EJBCA 6.0 Release Notes

The PrimeKey EJBCA team is pleased to announce the feature release EJBCA 6.0.

The following covers information on new features and improvements in the 6.0.x releases:

Read the EJBCA 6.0 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 6.0


EJBCA 6.0.0 is the latest major release of EJBCA, and both introduces and redefines a number of core concepts.

Main Changes

  • The concept of Crypto Tokens has been introduced in order to separate CAs from the keys tied to them. Crypto Tokens allow for reuse of keystores between CAs or for other services like OCSP, and make configuration of keystores, both hard and soft, far simpler.
    For additional information see Admin Guide and http://blog.ejbca.org/2013/08/whats-new-in-ejbca-6-part-1-crypto.html

  • CMP is now fully configurable in the Admin GUI, and you can simultaneously use multiple different CMP configurations, called CMP aliases.
    For additional information see Admin Guide and http://blog.ejbca.org/2013/09/whats-new-in-ejbca-6-part-2-cmp-aliases.html

  • There is a new concept of Internal Key Bindings to bind a Crypto Token to a certificate for different usages, OCSP signing and TLS authentication.
    For additional information see User Guide and http://blog.ejbca.org/2013/10/whats-new-in-ejbca-6-part-3-internal.html

  • The merging of EJBCA and VA deployments. VA deployments are no longer anemic versions of EJBCA, instead all VA functionality has been merged into EJBCA proper. This for a single installation procedure, and for a machine to function as a CA and a VA simultaneously.

Other Noteworthy Changes

  • Internal OCSP services are no longer configurable from the CA, but are instead automatically set up and always active.

  • OCSP code has been brought up to CESeCore standard

  • The installation work-flow and ant targets have changed to be more logical for deployment and installation.

  • 'Certificate Request History' is now disabled by default for new CAs.

  • PKCS11 crypto tokens can now be managed by slot label (in addition to slot number and index)

  • JBoss 7.1 and EAP 6 are now supported

  • Java 7 is now the default recommended Java version.

Minor Changes

  • The term 'Admin Group' has been mostly purged and replaced with 'Role', as has the term 'User' been replaced by 'End Entity'

  • Changes to certificate profiles:

    • The PKIX QCSyntax-v1 identifier from RFC3739 has been removed and will never be generated.

    • If "PKIX QCSyntax-v2" in the Certificate Profile is unchecked, no QCStatement with QCSyntax will be generated (new behavior).

    • If "PKIX QCSyntax-v2" in the Certificate Profile is checked, a QCStatement with PKIX QCSyntax-v2 will be generated (same as before).

  • The default management CA has been renamed from AdminCA to ManagementCA.

  • Many many minor features, improvements and bug fixes (over 300 issues are resolved for this release)

Known issues

  • Other Rules for Supervisor role is not cleared is previously selected for another role type: ECA-3297

  • One test failure on DB2: ECA-3298

  • OCSP request signer verification does an additional database lookup: ECA-3299

EJBCA 6.0.1


This is a maintenance release with bug fixes and improvements.

  • Improve statedump command (Enterprise).

  • Fix bug causing OCSP healthcheck to always return error.

  • Minor security fix and improvement.

EJBCA 6.0.2


This is a maintenance release with bug fixes and improvements.

  • Fix some issues with, and improve, OCSP signing cache reloading.

  • Fix rotation of safer log4j logs.

  • Support returning revoked for non issued certificates, instead of unknown (RFC6960).

  • Minor CMP improvements, including full chain in responses and improve GUI.

EJBCA 6.0.3


This is a maintenance release with bug fixes, new features and improvements.

Noteworthy Changes

  • Support for OCSP extended revoked status compliant with RFC6960.

  • Ensure OCSP RFC5019 responses with unknown response code are not cached, compliant with CABForum discussions.

  • Add OCSP archive cutoff date for expired certificates.

  • Speedups starting the Command Line Interface.

  • Bug fixes for Internal Key Bindings.

Known issues

  • Cannot deploy with web-services disabled: ECA-3361

  • Deployment on Windows does not work due to jboss-cli.bat arguments differing from jboss-cli.sh

  • One test failure on DB2: ECA-3298

  • OCSP request signer verification does an additional database lookup: ECA-3299

EJBCA 6.0.4


This is a maintenance release with new features, bug fixes and improvements.

The biggest news in this release is support for Certificate Transparency in EJBCA Enterprise.

Apart from that all issues reported from installations of EJBCA 6.0.3 has been fixed.

One of the fixes is a security fix. The security issue is rated as low, and can lead only to excessive CPU usage, if exposed to untrusted networks.

Noteworthy Changes

  • Support for Certificate Transparency, RFC6962 (EJBCA Enterprise only).

  • Support for JBoss EAP 6.2 that changed default behavior when creating datasources.

  • SCEP GetCACaps command now works from iOS.

  • Ensure that OCSP RFC5019 responses with nonces are not cached.

  • Minor Command Line improvement.

  • Fixed most issues reported from installations of EJBCA 6.0.3.

Read the full Changelog for details. For upgrade instructions, please see UPGRADE.

Known issues

  • One test failure on DB2: ECA-3298

  • OCSP request signer verification does an additional database lookup: ECA-3299

  • Deployment on Windows does not work due to jboss-cli.bat arguments differing from jboss-cli.sh (half fixed some remaining)

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 6.0.0-6.0.4, refer to our JIRA Issue Tracker.

Issues Resolved in 6.0.0

Released on 8 November 2013

Bug Fixes

[ECA-1015] - A ' is valid in an email address - but gets stripped by EJBCA.
[ECA-1640] - Sample code for advanced custom extension missing some arguments
[ECA-1947] - LDAPPublisher have problems with comma in DN
[ECA-2144] - ExtRA PKCS10Request does not set user status to FAILED after failed requests
[ECA-2150] - SignSessionTest.test37privateKeyUsagePeriod_both fails randomly
[ECA-2159] - Password not cleared issuing keystores
[ECA-2200] - CA defined certificate policy ignored when renewing CA
[ECA-2330] - Build failure for External RA with OpenJDK if JavaScript is not available
[ECA-2365] - OCSPCAService upgrade on every startup
[ECA-2393] - Create Certificate Authority Page only gives blank page on wrong validity input
[ECA-2442] - Multiple selectable email addresses in rfc822 altName gives wrong display in edit end entity
[ECA-2477] - Import CA does not generate initial CRL
[ECA-2527] - Wrong exception thrown in HardTokenSessionBean for some errors.
[ECA-2534] - Regression: Not checking that the administrator has the role defined in the hard token issuer any more.
[ECA-2547] - clientToolBox StressTestCommand always logs an error when a certificate is returned
[ECA-2669] - Still possible to create DECLINE RECURSIVE rules in CLI
[ECA-2689] - Misleading error message in JBoss log while trying create a sub CA from the CLI when the root CA is offline.
[ECA-2719] - Download of certificates from Admin GUI fails in Chrome when using "strange" usernames
[ECA-2734] - OCSP rekeying not implemented in trunk yet.
[ECA-2794] - EJB and WS CLI have bad type outputs
[ECA-2815] - OcspExtensionsCache should be made thread safe
[ECA-2834] - Unhelpful error message when changing permission rules for non-existing end entity profile in CLI
[ECA-2860] - Default CRL overlap time is set to 10 hours instead of 10 minutes for imported CA
[ECA-2863] - CMP FailInfo codes are sent as incorrect codes
[ECA-2865] - rfc822Name field can be edited when adding new end entity even if not marked as modifiable
[ECA-2877] - ant test:run breaks installation. Figure out why and fix
[ECA-2894] - Messing up the Validity field in Certificate Profiles gives no warning
[ECA-2905] - PrivateKeyUsagePeriod not matching notBefore of certificate when using validityOverride
[ECA-2914] - Filename of downloaded keystore file is truncated
[ECA-2918] - Clear all caches gives bad error message when host can not be reached
[ECA-2921] - Deprecate InitializeHardTokenIssuing
[ECA-2923] - JUnit class junit.framework.Assert has moved to org.junit.Assert
[ECA-2934] - Revoking a CA revokes all issued certificates, but with fixed reason
[ECA-2940] - Ant target test:runsys broken
[ECA-2952] - Update to new logo in renewal pages
[ECA-2958] - Wrong comments about PrimeCard
[ECA-2961] - Button for viewing CA certificate chain has incorrect text
[ECA-2964] - Native query mapping using MariaDB
[ECA-2977] - ProviderException not handled in BaseCryptoToken
[ECA-2989] - AccessTreeCacheTest can fail if reading the configuration takes too long time
[ECA-2994] - Broken property "xkms.response.causedforsigning" in defaultvalues.properties
[ECA-2996] - Update/set CryptoToken auto-activation PIN from EJB CLI
[ECA-3024] - Error during startup with integrity protected audit disabled
[ECA-3031] - Support EC key generation with ClientToolBox
[ECA-3035] - CA and CryptoToken creation not handled in a transaction.
[ECA-3036] - Cryptotoken prevents a CA to be created with the same name as a previous one.
[ECA-3046] - Help reference for Windows Autoenroll broken
[ECA-3052] - Minor authorization issue
[ECA-3054] - OcspResponseGeneratorSessionBean merely logs a failed signature attempt
[ECA-3056] - Issue PEM with full certificate chain from Public Web certificate request
[ECA-3057] - CryptoTokenManagement logs success deletion even if no crypto token is deleted
[ECA-3058] - CryptoTokenManagement logs success before action is tried
[ECA-3061] - Clean-up CAInterface bean and dependencies
[ECA-3065] - NPE: Inactive (including unsigned) CAs should be ignored by the OCSP Signing Cache
[ECA-3072] - Cmp default CA setting is DN in one place and CA name in another
[ECA-3074] - CMP TCP sets log level to FINEST for JBoss 7/EAP6
[ECA-3079] - Close all existent resource leaks
[ECA-3087] - 'bin/ejbca.sh ca info <unknownca>' tosses stacktrace instead of helpful error message
[ECA-3088] - Test missing for creating a subca from CLI
[ECA-3096] - 'ra finduser' command outputs password as 'null' if hidden.
[ECA-3098] - Regression: Home screen in Admin GUI shows online CAs to be offline for some roles.
[ECA-3101] - Regression: RequestMessage.getRequestX500Name returns SERIALNUMBER instead of SN
[ECA-3103] - Test failures because of left over stuff in database
[ECA-3107] - Investigate strange output from OCSP
[ECA-3111] - JBoss 7 / EAP 6 always binds to 127.0.0.1
[ECA-3113] - JBoss 7: Can't run ant install on HS with blank password
[ECA-3115] - JBoss EAP 6 freezes with WS stress test with 30 threads
[ECA-3117] - client toolbox p11 multi thread test fails when slot is given with TOKEN_LABEL.
[ECA-3121] - Regression: OCSP signing cache may fail to load on startup
[ECA-3129] - Keystore is used instead of truststore for validating client certificates
[ECA-3131] - Encode EC private keys in generated PKCS#12 keystores with NamedCurves
[ECA-3134] - JBOSS 7 / EAP 6 fails in deployment
[ECA-3138] - External RA IE cert enroll ignoring (override) of encryption provider selection
[ECA-3141] - Regression: ECA-3056 introduced a dependency on EJBCA in CESeCore code
[ECA-3142] - Regression: ECA-2973 introduced a dependency on EJBCA in CESeCore code
[ECA-3143] - Regression: ECA-3056 introduced an other dependency on EJBCA in CESeCore code
[ECA-3176] - Regression: Keys possible for CA renewal are only RSA
[ECA-3177] - Data is not validated before being passed to org.bouncycastle.util.encoders.Base64.decode in findActiveCertificatesByType
[ECA-3183] - Healthcheck failure when there are not active OcspKeyBindings
[ECA-3184] - JBOSS7 /EAP 6 fails in installation
[ECA-3186] - Regression: Custom certificate extensions added to certextensions.properties
[ECA-3188] - Document Internal Key Bindings
[ECA-3197] - ClientToolBox requires that CA certificate be included CSP response in order to verify
[ECA-3200] - Healthcheck status is enabled when editing a CA
[ECA-3203] - Disable of CryptoToken auto-activation takes token offline
[ECA-3207] - Regression: add-hoc upgrade of PKCS#11 keystore on VA responder not working
[ECA-3209] - Regression: OCSP default responder configuration uses subject instead of issuerDN
[ECA-3212] - Internal Key Binding certificate link has caid=0
[ECA-3213] - Regression: CA healthcheck does not check token status
[ECA-3215] - Roles renamed with RoleManagementSessionBean.renameRole get wrong primary keys
[ECA-3219] - OcspKeyBinding contains values that become cast to BigDecimals instead of Integers
[ECA-3220] - Regression: Reload OCSP signing cache uses wrong timer property, and a value of 0 makes timers go crazy
[ECA-3221] - Can't edit an OCSPKeyBinding without filling Serial Number (for Trusted Certificates) field.
[ECA-3223] - When new CA is generated with soft keys, unwanted warnings appear in jboss log
[ECA-3224] - Trying to create Internal Key Binding without crypto tokens gives NPE
[ECA-3227] - DirectoryCache should catch errors in initialization
[ECA-3234] - Hard Token Functionality header printed twice
[ECA-3235] - Unwanted warning in jboss-log when we create keys through AdminGUI
[ECA-3237] - cmpTcpProxy fails to start, missing defaultvalues.properties
[ECA-3239] - InternalKeyBindings with a deleted CryptoToken throw NPE when trying to view/edit
[ECA-3242] - Errors in jboss log when 'ca createcrl' and some CAs are not active
[ECA-3246] - Unwanted warning in jboss-log when running AuthenticationModulesTest
[ECA-3251] - Activating/deactivating CA logs as Crypto Token activated/de-activated
[ECA-3266] - EndEntityManagementSession.addUser throws a strange exception
[ECA-3269] - Unwanted warning in jboss-log when running XKMSKRSSTest
[ECA-3270] - Test 'testPublisherOperations' fails when running EjbcaWsCommonCriteriaTest
[ECA-3271] - External CESeCore configuration override is read from the wrong location
[ECA-3274] - Unwanted warnings in jboss-log when running RAApiTest
[ECA-3276] - Unwanted error in jboss-log when running CrmfRARequestTest
[ECA-3277] - Unwanted warning in jboss-log when running NestedMessageContentTest
[ECA-3279] - Fix issues in OCSP TransactionLogger
[ECA-3280] - Upgrade instructions need to be updated for JBoss 7 / EAP 6.1
[ECA-3281] - Fix upgrade message from 4.x to 6.0
[ECA-3284] - ValueExtractor fails for ApprovalId Integer in DB2
[ECA-3286] - Browser enroll Firefox does not take configured encoding into account
[ECA-3287] - OCSP signing exhausts threadpool after some time
[ECA-3288] - Saving "Other rules" when edit access rules does not work
[ECA-3294] - Security issue
[ECA-3300] - OCSP Transaction Logger outputs a newline between each log entry

Improvement
[ECA-519] - Move configuration file from bin/ to conf/
[ECA-786] - Email notification cannot be edited correctly
[ECA-1010] - Simplify installation procedure
[ECA-1398] - Enforce PrivateKeyUsage period when CAs issue certificates
[ECA-1594] - HashCode of Subject/Issuer DN in a certificate is not always the same as CA Id
[ECA-1814] - Make non consecutive ID possible for Extended Key Usage
[ECA-2023] - Trim the values in catoken.properties when importing a CA from CLI
[ECA-2049] - Constants in CertificateHelper should be final
[ECA-2164] - test01PinServiceToNodesIncludingThis is failing randomly
[ECA-2208] - Move authorization for hard tokens into hard token session bean and remove authorization caching.
[ECA-2225] - server TLS for mail requires manual configuration
[ECA-2367] - Refactor CrlCreateSession for CRL publishing
[ECA-2492] - Improve mysql-privileges script to allow users at different hosts etc
[ECA-2500] - Upgrade to BC v1.47
[ECA-2510] - Move methods in PublisherQueueSessionBean to local only.
[ECA-2528] - Clean SecConst
[ECA-2540] - Improve support for ipv6 in subjectAltNames
[ECA-2545] - SCEP GetCaCert operation doesn't support empty message
[ECA-2554] - CMP: Need better error message when a request is not signed by the sender
[ECA-2558] - Improve the run times of some system tests
[ECA-2561] - CMP: Remove repeated code to return the value cmp.authenticationparameter
[ECA-2565] - Move CliAuthenticationToken to authentication component
[ECA-2566] - Disallow server generated tokens when user submits a CSR in public web
[ECA-2568] - CMP: improve ConfirmationMessageHandler
[ECA-2582] - Make an enum for end entity types
[ECA-2623] - Use new BC API for CRL creation.
[ECA-2628] - Use BC CMP classes instead of Novosec
[ECA-2641] - Use BC 1.47 OCSP classes
[ECA-2680] - Clean HardTokenSessionBean of unnecessary AuthenticationToken parameters.
[ECA-2683] - Clean authorization handling in AdminPreferenceSessionBean
[ECA-2684] - Clean authorization in CertReqHistorySession
[ECA-2685] - Clean authorization in KeyRecoverySessionBean
[ECA-2686] - Clean Authorization in ServiceSessonBean
[ECA-2692] - Handle HSM timeouts - handle timeouts elegantly.
[ECA-2725] - CAInfo.setValidity should have long parameter
[ECA-2752] - Deprecate and stop using UserDataConstants. Use EndEntityConstants instead
[ECA-2757] - Add more getters and setters and null checks, use Lists instead of Collections where needed.
[ECA-2793] - Improve javadoc for RoleManagementSession
[ECA-2800] - Move OCSPUnid* classes from org.ejbca.core.protocol.ocsp to org.ejbca.core.protocol.ocsp.extension.unid
[ECA-2807] - Remove PrimeCardHSM references from documentation
[ECA-2821] - Increase concurrency in stand alone tests
[ECA-2826] - RoleManagementSessionBean requires additional authorization checks
[ECA-2840] - ant javatruststore -Dtrust.keystore parameter is treated relative to the ejbca/bin/ directory
[ECA-2857] - EndEntityAccessSession.findUserBySubjectAndIssuerDN should return a List
[ECA-2864] - Change the wording for the E-mail Domain option in end entity profiles
[ECA-2879] - Add custom serialno test test that fails when there is no unique index
[ECA-2895] - Provide ability to provide the administrator password through file for new admins roles GUI with CLI user
[ECA-2903] - Simplify AuthenticationToken framework
[ECA-2908] - Support ECC for CMP signature protection
[ECA-2917] - Rename AdminCA1 to ManagementCA
[ECA-2941] - Unclear description of CRL publishing conditions in Validation Authority Publisher
[ECA-2943] - Modularize the CESeCore source tree
[ECA-2948] - Improve handling of default profiles when using CMP RA mode
[ECA-2957] - Add known PKCS#11 libraries as default available
[ECA-2965] - Allow password to be supplied via command line for clientToolBox PKCS11HSMKeyTool generate
[ECA-2970] - Log remote IP for ADMINISTRATOR_LOGGED_IN events and web service access
[ECA-2978] - Database connection problems can give stacktrace with no msg
[ECA-2986] - Property for hiding manual classpath entry from custom publishers and services
[ECA-2987] - Add debug logging in AccessTreeCacheTest
[ECA-3016] - Ugly errors creating CA with CLI when CryptoToken or CA already exists
[ECA-3018] - Exception classes should end with "Exception" not "Error"
[ECA-3020] - Fix tests using incorrect values for CRL settings
[ECA-3022] - Turn of autocompletion of password on public web
[ECA-3026] - Have parameters outputted from localized messages even if not found
[ECA-3027] - Improve CMP configurations possibilities
[ECA-3028] - Make possible using custom CMP configurations through alias in the URL
[ECA-3030] - Make possible to edit CMP configurations in the AdminGUI
[ECA-3033] - Upgrade BC from 1.49b01 to 1.49b15
[ECA-3062] - Simplify certificate enrollment page
[ECA-3064] - Disable CertReqHistory by default for new CAs
[ECA-3069] - Replace deprecated class org.bouncycastle.jce.PKCS10CertificationRequest with org.bouncycastle.pkcs.PKCS10CertificationRequest
[ECA-3091] - Detect browser directly instead of using of via the log-in page
[ECA-3093] - Re-sort menu options in Admin GUI alphabetically
[ECA-3094] - Update nomenclature in CLI
[ECA-3099] - Add a "result page" after certificate enrollment has been performed
[ECA-3102] - Public Web: rename password to enrollment code
[ECA-3104] - Default key length for batch generation should be 2048, not 1024
[ECA-3105] - Introduce ability of not having any QC statements in the QC extension in certificate profile configuration
[ECA-3106] - Keylength defaults should be 2048 not 1024
[ECA-3108] - Encoding of MS Certificate Template Name extension should be BMPString
[ECA-3112] - Limited admins in admin GUI spams with INFO logs
[ECA-3136] - Support listing of PKCS#11 slots in the AdminGUI by token label
[ECA-3145] - Clean up left overs of EJBCA OCSP code
[ECA-3166] - Use better wording for Certificate Request Data in Admin GUI
[ECA-3175] - Clear All Caches button should also clear GUI session cache
[ECA-3189] - CMP: Read the CA from the relevant End Entity instead of from the request or cmp.defaultca
[ECA-3190] - CMP: Enforce configuration of EndEntityCert authentication module for KeyUpdate request
[ECA-3191] - CMP: Improve the conditions and readability of CMP authentication modules
[ECA-3206] - CMP: Remove PBE authenticating of ConfirmMessage
[ECA-3218] - OCSP cache update logs access control
[ECA-3243] - Editing Internal Key Bindings is slow
[ECA-3244] - Error message about OCSP key renewal although renewal is disabled
[ECA-3245] - Clean up and format the UPGRADE document
[ECA-3247] - Unwanted warning in jboss-log when running CrmfRAPbeRequestTest
[ECA-3254] - Unwanted warning in jboss-log when running CmpRaThrowAwayTest
[ECA-3257] - Exception cancelling already cancelled OCSP renewal timers
[ECA-3259] - unwanted warning in jboss-log when running ProtocolOcspSignedHttpTest
[ECA-3262] - Make saving global and cmp configuration safe
[ECA-3263] - Allow AnyCA to be the only selected available CA in EEPs
[ECA-3285] - Datasources should have validate-on-match=true in order to reconnect from failures

Master Ticket
[ECA-3049] - Optimize trunk
[ECA-3116] - Possibility to Export/Import all CA configurations (a.k.a "The Great Dump")
[ECA-3252] - CMP log fixes for CC test plan
[ECA-3261] - Master ticket for OCSP log tickets

New Feature
[ECA-862] - Command for ascii/XML dump of CA installation
[ECA-1866] - WS-API to get last CRL for a CA
[ECA-1998] - Support for GOST R digital signature and hash algorithms
[ECA-2066] - Support for JBoss 7.1 and EAP 6
[ECA-2621] - cert-cvc: upgrade to work with BouncyCastle (BC) v1.47
[ECA-2691] - Handle HSM timeouts - allow creation of pure keepalive services from GUI/CLI
[ECA-2722] - Validation/conformance tool for certificates and OCSP responses
[ECA-2780] - Integration of DSTU4145-2002 in EJBCA
[ECA-2801] - Manage HSM keys from web GUI
[ECA-2881] - Ukrainian translation of admin GUI
[ECA-2926] - External RA GUI and SCEP deploy on JBoss 7
[ECA-2930] - SCEP RA mode for blind certificate issuance
[ECA-2936] - Support ECC for database integrity protection
[ECA-2972] - EJBCA support for South Slavic languages - Bosnian QA process
[ECA-2973] - Unified OCSP
[ECA-2974] - Use ServiceLoader for Publishers and Services
[ECA-2988] - Unified OCSP: In main build, merge Standalone and Integrated OCSP into a single SSB
[ECA-2992] - White listing of available CryptoToken PKCS#11 slots
[ECA-3092] - Make it possible to hide the menu in publicweb
[ECA-3095] - HSM slot label. Resolve existent issues from ECA-3071, add support for GUI/CLI/Upgrade
[ECA-3128] - Add support for slot labels to ca init command, database protection and ocsp

Task
[ECA-2296] - Master Issue: Look over authorization in all session beans.
[ECA-2298] - Master issue: Unify all names in EJBCA
[ECA-2317] - Migrate OCSP functionality from CESeCore to EJBCA
[ECA-2350] - Add support to other match values than X500Principal based
[ECA-2445] - Rename all references to "Admin Groups" to "Roles"
[ECA-2462] - Rename RSASignSessionBean to SignSessionBean
[ECA-2464] - Change references from 'User' to EndEntity where appropriate. UserAdminSessionBean should be renamed EndEntityManagementSessionBean
[ECA-2488] - Remove all internal references to UserAdminSession.changeUser
[ECA-2498] - Go through build-dependencies.xml and search for and remove nonexisting files in classpaths and include tags
[ECA-2499] - Improve some @BeforeClass and @AfterClass in tests
[ECA-2521] - Merge changes from ECA-1978
[ECA-2522] - Merge changes from ECA-2094
[ECA-2523] - Merge changes from ECA-2157
[ECA-2524] - Merge changes from ECA-2468
[ECA-2525] - Merge changes from ECA-2504
[ECA-2526] - Merge changes from ECA-2518
[ECA-2531] - Remove org.ejbca.config.ExtendedKeyUsageConfiguration
[ECA-2541] - Replace the contents of EjbRemoteHelper with a clever datastructure
[ECA-2550] - Remove transient from PrePersist, PreUpdate and PostLoad annotation
[ECA-2555] - Merge changes from ECA-2454
[ECA-2556] - Make sure that EjbRemoteHelper is used instead of JndiHelper for retrieving remote interfaces
[ECA-2562] - CMP: More tests for the KeyUpdate request
[ECA-2581] - Eliminate the duplicate constants in SecConst and EndEntityConstants
[ECA-2596] - Merge changes from ECA-2580
[ECA-2597] - Merge changes from ECA-2585
[ECA-2605] - Merge changes from ECA-2575
[ECA-2611] - Merge changes from ECA-1979
[ECA-2619] - CliAuthenticationProviderSessionBean does not follow our naming standard
[ECA-2620] - Upgrade hibernate to latest version
[ECA-2622] - Merge changes from ECA-2583
[ECA-2630] - Reimplement OCSP HealthCheckServlet
[ECA-2631] - Merge changes from ECA-2579
[ECA-2635] - Merge changes from ECA-2627
[ECA-2637] - Merge changes from ECA-2634
[ECA-2640] - Merge changes from ECA-2633
[ECA-2646] - Merge changes from ECA-2584
[ECA-2651] - Merge changes from ECA-2577
[ECA-2688] - AccessRulesConstants.ROLE_SUPERADMINISTRATOR should be declared deprecated and removed internally
[ECA-2702] - EjbcaWebBean code cleanup
[ECA-2707] - Merge changes from ECA-2625
[ECA-2735] - Verify that the functionality of ECA-2069 is ok in trunk
[ECA-2744] - Merge changes from ECA-2624
[ECA-2748] - Merge changes from ECA-2745
[ECA-2751] - Merge changes from ECA-2750
[ECA-2754] - Merge changes from ECA-2753
[ECA-2756] - Merge changes from ECA-2755
[ECA-2767] - Merge changes from ECA-2759
[ECA-2772] - Merge changes from ECA-2769
[ECA-2803] - Merge changes from ECA-2746
[ECA-2831] - Merge changes from ECA-2829
[ECA-2850] - Merge changes from ECA-2802
[ECA-2898] - Merge changes from ECA-2897
[ECA-2900] - Merge changes from ECA-2890
[ECA-2902] - Merge changes from ECA-2899
[ECA-2925] - Upgrade to BouncyCastle 1.49b01
[ECA-2959] - UniqueSernoWSTest fails due to JBoss 7 classloader
[ECA-2979] - Unified OCSP: Move StandAlone OCSP files into main build
[ECA-3023] - Document JBoss 7 hardening
[ECA-3041] - Make sure EJBCA builds and deploy on JBoss 7.2 and EAP 6.1
[ECA-3044] - Use fast Random, instead of slow SecureRandom for GUID generation
[ECA-3048] - Upgrade BouncyCastle to 1.49 final
[ECA-3075] - XKMS KRSS tests not working on JBoss 7 / EAP6
[ECA-3084] - OCSP transaction logging and safer log4j not working
[ECA-3127] - External RA not working on JBoss 7
[ECA-3130] - Update Admin GUI HSM chapter with new Crypto Token GUI
[ECA-3148] - Rename the files under ejbca/doc/sql-scripts/ with the appropriate name (ejbca version)
[ECA-3193] - Sample custom publisher with UID=certificate serialNo in decimal
[ECA-3228] - Make sure that system tests clean up after themselves
[ECA-3229] - Remove unnecessary warnings during build and startup
[ECA-3241] - Eliminate deprecated values from ocsp.properties as far as possible and remove them from all but upgrade code.
[ECA-3291] - Access rules unclear

Technical task
[ECA-3152] - Possibility to Export/Import all CryptoTokens
[ECA-3153] - Possibility to Export/Import all CAs
[ECA-3154] - Possibility to Export/Import all Certificate Profiles
[ECA-3155] - Possibility to Export/Import all End Entity Profiles
[ECA-3156] - Possibility to Export/Import all Publishers
[ECA-3157] - Possibility to Export/Import all Services
[ECA-3158] - Possibility to Export/Import all Roles
[ECA-3159] - Possibility to Export/Import all CMP configuration
[ECA-3192] - Possibility to change Subject DN in dump files from CLI

Issues Resolved in 6.0.1

Released on 19 November 2013

Bug Fixes

[ECA-3302] - Escaping of user-provided data when no characters are forbidden
[ECA-3303] - SECURITY: XSS issue
[ECA-3306] - Leaving out "Validity" with Javascript disabled gives an exception
[ECA-3307] - Renamed CAs not be overwritten by statedump
[ECA-3308] - OCSP HealthCheck does not work with InternalKeyBindings
[ECA-3310] - Wrong items are selected in uninitialized CAs

Improvement
[ECA-3295] - Allow editing most fields in uninitialized CAs
[ECA-3301] - Unify error messages for invalid username and pwd
[ECA-3312] - Can't create CAs with DSA extended services key
[ECA-3313] - Problems with extended services and uninitialized (statedumped) CAs
[ECA-3317] - Allow import even if not all files exist

Master Ticket
[ECA-3296] - Improve Statedump usability and fix bugs

New Feature
[ECA-3311] - Ability to choose names to not overwrite during statedump import

Task
[ECA-3305] - Modularize database integrity protection and database cli

Issues Resolved in 6.0.2

Released on 29 November 2013

Bug Fixes

[ECA-2449] - Creating a CA without a valid SubjectDN causes double JS popups.
[ECA-3321] - Improve CMP configuration user interface
[ECA-3324] - Quote arguments of ca init during install
[ECA-3327] - SaferDailyRollingFileAppender extends wrong base class
[ECA-3328] - OCSP Signing cache should handle cache discrepancies gracefully
[ECA-3331] - EJBCA does not deploy without ejbca-db-cli sources available
[ECA-3334] - Change untilNextUpdate and maxAge properties in OcspKeyBinding from Integer to Long

Improvement
[ECA-3132] - Support returning "revoked" for unknown certificates in line with RFC6960
[ECA-3309] - Some versions of MySQL picks bad index mixing OR and AND
[ECA-3318] - CMP: Include certificate chain in certificate responses
[ECA-3323] - Reload OCSP cache manually
[ECA-3325] - Minimize locking in audit log's sequence counter

Issues Resolved in 6.0.3

Released on 30 December 2013

Bug Fixes

[ECA-3293] - Customer specific LDAP Publisher should use correct time in loginfo attribute
[ECA-3297] - Other Rules for Supervisor role is not cleared if previously selected for another role type
[ECA-3339] - Statedump doesn't delete certain .jar files on "ant clean"
[ECA-3341] - Creating internal key binding with CLI does not consider types for property values
[ECA-3344] - Regression: PKCS11 sun config does not work
[ECA-3345] - Regression: Max-Age and Response validity no longer visible/editable for ocsp key bindings
[ECA-3346] - CMP Config CLI command should use lazy instatiation of remote EJB
[ECA-3349] - EJBCA deployment not working in WINx64 due to PKCS11
[ECA-3360] - Ejbca deployment tries to use jboss-cli.sh instead of jboss-cli.bat on windows
[ECA-3367] - Editing Key binding integer/long value sin GUI removes the value (becomes default 0)

Improvement
[ECA-3289] - Do not cache "Unknown" OCSP GET responses
[ECA-3347] - Modify EJB CLI to use ServiceLocator
[ECA-3352] - Faster CLI start, use lazy instantiation in EJB CLI
[ECA-3359] - Move authentication tokens from cesecore-interface to cesecore-common

New Feature
[ECA-3314] - OCSP Archive Cutoff
[ECA-3332] - Add Extended Revoked Definition OCSP extension when returning revoked for non existing certificate
[ECA-3335] - Create a standalone manifest builder tool

Task
[ECA-3316] - Modularize EAC
[ECA-3338] - Modularize CMP vendor CA mode
[ECA-3340] - Modularize ValidationTool
[ECA-3342] - Make JUnit tests run for EJBCA Community

Issues Resolved in 6.0.4

Released on 20 February 2014

Bug Fixes

[ECA-3055] - Not authorized to edit publisher when publisher cache disabled
[ECA-3198] - Regression: ECA-2973 introduced a dependency on EJBCA in CESeCore test code
[ECA-3210] - CA upgrade when ExtRACAServiceWorker fails to persist
[ECA-3337] - KeyBind EJB CLI fingerprint reference is case sensitive
[ECA-3361] - Cannot deploy with web-services disabled
[ECA-3364] - ExternalRA: Allow SCEP GetCACaps without message parameter
[ECA-3366] - Syntax in jboss-cli.bat for passing commands fails in Win
[ECA-3372] - OCSP Archive Cutoff can give NPE
[ECA-3373] - init() method is not called on OCSP extensions
[ECA-3375] - CLI ca restorekeystore gives exception for soft ca
[ECA-3382] - Test files have lost character encoding, change source file encoding to UTF-8
[ECA-3383] - CertTools.genPKCS10CertificationRequest does not use the specified provider
[ECA-3386] - httpserver.external.privhttps default to 8443 even though httpserver.privhttps is set to something else
[ECA-3387] - Can not edit Sub CA signed by external CA
[ECA-3388] - editcapage.jsp contains a slightly confusing help text
[ECA-3389] - OCSP key binding properties visible for authentication key binding
[ECA-3392] - InternalKeyBindingDataSessionBean.getInternalKeyBindingForEdit(int) throws NPE if no value was found.
[ECA-3395] - Proper handling of certificate import/update when base64cert is not populated
[ECA-3396] - InternalKeyBinding error using Postgres 9
[ECA-3397] - Subject key ID not published by VA publisher
[ECA-3398] - java.lang.IllegalArgumentException thrown when importing OCSP key binding certificate
[ECA-3399] - Incorrect error message when editing uninitialised CAs if private keys are missing
[ECA-3401] - Can not generate keys on soft crypto token with allowExport=false
[ECA-3403] - Admin GUI create CRL fails with UTF-8 encoded CA DN
[ECA-3405] - StateDump test fails because of refactorization
[ECA-3406] - Trying to delete a non-existing keybinding causes NPE
[ECA-3408] - StateDump import overwrites CAs with the same name without asking
[ECA-3410] - StateDumpTest needs Hibernate compatibility jar
[ECA-3421] - Upgrade jar file
[ECA-3423] - Fix statedump overwrite response handling and test

Improvement
[ECA-2828] - Document authorization rules in EJBCA
[ECA-2982] - Add option to 'bin/ejbca.sh ca republish' command to republish only CA certificate and CRL
[ECA-3081] - Improved error message during batch generate when using invalid key size
[ECA-3082] - Improve message about configuration during batch generate
[ECA-3150] - Remove scripts used on ejbca.org from bundled documentation.
[ECA-3169] - Improve wording of some options of "Externally signed CA"
[ECA-3290] - Cache headers still present for OCSP responses containing nonce
[ECA-3365] - Audit log Internal Key Binding operations
[ECA-3370] - Allow import of OCSP certificates with non-repudiation key usage
[ECA-3371] - Make JBoss EAP 6 specific physical file deployment of BC provider
[ECA-3374] - Add JUnit test for OCSPUnidExtension
[ECA-3384] - Add a password argument to CaImportCACommand
[ECA-3385] - Movie audit implementation classes to cesecore-ejb-interface
[ECA-3404] - StateDump test should run from test:runsys when availabe
[ECA-3407] - Optimize JBoss reload during deploy
[ECA-3409] - Sort XML in statedump exports in a deterministic order
[ECA-3424] - Regression: All cli commands prints out loading batch properties from default

Master Ticket
[ECA-3355] - Implement Certificate Transparency

Task
[ECA-3368] - Deploy on JBoss EAP 6.2.0 has disabled datasource by default
[ECA-3380] - Move keybinding implementation classes from cesecore-ejb-interface to cesecore-common
[ECA-3400] - Shift OcspExtension* to cesecore-common from cesecore-ejb-interface

Sub-task
[ECA-3377] - Create unit tests for all CLI Commands