-5277] - Fix NPE when trying to list processed approvals in the RA
[ECA-5278] - Handle approval editing in one step in ApprovalSessionBean, so the id can be preserved
[ECA-5281] - EjbcaWSTest.test25CreateandGetCRL fails sporadically
[ECA-5282] - Update "previous steps" in the RA approval page to handle partitions
[ECA-5289] - Approval requests listing in the RA are never shown if older than the default validity (8 hours)
[ECA-5293] - Regression: Manage Request page does not work over peers
[ECA-5296] - Approval class has updated serialVersionUID
[ECA-5297] - Number of remaining approvals is reset after upgrade
[ECA-5298] - Fix Exceptions in RA GUI approvals
[ECA-5299] - EjbcaWSTest.test03_5CertificateRequest fails with End Entity Profile limitations on
[ECA-5305] - Regression: SecureXMLDecoder doesn't allow import of CTLog objects
[ECA-5321] - JUnit: handle test case where we try to add non existing DN parameter to EE profile
[ECA-5323] - Client toolbox start script not working for p11 when JAVA_HOME is set
[ECA-5324] - NPE when trying to approve and the approval profile is to type Accumulative
[ECA-5335] - KaRA: authorization cache is for ever, even with clear caches
[ECA-5338] - External RA GUI should not bundle hibernate jar to deploy on WildFly 10
[ECA-5342] - ui:repeat does not respect the "rendered" parameter on the RA Manage Request page, causing exceptions
[ECA-5345] - KaRA: Manage Requests->Processed doesn't show anything
[ECA-5346] - Name field does not work on Manage Request page
[ECA-5347] - Java type inconsistencies in NameToIdMap
[ECA-5349] - Not able to import statedump from EJBCA 6.5 into EJBCA 6.6
[ECA-5350] - CA importcert CLI command should halt on error when no superadmincn is provided
[ECA-5351] - statedump.sh script doesn't handle relative paths
[ECA-5353] - Statedump source ziprelease includes .class files
[ECA-5358] - KaRA: Text for 'Upload CSR' in RA GUI truncated
[ECA-5363] - Headers are offset by one in Manage Requests view in mobile layout
[ECA-5366] - Login link on public RA pages does not work
[ECA-5367] - Edit End Entity requests show up with type = "???" in the RA
[ECA-5375] - Enrollment from RA requires Edit End Entity access, instead of Add End Entity
[ECA-5376] - Missing Administrator info in 'Waiting for Approval' section
[ECA-5378] - Fix NPE when deleting the only step in an approval profile
[ECA-5388] - OCSPResponseGenerator should use BC provider for signature verification
[ECA-5391] - Wrong encoding of documentTypeList in ICAO 9303 DS certificates
[ECA-5392] - ApprovalProfileBase.getSteps checks for null instead of empty
[ECA-5403] - Improve messages in the RA Enrollment page
[ECA-5411] - Email Notification parameters containing $ sign causes error
[ECA-5414] - Systemtest failures with non JDK handled EC curves
[ECA-5420] - Availability of EEPs in RA is cached session cached
[ECA-5422] - Access rule misspelled in AdminCertReqServlet
[ECA-5425] - Error codes of Peer Connectors does not work
[ECA-5427] - NPE when doing direct issuance via RA
[ECA-5431] - Typo in 'Notification Messages' under End Entity Profile page
[ECA-5435] - Don't render Provide User Credentials section in RA when empty
[ECA-5436] - Regression: Order of CT log might not be respected
[ECA-5439] - Installation instructions don't work for Wildfly 10 / JBoss EAP 7.0 in some cases
[ECA-5440] - Verification of database protection not working for Custom Certificate extensions
[ECA-5441] - Statedump import failure for InternalKeyBinding
[ECA-5454] - NPE in AdminGUI when the same admin approves a request a second time

Improvement
[ECA-3959] - Editing end entity profile generates unnecessary INFO
[ECA-4413] - Simplify EJB lookups in CAAdminSessionBean
[ECA-4438] - Remove unused caid parameter in CA.createPKCS7Rollover
[ECA-4499] - Allow longer SAN and DN by default
[ECA-4673] - Downloading an non-existent delta-CRL on the public web leads to a 404
[ECA-4690] - Replace deprecated references to org.bouncycastle.asn1.x509.SubjectPublicKeyInfo.SubjectPublicKeyInfo(ASN1Sequence)
[ECA-4795] - External RA: NPE in external RA gui when externalra-gui.issuerchain points to a non existing file
[ECA-4803] - Security hardening
[ECA-4906] - Limit OCSP Nonce to 32 bytes
[ECA-4914] - Don't throw RTE when checking for non-existing CryptoToken activation status
[ECA-4932] - Exclude install properties files from ejbca.ear
[ECA-4936] - ConcurrentCache: Improve performance
[ECA-4947] - Resetting an end entity password after key recovery should not require 'Edit End Entities'-rights
[ECA-4952] - Simplified X509CertificateAuthenticationToken constructor
[ECA-4963] - Certificate Profiles: Keep sorting, but sort default profile types first.
[ECA-4970] - Set secure flag on Admin GUI session cookie
[ECA-4983] - ejbcajslib.js has unneeded comment chars
[ECA-4987] - Set search.cgi welcome page for RFC 4387 CRL and certificate stores
[ECA-4998] - Document that CMP Unid support currently isn't supported
[ECA-5029] - Usability improvement, limit Policy User Notice text field to 200 characters
[ECA-5044] - Security Improvement
[ECA-5047] - Improve pom.xml for cert-cvc
[ECA-5088] - Move all CRUD methods from ApprovalData into ApprovalSessionBean
[ECA-5106] - Add database column for subjectAltNames (SAN) in CertificateData
[ECA-5115] - Allow notifications to be sent when admin has an external certificate not available in the database
[ECA-5130] - Fix some resource leaks and thread locking issues in source
[ECA-5142] - Generalize and improve InternalKeyBindingProperty
[ECA-5147] - MS SQL server support in External RA build task
[ECA-5148] - Perform some cosmetic improvements to the approve action page
[ECA-5160] - Have externalized Approvals initialize their authentication tokens
[ECA-5168] - Improve system tests for application servers that enforce class loading
[ECA-5192] - Don't show admin roles that can't approve or view approvals
[ECA-5195] - RA Enrollment: Show password only with downloading keystore
[ECA-5196] - RA Enrollment: Provide user with more verbose error message during token creation
[ECA-5203] - RA enrollment: Add support for autogenerated passwords
[ECA-5212] - Sort Approvals by Request Date by default
[ECA-5214] - KaRA: creating end entity should set email notification when it is required
[ECA-5215] - KaRA: PRA Error handling when not unique subject DN or public key
[ECA-5226] - Improve exceptions handling over peers to support more than just a message
[ECA-5241] - Improve RA API exception handling
[ECA-5247] - Change which requests are shown under the Pending and Processed tabs
[ECA-5257] - RA enrollment: Download Token name should be CN value
[ECA-5273] - Query.toString() should output something readable
[ECA-5300] - Certificate Policies in the same order in certificate encoding as in the GUI
[ECA-5301] - Add instruction for upgrade
[ECA-5307] - PRA: Manage requests should show request ID
[ECA-5317] - Autogenerated EE usernames as configurable with EEP
[ECA-5318] - RA enrollment: Remove password fields with certificate creation if approval are not required
[ECA-5332] - Statedump import should skip revocation of end entities' certificates
[ECA-5343] - KaRA: AuthLoginException should contain error code, fix missing parameter to error messages
[ECA-5344] - KaRA: password should be called enrollment code
[ECA-5355] - KaRA: some reasons missing when explaining why admin can't approve a certain request
[ECA-5356] - Delete modules/dist directory on clean
[ECA-5357] - KaRA Usability: request form clearing and email
[ECA-5362] - KaRA Usability: Rename "Needs Approval" and "Pending Approval"
[ECA-5371] - KaRA Usability: more information when finalizing enrollment
[ECA-5377] - Improvements for Approval Profiles Documentation
[ECA-5393] - Log subject DN of cert failing validity check
[ECA-5400] - KaRA: Document authorization rules for RA User and RA Admin
[ECA-5405] - Security hardening
[ECA-5410] - Approval profile notifications ability to include admin who last approved request
[ECA-5418] - Show approval request type on the Manage Request page
[ECA-5421] - CA Token Properties upgrade should debug log and be case insensitive

Master Ticket
[ECA-5315] - KaRA Usability: improve usability of wording in KaRA

New Feature
[ECA-2277] - NetBeans IDE project
[ECA-2390] - Import CRL via the WebUI
[ECA-2842] - Add SAN SRVName OtherName for Service Name in Certificates (RFC 4985)
[ECA-2843] - Add SAN XmppAddr OtherName for XMPP Client certificates (RFC 6120)
[ECA-4379] - Add additional CVC OIDs for SHA512 and SHA384
[ECA-4473] - Shell script for running statedump tool
[ECA-4861] - Add Windows Certificate Autoenroll files as module
[ECA-4972] - GUI Support for PKI Disclosure Statements (PDS) QCStatement and QCType
[ECA-5111] - ID on SIM (RFC-4683) support in cesecore
[ECA-5145] - Internal profile support for eIDAS Qualified Extension types Type and PDS
[ECA-5264] - Make requestID available for end entity notifications when an Approval request to add end entity is created (waiting for approval)
[ECA-5265] - Configure WS genTokenCertificates and viewHardToken to use the new approval profiles
[ECA-5274] - Audit log approval profiles
[ECA-5279] - Support RegisteredID in subject alternative name
[ECA-5310] - Update SQL scripts for EJBCA 6.6.0 database schema changes
[ECA-5322] - Ability to use variables in email subject for email expiration service
[ECA-5412] - Add support for Services that run on all hosts to enable HSM Keepalive Service to run on all nodes in a cluster

Story
[ECA-4782] - RA must be configurable to demand logged in users
[ECA-4784] - RA interface must handle certificate management tasks including requesting revocation
[ECA-4786] - RA must allow searching for End Entities
[ECA-4788] - All requests must be given a universal identifier so that they can be tracked through logs
[ECA-4796] - RA must handle certificate requests by manual CSRs
[ECA-4801] - RA Administrators must be able to be notified about user requests
[ECA-4804] - Notify other administrators about certificate issuances or revocations
[ECA-4805] - RA administrators must be able to edit user requests.
[ECA-4820] - RA users should be able to see the status of their requests
[ECA-4863] - Approvals should be partitioned
[ECA-4873] - PRA must allow searching for Certificates
[ECA-4895] - RA users will be able to request server side generated keystores
[ECA-4896] - Logged in RA users should see the certificate types types they're authorized to
[ECA-4979] - RA Interface should allow download of CA certificates and CRLs
[ECA-5153] - RA administrators must be able to create end entities from the PRA
[ECA-5336] - KaRA: As a RA User I have forgotten my requestID and need to finalize enrollment

Task
[ECA-4868] - Security Issue
[ECA-5031] - Update cmp proxy web.xml to JEE6
[ECA-5209] - Remove additional left-over old generated web services sources
[ECA-5263] - Update the RA to handle partitioned approvals properly
[ECA-5348] - Add JUnit test for Certificate Profile extension
[ECA-5361] - Evaluate security test report
[ECA-5370] - KaRA usability: Rename Generate buttons to Download
[ECA-5408] - Add authorization checks when trying to edit a request
[ECA-5409] - Allow the Auditor role to see all RA pages except enrollment
[ECA-5413] - Update CT log documentation
[ECA-5437] - Document that Wildfly 10 config also applies to JBoss EAP 7.0.x
[ECA-5446] - Prevent locales used during development to be selected in RA

Technical Requirement
[ECA-4817] - An authentication token must travel in a nestled fashion from the RA to the CA, rights will be the intersection of all nestled tokens' rights
[ECA-4819] - CA->ERA/PRA should use Peers to establish their connection
[ECA-4826] - ERA/PRA must extract a subset of access rules from the CA
[ECA-4869] - Deployable Public RA interface (PRA) as part of the EJBCA EAR
[ECA-4917] - RA Proxy Authorization Cache

Sub-task
[ECA-4446] - Introduce typing for ListDataModel
[ECA-4800] - Support for request revocation of authorized certificates
[ECA-4867] - Long hanging peer connections for reverse calls
[ECA-4870] - Create a module for the Public RA interface and make sure it is deployed with the EJBCA EAR
[ECA-4874] - Add End Entity Profile ID column to CertificateData
[ECA-4875] - Create a basic PrimeKey branded CSS for the RA interface
[ECA-4879] - Create/modify an authentication token that handles nestled credentials
[ECA-4881] - Reverse calls should use AuthenticationToken with caller's server side TLS cert
[ECA-4898] - Create initial RA enrollment workflow
[ECA-4907] - Implement Approval Profiles and convert the old approvals to the appropriate profile.
[ECA-4908] - KaRA-Approvals: Handle approval request according to approval profiles
[ECA-4911] - KaRA-Approvals: Implement "Edit"
[ECA-4918] - Method to list access rules that the AuthenticationToken is authorized to
[ECA-4919] - Call RA peer when access rules change
[ECA-4920] - RaAccessBean on RA for checking authorization
[ECA-4922] - Introduce PublicAccessAuthenticationToken
[ECA-4927] - Improve logging and retries of peer connections
[ECA-4934] - Improve performance of LookAheadObjecInputStream tree
[ECA-4937] - Proper error handling
[ECA-4938] - Basic RA client HTTP session handling
[ECA-4940] - I18N: Handle right to left languages in RA
[ECA-4941] - I18N: Use UTF-8 in resource bundles and add fallback to default language
[ECA-4942] - Peer Connector config for long-handing RA threads
[ECA-4944] - Simplify authorization of server side TLS certificates for Peer RA
[ECA-4948] - Test required access rules for EJBCA WS keyRecovery operation
[ECA-4954] - Event driven throttle up of long hanging connections
[ECA-4962] - Per-AuthenticationToken cache for AccessSets
[ECA-4966] - Prevent race condition when app server is started and quickly shutdown
[ECA-4969] - Prevent HTTP session stealing for TLS authenticated clients
[ECA-4973] - Reloading the RA Authorization Cache instead of clearing it
[ECA-4975] - Improve RA JSF base according to best practices
[ECA-4977] - KaRA: Add OWASP ESAPI best practices
[ECA-4981] - KaRA Approvals: Create access rules to manage ApprovalProfiles
[ECA-4984] - RA page for CA certificate and CRL downloads
[ECA-4986] - Leave a database mark for EEP Id population when upgrading to 6.6.0
[ECA-4994] - Convert RaMasterApiProxy into a singleton
[ECA-4995] - Progressive Enhancement with KickAss RA
[ECA-5006] - Page to view/handle approval requests in the RA UI
[ECA-5011] - Create certificate search base page and basic API call to improve on
[ECA-5013] - Use RaAccessBean to limit displayed choices in the menu
[ECA-5016] - Use reflection Proxy for RaMasterApi mock objects in tests
[ECA-5018] - Detect if RFC4387 CRL store is enabled and adapt CRL download URLs
[ECA-5028] - Inform RA of latest authorization cache update number on reconnect
[ECA-5032] - Create end entity search base page and basic API call to improve on
[ECA-5040] - Test search functionality on large dataset and limit query database load when possible
[ECA-5042] - Override serialization of CertificateDataWrapper, to handle passing CertificateData between different versions
[ECA-5051] - KaRA-Approvals: Move method accessing the database to the session bean
[ECA-5052] - KaRA-Approvals: Replace the current cache with a @singleton bean
[ECA-5053] - KaRA-Approvals: Sort approval profiles in the AdminGUI
[ECA-5054] - Remove unused approvals code from UI
[ECA-5058] - Add Approval and Request Expiration periods options to Approval Profile
[ECA-5061] - KaRA-Approvals: Set the right approval profiles
[ECA-5064] - Change class name of ApprovalProfileNumberOfApprovals
[ECA-5067] - KaRA-Approvals: Approval Profile Cache should be cleared in the CLI too
[ECA-5068] - KaRA-Approvals: Update documentation about approvals
[ECA-5070] - Authorization rights for enrollment with new request
[ECA-5077] - KaRA-Approvals: ApprovalProfileTypes in ServiceLoader
[ECA-5082] - Maintain 100% uptime when upgrading Approvals
[ECA-5090] - Clean up test methods in RaMasterApi
[ECA-5092] - JUnit test for API design violations
[ECA-5097] - RA Certificate chain download as PKCS#7
[ECA-5100] - Certificate details view in RA
[ECA-5109] - Serialize exceptions from invocations
[ECA-5110] - Implement RA certificate search by Subject Alternative Name
[ECA-5113] - RA method to get approval request by hash (approvalId)
[ECA-5120] - Public Access token match either PLAIN or CONFIDENTIAL transport
[ECA-5121] - AccessMatchType.NONE should not requre a matchValue
[ECA-5123] - Admin should be able to see which admin an approval request is waiting for
[ECA-5125] - Log who edited an approval request
[ECA-5126] - Add notBefore column to CertificateData
[ECA-5127] - Implement RA certificate search by issuance date as advanced option
[ECA-5137] - Split generic search string into fields
[ECA-5143] - Add view functionality for EEs in RA
[ECA-5154] - Show preview of certificate during RA enrollment
[ECA-5157] - Update admin guide on Peer Systems with new RA functionality
[ECA-5159] - Invoke EEP's revoked notification when an individual certificate is revoked
[ECA-5162] - Add approval metadata to Partitioned Approval Profiles
[ECA-5163] - Add view rights to partitioned approval profiles
[ECA-5164] - Display completed steps as view only when performing approval (if view rights are held)
[ECA-5172] - Add an e-mail field to approval partitions
[ECA-5173] - Add notification evaluation to approval executions
[ECA-5177] - Refactor download credentials type during enrollment on PRA
[ECA-5180] - Show "certificate preview" during enrollment on PRA
[ECA-5182] - Enforce certificate profile algorightms for CSR during PRA enrollment
[ECA-5183] - Fix approvals in the RA GUI after the refactoring
[ECA-5186] - PRA enrollment: add support for the multiple non-modifiable values for EE fields
[ECA-5189] - Approval Profile page renderes non-JS button in view mode
[ECA-5200] - Add Web Designer styles and modifications, including mobile
[ECA-5201] - Add support for nesting of parameter type List<AuthenticationToken> in RaMasterApi
[ECA-5202] - Deserialized NestableAuthenticationTokens needs to be re-initialized within JVM
[ECA-5205] - Use certs-only PKCS#7 / CMS on RA
[ECA-5207] - Allow configuration of /ra_slave/manage from simplified peer auth view
[ECA-5208] - RA enrollment: Refactor the RA interface according to the synchup week 27
[ECA-5211] - Clean up GUI request authorization checks
[ECA-5218] - Use more efficient backend call for RaMasterApi.getApprovalDataByRequestHash
[ECA-5219] - Add buttons for changing step order in the approval profile UI
[ECA-5221] - Split generic search string into fields
[ECA-5222] - RA enrollment: Improve handling of NoJS buttons
[ECA-5225] - RA enrollment: Hide static fields by default
[ECA-5229] - Better handling of CSR upload during RA enrollment
[ECA-5231] - Remove the approvalprofileid column from ApprovalData
[ECA-5237] - Populate modifiable SAN fields from CSR during RA enrollment
[ECA-5243] - Enforce CSR or key spec in EndEntityInformation when issuing a certificate
[ECA-5248] - Don't localize logged messages using current users selected locale
[ECA-5313] - KaRA Usability: Start step with nr 1 instead of 0 in Approval Profiles in Admin GUI
[ECA-5314] - KaRA Usability: should be able to notify what partition (name) was performed
[ECA-5316] - KaRA Usability: rename the word Partition for appoval parts
[ECA-5340] - KaRA Usability: Shorten auto-generated username to 32 chars

Issues Resolved in 6.6.1

Released on 23 November 2016

Master Ticket

[ECA-5509] - Performance optimizations

Bug

[ECA-3554] - CVC certificate validity should not be backdated 10 minutes
[ECA-5253] - NPE should be avoided when not receiving an OCSP response in CmpProxyServlet
[ECA-5387] - Issuer Alternative Name not included in Root CA until it's renewed
[ECA-5479] - NPE when trying to view list of CMP configurations with missing profile
[ECA-5489] - Incorrect regex breaks "view certificate" page from Internal Key Bindings page for some CA DNs
[ECA-5495] - Update of imported CA certificate is not persisted to the CertificateData table
[ECA-5502] - Prevent legacy OCSP signer renewal from processing the same entry twice
[ECA-5514] - Make DynamicUiProperty.values thread safe

New Feature

[ECA-1628] - Add option to keep revoked expired certificates on CRLs.
[ECA-5141] - Specify hours, minutes and seconds in certificate profile
[ECA-5330] - Certificate expiration period specific to certain days
[ECA-5419] - Make CT Log timeout editable again, as well as the other fields
[ECA-5470] - Document trailing space in RDN value behavior in test
[ECA-5491] - Add CLI command to change crypto token for a CA
[ECA-5492] - Update Ubuntu quick start guide to 16.04 and Java 8

Task

[ECA-5428] - Get DB2 job on Jenkins running again
[ECA-5507] - Use available helper method for ContentVerifier creation

Improvement

[ECA-4447] - Make EJB timers non-persistent
[ECA-5451] - Prevent change of audit log node id once sequence is initialized
[ECA-5459] - Only regard revocation reasons *Compromise and unspecified as CA private key compromise in VA
[ECA-5460] - Update RHEL quick start in installation doc
[ECA-5469] - Document that WS certificateRequest method overwrites the end entity
[ECA-5478] - Ability to add multiple PDS URIs
[ECA-5486] - Document Java version requirements when running JBoss 7.1.1.GA or JBoss EAP 6
[ECA-5490] - Add new recommended database index for CRL generation
[ECA-5493] - Excessive logging when editing Certificate Profile
[ECA-5496] - IKB certificate import should not use the current CA certificate if public key does not match
[ECA-5501] - Don't initialize classes in ServiceManifestBuilder
[ECA-5517] - javascript for convertdot during ziprelease only works on JDK8

Sub-task

[ECA-5511] - Remove extra call to getDataMap() from ProfileData.getProfile()
[ECA-5512] - Remove some unneded calls to EndEntityInformation.extendedInformationToStringData()
[ECA-5513] - Make assertSerialNumberForIssuerOk() more light weight
[ECA-5516] - Investigate efficiency of ExtendedInformation persistence conversion

Issues Resolved in 6.6.2

Released on 4 December 2016

Bug

[ECA-5549] - CT Log submission can fail in certain circumstances when it shouldn't

Issues Resolved in 6.6.3

Released on 22 December 2016

Bug

[ECA-5527] - PeerRaMasterServiceBean delays shutdown
[ECA-5554] - View certificate throws StringIndexOutOfBoundsException when certificate cannot be read
[ECA-5568] - Incorrect column type used in Oracle upgrade script
[ECA-5571] - ApprovalProfileSession is not sent to Workers, leading to an NPE
[ECA-5575] - Error generating CRL on MSSQL, update dialect to SQLServer2008Dialect
[ECA-5577] - Import certificate profiles in Admin GUI ignores profileId
[ECA-5578] - ExternalRA fails if no approval profile has been set

Improvement
[ECA-5079] - Make sun classes for PKCS#11 available using jboss-deployment-structure.xml
[ECA-5526] - Add new RA Web to Admin GUI menu

Issues Resolved in 6.6.4

Released on 20 February 2017

Bug

[ECA-5687] - EJBCA 6.5.0 Community post-upgrade does not fail gracefully
[ECA-5700] - Upgraded ValidationAuthorityPublisher settings cannot be changed in GUI