EJBCA 6.9 Release Notes

The PrimeKey EJBCA team is pleased to announce the feature release EJBCA 6.9.

The following covers information on new features and improvements in the 6.9.0 releases:

Read the EJBCA 6.9 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 6.9.0

Greetings to all, and welcome back after a long summer. Just in time for CAA to go live on September 8th, we'd like to present to you all the release of EJBCA 6.9.0. All in all we've fixes about 90 issues during the summer, but we'd like to highlight the four major features of this release:

  • Delegated Keypair Generation: As requested by some customers running EJBCA instances as RAs over Peers, this feature is similar to the key recovery feature long used in EJBCA in that it stores generated soft keys encrypted in the database, but with the purpose that the soft keys are generated on the RA (instead of on the CA). The purpose of this is security - where the owner of the RA doesn't wish for the keys to ever be transmitted to the CA but merely be signed. Since this feature requires an EJBCA instance running as RA, it only applies to Enterprise customers.

  • RSA/ECC Key Validation: A long requested feature, we've now created an API for running validators during certificate creation. Foremost we've implemented Key Validators, which can be applied to a CA to reject incoming signing requests based on inadequate key length or poorly chosen exponents.

  • BlackList Validators: We've also developed an API for blacklisting signing requests based on known information. In EJBCA 6.9.0 we've implemented a Key Blacklist Validator, which will check incoming certificate requests against a user defined blacklist of known bad keys.

  • CAA: Last and absolutely not least, EJBCA 6.9.0 can perform CAA checks during or after certificate issuance. This has partly been implemented as a Validator (which is run during certificate issuance) or as a manual CLI tool which can be used by an RA administrator after issuance. CAA support is an Enterprise only feature.

EJBCA 6.9.0.1

In the final stages of testing of 6.9.0 we found ECA-6088, which could potentially lead to caching issues for installations running clusters. Was fixed before EJBCA 6.9.0 was released to the wild.

EJBCA 6.9.0.2

Database creation scripts referred to PublicKeyBlacklistData instead of BlacklistData.

EJBCA 6.9.0.3

Patch release for ECA-6099, where adding an EE from the Admin Web or WS and then enrolling using the RA would lead to an NPE.

EJBCA 6.9.0.4

Patch release for ECA-6106, which allows a CAA lookup to continue up the domain tree even if the lookup for a subdomain failed.

EJBCA 6.9.0.5

Patch release for ECA-6107, which fixed an issue in which CAA lookups weren't properly handled for wildcarded domains with subdomains.

EJBCA 6.9.0.6

Patch release fixing issues with CAA.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 6.9.0.x releases, refer to our JIRA Issue Tracker.

Issues Resolved in 6.9.0

Released on 28 August 2017

Epic
[ECA-5175] - Support for delegated key pair generation

New Features
[ECA-2853] - Implement CMP ImplicitConfirm
[ECA-4219] - Verify public keys before cert issuance
[ECA-5286] - Make CA based Key recovery possible on RA
[ECA-5627] - DNS Certification Authority Authorization (CAA) Resource Record
[ECA-5644] - Add the ability to download P10 from approval and end entity view in RA
[ECA-5866] - Add configuration value to approval profiles for whether or not the original submitter should be allowed to approve
[ECA-5954] - Add system config option for local key generation
[ECA-5955] - Document Key validators
[ECA-5956] - Encrypt keypair for key recovery using a selectable crypto token, for local key generation
[ECA-5957] - Ability to request key recovery from RA Web
[ECA-5966] - Add MIME type for VBScript (for IE enrollment)
[ECA-5972] - Support for getting the certificate chain as response in the IKB update message
[ECA-5983] - Document delegated key recovery
[ECA-5987] - Make it possible to mark certificate for recovery using local key generation
[ECA-6006] - ClearCacheCommand should clear validator cache
[ECA-6019] - Add EjbcaWS support for key recovery with local key pair generation
[ECA-6045] - Implement CAA Validator in EJBCA
[ECA-6047] - Implement the IODEF CAA record type (e-mail)

Task
[ECA-6015] - Update RA documentation with Role Management
[ECA-6021] - Work around hibernate bug with MS-SQL that makes ResultSetMapping fail
[ECA-6025] - Document how to increase max parameter count in WildFly

Improvements
[ECA-5697] - Certificate Profiles usability
[ECA-5884] - Upgrade EJBCA to BouncyCastle 1.57
[ECA-5907] - certprofiles.zip / entityprofiles.zip is not a zip file
[ECA-5919] - Name Constraints exception when adding End Entity
[ECA-5948] - Make pre-issuance public key blacklist available outside of EJB context
[ECA-5952] - Base key validators on Profiles and put into ProfileData
[ECA-5958] - Extract ProfileSessionBean from ApprovalProfileSessionBean
[ECA-5962] - cmpclient: be more forgivning of cache-control content
[ECA-5974] - Restrict visibility of key validators by Certificate Profile
[ECA-5976] - Move KeyValidatorsBean.importKeyValidatorsFromZip(byte[]) into session beans
[ECA-5996] - SecureXMLDecoder should handle exported classes
[ECA-5999] - Remove unused constants from UserDataVOWS
[ECA-6000] - Improve label consistency on role pages in the RA
[ECA-6007] - Improve Role Member performance
[ECA-6013] - Default PKCS #11 libraries updated (OpenSC, SoftHSM, PKCS11 Spy)
[ECA-6014] - Sort list of CAs and Certificate Profiles in the CMP alias page
[ECA-6028] - System test for delegated key generation
[ECA-6029] - Have EjbcaWS.getRemainingNumberOfApprovals(int) throw exceptions for approval requests which have been denied or which have expired
[ECA-6054] - Generalize PublicKeyBlacklistData into BlacklistData
[ECA-6062] - Sort validators alphabetically and list validator type in menu
[ECA-6067] - Have selecting the "Apply for all Certificate Profiles" checkbox in Validators disable the "Apply for Certificate Profiles" list
[ECA-6077] - Documentation on the format and perform validation on certificate validity fields on Validators Edit page
[ECA-6079] - Validators is not available for pre-defined RA_Administrator
[ECA-6082] - Remove imports/export functionality for Validators.

Bug Fixes

[ECA-4853] - Some fields aren't grayed out in read-only services

[ECA-5524] - Admin GUI should prevent saving of empty QC statement

[ECA-5672] - Add/Edit End Entity page silently removes e-mail if domain is omitted

[ECA-5904] - Stack trace printed on screen when enrolling EE with invalid QC

[ECA-5905] - Link certificate should have the same expire date as old ca certificate

[ECA-5917] - Auditor, wrong layout on 'Certificate Profiles'

[ECA-5946] - Possible to send a request to create an End Entity that already exists from RA Web

[ECA-5949] - WebService API: the field sendNotification in UserDataVOWS isn't set

[ECA-5950] - Duplicate entries of the member 'SuperAdmin' in 'Super Administrator Role'

[ECA-5960] - CMPv2 extraCerts field not correctly (re)ordered in all cases

[ECA-5965] - Missing value for view_request_page_data_value_UNREVOKE

[ECA-5967] - E-mail notification sends the old 'uniqueId' if request has been rejected

[ECA-5969] - transactionId and recipiantNonce are not always set in CMP error messages.

[ECA-5971] - NullPointerException if clicking 'Save state' in failed Approval Action window

[ECA-5975] - getApprovalProfileForAction can throw exception if no approval is required

[ECA-5978] - RA enrollment with requestid doesn't authenticate password with reusecert = true

[ECA-5979] - Request to change Username of End Entity changes the Username and sends a request

[ECA-5980] - Unable to approve End Entity revocation request

[ECA-5981] - Enrollment by username does not work on the RA

[ECA-5984] - Two admins opening the same approval request and trying to approve causes NullPointerException

[ECA-5988] - Checking if key recovery is possible in the RA checks all listed certificates

[ECA-5989] - Statedump: "AuthorizationDeniedException: Granted access of the current administrator might be affected by this change"

[ECA-6003] - Public Web: The field SAN MS-UPN is broken in Self-registration

[ECA-6005] - Various NPEs for CMP Revocation requests with faulty payloads

[ECA-6009] - ClearCache fails with exception in some cases

[ECA-6012] - Key recovery flag not reset on rejected approval using local key generation

[ECA-6016] - Approval Profiles doesn't update until logout

[ECA-6018] - Deleting an Approval/Certificate Profile and then clicking 'View' causes NullPointerException

[ECA-6020] - Adding end entity in admin GUI with autogenerated username gives error

[ECA-6022] - Rejecting both partitions of Approval Request generates error message

[ECA-6023] - AuthenticationKeyBinding.isClientSSLCertificate should not require KU keyEncipherment

[ECA-6030] - Upgrade is never called for Validator

[ECA-6033] - Non-modifiable empty End Entity E-mail should not be allowed in EEP

[ECA-6034] - WebService: CertificateCreateException should be wrapped in order to pass on good message and error code to client

[ECA-6035] - Selecting nothing under 'Available CAs' when editing an EEP causes NullPointerException

[ECA-6036] - [Public Web] Request Registration should not display step 2 if EEP/CP is invalid

[ECA-6060] - Disabled remote key bindings not displayed as such in admin gui

[ECA-6061] - End entity profiles with User Notifications can't be imported

[ECA-6065] - 'New...' button for 'Namespace' does not function if you haven't selected an existing 'Namespace'

[ECA-6066] - CA_Administrator documentation does not match about 'Renew CA'

[ECA-6070] - Approving a Key Recovery request on the RA requires /ca_functionality/approve_caaction/

[ECA-6074] - RA Web: enroll with username and code displays "Key Algorithm: null null"

[ECA-6076] - 'Available bit lengths' is disabled under 'RSA Key Validator Settings'

[ECA-6080] - Auditor pre-defined role can not view selected Validators

[ECA-6081] - Validators Access Rules not saved for RA Administrators,Auditors and Supervisors pre-defined role

Bug Fixes

[ECA-6088] - Role Member caching does not play well with clusters

[ECA-6089] - NPE when upgrading from 6.9.0Beta to 6.9.0Final due to IODEF

[ECA-6091] - NPE in View Certificates in RA Web if certificates have no KeyUsage

Bug Fix

[ECA-6088] - Create tables scripts all refer to the PublicKeyBlacklistData instead of BlacklistData

Bug Fix

[ECA-6099] - Ra Web: Trying to enroll P12 for user added in Admin GUI gives NPE

Improvement

[ECA-6106] - CAA Validator should keep looking up domain tree even if NXDOMAIN is encountered

Improvement

[ECA-6107] - CAA validation allows issuance of wildcard certificates for subdomains, even though issuance is prohibited.

Bug Fixes

ECA-6107] - CAA validation allows issuance of wildcard certificates for subdomains, even though issuance is prohibited.

[ECA-6124] - CAA max recursion count is triggering for other checks than CNAMES

[ECA-6125] - KeyValidatorSession splits DNSNames incorrectly for CAA lookups

[ECA-6126] - CAA Validator fails for a SocketTimeoutException