New Features

ECA-4491 - Support Ed25519 and Ed448 (EdDSA) certificate issuance using soft crypto tokens

ECA-5333 - Ability to search for approval requests by part of Subject DN / or e-mail

ECA-6787 - Ability to specify Superadmin Validity during installation

ECA-6790 - Add "Enforce Key Renewal" Option

ECA-7162 - Add regex validation to usernames for EEP

ECA-8699 - Support encryption for SCEP in Azure Key Vault crypto token

ECA-8718 - Add test of "Enforce Key Renewal"

ECA-8781 - CLI command to import key recovery data for end entities

ECA-8848 - Database table for pre-produced OCSP responses

ECA-8849 - Service worker pre-produced OCSP responses

ECA-8850 - CA setting enabling pre-produced responses.

ECA-8852 - Publisher for OCSP Response Data

ECA-8866 - Create OCSP Cache for CA canned response setting

ECA-8878 - Session bean (interface etc) for OcspResponseData

ECA-8892 - Handling conflict between CA setting to pre-produce OCSP responses and OCSP Key binding nonce setting

ECA-8895 - Create indexes for the OCSPResponseData table

ECA-8899 - Approvals for SCEP RA mode

ECA-8913 - Support AWS KMS (Key Management Service, different from AWS CloudHSM)

ECA-8944 - Service worker UI for OCSP pre-production

ECA-8962 - Implement SCEP enrollment with approvals for already existing end entities

ECA-8990 - Update plugin sample to deploy cleanly

ECA-9051 - Shift the configuration of ExtendedUserDataHandlers (such as the UnidFnrHandler) from CMP configuration to CA configuration

ECA-9053 - Implement configuration of Request Processors in the CA

ECA-9057 - Implement a validator for the Google Safe Browsing API

ECA-9065 - Upgrade procedure after moving Request Processors from CMP to CA

ECA-9066 - Shift execution of Request Processors from CrmfRequestHandler into CertificateRequestSession

ECA-9072 - Service worker logic for final OCSP response

ECA-9074 - Support for CLI batch generation with EdDSA keys

ECA-9142 - Create a webservice call for creating an externally signed CA.

ECA-9163 - Add support for WS createExternallySignedCa command in clientToolBox

Tasks

ECA-7435 - Java 11: SOAP WS Client and Tests do not work

ECA-8212 - Batch enrollment GUI does not build under JDK11

ECA-8651 - Update resteasy jars used for junit testing

ECA-8695 - Security: Upgrade external dependency

ECA-8696 - Update db2jcc4.jar used for jenkins tests

ECA-8700 - Use reflection in CESeCoreUtils to support older version of Java

ECA-8717 - Java 11: ejbca-ws-cli uses endorsed.dirs which is not supported in java 11

ECA-8724 - Upgrade cert-cvc to 1.4.10

ECA-8727 - Documentation: Oracle JDK 8 not listed any longer in prerequisites

ECA-8730 - Fix JUnit, UserFulfillEndEntityProfileTest and CommandLibraryTest tests that fail on Java 11 (due to issues in tests)

ECA-8731 - Remove old commons-httpclient 3.1 and upgrade commons httcomponents to latest stable version

ECA-8733 - Update ConfigImport "known limitations"

ECA-8744 - FindBugs: fix warning about NP_NULL_PARAM_DEREF

ECA-8804 - Security: Upgrade external dependency

ECA-8807 - Change the copyright footer to 2020

ECA-8855 - Automate test ECAQA-128: End Entity Profile - Custom Validity

ECA-8898 - Document known issue related to approval requests after an upgrade to EJBCA 6

ECA-8918 - Documentation: Document support for Cloud HSMs

ECA-8980 - EJBCA Testing: ACME (Continued) Testing

ECA-9011 - Upgrade apache cfx

ECA-9049 - Investigate CRL-related test failures in Jenkins

ECA-9050 - Code cleanup: Remove dead encrypt/decrypt methods in CA

ECA-9079 - Add selecatable head banner with advisory notice and consent warning

ECA-9088 - Grab ClientToolBox test from Git

ECA-9089 - Learn how the current EJBCAClientToolBox test works.

ECA-9090 - Create/Extend JenkinsFile and DockerFile for EJBCAClientToolBox

ECA-9091 - Setup Jenkins Job to run EJBCA ClientToolBox

ECA-9100 - Documentation: update JBoss security about Diffie-Hellman keysize and datasource passords

ECA-9114 - Upgrade jackson databind

ECA-9168 - Regression Test & Automation EcaQa75

ECA-9187 - Add configuration steps for WildFly 18

ECA-9197 - Document how to limit length of DN fields using regexp validation

Improvements

ECA-1758 - Add system tests for caRenewCertRequest (WS)

ECA-4130 - Publishers: Show the publisher type next to the name in the Publishers page

ECA-5912 - Trim spaces and check syntax of CT URLs when they are added

ECA-6284 - Use something faster than java.beans.XMLEncoder/Decoder

ECA-6296 - Limit length of subject DN in RA GUI search results

ECA-6505 - Documentation: Add diagram how CA, CPs and EEPs are related

ECA-7064 - Disallow creation of Peer Connectors with the same name

ECA-7633 - New flag in 'ejbca.sh ca republish' command to list certificates instead of end entities

ECA-7722 - Minor usability improvements on Edit CA page

ECA-7819 - Remove old installation properties and ant targets

ECA-7959 - A user should be able to click a link to be returned to the previous page after error occurs

ECA-8157 - Add back the username field to EEP

ECA-8636 - CT systemtest - Publish precert

ECA-8670 - Allow selenium setup to run with different ManagementCA name

ECA-8672 - Fix trivial warnings in cesecore-common

ECA-8675 - Fix CryptoToken import in configdump

ECA-8694 - Automate ECAQA-155

ECA-8698 - Unclear UI messages for RA CA name in EST alias

ECA-8703 - Trim space for ACME Aliases Add function

ECA-8706 - Refactor CAInterfaceBean and related classes

ECA-8713 - Automate ECAQA-152

ECA-8715 - Optimize Azure Key Vault Crypto Token to not make unessecary REST calls when checking for status

ECA-8716 - Optimize PKCS11 Crypto Token to not make unessecary PKCS#11 calls on deactivated crypto tokens

ECA-8720 - Jenkins: upgrade powermock dependencies for JDK11+

ECA-8721 - Jenkins: EJBCA_JDK_DOCKERS

ECA-8722 - Update cert-cvc library to build with Java 11

ECA-8725 - Optimize render of created/edit CA page to not list all crypto token keys

ECA-8729 - ConfigImport Admin Roles import order

ECA-8738 - Make it possible to run tests within eclipse

ECA-8746 - Add small help text for subject DN field when creating a CA

ECA-8747 - Give error message when trying to import an IS certificate to a DVCA

ECA-8749 - ApprovalProfileSession.removeApprovalProfile throws exception when profile does not exist, does not follow javadoc contract

ECA-8754 - Optimize CaSessionBean.getCAIdToNameMap to use cache

ECA-8755 - Optmize CryptoTokenManagementSessionBean.getKeyPairInfo to not list all aliases

ECA-8758 - Sort "Extended Key Services Specification" dropdown

ECA-8765 - Document in Client Toolbox how to include CESeCoreUtils

ECA-8774 - Fix some NPEs in the log when accessing without proper session

ECA-8775 - Improve output format in CertDistServlet listcerts command

ECA-8783 - Add test case for va publisher data source (Selenium)

ECA-8788 - Inconsistent behaviour between CLI and AdminWeb created CA using CA defined AIA

ECA-8789 - Allow UNUSED data value in databaseprotection.properties

ECA-8793 - Add new HTTP security headers

ECA-8794 - Add HTTP security headers to CertDistServlet

ECA-8795 - Improve error handling in PublicWeb when entering invalid DN

ECA-8797 - The wrong path of a language configuration file in the document

ECA-8801 - Change text uses->allows in configuration checker message about ECC keys

ECA-8809 - Fix formating in CertStoreServletTest and CertFetchAndVerify

ECA-8813 - Show a warning when basic constraints are violated

ECA-8821 - Better error message when trying to sign with an inactive crypto token

ECA-8839 - Allow serial numbers to be entered with colon or spaces also

ECA-8863 - Jenkins jobs improvement

ECA-8865 - Selenium test constantly failing on RA-web

ECA-8872 - Documentation Clarify what multiple issuers in the CAA validator means

ECA-8879 - Create end entity based on UPN in certificate when running "importcertsms" CLI command

ECA-8882 - Improve Swedish translation of the RA web

ECA-8907 - Add validator for SAN field in Create CA page and improve error handling.

ECA-8908 - Update documentation for pre-produced OCSP responses

ECA-8911 - Ability to get version of clientToolBox

ECA-8921 - Automate ECAQA-113

ECA-8924 - Automate ECAQA-116

ECA-8926 - Add delete method in OcspDataSession bean.

ECA-8930 - The Save button in the RA web edit end entity page should be located at the bottom

ECA-8932 - Document improvement in CRL Behaviour after CA Revocation

ECA-8936 - Revise the OcspResponseData table and primary key.

ECA-8943 - Public key blacklist should handle Debian blacklist format

ECA-8958 - Modify CmpRAUnidTest to run without the Unid datasource

ECA-8961 - Improve debug logging for approvals to easily see type

ECA-8975 - Code cleanup: Encode EC keys generated by a Pkcs11NgCryptoToken without explicit params first

ECA-8977 - Add sample token properties to changecatoken CLI command to make it easier to use

ECA-8996 - Code cleanup: Azure crypto token

ECA-8997 - Code cleanup: AWS KMS crypto token

ECA-8999 - Add cabforganizationidentifier as argument to WS cli

ECA-9003 - Code cleanup: OidsObjectLinkedHashSetConverter and write unit test

ECA-9027 - Check that all certificate/end entity profile pairs have at least one usable CA

ECA-9032 - Configurable time before expire for Ocsp Response Presigner

ECA-9033 - Improve JPQL query for getting expired responses

ECA-9034 - Support SHA1 and SHA256 hashes for Pre-produced OCSP responses

ECA-9035 - Upgrade to BC 1.65

ECA-9036 - Increase column size of subject DN and subject email for MySQL/MariaDB

ECA-9041 - SCEP: Debug log message encryption algorithms

ECA-9045 - Enable legacy browser enrollment in IE11 on Windows 10

ECA-9058 - On-demand setting for OCSP pre-production

ECA-9067 - Improve CryptoToken Config: Verify Auto-Activation Codes

ECA-9070 - Add support for CAs using SHA256WithDSA

ECA-9096 - Peer publisher for OCSP response data

ECA-9097 - Show only relevant curves/key sizes on certificate profile page

ECA-9098 - Retrieving curves and algorithms on RA web needs to be optimized

ECA-9107 - Add peering configuration capability to CLI to support scripting external VA/RA

ECA-9113 - CLI ca importcertdir command should use random password

ECA-9123 - Don't check key length is we have allowed Ed25519 or Ed448

ECA-9124 - Add "Cache-control" header to HTTP POST OCSP responses.

ECA-9131 - Clean-up job for expired OCSP Responses

ECA-9132 - Support Archive Cutoff for pre-produced OCSP responses

ECA-9135 - Improve documentation about allow.external-dynamic.configuration in ejbca.properties and cesecore.properties

ECA-9139 - Trigger OCSP Response Publisher on generation

ECA-9160 - Allow CLI upgrade command to run post-upgrade automatically

ECA-9162 - Allow to store pre-produced OCSP responses in response to requests with Nonce, if response does not have Nonce

ECA-9186 - Make new XmlSerializer code locale insensitive and deterministic

ECA-9189 - Allow OCSP Response Pre-Signer to only do Final Responses

ECA-9208 - Don't render OCSP Pre Production in EJBCA CE

Bug Fixes

ECA-1691 - Reject issuance if both notBefore and notAfter are in the past

ECA-2052 - Country code in Subject DN of CVC CA is case sensitive

ECA-2068 - Export CA key Store with incorrect password shows an exception on the screen

ECA-4155 - Check if RoleMember matched by X.509 certificate has a plausible CA and certificate serial number combination

ECA-4363 - Use different return codes for importprofiles CLI command

ECA-4735 - Unify appearance in "Edit CA" page between "CA life cycle" and "Externally signed CA creation/renewal"

ECA-5704 - Extended Key Usages / Prevent user from adding same Label for different OIDs

ECA-5705 - Extended Key Usages / Adding new Label with an existing OID replaces the old one without any error

ECA-6113 - SAN with escaped commas (e.g. in directoryName) is not displayed correctly

ECA-6189 - Subject DN e-mail field and EE e-mail field conflated in the RA

ECA-6770 - Extra slashes introduced on links from some admin web pages

ECA-7060 - Handle invalid input on 'Approval Profiles' page

ECA-7072 - Long text input in field validation of Manage Data Source page causes crash

ECA-7299 - Unit tests require PKCS#11 "slot 1" to exist and do not work with SoftHSM

ECA-7333 - It is possible to add Internal Key Bindings without a name

ECA-7678 - 'Close' button not functioning under 'Roles and Access Rules' page

ECA-7733 - Security hardening

ECA-7739 - Using a certificate profile template does not select the correct fields

ECA-8049 - Treat Subject Directory Attributes the same way as Subject DN.

ECA-8146 - OCSP signer renewal via peers not working for throw-away CA

ECA-8233 - "invalid use of tag" warnings from Javadoc for WS exceptions on JDK 11

ECA-8237 - Getting "XML Parsing Error: no root element found" when clicking "View Older" in View Certificate popup

ECA-8376 - RA Web doesn't build in CE.

ECA-8496 - Document how to prevent BouncyCastle not being loaded by an EJBCA classloader

ECA-8659 - Error message is not displayed in Audit Log UI page when database protection fails to verify

ECA-8679 - Security issue

ECA-8680 - Index recommendation will not allow use of partitioned CRLs

ECA-8687 - Fix selenium test failures due to wrong Certificate Profile save message

ECA-8689 - Enable /administrator when granting access to the WS protocol over peers

ECA-8690 - Import of IKB doesn't set bound cert Id

ECA-8691 - Add upgrade notes for ECA-8679

ECA-8697 - Audit log menu item visible on some pages even if the audit log is disabled

ECA-8707 - Key sequence ignored when renewing CA

ECA-8711 - Regression: Cannot change "Signed by" option for CAs in Uninitialized state

ECA-8712 - No alias for key purpose 0 error when editing external CA

ECA-8714 - Use CRL partitions should not be rendered for External CAs

ECA-8719 - 'Make New Request' on 'RA Web' on 'Clean Installation' results in StackOverflowError

ECA-8723 - cert-cvc should use Bouncy Castle provider for verification of CVCAuthenticatedRequest

ECA-8728 - TestDatafields in cert-cvc fails if clock is 00:00-00:59

ECA-8734 - Incorrect warning of ConfigExport/Import SCP Publisher

ECA-8735 - Some system tests fail if ManagementCA is called something else

ECA-8736 - HealthCheckTest.testAuditLogHealthCheck does not restore databaseprotection.keyid.AuditRecordData

ECA-8737 - change/addUser should throw a proper error message instead of NPE when changing a user to a non-existing EE profile

ECA-8739 - NPE when importing brainpoolP256r1 DVCA certificate

ECA-8742 - Delete tests leave crypto tokens left behind by system tests

ECA-8743 - KeyGenParams is not serializeable

ECA-8752 - CA message handlers may throw NPE instead of CADoesntExistsException when CA does not exist

ECA-8756 - ClassCastException on Wildfly 14 when saving a certificate profile with "Subject DN Subset" enabled

ECA-8757 - CaImportCACommand doesn't activate KeyRecoveryCAServiceInfo

ECA-8759 - Unclear error message CA/B Forum Organization Identifier is blank or missing

ECA-8761 - Certificate Extensions not enabled in the Certificate Profile give no error

ECA-8766 - Certificate pinning for Authentication Key Bindings is not working if the pinned certificate is not in the database

ECA-8772 - Minor security issue

ECA-8773 - Security issue

ECA-8777 - Security issue

ECA-8778 - WS request with missing required extension field can still be issued

ECA-8779 - WS request with extension field that is in CP but not EEP can be issued

ECA-8780 - KeyRecoverySessionBean.addKeyRecoveryData does not return false is data already exists

ECA-8782 - ServiceSession logs incorrect administrator when editing a service

ECA-8785 - Statedump import fails when there is an unconfigured EST alias

ECA-8786 - Making a CVC WS request can fail if there is an unitialized CVCA

ECA-8791 - Cannot search by year 2020 in Admin Web

ECA-8796 - Sometimes wrong default setting for "Send notification" in the RA, when notifications are enabled

ECA-8799 - Regression: Wrong JKS is downloaded in the "CA Certificates & CRLs" page

ECA-8803 - NPE in Admin UI if script publisher configured and after that external scripts are disabled

ECA-8811 - CVCA link certificate has wrong validity

ECA-8816 - 'Remove from CRL' should be removed from 'Revocation Reason' list

ECA-8819 - Cannot use 7.x RA with 6.15 CA

ECA-8823 - Bad default CRL parameters when importing CA

ECA-8832 - Create button enabled while viewing CA non privileged.

ECA-8858 - Test failure in ConfigdumpCertificationAuthorityUnitTest

ECA-8859 - CA does not get selected on Add End Entity page load, test failure in EcaQa59_EEPHidden

ECA-8861 - Strip key alias when creating new keys

ECA-8864 - I cannot download generated certificate request as PEM or DER. An exception has occurred.Server returned: 500

ECA-8869 - Fix duplicate/ambiguous network name on old Jenkins jobs

ECA-8870 - Fix selenium tests jobs of Domain Blacklists on Jenkins

ECA-8871 - Test EcaQa5_AddEndUserEndEntity fails due to changing element IDs and incorrect profile

ECA-8873 - No certificate profile specified in EcaQa202_NegativeBlacklistExactMatch test

ECA-8874 - EcaQa77_EndEntitySearch is sensitive to the environment

ECA-8880 - UpdatePublicKeyBlacklistCommandTest contains empty folder in resources, which fails with GIT

ECA-8881 - Empty POST to /.well-known/est/simpleenroll results in NullPointerException

ECA-8884 - PKCS#11 CP5 Cryptotoken type displayed even if no libraries are configured

ECA-8885 - HealthCheckTest fails on Community Edition

ECA-8888 - Test failures in Selenium jobs due to port conflict

ECA-8890 - Certificate Validator ignores profile settings

ECA-8893 - ServiceLocatorException on approval/notification when mail is not configured

ECA-8900 - The wrong certificate profile is edited when opening two certificate profiles in different tabs/windows

ECA-8910 - Jenkins Oracle DB is missing indexes, which causes failures

ECA-8912 - No remote key bindings listed on CA when any keybinding references a non-existent key

ECA-8915 - Usability: Verify allowed characters in key aliases when generating keys in using Azure Key Vault REST API.

ECA-8916 - Fix Jenkins test failure in EcaQa76_AuditLogSearch

ECA-8917 - Pre-sign Certificate Validator gives error when using ECDSA and a CA using HSM

ECA-8925 - Fix timing sensitivity in CTLogTest

ECA-8942 - Web Services - DN Merge Issue with Multiple OU Fields

ECA-8948 - Avoid NPE when no CA configured in EST alias

ECA-8955 - SCEP renewal should give nice error message when renewal cert does not exist

ECA-8956 - SCEP RA mode should not log on error level for normal handled error cases

ECA-8957 - Fingerprints not normalized on public key blacklist import

ECA-8959 - Public EC keys generated by a Pkcs11NgCryptoToken are always using explicit EC parameters

ECA-8960 - Regression: throwing checked Exceptions from postConstruct is not allowed in JEE spec

ECA-8985 - Certutil dump file created in Windows cannot be read by 'ejbca.sh ca importcertsms'

ECA-8989 - Unable to upload a zip with custom CSS files

ECA-8993 - CMP response message with PBE protection does not include configured extra certs

ECA-9012 - 'General Settings' Help/Documentation link 'Edit Validator' page is broken

ECA-9015 - Import Help/Documentation is broken under System Configuration/Custom RA Styles

ECA-9024 - AJAX for associating an RA style with a role is broken

ECA-9025 - Weird error message when certificate profile cannot be removed

ECA-9028 - Validators Help/Documentation link is broken under Edit CA page

ECA-9029 - Approval request not done by cert authenticated admins shows blank in Requested By

ECA-9030 - Improve audit logging for custom RA styles

ECA-9038 - NPE clicking Receive Certificate Response in Edit CA screen, if nothing is uploaded

ECA-9048 - Some languages not working for subject DN when viewing certificates in CA GUI

ECA-9060 - Adding a new label with a existing OID does not give you any error/message.

ECA-9064 - Prevent inactive CmsCAService to try to load keystore

ECA-9069 - Some CA lists in services are not sorted

ECA-9071 - Regression - 2 Edit buttons displayed in RA Web End Entity Details page

ECA-9073 - Approvals can't be edited by admin

ECA-9078 - Documentation link for Enable End Entity Profile Limitations? is broken

ECA-9080 - Documentation link for 'Create Authenticated Certificate Signing Request' is broken

ECA-9082 - 'ETSI PSD2 QC Statement' Documentation link refers to the wrong page

ECA-9086 - Missing documentation for CA/Browser Forum Organization Identifier

ECA-9103 - Ed448 and Ed25519 not supported in RA UI and Public Web

ECA-9104 - Edit end entity can log the wrong changed DN if DN merge is used

ECA-9106 - Regression: Unable to submit to CT logs

ECA-9109 - Regression: RA GUI: Regardless of the format chosen the downloaded certificate is always a PKCS12 certificate.

ECA-9110 - EJBCA adminweb is not accessible after configuring "Custom Publisher"--An exception has occurred. For input string: "60000"

ECA-9111 - Regression: EJBCA CA key renewal service does not work on subCAs

ECA-9112 - Selenium Tests in Jenkins

ECA-9125 - Avoid that upgrade adds duplicate OCSP extension that already exists

ECA-9126 - Methods to delete Ocsp Responses fail

ECA-9128 - Regression: Peers cannot deserialize TreeMap

ECA-9129 - Custom extensions cannot be deserialized by EJBCA

ECA-9130 - Regression: can not change CVC terminal type in CA UI

ECA-9136 - RaMasterApi reports wrong API_VERSION

ECA-9137 - Regression: Not possible to activate rollover renewal, CA rollover cert activation is not rendered in Admin UI

ECA-9138 - Documentation link broken in Edit Publisher 'Publisher Queue' section

ECA-9143 - NPE editing SCEP alias after rename of end entity profile and SCEP alias list items are not sorted

ECA-9150 - Audit Log page error

ECA-9152 - Some certificates are missing when downloading a JKS chain

ECA-9153 - Always close SSH connections created by the SCP publisher

ECA-9154 - Regression: can't edit ICAO document type list in adminweb

ECA-9157 - OCSP audit and account logging does not work when serving pre-produced responses

ECA-9159 - NJI11ReleasebleSessionPrivateKey always assumes RSA

ECA-9166 - Class was not found on classpath

ECA-9167 - Typo error in ORM mapping for ApprovalData

ECA-9170 - SecureXmlDecoder cannot deserialize enums created in Java 6

ECA-9172 - Rollover of expired CA will not make it active due to CRL generation failure

ECA-9174 - NPE in configuration checker if certificate profile linked from end entity profile does not exist

ECA-9178 - HealthCheckServlet is trying to create a "filename.properties" with no path

ECA-9181 - Deleting token used for 'Force Local Key Generation' breaks Basic Configurations page

ECA-9188 - Don't persist responses with status 'Unknown'

ECA-9190 - NullPointerException in Statedump when a non-existent publisher is still in use

ECA-9192 - Not possible to add additional CA certificates to CMP response

ECA-9200 - Regression: Several ajax calls on certificate profile page broken

ECA-9202 - Statedump support for the Google Safe Browsing Validator

ECA-9204 - It is possible to rename a CA with no name

ECA-9205 - NPE when testing the connection of a VA Peer Publisher referencing non-existing peer system

ECA-9207 - Regression: Created CVC Authenticated requests can not be downloaded in Admin UI