EJBCA 6.1 Release Notes

The PrimeKey EJBCA team is pleased to announce the feature release EJBCA 6.1.

The following covers information on new features and improvements in the 6.1.x releases:

Read the EJBCA 6.1 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 6.1.0


This is a major release with new features, bug fixes and improvements.

The biggest news in this release are support for EAC 2.10 access control templates, more OCSP improvements as well as improvements for Key Recovery.

Noteworthy changes

  • OCSP improvements and new features related to RFC 6960, minimizing size of OCSP responses (see note below).

  • Implemented OCSP signing algorithm including client requested algorithms.

  • CVC certificate profiles (ePassport PKI) now supports EAC 2.10 access control templates.

  • Improvements to Key Recovery enabling encryption key rollover and providing more information about encryption keys.

  • Windows build/install is now working.

  • ManagementCA created during a default install now uses SHA256WithRSA.

  • EJBCA now compiles (deployment/running not supported however) on WildFly 8 and Glassfish 4, also using Java 8.

  • EJBCA can now use certificate serial number longer than 64 bits.

  • Minor improvements and fixes to make life easier for everyone.

images/s/-2y7bau/8703/189cb2l/_/images/icons/emoticons/warning.svg OCSP responses no longer includes the Root CA Certificate, unless the Root CA is the OCSP signer, and it is configured to include the signer certificate. Having OCSP responses as small as possible is an important performance feature, and since the
client must have the root certificate as trusted there is no need to include the root certificate in the chain.

images/s/-2y7bau/8703/189cb2l/_/images/icons/emoticons/warning.svg In EJBCA 6.1.0 the Public Web interface logo filename was changed. If you have customized your own logo, you need to rename the logo filename from 'logotype.png' or 'ejbca_pki_by_primekey_logo.png' to 'banner_ejbca-public.png'.

Known issues

  • One test failure on DB2: ECA-3298

  • OCSP request signer verification does an additional database lookup: ECA-3299

  • Poorly created primary keys for the AdminEntityData table causes issues in some cases: ECA-3469

EJBCA 6.1.1


This is a maintenance release with a few bug fixes. EJBCA 6.1.0 was never distributed publicly, see EJBCA 6.1.0.

  • Fixed some regressions that prevented 6.1.0 from functioning optimally.

EJBCA 6.1.2


This is a maintenance release with one bug fix:

  • Fixed an issue where browser enrollment link was generated with incorrect encoding

For more information, see EJBCA 6.1.0.

EJBCA 6.1.3


This is a maintenance release with only minor bug fixes. In all 4 issues have been fixed.

Noteworthy changes

  • Fixed a small typo and some localizations in a few GUI messages.

  • Backport some fixes to the statedump command (Enterprise only).

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 6.1.0-6.1.3, refer to our JIRA Issue Tracker.

Issues Resolved in 6.1.0

Released on 24 March 2014

Bug Fixes

[ECA-3179] - Regression: NoTicket (r17302) introduced a dependency on EJBCA in a CESeCore test class
[ECA-3182] - Regression: ECA-2988 introduced a dependency on EJBCA in a CESeCore test class
[ECA-3427] - Syntax for jboss-cli.bat through ant targets fails in Win
[ECA-3432] - CertificateCreateException: java.lang.NumberFormatException: For input string: "LU002" when trying to create a foreign DVCA
[ECA-3433] - OcspResponseGeneratorSessionBean.init should not throw AuthDeniedException
[ECA-3435] - JUnit failure in PublisherTest when DB protection enabled, add subjectKeyId to CertificateInfo
[ECA-3439] - Creating a CA with DN: <anyfield>=, creates a StringIndexOutOfBoundsException
[ECA-3447] - Regression: serial numbers in administrator list are not clickable
[ECA-3452] - Make sure that decline+recursive rules aren't saved from the GUI
[ECA-3455] - Files missing from cesecore-common.jar
[ECA-3457] - Unnecessary WARN message
[ECA-3458] - Ant paths don't work Windows via jboss-cli
[ECA-3460] - State dump tool does not import any data with "-overwrite no"
[ECA-3467] - Mail from address is not configured
[ECA-3470] - SCEP operations may fail when using an HSM

Improvements
[ECA-3348] - Add individual OCSP get cache settings for revoked, unknown and good responses
[ECA-3351] - OCSP: don't include root certificate in response certificate chain
[ECA-3411] - Use SHA256WithRSA as default for ManagementCA
[ECA-3429] - Compile on Glassfish 4
[ECA-3430] - Compile on WildFly 8
[ECA-3434] - Upgrade Guava library in order to deploy in JEE7 container
[ECA-3440] - Support running clientToolBox EjbcWsRaCli with IBM java
[ECA-3443] - Allow empty values for start and end time without printing 'invalid' when adding end entity
[ECA-3445] - Document how to use slotLabels with clientToolBox
[ECA-3461] - Add encryption key information to key recovery data in database
[ECA-3472] - Improve usability of edit CA page by marking required fields

New Features
[ECA-3133] - Support RFC6960 extension for client requested algorithm selection
[ECA-3350] - OCSP: Add option to include signer certificate or not
[ECA-3415] - CVC access control template for additional DGs
[ECA-3444] - Allow longer certificate serial numbers than 64 bits
[ECA-3449] - Show issuer and seralNumber after public web enroll

Task
[ECA-3450] - Update the Public Web logo filename for better integration

Issues Resolved in 6.1.1

Released on 27 March 2014

Bug Fixes

[ECA-3479] - Regression: OCSPSigningCache debug causes an NPE for internal OCSP default responders
[ECA-3480] - Regression: Creating a CA in Adminweb issues Stacktrace
[ECA-3485] - Regression: Certificate Profiles with EAC 2.10 AT role doesn't work with database protection
[ECA-3487] - Regression: Unique certificatedata_idx12 is not detected

Issues Resolved in 6.1.2

Released on 9 April 2014

Bug Fixes

[ECA-3514] - Browser enrollment link is generated with incorrect encoding

Issues Resolved in 6.1.3

Released on 28 April 2014

Bug Fixes

[ECA-3520] - CAs from statedump signed by external CA cannot be initialized
[ECA-3523] - Backport Statedump bug fixes to 6.1
[ECA-3526] - GUI: Missing l10n message keys in CMP Alias Edit page
[ECA-3527] - GUI: Misspelled DN attribute in CMP Alias Edit page