EJBCA Change Log Summary

The following lists change logs for all EJBCA versions released, sorted by date and listed per release in the table of contents below.

For more information on a specific release, see the respective EJBCA Release Notes for details on issues resolved in the release.

EJBCA 7.9.1

Released June 2022

    New Features

    ECA-10693 - Periodically update public keys on Azure OAuth Alias


    ECA-10561 - ACME EAB with multiple keys

    ECA-10519 - Add proper Git readme and license files in root directory

    ECA-10746 - Improve ACME DNS challenge error handling and logging

    ECA-10562 - Add support for EE email in REST /v1/certificate/pkcs10enroll POST

    Bug Fixes

    ECA-10519 - MSAE alias "Test connection" clears user input

    ECA-10545 - RA Web Make New Request does not correctly parse CSR

    ECA-10692 - Intune revocation poller fails if CA uses ldap order

    ECA-10734 - ADConnectionSingletonBean - could not obtain lock within 5000MILLISECONDS

    ECA-10745 - MSAE "RelatesTo" Id can ger overwritten during parallel requests

    ECA-10758 - Sun PKCS11 not working on RedHat OpenJDK 11.0.15

    ECA-10763 - Name constraints throwing NPE after 7.6.0

    EJBCA 7.9

    Included in this release are also the changes made in EJBCA 7.8.2, which was only released internally.

    Released April 2022

      New Features

      ECA-7321 - RA Web should accept CSR in DER format

      ECA-9834 - ACME configuration alias max. length of 250 characters

      ECA-10261 - Add support for RFU bits in cert-cvc

      ECA-10263 - Add support for RFU bits in EJBCA

      ECA-10467 - Define new CA type for ITS CA's

      ECA-10468 - ITS CA Type in the UI

      ECA-10470 - REST Resource for ITS Certificate Request

      ECA-10529 - ITS end entity request and response creation and verification

      ECA-10554 - Allow CMPv2 enrollment in RA mode using vendor certificate

      ECA-10592 - Authorization validation for ETSI certificates and integration to REST

      ECA-10593 - End Entity management over REST for C-ITS ETSI

      ECA-10612 - Import CITS CA and other UI changes for CITS

      ECA-10613 - Subject attributes validation during registration, EC enroll and authorization validation

      ECA-10614 - Download or rest endpoint for CITS certificates

      ECA-10625 - Future Dated CRLs from the CLI.

      ECA-10627 - Allow WS requests using Request Processors send through editUser as well


      ECA-7381 - Sunset Public Web

      ECA-7588 - Remove CADataHandler

      ECA-7765 - Allow public user to finalize enrollment in RA Web

      ECA-8476 - Only show logout button in CA web when "Session timeout" is enabled

      ECA-9256 - Allow an OCSP Responder to sign for other CAs

      ECA-9566 - The Option "Send notification" is Not Available in RA Web

      ECA-9799 - Search for Certificates at RA Web doesn't reflect Expired status in the main table list

      ECA-10296 - Update EJBCA libs for Swagger to work on Wildfly > 22.0.0

      ECA-10345 - Put PIN last in the GUI when creating crypto token

      ECA-10413 - Allow EEP Subject DN values to be enforced

      ECA-10414 - Add E-mail checkbox "Use email from address field" to RA-web

      ECA-10416 - Increase CSR Size Limit

      ECA-10418 - Name constraint support for make new request in RA web

      ECA-10421 - Add checkbox to RA Web when creating end entity to activate key recovery

      ECA-10452 - Trim external log lib

      ECA-10454 - Improve dn merge procedure for end entities

      ECA-10456 - Add end entity with clear text password in the RA web

      ECA-10459 - Code cleanup: modules/oldlogexport

      ECA-10460 - Code cleanup: modules/externalra-gui

      ECA-10469 - Define MVP TBSCertificate fields for ITS CA's

      ECA-10473 - Complete the rest endpoint implementation for CITS

      ECA-10474 - Increase length of ACME EAB with symmetric keys generated key.

      ECA-10476 - Introduce ITS Certificate Profile

      ECA-10488 - Upgrade ITS epic branch with BC 1.7.1 b03

      ECA-10489 - Create enrollment endpoint for the ITS REST API

      ECA-10494 - Not able to reconnect to P11NG Crypto Token after HSM network disconnect

      ECA-10501 - Remove support for CMP over TCP

      ECA-10504 - Get rid of appender code in UpgradeBean to Log4J2

      ECA-10512 - Upgrade EJBCA Intune Integration to Use Microsoft Graph API

      ECA-10530 - Update standalone scripts with log4j compatability flag

      ECA-10538 - SHAxWithRSAAndMGF1 / SHAxWithRSASSA-PSS not working with Azure Key Vault or AWS KMS Crypto tokens

      ECA-10539 - Update slf4j

      ECA-10543 - Update PublicAccessToken to not require delete end entities access rule

      ECA-10548 - Add CrmfRequestTest into Jenkins

      ECA-10555 - OEREncoding for InnerECRequest/Response

      ECA-10558 - REST endpoint for ITS-S Registration

      ECA-10576 - System test for ITS REST endpoint

      ECA-10584 - Update ejbca.cmd with log4j changes

      ECA-10585 - Deprecate and remove legacy batch enrollment GUI

      ECA-10610 - Hardening

      ECA-10615 - Upgrade BC to 1.71, pull in main branch changes

      ECA-10619 - Upgrade commons-cli to 1.5

      ECA-10628 - Allow the encryptpwd CLI command to run without appserver active

      ECA-10633 - Upgrade jack11nji

      ECA-10642 - Refactor ITS enrollment operation to be performed by CA implementation

      ECA-10647 - Improve EJBCA's behavior when looking up invalid DNS records for CAA

      Bug Fixes

      ECA-9950 - Batchenrollment gives BCFKS error

      ECA-10219 - New role members cannot manage existing approval requests

      ECA-10228 - Invalid ocsp certificate prevents wildfly startup

      ECA-10279 - CVC is not working in RA web

      ECA-10388 - Peer connections using RSA Authentication Key binding with P11NG, Azure and AWS crypto tokens stopped working after JDK update

      ECA-10424 - Logging Location of API Requests

      ECA-10426 - Configurable DN order in LDAP Publisher

      ECA-10436 - Regression: Error editing Key Vault crypto Token

      ECA-10437 - CA Functions CRL download link fails to download CRL when CA SubjectDN contains ampersand

      ECA-10457 - REST configdump export can fail even if ignore errors is enabled

      ECA-10463 - ConfigDump Export/Import EEPs with multiple DNs/SANs

      ECA-10471 - Regression - ejbca-db-cli not working after upgrading to

      ECA-10484 - Regression: P11NG and CloudHSM using Healthcheck sometimes causes HSM to go offline with CKR_OPERATION_ACTIVE

      ECA-10485 - CMP Certificate Confirmation - Default CA

      ECA-10490 - Cannot re-activating suspended cert with "Safe Direct Publishing"

      ECA-10491 - X.509 CA sequence is compared with keysequence from cert request in a wrong way

      ECA-10497 - Regression: OCSP signing cache is always reloaded for requests with unknown CAs

      ECA-10507 - Regression: P11NG signing misses NULL parameter in PKCS#1 algorithms parameters for RSA SHA algorthms

      ECA-10532 - Fix ACME issuance of certificates with non-validated domains

      ECA-10533 - EJBCA RA - Navigation dead-ends

      ECA-10534 - Enrollment fails with GetCACert enabled in SCEP CA mode

      ECA-10535 - AWSS3Publisher causes OCSP Peer Publishing to fail

      ECA-10549 - Disable "Use queue ..." options when "Safe Direct Publishing" enabled

      ECA-10550 - Regression: Potential NPE causes test failures when Trace logging is enabled

      ECA-10557 - Jenkins CMP test failure

      ECA-10569 - Create tests for cmp update command in cli

      ECA-10571 - Make "Unspecified" revocation reason in OCSP responses configurable

      ECA-10572 - URI Name Constraints should not allow/require protocol to be specified.

      ECA-10577 - Key algorithm of uploaded CSR field shows wrong value

      ECA-10579 - Clean up access rules requirements for using a CSR on the Make New Request page

      ECA-10583 - Name constraint error produces stacktrace and unintuitive error message in RA UI

      ECA-10591 - Startup database error due to deprecated property UserData.hardTokenIssuerId

      ECA-10601 - Failures in PostgreSQL running create-index sql script, comment out drop index statements

      ECA-10603 - ejbca-db-cli Broken

      ECA-10620 - Request and EE CA mismatch still cause EE status change

      ECA-10621 - Minor security issue

      ECA-10622 - Changing an EE status over RA web leads to unwanted disabling of Batch generation (clear text pwd storage) checkbox

      ECA-10626 - Support 'Any' cryptoProivder in MSAE templates

      ECA-10634 - Fix IOException in db-cli

      ECA-10635 - Update AzureBlobPublisher to use new Azure auth

      ECA-10637 - Azure Key Vault only lists the first 25 key aliases

      ECA-10638 - EJBCA restricts OCSP nonce to 30 octets instead of 32 as stated in RFC8954

      ECA-10644 - The publisher queue inspection window should display the time with a 24-hour clock

      ECA-10662 - Intune Resource URL not honored in new SCEP code


      EJBCA was an internal release, not generally available for customers.

      EJBCA 7.8.2

      EJBCA 7.8.2 was an internal release, not generally available for customers.

      Released February 2022


        ECA-10479 - Library upgrade

        ECA-10494 - Not able to reconnect to P11NG Crypto Token after HSM network disconnect

        ECA-10501 - Remove support for CMP over TCP

        ECA-10504 - Get rid of appender code in UpgradeBean to Log4J2

        ECA-10509 - Remove SaferDaily, SigningDaily and ScriptrunningDailyRollingFileAppender

        ECA-10510 - Upgrade Appender in TestLogAppenderResource to Log4J2

        ECA-10530 - Update standalone scripts with log4j compatability flag

        ECA-10531 - Resolve test failures after log4j upgrade

        Bug Fixes

        ECA-10484 - Regression: P11NG and CloudHSM using Healthcheck sometimes causes HSM to go offline with CKR_OPERATION_ACTIVE

        ECA-10507 - Regression: P11NG signing misses NULL parameter in PKCS#1 algorithms parameters for RSA SHA algorthms

        ECA-10532 - Fix ACME issuance of certificates with non-validated domains

        EJBCA 7.8.1

        Released December 2021

          New Features

          ECA-9561 - ACME IP Identifier Validation http-01 Challenge

          ECA-9760 - REST searchCertificates call with pagination

          ECA-10108 - Merge additional support for the NONEwithRSAandMGF1 (raw RSASSA-PSS) signature algorithm in P11NG

          ECA-10184 - KeyVault Machine Identity Authentication

          ECA-10334 - HTTP Basic Authentication in EST client mode

          ECA-10344 - REST API support for configdump export

          ECA-10347 - REST API support for configdump import

          ECA-10349 - Add configdump support to Azure BLOB publisher

          ECA-10356 - Add Primus HSM PKCS#11 library path

          ECA-10380 - Domain Allow List Validator

          ECA-10395 - Add support for URI Name Constraints


          ECA-5472 - Foldable view when there are many optional fields in the RA

          ECA-8562 - Improve tests coverage of Configdump's import of Certificate Profiles

          ECA-8745 - Increase the number of SANs configurable in end entity profiles (to >100)

          ECA-9681 - Fix AcmeOrderData end entity stored including binary data as map

          ECA-9763 - Change the message for CA Activation with approvals

          ECA-10092 - Add cert auth to Azure Trusted OAuth Provider

          ECA-10266 - Upgrade Nimbus JOSE+JWT to nimbus-jose-jwt-9.12.1.jar

          ECA-10284 - Check if all invocations of AcmeAccountSessionBean.updateAccount are required

          ECA-10293 - Bad signature performance using P11-NG with network HSMs

          ECA-10302 - Revoking certificates from adminweb with reason 'Privileges withdrawn'

          ECA-10318 - Add roles claim to Azure OAuth for Authentication

          ECA-10322 - Create tables SQL script for NDB cluster has flaws

          ECA-10324 - Combine ACME and general EAB

          ECA-10327 - Reduce CRL and OCSP Validities by 1 second

          ECA-10330 - Change default settings SCT in EJBCA 7.x

          ECA-10333 - REST Search - Return eep and cp values

          ECA-10339 - Viewing CRL's for CA with MS Compat Enabled

          ECA-10345 - Put PIN last in the GUI when creating crypto token

          ECA-10352 - MS CA compat with Sub CA in EJBCA and External Root

          ECA-10353 - Allow name constraints to block all DNS Names

          ECA-10354 - Fix ACME pre-authorization returns order object without authorization

          ECA-10355 - Update EJBCA to work with Wildfly 25

          ECA-10358 - ACME performance - refactor AcmeOrderSessionBean.processPendingOrders

          ECA-10360 - Add aliases cache for P11-NG crypto tokens

          ECA-10361 - PKCS#10 REST endpoint using end entity information (not CSR)

          ECA-10367 - Optimize PKCS#11 sign to avoid redundant PKCS#11 calls

          ECA-10377 - EE REST API support search by modified date

          ECA-10382 - Allow to configure ignored CAA properties when their processing is done outside EJBCA

          ECA-10384 - Differentiate rows in CA Structures & CRLs

          ECA-10398 - Align buttons in Certificate Profile and Publishers sections

          ECA-10400 - X509CACrlUnitTest test fix

          ECA-10406 - Merge smaller P11-NG changes from SignServer

          ECA-10428 - Remove extra dot from cert

          ECA-10430 - Upgrade BC to 1.70

          Bug Fixes

          ECA-6166 - CA key export does not warn if no RSA keys are present for encryption.

          ECA-7235 - Settings are reset when Match with setting is changed

          ECA-8227 - It is possible to revoke an already revoked end entity

          ECA-9203 - Exception occurrs even if 'Gender' value is given

          ECA-10126 - Error when syncing to VA via peer connector

          ECA-10157 - Security Issue

          ECA-10172 - EST Vendor Mode ChangeSubjectName should not compare with the CSR DN

          ECA-10224 - CREATE CA: NullPointerException

          ECA-10229 - CMP Authentication Radio Buttons are not disabled in view page

          ECA-10237 - Trusted OAuth Providers are removed without any warning or confirmation

          ECA-10254 - SCEP alias for Intune not allowing certain characters for client secret.

          ECA-10264 - Configdump import failed if the /cryptotoken/keys/remove/ rule is set

          ECA-10295 - Configdump does not import Approval Profiles

          ECA-10301 - Revoking certificates from adminweb with reason 'AA compromise'

          ECA-10303 - Throwaway CA Revocation Broken in 7.6.0

          ECA-10311 - View CMP Alias page says: Edit CMP Alias

          ECA-10319 - Broken RA End Entity edit page

          ECA-10320 - OCSP not working when CA uses Ed25519

          ECA-10323 - Enrollment code can not be empty when setting EE status from Generated to New with autogenerated enrollment codes

          ECA-10343 - NumberFormatException when creating a crypto token using token label when cryptotoken.p11.lib.X.slotlist is used

          ECA-10357 - Ignore keys which cannot be read by the P11NgCryptoToken

          ECA-10363 - Make audience check optional

          ECA-10365 - Fix links in ACME HTTP response headers

          ECA-10383 - In RAWeb custom values "Set validity" doesn't work

          ECA-10390 - "Republish" publisher queue view action uses wrong PublishQueueProcessWorker

          ECA-10391 - 'Required' restriction on name constraints in end entity profiles are not validated.

          ECA-10394 - Clean up of cesecore-p11 is not optional

          ECA-10399 - ExpiredCertsOnCRL encodes with fractional seconds

          ECA-10404 - Make EEP upgrade for 7.8.1 cluster compatible

          ECA-10407 - Audience cannot be empty when "disable audience check" is selected

          ECA-10410 - Reintroduce ECA-9475

          ECA-10422 - Fix failing tests

          EJBCA 7.8


          Released November 2021

          Bug Fixes

          ECA-10254 - SCEP alias for Intune not allowing certain characters for client secret.


          EJBCA was an internal EJBCA SaaS specific release


          Included in the EJBCA release are also changes made in EJBCA 7.8.0, which was an internal release, not generally available for customers.

          Released October 2021


            ECA-10327 - Reduce CRL and OCSP Validities by 1 second

            Bug Fixes

            ECA-10303 - Throwaway CA Revocation Broken in 7.6.0

            EJBCA 7.8.0

            EJBCA 7.8.0 was an internal release, not generally available for customers.

            Released September 2021


              ECA-8561 - Add a validation check for Configdump Handlers

              ECA-9685 - Improve German translation for AdminWeb and RA

              ECA-9752 - Access control too restrictive when searching for end entities using EjbcaWS.findUser

              ECA-10069 - Enroll menu in the RA web is not shown until the rule create_end_entity is set to Allowed

              ECA-10120 - Deploying EJBCA with oracle 19c DB

              ECA-10183 - CABF Compliance: EJBCA follows redirect to other ports than BR 1.7.6 Authorized Ports when validating ACME http-01 challenge

              ECA-10205 - Would like to be able to specify key sizes and curves in clientToolBox stresstest

              ECA-10208 - Fix message typo: modifyable = modifiable

              ECA-10235 - Documentation: Not possible to use custom DN attributes with number 200, as recommended in sample file

              ECA-10247 - Ant target for ACME system tests is broken

              ECA-10248 - Security issue

              ECA-10249 - Extend CLI recover command with delta functionality

              ECA-10309 - Implement transaction-aware direct publishing

              Bug Fixes

              ECA-9235 - Validity of CVC certificate view in RA web should display only full days

              ECA-9551 - Permission Loss on EEP Import

              ECA-9850 - Configdump exports "CAs to check" for Services, even when it is not applicable

              ECA-9991 - Regex validation breaks Certificate Profile field update

              ECA-10068 - Possible to view end entities in RA web though the role is set to Deny

              ECA-10071 - Enrollment code can not be empty when setting status to generated in RA Web

              ECA-10142 - Regression: Notification Subject field in End Entity Profile currently max 40 characters.

              ECA-10147 - CA activation should not require /ca_functionality/edit_ca access

              ECA-10182 - OAuth is not working with Ping ID

              ECA-10185 - REST endentity add user with PEM token fails

              ECA-10190 - EST Client mode does not properly parse DN for UID attribute

              ECA-10191 - Cannot edit end entity after enabling revocation upon issuance

              ECA-10192 - Issuance revocation reason not set by the RA web

              ECA-10193 - Pre-Sign Linting is Not Possible for a CA with P-384

              ECA-10199 - Enrollment with PublicWeb does not consider the key specification selected by the user

              ECA-10200 - Clicking on Audit Log Details column scrolls to the top left of the page

              ECA-10201 - The text in the "Profile Description" field of the End Entity profile is not holding after saving the End Entity profile.

              ECA-10204 - Proper formatting for worker.properties when creating OCSP Presigner service using ejbca.sh cli

              ECA-10210 - OCSP Transaction / Audit log upgrade doesn't work

              ECA-10212 - Multiple COUNTRYOFCITIZENSHIP / COUNTRYOFRESIDENCE are silently discarded

              ECA-10215 - Database interruption during publishing can cause certificates to be lost

              ECA-10218 - Custom extension of type BITSTRING is encoded with double bytes when empty octet is removed

              ECA-10220 - Regression: ManagementCA fails to renew due to OID error, after editing CA

              ECA-10233 - Why does ant runinstall set the clear password

              ECA-10240 - Complete description texts for fields in the AcmeConfiguration

              ECA-10241 - Autoenrollment menu link not visible in add/search end entity pages

              ECA-10244 - RA Web Search for Certificate by full serial name does not work with Serial Number Octet Size less than 8

              ECA-10246 - Fix ACME Name Generation Scheme Re-enrollement + Tests

              ECA-10277 - Security Issue

              ECA-10289 - Upgrade problem EJBCA 7.4.3 to 7.7.0

              ECA-10290 - fix ConfigdumpOAuthKeyInfoUnitTest

              ECA-10305 - Implement EJBCA CLI command for getting relevant truststore

              ECA-10315 - Error when attempting to set name constraints via EJBCA WS

              EJBCA 7.7.0

              Released July 2021

                New Features

                ECA-3085 - Option to start audit log verification from a specified sequence number

                ECA-10074 - Azure CRL Publisher

                ECA-10180 - ACME Name Generation Scheme


                ECA-9797 - Documentation is missing for "extension_data" field in REST calls

                ECA-9863 - SCEP: add option to include CA chain in the GetCACert call (update for RFC8894)

                ECA-10050 - GUI option for Microsoft conformant CA creation

                ECA-10051 - OCSP Responder support for multiple signer keys

                ECA-10080 - Make ms conformant setting irreversible in other end points

                ECA-10081 - Improve DynamicUiProperty field validation user mesages

                ECA-10084 - UI: Hide "Partition CRL Settings" when "MS Key Updates" is enabled.

                ECA-10085 - CA signKey must correspond to partition.

                ECA-10086 - Suspend previous CRL partition with CA key re-keying.

                ECA-10087 - Enforce Partition CRLs with MS CA Key Updates

                ECA-10091 - Add approvals for ACME account management

                ECA-10140 - Enforce CRL Distribution Point in Edit CA page if MS CA Compatibilty mode is selected

                ECA-10152 - Enforce Use of Authority Key ID

                ECA-10153 - Generating Default CRL Dist. Point should use partition suffix

                Bug Fixes

                ECA-9805 - Enrollment code not shown in RA web when using key recovery

                ECA-10138 - Single Active Certificate Constraint sets revocation date to 1970

                ECA-10166 - IntuneRevocationWorker is missing setting for AUTH_AUTHORITY in 7.7

                ECA-10167 - CA certificate CDP not updated on MS CA re-keying

                ECA-10174 - SCEP Issuance has incorrect log message

                ECA-10194 - Azure CRL Publisher Not Publishing CRLs via peer

                ECA-10197 - CRL Publisher label wrong

                ECA-10198 - Azure CRL Publisher fails unless password entered

                EJBCA 7.6.0

                Included in the EJBCA 7.6.0 release are also changes made in EJBCA 7.5.1, which was only released internally.

                Released June 2021

                  New Features

                  ECA-8220 - CMP: possibility to configure Issuing CA certificate included or not in the caPubs field

                  ECA-9476 - Make it possible to restore end entity and certificate data from the WildFly log file

                  ECA-10043 - Update Intune dependencies

                  ECA-10078 - Add validation and display useful error messages

                  ECA-10090 - Validation of uploaded EAB config

                  ECA-10114 - Update documentation with RA web changes

                  ECA-10123 - Secret Input For Custom Worker UI


                  ECA-7640 - End entity editor in the RA Web

                  ECA-8473 - Support other authentication than password for Azure Key Vault Crypto Token

                  ECA-9276 - Support client certificate authentication for Azure Intune for SCEP enrollment

                  ECA-9553 - ACME EAB Documentation

                  ECA-9685 - Improve German translation for AdminWeb and RA

                  ECA-9832 - Security hardening

                  ECA-9836 - Add option to SCEP Alias to disable SHA-1 digest algorithm in responses

                  ECA-9936 - Add handling of unsupported role member types

                  ECA-9942 - Compile statedump-ejb without access to appserver

                  ECA-9996 - Migrate the OCSP transaction log and the OCSP audit log to the GUI

                  ECA-10001 - Give ACME aliases with EAB the option to generate the symmetric key

                  ECA-10021 - Add EAB support to REST for /v1/certificate/pkcs10enroll

                  ECA-10028 - Update REST Search functionality with the EAB ID

                  ECA-10029 - Add the EAB ID field to the RA Enroll page

                  ECA-10034 - Decide in a format that has namespace support

                  ECA-10061 - Security hardening

                  ECA-10064 - Language improvement and typo updates

                  ECA-10065 - Support Azure MHSM as a Key Vault crypto token

                  ECA-10079 - Help text on EAB upload page

                  ECA-10098 - Preview of uploaded EAB namespaces under System Configuration

                  ECA-10101 - Security hardening

                  ECA-10102 - Multi-select for EAB Namespaces in Certificate Profile

                  ECA-10165 - IntuneRevocationWorker is missing setting for AUTH_AUTHORITY

                  Bug Fixes

                  ECA-7972 - CN is not copied to dNSName when "Use entity CN field" is enabled in the end entity profile

                  ECA-9330 - Security Issue

                  ECA-9558 - Multiple choices of the same curves in certificate profile - unable to enroll ECDSA prime256v1 certificate via RA Web

                  ECA-9660 - Cannot enroll over ACME using an EC keypair

                  ECA-9975 - Pre-produced OCSP responses are only published to the first VA

                  ECA-9985 - DeltaCRL creation time

                  ECA-9999 - Incorrect response to ACME challenge URL when using POST-as-GET

                  ECA-10020 - Regression: CSR Upload in the RA Web causes spontaneous redirect to blank page

                  ECA-10022 - Fix ACME pre-authorization NPE and empty list of authorizations

                  ECA-10044 - Fix ACME EAB shared key encryption from RA

                  ECA-10048 - Security issue

                  ECA-10073 - Saving CA resets Subject Alternative Name field

                  ECA-10082 - Security issue

                  ECA-10083 - Autoenrollment: Clear header from outgoing SOAP message when one already exists

                  ECA-10088 - Autoenrollment: Enrollment permission check is too strict

                  ECA-10089 - Security issue

                  ECA-10093 - SSH settings must not be displayed in CE edition End-Entity Profile edit form

                  ECA-10097 - Regression: Security exception and missing classes on classpath when importing using EJBCA DB CLI

                  ECA-10104 - Regression: Exception occurs when viewing certificate

                  ECA-10106 - Signing of data larger than 20 KiB with ECDSA and PKCS#11 NG (e.g. eIDAS HSM) fails

                  ECA-10109 - Signing of data larger than 20 KiB with AWS KMS and Azure Key Vault fails

                  ECA-10113 - Maximum number of failed login attempts not working via RA Web

                  ECA-10116 - Run CRL partition index db update in post-upgrade instead of upgrade at a startup

                  ECA-10122 - Unable to set Intune key binding in SCEP configuration

                  ECA-10125 - Intune Scep Serialization Error

                  ECA-10129 - Intune revocation missing SCEP fields

                  ECA-10132 - Azure Crypto Token using cert auth with auto activation shows inactive when restarting wildfly

                  ECA-10133 - Fix selenium

                  ECA-10134 - EAB namespaces broken for configdump

                  EJBCA 7.5.1

                  EJBCA 7.5.1 was an internal release, not generally available for customers.

                  Internally Released May 2021

                    New Features

                    ECA-9270 - Allow Intune verification to be performed from the RA

                    ECA-9441 - Implement support for a keystore using FIPS compliant algorithms

                    ECA-9972 - Create a Service Worker for Intune Revocation

                    ECA-10010 - Use configured CAs

                    ECA-10016 - SCEP servlet should update intune after cert issuance


                    ECA-9658 - ACME agree to new ToS

                    ECA-9792 - Add a button for importing certificates to an OCSP responder

                    ECA-9833 - Configdump SCEP Import/Export with Intune settings

                    ECA-9898 - ACME: Limit followed redirect codes according to CABForum Ballot SC44

                    ECA-9974 - The domain ignore list used for CAA validation should be consistent with how domains names in certificates work

                    Bug Fixes

                    ECA-9372 - "Any CA" in Ocsp Pre-Signer Service has no effect

                    ECA-9408 - Security hardening

                    ECA-9903 - Remove Apache Velocity from /lib

                    ECA-9977 - Regression: ejbca.sh fails to import endentities profiles with notifications - need commons-lang3

                    ECA-9984 - Allowed Characters changing after disabling User Storage

                    ECA-10000 - p11ng-cli signperformancetest calculates signings per seconds incorrectly

                    ECA-10007 - MSAE Configuration displays in VA instances

                    ECA-10017 - Fix FindBugs warnings related to OAuth

                    EJBCA 7.5

                    EJBCA 7.5.0 was an internal release, not generally available for customers.


                    Released May 2021

                      New Features

                      ECA-6630 - Create YAML export for CMP configuration

                      ECA-6689 - Not possible to issue CA certificates through the RA web

                      ECA-9441 - Implement support for a keystore using FIPS compliant algorithms

                      ECA-9484 - Support for Ed25519 in P11NG

                      ECA-9490 - General Account Binding (GAB)

                      ECA-9491 - ACME External Account Binding (EAB)

                      ECA-9492 - ACME EAB Configuration UI

                      ECA-9494 - ACME EAB Implementation as specified in RFC8555

                      ECA-9495 - ACME EAB Implementation for public key signature validation

                      ECA-9500 - Add support for new eIDAS QC statement esi4-qcStatement-7, Legislation

                      ECA-9525 - Optionally, add cache header for OCSP unauthorized response

                      ECA-9527 - Add Role as standard DN field

                      ECA-9550 - Prevent deployment of EJBCA after a hardcoded date

                      ECA-9561 - ACME IP Identifier Validation http-01 Challenge

                      ECA-9572 - Create MSAE Servlet module in EJBCA

                      ECA-9633 - Support Thales DPoD

                      ECA-9671 - Option to disable http-01 challenge for ACME wildcard certificates

                      ECA-9696 - Make the ACME order validity configurable

                      ECA-9724 - Add XCEP implentation in the msae package

                      ECA-9737 - Add EST client mode

                      ECA-9738 - CLI support to create new Crypto Token with Azure key vault (ejbca.sh ca cryptotoken)

                      ECA-9762 - Read token and give access (RA Web)

                      ECA-9767 - Add MS Intune Azure Active Directory authentication URL to SCEP alias

                      ECA-9771 - Add Intune verification Auth. URL to SCEP alias configuration

                      ECA-9780 - Add MSAE to protcol configuration

                      ECA-9816 - Add Intune resource URL and Graph related fields to SCEP alias configuration and mask app key field

                      ECA-9817 - Add CRL generation upon revocation and configdump


                      ECA-9005 - Integrate Microsoft Autoenrollment (MSAE) into the EJBCA RA

                      ECA-9624 - OAuth Support

                      ECA-9716 - CRL Generation upon revocation


                      ECA-4750 - Change default configuration of User Notice text to use UTF-8

                      ECA-7391 - Only show CA-related approvals in CA Web (and vice versa)

                      ECA-7844 - The space before the Validator name is not trimmed

                      ECA-8350 - Implement 'revokeCert' resource authorization for an ACME account holding all of the identifiers in the certificate

                      ECA-8705 - Deleting items with dependencies

                      ECA-8940 - Make P11-NG an optional provider for EJBCA

                      ECA-9006 - Certificate Template Enrollment Authorization Bypass

                      ECA-9282 - Replace outmoded language in EJBCA

                      ECA-9361 - Add "Flush" and "Republish" to publisher queue view

                      ECA-9378 - Improve the error logging for OCSP response generation

                      ECA-9475 - Make REST search result limit rely on global config

                      ECA-9489 - Add support for key unwrapping in P11-NG provider

                      ECA-9526 - Fix OWASP job in Jenkins

                      ECA-9532 - ACME system test failures

                      ECA-9533 - ACME EAB config dump

                      ECA-9540 - Selenium setup script fails in EJBCA CE

                      ECA-9554 - Update nimbus-jose-jwt-8.19.jar to latest release 9.1.2

                      ECA-9573 - Invoke RaMasterApi from MSAE Servlet

                      ECA-9600 - Documentation improvement: E-mail Notification Configuration in EEP

                      ECA-9608 - Separate CP5 functionality from regular P11 in P11-NG

                      ECA-9611 - ACME EAB UI layout and code convention improvements

                      ECA-9612 - Log which CMP message type is received

                      ECA-9613 - Improve ACME EAB ConfigDump

                      ECA-9626 - Add selenium tests for ECA-8705

                      ECA-9627 - Improve ACME EAB Implementation for public key signature validation GUI

                      ECA-9628 - Issue a qualified certificate with multiple Semantics Identifier (OIDs)

                      ECA-9629 - Library upgrade in MSAE Servlet

                      ECA-9646 - Re-enable OAuth configuration in CA UI

                      ECA-9657 - Configure Keycloak login url

                      ECA-9664 - MSAE Servlet Kerberos authentication

                      ECA-9667 - Fix failing unit tests in Jenkins

                      ECA-9670 - Improve Documentation: Remove meaningless instruction in REST example script

                      ECA-9673 - Change kerberos configuration runtime

                      ECA-9687 - Improve clean up of ACME nonce data

                      ECA-9701 - Make it possible to query different AD machines from EJBCA server.

                      ECA-9704 - OAuth login page for RA UI

                      ECA-9715 - Improve caching for Azure Crypto Token

                      ECA-9718 - Unit test for OAuth request

                      ECA-9720 - Minor UX improvements for OAuth

                      ECA-9728 - Query AD Policies from XCEP Service

                      ECA-9729 - Encrypt ACME EAB symmetric key

                      ECA-9730 - Make the CES (MSAE) implementation a Java WebService

                      ECA-9731 - Option to use SSL / TLS AD connection in MSAE

                      ECA-9732 - UI Configuration for MSAE

                      ECA-9753 - Merge CertUtils and CertTools

                      ECA-9754 - Convert AD time format to Java

                      ECA-9761 - Fix JSF dynamic UI components update of value range

                      ECA-9766 - Replace static list of AD Templates in MSAE UI Configuration

                      ECA-9772 - Refactor MSAE AD Connection

                      ECA-9773 - CEP Service: Invoke AD connection from external package

                      ECA-9774 - CES Service: Invoke AD connection from external package

                      ECA-9775 - Create unit tests for MSAE ASN1 helper class

                      ECA-9784 - Add default P11 provider path for AWS CloudHSM

                      ECA-9785 - Rename PKCS#11 CP5 to PKCS#11 NG in crypto token driver select list

                      ECA-9796 - Add a CLI command to view detailed information about an OAuth provider

                      ECA-9804 - MSAE UI option for policy name

                      ECA-9811 - Support SHA256 and SHA512 RSA signatures for certificates issued by RSA based SSH CAs

                      ECA-9835 - Read AD templates dynamically from CESService

                      ECA-9838 - REST End Entity Management enabled by default

                      ECA-9845 - Try to authenticate using OAuth when client certificate authentication fails

                      ECA-9846 - Pin OAuth role members to a specific provider

                      ECA-9858 - Support SHA224WithECDSA in P11-NG

                      ECA-9875 - REST unable to pkcs10Enroll when EE profile uses auto generated password

                      ECA-9878 - ACME pre-authorization system test

                      ECA-9894 - Allow usage of JWK public key for OAuth

                      ECA-9901 - Strip trailing slash from OAuth URL for KeyCloak providers

                      ECA-9907 - Update mapped AD template settings

                      ECA-9910 - Set ACME problem response content type to application/problem+json

                      ECA-9913 - Fallback to database is CEP Service CA cert isn't found in cache.

                      ECA-9917 - Prevent the user from adding public keys with duplicate keyids

                      ECA-9923 - Administrator name should not be UUID when logging in with KeyCloak

                      ECA-9960 - Revisit MSAE libs

                      ECA-9964 - Allow CEP service to represent multiple CAs

                      ECA-9965 - Rename default provider type

                      Bug Fixes

                      ECA-6010 - CLI importcacert can't import CA chain certificates

                      ECA-7447 - Disable "set password" in RA web if end entity profile enrollment code is "auto-generated"

                      ECA-7485 - EEP default CA selection doesn't work on adminweb EE creation and RaWeb enrollmakenewrequest pages

                      ECA-8499 - Not possible to mix Sun PKCS#11 and CP5 PKCS#11 tokens

                      ECA-8947 - The CLI command mergecatokens is not working for CAs with token type provider Pkcs11NgCryptoToken

                      ECA-9140 - CA Structure & CRLs links do not work if CA DN contains &

                      ECA-9155 - Certificate is generated without Username

                      ECA-9317 - When "Use entity CN field" In The EEP is Enabled, it is not visible on adminweb while adding EE

                      ECA-9499 - Security Issue

                      ECA-9534 - Wrong label in end entity profile: "UID, Unique Identifier" subject DN field should be "userid"

                      ECA-9543 - Fix DynamicUiProperty / DynamicUiModel property validation.

                      ECA-9544 - Insert DynamicUiModel JSF into existing table grid

                      ECA-9545 - Fix DynamicUiProperty / DynamicUiModel component enabling / visibility

                      ECA-9546 - Adding RA Proxying of EjbcaWS.softTokenRequest

                      ECA-9549 - Incorrect encoding of non-english languages in RA web on Java 11

                      ECA-9558 - Multiple choices of the same curves in certificate profile - unable to enroll ECDSA prime256v1 certificate via RA Web

                      ECA-9565 - Make the CE index page show the correct version information

                      ECA-9568 - Remove the final/static keywords from EJB methods

                      ECA-9586 - Regression: First letters of first DC component in CA DN always capitalized

                      ECA-9590 - CA signing algorithm suggestion defaults to SHA1WithRSA after selecting crypto token

                      ECA-9615 - Regression: When selecting multiple keys in a crypto token the wrong key(s) are removed

                      ECA-9619 - Remote internal key binding updater service fails with nullpointer exception

                      ECA-9622 - Null pointer exception is thrown when the CA tries to issue a certificate using a corrupt CSR

                      ECA-9630 - Regression: EST re-enroll stopped working due to authorization of re-enrolling entity

                      ECA-9632 - ExtendedInformation is not parsed correctly by SecureXMLDecoder for some values

                      ECA-9634 - Fix ACME revokeCert resource for revocations for account holders having all authorizations for the identifiers in a certificate

                      ECA-9638 - Fix ACME EAB exception handling

                      ECA-9640 - CMP 3GPP: Unable to enroll Ericsson eNodeB in Vendor Mode

                      ECA-9656 - EJBCA will debug log a private key if sent with CSR

                      ECA-9660 - Cannot enroll over ACME using an EC keypair

                      ECA-9661 - No check if Allow Subject DN Override by CSR in REST

                      ECA-9666 - Missing space in TLS error message

                      ECA-9675 - SCEP – null name for End Entity generated instead of DN serialNumber

                      ECA-9714 - Some system tests failing on processing PKCS10 requests

                      ECA-9721 - Error Admin UI rendering creating CAs with crypto token errors

                      ECA-9726 - Regression: error about ApprovalData column when exporting using ejbca-db-cli

                      ECA-9727 - REST API fail to enroll CSR with Subject Directory Attribute

                      ECA-9736 - Regression: Add/Edit End Entity actions are not logged to Audit Log

                      ECA-9741 - RA web ignores Subject Directory Attributes in user CSR

                      ECA-9749 - Regression: Intune not working, upgrade intune libraries

                      ECA-9764 - Fix failing configdump unit tests in Jenkins

                      ECA-9765 - Regression: EjbcaWS.processSoftTokenReq does not work when end entity already exist

                      ECA-9768 - REST API: NullPointerException enrolling end entity without ExtendedInformation

                      ECA-9783 - Warnings printed from CEP Service on startup

                      ECA-9802 - Regression: Response to acme endpoints is not correct in all cases.

                      ECA-9805 - Enrollment code not shown in RA web when using key recovery

                      ECA-9806 - AlgorithmTools is spamming the log, lower log level for list of available algorithms

                      ECA-9807 - Workaround C_GetAttributeValue bug in AWS CloudHSM

                      ECA-9808 - CE build broken. Package org.cesecore.keys.token.p11ng.provider does not exist (in CE)

                      ECA-9809 - Unable to sign RSA public keys with SSH CA

                      ECA-9815 - OAuth login page is not shown when authentication fails on a JSP page

                      ECA-9822 - Regression: ejbcaClientToolBox.bat does not work

                      ECA-9824 - Edit CA resets Extended Services Key Specification for CMS CA Service

                      ECA-9839 - Theoretical NPE in EjbcaWebBeanImpl

                      ECA-9841 - OAuth provider without keys cannot be deleted

                      ECA-9847 - Regression: Missing library in CMP HTTP proxy

                      ECA-9851 - OAuth Client Secret should be input type password

                      ECA-9853 - OAuth refresh token assumes there is also an access token

                      ECA-9855 - Security issue

                      ECA-9859 - Read profiles via Peers for MSAE UI Configuration

                      ECA-9860 - Same MSAE policy UID is used for all machines

                      ECA-9862 - MSAE AD password is shown cleartext

                      ECA-9871 - Fix trace interceptor invocation duration

                      ECA-9872 - Regression: Peer publishing between 7.5 and older is broken

                      ECA-9873 - Error clicking "previous" CA certificate in CA structure certificate view

                      ECA-9877 - External RA: Unable to access external RA

                      ECA-9886 - Fix ACME pre-authorization order creation

                      ECA-9887 - Security Issue

                      ECA-9895 - Oauth login fails in chrome

                      ECA-9896 - Failed to get token from authorization server. HTTP status code 401

                      ECA-9900 - Fix AcmeConfiguration upgrade method.

                      ECA-9904 - LDAP Connection resets regularly

                      ECA-9908 - Test connection doesn't use the saved password

                      ECA-9909 - List of "Available MS Templates" isn't sorted

                      ECA-9912 - Incorrect table definition in sql script for MS-SQL for OcspResponseData.rowProtection

                      ECA-9916 - Implement oid claim for Azure

                      ECA-9919 - PKCS11HSMKeyTool fails with missing jna dependency

                      ECA-9924 - AD Search Scope too narrow

                      ECA-9931 - Security hardening

                      ECA-9932 - Fix exception with "default method" in Java on some environments

                      ECA-9933 - Must enter client secret again when saving OAuth provider

                      ECA-9938 - OAuth login in RA UI does not work over peer connection

                      ECA-9949 - OAuth: Failed to get token from authorization server.

                      ECA-9954 - Regression: NPE when getting non-existent configuration over peers, when debug logging is enabled

                      ECA-9956 - Conf files update is not reflected

                      ECA-9958 - Regression: NPEs on System Configuration page

                      ECA-9959 - MSAE SAN DNS Contains only domain part

                      ECA-9963 - EstRAModeBasicTest failing due to typo in expected error string

                      ECA-9967 - Errors in CA UI when TLS session is restarted

                      ECA-10042 - ACME EAB secret key logged on debug level


                      Released February 2021

                      Bug Fixes

                      ECA-9749 - Regression: Intune not working, upgrade intune libraries

                      ECA-9779 - Invalid backport: not working in OpenJDK 8u272/11.0.6 without Java patch

                      ECA-9809 - Unable to sign RSA public keys with SSH CA


                      Released December 2020


                      ECA-9694 - Security issue


                      ECA-9669 - Workaround for MSSQL Hibernate driver issue that leads to duplicates in CRL
                      ECA-9679 - Signing with RSASSA-PSS not working in OpenJDK 8u272/11.0.6 without Java patch
                      ECA-9693 - Security Issue

                      Bug Fixes

                      ECA-9557 - SSH Certificate Signer not working with p11
                      ECA-9705 - Invalid storage of SIM value (RFC4683) in the Subject Alternative Name of a certificate
                      ECA-9711 - AWS KMS request throttling when reading public keys results in unusable keys

                      EJBCA 7.4.3

                      Released October 2020

                      New Features

                      ECA-5333 - Ability to search for approval requests by part of Subject DN / or e-mail

                      ECA-7994 - Not possible to request CVC certificates in RA web

                      ECA-8845 - Planning of grab new installations issue

                      ECA-9237 - Authentication path for OAuth in CA UI

                      ECA-9239 - Authentication path for OAuth in RA web

                      ECA-9240 - Ability to manage OAuth keys via AdminWeb

                      ECA-9241 - Ability to manage OAuth keys via CLI

                      ECA-9333 - REST API commands for End Entity Management

                      ECA-9337 - Landing page for "grab new installation"

                      ECA-9346 - CLI support to create new CA with AWS/Azure KMS crypto token (ejbca.sh ca init)

                      ECA-9350 - Authentication path for OAuth in WebService and REST API

                      ECA-9351 - Ability to configure default OAuth key

                      ECA-9376 - Add language strings for OAuth in RA Web

                      ECA-9421 - Add entry for Trident HSM to web.properties defaults

                      ECA-9431 - System test of URL access with JWT Bearer token

                      ECA-9450 - Add OAuth support to AuthenticationFilter

                      ECA-9451 - Add OAuth support to JSP pages

                      ECA-9453 - Make it possible to ask the healthcheck servlet which VAs are up to date

                      ECA-9471 - Unit test of OAuth Keys in Configdump

                      ECA-9481 - Updating preferences in RA Web and CA UI with OAuth authentication

                      ECA-9509 - Trigger landing page for new installations


                      ECA-8905 - Update JWT libraries for EJBCA

                      ECA-9315 - Document CA rekey recommendations

                      ECA-9380 - Upgrade jackson-databind to

                      ECA-9381 - Remove jdom jar

                      ECA-9383 - Upgrade hibernate jars

                      ECA-9515 - New Swagger version requires json-patch JAR and newer jackson-databind JAR

                      ECA-9539 - Skip REST related test in CE


                      ECA-8750 - KeyGenParams is handled inconsistently for RSA

                      ECA-8800 - Improve usability when selecting crypto tokens/algorithms on CA

                      ECA-9023 - Use prepared statements in ApprovalSessionBean and org.ejbca.util.query.Query

                      ECA-9215 - Configure full Azure Key Vault Name which would include the DNS FQDN

                      ECA-9238 - Ability to access CA UI via OAuth without allowing unauthenticated usage

                      ECA-9243 - Change or remove svn.revision property

                      ECA-9283 - SSH Implementation improvements

                      ECA-9293 - SSH Implementation remaining TODOs

                      ECA-9309 - CleanUp the code, discovered in SSH implementation/review

                      ECA-9328 - Improve JackNJI11ProviderTest

                      ECA-9355 - Prevent admin lock-out when using OAuth

                      ECA-9368 - Fail over to another node if CRL updater cannot complete work due to crypto token being inaccessible

                      ECA-9379 - Document how to view number of CRLs for each issuer in housekeeping guide

                      ECA-9412 - Export\import OAuth keys with configdump

                      ECA-9415 - Add ACME support for cert-manager

                      ECA-9428 - Some WS methods swallow AuthorizationDeniedException

                      ECA-9430 - Avoid using SHA1 for HSM public key dummy certificates

                      ECA-9457 - Lower logging level in from ERROR to INFO when request key is not allowed

                      ECA-9458 - Trim external lib

                      ECA-9462 - Remove unused jar file

                      ECA-9464 - Upgrade internal library

                      ECA-9465 - Upgrade internal library

                      ECA-9467 - Upgrade internal library

                      ECA-9469 - Upgrade internal library

                      ECA-9514 - Temporarily remove OAuth configuration from CA Web

                      ECA-9522 - UI Improvements to installation page

                      ECA-9523 - EJBCA's validity definition does not align with the one from RFC5280 and baseline requirements

                      Bug Fixes

                      ECA-8681 - CRLData query wrongly assumes unique result

                      ECA-9031 - Regression: certificate validity option for key validators are not shown

                      ECA-9170 - SecureXmlDecoder cannot deserialize enums created in Java 6

                      ECA-9185 - Security Issue

                      ECA-9213 - Regression: 'Close' button not functioning under Role Members 'View Certificate' page

                      ECA-9280 - SecureXmlDecoder lacks support for UserDataVO, causing deserialization error

                      ECA-9291 - Incorrect encoding of critical options for SSH certificates

                      ECA-9296 - SSH values still show up in end entity profiles even if SSH module is not present

                      ECA-9301 - EJBCA freezes at startup if cyclic cross-signed root certificates are used in OCSP chain

                      ECA-9302 - Regression: Unable to Generate Certs from WebService When the Username is Set To Autogenerated in the EEP

                      ECA-9304 - Missing CA causes NPE when viewing KeyBindings

                      ECA-9318 - Wrong defaultKey selected from crypto token

                      ECA-9325 - Add quotation marks to the properties argument in the sample command in the CLI for services

                      ECA-9335 - Regression: SerialNr Octet size not retained after upgrade

                      ECA-9343 - Duplicated close on stream in EndEntityProfileSessionBean and CertificateProfileSessionBean

                      ECA-9349 - CLI does not include plugins-ee on first build

                      ECA-9364 - EjbcaWS.findCerts(username, isValid=true) should also return certificates with status = 21

                      ECA-9365 - Not possible to delete publisher, if exists ssh CA

                      ECA-9370 - CMP's EndEntityCertificateAuthenticationModule does not use BC to verify certificates

                      ECA-9392 - ACME system test includes invalid altName extension in CSR

                      ECA-9413 - Fix ACME test failures in main

                      ECA-9426 - OCSP responses without extensions are sent with an empty "singleExtensions" list

                      ECA-9432 - Removal of unidfnr/src-test causes Unit tests failure and partial execution of unit tests

                      ECA-9434 - Multiple CRLs with different CRL partition indexes after upgrade causes NonUniqueResultException

                      ECA-9436 - ProtocolOcspHttpStandaloneTest failure (false positive)

                      ECA-9437 - Avoid random StringToolsTest failure

                      ECA-9440 - Regression: CA UI links do not work with a HTTP proxy running on a different port/hostname/scheme

                      ECA-9448 - Regression: Changes in EndEntityProfileSessionBean and CertificateProfileSessionBean in try-with-resources produce incomplete xml

                      ECA-9452 - Test for pkcs10enroll endpoint returns error when user is set to autogenerated in EEP

                      ECA-9455 - Possible NPE in REST search certificate call

                      ECA-9456 - Approvals created without cert authenticated admins fail in RA Web

                      ECA-9482 - Missing icon and name of access rule with misconfigured peer connector

                      ECA-9485 - Regression: XmlSerializer does not B64 encode non-ASCII strings, causing audit record to fail in some cases

                      ECA-9498 - Regression: OCSP keybinding certificate import fails when CA fingerprint is missing in database

                      ECA-9501 - Test Failure: KeyValidatorSession

                      ECA-9503 - Test Failure: REST System tests

                      ECA-9506 - Update method invocations to getPendingEntriesCountForPublisherInIntervals

                      ECA-9517 - ant ziprelease doesn't set git revision properly

                      ECA-9518 - AdminWeb header/logo URL is sometimes not shown due to incorrect URL

                      ECA-9520 - Jenkins RA/VA builds using invalid revsion property

                      ECA-9524 - EJBCA CE doesn't build from main

                      ECA-9528 - ACME NPE while running same certbot request twice or more

                      ECA-9529 - Regression: Custom logo does not load

                      ECA-9535 - Too many CT keys would fill up screen during CA creation

                      ECA-9538 - AcmeConfiguration is missing configdump setting for getRetryAfter

                      ECA-9541 - Test failures after inclusive validity range fix

                      ECA-9547 - "ant ziprelease" produces Community Edition zip release that does not build

                      ECA-9548 - Regression: PKI Disclosure Statements are not encoded correctly in audit log

                      EJBCA 7.4.2

                      Released September 2020

                      New Feature

                      ECA-9360 - Omit "unspecified" revocation reason in OCSP responses


                      ECA-9328 - Improve JackNJI11ProviderTest

                      ECA-9341 - Permit inclusion of additional subject DN fields when using ACME

                      Bug Fixes

                      ECA-9165 - Certbot 1.4.0-1.6.0 fails to enroll over RA peer

                      ECA-9285 - Warn about incorrect peer role configuration that breaks RA nodes

                      ECA-9301 - EJBCA freezes at startup if cyclic cross-signed root certificates are used in OCSP chain

                      ECA-9342 - SCP Publisher doesn't close all connections

                      ECA-9344 - DB import fails when number of objects are high

                      ECA-9357 - Count of successful publishing operations not correct in PublisherQueueSessionBean

                      EJBCA 7.4.1

                      Released July 2020

                      New Features

                      ECA-9244 - Allow the SCEP SSB to verify messages from Intune

                      ECA-9248 - Add option to certificate serial number generator to use a FIPS/SP800 BC hybrid entropy source

                      ECA-9250 - Modify ziprelease command to not include the SSH module by default

                      ECA-9251 - Review implementation of the SSH CA

                      ECA-9252 - Modifications to End Entity and Certificate Profiles for SSH Certificates

                      ECA-9253 - Review implementation of SSH Public Keys

                      ECA-9254 - Review implementation of SSH Certificates

                      ECA-9255 - Review implementation of SSH-related WS methods

                      ECA-9265 - Add REST stress test command to clientToolBox


                      ECA-8432 - OCSPkeyBinding Default Responder DB Queries

                      ECA-8787 - Add the ability to have multiple DVCAs with the same holder country and mnemonic

                      ECA-9211 - Optionally include certificate chain in /pkcs10enroll response

                      ECA-9275 - Database protection compatibility code should skip automatic upgrade

                      ECA-9283 - SSH Implementation improvements

                      ECA-9289 - Allow validity changes for SSH certificate profiles

                      ECA-9293 - SSH Implementation remaining TODOs

                      ECA-9294 - Microsoft Intune feature documentation

                      ECA-9295 - Make sure all files under the ssh module have the Enterprise license header

                      ECA-9299 - Remove unneeded values from intune configuration

                      ECA-9319 - Add CVC WS system test how to renew a domestic DV from a CVCA in the same instance

                      Bug Fixes

                      ECA-9170 - SecureXmlDecoder cannot deserialize enums created in Java 6

                      ECA-9206 - Prevent peer system from being removed when referenced by a publisher

                      ECA-9217 - ACME http challenge validation process fails when the server redirects to HTTPS

                      ECA-9278 - SHA512withRSAandMGF1 cannot be used by JackNJI11

                      ECA-9291 - Incorrect encoding of critical options for SSH certificates

                      ECA-9296 - SSH values still show up in end entity profiles even if SSH module is not present

                      ECA-9298 - Security Issue

                      ECA-9314 - Regression: "Key already in use" functionality stopped working on CA page

                      ECA-9326 - SCEP approvals only works with soft Crypto Tokens, not HSM.

                      EJBCA 7.4.0

                      Released June 2020

                      New Features

                      ECA-4491 - Support Ed25519 and Ed448 (EdDSA) certificate issuance using soft crypto tokens

                      ECA-5333 - Ability to search for approval requests by part of Subject DN / or e-mail

                      ECA-6787 - Ability to specify Superadmin Validity during installation

                      ECA-6790 - Add "Enforce Key Renewal" Option

                      ECA-7162 - Add regex validation to usernames for EEP

                      ECA-8699 - Support encryption for SCEP in Azure Key Vault crypto token

                      ECA-8718 - Add test of "Enforce Key Renewal"

                      ECA-8781 - CLI command to import key recovery data for end entities

                      ECA-8848 - Database table for pre-produced OCSP responses

                      ECA-8849 - Service worker pre-produced OCSP responses

                      ECA-8850 - CA setting enabling pre-produced responses.

                      ECA-8852 - Publisher for OCSP Response Data

                      ECA-8866 - Create OCSP Cache for CA canned response setting

                      ECA-8878 - Session bean (interface etc) for OcspResponseData

                      ECA-8892 - Handling conflict between CA setting to pre-produce OCSP responses and OCSP Key binding nonce setting

                      ECA-8895 - Create indexes for the OCSPResponseData table

                      ECA-8899 - Approvals for SCEP RA mode

                      ECA-8913 - Support AWS KMS (Key Management Service, different from AWS CloudHSM)

                      ECA-8944 - Service worker UI for OCSP pre-production

                      ECA-8962 - Implement SCEP enrollment with approvals for already existing end entities

                      ECA-8990 - Update plugin sample to deploy cleanly

                      ECA-9051 - Shift the configuration of ExtendedUserDataHandlers (such as the UnidFnrHandler) from CMP configuration to CA configuration

                      ECA-9053 - Implement configuration of Request Processors in the CA

                      ECA-9057 - Implement a validator for the Google Safe Browsing API

                      ECA-9065 - Upgrade procedure after moving Request Processors from CMP to CA

                      ECA-9066 - Shift execution of Request Processors from CrmfRequestHandler into CertificateRequestSession

                      ECA-9072 - Service worker logic for final OCSP response

                      ECA-9074 - Support for CLI batch generation with EdDSA keys

                      ECA-9142 - Create a webservice call for creating an externally signed CA.

                      ECA-9163 - Add support for WS createExternallySignedCa command in clientToolBox


                      ECA-7435 - Java 11: SOAP WS Client and Tests do not work

                      ECA-8212 - Batch enrollment GUI does not build under JDK11

                      ECA-8651 - Update resteasy jars used for junit testing

                      ECA-8695 - Security: Upgrade external dependency

                      ECA-8696 - Update db2jcc4.jar used for jenkins tests

                      ECA-8700 - Use reflection in CESeCoreUtils to support older version of Java

                      ECA-8717 - Java 11: ejbca-ws-cli uses endorsed.dirs which is not supported in java 11

                      ECA-8724 - Upgrade cert-cvc to 1.4.10

                      ECA-8727 - Documentation: Oracle JDK 8 not listed any longer in prerequisites

                      ECA-8730 - Fix JUnit, UserFulfillEndEntityProfileTest and CommandLibraryTest tests that fail on Java 11 (due to issues in tests)

                      ECA-8731 - Remove old commons-httpclient 3.1 and upgrade commons httcomponents to latest stable version

                      ECA-8733 - Update ConfigImport "known limitations"

                      ECA-8744 - FindBugs: fix warning about NP_NULL_PARAM_DEREF

                      ECA-8804 - Security: Upgrade external dependency

                      ECA-8807 - Change the copyright footer to 2020

                      ECA-8855 - Automate test ECAQA-128: End Entity Profile - Custom Validity

                      ECA-8898 - Document known issue related to approval requests after an upgrade to EJBCA 6

                      ECA-8918 - Documentation: Document support for Cloud HSMs

                      ECA-8980 - EJBCA Testing: ACME (Continued) Testing

                      ECA-9011 - Upgrade apache cfx

                      ECA-9049 - Investigate CRL-related test failures in Jenkins

                      ECA-9050 - Code cleanup: Remove dead encrypt/decrypt methods in CA

                      ECA-9079 - Add selecatable head banner with advisory notice and consent warning

                      ECA-9088 - Grab ClientToolBox test from Git

                      ECA-9089 - Learn how the current EJBCAClientToolBox test works.

                      ECA-9090 - Create/Extend JenkinsFile and DockerFile for EJBCAClientToolBox

                      ECA-9091 - Setup Jenkins Job to run EJBCA ClientToolBox

                      ECA-9100 - Documentation: update JBoss security about Diffie-Hellman keysize and datasource passords

                      ECA-9114 - Upgrade jackson databind

                      ECA-9168 - Regression Test & Automation EcaQa75

                      ECA-9187 - Add configuration steps for WildFly 18

                      ECA-9197 - Document how to limit length of DN fields using regexp validation


                      ECA-1758 - Add system tests for caRenewCertRequest (WS)

                      ECA-4130 - Publishers: Show the publisher type next to the name in the Publishers page

                      ECA-5912 - Trim spaces and check syntax of CT URLs when they are added

                      ECA-6284 - Use something faster than java.beans.XMLEncoder/Decoder

                      ECA-6296 - Limit length of subject DN in RA GUI search results

                      ECA-6505 - Documentation: Add diagram how CA, CPs and EEPs are related

                      ECA-7064 - Disallow creation of Peer Connectors with the same name

                      ECA-7633 - New flag in 'ejbca.sh ca republish' command to list certificates instead of end entities

                      ECA-7722 - Minor usability improvements on Edit CA page

                      ECA-7819 - Remove old installation properties and ant targets

                      ECA-7959 - A user should be able to click a link to be returned to the previous page after error occurs

                      ECA-8157 - Add back the username field to EEP

                      ECA-8636 - CT systemtest - Publish precert

                      ECA-8670 - Allow selenium setup to run with different ManagementCA name

                      ECA-8672 - Fix trivial warnings in cesecore-common

                      ECA-8675 - Fix CryptoToken import in configdump

                      ECA-8694 - Automate ECAQA-155

                      ECA-8698 - Unclear UI messages for RA CA name in EST alias

                      ECA-8703 - Trim space for ACME Aliases Add function

                      ECA-8706 - Refactor CAInterfaceBean and related classes

                      ECA-8713 - Automate ECAQA-152

                      ECA-8715 - Optimize Azure Key Vault Crypto Token to not make unessecary REST calls when checking for status

                      ECA-8716 - Optimize PKCS11 Crypto Token to not make unessecary PKCS#11 calls on deactivated crypto tokens

                      ECA-8720 - Jenkins: upgrade powermock dependencies for JDK11+

                      ECA-8721 - Jenkins: EJBCA_JDK_DOCKERS

                      ECA-8722 - Update cert-cvc library to build with Java 11

                      ECA-8725 - Optimize render of created/edit CA page to not list all crypto token keys

                      ECA-8729 - ConfigImport Admin Roles import order

                      ECA-8738 - Make it possible to run tests within eclipse

                      ECA-8746 - Add small help text for subject DN field when creating a CA

                      ECA-8747 - Give error message when trying to import an IS certificate to a DVCA

                      ECA-8749 - ApprovalProfileSession.removeApprovalProfile throws exception when profile does not exist, does not follow javadoc contract

                      ECA-8754 - Optimize CaSessionBean.getCAIdToNameMap to use cache

                      ECA-8755 - Optmize CryptoTokenManagementSessionBean.getKeyPairInfo to not list all aliases

                      ECA-8758 - Sort "Extended Key Services Specification" dropdown

                      ECA-8765 - Document in Client Toolbox how to include CESeCoreUtils

                      ECA-8774 - Fix some NPEs in the log when accessing without proper session

                      ECA-8775 - Improve output format in CertDistServlet listcerts command

                      ECA-8783 - Add test case for va publisher data source (Selenium)

                      ECA-8788 - Inconsistent behaviour between CLI and AdminWeb created CA using CA defined AIA

                      ECA-8789 - Allow UNUSED data value in databaseprotection.properties

                      ECA-8793 - Add new HTTP security headers

                      ECA-8794 - Add HTTP security headers to CertDistServlet

                      ECA-8795 - Improve error handling in PublicWeb when entering invalid DN

                      ECA-8797 - The wrong path of a language configuration file in the document

                      ECA-8801 - Change text uses->allows in configuration checker message about ECC keys

                      ECA-8809 - Fix formating in CertStoreServletTest and CertFetchAndVerify

                      ECA-8813 - Show a warning when basic constraints are violated

                      ECA-8821 - Better error message when trying to sign with an inactive crypto token

                      ECA-8839 - Allow serial numbers to be entered with colon or spaces also

                      ECA-8863 - Jenkins jobs improvement

                      ECA-8865 - Selenium test constantly failing on RA-web

                      ECA-8872 - Documentation Clarify what multiple issuers in the CAA validator means

                      ECA-8879 - Create end entity based on UPN in certificate when running "importcertsms" CLI command

                      ECA-8882 - Improve Swedish translation of the RA web

                      ECA-8907 - Add validator for SAN field in Create CA page and improve error handling.

                      ECA-8908 - Update documentation for pre-produced OCSP responses

                      ECA-8911 - Ability to get version of clientToolBox

                      ECA-8921 - Automate ECAQA-113

                      ECA-8924 - Automate ECAQA-116

                      ECA-8926 - Add delete method in OcspDataSession bean.

                      ECA-8930 - The Save button in the RA web edit end entity page should be located at the bottom

                      ECA-8932 - Document improvement in CRL Behaviour after CA Revocation

                      ECA-8936 - Revise the OcspResponseData table and primary key.

                      ECA-8943 - Public key blacklist should handle Debian blacklist format

                      ECA-8958 - Modify CmpRAUnidTest to run without the Unid datasource

                      ECA-8961 - Improve debug logging for approvals to easily see type

                      ECA-8975 - Code cleanup: Encode EC keys generated by a Pkcs11NgCryptoToken without explicit params first

                      ECA-8977 - Add sample token properties to changecatoken CLI command to make it easier to use

                      ECA-8996 - Code cleanup: Azure crypto token

                      ECA-8997 - Code cleanup: AWS KMS crypto token

                      ECA-8999 - Add cabforganizationidentifier as argument to WS cli

                      ECA-9003 - Code cleanup: OidsObjectLinkedHashSetConverter and write unit test

                      ECA-9027 - Check that all certificate/end entity profile pairs have at least one usable CA

                      ECA-9032 - Configurable time before expire for Ocsp Response Presigner

                      ECA-9033 - Improve JPQL query for getting expired responses

                      ECA-9034 - Support SHA1 and SHA256 hashes for Pre-produced OCSP responses

                      ECA-9035 - Upgrade to BC 1.65

                      ECA-9036 - Increase column size of subject DN and subject email for MySQL/MariaDB

                      ECA-9041 - SCEP: Debug log message encryption algorithms

                      ECA-9045 - Enable legacy browser enrollment in IE11 on Windows 10

                      ECA-9058 - On-demand setting for OCSP pre-production

                      ECA-9067 - Improve CryptoToken Config: Verify Auto-Activation Codes

                      ECA-9070 - Add support for CAs using SHA256WithDSA

                      ECA-9096 - Peer publisher for OCSP response data

                      ECA-9097 - Show only relevant curves/key sizes on certificate profile page

                      ECA-9098 - Retrieving curves and algorithms on RA web needs to be optimized

                      ECA-9107 - Add peering configuration capability to CLI to support scripting external VA/RA

                      ECA-9113 - CLI ca importcertdir command should use random password

                      ECA-9123 - Don't check key length is we have allowed Ed25519 or Ed448

                      ECA-9124 - Add "Cache-control" header to HTTP POST OCSP responses.

                      ECA-9131 - Clean-up job for expired OCSP Responses

                      ECA-9132 - Support Archive Cutoff for pre-produced OCSP responses

                      ECA-9135 - Improve documentation about allow.external-dynamic.configuration in ejbca.properties and cesecore.properties

                      ECA-9139 - Trigger OCSP Response Publisher on generation

                      ECA-9160 - Allow CLI upgrade command to run post-upgrade automatically

                      ECA-9162 - Allow to store pre-produced OCSP responses in response to requests with Nonce, if response does not have Nonce

                      ECA-9186 - Make new XmlSerializer code locale insensitive and deterministic

                      ECA-9189 - Allow OCSP Response Pre-Signer to only do Final Responses

                      ECA-9208 - Don't render OCSP Pre Production in EJBCA CE

                      Bug Fixes

                      ECA-1691 - Reject issuance if both notBefore and notAfter are in the past

                      ECA-2052 - Country code in Subject DN of CVC CA is case sensitive

                      ECA-2068 - Export CA key Store with incorrect password shows an exception on the screen

                      ECA-4155 - Check if RoleMember matched by X.509 certificate has a plausible CA and certificate serial number combination

                      ECA-4363 - Use different return codes for importprofiles CLI command

                      ECA-4735 - Unify appearance in "Edit CA" page between "CA life cycle" and "Externally signed CA creation/renewal"

                      ECA-5704 - Extended Key Usages / Prevent user from adding same Label for different OIDs

                      ECA-5705 - Extended Key Usages / Adding new Label with an existing OID replaces the old one without any error

                      ECA-6113 - SAN with escaped commas (e.g. in directoryName) is not displayed correctly

                      ECA-6189 - Subject DN e-mail field and EE e-mail field conflated in the RA

                      ECA-6770 - Extra slashes introduced on links from some admin web pages

                      ECA-7060 - Handle invalid input on 'Approval Profiles' page

                      ECA-7072 - Long text input in field validation of Manage Data Source page causes crash

                      ECA-7299 - Unit tests require PKCS#11 "slot 1" to exist and do not work with SoftHSM

                      ECA-7333 - It is possible to add Internal Key Bindings without a name

                      ECA-7678 - 'Close' button not functioning under 'Roles and Access Rules' page

                      ECA-7733 - Security hardening

                      ECA-7739 - Using a certificate profile template does not select the correct fields

                      ECA-8049 - Treat Subject Directory Attributes the same way as Subject DN.

                      ECA-8146 - OCSP signer renewal via peers not working for throw-away CA

                      ECA-8233 - "invalid use of tag" warnings from Javadoc for WS exceptions on JDK 11

                      ECA-8237 - Getting "XML Parsing Error: no root element found" when clicking "View Older" in View Certificate popup

                      ECA-8376 - RA Web doesn't build in CE.

                      ECA-8496 - Document how to prevent BouncyCastle not being loaded by an EJBCA classloader

                      ECA-8659 - Error message is not displayed in Audit Log UI page when database protection fails to verify

                      ECA-8679 - Security issue

                      ECA-8680 - Index recommendation will not allow use of partitioned CRLs

                      ECA-8687 - Fix selenium test failures due to wrong Certificate Profile save message

                      ECA-8689 - Enable /administrator when granting access to the WS protocol over peers

                      ECA-8690 - Import of IKB doesn't set bound cert Id

                      ECA-8691 - Add upgrade notes for ECA-8679

                      ECA-8697 - Audit log menu item visible on some pages even if the audit log is disabled

                      ECA-8707 - Key sequence ignored when renewing CA

                      ECA-8711 - Regression: Cannot change "Signed by" option for CAs in Uninitialized state

                      ECA-8712 - No alias for key purpose 0 error when editing external CA

                      ECA-8714 - Use CRL partitions should not be rendered for External CAs

                      ECA-8719 - 'Make New Request' on 'RA Web' on 'Clean Installation' results in StackOverflowError

                      ECA-8723 - cert-cvc should use Bouncy Castle provider for verification of CVCAuthenticatedRequest

                      ECA-8728 - TestDatafields in cert-cvc fails if clock is 00:00-00:59

                      ECA-8734 - Incorrect warning of ConfigExport/Import SCP Publisher

                      ECA-8735 - Some system tests fail if ManagementCA is called something else

                      ECA-8736 - HealthCheckTest.testAuditLogHealthCheck does not restore databaseprotection.keyid.AuditRecordData

                      ECA-8737 - change/addUser should throw a proper error message instead of NPE when changing a user to a non-existing EE profile

                      ECA-8739 - NPE when importing brainpoolP256r1 DVCA certificate

                      ECA-8742 - Delete tests leave crypto tokens left behind by system tests

                      ECA-8743 - KeyGenParams is not serializeable

                      ECA-8752 - CA message handlers may throw NPE instead of CADoesntExistsException when CA does not exist

                      ECA-8756 - ClassCastException on Wildfly 14 when saving a certificate profile with "Subject DN Subset" enabled

                      ECA-8757 - CaImportCACommand doesn't activate KeyRecoveryCAServiceInfo

                      ECA-8759 - Unclear error message CA/B Forum Organization Identifier is blank or missing

                      ECA-8761 - Certificate Extensions not enabled in the Certificate Profile give no error

                      ECA-8766 - Certificate pinning for Authentication Key Bindings is not working if the pinned certificate is not in the database

                      ECA-8772 - Minor security issue

                      ECA-8773 - Security issue

                      ECA-8777 - Security issue

                      ECA-8778 - WS request with missing required extension field can still be issued

                      ECA-8779 - WS request with extension field that is in CP but not EEP can be issued

                      ECA-8780 - KeyRecoverySessionBean.addKeyRecoveryData does not return false is data already exists

                      ECA-8782 - ServiceSession logs incorrect administrator when editing a service

                      ECA-8785 - Statedump import fails when there is an unconfigured EST alias

                      ECA-8786 - Making a CVC WS request can fail if there is an unitialized CVCA

                      ECA-8791 - Cannot search by year 2020 in Admin Web

                      ECA-8796 - Sometimes wrong default setting for "Send notification" in the RA, when notifications are enabled

                      ECA-8799 - Regression: Wrong JKS is downloaded in the "CA Certificates & CRLs" page

                      ECA-8803 - NPE in Admin UI if script publisher configured and after that external scripts are disabled

                      ECA-8811 - CVCA link certificate has wrong validity

                      ECA-8816 - 'Remove from CRL' should be removed from 'Revocation Reason' list

                      ECA-8819 - Cannot use 7.x RA with 6.15 CA

                      ECA-8823 - Bad default CRL parameters when importing CA

                      ECA-8832 - Create button enabled while viewing CA non privileged.

                      ECA-8858 - Test failure in ConfigdumpCertificationAuthorityUnitTest

                      ECA-8859 - CA does not get selected on Add End Entity page load, test failure in EcaQa59_EEPHidden

                      ECA-8861 - Strip key alias when creating new keys

                      ECA-8864 - I cannot download generated certificate request as PEM or DER. An exception has occurred.Server returned: 500

                      ECA-8869 - Fix duplicate/ambiguous network name on old Jenkins jobs

                      ECA-8870 - Fix selenium tests jobs of Domain Blacklists on Jenkins

                      ECA-8871 - Test EcaQa5_AddEndUserEndEntity fails due to changing element IDs and incorrect profile

                      ECA-8873 - No certificate profile specified in EcaQa202_NegativeBlacklistExactMatch test

                      ECA-8874 - EcaQa77_EndEntitySearch is sensitive to the environment

                      ECA-8880 - UpdatePublicKeyBlacklistCommandTest contains empty folder in resources, which fails with GIT

                      ECA-8881 - Empty POST to /.well-known/est/simpleenroll results in NullPointerException

                      ECA-8884 - PKCS#11 CP5 Cryptotoken type displayed even if no libraries are configured

                      ECA-8885 - HealthCheckTest fails on Community Edition

                      ECA-8888 - Test failures in Selenium jobs due to port conflict

                      ECA-8890 - Certificate Validator ignores profile settings

                      ECA-8893 - ServiceLocatorException on approval/notification when mail is not configured

                      ECA-8900 - The wrong certificate profile is edited when opening two certificate profiles in different tabs/windows

                      ECA-8910 - Jenkins Oracle DB is missing indexes, which causes failures

                      ECA-8912 - No remote key bindings listed on CA when any keybinding references a non-existent key

                      ECA-8915 - Usability: Verify allowed characters in key aliases when generating keys in using Azure Key Vault REST API.

                      ECA-8916 - Fix Jenkins test failure in EcaQa76_AuditLogSearch

                      ECA-8917 - Pre-sign Certificate Validator gives error when using ECDSA and a CA using HSM

                      ECA-8925 - Fix timing sensitivity in CTLogTest

                      ECA-8942 - Web Services - DN Merge Issue with Multiple OU Fields

                      ECA-8948 - Avoid NPE when no CA configured in EST alias

                      ECA-8955 - SCEP renewal should give nice error message when renewal cert does not exist

                      ECA-8956 - SCEP RA mode should not log on error level for normal handled error cases

                      ECA-8957 - Fingerprints not normalized on public key blacklist import

                      ECA-8959 - Public EC keys generated by a Pkcs11NgCryptoToken are always using explicit EC parameters

                      ECA-8960 - Regression: throwing checked Exceptions from postConstruct is not allowed in JEE spec

                      ECA-8985 - Certutil dump file created in Windows cannot be read by 'ejbca.sh ca importcertsms'

                      ECA-8989 - Unable to upload a zip with custom CSS files

                      ECA-8993 - CMP response message with PBE protection does not include configured extra certs

                      ECA-9012 - 'General Settings' Help/Documentation link 'Edit Validator' page is broken

                      ECA-9015 - Import Help/Documentation is broken under System Configuration/Custom RA Styles

                      ECA-9024 - AJAX for associating an RA style with a role is broken

                      ECA-9025 - Weird error message when certificate profile cannot be removed

                      ECA-9028 - Validators Help/Documentation link is broken under Edit CA page

                      ECA-9029 - Approval request not done by cert authenticated admins shows blank in Requested By

                      ECA-9030 - Improve audit logging for custom RA styles

                      ECA-9038 - NPE clicking Receive Certificate Response in Edit CA screen, if nothing is uploaded

                      ECA-9048 - Some languages not working for subject DN when viewing certificates in CA GUI

                      ECA-9060 - Adding a new label with a existing OID does not give you any error/message.

                      ECA-9064 - Prevent inactive CmsCAService to try to load keystore

                      ECA-9069 - Some CA lists in services are not sorted

                      ECA-9071 - Regression - 2 Edit buttons displayed in RA Web End Entity Details page

                      ECA-9073 - Approvals can't be edited by admin

                      ECA-9078 - Documentation link for Enable End Entity Profile Limitations? is broken

                      ECA-9080 - Documentation link for 'Create Authenticated Certificate Signing Request' is broken

                      ECA-9082 - 'ETSI PSD2 QC Statement' Documentation link refers to the wrong page

                      ECA-9086 - Missing documentation for CA/Browser Forum Organization Identifier

                      ECA-9103 - Ed448 and Ed25519 not supported in RA UI and Public Web

                      ECA-9104 - Edit end entity can log the wrong changed DN if DN merge is used

                      ECA-9106 - Regression: Unable to submit to CT logs

                      ECA-9109 - Regression: RA GUI: Regardless of the format chosen the downloaded certificate is always a PKCS12 certificate.

                      ECA-9110 - EJBCA adminweb is not accessible after configuring "Custom Publisher"--An exception has occurred. For input string: "60000"

                      ECA-9111 - Regression: EJBCA CA key renewal service does not work on subCAs

                      ECA-9112 - Selenium Tests in Jenkins

                      ECA-9125 - Avoid that upgrade adds duplicate OCSP extension that already exists

                      ECA-9126 - Methods to delete Ocsp Responses fail

                      ECA-9128 - Regression: Peers cannot deserialize TreeMap

                      ECA-9129 - Custom extensions cannot be deserialized by EJBCA

                      ECA-9130 - Regression: can not change CVC terminal type in CA UI

                      ECA-9136 - RaMasterApi reports wrong API_VERSION

                      ECA-9137 - Regression: Not possible to activate rollover renewal, CA rollover cert activation is not rendered in Admin UI

                      ECA-9138 - Documentation link broken in Edit Publisher 'Publisher Queue' section

                      ECA-9143 - NPE editing SCEP alias after rename of end entity profile and SCEP alias list items are not sorted

                      ECA-9150 - Audit Log page error

                      ECA-9152 - Some certificates are missing when downloading a JKS chain

                      ECA-9153 - Always close SSH connections created by the SCP publisher

                      ECA-9154 - Regression: can't edit ICAO document type list in adminweb

                      ECA-9157 - OCSP audit and account logging does not work when serving pre-produced responses

                      ECA-9159 - NJI11ReleasebleSessionPrivateKey always assumes RSA

                      ECA-9166 - Class was not found on classpath

                      ECA-9167 - Typo error in ORM mapping for ApprovalData

                      ECA-9170 - SecureXmlDecoder cannot deserialize enums created in Java 6

                      ECA-9172 - Rollover of expired CA will not make it active due to CRL generation failure

                      ECA-9174 - NPE in configuration checker if certificate profile linked from end entity profile does not exist

                      ECA-9178 - HealthCheckServlet is trying to create a "filename.properties" with no path

                      ECA-9181 - Deleting token used for 'Force Local Key Generation' breaks Basic Configurations page

                      ECA-9188 - Don't persist responses with status 'Unknown'

                      ECA-9190 - NullPointerException in Statedump when a non-existent publisher is still in use

                      ECA-9192 - Not possible to add additional CA certificates to CMP response

                      ECA-9200 - Regression: Several ajax calls on certificate profile page broken

                      ECA-9202 - Statedump support for the Google Safe Browsing Validator

                      ECA-9204 - It is possible to rename a CA with no name

                      ECA-9205 - NPE when testing the connection of a VA Peer Publisher referencing non-existing peer system

                      ECA-9207 - Regression: Created CVC Authenticated requests can not be downloaded in Admin UI


                      Released May 2020

                      ECA-9128 - Regression: Peers cannot deserialize TreeMap
                      ECA-9129 - Custom extensions cannot be deserialized by EJBCA
                      ECA-9136 - RaMasterApi reports wrong API_VERSION


                      Released March 2020

                      ECA-8959 - Public EC keys generated by a Pkcs11NgCryptoToken are always using explicit EC parameters


                      Released March 2020


                        ECA-8775 - Improve output format in CertDistServlet listcerts command

                        ECA-8783 - Add test case for va publisher data source (Selenium)

                        ECA-8793 - Add new HTTP security headers

                        ECA-8809 - Fix formating in CertStoreServletTest and CertFetchAndVerify


                        ECA-8790 - Perform upgrade testing

                        ECA-8807 - Change the copyright footer to 2020

                        Bug Fixes

                        ECA-7060 - Handle invalid input on 'Approval Profiles' page

                        ECA-7153 - Security issue

                        ECA-8719 - 'Make New Request' on 'RA Web' on 'Clean Installation' results in StackOverflowError

                        ECA-8757 - CaImportCACommand doesn't activate KeyRecoveryCAServiceInfo

                        ECA-8772 - Minor security issue

                        ECA-8773 - Security issue

                        ECA-8776 - Backport - ClassCastException on Wildfly 14 when saving a certificate profile with "Subject DN Subset" enabled

                        ECA-8777 - Security issue

                        ECA-8782 - ServiceSession logs incorrect administrator when editing a service

                        ECA-8791 - Cannot search by year 2020 in Admin Web

                        ECA-8802 - Acme failure

                        ECA-8811 - CVCA link certificate has wrong validity

                        ECA-8819 - Cannot use 7.x RA with 6.15 CA

                        ECA-8823 - Bad default CRL parameters when importing CA

                        ECA-8858 - Test failure in ConfigdumpCertificationAuthorityUnitTest

                        ECA-8874 - EcaQa77_EndEntitySearch is sensitive to the environment

                        ECA-8875 - Backport Domain Blacklist test reliability fixes

                        ECA-8880 - UpdatePublicKeyBlacklistCommandTest contains empty folder in resources, which fails with GIT

                        ECA-8883 - RA fails into an endless loop on load when missing /ra_master/invoke_api access

                        ECA-8890 - Certificate Validator ignores profile settings


                        Released November 2019

                          Bug Fixes

                          ECA-8679 - Security issue

                          ECA-8708 - P11NG - SHA384withECDSA doesn't work

                          EJBCA 7.3.1

                          Released November 2019

                            New Features

                            ECA-6784 - Improved peer publisher reporting - Create and download report after manual synchronization

                            ECA-8461 - Add the ability to view queued publisher items in the CA web


                            ECA-7272 - Update readme documentation for dependency libs

                            ECA-8450 - Add OWASP Dependency checker to Jenkins

                            ECA-8638 - Update commons-beanutils to version 1.9.4

                            ECA-8639 - Add CT changes to documentation

                            ECA-8640 - Upgrade nimbus-jose to version 8.2

                            ECA-8643 - Update db2jcc4.jar used for jenkins tests

                            ECA-8644 - Update clover.jar, only used for tests, to version 4.4.1


                            ECA-6205 - Remove unused method testImportFromZip

                            ECA-6979 - If a CT-configured certificate does not accumulate enough SCTs, it should be written to update OCSP, but not distributed to subscriber

                            ECA-8524 - Check for expired key binding certificates in the Configuration Checker

                            ECA-8635 - CT systemtest - Precert store

                            ECA-8648 - Notify if a search result is a pre-certificate in RA web

                            ECA-8660 - Add GCM mode ciphers for outgoing peer connections

                            Bug Fixes

                            ECA-8377 - Regression: Fast-fail is triggered when a CT submission is interrupted

                            ECA-8404 - CT publisher with direct publishing enabled, publishes old certificate on renewal

                            ECA-8630 - Incorrect handling of empty subjectAltName in a CSR in the RA UI

                            ECA-8658 - Error downloading CV certificate via Admin GUI search end entities screen

                            ECA-8667 - Update CESeCoreUtils and back-port build.cesecore.p11.jar option

                            ECA-8678 - Inspect publisher queue page shows wrong hour

                            ECA-8685 - "CMP" mentioned in EST CLI commands


                            Released 30 October 2019

                              New Features

                              ECA-8530 - Add CLI support for EST config enhancements

                              ECA-8554 - Configdump import of EST Configuration

                              ECA-8606 - EJB CLI command for controlling enabled protocols


                              ECA-8582 - Resolve circular dependency between Certification Authority and Certificate Profile

                              ECA-8583 - Detect early on if export versions are compatible with current software version

                              ECA-8602 - Review and update configdump documentation as needed

                              ECA-8637 - Security: Upgrade external dependency

                              ECA-8650 - Security: Upgrade external dependency


                              ECA-8396 - System test for P11NG

                              ECA-8572 - Prevent NPE in PeerPublisher if Peer Connector does not exist

                              ECA-8574 - Profile edit notification

                              ECA-8580 - Option to disable adding of new nodes to GlobalConfiguration

                              ECA-8584 - Detect and prompt for all passwords that will be used during import

                              ECA-8585 - Add link to Apple CT log list to admin GUI, in addition to Googles

                              ECA-8586 - Improve documentation for Managing CAs

                              ECA-8589 - CA Life Cycle JSF rendering conditions are wrong

                              ECA-8591 - Do not print stack trace in CLI when application server is not running

                              ECA-8593 - Add more detailed error message to clientToolBox certreq command when csr can not be read or directory is invalid

                              ECA-8600 - Check ConfigDump for unused/unimplemented code

                              ECA-8601 - Normalize configdump/src-cli

                              ECA-8604 - Refactor ConfigDumpImportItem and BaseCrud

                              ECA-8609 - Remove replace option in Configdump

                              ECA-8611 - Improve configdump error handling

                              ECA-8612 - Auto-resolve configdump references after import

                              ECA-8613 - ConfigdumpException should result in rollback

                              ECA-8614 - Configdump flag to control non-interactive behavior

                              ECA-8626 - Update PMD scan pipeline to use warnings-ng plugin syntax

                              ECA-8642 - Improve detection of current software version for Configdump Import

                              ECA-8646 - Change session timeouts to 15 minutes for PCI DSS compliance

                              Bug Fixes

                              ECA-8544 - P11 slot is already used warning displayed incorrectly

                              ECA-8553 - Importing CA hierarchies in Configdump not always working

                              ECA-8578 - REST API certificate search for active certificates do not include certificates notified about expiration

                              ECA-8595 - ant clean does not clean ra-gui or batchenrollment-gui modules

                              ECA-8596 - Delta CRL is not generated correctly when a certificate is released from hold

                              ECA-8597 - Link to delta CRL in CA web fetches base CRL instead

                              ECA-8605 - EJBCA 7.3.0 and ACME with cleartextpassword

                              ECA-8617 - Exclude tests for org.cesecore.keys.token.p11ng from non-eidas release

                              ECA-8620 - Default OCSP responder always sends "Unknown" for non-existing CA, regardless of settings

                              ECA-8623 - Use correct port override in EST alias systemtest

                              ECA-8624 - Disabling node tracking prevents local clear cache

                              ECA-8625 - p11ng cache not cleared on token reactivation

                              ECA-8641 - Improve configdump error message when write access is denied

                              ECA-8647 - Fix configdump import of Certificate Policy in Certificate Profile

                              ECA-8655 - Ordering of role members varies in Configdump exports

                              ECA-8661 - ACME newOrder fails due to lack of access to EEP or other failed assumption

                              ECA-8662 - problem importing Scep configuration with configdump

                              ECA-8663 - ConfigDump Import: PKCS12 key store mac invalid

                              EJBCA 7.3.0

                              Released October 2019

                                New Features

                                ECA-7278 - Initial support for Azure Key Vault as EJBCA Crypto Token

                                ECA-8039 - Make OCSP Archive cutoff configurable in the CA UI, for all OCSP responses, and with (optional) static date (CA notBefore)

                                ECA-8236 - CA/Browser Forum Organization Identifier Field certificate extension (OID: for PSD2 certificates

                                ECA-8371 - Add RA proxying to get global configurations

                                ECA-8372 - Get GlobalAcmeConfiguration over peer

                                ECA-8379 - EST support in Statedump

                                ECA-8390 - Convert caaIdentities URLs to IDN (ASCII) for ACME processing

                                ECA-8402 - Update SCEP GetCACaps return message to scep draft23

                                ECA-8403 - SCEP: set default hash algorithm to SHA-256 and support 3DES as response message encryption

                                ECA-8438 - Create Configdump EJB interface

                                ECA-8439 - Create configdump import CLI command

                                ECA-8440 - Add EJBCA version field to Configdump exports

                                ECA-8449 - Overwrite option for Configdump CLI: Replace/Update/Leave

                                ECA-8461 - Add the ability to view queued items in the CA web

                                ECA-8517 - Configdump import of Custom Certificate Extensions

                                ECA-8518 - Configdump import of Extended Key Usages

                                ECA-8519 - Configdump import of Internal Key Bindings

                                ECA-8520 - Configdump import of Publishers

                                ECA-8521 - Configdump import of Services

                                ECA-8522 - Configdump import of Certification Authorities


                                ECA-7435 - Java 11: ClassNotFoundException: org.apache.geronimo.osgi.locator.ProviderLocator from WS Tests

                                ECA-8277 - clientToolBox uses the ext dir, which no longer exists in Java 11

                                ECA-8380 - ACME: QA Testing of ACME Changes

                                ECA-8405 - Documentation: Clarify CMP concurrent request to same user fails

                                ECA-8453 - Update some external dependencies

                                ECA-8454 - Update the last MySQL5Dialect to MySQL5InnoDBDialect in (old) external RA

                                ECA-8459 - Webtests: Add platform verification feature

                                ECA-8474 - Documentation: Add database driver and DataSource for PostgreSQL

                                ECA-8500 - QA Testing 7.3

                                ECA-8526 - System Test Investigation: EE_COS7_OpenJDK8_WF10_NOHSM_MSSQL2017


                                ECA-7596 - Unification and consolidation of dockers' shell scripts

                                ECA-8073 - Include key information in ConfigDump

                                ECA-8247 - Allow CT logs to pick sharding by period

                                ECA-8273 - acme: Reduce code duplication

                                ECA-8329 - Clean up language files (Hard Token)

                                ECA-8330 - GUI: Rename all "Administrator Role" to "Role"

                                ECA-8335 - Update ACME authorization resources to RFC 8555 compliance

                                ECA-8336 - Update ACME 'revokeCert' resource to RFC 8555 compliance

                                ECA-8337 - Update ACME 'directory' resource to RFC 8555 compliance

                                ECA-8338 - Update ACME certificate resources to RFC 8555 compliance

                                ECA-8339 - Update ACME 'newAccount' resource to RFC 8555 compliance

                                ECA-8340 - Update ACME account resources to RFC 8555 compliance

                                ECA-8341 - Update ACME order resources to RFC 8555 compliance

                                ECA-8342 - Update ACME 'keyChange' resource to RFC 8555 compliance

                                ECA-8346 - Include references to the sql scripts available in the documentation.

                                ECA-8347 - Update ACME 'newNonce' resource to RFC 8555 compliance

                                ECA-8350 - Implement 'revokeCert' resource authorization for an ACME account holding all of the identifiers in the certificate

                                ECA-8356 - Exceptions caught by the EST servlet are not logged properly

                                ECA-8370 - Update ACME challenge response resource to RFC 8555 compliance

                                ECA-8397 - Update ACME documentation to RFC 8555 compliance

                                ECA-8399 - Remove ACME 'challenge' GET resource

                                ECA-8401 - Display a fingerprint of the imported Statedump after it has been imported in the CA web

                                ECA-8406 - Give a proper error message when using an attributes file for Client Toolbox in EJBCA

                                ECA-8409 - Select the correct attribútes file when editing a crypto token

                                ECA-8413 - Include the configured OCSP archive cutoff extension in all OCSP responses, not only for expired certs

                                ECA-8422 - Add CLI functionality for listing and editing OCSP extensions

                                ECA-8441 - Add import to ConfigdumpCore

                                ECA-8442 - Add YamlReader class

                                ECA-8443 - Add PoC for import of one object type in ConfigdumpSessionBean

                                ECA-8444 - Add import of important objects types in ConfigdumpSessionBean

                                ECA-8445 - Add import in configdump dump handlers

                                ECA-8446 - Create functional test (system test) for configdump import

                                ECA-8447 - CLI test for Configdump

                                ECA-8466 - ACME test suite re-factorings

                                ECA-8468 - Only report when available upstream RA peers changes

                                ECA-8475 - ACME end point test coverage

                                ECA-8477 - Add import of End Entity Profiles in Configdump

                                ECA-8478 - Configdump import of roles

                                ECA-8481 - Add implementation version in jar files to CAA cli tool, and other tools

                                ECA-8482 - Fix call of ACME operations with explicit ACME alias

                                ECA-8490 - Configdump import of Certificate Profiles

                                ECA-8502 - Create test for CaImportMsCaCertificates (import dump file created by certutil)

                                ECA-8513 - Sort items in list boxes on the role_edit.xhtml page in alphabetic order

                                ECA-8523 - Print CRL and public key when CRL fails to verify

                                ECA-8525 - Test of configdump import of Publishers

                                ECA-8527 - Option to export defaults in Configdump

                                ECA-8528 - Configdump documentation

                                ECA-8529 - AzureCryptoToken: Fix missing html ID and log if password is empty

                                ECA-8537 - Test of Configdump import of Internal Key Bindings

                                ECA-8543 - Exclude configdump import from ziprelease

                                Bug Fixes

                                ECA-7320 - CN from CSR not loaded correctly when "Changing a CSR"

                                ECA-7486 - EEP default Token type selection doesn't work on RaWeb enrollmakenewrequest page

                                ECA-7739 - Using a certificate profile template does not select the correct fields

                                ECA-7849 - Regression: foot_banner not used

                                ECA-7947 - Unused access rules are saved in basic mode

                                ECA-8033 - For configdump, allow it to skip past CAs waiting for a response and complete.

                                ECA-8099 - CA created with "Signed By External CA" has Serial Number Octet Size -1

                                ECA-8232 - IPv6 RFC compliant HREF links in EJBCA

                                ECA-8307 - CryptoTokenData: P11CryptoToken row entry touched/updated without need

                                ECA-8319 - "clientToolBox PKCS11HSMKeyTool linkcert" command should work according to ICAO 9303

                                ECA-8320 - SCP Publisher uses managing admin to sign payload

                                ECA-8322 - CertificateCrlReader does not handle revocation publications correctly

                                ECA-8323 - Fix findbugs warnings

                                ECA-8325 - CMP Configuration UI issues

                                ECA-8326 - CryptoToken.getPublicKey return javadoc differs from implementation

                                ECA-8344 - Jenkins job EE_COS7_OpenJDK8_WF10_NOHSM_DB2 cannot find DB2 Express-C docker image

                                ECA-8345 - Jenkins failing test 'org.ejbca.core.model.services.worker.CertificateCrlReaderSystemTest.testReadCertificateFromDisk'

                                ECA-8354 - First column not displayed when running the script language-tool.sh -s

                                ECA-8360 - Generated CRL Distribution Point and Issuer do not show correct DN

                                ECA-8375 - Regression: Failing Selenium test EcaQa206_CRLPartitionsIncorrectSettings

                                ECA-8383 - Reference lib.jpa.classpath not found when building cmpProxy for Tomcat.

                                ECA-8391 - New EST alias fields missing from ConfigDump export

                                ECA-8407 - User is asked to confirm slot re-use when editing an existing PKCS#11 crypto token

                                ECA-8410 - Set EJBCA_HOME in ejbca.sh if not set already

                                ECA-8411 - CRL is stored in publisher queue even if direct publishing is successful

                                ECA-8412 - PublishQueueProcessWorker always reports a NO_ACTION ServiceExecutionResult

                                ECA-8419 - Jenkins failing test 'org.ejbca.core.ejb.ProfilingTest.retrieveStats'

                                ECA-8420 - Jenkins failing test 'org.ejbca.core.ejb.upgrade.UpgradeSessionBeanTest.testUpgradeOcspExtensions6120'

                                ECA-8423 - Update Muehlbauer WS for removed Hardtoken

                                ECA-8426 - Trim CT log URLs

                                ECA-8428 - EST Name Generation USERNAME option gives error message when client username not set

                                ECA-8433 - Add placeholder to ejbca resourses CMP error message

                                ECA-8434 - OCSP Extensions are temporarily saved, even when the Save button is not clicked

                                ECA-8435 - Some CA lists in RA Web is sorted case sensitive

                                ECA-8436 - Caching issue with PSD2 fields in RA-web

                                ECA-8457 - Database protection broken on existing installations

                                ECA-8464 - EST configuration in Admin UI is not cleared when navigating away from the page

                                ECA-8465 - MSSQL Jenkins job (DB collation has to support case sensitivity)

                                ECA-8470 - Regression: GUI doesn't render "</br>" correctly for view certificate screen

                                ECA-8479 - Crypto token manage page checks for wrong permission

                                ECA-8484 - RA enrollment returns older certificate when validation fails

                                ECA-8485 - Legacy External RA not working with Wildfly 14 because of problem with the hibernate provider.

                                ECA-8486 - NPE when you click on 'Export selected' without selecting anything on Manage End Entity Profile page

                                ECA-8488 - L10n: Typo in English language

                                ECA-8492 - Importing Microsoft CA fails using ejbca.sh

                                ECA-8504 - Inconsistency when creating roles in CA web and RA web

                                ECA-8506 - Add missing textfield id for textfieldsharedcmprasecret

                                ECA-8509 - Regression: EJBCA Ignores CryptoToken Selection While Creating CA When Using the Default Key Option for the CertSignKey

                                ECA-8514 - RA Web incorrectly claims that role has members

                                ECA-8515 - Peer connector missing permissions when Approval management is set

                                ECA-8532 - Allow subject DN override and allow extension override is not honoured in the REST API

                                ECA-8538 - Regression: exception clicking on "Clear caches" button

                                ECA-8540 - Configdump error when exporting new unmodified ACME alias

                                ECA-8541 - Missing setters and unhandled nulls cause errors in Configdump

                                ECA-8542 - Fix configdump warning when importing certain End Entity Profiles


                                Released on 22 August 2019

                                Bug Fixes

                                ECA-8457 - Database protection broken on existing installations

                                ECA-8428 - EST Name Generation USERNAME option gives error message when client username not set

                                EJBCA 7.2.1

                                Released on 30 July 2019

                                New Features

                                ECA-8255 - AWS S3 Publisher for publishing certs and CRLs to an S3 bucket

                                ECA-8355 - EST Name Generation Enhancements

                                ECA-8232 - IPv6 RFC compliant HREF links in EJBCA


                                ECA-8356 - Exceptions caught by the EST servlet are not logged properly

                                ECA-8266 - Possibility to issue a final OCSP responses with unlimited end date 99991231235959Z

                                Bug Fixes

                                ECA-8099 - CA created with "Signed By External CA" has Serial Number Octet Size -1

                                ECA-8265 - Security Issue

                                ECA-8320 - SCP Publisher uses managing admin to sign payload

                                ECA-8322 - CertificateCrlReader does not handle revocation publications correctly

                                ECA-8365 - Error message and stack trace is lost when there are repeated CT log errors

                                ECA-8364 - Regression: CT log "Acquire semaphore was interrupted"

                                ECA-8363 - IPv6 Bug: SAN IPv6 field ignored on issuance

                                ECA-8351 - Regression: possible to delete EE profile with entities registered. EE becomes uneditable after deleting its EE profile

                                ECA-8312 - EJBCA installation fails on Windows SQL Server

                                EJBCA 7.2.0

                                Released on 20th of June 2019

                                New Features

                                ECA-7943 - Add selenium test for creating a CA with partitioned CRLs

                                ECA-8092 - Remove Hard Tokens - a followup ticket

                                ECA-8113 - Add REST endpoint for cryptotoken management

                                ECA-8114 - Write systemtests for crypto token REST resource

                                ECA-8115 - Update static swagger file for documentation

                                ECA-8116 - Create REST endpoint for cryptotoken activation

                                ECA-8117 - Create REST endpoint for cryptotoken deactivation

                                ECA-8118 - Create REST endpoint for cryptotoken key creation

                                ECA-8127 - Create REST endpoint for CA Activation

                                ECA-8151 - Update CLI to allow viewing/generating partitioned CRLs

                                ECA-8249 - Import CVC CA CLI command should be able to import DVCA


                                ECA-8125 - As a tester, I would like to call Rest endpoints for both testing and utilities that will work internally and externally of a docker image.

                                ECA-8137 - POC: Remote access for REST using GIT

                                ECA-8141 - Testing: Integration / Verification Testing

                                ECA-8176 - Exploratory testing using Swagger-UI

                                ECA-8182 - Document new REST resources

                                ECA-8194 - Add example script for ejbca-rest-api/v1/certificate/pkcs10enroll to the REST documentation

                                ECA-8209 - -Ddoc.update=true does not work anymore


                                ECA-7059 - Remove properties files for CRLstore and CertStore

                                ECA-7272 - Security verification

                                ECA-7418 - Java 11: Xerces throws ClassNotFoundException: org.w3c.dom.ls.DocumentLS

                                ECA-8053 - Return correct version from REST status endpoint

                                ECA-8129 - Enable CT fastfail caching / backoff by default

                                ECA-8130 - Set up CT log test server and document it

                                ECA-8131 - Create DB update scripts and ORM files for new SCT table

                                ECA-8132 - Entity Bean for SCT disk cache

                                ECA-8134 - Saving SCT data to persistent table

                                ECA-8135 - Save and Read SCTs from persistent SCT table

                                ECA-8136 - Upgrade notes for persistent SCTs

                                ECA-8138 - Unit test of OcspCtSctListExtension

                                ECA-8149 - Code cleanup April 2019

                                ECA-8152 - Prevent broken certificate chain from being imported in the CLI using the 'ca importca' command

                                ECA-8156 - Generate URLs for URL rewrite with Client Toolbox

                                ECA-8158 - Documentation: Update CertSafePublisher description

                                ECA-8159 - Improve HealthCheck to also perform test signatures on the audit log

                                ECA-8165 - Create REST endpoint for CA Deactivation

                                ECA-8167 - Possibility to issue a final CRL with unlimited end date 99991231235959Z

                                ECA-8170 - Improve reliability of service workers in a cluster

                                ECA-8173 - Service workers always log success if the service ran, no matter the result

                                ECA-8181 - Warn when slot does not contain a key with the alias 'testKey' and relax the naming convention for these keys

                                ECA-8192 - Move REST resources into separate modules

                                ECA-8203 - CA token sign test should not sign with the same key twice

                                ECA-8206 - Use SHA256 with creating signed PKCS7 messages from X509 CAs

                                ECA-8208 - Refactor SCT caching to cache partial results also

                                ECA-8211 - Create a return type for publishers in order to track numbers of successes and failures

                                ECA-8229 - Debug log all steps in StartupSingletonBean

                                ECA-8230 - Base archiveCutoff on actual producedAt time instead of currentTimeMillis

                                ECA-8231 - Use the default CA of the SCEP alias, if no CA is specified in the message

                                ECA-8239 - Remove jsessionid from URLs on first session visit

                                ECA-8250 - Protocol Configuration for new REST resources

                                ECA-8264 - Update version in CT user agent to 1.1

                                ECA-8280 - Seconds in certificate's "valid from" and "valid to" fields (EJBCA API)

                                Bug Fixes

                                ECA-7739 - Using a certificate profile template does not select the correct fields

                                ECA-7828 - Drop down menu for 'Select Worker' under 'Services' is not responsive

                                ECA-7841 - Regression: Missing JAXB in JDK11 and lack of bundled API JAR causes complication error for Acme classes

                                ECA-8025 - Regression: Wrong CA-certificate is downloaded in the CA web

                                ECA-8079 - Edit CA page problems when creating CA from statedump

                                ECA-8099 - CA created with "Signed By External CA" has Serial Number Octet Size -1

                                ECA-8144 - Unable to change publisher type during edit

                                ECA-8147 - Regression: Cannot enter LDAP protocol CDP URL

                                ECA-8148 - Unable to edit and save access rules in basic mode

                                ECA-8153 - CertSafe Publisher throws NPE

                                ECA-8155 - Return not found on unhandled EST operations

                                ECA-8160 - ejbca.sh does not detect current working directory correctly

                                ECA-8161 - Ticket #215 VIECA?

                                ECA-8168 - NPE in RA web when rendering view enrollwithusername.xhtml

                                ECA-8191 - Change the ocsp.nonexistingisbad.uri pattern

                                ECA-8215 - Converter missing in selectManyListbox

                                ECA-8216 - Installation: Ejbca.ear does not deploy on Wildfly 10

                                ECA-8234 - OCSP requests with missing issuerKeyHash causes exception

                                ECA-8240 - Typos in create database postgresql script

                                ECA-8243 - Regression: NPE when a service is not scheduled to run

                                ECA-8253 - Integer converter missing in selectManyListbox on LDAP Publisher page

                                ECA-8254 - Check and possibly fix public key AlgorithmIdentifier parameters when issuing certificates

                                ECA-8308 - OcspKeyBinding CSR is not compatible with Microsoft CA


                                13 Jun 2019

                                Bug Fixes

                                ECA-7828 - Drop down menu for 'Select Worker' under 'Services' is not responsive

                                ECA-8144 - Unable to change publisher type during edit

                                ECA-8147 - Regression: Cannot enter LDAP protocol CDP URL

                                ECA-8148 - Unable to edit and save access rules in basic mode

                                ECA-8153 - CertSafe Publisher throws NPE

                                ECA-8215 - Converter missing in selectManyListbox

                                EJBCA 7.1.0

                                Released on the 29th of April 2019

                                New Features

                                ECA-961 - Partitioning of large CRLs by number of issued certificates

                                ECA-7384 - Protocol (WS/CMP/REST/CLI) support for issuing with multi-value RDNs

                                ECA-7474 - GUI support to enable/disable multi-value RDNs in End Entity Profiles

                                ECA-7785 - New validator phase that will run before using the CA private key to sign the tbsCertificate

                                ECA-7815 - Selenium tests for Domain Blacklist Validator

                                ECA-7906 - Remove CA related UI parts from RA/UI builds.

                                ECA-7907 - Rendering conditions for "Certificate Authority" page on different builds

                                ECA-7909 - Hide unusable commands from EJBCA CLI (ejbca.sh)

                                ECA-7910 - Create separate module for X509CA

                                ECA-7911 - Split X509 CA into common and build specific parts

                                ECA-7912 - Create new ant target for RA/VA ziprelease

                                ECA-7921 - Configdump support for Domain Blacklist Validator

                                ECA-7934 - Add CRL partition index column in certificate tables

                                ECA-7935 - Add crlPartitionIndex column in CRLData

                                ECA-7936 - Add partition configuration in X509CAInfo

                                ECA-7937 - User interface for configuration of CA CRL partitioning

                                ECA-7938 - Add documentation for partitioned CRL configuration

                                ECA-7939 - Update X509CA.generateCRL function to handle partitioned CRLs

                                ECA-7940 - Assign certificates to CRL partitions upon issuance or import

                                ECA-7941 - Show available CRL URLs if partitioning is used, in Edit CA page

                                ECA-7942 - Method generating partitioned CRL CDP URLs

                                ECA-7945 - Perform regression testing for certificate issuance with and without CRL partitioning

                                ECA-7946 - Add extensive system test of CRL partitioning

                                ECA-7953 - Allow for the export of single CP/EEPs

                                ECA-7962 - Make "ca republish" CLI command work with partitioned CRL

                                ECA-7963 - Update CRL Download Service to handle Partitioned CRLs

                                ECA-7964 - Create a separate module for CVC CA

                                ECA-7966 - RA-API, WS and REST support for Partitioned CRLs

                                ECA-8030 - Add YubiHSM2 P11 library to known P11 libraries

                                ECA-8048 - Add support for Partitioned CRLs in CertDistServlet, GetCRLServlet and CRLStoreServlet

                                ECA-8052 - Partitioned CRLs should not be allowed without "Issuing Distribution Point" CRL extension


                                ECA-7385 - Document multi value RDN behavior for 'Subset of Subject DN' (not working with multi-value)

                                ECA-7389 - Document Administrator matching of multi-valued RDNs

                                ECA-7435 - Java 11: ClassNotFoundException: org.apache.geronimo.osgi.locator.ProviderLocator from WS Tests

                                ECA-7766 - Create a Jenkins job for testing Oracle DB

                                ECA-7825 - Java 11: ejbca-db-cli uses endorsed.dirs which is not supported in java 11

                                ECA-7857 - Create a Jenkins job for testing openJdk11

                                ECA-7892 - Make validationtool tests runnable

                                ECA-7904 - Investigate what to remove from Admin Web in RA/VA builds

                                ECA-7913 - Document changes RA / VA / CA builds.

                                ECA-7944 - Exploratory testing

                                ECA-7956 - Refactoring ExternalProcessTools.writeTemporaryFileToDisk for readability

                                ECA-7970 - Update changelog summary

                                ECA-7987 - Clarify documentation of fixed octet random serial number generator

                                ECA-7990 - Remove usage of SecureRandom from test cases to avoid copy-paste

                                ECA-8026 - Create Jenkins jobs for limited RA / VA builds

                                ECA-8027 - Fix remaining failures for Selenium tests in Jenkins

                                ECA-8034 - Upgrade testing of Partitioned CRL

                                ECA-8045 - Exemplify of the Required flag for custom certificate extensions

                                ECA-8050 - Add to CRL documentation - expired certs not included in new CRL

                                ECA-8058 - Fix EcaQa198 selenium test fail in Jenkins.


                                ECA-7272 - Security verification

                                ECA-7391 - Only show CA-related approvals in CA Web (and vice versa)

                                ECA-7418 - Java 11: Xerces throws ClassNotFoundException: org.w3c.dom.ls.DocumentLS

                                ECA-7521 - User must fix malformed file when making cert request.

                                ECA-7554 - POC of Jenkins warnings job to analyze the code style/quality/shape

                                ECA-7593 - Add ClientToolBoxTest in new Jenkins

                                ECA-7596 - Unification and consolidation of dockers' shell scripts

                                ECA-7622 - Ability to edit token type in the RA Web

                                ECA-7722 - Minor usability improvements on Edit CA page

                                ECA-7797 - Upgrade JAX-RS 2.0 related libraries, correct swagger ACME generation and rely more on app server's JAX-RS implementation

                                ECA-7798 - Unit tests for the Configuration Checker

                                ECA-7853 - Change default digest alg of CMP request and response messages to SHA256

                                ECA-7884 - System test for copying DNSName from CN over WS

                                ECA-7902 - Add ExtentReport Plugin

                                ECA-7954 - Replace "Export profiles..."-links from profiles pages with buttons.

                                ECA-7957 - Improve error message when pinging an unknown peer system

                                ECA-7965 - Document CertTools.verify behavior for bad params with JUnit test

                                ECA-7975 - Avoid using two executors for Jenkins jobs

                                ECA-7986 - Better validation message when CAA validator is running on a certificate without dNSNames

                                ECA-7997 - Translate the RA web to Swedish

                                ECA-8000 - External Command Validator output not forwarded to EJBCAWS

                                ECA-8011 - Make crlPartitionIndex nullable instead of DEFAULT 0

                                ECA-8013 - Upgrade BC to 1.61

                                ECA-8016 - Database publishing of partitioned CRLs

                                ECA-8029 - Remove Hard Tokens, Hard Token Profiles and Hard Token Issuers from EJBCA

                                ECA-8097 - Selenium test for CA with incorrect Partitioned CRL settings

                                ECA-8101 - Upgrade notes for partitioned CRLs

                                ECA-8103 - CRL Update Worker should handle partitioned CRLs

                                ECA-8107 - Change terminology for "retired CRL partitions"

                                ECA-8109 - CRL partition fields in new CA page appear after changing Crypto Token

                                ECA-8110 - Document that CRL partition 0 gets URL without partition number

                                Bug Fixes

                                ECA-7626 - Fix out of memory issues on new Jenkins

                                ECA-7731 - Subject AltName does not appear in the RA Web when Subject DN is not used

                                ECA-7733 - Security Fix

                                ECA-7753 - Selenium Docker Jenkins followup ticket - NoInitialContextException: Need to specify class name in environment or system property

                                ECA-7841 - Regression: Missing JAXB in JDK11 and lack of bundled API JAR causes complication error for Acme classes

                                ECA-7868 - Regression: CA names in Edit End Entity Profile page should be sorted

                                ECA-7915 - Unexpected error while using Create Authenticated Certificate Signing Request in CA page

                                ECA-7929 - Fingerprints downloaded from the RA Web are scrambled

                                ECA-7952 - Some rules not applied when creating a role from the RA Web

                                ECA-7958 - New fields in X509CAInfo should be added to configdump

                                ECA-7973 - Clicking Test Command twice in External Command Certificate Validator gives exception

                                ECA-7974 - Community Edition build broken in trunk

                                ECA-7977 - CRL Downloader can't handle entries with extensions, but no reason code

                                ECA-7984 - Jenkins not cleaning up temporary fles

                                ECA-7985 - Unit tests do not respect tests.jvmargs

                                ECA-7989 - Possible race condition in SerialNumberGenerator with different CAs use different octet sizes

                                ECA-7991 - Make ApprovalSessionTest reliable

                                ECA-8002 - CRL Partition: CA does not retain CRL Partition settings

                                ECA-8004 - List of validators in certificate profiles is not sorted

                                ECA-8005 - NPE when trying to change ca token of a non existing CA

                                ECA-8010 - JBoss CLI on Jenkins uses too much memory on Jenkins

                                ECA-8012 - Regression: Delegated key pair generation doesn't work with RA-Gui enrollment

                                ECA-8014 - Trivial typo in revoke end entity reason codes

                                ECA-8015 - Exception in Admin UI trying to view a crypto token configured with a non-existing P11 library file

                                ECA-8018 - For Signed CMP messages, signed error message may not be signed with the expected signature for some errors

                                ECA-8023 - Update the default key aliases when importing keystores

                                ECA-8040 - Regression: End Entity Profiles ZIP file with directory cannot be imported

                                ECA-8042 - Cannot create CA with 'Use CRL partitions' option checked

                                ECA-8046 - Jenkins jobs use the same name for docker resources

                                ECA-8047 - Regression: Some End Entity Profiles ZIP files cannot be imported

                                ECA-8054 - Some classes still try to instantiate EjbcaWebBean

                                ECA-8055 - Log errors at initialization failure of EjbcaWebBeanImpl

                                ECA-8061 - Creating a CA using CRL Partition gives EntityExistsException

                                ECA-8062 - EST reenrollment fails if the DN includes more components than CN

                                ECA-8063 - ExtRAMessagesTest does not compile

                                ECA-8072 - CaRenewCACommandTest stops working after 2019-04-15

                                ECA-8075 - The "Generate" buttons do not include the "&partition=*" if using Partitioned CRLs in a new CA

                                ECA-8083 - Certification Authorities: Creating new CA with CRL Partitions fails

                                ECA-8085 - Fix potential race condition in REST initialization found by PMD

                                ECA-8087 - Unable to create CA with CRL Partitions

                                ECA-8090 - Certificate created with "use partitions" CA has 0 as crlPartitionindex

                                ECA-8095- Null pointer exception when a certificate profile uses CA defined AIA values, but the CA has defined none

                                ECA-8105- Regression: Cannot edit approval requests in RA-web

                                ECA-8111- SoftHSM directory has wrong owner on Jenkins


                                28 May 2019

                                Bug Fixes

                                ECA-8215 - Converter missing in selectManyListbox


                                02 May 2019

                                Bug Fixes

                                ECA-7828] - Drop down menu for 'Select Worker' under 'Services' is not responsive

                                ECA-8144 - Unable to change publisher type during edit

                                ECA-8148 - Unable to edit and save access rules in basic mode

                                ECA-8161 - [Ticket #215] VIECA?


                                ECA-8174 - Regression Test: Verify patch release for the Appliance Release


                                ECA-8159 - Improve HealthCheck to also perform test signatures on the audit log

                                ECA-8170 - Improve reliability of service workers in a cluster


                                21 Mar 2019

                                Bug Fixes

                                ECA-8012 - Regression: Delegated key pair generation doesn't work with RA-Gui enrollment


                                18 Mar 2019

                                Bug Fixes

                                ECA-7989 - Possible race condition in SerialNumberGenerator with different CAs use different octet sizes


                                13 Mar 2019

                                Bug Fixes

                                ECA-7916 - CA with fixed validity end date cannot be created in EJBCA 7

                                ECA-7918 - Domain Blacklist Validator rebuilds internal cache on each request

                                ECA-7919 - Minor security issue

                                ECA-7920 - Regression: ConfigDump error in validators

                                ECA-7977 - CRL Downloader can't handle entries with extensions, but no reason code

                                New Features

                                ECA-7930 - Test button for Domain Blacklist Validator

                                EJBCA 7.0.1

                                Released on 4 March 2019

                                New Features

                                ECA-4991 - Allow configuration of serial number octet size per CA

                                ECA-5865 - Add a summary of visible prior approval steps before final approval

                                ECA-6052 - Add Domain Blacklist validator

                                ECA-7206 - End Entity Profile setting to allow dnsName SAN field to be automatically populated by the CN in a CSR

                                ECA-7340 - PSD2 GUI support when adding end entity

                                ECA-7770 - Database protection for CSR in CertificateData

                                ECA-7779 - Implement test function in SCP Publisher

                                ECA-7780 - Implement EJBCA Issue Checker Framework

                                ECA-7808 - Add Domain Blacklist Validator class with basic structure

                                ECA-7809 - Persistance of Domain Blacklists

                                ECA-7810 - Show warning at validation failure in Approval process

                                ECA-7860 - New Approval issuance phase for Validators

                                ECA-7861 - Implement DomainBlacklistAsciiLookalikeNormalizer

                                ECA-7863 - Implement Domain Blacklist Checker classes


                                ECA-5438 - English translations for ErrorCodes in the RA

                                ECA-5667 - Add a file link metadata type to Approvals

                                ECA-6075 - RA Web: Improve validator error messages

                                ECA-7526 - Add a description field to Certificate and End Entity Profiles

                                ECA-7607 - Optimize ejbca-db-cli speed when verifying audit log

                                ECA-7693 - CSR download and clear buttons in Ra Web

                                ECA-7709 - Update tag library schemas for JEE7

                                ECA-7756 - Improve error message when CA signingkey was changed without renewing CA certificate

                                ECA-7782 - Add documentation for the EJBCA Issue Checker

                                ECA-7783 - Attach access control logic to tickets

                                ECA-7791 - Update to JEE7 API library

                                ECA-7793 - Log4j priority is deprecated

                                ECA-7803 - Label the EJBCA Issue Checker as experimental

                                ECA-7812 - Unit tests for matching against Blacklists

                                ECA-7817 - Add autocomplete=off to all h:inputSecret fields

                                ECA-7826 - Wrap tickets descriptions in a class

                                ECA-7837 - Make Dynamic UI Property handle empty lists

                                ECA-7838 - Include two choosable head banners for test and acc systems

                                ECA-7840 - Implement Integer multiple-choice for DynamicUiProperty

                                ECA-7842 - System test for "Approval" validation phase

                                ECA-7843 - EJBCA startup does full table analysis on Oracle causing timeout issue during startup

                                ECA-7852 - Change the menu option "View Log" into "Audit Log"

                                ECA-7854 - Rename "Constraints" label in CT logs to "Log Sharding"

                                ECA-7862 - Investigate and fix shouldConvertToCorrectEndEntityInformation test failure.

                                ECA-7870 - Introduce a ValidatorsHelper for UI tests

                                ECA-7871 - Add more path examples for windows paths in properties files

                                ECA-7872 - Update the documentation tags and improve labels for roles pages

                                ECA-7882 - Sort Admin UI lists ignoring case

                                ECA-7883 - Rename "Issue Checker" to "Configuration Checker"

                                ECA-7887 - Improve Domain Blacklist checkers

                                ECA-7889 - Syntax check of domains in domain blacklists

                                ECA-7897 - Disallow "Abort certificate issuance" option for Approval Request issuance phase

                                ECA-7898 - Disallow Approval Request issuance phase for CAA Validators

                                ECA-7900 - Show matching blacklist entry when a domain is blacklisted

                                Bug Fixes

                                ECA-5326 - SCEP RA mode should not require batch generation checkbox in EE profile

                                ECA-7608 - CSR stored in End Entity is never cleared but re-used

                                ECA-7664 - Regression: Cannot enable CMS for existing CA

                                ECA-7717 - Trying to save P11 crypto token with incorrect PIN makes EJBCA think token already exists

                                ECA-7758 - Fix WebTest failures

                                ECA-7759 - Regression: Widgets gone missing in JSF conversion - End Entity Profiles -> notifications

                                ECA-7772 - Avoid foreign key constraints creation for obsolete AccessRulesData and AdminEntityData

                                ECA-7773 - Hide harmless alter table error from DB CLI import command

                                ECA-7775 - ziprelease-cesecore-src and ziprelease-cesecore-bin build targets broken

                                ECA-7776 - ConfigDump: Publish Queue Process Service configs are being exported as "Renew CA Service" Workers

                                ECA-7777 - Can't view end entity with deleted profile in RA

                                ECA-7786 - Regression: not possible to export CA keystore

                                ECA-7787 - Regression: Edit CA page does not show key aliases from Statedumps correctly

                                ECA-7794 - SCP Publisher does not store/load the password properly

                                ECA-7796 - Fix FindBugs warnings

                                ECA-7804 - Update MySQLDialect since it uses MyISAM instead of InnoDB with upgraded Hibernate libs

                                ECA-7805 - Fix failures in ConfigdumpCoreUnitTest and YamlWriterUnitTest

                                ECA-7806 - NPEs during scanning

                                ECA-7807 - NumberFormatException during scan

                                ECA-7821 - Regression: CA key types not updated when creating CA and selecting signature algorithm

                                ECA-7850 - Fix checks for numeric IDs

                                ECA-7855 - SHA384 missing from algorithms selection when returning signed CMP messages

                                ECA-7858 - Not all certificate profiles shown in Issue Checker for limited admins

                                ECA-7859 - Regression: addendentity CLI command can not be used for auto-generated passwords

                                ECA-7873 - Regression: CA cert list in CA Structure & CRLs changes order causing CRL generation to fail

                                ECA-7874 - InstantiationException when trying to view JSP pages

                                ECA-7876 - Cannot create CVC CA on JBoss EAP 7.1

                                ECA-7877 - View Certificate in Edit CA screen not available for CV Certificates

                                ECA-7879 - Regression: list of CAs is sorted case sensitive

                                ECA-7885 - Upload controls on Edit Validator page does not work

                                ECA-7888 - DynamicUiProperty of label type cause NPE on post back to server

                                ECA-7890 - Missleading error message in adminweb when Domain Blacklist Validation fails

                                ECA-7896 - EditCAsMBean.initApprovalRequestItems() doesn't init any request item types

                                ECA-7899 - Increase POST Size for New Blacklist Validator

                                ECA-7901 - Blacklist validator classes are no longer found ini GUI


                                ECA-7764 - Add a Magnum-CI job that tests trunk on an HSM enabled installation.

                                ECA-7813 - Check upload file size limit on Appliance

                                ECA-7816 - Place holder issue for GUI testing of Domain Blacklist Validator

                                ECA-7820 - Remove installation documentation for WildFly 8,9 and Glassfish

                                ECA-7864 - DOCUMENTATION: please add FIPS same key restriction

                                ECA-7880 - Document the Domain Blacklist Validator

                                EJBCA 7.0.0

                                Released on February 7th 2019

                                New Features

                                ECA-3076 - Detect and audit log when an administrator logs out of the CA Web UI

                                ECA-6777 - Create new DB column for storing CSR in CertificateData

                                ECA-7225 - Note in approvals that values have been changed from the default

                                ECA-7256 - Allow the creation of unenrolled EEs from the RA Web

                                ECA-7339 - PSD2 ASN.1 module and API code

                                ECA-7383 - Core API support for multi-value RDN and End Entity Profile validation of multi-value RDNs

                                ECA-7401 - Implement ConfigDump export for MultiGroupPublisher

                                ECA-7413 - Add SHA348withRSAandMGF1 and SHA512withRSAandMGF1 to the list of selectable signature algorithms

                                ECA-7414 - Make EJBCA build with Java 11

                                ECA-7419 - Can't paste ACME root anchor with tabs

                                ECA-7440 - Configdump exports parts of ACME configuration even if excluded

                                ECA-7444 - User Data Source access control does not let superadmins select "Any CA"

                                ECA-7470 - Possibility to add array values in edit CA CLI

                                ECA-7539 - Add subcommand to clientToolBox to interact with database over pure JDBC

                                ECA-7556 - ClientToolBox command for running a health check

                                ECA-7562 - Add WS CLI method to get remaining number of approvals

                                ECA-7586 - Implement a session timeout from the CA Web UI


                                ECA-3724 - Convert Certificate Profiles pages to JSF

                                ECA-4348 - Remove remaining NetID integration code

                                ECA-4377 - CertTools.isCertificateValid logging refers to OCSP.

                                ECA-4630 - Convert Edit End Entity Profile page to JSF

                                ECA-5804 - Make ApprovalSessionTest less timing sensetive

                                ECA-5851 - Convert Certificate Authority pages to JSF

                                ECA-5932 - Upgrade bundled Hibernate jars

                                ECA-6210 - Stop using Ejb3Configuration in DatabaseSchemaScriptCommand

                                ECA-6801 - Convert EJBCA Home page to JSF

                                ECA-6802 - Convert CA Activation Page to JSF

                                ECA-6803 - Convert CA Structure & CRLs page to JSF

                                ECA-6804 - Convert Edit Crypto Tokens page to XHTML

                                ECA-6805 - Convert Manage Crypto Tokens page to XHTML

                                ECA-6806 - Convert Manage Publishers page to JSF

                                ECA-6807 - Convert Edit Publishers page to JSF

                                ECA-6808 - Convert Manage End Entity Profiles page to JSF

                                ECA-6810 - Convert Manage User Data Sources page to JSF

                                ECA-6811 - Convert Edit User Data Source page to JSF

                                ECA-6812 - Convert Manage Hard Token Issuers page to JSF

                                ECA-6813 - Convert Edit Hard Token Issuers page to JSF

                                ECA-6816 - Convert Manage Approval Profiles page to XHTML

                                ECA-6817 - Convert Edit Approval Profile page to XHTML

                                ECA-6818 - Convert Audit Log page to XHTML

                                ECA-6819 - Convert Manage Keybindings page to XHTML

                                ECA-6820 - Convert Edit Keybindings page to XHTML

                                ECA-6821 - Convert Manage Peer Connectors page to XHTML

                                ECA-6822 - Convert Edit Peer Connectors page to XHTML

                                ECA-6824 - Convert Manage Services page to XHTML

                                ECA-6825 - Convert Edit Services page to XHTML

                                ECA-6826 - Convert Manage CMP Aliases page to JSF

                                ECA-6827 - Convert Edit CMP Alias page to JSF

                                ECA-6828 - Convert Manage EST Aliases page to JSF

                                ECA-6829 - Convert Edit EST Alias page to JSF

                                ECA-6830 - Convert Manage SCEP aliases page to XHTML

                                ECA-6831 - Convert Manage SCEP alias page to XHTML

                                ECA-6832 - Convert System Configuration page to XHTML

                                ECA-6833 - Convert Preferences page to JSF

                                ECA-7263 - Remove "Administration" title from CA UI

                                ECA-7276 - Database CLI import from XML format

                                ECA-7284 - Fix broken web tests for JSF conversion

                                ECA-7289 - Improvements to Certificate Transparency section in certificate profiles

                                ECA-7292 - Add proper error handling for JSF

                                ECA-7298 - EJBCA CLI's "Merge CA Tokens" leaves unused crypto tokens behind

                                ECA-7312 - Increase initial size of ProtectionStringBuilder for Certificate Profiles to avoid unessecary warnings in debug log

                                ECA-7313 - Change mime type for CRLs from application/x-x509-crl to application/pkix-crl as defined in RFC5280

                                ECA-7314 - Implement "Custom Certificate Extension Data" field for RA enrollment

                                ECA-7315 - findCertificatesByExpireTime API calls, CLI and RA UI, should not return already expired certificates

                                ECA-7317 - SCEP error messages when CA can not be found are not complete

                                ECA-7325 - Extend tests for Custom Certificate Extensions

                                ECA-7327 - Convert viewcainfo.jsp and viewcertificate.jsp popUps to jsf

                                ECA-7334 - Review End Entity Profiles UI Tests

                                ECA-7343 - Refactor org.ejbca.webtest.helper.CaHelper

                                ECA-7344 - Refactor org.ejbca.webtest.helper.AdminRolesHelper

                                ECA-7348 - Introduce a CaStructureHelper for UI tests

                                ECA-7355 - Review Convert CA Structure & CRLs UI tests

                                ECA-7356 - Introduce an ApprovalProfilesHelper for UI tests

                                ECA-7357 - Review Approval Profiles UI tests

                                ECA-7362 - Review Administrator Roles UI Tests

                                ECA-7365 - Add a Jenkins job for EJBCA UI Tests

                                ECA-7367 - Acme must be in status unavailable under System Configuration (community edition)

                                ECA-7371 - Usage of sun.security.pkcs11 is not allowed when compiling in Java 11

                                ECA-7375 - Crypto Tokens page messages are displayed twice.

                                ECA-7380 - Missing space between 'Title' and '?' in Manage Crypto Tokens page

                                ECA-7421 - configdump module's unit tests are not collected by Jenkins unit tests job 'EJBCA_TRUNK_UNIT_PUPPET'

                                ECA-7423 - Failing tests of org.ejbca.configdump.core.ConfigdumpCoreUnitTest

                                ECA-7437 - Clean up unused imports, parameterize, remove unused variables ect.

                                ECA-7456 - VendorAuthenticationTest.test01_3GPPMode depends on server time zone

                                ECA-7471 - Allow system tests to run with EJBCA not on localhost

                                ECA-7491 - Use relative URLs in AdminGUI

                                ECA-7492 - Fun refactoring task - WebLanguages class uses property arrays, but should be remade in more OOP way

                                ECA-7508 - EJBCA-CLI: Do not add duplicate role members

                                ECA-7514 - Fix failing tests in EjbcaRestHelperUnitTest

                                ECA-7518 - Allow tests to run with TLS certificates not issued by ManagementCA

                                ECA-7522 - Add proper configuration to jenkins-files/*/conf/

                                ECA-7527 - Investigate and fix ACME failing tests in trunk

                                ECA-7530 - Convert ACME Configuration page to xhtml

                                ECA-7531 - Convert ACME Alias Configuration page to xhtml

                                ECA-7532 - Add Deviation List Signer Extended Key Usage

                                ECA-7537 - Simplify and improve configuration of CMP tests

                                ECA-7541 - Change CT log policy labels to not use mathematical symbols

                                ECA-7546 - Make API and log use of requestID and approvalID consistent and easier to understand

                                ECA-7547 - Allow OCSP KeyBinding certificate without Key Usage

                                ECA-7555 - Acme SystemTest(s) failure for 6.15X EJBCA_TRUNK_DB2V105_UBUNTU1204_JBOSSEAP61_PUPPET jenkins job

                                ECA-7557 - Fix failing CMP TCP system tests

                                ECA-7563 - Separate out EjbcaWSTest.test02FindUser into its own test class

                                ECA-7566 - EjbcaWS.findUser() does not work for subjectEmail

                                ECA-7567 - Allow browser binary to be configured for Web Tests

                                ECA-7573 - Improve error handling and remove dead code in AdminWeb

                                ECA-7574 - Convert Approval Actions page to XHTML

                                ECA-7575 - Convert Approval Action page to XHTML

                                ECA-7576 - Clarifications in the Multi Group Publisher documentation

                                ECA-7579 - Editing EE functionality in RA Web is hidden behind the View-button

                                ECA-7594 - fun refactoring task: ViewCertificateManagedBean parseRequest method needs the button control logic refactored out into their own methods

                                ECA-7604 - Get rid of PublisherDataHandler class

                                ECA-7605 - Fix admin-gui build.xml

                                ECA-7609 - Clear hibernate cache in ejbca-db-cli to avoid high memory usage

                                ECA-7612 - VendorAuthenticationTest test case fail in Jenkins

                                ECA-7614 - Implement ECAQA-196 test scenario.

                                ECA-7616 - Code refactoring in MultiGroup Publisher Data class.

                                ECA-7625 - Stop using System.lineSeparator, except for writing to files or pipes

                                ECA-7634 - ACME test improvements

                                ECA-7636 - Update system requirements in documentation

                                ECA-7642 - WebEjbcaClearCacheTest should be skipped if not running on localhost

                                ECA-7643 - EjbcaWSTest should not use hardcoded "superadmin" user

                                ECA-7644 - EJBCA ziprelease should not include scripts from jenkins-files

                                ECA-7645 - CrmfRAPbeRequestTest fails on community edition

                                ECA-7648 - EE_COS7_OpenJDK8_WF10_NOHSM_DB2 job failure

                                ECA-7649 - POC Automate profiles installation for Firefox

                                ECA-7650 - Ability to upload CT log key in raw B64 format

                                ECA-7654 - Update '© 2002–2018 PrimeKey Solutions AB' to 2019

                                ECA-7658 - Use white-list instead of black-list of allowed HTTP methods in web.xml

                                ECA-7679 - PeerConnectionsTest uses TLSv1, but should use TLSv1.2

                                ECA-7680 - PatternLoggers should check if log level is enabled before doing work

                                ECA-7682 - PeerConnectionsTest.testPublishCertificate should inform about prerequisite in failure message

                                ECA-7684 - Typo in error message on 'View Certificate' page

                                ECA-7689 - Update web.xml to Servlet 3.1 use correct JSF 2.2 schema in faces-config.xml

                                ECA-7692 - Add CSRs for unit testing the RSA Key Validator

                                ECA-7694 - Modify application.xml to reflect new JEE7 version

                                ECA-7696 - Add method to get filename from uploaded file

                                ECA-7701 - Upgrade persistence.xml to JEE7

                                ECA-7705 - AutoEnrollment Documentation Improvement

                                ECA-7707 - HttpMethodsTest.testDocs should not fail if internal docs are not used

                                ECA-7738 - JDK11 Compliance: Patch CESeCore with provider fix from DSSINTER-289

                                ECA-7740 - Simplify ant build scripts to cut build time

                                ECA-7755 - The copyright year should be updated to include 2019

                                ECA-7761 - Minor security improvement

                                Bug Fixes

                                ECA-6865 - Failure to publish to a Peer Publisher gives no error message in log in some cases

                                ECA-7013 - RA Style is deselected while modifying access rules

                                ECA-7269 - Regression: JSF errors on JBoss AS 7.1.1

                                ECA-7273 - Certificate profiles appear to be (but aren't) editable for an Auditor

                                ECA-7282 - Poor error message for incorrectly formatted CT public keys: "Extra Data Detected in Stream"

                                ECA-7285 - Add HEAD request for the endpoint revokeCert

                                ECA-7286 - Fix NPE which happens when de-registering account with certbot

                                ECA-7326 - Bound Certificate under Internal Key Binding is displayed wrongly

                                ECA-7329 - NPE when you click on 'Republish' button on View Certificate page under Authentication Key Binding

                                ECA-7332 - OCSP Extensions configurations is applied to the newly created ones

                                ECA-7338 - Regression: clearPwd flag on WS editUser does not work

                                ECA-7342 - Check for legal characters is not working for some pages

                                ECA-7366 - dncomponents.properties.sample order of orgaizationIdentifier differs from default in DnCompoonents.java

                                ECA-7370 - ServiceManifestBuilder does not run with Java 11

                                ECA-7378 - PublicWeb check certificate status inly works with 8 octet cert serialNumber

                                ECA-7379 - Regression: throwing checked Exceptions from postConstruct is not allowed in JEE spec

                                ECA-7404 - CA Activation backlink broken

                                ECA-7433 - Dry-run parameter not respected when importing validators using Statedump

                                ECA-7434 - Add modular protocol configuration to Statedump

                                ECA-7438 - NullPointerException in some Adminweb pages if External Script Access is disabled and you have Custom Publishers

                                ECA-7443 - CAs and Fields in User Data Sources are stored as strings, causing ClassCastException

                                ECA-7445 - Missing exclude option for Validators in Statedump

                                ECA-7460 - NPE when importing a CA where a previous certificate exists without expireDate

                                ECA-7480 - When creating an EndEntity in RA Web and delete_end_entity accessrule is disabled, the process ends incorrectly with success but end entity is not created

                                ECA-7499 - java.lang.IllegalStateException when using browser back/forward button

                                ECA-7500 - Certificate Request Generated despite choosing the wrong format

                                ECA-7511 - EjbcaWSHelperSessionBean.caRenewCertRequest lacks an null check

                                ECA-7516 - Investigate and fix duplicate ID exception in editservice.xhtml

                                ECA-7523 - Test failures in ProtocolOcspHttpTest due do missing cleanup

                                ECA-7524 - Regression: HttpMethodsTest fail because of unexpected HTTP header value

                                ECA-7525 - Domestic / Non-external CVCA/DVCA do not have the expiration field set

                                ECA-7529 - OcspExtensionsTest fails on community edition

                                ECA-7533 - Fix WS documentation for isApproved and getRemainingNumberOfApprovals

                                ECA-7534 - DnFieldDumpHandler missing DnFieldExtractor.URI in Map.

                                ECA-7535 - Regression: Upgrade of customcertextensions.properties fails

                                ECA-7536 - CertificateCrlReaderSystemTest fails on Windows

                                ECA-7540 - Importing a CVCA certificate with error triggers CSRF error

                                ECA-7543 - CertSafePublisherTest fails on Windows due to line endings

                                ECA-7544 - Fix UpgradePublisherTest

                                ECA-7550 - Missing label and fields cleared erroneously in Edit Services page

                                ECA-7552 - StatedumpTest should use systemtests.properties

                                ECA-7558 - Admin Web returns redundant security headers

                                ECA-7568 - OCSP unathorized (6) error adds blank line to OCSP transaction log

                                ECA-7572 - Publisher queue status on home page looks weird since JSF conversion

                                ECA-7583 - Regression: Errors when creating a CA are not handled

                                ECA-7584 - USERAUTH fail when publishing with the SCP Publisher

                                ECA-7587 - Fix NPE when exception lacks an error message

                                ECA-7591 - Configdump CA is missing support for getLatestSubjectDN

                                ECA-7595 - UpgradeSessionBeanTest.testUpgradeOcspExtensions6120 fails intermittently

                                ECA-7599 - AcmeConfigurationAndValidationSystemTest.leaveRevocationReasonUnchanged fails intermittently

                                ECA-7611 - Fix validity field in Edit CA page

                                ECA-7613 - CertificateCrlReaderSystemTest fails intermittently

                                ECA-7615 - Multigroup publisher errors handled incorrectly after conversion

                                ECA-7624 - Fix ConfigdumpValidatorUnitTest and YamlWriterUnitTest

                                ECA-7628 - configdump change causes test build failure in CE

                                ECA-7631 - Typo in Error message

                                ECA-7632 - RA Web enrollment, End entity removed if finishUser is unchecked in the CA

                                ECA-7647 - 'Receive Certificate Response' does not work for Externally signed CA

                                ECA-7662 - SecurityEvents*SessionBeanTest fails on H2 dues to use of ORDER in DELETE

                                ECA-7663 - CertificateRetrievalTest.test09FindWithMissingCertData assumes database.useSeparateCertificateTable=false

                                ECA-7665 - OutgoingPeerConnectionTest fails intermittently

                                ECA-7667 - Invalid single quotes in language file

                                ECA-7669 - The certificate link of an 'EJBCA Node Start' row in the Audit Log does not work

                                ECA-7676 - Nullcheck would have been NPE in BlacklistEntry

                                ECA-7677 - PeerConnectionsTest is missing slf4j runtime dependency

                                ECA-7697 - Regression: Default 'RA-Administrator' and 'Supervisor' roles gets 'Authorization Denied Cause: You are not authorized to view this page.'

                                ECA-7698 - Update example URL for external documentation

                                ECA-7699 - Can't access Admin web index page without /ca_functionality/view_ca access

                                ECA-7712 - Cannot save end entity profile where End Entity E-mail is disabled

                                ECA-7715 - Regression: Peer connectors cached in browser session not updated when cloning

                                ECA-7716 - Replace invalid double quotes in language files

                                ECA-7721 - Regression: CMP RA Name Generation Scheme don't use language strings anymore

                                ECA-7723 - Can't check "Critical" checkboxes on Edit CA page

                                ECA-7726 - Non-informative error message on Edit EST Aliases page

                                ECA-7730 - Clicking Logout in Adminweb gives NumberFormatException

                                ECA-7735 - Cloning a peer connector does not clone the flag for process incoming requests

                                ECA-7737 - Certificate of type "Sub CA" can't be published

                                ECA-7741 - Update tag library schemas for JEE7 in AdminWeb

                                ECA-7742 - CAA Validator fails DNSSEC validation for CH domains

                                ECA-7760 - ScpPublisher: Destination URL for certificates saved as crl.scp.destination and vice versa

                                ECA-7767 - Configdump validator export can fail with NPE

                                ECA-7769 - Fix warnings from DB CLI


                                ECA-6864 - Set up a Jenkins instance to test JDK8/Wildfly10 using Docker

                                ECA-7261 - Map which ECAQA automatic tests which need to be remapped

                                ECA-7275 - Test ACME wildcard cert issuance and pre-authorization with certbot.

                                ECA-7331 - Verify if Swagger UI for works for ACME API. If it does, add documentation to confluence. If not, hide the ACME part from swaggerUI

                                ECA-7545 - New Docker job on Jenkins - EE_COS7_OpenJDK8_WF10_NOHSM_DB2

                                ECA-7551 - Exploratory testing on CMP configuration page

                                ECA-7695 - Update persistence.xml and orm-dbtype.xml to reflect JEE7 version

                                ECA-7763 - Test upgrade from 6.15.0 to 7.0.0

                                ECA-7768 - Update readme with license information for Hibernate jars


                                21 Nov 2019


                                ECA-8693 - Security: Backport upgrade of external dependency

                                Bug Fixes

                                ECA-8679 - Security issue


                                01 Nov 2019

                                Bug Fixes

                                ECA-8667 - Update CESeCoreUtils and back-port build.cesecore.p11.jar option


                                06 Aug 2019

                                Bug Fixes

                                ECA-8319 - clientToolBox PKCS11HSMKeyTool linkcert" command should work according to ICAO 9303

                                ECA-8345 - Jenkins failing test 'org.ejbca.core.model.services.worker.CertificateCrlReaderSystemTest.testReadCertificateFromDisk'


                                27 Jun 2019

                                Bug Fixes

                                ECA-7991 - Make ApprovalSessionTest reliable

                                ECA-8010 - JBoss CLI on Jenkins uses too much memory on Jenkins

                                ECA-8017 - SernoGeneratorRandom fails to build on JDK7

                                ECA-8072 - CaRenewCACommandTest stops working after 2019-04-15

                                ECA-8320 - SCP Publisher uses managing admin to sign payload

                                ECA-8322 - CertificateCrlReader does not handle revocation publications correctly


                                23 Apr 2019


                                ECA-7626 - Fix out of memory issues on new Jenkins

                                ECA-7976 - Fix configdump test failure on 6.15.x branch

                                ECA-7977 - CRL Downloader can't handle entries with extensions, but no reason code

                                ECA-7984 - Jenkins not cleaning up temporary fles

                                ECA-7985 - Unit tests do not respect tests.jvmargs

                                ECA-7989 - Possible race condition in SerialNumberGenerator with different CAs use different octet sizes

                                EJBCA 6.15.2

                                Released on 7th of March 2019

                                New Features

                                ECA-7539 - Add subcommand to clientToolBox to interact with database over pure JDBC

                                ECA-7779 - Implement test function in SCP Publisher

                                ECA-7894 - Backporting "ECA-4991 Allow configuration of serial number octet size per CA" to EJBCA 6.15.2


                                ECA-5804 - Make ApprovalSessionTest less timing sensetive

                                ECA-7367 - Acme must be in status unavailable under System Configuration (community edition)

                                ECA-7421 - configdump module's unit tests are not collected by Jenkins unit tests job 'EJBCA_TRUNK_UNIT_PUPPET'

                                ECA-7423 - Failing tests of org.ejbca.configdump.core.ConfigdumpCoreUnitTest

                                ECA-7491 - Use relative URLs in AdminGUI

                                ECA-7520 - Make CertSafePublisherTest locale independent

                                ECA-7522 - Add proper configuration to jenkins-files/*/conf/

                                ECA-7537 - Simplify and improve configuration of CMP tests

                                ECA-7555 - Acme SystemTest(s) failure for 6.15X EJBCA_TRUNK_DB2V105_UBUNTU1204_JBOSSEAP61_PUPPET jenkins job

                                ECA-7576 - Clarifications in the Multi Group Publisher documentation

                                ECA-7609 - Clear hibernate cache in ejbca-db-cli to avoid high memory usage

                                ECA-7612 - VendorAuthenticationTest test case fail in Jenkins

                                ECA-7625 - Stop using System.lineSeparator, except for writing to files or pipes

                                ECA-7642 - WebEjbcaClearCacheTest should be skipped if not running on localhost

                                ECA-7643 - EjbcaWSTest should not use hardcoded "superadmin" user

                                ECA-7644 - EJBCA ziprelease should not include scripts from jenkins-files

                                ECA-7645 - CrmfRAPbeRequestTest fails on community edition

                                ECA-7648 - EE_COS7_OpenJDK8_WF10_NOHSM_DB2 job failure

                                ECA-7656 - Backport improvements for peer connector tests to 6.15.x

                                ECA-7658 - Use white-list instead of black-list of allowed HTTP methods in web.xml

                                ECA-7679 - PeerConnectionsTest uses TLSv1, but should use TLSv1.2

                                ECA-7680 - PatternLoggers should check if log level is enabled before doing work

                                ECA-7682 - PeerConnectionsTest.testPublishCertificate should inform about prerequisite in failure message

                                ECA-7707 - HttpMethodsTest.testDocs should not fail if internal docs are not used

                                ECA-7744 - Backport: Avoid defining clover ant task when unused

                                ECA-7755 - The copyright year should be updated to include 2019

                                ECA-7761 - Minor security improvement

                                ECA-7843 - EJBCA startup does full table analysis on Oracle causing timeout issue during startup

                                ECA-7878 - Disable Admin GUI -> View Log menu item when logging to database is disabled

                                Bug Fixes

                                ECA-7523 - Test failures in ProtocolOcspHttpTest due do missing cleanup

                                ECA-7525 - Domestic / Non-external CVCA/DVCA do not have the expiration field set

                                ECA-7529 - OcspExtensionsTest fails on community edition

                                ECA-7533 - Fix WS documentation for isApproved and getRemainingNumberOfApprovals

                                ECA-7535 - Regression: Upgrade of customcertextensions.properties fails

                                ECA-7536 - CertificateCrlReaderSystemTest fails on Windows

                                ECA-7540 - Importing a CVCA certificate with error triggers CSRF error

                                ECA-7542 - CertSafePublisher sends incorrect revocation date

                                ECA-7543 - CertSafePublisherTest fails on Windows due to line endings

                                ECA-7544 - Fix UpgradePublisherTest

                                ECA-7548 - Cannot create a crypto token with token label as slot reference

                                ECA-7552 - StatedumpTest should use systemtests.properties

                                ECA-7558 - Admin Web returns redundant security headers

                                ECA-7584 - USERAUTH fail when publishing with the SCP Publisher

                                ECA-7595 - UpgradeSessionBeanTest.testUpgradeOcspExtensions6120 fails intermittently

                                ECA-7599 - AcmeConfigurationAndValidationSystemTest.leaveRevocationReasonUnchanged fails intermittently

                                ECA-7601 - UNID-FNR fails to deploy on JBoss AS 7.1.1

                                ECA-7613 - CertificateCrlReaderSystemTest fails intermittently

                                ECA-7621 - Fix CMP tests on 6.15.x branch on new Jenkins server

                                ECA-7624 - Fix ConfigdumpValidatorUnitTest and YamlWriterUnitTest

                                ECA-7628 - configdump change causes test build failure in CE

                                ECA-7662 - SecurityEvents*SessionBeanTest fails on H2 dues to use of ORDER in DELETE

                                ECA-7663 - CertificateRetrievalTest.test09FindWithMissingCertData assumes database.useSeparateCertificateTable=false

                                ECA-7665 - OutgoingPeerConnectionTest fails intermittently

                                ECA-7676 - Nullcheck would have been NPE in BlacklistEntry

                                ECA-7677 - PeerConnectionsTest is missing slf4j runtime dependency

                                ECA-7698 - Update example URL for external documentation

                                ECA-7742 - CAA Validator fails DNSSEC validation for CH domains

                                ECA-7760 - ScpPublisher: Destination URL for certificates saved as crl.scp.destination and vice versa

                                ECA-7794 - SCP Publisher does not store/load the password properly


                                ECA-7641 - Transform CE job that used to be trunk to 6.15

                                ECA-7848 - Investigate 6.15 WS test failures


                                07 May 2019


                                ECA-8153 - CertSafe Publisher throws NPE


                                28 Nov 2018


                                ECA-7548 - Cannot create a crypto token with token label as slot reference


                                26 Nov 2018

                                Bug Fixes

                                ECA-7542 - CertSafePublisher sends incorrect revocation date


                                ECA-7520 - Make CertSafePublisherTest locale independent

                                EJBCA 6.15.1

                                Released on 20 November 2018

                                New Features

                                ECA-7202 - ACME system tests - analyse, improve and enable skipped system tests

                                ECA-7382 - GUI modifications in Edit Publisher for MultiGroupPublisher

                                ECA-7392 - Data structure for MultiGroupPublisher

                                ECA-7393 - Backend logic for MultiGroupPublisher

                                ECA-7395 - Code for converting between textfield data and MultiGroupPublishers groups

                                ECA-7396 - Implement PublisherSession.getPublisherNameToIdMap

                                ECA-7401 - Implement ConfigDump export for MultiGroupPublisher

                                ECA-7425 - Add SCP Publisher implementation

                                ECA-7426 - Implement Certificate/CRL Reader implementation


                                ECA-3917 - Warn user when trying to creating multiple representations of the same P11 slot

                                ECA-7402 - Add synchronization to org.cesecore.util.ui.DynamicUiProperty.values

                                ECA-7406 - Move EnterpriseValidationAuthorityPublisher from va module into plugin-ee module

                                ECA-7409 - Add option to send JUnit tests standard output to console

                                ECA-7416 - Speed up import of certificate directory using the CLI

                                ECA-7420 - Minor security issue

                                ECA-7424 - Move CertSafePublisher into plugins-ee module

                                ECA-7430 - Add missing "isRequired" CCE field to ConfigDump

                                ECA-7432 - Colour-code modular protocol configuration table

                                ECA-7436 - GDPR Adapt the Legacy VA Publisher

                                ECA-7442 - Allow creation of quick zipreleases without having SVN installed

                                ECA-7446 - Add authorization to CustomPublisherContainer.getCustomUiPropertyList

                                ECA-7449 - Security: fix minor scanner issues

                                ECA-7450 - Multi Group Publisher: Only queue certificate statuses that will be published

                                ECA-7451 - Remove leftover from certificatestore build.xml

                                ECA-7453 - Disallow deletion of publishers in use by Multi Group Publisher

                                ECA-7454 - Documentation for Multi Group Publisher

                                ECA-7465 - Documentation: Missing steps in AD publisher TLS configuration

                                ECA-7468 - Add revocation time to CertSafe Publisher JSON

                                ECA-7471 - Allow system tests to run with EJBCA not on localhost

                                ECA-7479 - Prevent compiling with Java 11, as long as it doesn't work

                                ECA-7490 - Use relative keystore paths in ejbca-setup.sh scripts

                                ECA-7493 - Allow any user of full checked out source to make alpha CE ziprelease

                                ECA-7507 - Skip ProtectedDataPKCS11Test when no PKCS#11 library is configured

                                ECA-7510 - DnFieldExtractorTest fails in CE version

                                Bug Fixes

                                ECA-7336 - OCSP warningBeforeExpirationTime not working

                                ECA-7407 - Probing confluence during build even if doc-update=false

                                ECA-7408 - Don't shadow remote EJB client classes in system tests

                                ECA-7411 - AcmeOrderData is missing ORM for all db types except "mysql"

                                ECA-7412 - ACME ORM XML for postgres uses <lob></lob>

                                ECA-7434 - Add modular protocol configuration to Statedump

                                ECA-7441 - EJBCA WS tests fail with SunCertPathBuilderException

                                ECA-7455 - Security: security issue

                                ECA-7472 - AcmeWorkflowTest assumes "which" is available on test system

                                ECA-7476 - Regression: X-FRAME-OPTIONS sometimes blocks admin UI head banner

                                ECA-7487 - Creating Crypto Token on same slot as database protection breaks DB protection

                                ECA-7489 - batchenrollmentgui does not build

                                ECA-7497 - Fix VaEnterpriseValidationAuthorityPublisherTest test failure

                                ECA-7506 - test:run fails to compile CertificateCrlReaderSystemTest

                                ECA-7509 - Extra field added to the legacy VA Publisher

                                ECA-7515 - NPE in getCaaIdentities when using ACME

                                EJBCA 6.15.0

                                Released on 5 October 2018

                                New Features

                                ECA-7019 - Write documentation for ACME

                                ECA-7185 - ACME persistence: Create ORM scripts AcmeAccountData

                                ECA-7187 - Add ACME to Statedump

                                ECA-7188 - Add ACME to Configdump

                                ECA-7198 - ACME persistence: Create ORM scripts/entities/CRUD for AcmeOrderData

                                ECA-7199 - ACME persistence: Create ORM scripts/entities/CRUD for AcmeAuthorizationData

                                ECA-7200 - ACME persistence: Create ORM scripts/entities/CRUD for AcmeChallengeData

                                ECA-7202 - ACME system tests - analyse, improve and enable skipped system tests

                                ECA-7237 - Swagger problems with ACME module

                                ECA-7244 - Add ability to link in compiled JARs as plugins

                                ECA-7250 - PKCS11 enable using CKA_LABEL also when a sun attributes file is used

                                ECA-7253 - Add a method to SignSession in order to sign arbitrary payloads

                                ECA-7257 - Add possibility to disable Crypto Token key generation for specific PKCS#11 drivers in GUI

                                ECA-7259 - Add Amazon CloudHSM p11 driver to known P11 drivers in web.properties

                                ECA-7264 - Re-use endentity for ACME cert renewal flow

                                ECA-7287 - Add Required checkbox to the custom extension configuration screen and logic in backend

                                ECA-7288 - Add wildcard identifier to the Certificate Extension OIDs


                                ECA-7138 - Ensure quality in ACME

                                ECA-7203 - Verify that ACME works with aliases

                                ECA-7207 - Verify & document External Account Binding in ACME

                                ECA-7252 - test ACME cert renewal and deacticvation flows with acme4j

                                ECA-7275 - Test ACME wildcard cert issuance and pre-authorization with certbot.

                                ECA-7323 - Document Peer RA Protocol Rules

                                ECA-7324 - Document Optional Custom Extensions

                                ECA-7331 - Verify if Swagger UI for works for ACME API. If it does, add documentation to confluence. If not, hide the ACME part from swaggerUI


                                ECA-6921 - ACME persistence: CRUD for AcmeAccountData

                                ECA-7114 - Improved test for ACME dns-01 validation.

                                ECA-7120 - Upgrade EJBCA/CESeCore to BouncyCastle 1.60

                                ECA-7125 - Precompile Swagger UI WAR and add to ejbca/dist

                                ECA-7194 - Create certificate only for order from request

                                ECA-7204 - Re-enable ACME in GUI

                                ECA-7227 - Remove "CA Service Activation" from Certificate Profiles

                                ECA-7233 - Remove JavaDoc and source files from lib directory

                                ECA-7234 - Use a StringBuilder to improve efficiency creating database protection

                                ECA-7239 - Make DNSSEC optional for dns validation

                                ECA-7240 - EJBCA_TRUNK_MARIADB_UBUNTU1204_JBOSS711GA_PUPPET tests failing

                                ECA-7243 - Hide external account binding option from ACME GUI

                                ECA-7247 - Improve the New Terms of Service Agreement functionality of EJBCA ACME server.

                                ECA-7248 - Use EJBCA name style for issuerDN in CMP revocation request handler

                                ECA-7251 - Remove clover jar from ziprelease

                                ECA-7304 - Update default DNSSEC trust anchors

                                ECA-7305 - Upgrade handling for new "DNS port" setting for ACME

                                ECA-7310 - Improve feedback from CAA Validator

                                ECA-7311 - Possible serialization failure when editing Access Rules in Advanced Mode

                                ECA-7316 - Missing svn:keywords

                                Bug Fixes

                                ECA-6872 - Cannot enroll user with Cyrillic characters using RA web + appliance

                                ECA-7096 - Don't store certificate meta data option makes expireDate not published, causing archiveCutOff

                                ECA-7154 - SQL Grammar Exception on MS SQL Server v12

                                ECA-7193 - Move check of requested certificate validity from finalize to newOrder

                                ECA-7201 - Documentation link to Renew CA gives 404

                                ECA-7211 - OCSP signing certificates aren't always published for throwaway CAs with revoke enabled

                                ECA-7215 - CMP: RA Name Generation Scheme with DN component serialNumber does not work

                                ECA-7220 - DROP table scripts for AcmeNonceData is missing

                                ECA-7224 - Broken class-path references in ctlog.jar causes WARN messages in the JBoss log file

                                ECA-7231 - StringTools B64 failing unit test after upgrade to BC 1.60

                                ECA-7238 - EjbcaWS doesn't handle timeformats ending with 'Z'

                                ECA-7242 - EJBCA is trying to parse the string 'KeyId' as an integer when authorising an admin

                                ECA-7245 - NPE when issuing certificate via certbot

                                ECA-7246 - EjbcaWSTest fails with clearpassword

                                ECA-7249 - HSMKeyTool --force flag does not work when using an attributes file

                                ECA-7258 - Security: information leak in debug log

                                ECA-7260 - CryptoToken key generate button shown when it should not

                                ECA-7268 - RA Web search End Entities doesn't render if not authorized to search certificates

                                ECA-7269 - Regression: JSF errors on JBoss AS 7.1.1

                                ECA-7274 - Test ACME wildcard certificate issuance and pre-authorization with acme4j

                                ECA-7277 - DatabaseProtection on CertificateProfileData incompatible between <=6.11 and >= 6.12

                                ECA-7285 - Add HEAD request for the endpoint revokeCert

                                ECA-7286 - Fix NPE which happens when de-registering account with certbot

                                ECA-7302 - Name Constraints error when saving existing CA

                                ECA-7306 - GUI bug in Edit CA page.

                                ECA-7307 - 'Close' button not functioning under 'View Certificate'

                                ECA-7322 - Import renewed CA certificates, for External CA does not import to CertificateData, for Externally Signed CA does not publish

                                EJBCA 6.14.1

                                Released on 24 August 2018

                                Bug Fixes

                                ECA-7209 - Configdump crashes on export due to 'isCaAllowed' in certificate profile

                                ECA-7210 - BC class conflict in some occasions: X509CertificateObject cannot be cast to org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier

                                ECA-7212 - EJBCA fails to start on JBoss AS 7.1.1

                                ECA-7213 - JSF errors on JBoss AS 7.1.1 and EAP 6.x

                                ECA-7221 - Configdump support for dumping issuers is missing

                                ECA-7222 - WebService keyRecoveryEnroll gives NPE if end entity extendedInformation is missing

                                ECA-7223 - processSoftTokenReq method requires end entity profile to allow clear text password

                                ECA-7229 - Can not start Peer Connector on JBoss EAP 6.4

                                ECA-7236 - NPE thrown by publisher when useSeparateCertificateTable is changed from false to true

                                ECA-7241 - EST enrollment requires end entity profile with batch enrollment enabled

                                ECA-7242 - EJBCA is trying to parse the string 'KeyId' as an integer when authorising an admin

                                EJBCA 6.14.0

                                Released on 7th August 2018

                                Technical Requirement

                                ECA-6978 - Implement Rest conventions

                                ECA-7022 - Specify license information for swagger dependencies


                                ECA-3298 - One Junit failure on DB2

                                ECA-4729 - getRequestServerName with ejbca behind a reverse proxy via ajp returns wrong server name

                                ECA-5416 - SoftCryptoToken used for database protection always debug logs stacktrace about PKCS12 keystore password

                                ECA-6292 - Common PKI CertHash OCSP extension should be a singleExtension instead of a responseExtension

                                ECA-6654 - PublicCryptoToken can't be used for database protection verification

                                ECA-6763 - EJB CLI still logs too much irrelevant info

                                ECA-6774 - Fix the active status logo in internal key binding.

                                ECA-6848 - Regression: 'Provide request info' hidden when only 'Select key algorithm' should be

                                ECA-6862 - CertificateDataSessionBean.findUsernameByIssuerDnAndSerialNumber declared final

                                ECA-6869 - Upgrade code for 6.11 creates access rules that are not normalized

                                ECA-6880 - fix unit tests for Commuity MariaDB+ubuntu+JBOSS711GA configuration

                                ECA-6887 - Return value for rejected approvals in EjbcaWS.getRemainingNumberOfApprovals(int) is incorrect

                                ECA-6895 - Refine behavior of ApprovalSessionBean.getRemainingNumberOfApprovals(int)

                                ECA-6901 - Handle non-DNs gracefully in CertTools.isDNReversed

                                ECA-6923 - Missed slashes in documentation links

                                ECA-6947 - Validator view not refreshed, editing Validators modifies cache content

                                ECA-6950 - Documentation: Custom certificate extension data link broken

                                ECA-6951 - Documentation links on Admin GUI overview page broken

                                ECA-6959 - Cache CA name lookup in RoleMembers page view scope

                                ECA-6997 - Database upgrade version comparison does not handle varying number if fields

                                ECA-7000 - Improve isFullQualifiedDomainName

                                ECA-7001 - ExternalCommandCertificateValidator handles stdout and stderr incorrectly

                                ECA-7004 - Public key blacklist validator fails match on RSA keys when not all algorithms are specified in validator

                                ECA-7014 - External Command Certificate Validator should fail on non-zero exit code

                                ECA-7015 - The enum constant UNKNOWN needs a corresponding case label in this enum switch

                                ECA-7016 - Unlikely argument problems in ACME implementation

                                ECA-7027 - WS API documentation has wrong URL

                                ECA-7031 - Documentation Link broken for 'Manage Publishers'

                                ECA-7040 - Regression: External RA (polling) does not work for Keystore Requests

                                ECA-7043 - Upgrade with long version number can fail

                                ECA-7057 - Fix documentation link from Public Web

                                ECA-7063 - Peer connector settings are not saved when creating a new peer connector

                                ECA-7078 - Jenkins builds failure for test EjbcaWSCVCTest

                                ECA-7079 - Jenkins builds failure for SystemTests of REST API

                                ECA-7080 - Jenkins builds failure for AcmeWorkflowTest of ACME

                                ECA-7083 - CaaValidator always succeeds when the domain ignore list matches

                                ECA-7084 - Fix Jenkins test error: Non unique method in RA Master API

                                ECA-7085 - Some JUnit tests don't run

                                ECA-7086 - Regression: Help labels and at least one option is gone from the CAA Validator

                                ECA-7088 - some REST-related unit tests are failing in EJBCA_TRUNK_UNIT_PUPPET

                                ECA-7090 - Swagger inputs in snakecase are not evaluated in REST method input

                                ECA-7094 - Error "Can't reset to root in the middle of the path" during `ant install` on JBoss ≥6.4.19

                                ECA-7099 - CRL generation as CRL Issue interval can miss some intervals

                                ECA-7100 - Revocation CA lookup for nonConflictingCertificateData does not use normalized DN format

                                ECA-7101 - EjbcaWS.getProfile leaks information about CA's and EEPs

                                ECA-7108 - X509CA.upgrade could upgrade CA Overlap Time wrong from ancient version

                                ECA-7111 - Troubleshooting missing from documentation

                                ECA-7112 - Fix test failure EndEntityProfileSessionBeanTest.testAuthorization

                                ECA-7115 - WS customLog call calculates CA ID wrong if caName is missing

                                ECA-7116 - WS customLog call swaps username and admin certificate parameters in log

                                ECA-7140 - Ignore Top Level Domains field in CAA Validators no longer work

                                ECA-7141 - orm entry for AcemNonceData incorrect for PostgreSQL

                                ECA-7142 - Documentation Link broken for under OcspKeyBinding Tab

                                ECA-7144 - RaMasterApi dispatches non-serializable objects

                                ECA-7145 - Invalid error handling for EjbcaWS.getProfile (remote)

                                ECA-7148 - Jenkin's job EJBCA_TRUNK_UNIT_PUPPET compilation failure

                                ECA-7149 - Jenkins job EJBCA_TRUNK_UNIT_PUPPET has failing unit test of RsaKeyValidatorTest.testRocaWeakKeys

                                ECA-7150 - Regression ejbca-db-cli crashes with ClassNotFoundException: AcmeNonceData

                                ECA-7155 - Manage ACME Aliases is linking to SCEP documentation

                                ECA-7157 - Fields notBefore and notAfter in the order object are optional

                                ECA-7158 - HEAD endpoint for new-order is missing and required for certbot compliance

                                ECA-7159 - REST API /expire offset and maxNumberofResults doesn't work on multiple nodes

                                ECA-7160 - HEAD endpoint for new-account is missing and required for certbot compliance

                                ECA-7167 - Regression: Cannot generate keystore with autogenerated password from RA

                                ECA-7173 - ConcurrentModificationException while editing end entity with custom, dynamic, extensions

                                ECA-7176 - Regression: RA Web upload CSR auto-parsing stopped working

                                ECA-7179 - Regression: RA Web cleanup deletes existing end entity

                                ECA-7180 - NPE in ProfileAndTraceInterceptor

                                ECA-7181 - CertBot fails due to null values in JSON

                                ECA-7182 - ACME Link headers are not encoded according to the standard

                                ECA-7183 - Fix ACME notAfter validation failure

                                ECA-7184 - Check for incorrect approval settings for ACME CA/profile fails

                                ECA-7192 - ziprelease excludes configdump.sh from release zip

                                New Feature

                                ECA-5711 - RA API call base for ACME

                                ECA-6750 - System tests: VA Publisher with Throwaway certs

                                ECA-6845 - Fixing unittests EJBCA_TRUNK_MARIADB_RHEL64_JBOSSEAP64_OPENJDK8 Jenkins build

                                ECA-6851 - Create automated test for ECAQA-3

                                ECA-6853 - Add Peer RA Protocol Rule for SCEP

                                ECA-6854 - Create automated test for ECAQA-76

                                ECA-6858 - Create automated test for ECAQA-67

                                ECA-6867 - Create automated test for ECAQA-24

                                ECA-6868 - Create automated test for ECAQA-62

                                ECA-6874 - Create module for REST API

                                ECA-6876 - Implement client certificate authentication for REST API

                                ECA-6878 - REST API call: List of CAs

                                ECA-6882 - Create JAXRS "certificate" endpoint in ejbca-rest-api module

                                ECA-6891 - POST service endpoint to certificatecontroller for requesting new server certificate

                                ECA-6893 - ACME: Implement dns-01 validation method

                                ECA-6896 - Create automated test for ECAQA-42

                                ECA-6897 - Create automated test for ECAQA-8

                                ECA-6898 - User documentation REST API

                                ECA-6902 - Create REST service for downloading CA certificates

                                ECA-6903 - REST method for revoking a certificate

                                ECA-6904 - GET method to get certificates that are about to expire

                                ECA-6934 - Add RA proxying of EjbcaWS.findUser(UserMatch) and EjbcaWS.editUser(UserDataVOWS)

                                ECA-6937 - Create a common exception handler for the REST API

                                ECA-6941 - Add Swagger to the REST API

                                ECA-6942 - Create automated test for ECAQA-74

                                ECA-6944 - Create automated test for ECAQA-28

                                ECA-6948 - Use HEX serial number as identifier in the REST API

                                ECA-6953 - REST Json provider configuration

                                ECA-6954 - REST exceptions cleanup

                                ECA-6955 - REST soft exceptions

                                ECA-6956 - Create remaining JUnit test for REST

                                ECA-6957 - REST system tests

                                ECA-6958 - REST Use profile names as input instead of ID

                                ECA-6964 - Refactor cert enrollment REST service to do profile and endentity lookups behind RaMasterApi to improve performance

                                ECA-6970 - Add RA Proxying of EjbcaWS.getAvailableCertificateProfiles

                                ECA-6971 - Add RA Proxying of EjbcaWS.getAvailableCAsInProfile

                                ECA-6972 - Add RA proxying to EjbcaWS.processCertReq

                                ECA-6973 - Add RA proxying to EjbcaWS.cvcRequest

                                ECA-6974 - Add RA proxying to EjbcaWS.customLog

                                ECA-6975 - Add RA proxying to EjbcaWS.findCerts

                                ECA-6982 - Add RA proxying to EjbcaWS.getAuthorizedEndEntityProfiles

                                ECA-6983 - Add RA proxying to EjbcaWS.getCertificate(String, String)

                                ECA-6984 - Add RA proxying to EjbcaWS.getCertificatesByExpirationTime

                                ECA-6985 - Add RA proxying to EjbcaWS.getCertificatesByExpirationTimeAndType

                                ECA-6986 - Add RA proxying to EjbcaWS.getCertificatesByExpirationTimeAndIssuer

                                ECA-6987 - Add RA proxying to EjbcaWS.getLastCAChain

                                ECA-6988 - Add RA proxying to EjbcaWS.getProfile(int, String)

                                ECA-6989 - Add RA proxying to EjbcaWS. getLatestCRL

                                ECA-6990 - Add RA proxying to EjbcaWS.getRemainingNumberOfApprovals

                                ECA-6991 - Add RA proxying to EjbcaWS.isApproved(int)

                                ECA-6992 - Add RA proxying to EjbcaWS.isAuthorized(int)

                                ECA-6993 - Add RA proxying to EjbcaWS.pkcs12Req(String, String, String, String, String)

                                ECA-6994 - Add RA proxying to EjbcaWS.republishCertificate(int)

                                ECA-6999 - REST endpoint for keystore enrollment

                                ECA-7007 - REST endpoint to get CRL

                                ECA-7008 - REST endpoint to search for certificates

                                ECA-7010 - REST endpoint to check certificate revocation status

                                ECA-7011 - Start using Converters in REST related response, request and entity classes

                                ECA-7029 - Link Rest API documentation to the proper place

                                ECA-7030 - Prevent Swagger exposure in Production

                                ECA-7032 - Add RA proxying to EjbcaWS.getPublisherQueueLength(String)

                                ECA-7033 - REST endpoint to finalize enrollment after approval

                                ECA-7034 - Add RA proxying to EjbcaWS.revokeUser(String, int, boolean)

                                ECA-7035 - Add CLI command to list publishers

                                ECA-7038 - Extend EJBCA EJB CLI to allow adding RoleMembers of any supported type

                                ECA-7039 - Add Cavium Nitrox III as known HSM driver

                                ECA-7051 - Add protocol configuration for REST

                                ECA-7052 - Add REST APIs to Peer RA Protocol access rules

                                ECA-7053 - Add ACME to Peer RA Protocol access rules

                                ECA-7067 - Add positive audit log messages for all Validation operations

                                ECA-7076 - REST API - SystemTest - Authorized client requesting a new server certificate

                                ECA-7077 - REST API - SystemTest - Authorized client revokes a certificate

                                ECA-7092 - REST API license headers to Enterprise

                                ECA-7122 - Add RA proxying to EjbcaWS with request local instance first.

                                ECA-7126 - Add RA Proxying of EjbcaWS.getAvailableCAs

                                ECA-7127 - Rest APi unit tests are not run in Jenkins

                                ECA-7156 - Implement CAA identities

                                ECA-7178 - contacts should not be mandatory for ACME's POST newAccount endpoint


                                ECA-6861 - Initial prototype of REST API

                                ECA-6871 - Add Fabiens cmp monitoring script to extras

                                ECA-6879 - Identification of certificates in REST API

                                ECA-6890 - Document Wildfly 12 configuration

                                ECA-6949 - Fix the Jenkins build EJBCA_TRUNK_MARIADB_RHEL64_JBOSSEAP64_OPENJDK8

                                ECA-7136 - Ensure quality in CAA Validator

                                ECA-7137 - Ensure quality in REST-API

                                ECA-7139 - Ensure quality in WS RA-proxying


                                ECA-6090 - Add ability to specify multiple issuers in CAA validator

                                ECA-6162 - CT log request - optional full hierarchy, full Json request in debug log

                                ECA-6436 - Ability to set explicit.ecc.publickey.parameters for crypto tokens

                                ECA-6849 - Simplification of p11 token login (Crypto Token Activation)

                                ECA-6856 - Use consistent format of library license references

                                ECA-6863 - Fix easy to fix compiler warnings in Admin GUI classes

                                ECA-6873 - Improve handling when receiving SCEP getCACaps request for missing CA

                                ECA-6883 - Refactor X509CAInfo constructors to use build pattern

                                ECA-6884 - Run Web Tests on windows

                                ECA-6885 - CMP: add senderKID to responses when they are signed

                                ECA-6888 - unidfnr.enabled should have a default value

                                ECA-6892 - Create exhaustive regression tests for ApprovalSessionBean.getRemainingNumberOfApprovals(int)

                                ECA-6900 - Shift "Contributors" page from ejbca.org into Confluence Documentation

                                ECA-6905 - ACME draft-12 update: Remove tls-sni-02 and oob-01

                                ECA-6906 - ACME draft-12 update: Use camelcase instead of dash

                                ECA-6907 - ACME draft-12 update: New finalize workflow

                                ECA-6908 - ACME draft-12 update: Update and review all JavaDoc

                                ECA-6910 - ACME draft-12 update: Remove authz and cert resources "up" Link

                                ECA-6911 - ACME draft-12 update: newNonce should respond with HTTP 200

                                ECA-6912 - ACME draft-12 update: Update AcmeAccount creation workflow

                                ECA-6913 - ACME draft-12 update: Directory meta info should indicate if external account is required

                                ECA-6914 - ACME draft-12 update: Wildcard certificate issuance

                                ECA-6915 - ACME draft-12 update: Remove AcmeAuthorization scope

                                ECA-6916 - ACME draft-12 update: Update AcmeChallenge workflow

                                ECA-6917 - ACME draft-12 update: Verify response code for wrong content type

                                ECA-6918 - ACME: AcmeAccount should belong to an AcmeConfiguration

                                ECA-6920 - ACME persistence: AcmeNonceData

                                ECA-6922 - ACME draft-06 cleanup: Remove custom JAX-B serialization

                                ECA-6924 - ACME: Verify certbot compliance

                                ECA-6926 - ACME: Enable as part of release

                                ECA-6931 - ACME: Implement the missing calls in RaMasterApi to allow proxy use

                                ECA-6932 - ACME UI Configuration: GlobalAcmeConfiguration and AcmeConfigurations

                                ECA-6960 - ACME draft-12 update: Remove authzDeactivate resource "up" Link

                                ECA-6966 - Info log details when a database upgrade is started

                                ECA-6977 - Certificate Transparency, add verification of embedded SCTs and upgrade version of google/certificate-transparency-java

                                ECA-6980 - Remove root certificate from CT submission

                                ECA-6981 - GUI: Crypto Tokens form usability

                                ECA-6995 - GUI: End Entities search result revocation usability

                                ECA-7005 - Small improvement to CT debug logging

                                ECA-7017 - REST Jackson library unification

                                ECA-7018 - Add ACME to modular protocols configuration

                                ECA-7020 - When a CT log returns an error, log at info level instead of debug

                                ECA-7028 - modify REST enrollKeystore to accept JSON body rather than query parameters

                                ECA-7036 - Unidfnr data class should have unid as part of protection string.

                                ECA-7037 - File system property to disable X.509 client cert requirement for Admin GUI

                                ECA-7041 - Access rule '/cryptotoken/keys/generate/' is required to create CSR for OCSP Key Binding

                                ECA-7044 - Support Role namespace in EJB CLI

                                ECA-7045 - Reorganize crypto tokens documentation into a concept and an operational section

                                ECA-7048 - Adapt new RA API methods to RA API Guidelines

                                ECA-7049 - Make sure all RA API methods work both locally and remotely, where applicable

                                ECA-7056 - Create a "CA Overview" page in the documentation

                                ECA-7081 - Log all CRL parameters used when making a decision to generate a CRL or not

                                ECA-7087 - improve EJBCA_TRUNK_UNIT_PUPPET jenkins build (or runsa ant target) somehow, so that build error would make the build red

                                ECA-7091 - Remove Norwegian FNR from log

                                ECA-7095 - Enable "Don’t allow ROCA weak keys" in CA/B Forum RSA Key Validation Template

                                ECA-7097 - Merge REST revocation response classes

                                ECA-7113 - Make the dns resolver and iana root anchor configurable for acme

                                ECA-7121 - REST - return correct response code from POST and PUT endpoints

                                ECA-7123 - REST revocationstatus returns 'revoked' for non-existing entries

                                ECA-7124 - Complete IEjbcaWS JavaDoc for new RA master API calls.

                                ECA-7129 - Use static json for static swagger REST API documentation

                                ECA-7131 - SystemTest for REST Certificates search

                                ECA-7132 - Remove "default" ACME alias

                                ECA-7134 - Improve REST endpoint Swagger descriptions

                                ECA-7147 - Use consistent serial number response format in REST API

                                ECA-7166 - Update the documentation links for the OCSP keybindings page

                                ECA-7172 - Add new index for searches on AuditRecordData

                                ECA-7174 - Improve ProfileAndTraceInterceptor to print arguments properly

                                ECA-7177 - Increase CRL upload size from 60 KB to 250 MB

                                ECA-7186 - ACME Configuration: Hide EMPTY profile and add info text about Default CA etc.

                                ECA-7191 - Add request/response logging for REST calls

                                EJBCA 6.13.0

                                Released on 3 May 2018


                                ECA-5792 - Allow peer publisher to only publish required data for OCSP

                                ECA-6727 - Revocation of Throwaway Certificates

                                New Features

                                ECA-6734 - New DB Table (Part of Alpha)

                                ECA-6737 - New SSB with basic NoConflictCertificateData functionality (Part of Alpha)

                                ECA-6738 - CA config changes + Admin GUI mods

                                ECA-6739 - Certificate lookup from PublishQueueServiceWorker

                                ECA-6740 - Changes in CRL generation logic

                                ECA-6741 - Update Database CLI

                                ECA-6743 - Modify EjbcaWS.revokeCert call (Part of Alpha)

                                ECA-6744 - Modify EjbcaWS.revokeCert call to accept more meta data

                                ECA-6745 - Manual tests with asynchronous replication

                                ECA-6746 - ECA-QA click test for Revocation of Throwaway Certs

                                ECA-6748 - System tests: WS call (Part of Alpha)

                                ECA-6750 - System tests: VA Publisher with Throwaway certs

                                ECA-6751 - Performance tests: Check existing tests (Revoke & OCSP)

                                ECA-6752 - Performance tests: Perform tests (before & after)

                                ECA-6753 - Document revocation of throw away certs

                                ECA-6789 - Edit CA page should include an option to select which certificatedata table to write to


                                ECA-6756 - Add manual test of OCSP for UnidFnr

                                ECA-6778 - Update all occurrences of ocsp.extensionoid and extensionclass in documentation


                                ECA-4337 - EJBCA client toolbox PKCS11HSMKeyTool generate command should not overwrite existing keys

                                ECA-6362 - Document all pages in the UI that are going to be deprecated by EJBCA 7.0

                                ECA-6572 - Remove timeStampClient.jar from documentation

                                ECA-6762 - Make existing EjbcaWS.revokeCert call work without certificate data being present

                                ECA-6764 - Fix missing header and id in test related classes.

                                ECA-6766 - System test of publishing of throw away certificate revocation status, with mock publisher

                                ECA-6767 - CertificateDataWrapper should handle revoked throw away certificate case

                                ECA-6772 - GUI: Usability about GeneralNames type fields (e.g. for Subject Alternative Name)

                                ECA-6779 - Update Confluence documentation for QC-Statements

                                ECA-6786 - VA Publisher should not update if revocation reason is permanent

                                ECA-6791 - Create separate CRUD bean for CertificateData and NoConflictCertificateData, for database queries etc.

                                ECA-6795 - CMP: don't log stack trace if CMP alias does not exist

                                ECA-6796 - Check new option "Accept revocations for non-existing entries" in backend code

                                ECA-6836 - Make it possible to issue throw-away certificates with publishers enabled

                                ECA-6837 - Restrict "Accept revocation of non-existing certificates" option to throw-away CAs only

                                ECA-6844 - Create fingerprint sheet in RA web

                                ECA-6850 - Add backend code for selecting which certificate data table to write to.

                                ECA-6856 - Use consistent format of library license references

                                ECA-6859 - Improved naming and ordering of Throw Away Certificate Revocation options

                                Bug Fixes

                                ECA-6717 - Remove clientToolBox dependency on ejbca-ejb

                                ECA-6728 - NPE when changing Approval Profile type

                                ECA-6761 - Republish/re-activate in the Admin Web passes html encoded data to API

                                ECA-6768 - DirectoryName in CMP (RA mode) requests doesn't work

                                ECA-6771 - GUI: Wrong designation of QC-Statements "Name Registration Authorities"

                                ECA-6775 - Unidfnr entity bean must handle longtext datatype.

                                ECA-6797 - ConfigDump does not find certain profiles etc. when --exclude option is used

                                ECA-6800 - junit ProtocolOcspHttpTest freezes

                                ECA-6823 - checkRevocationStatus returns wrong value for throw away CAs

                                ECA-6848 - Regression: 'Provide request info' hidden when only 'Select key algorithm' should be

                                ECA-6852 - Upgrade ocsp extensions does not account for '*' prefix

                                EJBCA 6.12.0

                                Released on 4 April 2018


                                ECA-6464 - Implement UnidFnr as a Module

                                ECA-6466 - YAML Based Configuration Export

                                New Features

                                ECA-1960 - GUI: End-Entity Search results usability (actions with buttons)

                                ECA-5752 - Split out CSS from AdminGUI template.xhtml and provide theme support

                                ECA-5840 - Create an ant script that automatically exports EJBCA documentation to a local directory

                                ECA-6477 - Create base classes for the web test module

                                ECA-6514 - Create test + pilot export with basic End Entity Profiles export using YAML

                                ECA-6515 - Finish End Entity Profile YAML export

                                ECA-6516 - Create CLI interface for YAML export

                                ECA-6517 - Create YAML export for Validators

                                ECA-6518 - Create YAML export for CAs

                                ECA-6519 - Create YAML export for Certificate Profiles

                                ECA-6521 - Create YAML export for EST Configuration

                                ECA-6522 - Create YAML export for Services

                                ECA-6523 - Create YAML export for Publishers

                                ECA-6524 - Create YAML export for Crypto Tokens

                                ECA-6525 - Create YAML export for Roles

                                ECA-6526 - Create YAML export for Peer Connectors

                                ECA-6527 - Create YAML export for Internal Key Bindings

                                ECA-6528 - Create YAML export for Ocsp Configuration

                                ECA-6530 - Create YAML export for Admin Preferences

                                ECA-6532 - Options for what to include and exclude in YAML export

                                ECA-6533 - Create module for YAML export

                                ECA-6543 - Add CLI support for EST configs

                                ECA-6544 - Update test.xmli for YAML module

                                ECA-6546 - Implement java.util.Map to YAML conversion

                                ECA-6549 - Create automated test for ECAQA-153

                                ECA-6550 - Create automated test for ECAQA-87

                                ECA-6560 - Create automated test for ECAQA-98

                                ECA-6567 - Create automated test for ECAQA-78

                                ECA-6580 - Create YAML export for User Notifications in End Entity Profiles

                                ECA-6606 - Certificate revocation using EJBCA WebService API through External (Peer) RA

                                ECA-6615 - Fail hard if building with Confluence pull property set, but Confluence server can't be contacted.

                                ECA-6617 - Ensure that the Confluence docs are automatically (and always) updated with the ziprelease.

                                ECA-6620 - Put a placeholder page in Documentation if building without any prior Documentation retrieved

                                ECA-6629 - Create YAML export for SCEP configuration

                                ECA-6634 - Support SCEP via the RA

                                ECA-6646 - Remap all ? links in CA UI from old documentation to new Confluence based documentation

                                ECA-6649 - Configdump CA fixes

                                ECA-6661 - Remove init code from UNID-FNR OCSP Extension implementation

                                ECA-6662 - Entity bean (protected data)

                                ECA-6663 - SSB (with logic to check signature)

                                ECA-6664 - Create Scripts for DB Table

                                ECA-6665 - Module for UnidFnr

                                ECA-6666 - UnidFnr upgrade handling

                                ECA-6671 - Add CA ID generation to clientToolBox

                                ECA-6672 - OCSP ext. UI selection per keybinding

                                ECA-6695 - Create automated test for ECAQA-138

                                ECA-6696 - Create a helper class for Web Tests

                                ECA-6714 - Add description field for IKB "Trusted Certificates"


                                ECA-6465 - Investigate the impact of curve aliases changing in BC v1.59

                                ECA-6483 - Add static code analyzing support for EJBCA code base.

                                ECA-6493 - Clean up warnings in CertProfileBean

                                ECA-6513 - Investigate and decide library to use for YAML

                                ECA-6553 - Update copyright year to 2018

                                ECA-6561 - Clean up ejbca.org and tighten up site

                                ECA-6585 - Create a CT logging Test Root

                                ECA-6720 - Remove old UNID-FNR properties from ocsp.properties.sample


                                ECA-2156 - GUI: Search forms layout and usability

                                ECA-2731 - Move all find* methods from EndEntityManagementSession to EndEntityAccessSession

                                ECA-3417 - CaSession.getCAInfo and other get* methods in CaSession should return null

                                ECA-3610 - Bring all CRUD methods from UserData to EndEntityAccessSession

                                ECA-3772 - InformationMemory and associated cache classes are redundant and should be removed

                                ECA-5382 - RA: Allow certain admins to see requests that they are not allowed to approve

                                ECA-5499 - Use Facelet templating instead of frames

                                ECA-5520 - Additional information shown for CSRs uploaded

                                ECA-5675 - Request custom search should have date help in the RA

                                ECA-5769 - Support for nameSpace in EJBCA CLI

                                ECA-5864 - Make it possible to change EEP of an EE

                                ECA-6298 - CaInfo.getCertificateChain should return a List instead of a Collection

                                ECA-6320 - Allow validators to render dynamic values.

                                ECA-6325 - RA Web: Make the EE/Cert Details page match the search page

                                ECA-6352 - RA Web: Add a link back to the EE when viewing a certificate

                                ECA-6356 - Create system tests for modular protocol configuration

                                ECA-6411 - Move ServiceManifestBuilder into its own project

                                ECA-6437 - Ability to specify a subjectAltName and issuerAltName when creating CAs with CLI

                                ECA-6479 - Approval Partition names are not shown in the CA UI.

                                ECA-6501 - Add sun/security/action to jboss-deployment-structure.xml

                                ECA-6503 - Remove Web Tests from zip release

                                ECA-6506 - Null Pointer Exception when viewing an Accumulative Approval Request in Admin GUI

                                ECA-6551 - Format validation message properly under QueryGenerator

                                ECA-6554 - clientToolBox test with 8192 bit RSA keys fails with exception

                                ECA-6563 - GUI: Improve punctuation in English language for Admin GUI

                                ECA-6565 - Clean up language files

                                ECA-6566 - Clarifying ocsp.extensionoid description

                                ECA-6583 - Command line option to turn Configdump exceptions into warnings

                                ECA-6586 - Append file extension to YAML files

                                ECA-6590 - Replace spaces and special characters in configdump file names

                                ECA-6592 - Make YAML keys case consistent

                                ECA-6595 - Configdump export should require authentication token

                                ECA-6596 - Improve debug logging in CT with some more details

                                ECA-6600 - State BR version in the drop down in key validators

                                ECA-6605 - Create a unit test to ensure that CAA record sets that contain no ISSUE/ISSUE_WILD statements allow issuance

                                ECA-6607 - Refactoring the message keys of actions

                                ECA-6608 - GUI: Harmonize all popup windows

                                ECA-6610 - Remove redundant CAA language properties

                                ECA-6611 - Move guides section from EJBCA homepage to Confluence Documentation

                                ECA-6612 - Create an atomic WS call to perform key recovery

                                ECA-6613 - Include ConfigDump in ZipRelease

                                ECA-6614 - Allow PKCS#10 challengePassword encoded as IA5String

                                ECA-6616 - Source Confluence information from a PK-only properties file to avoid leaking data

                                ECA-6618 - Remove legacy documentation from EJBCA trunk

                                ECA-6619 - More gracefully handle deploying a Community release on an Enterprise installation

                                ECA-6637 - Basic System Configuration YAML export

                                ECA-6642 - When calling WS separate error messages if not authorized or if WS is disabled

                                ECA-6643 - Report unhandled getters in ConfigDump as errors

                                ECA-6645 - Make crypto token page resilient agains NPE when downgrading to Community

                                ECA-6650 - Ability to provide password piped to PKCS11HSMKeyTool

                                ECA-6651 - Update all links in the PrimeKey site to point to the new documentation.

                                ECA-6652 - ClientToolBox: document that generatenewuser uses two WS calls, and reference to certreq for the same functionality with a single WS call

                                ECA-6653 - EST re-enrollment should not also require username and password authentication

                                ECA-6657 - Improve performance when add a warning to each key in the crypto token already in use by another CA

                                ECA-6658 - Run.bat not in ejbca-db-cli

                                ECA-6675 - Move release notes, change log and upgrade documentation to Confluence

                                ECA-6679 - ConfigDump should handle relative paths on the CLI

                                ECA-6693 - Add ability to set explicitecc Crypto Token flag when renewing CA using the CLI

                                ECA-6697 - Allow for the same CT log appear in multiple CT log groups

                                ECA-6701 - Add Last-Modified, Expires and Etag headers to OCSP Post Responses

                                ECA-6706 - Restructure OCSP unid extension module to ejbca-ejb

                                ECA-6708 - Update tests for ProtocolLookupServerHttpTest for new UNID implementation

                                ECA-6716 - Remove Unid Data Source configuration and clean up Unid tests

                                ECA-6722 - Improve OCSP Extensions section in Admin GUI

                                ECA-6729 - File upload for test function of ExternalCommandCertificateValidator broken for Firefox and Chrome

                                Bug Fixes

                                ECA-5683 - Unescape escaped characters in SubjectAltName

                                ECA-6110 - Save should result in an error when 'Required' is checked for Subject DN Attributes

                                ECA-6489 - Header/footer filenames in System Configuration get reverted to default values

                                ECA-6500 - Typo in cesecore.properties.sample about ca.keepocspextendedservice

                                ECA-6502 - Approval state is not saved in Admin GUI

                                ECA-6507 - Certificate profile Approval style broken/ugly

                                ECA-6508 - ${ca.tokenpassword} in cli.xml should be quoted to allow whitespace and empty password

                                ECA-6510 - Cannot create certificate with a plus sign in SAN URI field

                                ECA-6538 - Modify all calls to FileUtils.writeStringToFile(...) to specify charset.

                                ECA-6548 - Approval Profiles WARNING javax.enterprise.resource.webcontainer.jsf.renderkit

                                ECA-6555 - Approve Actions with Status 'Expired' shows when Status 'Waiting' is used

                                ECA-6559 - Regression: CA Functions page broken due to non-JSP friendly code

                                ECA-6564 - Replace the word 'Unselect' by 'Deselect' in English language

                                ECA-6570 - Default CA Id is incorrect when importing an end entity profile with a missing CA Id

                                ECA-6571 - Search for expired approvals in RA Web is broken

                                ECA-6575 - Regression: importcacert command does not work with parameter 'initauth'

                                ECA-6579 - GUI: Word 'Actions' with 's' in table column headers

                                ECA-6581 - Regression: Add End Entity with name constraints permitted causes stacktrace

                                ECA-6589 - Regression: Editing an EE with name constraints causes NPE

                                ECA-6591 - Regression: DynamicUiProperty radio buttons not rendered

                                ECA-6597 - CAFingerprint of certificates are not populated correctly when importing CA and user certificates

                                ECA-6602 - Missing last used EE profile in Admin Preferences causes ConfigDump error

                                ECA-6609 - GUI: Tables graphically broken on home page

                                ECA-6621 - RA Web: Alignment of Certificate table

                                ECA-6639 - RA: New role can not be created if RA-login-role belongs to Namespace

                                ECA-6640 - Advanced search of EE doesn't follow RA Admin profile restrictions

                                ECA-6641 - WS through Peer RA does not work without a local Role on the RA

                                ECA-6644 - clientToolBox can not create proper CVCA link certificates

                                ECA-6654 - PublicCryptoToken can't be used for database protection verification

                                ECA-6656 - Order of SAN fields should not change if it comes from the CSR

                                ECA-6660 - RA: A comma in the certificate subject DN is displayed with leading /

                                ECA-6677 - ejbca-setup quick install script fails to run SQL cleanup commands

                                ECA-6678 - Warning about missing IKB ID null from ConfigDump

                                ECA-6681 - Fix warning about missing Validator getters from ConfigDump

                                ECA-6694 - CMP Configuration upgrade does not work

                                ECA-6698 - Unknown key binding causes Internal Key Bindings page to crash

                                ECA-6699 - CT label requirements (e.g. Google / non-Google) are sometimes not satisfied

                                ECA-6709 - Regression: Certificates with tag characters < > in directory name cannot be imported

                                ECA-6712 - 'Use IODEF E-mail' and 'Use IODEF WEB' checkmarks are behaving strangely

                                ECA-6718 - keyRecover WS call forwarded over peer connection throws if not available locally

                                ECA-6723 - OSCP signing cache does not update properly.

                                ECA-6725 - Fields not disabled when viewing a Validator

                                ECA-6730 - Fix test failures due to NPE in CaTestCase

                                EJBCA 6.11.1

                                21 Feb 2018

                                Bug Fixes

                                [ECA-6431] - End Entity Profile field validation should not allow empty fields
                                [ECA-6439] - GeneralPurposeCustomPublisher test command shows error message with empty path
                                [ECA-6443] - clientToolBox OCSP GET does not work with TLS connections
                                [ECA-6461] - Regression: Cannot enroll in Public Web
                                [ECA-6463] - Fix CrmfRequestTest.test12ServerGeneratedKeys
                                [ECA-6467] - Null pointer exception when enroling with EC in RA web
                                [ECA-6471] - Regression: It's only possible to add partitions to the first approval step
                                [ECA-6481] - Base64 decoding fails with BC v1.59
                                [ECA-6509] - XStream 1.4 lib requires JDK8
                                [ECA-6535] - EST not working on local CA when a peer connection to a VA is present
                                [ECA-6537] - EST: in EST profile Certificate Profile field not updated automatically when End Entity profile field is changed
                                [ECA-6542] - EST Aliases fail to add values for future keys
                                [ECA-6547] - Regression: Approval requests cannot be edited
                                [ECA-6556] - EST certificate profile and default CA is stored with name instead of ID
                                [ECA-6587] - No End Entity Profiles selected when viewing Role in Basic Mode after upgrading
                                [ECA-6603] - EST - Enroll with username/password not working through external RA
                                [ECA-6622] - CAA Issuance fails for domains where both issue and issuewild records exist in a certain order
                                [ECA-6624] - PeerConnectionTest.publishCertificate fails with database protection enabled
                                [ECA-6625] - Regression: Statedump and Database CLI doesn't work on with JDK8
                                [ECA-6633] - CMP: check if extraCert is active does not consider if it is notified about expiration
                                [ECA-6638] - Crypto Tokens are re-created and activated every time cache is reloaded


                                [ECA-6468] - CMP changes to return caPub certificates and lessen DN checks on VC certificate

                                New Features

                                [ECA-6212] - Add support for SHA3 signature algorithms
                                [ECA-6512] - CMP Vendor mode: ability to issue multiple certificates authenticated by the same Vendor certificate
                                [ECA-6577] - CMP ability to select CA certificates to add to caPubs in CMP responses (multiple order defined)
                                [ECA-6601] - CMP ability to select CA certificates to add to extraCerts in CMP responses (multiple order defined)


                                [ECA-6434] - CMP Vendor mode: Ability to have different requestDN from VendorCert DN where request DN lacks extract username component
                                [ECA-6435] - CMP Vendor mode: Ability to have different requestDN from VendorCert DN
                                [ECA-6440] - ExternalCommandCertifciateValidator to call external scripts only
                                [ECA-6460] - Upgrade EJBCA to BC 1.59
                                [ECA-6536] - Info-loggning for incoming and outgoing EST requests
                                [ECA-6540] - EST: improve help messages in EST alias
                                [ECA-6541] - EST/CMP/SCEP configuration should use password field
                                [ECA-6558] - Make EST be displayed in a nice way Enterprise vs Community
                                [ECA-6569] - Documentation: clarify steps to renew OCSP certificates
                                [ECA-6573] - Update CustomerLdapPublisher1
                                [ECA-6574] - Add documentation links to CMP and EST aliases pages
                                [ECA-6631] - CMP: find registered end entity by DN if username (extracted from DN) is not found
                                [ECA-6632] - CMP: don't include trust anchor in extraCert certificate list to verify



                                Bug Fixes

                                [ECA-6470] - Regression: Editing of approval profiles with multiple steps is broken
                                [ECA-6472] - Approval Requests with view rights don't turn up under the pending tab
                                [ECA-6490] - All approval partitions are visible when approving in the CA GUI
                                [ECA-6495] - EC Validator doesn't recognize keys with "EC" as algorithm
                                [ECA-6496] - RA Web, improve session re-authentication checks
                                [ECA-6498] - Minor security issue
                                [ECA-6504} - Null Pointer Exception when opening executed approval in Admin GUI

                                New Features

                                [ECA-6454] - Add NoCacheFilter to Public Web


                                [ECA-6482] - RA Style Improvements
                                [ECA-6497] - Improve authentication checks in Admin Web

                                EJBCA 6.11.0


                                Bug Fixes

                                [ECA-6086] - Document CAA IODEF limitations
                                [ECA-6120] - Document that CAA Validator requires TCP ports to be open in firewall
                                [ECA-6187] - clientToolBox. SCEPTest compares the wrong types in responses
                                [ECA-6199] - AdminWeb: Partitioned approval "Request has been executed"
                                [ECA-6222] - Public key exponent min value can be larger than max value for the RSA Key Validator.
                                [ECA-6223] - Possible to enter negative values in all numerical fields in RSA Key Validator
                                [ECA-6236] - Titles "Import CRL" and "Basic Functions" are not localized
                                [ECA-6237] - Display bug in Certificate Profile viewing
                                [ECA-6238] - GUI: Unknown language keys found in Audit Log
                                [ECA-6264] - Fix javadoc compilation errors
                                [ECA-6326] - Error when listing tokens on a HSM
                                [ECA-6330] - Error if default OCSP responder is set to NONE
                                [ECA-6345] - EJBCA Certificate Enrollment Error page
                                [ECA-6348] - when trying to navigate RA Web nothing happens (Blank page). Error message occured in logs
                                [ECA-6371] - Status labels not localized in "Protocol Configuration"
                                [ECA-6374] - ECC Key Validator shows incorrect label
                                [ECA-6376] - Add fields in Partitioned Approval results in java.lang.NullPointerException
                                [ECA-6388] - RA Web: Role Members issued by External CAs states "Unknown CA"
                                [ECA-6391] - CT Log Lifetime table accepts negative values
                                [ECA-6392] - Supervisor does not have access to certificate in audit log
                                [ECA-6417] - MAXFAILEDLOGINATTEMPTS in ExtendedInformation can be saved as a string if set via WS
                                [ECA-6421] - Regression: System Config cannot be saved, NPE
                                [ECA-6422] - Google Ct Policy is reset after flushing cache and saving
                                [ECA-6424] - Clicking on Add End Entity(request) in Approve actions page results in Internal Server Error
                                [ECA-6427] - Misplaced null check in EST operations session bean
                                [ECA-6429] - Regression: NPE in Admin GUI editing CVC CA that was created before validators
                                [ECA-6433] - RA Web: End Entity status change doesn't work from external RA
                                [ECA-6442] - Add dummy AlwaysAllowAuthenticationToken.InternalMatchValue in order to deserialize expired approval requests
                                [ECA-6445] - Upgrade of CAA Validator not triggered when ValidatorBase changed
                                [ECA-6449] - All form fields in End Entity Profiles page should have auto-complete disabled

                                New Feature
                                [ECA-4220] - Support for EST protocol
                                [ECA-4650] - GUI: View functionality for default certificate profiles
                                [ECA-5869] - Add links to an End Entity's certificates in the RA EE Search page.
                                [ECA-5870] - Allow for EE status change from the RA
                                [ECA-5997] - StateDump Validators
                                [ECA-6051] - Add post-processing to Validator framework
                                [ECA-6083] - In the Create CA screen, add a warning to each key in the crypto token that is already used by another CA
                                [ECA-6279] - Add GUI support for CAA misissuance reports w. IODEF
                                [ECA-6280] - Add WS IODEF support in backend for CAA misissuance reports
                                [ECA-6293] - Implement datatype for IODEF
                                [ECA-6313] - Use XML converter for IODEF types
                                [ECA-6315] - Support for CVC certificate extensions
                                [ECA-6383] - Support for FIPS 201-2 PIV FASC-N subjectAltName
                                [ECA-6404] - Include CMP Transaction ID in the log of CMP Proxy
                                [ECA-6425] - Password generator in clientToolBox
                                [ECA-6447] - Add a configurable whitelist to external validators
                                [ECA-6455] - Write documentation for EST

                                [ECA-5944] - Go through RaMasterApi and verify that the presence of a certificate does not prevent forwarding of the request

                                [ECA-3838] - Move DummyApprovalRequest into a test module
                                [ECA-3844] - Move all CRUD methods from CAData into CaSessionBean
                                [ECA-4476] - Name constraints should be validated before approval request gets added
                                [ECA-6155] - Make "treat lookup failure as permission to issue" configurable for CAA lookups
                                [ECA-6229] - Clean up unused language keys
                                [ECA-6246] - Introduce protocol configurations in system config
                                [ECA-6247] - Deny access to disabled protocols globally
                                [ECA-6249] - Modular Protocol Configuration to the RA over Peers
                                [ECA-6257] - Code clean up in RA Preferences.
                                [ECA-6285] - Improve comment about 'web.errorpage.notification' in 'web.properties.sample'
                                [ECA-6286] - Standard Date/Time examples for the logs
                                [ECA-6291] - Language files clean up, sorting "Mostly Configuration Module"
                                [ECA-6329] - OcspKeybindings should display active status
                                [ECA-6331] - Refactoring "HELPER" message keys in language files
                                [ECA-6333] - Document modular protocol configuration
                                [ECA-6366] - Add jboss-deployment-structure for BC provider on Oracle JDK for external RA SCEP server
                                [ECA-6367] - Add a constant for key purpose 0, defaultKey
                                [ECA-6368] - Remove old unused help links
                                [ECA-6369] - Change default OCSP signature algorithm to use SHA-256
                                [ECA-6370] - Update 'second' CSS style according to 'default' one
                                [ECA-6377] - Move profile ID constants into the correct classes
                                [ECA-6379] - Old list of Role Members is used when an Approval Request is created
                                [ECA-6396] - Specify Bouncy Castle provider explicitly for audit log verification
                                [ECA-6402] - Add test for expiration year filtering of CT Logs
                                [ECA-6405] - Notify user when RA is offline
                                [ECA-6407] - Modular protocol configuration over Peers using access rules
                                [ECA-6409] - Internal Key Bindings page throws exceptions when there's a crypto token error
                                [ECA-6410] - Modular protocol configuration improvements - Implement servlet filter
                                [ECA-6418] - Improve error handling for CV certificates
                                [ECA-6423] - Add Javadoc for CaConstants
                                [ECA-6428] - Modular protocol configuration improvements - UI, Configuration
                                [ECA-6430] - Custom CVC extensions in link certificates
                                [ECA-6432] - Improve error message to distinguish between client and server cert in peer connector
                                [ECA-6446] - Add a system configuration value for enabling External Command Validators
                                [ECA-6452] - "External Command" text frame in External Command Certificate Validator should be wider
                                [ECA-6457] - Create an upgrade routine that enables External Scripts (under System Configuration) only if any General Purpose Custom Publishers exist



                                Bug Fixes

                                [ECA-6426] - EJBCA needs "System upgrade" (from 6.8 -> 6.10.1) on a freshly installed database on the appliance

                                EJBCA 6.10.1


                                Bug Fixes

                                [ECA-5945] - 'Roles which may approve this partition' resets when Members of role changes
                                [ECA-5977] - Continue to check connectivity to peers after MariaDB Galera Cluster error
                                [ECA-6198] - Upgrading KeyRecoveryData (with rows) past EJBCA 6.1.0 will fail
                                [ECA-6250] - AccessTreeUpdateData accessed too often, causing performance reduction
                                [ECA-6256] - "Description" attribute can not be used in Subject DN
                                [ECA-6258] - Approval partition metadata doesn't show up unless the partition has a title
                                [ECA-6264] - Fix javadoc compilation errors
                                [ECA-6268] - Approval metadata is lost in the RA gui when a request moves from Pending to Processed
                                [ECA-6274] - Approving/Viewing roles are removed when metadata is added to an Approval Profile
                                [ECA-6278] - CA Renewal with name change logs caid as 0
                                [ECA-6281] - Add flag to not reverse Custom DN order by the LDAP DN Order setting
                                [ECA-6300] - upgrade() in CAs should set new version last
                                [ECA-6327] - Wrong CT error message when saving certificate profile
                                [ECA-6341] - Upgrade of extended services from version before EJBCA 5 doesn't work correctly
                                [ECA-6343] - AccessUserAspectData must handle null matchValues after upgrade
                                [ECA-6346] - CAA fails to ignore issuewild statements for non-wildcard domains
                                [ECA-6348] - when trying to navigate RA Web nothing happens (Blank page). Error message occured in logs
                                [ECA-6349] - Error editing access rules and members in role in GUI after upgrade, can not get role with negative ID
                                [ECA-6358] - RA End Entity Search stops working until page reload if session is lost
                                [ECA-6359] - Certificates with null or zero End Entity Profile not accessible through RA
                                [ECA-6360] - X509AuthenticationToken match should ignore null values
                                [ECA-6375] - CAA mispelled in documentation
                                [ECA-6382] - Adding a new CT log without a label makes it unselectable
                                [ECA-6389] - Cosmetic Fixes to CT Log Configuration
                                [ECA-6393] - Sort CT Labels
                                [ECA-6394] - search.cgi certificate download by subejctKeyID hash doesn't always return the last if there are multiple
                                [ECA-6395] - Remove CTLOGTAB_MOVEDCTLOGS message
                                [ECA-6403] - Minimum SCTs should be possible to set to zero

                                New Features

                                [ECA-6303] - Replace the current "mandatory/non-mandatory" setting for CT logs with a basic label system
                                [ECA-6304] - Upgrade CT logs using the mandatory/non-mandatory binary setting to the label system
                                [ECA-6305] - Document new CT logs features
                                [ECA-6307] - Add code to System Configuration for adding/removing/editing CT log labels
                                [ECA-6309] - Modify Certificate Profiles to use the CT log label system instead of the mandatory/non-mandatory for min/max
                                [ECA-6310] - Create a table in CT settings for having the minimum number of logs set by validity at issuance
                                [ECA-6312] - Add an option in Certificate Profiles for CT log publishing to base the minimum number of logs on validity.
                                [ECA-6351] - Add CT backend support for labels, and submit to all logs in parallel
                                [ECA-6363] - Backport CVC Certificate Extensions to 6.10.1
                                [ECA-6365] - Custom CVC extensions in certificate requests
                                [ECA-6385] - Allow CT submission to use implicit min/max defined by validity (configuration option)
                                [ECA-6399] - Allow CT submission to use implicit min/max defined by validity (backend)


                                [ECA-6406] - Fix CT performance and error logging regressions
                                [ECA-5879] - Update quick install guide with ejbca-setup scripted installation
                                [ECA-6248] - Microoptimization of X509CertificateAuthenticationToken
                                [ECA-6260] - CaSession.getAllCaIds queries the database every time and should be cached
                                [ECA-6261] - Micro-optimize status lookup in WebAuthenticationSession.authenticate
                                [ECA-6262] - RaMasterAPI should cache active CA to determine if backend is available
                                [ECA-6263] - CertificateData.existsByIssuerAndSerno can be a micro-optimized
                                [ECA-6270] - Micro-optimize EndEntityManagementSession.existsUser
                                [ECA-6275] - Micro-optimize away one getIssuerDN in CertificateCreateSessionBean
                                [ECA-6276] - Remove dual verification of POPO
                                [ECA-6277] - Optimize to avoid repeated certificate encoding/decoding converting into BC class
                                [ECA-6297] - Optimize EjbcaWS to only enrich with raw subject DN when override will be used
                                [ECA-6306] - Avoid ArrayCopy in DNFieldExtractor.getUseFields
                                [ECA-6308] - Pre-allocate enough byte array buffer when writing XML
                                [ECA-6311] - Cache StringTools internal CharSet for forbidden characters
                                [ECA-6314] - Don't use Exception as condition handling in RequestMessageUtils
                                [ECA-6317] - Micro-optimize exists queries and get status
                                [ECA-6318] - Save one BCrypt operation internally in a transaction
                                [ECA-6334] - Remove old CT code
                                [ECA-6335] - Document required upgrade steps from EJBCA 3.x to 6.10
                                [ECA-6353] - Duplicated role members after upgrade to 6.8
                                [ECA-6381] - Forbid upgrading EJBCA from versions prior to 5.0.0
                                [ECA-6397] - Filter CT logs based on expiration date of certificate



                                Bug Fixes

                                [ECA-6346] - CAA fails to ignore issuewild statements for non-wildcard domains



                                Bug Fixes

                                [ECA-6251] - Regression: "Custom" access rule template no longer shows up in the simple role page
                                [ECA-6267] - Regression: Don't issue for gazebear.org
                                [ECA-6269] - Regression: Preferences tab in RA gives error
                                [ECA-6273] - References to commons-logging upgrade not updated for CMP Proxy


                                [ECA-6244] - Issue for gazebear.info when DNSSEC enabled

                                EJBCA 6.10.0


                                [ECA-5959] - Disabling OcspKeyBinding doesn't take effect until restart
                                [ECA-6004] - RA Web: The field SAN MS-UPN is broken in Make New Request
                                [ECA-6042] - Forbid non-modifiable empty Subject DN/Alt Name/Directory Attributes in EEP
                                [ECA-6043] - Public Web: Create Keystore for Key Recovery displays Key specification drop-down menu
                                [ECA-6101] - Disabling authorization cache, with value -1, gives error
                                [ECA-6102] - Possible NPE when looking for database error to display
                                [ECA-6119] - Regression: Role Members normalizes serial numbers with leading zeros
                                [ECA-6143] - Regression: RA web can't process CSR
                                [ECA-6147] - CMP Revocation with PBE responseProtection where KeyId is missing gives NPE
                                [ECA-6151] - Misplaced "invalid certificate request" message
                                [ECA-6153] - Regression: Processed approvals not listed in RA web
                                [ECA-6157] - NPE in RA enrollment page when there's an end entity e-mail but no SAN
                                [ECA-6158] - EST checkin causes Community build to fail
                                [ECA-6159] - CMP: revocation should handle empty header.recipient
                                [ECA-6163] - CAA Validator outputs stacktrace for expired DNSSEC protected records
                                [ECA-6164] - Regression: ClassCastException when visiting "Search End Entities" in /ejbca/adminweb
                                [ECA-6181] - NPE editing end entity with name constraints in profile, but no ExtendedInformation in entity
                                [ECA-6183] - ServiceTypeHolder and ModuleTypeHolder.equals compares the wrong type
                                [ECA-6184] - HardTokenInformation.equals compares the wrong type
                                [ECA-6185] - RaRoleMemberBean compares the wrong type in getAvailableMatchKeys
                                [ECA-6186] - PeerRaMasterServiceThreadBean compares the wrong type in keepServingRaPeer
                                [ECA-6188] - GUI: Certificate Profiles form visually broken
                                [ECA-6190] - EJBCA 6.x should handle legacy access match types from EJBCA 3.x
                                [ECA-6193] - ejbca.cmd on windows does not handle enough arguments for all commands
                                [ECA-6194] - CMP: enabling CMP over tcp causes deployment failure on modern Jboss
                                [ECA-6201] - CMP: CA by KeyId function should work with internaltionalized characters, but be limited in length
                                [ECA-6209] - CAA Validator seems to fail for gaps in DNSSEC domain records
                                [ECA-6214] - Fix warnings in CT code
                                [ECA-6216] - EJBCA's implementation of ValidatingResolver fails to receive an NSEC3 if CAA record set on domain is empty
                                [ECA-6218] - Regression: NPE when performing browser enrollment with "allow extension override" enabled
                                [ECA-6225] - Concurrent modifiation in ConfigurationHolder during startup with custom WS modifications
                                [ECA-6231] - OCSP Responder may crash the VA's default responder signing certificate has expired.
                                [ECA-6232] - Upgrade seems to cause a ConcurrentModificationException since lib upgrade
                                [ECA-6233] - Correct upgrade guide in terms of obligatory versions
                                [ECA-6235] - Hide EST Configuration menu options if module is not present
                                [ECA-6240] - Roles upgraded from old (<4.0) installations may create a stacktrace in the UI
                                [ECA-6242] - commons-configuration 1.10 breaks system tests

                                New Feature
                                [ECA-5848] - Allow an RA Admin to request a shorter validity time than is set in the profile
                                [ECA-6024] - CMP Central Key Generation
                                [ECA-6095] - Rewrite EJBCA RA Web to be able to read CSS files from an archive stored on the database.
                                [ECA-6096] - Add to the peers protocol the ability to transmit stored CSS archives from the CA to the RA
                                [ECA-6097] - Define RA CSS by the role of the logged in user
                                [ECA-6100] - Add possibility to import and store custom RA CSS file
                                [ECA-6176] - Ability to upload custom logo images and multiple CSS files
                                [ECA-6177] - Enable injection of uploaded logo images
                                [ECA-6178] - Introduce 'Preferences' menu item in RA
                                [ECA-6191] - Mandatory SCT responses
                                [ECA-6195] - Add Infineon weak key checking to RSAKeyValidator (ROCA,
                                [ECA-6197] - Document Custom RA Styles
                                [ECA-6213] - Apply RA Style selected from the 'Preference' menu in RA-web

                                [ECA-2723] - When deleting an End Entity Profile, list which end entities/authorization rules that actually use it.
                                [ECA-3222] - CMP: Add back the ability to use "KeyId" in AdminGUI
                                [ECA-5381] - Allow approval of other requests than Add End Entity in the RA if the admin is missing that privilege
                                [ECA-5383] - Upgrade external libraries
                                [ECA-5610] - Pagination during search exceeding max records
                                [ECA-5698] - Improve Certification Authorities usability
                                [ECA-5741] - All search pages appear to be case sensitive
                                [ECA-5927] - Review which Role Member match operators that should be case sensitive
                                [ECA-6108] - Move DnsNameValidatorMock to systemtests-common and log error for possible NPE when loading Profile
                                [ECA-6131] - Not possible to change CA subjectAltName using cli
                                [ECA-6138] - Parallelisation of CAA lookup for certificate with multiple SANs
                                [ECA-6150] - Stop writing complete stack traces for expected validation failures
                                [ECA-6167] - Add Peer Connector RA illustration to architecture documentation
                                [ECA-6168] - GUI: Internal Key Bindings form usability
                                [ECA-6169] - GUI: Certification Authorities form usability
                                [ECA-6170] - GUI: Crypto Token form usability
                                [ECA-6174] - Skip PKCS11-tests if no PKCS11 driver is installed
                                [ECA-6179] - Shorten AIA label in Certificate display popup
                                [ECA-6196] - Improve cache for custom RA styles
                                [ECA-6211] - Add Quirin's tests to CaaTestSuite
                                [ECA-6224] - Increase max length of Admin GUI altName input fields
                                [ECA-6228] - GUI: Validators form usability
                                [ECA-6245] - Remove EJBCA license headers from ValidatingResolver classes

                                EJBCA 6.9.1


                                [ECA-6103] - importcert command fails in some instances for DirectoryName SAN values
                                [ECA-6104] - DNAME records are not followed correctly by CAA Validator
                                [ECA-6115] - CMP: error verifying extraCerts in RA mode when more than the EE cert is present in a chain longer than two
                                [ECA-6117] - Certificate with empty attribute can not be imported
                                [ECA-6121] - CAA Validator doesn't fail for nonsense domains.
                                [ECA-6135] - Regression: Key WS Key recovery requires call to edituser() before enrollment
                                [ECA-6148] - Remaining login attempts counter not decreased using public web
                                [ECA-6152] - Regression: Uploading EC CSRs in RA result in exception

                                New Feature
                                [ECA-6063] - Make Trust Anchor for CAA Validators configurable
                                [ECA-6116] - Add TTL information to CAA Tool output
                                [ECA-6133] - Add whitelist possibility to CAA Validator

                                [ECA-6064] - Optimize issuance by minimizing EndEntity XML encoding/decoding
                                [ECA-6093] - Optimize ConfigurationHolder.getPrefixedPropertyNames
                                [ECA-6105] - Raw subject DN extended information should be base64 encoded
                                [ECA-6118] - Ability to use "description" attribute in directoryName fields
                                [ECA-6122] - Add additional logging to CAA Validator
                                [ECA-6123] - Make recursion depth configurable for CAA Validators
                                [ECA-6127] - CAA Validator should only lookup CAA records instead of ANY
                                [ECA-6128] - Make querying top level domains (TLDs) for CAA lookups optional
                                [ECA-6129] - Introduce DNS lookup caching for multiple SANs in the CAA Validator
                                [ECA-6136] - DNSSEC should be enabled by default in the CAA validator
                                [ECA-6137] - Issue if CAA lookup failed more than once and there is no DNSSEC chain to the ICANN root
                                [ECA-6145] - Support CNAME discovery as in Errata 5065
                                [ECA-6149] - Fill in default CAA Validator timout in the UI
                                [ECA-6150] - Stop writing complete stack traces for expected validation failures
                                [ECA-6161] - Make DNAME lookups in CAA validator optional



                                [ECA-6107] - CAA validation allows issuance of wildcard certificates for subdomains, even though issuance is prohibited.
                                [ECA-6124] - CAA max recursion count is triggering for other checks than CNAMES
                                [ECA-6125] - KeyValidatorSession splits DNSNames incorrectly for CAA lookups
                                [ECA-6126] - CAA Validator fails for a SocketTimeoutException



                                [ECA-6107] - CAA validation allows issuance of wildcard certificates for subdomains, even though issuance is prohibited.



                                [ECA-6106] - CAA Validator should keep looking up domain tree even if NXDOMAIN is encountered



                                [ECA-6099] - Ra Web: Trying to enroll P12 for user added in Admin GUI gives NPE



                                [ECA-6088] - Create tables scripts all refer to the PublicKeyBlacklistData instead of BlacklistData



                                [ECA-6088] - Role Member caching does not play well with clusters
                                [ECA-6089] - NPE when upgrading from 6.9.0Beta to 6.9.0Final due to IODEF
                                [ECA-6091] - NPE in View Certificates in RA Web if certificates have no KeyUsage

                                EJBCA 6.9.0


                                [ECA-4853] - Some fields aren't grayed out in read-only services
                                [ECA-5524] - Admin GUI should prevent saving of empty QC statement
                                [ECA-5672] - Add/Edit End Entity page silently removes e-mail if domain is omitted
                                [ECA-5904] - Stack trace printed on screen when enrolling EE with invalid QC
                                [ECA-5905] - Link certificate should have the same expire date as old ca certificate
                                [ECA-5917] - Auditor, wrong layout on 'Certificate Profiles'
                                [ECA-5946] - Possible to send a request to create an End Entity that already exists from RA Web
                                [ECA-5949] - WebService API: the field sendNotification in UserDataVOWS isn't set
                                [ECA-5950] - Duplicate entries of the member 'SuperAdmin' in 'Super Administrator Role'
                                [ECA-5960] - CMPv2 extraCerts field not correctly (re)ordered in all cases
                                [ECA-5965] - Missing value for view_request_page_data_value_UNREVOKE
                                [ECA-5967] - E-mail notification sends the old 'uniqueId' if request has been rejected
                                [ECA-5969] - transactionId and recipiantNonce are not always set in CMP error messages.
                                [ECA-5971] - NullPointerException if clicking 'Save state' in failed Approval Action window
                                [ECA-5975] - getApprovalProfileForAction can throw exception if no approval is required
                                [ECA-5978] - RA enrollment with requestid doesn't authenticate password with reusecert = true
                                [ECA-5979] - Request to change Username of End Entity changes the Username and sends a request
                                [ECA-5980] - Unable to approve End Entity revocation request
                                [ECA-5981] - Enrollment by username does not work on the RA
                                [ECA-5984] - Two admins opening the same approval request and trying to approve causes NullPointerException
                                [ECA-5988] - Checking if key recovery is possible in the RA checks all listed certificates
                                [ECA-5989] - Statedump: "AuthorizationDeniedException: Granted access of the current administrator might be affected by this change"
                                [ECA-6003] - Public Web: The field SAN MS-UPN is broken in Self-registration
                                [ECA-6005] - Various NPEs for CMP Revocation requests with faulty payloads
                                [ECA-6009] - ClearCache fails with exception in some cases
                                [ECA-6012] - Key recovery flag not reset on rejected approval using local key generation
                                [ECA-6016] - Approval Profiles doesn't update until logout
                                [ECA-6018] - Deleting an Approval/Certificate Profile and then clicking 'View' causes NullPointerException
                                [ECA-6020] - Adding end entity in admin GUI with autogenerated username gives error
                                [ECA-6022] - Rejecting both partitions of Approval Request generates error message
                                [ECA-6023] - AuthenticationKeyBinding.isClientSSLCertificate should not require KU keyEncipherment
                                [ECA-6030] - Upgrade is never called for Validator
                                [ECA-6033] - Non-modifiable empty End Entity E-mail should not be allowed in EEP
                                [ECA-6034] - WebService: CertificateCreateException should be wrapped in order to pass on good message and error code to client
                                [ECA-6035] - Selecting nothing under 'Available CAs' when editing an EEP causes NullPointerException
                                [ECA-6036] - [Public Web] Request Registration should not display step 2 if EEP/CP is invalid
                                [ECA-6060] - Disabled remote key bindings not displayed as such in admin gui
                                [ECA-6061] - End entity profiles with User Notifications can't be imported
                                [ECA-6065] - 'New...' button for 'Namespace' does not function if you haven't selected an existing 'Namespace'
                                [ECA-6066] - CA_Administrator documentation does not match about 'Renew CA'
                                [ECA-6070] - Approving a Key Recovery request on the RA requires /ca_functionality/approve_caaction/
                                [ECA-6074] - RA Web: enroll with username and code displays "Key Algorithm: null null"
                                [ECA-6076] - 'Available bit lengths' is disabled under 'RSA Key Validator Settings'
                                [ECA-6080] - Auditor pre-defined role can not view selected Validators
                                [ECA-6081] - Validators Access Rules not saved for RA Administrators,Auditors and Supervisors pre-defined role

                                [ECA-5175] - Support for delegated key pair generation

                                New Feature
                                [ECA-2853] - Implement CMP ImplicitConfirm
                                [ECA-4219] - Verify public keys before cert issuance
                                [ECA-5286] - Make CA based Key recovery possible on RA
                                [ECA-5627] - DNS Certification Authority Authorization (CAA) Resource Record
                                [ECA-5644] - Add the ability to download P10 from approval and end entity view in RA
                                [ECA-5866] - Add configuration value to approval profiles for whether or not the original submitter should be allowed to approve
                                [ECA-5954] - Add system config option for local key generation
                                [ECA-5955] - Document Key validators
                                [ECA-5956] - Encrypt keypair for key recovery using a selectable crypto token, for local key generation
                                [ECA-5957] - Ability to request key recovery from RA Web
                                [ECA-5966] - Add MIME type for VBScript (for IE enrollment)
                                [ECA-5972] - Support for getting the certificate chain as response in the IKB update message
                                [ECA-5983] - Document delegated key recovery
                                [ECA-5987] - Make it possible to mark certificate for recovery using local key generation
                                [ECA-6006] - ClearCacheCommand should clear validator cache
                                [ECA-6019] - Add EjbcaWS support for key recovery with local key pair generation
                                [ECA-6045] - Implement CAA Validator in EJBCA
                                [ECA-6047] - Implement the IODEF CAA record type (e-mail)

                                [ECA-6015] - Update RA documentation with Role Management
                                [ECA-6021] - Work around hibernate bug with MS-SQL that makes ResultSetMapping fail
                                [ECA-6025] - Document how to increase max parameter count in WildFly

                                [ECA-5697] - Certificate Profiles usability
                                [ECA-5884] - Upgrade EJBCA to BouncyCastle 1.57
                                [ECA-5907] - certprofiles.zip / entityprofiles.zip is not a zip file
                                [ECA-5919] - Name Constraints exception when adding End Entity
                                [ECA-5948] - Make pre-issuance public key blacklist available outside of EJB context
                                [ECA-5952] - Base key validators on Profiles and put into ProfileData
                                [ECA-5958] - Extract ProfileSessionBean from ApprovalProfileSessionBean
                                [ECA-5962] - cmpclient: be more forgivning of cache-control content
                                [ECA-5974] - Restrict visibility of key validators by Certificate Profile
                                [ECA-5976] - Move KeyValidatorsBean.importKeyValidatorsFromZip(byte[]) into session beans
                                [ECA-5996] - SecureXMLDecoder should handle exported classes
                                [ECA-5999] - Remove unused constants from UserDataVOWS
                                [ECA-6000] - Improve label consistency on role pages in the RA
                                [ECA-6007] - Improve Role Member performance
                                [ECA-6013] - Default PKCS #11 libraries updated (OpenSC, SoftHSM, PKCS11 Spy)
                                [ECA-6014] - Sort list of CAs and Certificate Profiles in the CMP alias page
                                [ECA-6028] - System test for delegated key generation
                                [ECA-6029] - Have EjbcaWS.getRemainingNumberOfApprovals(int) throw exceptions for approval requests which have been denied or which have expired
                                [ECA-6054] - Generalize PublicKeyBlacklistData into BlacklistData
                                [ECA-6062] - Sort validators alphabetically and list validator type in menu
                                [ECA-6067] - Have selecting the "Apply for all Certificate Profiles" checkbox in Validators disable the "Apply for Certificate Profiles" list
                                [ECA-6077] - Documentation on the format and perform validation on certificate validity fields on Validators Edit page
                                [ECA-6079] - Validators is not available for pre-defined RA_Administrator
                                [ECA-6082] - Remove imports/export functionality for Validators.



                                [ECA-6056] - Databaseprotection does not work with CertificateProfiles using Approvals

                                EJBCA 6.8.0


                                Technical Requirement
                                [ECA-4793] - RA configuration should be retrieved from the CA

                                [ECA-4550] - Space in email field results in misleading error message
                                [ECA-5287] - Stack overflow on peer RA if the rule /ra_master_invoke_api is not accepted
                                [ECA-5311] - RA Enrollment does not work if the request was added in the AdminGui
                                [ECA-5364] - CSR in End Entity extendedInformation is removed when request is edited in admin GUI
                                [ECA-5380] - Approve Actions search does not work with certain Status options is approval is expired
                                [ECA-5453] - DN value with only spaces causes exception in the RA enrollment page
                                [ECA-5458] - Extra access rules are required for creating certificates through the RA
                                [ECA-5480] - Remove prioritization arrows in View page for Approval Steps
                                [ECA-5483] - Buttons positions under Approval Steps are not positioned properly
                                [ECA-5485] - Approve Actions table items are not aligned properly
                                [ECA-5604] - /ca_functionality/view_certificate is seemingly unused
                                [ECA-5623] - When editing end entities timeModified and timeCreated are logged incorrectly
                                [ECA-5628] - Command description for RevokeCertificateCommand breaks formatting.
                                [ECA-5694] - Disable prioritizing arrows in Approval Profiles view-only
                                [ECA-5707] - Error sending approval profile notifications using MS-SQL
                                [ECA-5712] - 'Use UTF-8 in policy notice text' is disabled using the External CA
                                [ECA-5722] - Searching for certificates by serial number does not work in the RA
                                [ECA-5731] - GUI: Cosmetic bug in CA edit page
                                [ECA-5735] - WaitingForApprovalException changed in core but not WS
                                [ECA-5743] - Enable fresh install with new authorization system
                                [ECA-5748] - AccessRulePlugin needs to be able to provide resource name
                                [ECA-5758] - End Entity Profiles allows for creating hidden EEPs based on case
                                [ECA-5762] - EJBCA Installation Instructions, missing reload when adding email service
                                [ECA-5767] - Soft CA Token key alias set to wrong value in upgrade from 4.0
                                [ECA-5772] - Subscribe cache to local authorizations system updates
                                [ECA-5776] - RoleMemberData.tokenMatchValue is not allowed to be empty on Oracle
                                [ECA-5778] - Crypto Tokens page considers an apostrophe invalid in character names
                                [ECA-5784] - Legacy script based autoenrolment should not remove end entity profile
                                [ECA-5791] - Incorrect syntax in generated SQL query when searching for approval requests
                                [ECA-5794] - Denying access rule /ca/ (recursive for all CAs) allows listing of end entities from multiple CAs
                                [ECA-5801] - CMP: RA CA not found when using ProfileDefault EndEntityCertificate authentication module
                                [ECA-5803] - CMP key update request updates revoked certificates
                                [ECA-5807] - Attempting to add hard token issuer with insufficient access displays NumberFormatException
                                [ECA-5808] - Documentation regression: Error in installation instruction
                                [ECA-5812] - Internal key bindings allows listing of CAs not authorized to role
                                [ECA-5815] - Can't close role add/rename/delete dialogs if there's an error
                                [ECA-5822] - Importing a certificate in the CLI to a keybinding with the wrong keys causes a stacktrace
                                [ECA-5823] - CMP error handling causes a NullPointerException if message header lacks transaction ID
                                [ECA-5824] - Simplified AdminGUI authorization for request processing configuration fails to set all rules
                                [ECA-5829] - Advanced Search End Entities page in CA UI doesn't parse apostrophes
                                [ECA-5830] - Details column in Audit log shows only encoded base64 if text contains accent characters (ë, è, ê, etc)
                                [ECA-5831] - Non-ASCII characters in audit log export are incorrectly encoded as XML entities
                                [ECA-5834] - Search for on audit log using 'contains' on 'Details' column can't parse apostrophes
                                [ECA-5850] - Timing sensitive CT unit tests can fail if they run first
                                [ECA-5853] - Upgrade to 6.7.0 fails due to Use Default CA Issue value
                                [ECA-5859] - Change crypto token CLI command does not work if old crypto token does not exist
                                [ECA-5861] - Regression: EjbcaConfigurationHolder produces unwanted garbage output in CLI
                                [ECA-5871] - End Entity Profiles are sorted case sensitive in Access Rules Page.
                                [ECA-5872] - Viewing EE in RA-gui displays approval request ID incorrectly
                                [ECA-5874] - Custom certificate extension in GUI is missing RAW encoding option
                                [ECA-5887] - CESeCoreUtils.makeKeyUnmodifiable reports success even if HSM does not allow to change CKA_MODIFIABLE
                                [ECA-5888] - Better error message handing requests with dnEmail or UPN without @
                                [ECA-5890] - InternalKeybinding properties render in the wrong order
                                [ECA-5892] - PDS URL + location inside a QCstatement is not persisted when exporting the certificate profile
                                [ECA-5893] - Regression: Certificate profiles cannot be imported
                                [ECA-5895] - RA Manage request review causes NPE for revocation request
                                [ECA-5898] - Wrong default timeout for CT Logs
                                [ECA-5906] - 'Save state' in executed 'Approve Action' leads to NullPointerException
                                [ECA-5910] - Cloning an approval profile puts the old ID in the data of the new profile
                                [ECA-5911] - Approve request to add already existing End Entity causes NullPointerException
                                [ECA-5916] - CA Name Change link certificate shows wrong Issuer DN
                                [ECA-5918] - error in console log when editing certificate profiles
                                [ECA-5922] - Statedump: Internal key binding properties are not imported
                                [ECA-5923] - Create CA as CA Administrator gives Error message: For input string: ""
                                [ECA-5924] - Access to all CA's required to edit CA
                                [ECA-5925] - Exception removing last radio button on approval profile
                                [ECA-5930] - Old ExternalRA needs Base64GetHashMap as acceptable class for serialization
                                [ECA-5934] - Debug log always, falsely, claims cadata can not be fetched
                                [ECA-5938] - Unable to save end entity profiles without specified date when custom validity is enabled
                                [ECA-5939] - Available CAs in End Entity profile not sorted properly
                                [ECA-5940] - Perform more stringent validation of CMP Vendor and RA mode extraCert certificates

                                New Feature
                                [ECA-4222] - Support the EFF ACME (REST) protocol
                                [ECA-4779] - Support Windows Autoenrollment through a proxied RA
                                [ECA-5019] - Rolling upgrades of CA and RA servers should be possible
                                [ECA-5174] - Add GUI and WS support for ID on SIM subjectAltName
                                [ECA-5337] - WS method to import/update external CA certificates
                                [ECA-5617] - Create the new RoleMemberData object and associated session bean.
                                [ECA-5618] - Upgrade Roles/Rules according to the new design.
                                [ECA-5625] - Ability to do post-upgrade from GUI
                                [ECA-5629] - Create the new RoleData object and associated session bean.
                                [ECA-5630] - Create a basic page in the RA UI for Roles Management
                                [ECA-5631] - Create an RA page for Roles Management
                                [ECA-5632] - Create an RA page for Roles Members Management
                                [ECA-5633] - Create an RA page for editing Role and Access Rules Management
                                [ECA-5634] - Upgrade Role Members according to the new design.
                                [ECA-5635] - Use new Role and RoleMember instead of AdminGroupData and AdminEntityData
                                [ECA-5648] - Use value object RoleMember instead of RoleMemberData in API
                                [ECA-5653] - Add tokenIssuerId column to RoleMemberData
                                [ECA-5669] - Cache authorizations for the exact same client
                                [ECA-5676] - Always delete all Role's RoleMembers when deleted
                                [ECA-5714] - Add human readable description to Role Members
                                [ECA-5734] - Add P11Spy as known P11 implementation to web.properties
                                [ECA-5737] - Provide conversion from Role's accessRules to AccessSet
                                [ECA-5742] - Create system tests for for RoleMemberSessionBean
                                [ECA-5751] - Handle HardTokenIssuerData.adminGroupId during upgrade
                                [ECA-5755] - Write system tests for role namespaces
                                [ECA-5773] - Create documentation for all and any rules used in EJBCA
                                [ECA-5796] - Experimental support for Curve25519 (ECDSA with Curve25519 curve)
                                [ECA-5800] - Document all Audit Log Events
                                [ECA-5817] - RaMasterApi with outgoing upstream connection from RA
                                [ECA-5825] - System test RA over outgoing peer connections
                                [ECA-5842] - Ability to modify the built-in password encryption/obfuscation key
                                [ECA-5843] - Add Georgian as a language to QC Statements extension
                                [ECA-5846] - Implement CMP proxying on the RA
                                [ECA-5857] - Ability to download CSR from Approve requests and view end entity in RA
                                [ECA-5867] - Add Vietnamese language files
                                [ECA-5880] - Create "Unknown is unauthorized" mode for OCSP responses
                                [ECA-5886] - Disable the nonce extension for individual OCSP responders.
                                [ECA-5891] - Add Utimaco P11 R2 to default P11 libraries
                                [ECA-5894] - Add a WS method for getting the number of approval remaining for a certain request.

                                [ECA-4790] - KaRA should be well documented
                                [ECA-5170] - Public RA user must be able to finalize legacy enrollment with username and enrollment code

                                [ECA-5010] - Remove EJBCA wiki
                                [ECA-5775] - Clear RA cache on the cache reload event
                                [ECA-5878] - Add contributed ejbca-setup script downloading and installing full EJBCA Community
                                [ECA-5897] - Revert changes that were made to EJBCA trunk during original ACME implementation

                                [ECA-3164] - Use implicit match type for admins
                                [ECA-3363] - Auto register AccessMatchValues by using ServiceLoader for AuthenticationTokens
                                [ECA-3607] - Modify CLI to fail gracefully in case appserver is not running
                                [ECA-4097] - When editing EE profiles, if the default Cert profile i chosen as default but not among the allowed, it is added
                                [ECA-4530] - Prohibit admin from lowering own access
                                [ECA-4844] - Approval requests sorting should be shown with an icon
                                [ECA-5444] - Correct size of drop down boxes in RA search pages
                                [ECA-5544] - Improve RA log messages
                                [ECA-5545] - RA enrollment: Show/hide details button is shown when it's not needed
                                [ECA-5581] - Rename the "View More" link to something more obvious on approval page
                                [ECA-5584] - Log info on key used for database-protection
                                [ECA-5607] - Preparations for optimized lookup of preferred match value
                                [ECA-5614] - Treat authorization as a union of all grants by role memberships instead of based on DN order
                                [ECA-5620] - Implement new access control logic based on the new Role and RoleMember representations
                                [ECA-5621] - Add a namespace check to RoleSessionBean
                                [ECA-5637] - Upgrade commons-httpclient and move from lib/ext to lib
                                [ECA-5652] - Adapt the existing access rules page to the new access rule system
                                [ECA-5654] - Increase size of tokenMatchValue column in RoleMemberData
                                [ECA-5655] - Adapt the current AdminGUI Roles page to work with the MPKI generation roles
                                [ECA-5684] - Set secure flag on Public Web session cookie
                                [ECA-5685] - Corrected DatabaseSchemaTest fails on Oracle with ORA-24816
                                [ECA-5693] - Change 'Cancel' button to 'Back' in Approval Profiles in View mode
                                [ECA-5695] - Clean up old access control not needed for upgrade
                                [ECA-5701] - Handle P11 providers that are broken for EC when figuring out supported curves
                                [ECA-5715] - CMP - Do not enforce clear-text-password with EndEntityCertificate
                                [ECA-5723] - Replace 'Logged in <Username>' to 'Logged in as <Username>'
                                [ECA-5724] - Number(Short) and Number(Long) fields are printing numbers from right side
                                [ECA-5736] - Open 'RA Web' in a new tab
                                [ECA-5757] - Improving advanced access rule page usability
                                [ECA-5760] - Propagate authentication failures when checking authorization
                                [ECA-5761] - Show namespace in Role Members page
                                [ECA-5766] - System Configuration autoenrollment doc link should point to proper information
                                [ECA-5768] - Use new authorization system in the RA if available
                                [ECA-5774] - Audit log RoleMember changes
                                [ECA-5779] - Make RoleDataSession.persistRole idempotent
                                [ECA-5782] - Have LegalCharsValidator report what characters that break validation
                                [ECA-5789] - Finalize post-upgrade proceedure for 6.8.0
                                [ECA-5790] - Add org.apache.tomcat.util.http.Parameters.MAX_COUNT to standard JBoss 7 configuration
                                [ECA-5797] - Avoid authorization cache update when authorization never really changed
                                [ECA-5806] - Clean up unused and redundant access rules related to public_web_user/, basic_functions/ and secureaudit/auditor/
                                [ECA-5810] - Upgrade EJBCA/CESeCore to BC 1.56
                                [ECA-5813] - Improve error message on browser enrollment key generation failure
                                [ECA-5814] - Add possibility to get any CRL using Public and RA Web
                                [ECA-5818] - Clean up Roles produced during system tests
                                [ECA-5821] - Make note in doc/UPGRADE that upgrades directly from EJBCA 4 are possible
                                [ECA-5826] - Fix deprecations in PeerConnectorPool after upgrade of HttpComponents
                                [ECA-5832] - Decode B64 encoding in Audit Log XML export
                                [ECA-5836] - Remove AuditorQueryHelper
                                [ECA-5838] - Remove possibility to search in details column of Audit Logs
                                [ECA-5845] - Split approval profiles up for different types of requests
                                [ECA-5852] - Replace EJBCA logo with the new edition
                                [ECA-5855] - Replace references to primekey.se to primekey.com
                                [ECA-5858] - Improve/correct audit log entries for Crypto Token, id->ID
                                [ECA-5860] - Add signature algorithm to keybind list CLI command output
                                [ECA-5868] - Change default intresources.secondarylanguage to english
                                [ECA-5873] - Re-implement EFF ACME protocol support
                                [ECA-5899] - Add a CMP Key Update Request test to verify that admins can't request certificates from the wrong CA.
                                [ECA-5902] - Adjust OCSP max-age and next update (in response and RFC5019 headers) to OCSP signing certificate expire date, if expire is before configured values
                                [ECA-5914] - CMP: Handle several certs in extraCerts field
                                [ECA-5915] - CMP: Not all SubCAs need to be imported in Vendor mode
                                [ECA-5920] - Changes all references from Role "Administrators" to "Role Member"
                                [ECA-5929] - Publishers are not sorted alphabetically in select menus
                                [ECA-5933] - GUI: New eIDAS word for SSCD
                                [ECA-5942] - CryptoTokenManager: Make clear that the "Authentication Code" is not being *set* or *defined* here

                                [ECA-5745] - Use new authorization system in Admin GUI
                                [ECA-5750] - Use new authorization system for approvals
                                [ECA-5754] - Adapt statedump to new Roles and RoleMembers
                                [ECA-5780] - Remove legacy authorization system code used from Admin GUI
                                [ECA-5781] - Remove no longer needed use of ComplexAccessControlSession
                                [ECA-5783] - Remove no longer needed use of AccessControlSession
                                [ECA-5786] - Remove no longer needed use of RoleManagementSession and related classes
                                [ECA-5787] - Consolidate legacy authorization code needed for upgrade
                                [ECA-5788] - Remove AccessTree and related classes




                                [ECA-5853] - Upgrade to 6.7.0 fails due to Use Default CA Issue value

                                EJBCA 6.7.0



                                [ECA-2971] - Show error when validity is specified without unit in Certificate Profile form
                                [ECA-4021] - Creating a CA using an validity date in the past fails silently
                                [ECA-4140] - Access Rules: Remove forcing Advanced Mode
                                [ECA-4467] - SCEP rollover test case fails in certain circumstances
                                [ECA-5025] - Debug log if certain special characters in SubjectDNs are present when using statedump
                                [ECA-5284] - Requesting admin can still see approval options on CA
                                [ECA-5396] - Enrollment code (password) is not evaluated inside approval notification e-mail
                                [ECA-5530] - Regression: Order of CT logs is lost when saving system configuration
                                [ECA-5548] - Minor security issue
                                [ECA-5562] - Avoid read of cached GlobalConfigurationData from making it a managed entity
                                [ECA-5569] - Special characters are not displayed correctly in the AdminGUI
                                [ECA-5574] - Fix printing null as exception message on enrollment pages
                                [ECA-5580] - Accumulative profiles do not validate values
                                [ECA-5598] - KaRA approving certificate revocation requires /ca_functionality/approve_caaction privileges
                                [ECA-5599] - Autocomplete should be off in password fields
                                [ECA-5601] - Security Issue
                                [ECA-5605] - Security improvement
                                [ECA-5606] - Document that Public web self registration requires a new Approval profile after upgrade to 6.6.0 (or an NPE is thrown)
                                [ECA-5624] - Security improvement
                                [ECA-5626] - Regression: not possible to list CMP aliases that reference the KeyId end entity profile
                                [ECA-5643] - SLF4J gives warning output in CLI
                                [ECA-5682] - Unescape + character before generating a certificate
                                [ECA-5687] - EJBCA 6.5.0 Community post-upgrade does not fail gracefully
                                [ECA-5690] - EJBCA plugins doesn't work with JDK 8
                                [ECA-5718] - Regression: Characters ÄÅÖ are displayed incorrectly when you Add End Entity
                                [ECA-5738] - CA Name Change, CRL number of Name Changed CA CRL is not in sequence with the original CA

                                New Feature
                                [ECA-5124] - Custom search for approvals, for searching by date, for expired requests or different admin
                                [ECA-5139] - Limit OIDs that are acceptable in Extension Override
                                [ECA-5304] - Default "CA issuer URI" for CA
                                [ECA-5352] - Statedump should include approval profiles
                                [ECA-5550] - Ensure that self signed CA's include their own certificate in their revocation CRLs
                                [ECA-5593] - CMP: Allowing native CAs to be Vendor CAs in test mode
                                [ECA-5689] - OCSP transaction logging, add revocation reason as field

                                [ECA-5494] - Remove references to superseeded app.version.effective property
                                [ECA-5508] - Subtract actual wait in PeerRaThrottleCounter

                                [ECA-4294] - Use JDBC to detect index presence
                                [ECA-4382] - Deprecate ocsp.responderidtype in ocsp.properties
                                [ECA-4585] - Clarify value 0 for OCSP response validity and max-age
                                [ECA-4603] - Update CT jar and its dependencies
                                [ECA-4835] - Security hardening
                                [ECA-4838] - Security hardening
                                [ECA-4859] - Implement support for CT logs that use RSA instead of ECC
                                [ECA-4901] - Handle empty UserData and CertificateData subjectDN on Oracle and DB2 in Oracle compatibility mode
                                [ECA-4997] - Regression: Reimplement CMP Unid support
                                [ECA-5086] - KaRA-Approvals: Remove cache when getting approval profile authorization string
                                [ECA-5116] - Support for renaming key aliases via statedump overrides
                                [ECA-5308] - approvalSession.addApprovalRequest should return created id
                                [ECA-5325] - Improve javadoc of EnrollMakeNewRequestBean.getSubjectDn
                                [ECA-5369] - KaRA: Ability to un-expire an expired approval request
                                [ECA-5374] - Remove unused authenticationToken in ApprovalSession.query
                                [ECA-5423] - Fix spelling of getEndEntityProfileiId
                                [ECA-5426] - Audit log does not show the changes made in EE
                                [ECA-5457] - Rename ApprovalProfile.getApprovalProfileIdentifier()
                                [ECA-5463] - Add confirmation when saving End Entity Profiles
                                [ECA-5477] - Document that Allow subject DN override by CSR is a pre-requisite for CMPTest
                                [ECA-5504] - Make it possible to re-order CT logs
                                [ECA-5522] - newly added Log URL and Timeout (ms) display
                                [ECA-5551] - Minor EJBCA WS test robustness fixes
                                [ECA-5556] - Put public static variables in GeneralPurposeCustomPublisher in correct case
                                [ECA-5557] - Keep key aliases (key pair infos) sorted in statedumps
                                [ECA-5559] - Show key specification when viewing an approval request
                                [ECA-5560] - Replace references to the deprecated class X509Extension
                                [ECA-5561] - Approval requests from unauthenticated RA users appear to originate from CLI
                                [ECA-5563] - Pre-6.6.1 statedumps can no longer be imported since EJBCA 6.6.1
                                [ECA-5564] - Show all warnings from Statedump in CLI / AdminWeb output
                                [ECA-5572] - GenerateToken.generateOrKeyRecoverToken throws Exception
                                [ECA-5573] - Try to use NoSuchEndEntityException for all exception handling of lost EEs
                                [ECA-5576] - Remove unused variables in RAAuthorization
                                [ECA-5583] - ExternalRA tests can't run due to missing JARs
                                [ECA-5588] - Replace UserDoesntFullfillEndEntityProfile with EndEntityProfileValidationException
                                [ECA-5589] - Keep sort and search settings when going back in Manage Requests page
                                [ECA-5597] - Replace dummy CN values in keystore certs
                                [ECA-5636] - KaRA: add a request control filter
                                [ECA-5638] - Security: Upgrade commons-fileupload to 1.3.2
                                [ECA-5639] - Security: Upgrade batik to 1.7.1
                                [ECA-5640] - Security: Upgrade xstream to 1.4.9
                                [ECA-5641] - Security: Upgrade commons-beanutils to 1.9.3
                                [ECA-5645] - CSR should be stored as Base64 in ExtendedInformation instead of binary
                                [ECA-5646] - Add CSR if available to findendentity cli command
                                [ECA-5650] - Don't require @ in rfc822Name when validating End Entity profiles
                                [ECA-5651] - Add some documentation for Native MS Autoenrollment
                                [ECA-5691] - Add possibility to get any CRL using CLI command

                                EJBCA 6.6.4



                                [ECA-5687] - EJBCA 6.5.0 Community post-upgrade does not fail gracefully
                                [ECA-5700] - Upgraded ValidationAuthorityPublisher settings cannot be changed in GUI

                                EJBCA 6.6.3


                                [ECA-5527] - PeerRaMasterServiceBean delays shutdown
                                [ECA-5554] - View certificate throws StringIndexOutOfBoundsException when certificate cannot be read
                                [ECA-5568] - Incorrect column type used in Oracle upgrade script
                                [ECA-5571] - ApprovalProfileSession is not sent to Workers, leading to an NPE
                                [ECA-5575] - Error generating CRL on MSSQL, update dialect to SQLServer2008Dialect
                                [ECA-5577] - Import certificate profiles in Admin GUI ignores profileId
                                [ECA-5578] - ExternalRA fails if no approval profile has been set

                                [ECA-5079] - Make sun classes for PKCS#11 available using jboss-deployment-structure.xml
                                [ECA-5526] - Add new RA Web to Admin GUI menu

                                EJBCA 6.6.2

                                [ECA-5549] - CT Log submission can fail in certain circumstances when it shouldn't

                                EJBCA 6.6.1

                                Master Ticket
                                [ECA-5509] - Performance optimizations

                                [ECA-3554] - CVC certificate validity should not be backdated 10 minutes
                                [ECA-5253] - NPE should be avoided when not receiving an OCSP response in CmpProxyServlet
                                [ECA-5387] - Issuer Alternative Name not included in Root CA until it's renewed
                                [ECA-5479] - NPE when trying to view list of CMP configurations with missing profile
                                [ECA-5489] - Incorrect regex breaks "view certificate" page from Internal Key Bindings page for some CA DNs
                                [ECA-5495] - Update of imported CA certificate is not persisted to the CertificateData table
                                [ECA-5502] - Prevent legacy OCSP signer renewal from processing the same entry twice
                                [ECA-5514] - Make DynamicUiProperty.values thread safe

                                New Feature
                                [ECA-1628] - Add option to keep revoked expired certificates on CRLs.
                                [ECA-5141] - Specify hours, minutes and seconds in certificate profile
                                [ECA-5330] - Certificate expiration period specific to certain days
                                [ECA-5419] - Make CT Log timeout editable again, as well as the other fields
                                [ECA-5470] - Document trailing space in RDN value behavior in test
                                [ECA-5491] - Add CLI command to change crypto token for a CA
                                [ECA-5492] - Update Ubuntu quick start guide to 16.04 and Java 8

                                [ECA-5428] - Get DB2 job on Jenkins running again
                                [ECA-5507] - Use available helper method for ContentVerifier creation

                                [ECA-4447] - Make EJB timers non-persistent
                                [ECA-5451] - Prevent change of audit log node id once sequence is initialized
                                [ECA-5459] - Only regard revocation reasons *Compromise and unspecified as CA private key compromise in VA
                                [ECA-5460] - Update RHEL quick start in installation doc
                                [ECA-5469] - Document that WS certificateRequest method overwrites the end entity
                                [ECA-5478] - Ability to add multiple PDS URIs
                                [ECA-5486] - Document Java version requirements when running JBoss 7.1.1.GA or JBoss EAP 6
                                [ECA-5490] - Add new recommended database index for CRL generation
                                [ECA-5493] - Excessive logging when editing Certificate Profile
                                [ECA-5496] - IKB certificate import should not use the current CA certificate if public key does not match
                                [ECA-5501] - Don't initialize classes in ServiceManifestBuilder
                                [ECA-5517] - javascript for convertdot during ziprelease only works on JDK8

                                [ECA-5511] - Remove extra call to getDataMap() from ProfileData.getProfile()
                                [ECA-5512] - Remove some unneded calls to EndEntityInformation.extendedInformationToStringData()
                                [ECA-5513] - Make assertSerialNumberForIssuerOk() more light weight
                                [ECA-5516] - Investigate efficiency of ExtendedInformation persistence conversion

                                EJBCA 6.6.0


                                [ECA-3897] - Unrevoked certificates do not appear on delta CRLs
                                [ECA-4549] - In Basic Access Rules, 'All' is listed last in the list of CAs
                                [ECA-4596] - ClientToolBox is unable to verify signature when testing more exotic EC keys in HSM
                                [ECA-4647] - Basic Access Rules: Pre-selected end entity rules for RAAdmin role template do not correspond to actual rules.
                                [ECA-4834] - Security hardening
                                [ECA-4856] - Security Hardening
                                [ECA-4858] - Confusing audit log message when reactivating a crypto token
                                [ECA-4860] - CryptoToken Id not updated when importing a statedump with the merge option
                                [ECA-4862] - CmpMessageHelper.createUnprotectedErrorMessage throws an NPE if a nonce is not included in the CMP message
                                [ECA-4872] - System configuration page broken in WildFly 10
                                [ECA-4877] - CertTools.isCertificateValid logs cert serno in decimal instead of hex
                                [ECA-4882] - CMP Proxy: Message signer chain should have its own configuration key in cmpProxy.properties
                                [ECA-4883] - CMP Proxy: NPE when the right CA certificate is not found
                                [ECA-4884] - Reference to Hudson in code when deploying ant
                                [ECA-4885] - Key recovery requires 'Edit End Entities'-rights
                                [ECA-4889] - Change all references from "Enrolment" to "Enrollment"
                                [ECA-4892] - Clearing caches fails locally if clearing the cache on any clustered nodes fails as well.
                                [ECA-4893] - CMP Proxy: Revocation status cache is read incorrectly
                                [ECA-4915] - SecureXMLDecoder can't deserialize all standard types
                                [ECA-4923] - ClientToolBox is missing lib/ejbca-ws.jar dependency
                                [ECA-4925] - Old version of cert-cvc still under lib
                                [ECA-4928] - CMP Proxy Servlet doesn't properly handle messages with faulty ASN.1 syntax
                                [ECA-4929] - Sample code not updated after refactorings
                                [ECA-4930] - Left-over old generated web services sources
                                [ECA-4931] - Minor security issue
                                [ECA-4945] - Edit admin entities broken in WildFly 10
                                [ECA-4955] - CMP Proxy swallows underlying error message when verifying certificate path
                                [ECA-4956] - Regression: Key alias in CMS CA service was changed so it can not be read after upgrade
                                [ECA-4964] - NoClassDefFound in PeerConnectorServlet.destroy(), causes JBoss to freeze
                                [ECA-4971] - Partial fix for handling InterruptedException correctly
                                [ECA-4974] - Regression: SecureXMLDecoder doesn't allow import of CertificatePolicy objects
                                [ECA-4988] - CMP Aliases can't handle that End Entity Profiles are renamed
                                [ECA-4990] - CMP aliases can't handle CA removal
                                [ECA-4992] - SHA256WithRSAAndMGF1 broken in some cases
                                [ECA-4996] - Editing a CMP configuration while having limited access leads to hidden aliases being deleted
                                [ECA-5003] - Profiles export fail if hard tokens are enabled.
                                [ECA-5005] - Root access required to save system configuration
                                [ECA-5072] - KeyBindings do not work if there's a CVC CA or uninitialized CA available
                                [ECA-5098] - ApprovalProfile table breaks EJBCA DB CLI
                                [ECA-5128] - Invoke postUpgrade instead of upgrade from placeholder
                                [ECA-5165] - Access rule "store_certificate" is not used in the code
                                [ECA-5185] - Regression: can not revoke user when user's registered CAId does not exist
                                [ECA-5187] - languagefile.en.properties: correct different typings of ID
                                [ECA-5193] - Fix broken jenkins test with non-serializable Keystore in RaMasterApi
                                [ECA-5204] - RA enrollment: User doesn't get its request ID if RA is running on peer
                                [ECA-5206] - CMP revocation requests fails CA authorisation if issuer CA has X.500 ordering
                                [ECA-5213] - GUI bug in send notification, can not be set afterwards if set to required in profile
                                [ECA-5216] - Checking requestId gives possibility to finalize even if it's not possible
                                [ECA-5217] - WebService method checkRevokationStatus does not return null for non existing certificates as documented
                                [ECA-5220] - Notification related fields show up on the approvals page
                                [ECA-5224] - RA enrollment: Fix and improve the enrollment with approval buttons
                                [ECA-5228] - Circular dependency between ApprovalProfileCacheBean and StartupSingletonBean
                                [ECA-5232] - Adding approval profile metadata fields only works correctly for the final step
                                [ECA-5234] - Store authentication token instead of admin cert serial number/issuer in approval requests
                                [ECA-5236] - 'Hour' format in Advanced Mode for Search End Entities
                                [ECA-5239] - GUI improvements to the Manage Request page
                                [ECA-5244] - Cloning Approval Profiles ignores the new name and it's not possible to rename
                                [ECA-5245] - NPE approving as another Admin in KaRA
                                [ECA-5258] - RA enrollment: Support for enrolling PEM keystores
                                [ECA-5260] - Occasional ConcurrentModificationException when re-deploying
                                [ECA-5261] - Use id instead of approvalId as a Request ID
                                [ECA-5262] - End Entity notifications when using approval always uses the requestAdmin, and not the approvalAdmin
                                [ECA-5267] - RA enrollment: Unique Subject DN check is done after approval
                                [ECA-5268] - Internal database constraint test audit logs certificate storage
                                [ECA-5275] - Deleting Approval steps doesn't actually remove the step
                                [ECA-5277] - Fix NPE when trying to list processed approvals in the RA
                                [ECA-5278] - Handle approval editing in one step in ApprovalSessionBean, so the id can be preserved
                                [ECA-5281] - EjbcaWSTest.test25CreateandGetCRL fails sporadically
                                [ECA-5282] - Update "previous steps" in the RA approval page to handle partitions
                                [ECA-5289] - Approval requests listing in the RA are never shown if older than the default validity (8 hours)
                                [ECA-5293] - Regression: Manage Request page does not work over peers
                                [ECA-5296] - Approval class has updated serialVersionUID
                                [ECA-5297] - Number of remaining approvals is reset after upgrade
                                [ECA-5298] - Fix Exceptions in RA GUI approvals
                                [ECA-5299] - EjbcaWSTest.test03_5CertificateRequest fails with End Entity Profile limitations on
                                [ECA-5305] - Regression: SecureXMLDecoder doesn't allow import of CTLog objects
                                [ECA-5321] - JUnit: handle test case where we try to add non existing DN parameter to EE profile
                                [ECA-5323] - Client toolbox start script not working for p11 when JAVA_HOME is set
                                [ECA-5324] - NPE when trying to approve and the approval profile is to type Accumulative
                                [ECA-5335] - KaRA: authorization cache is for ever, even with clear caches
                                [ECA-5338] - External RA GUI should not bundle hibernate jar to deploy on WildFly 10
                                [ECA-5342] - ui:repeat does not respect the "rendered" parameter on the RA Manage Request page, causing exceptions
                                [ECA-5345] - KaRA: Manage Requests->Processed doesn't show anything
                                [ECA-5346] - Name field does not work on Manage Request page
                                [ECA-5347] - Java type inconsistencies in NameToIdMap
                                [ECA-5349] - Not able to import statedump from EJBCA 6.5 into EJBCA 6.6
                                [ECA-5350] - CA importcert CLI command should halt on error when no superadmincn is provided
                                [ECA-5351] - statedump.sh script doesn't handle relative paths
                                [ECA-5353] - Statedump source ziprelease includes .class files
                                [ECA-5358] - KaRA: Text for 'Upload CSR' in RA GUI truncated
                                [ECA-5363] - Headers are offset by one in Manage Requests view in mobile layout
                                [ECA-5366] - Login link on public RA pages does not work
                                [ECA-5367] - Edit End Entity requests show up with type = "???" in the RA
                                [ECA-5375] - Enrollment from RA requires Edit End Entity access, instead of Add End Entity
                                [ECA-5376] - Missing Administrator info in 'Waiting for Approval' section
                                [ECA-5378] - Fix NPE when deleting the only step in an approval profile
                                [ECA-5388] - OCSPResponseGenerator should use BC provider for signature verification
                                [ECA-5391] - Wrong encoding of documentTypeList in ICAO 9303 DS certificates
                                [ECA-5392] - ApprovalProfileBase.getSteps checks for null instead of empty
                                [ECA-5403] - Improve messages in the RA Enrollment page
                                [ECA-5411] - Email Notification parameters containing $ sign causes error
                                [ECA-5414] - Systemtest failures with non JDK handled EC curves
                                [ECA-5420] - Availability of EEPs in RA is cached session cached
                                [ECA-5422] - Access rule misspelled in AdminCertReqServlet
                                [ECA-5425] - Error codes of Peer Connectors does not work
                                [ECA-5427] - NPE when doing direct issuance via RA
                                [ECA-5431] - Typo in 'Notification Messages' under End Entity Profile page
                                [ECA-5435] - Don't render Provide User Credentials section in RA when empty
                                [ECA-5436] - Regression: Order of CT log might not be respected
                                [ECA-5439] - Installation instructions don't work for Wildfly 10 / JBoss EAP 7.0 in some cases
                                [ECA-5440] - Verification of database protection not working for Custom Certificate extensions
                                [ECA-5441] - Statedump import failure for InternalKeyBinding
                                [ECA-5454] - NPE in AdminGUI when the same admin approves a request a second time

                                [ECA-3959] - Editing end entity profile generates unnecessary INFO
                                [ECA-4413] - Simplify EJB lookups in CAAdminSessionBean
                                [ECA-4438] - Remove unused caid parameter in CA.createPKCS7Rollover
                                [ECA-4499] - Allow longer SAN and DN by default
                                [ECA-4673] - Downloading an non-existent delta-CRL on the public web leads to a 404
                                [ECA-4690] - Replace deprecated references to org.bouncycastle.asn1.x509.SubjectPublicKeyInfo.SubjectPublicKeyInfo(ASN1Sequence)
                                [ECA-4795] - External RA: NPE in external RA gui when externalra-gui.issuerchain points to a non existing file
                                [ECA-4803] - Security hardening
                                [ECA-4906] - Limit OCSP Nonce to 32 bytes
                                [ECA-4914] - Don't throw RTE when checking for non-existing CryptoToken activation status
                                [ECA-4932] - Exclude install properties files from ejbca.ear
                                [ECA-4936] - ConcurrentCache: Improve performance
                                [ECA-4947] - Resetting an end entity password after key recovery should not require 'Edit End Entities'-rights
                                [ECA-4952] - Simplified X509CertificateAuthenticationToken constructor
                                [ECA-4963] - Certificate Profiles: Keep sorting, but sort default profile types first.
                                [ECA-4970] - Set secure flag on Admin GUI session cookie
                                [ECA-4983] - ejbcajslib.js has unneeded comment chars
                                [ECA-4987] - Set search.cgi welcome page for RFC 4387 CRL and certificate stores
                                [ECA-4998] - Document that CMP Unid support currently isn't supported
                                [ECA-5029] - Usability improvement, limit Policy User Notice text field to 200 characters
                                [ECA-5044] - Security Improvement
                                [ECA-5047] - Improve pom.xml for cert-cvc
                                [ECA-5088] - Move all CRUD methods from ApprovalData into ApprovalSessionBean
                                [ECA-5106] - Add database column for subjectAltNames (SAN) in CertificateData
                                [ECA-5115] - Allow notifications to be sent when admin has an external certificate not available in the database
                                [ECA-5130] - Fix some resource leaks and thread locking issues in source
                                [ECA-5142] - Generalize and improve InternalKeyBindingProperty
                                [ECA-5147] - MS SQL server support in External RA build task
                                [ECA-5148] - Perform some cosmetic improvements to the approve action page
                                [ECA-5160] - Have externalized Approvals initialize their authentication tokens
                                [ECA-5168] - Improve system tests for application servers that enforce class loading
                                [ECA-5192] - Don't show admin roles that can't approve or view approvals
                                [ECA-5195] - RA Enrollment: Show password only with downloading keystore
                                [ECA-5196] - RA Enrollment: Provide user with more verbose error message during token creation
                                [ECA-5203] - RA enrollment: Add support for autogenerated passwords
                                [ECA-5212] - Sort Approvals by Request Date by default
                                [ECA-5214] - KaRA: creating end entity should set email notification when it is required
                                [ECA-5215] - KaRA: PRA Error handling when not unique subject DN or public key
                                [ECA-5226] - Improve exceptions handling over peers to support more than just a message
                                [ECA-5241] - Improve RA API exception handling
                                [ECA-5247] - Change which requests are shown under the Pending and Processed tabs
                                [ECA-5257] - RA enrollment: Download Token name should be CN value
                                [ECA-5273] - Query.toString() should output something readable
                                [ECA-5300] - Certificate Policies in the same order in certificate encoding as in the GUI
                                [ECA-5301] - Add instruction for upgrade
                                [ECA-5307] - PRA: Manage requests should show request ID
                                [ECA-5317] - Autogenerated EE usernames as configurable with EEP
                                [ECA-5318] - RA enrollment: Remove password fields with certificate creation if approval are not required
                                [ECA-5332] - Statedump import should skip revocation of end entities' certificates
                                [ECA-5343] - KaRA: AuthLoginException should contain error code, fix missing parameter to error messages
                                [ECA-5344] - KaRA: password should be called enrollment code
                                [ECA-5355] - KaRA: some reasons missing when explaining why admin can't approve a certain request
                                [ECA-5356] - Delete modules/dist directory on clean
                                [ECA-5357] - KaRA Usability: request form clearing and email
                                [ECA-5362] - KaRA Usability: Rename "Needs Approval" and "Pending Approval"
                                [ECA-5371] - KaRA Usability: more information when finalizing enrollment
                                [ECA-5377] - Improvements for Approval Profiles Documentation
                                [ECA-5393] - Log subject DN of cert failing validity check
                                [ECA-5400] - KaRA: Document authorization rules for RA User and RA Admin
                                [ECA-5405] - Security hardening
                                [ECA-5410] - Approval profile notifications ability to include admin who last approved request
                                [ECA-5418] - Show approval request type on the Manage Request page
                                [ECA-5421] - CA Token Properties upgrade should debug log and be case insensitive

                                Master Ticket
                                [ECA-5315] - KaRA Usability: improve usability of wording in KaRA

                                New Feature
                                [ECA-2277] - NetBeans IDE project
                                [ECA-2390] - Import CRL via the WebUI
                                [ECA-2842] - Add SAN SRVName OtherName for Service Name in Certificates (RFC 4985)
                                [ECA-2843] - Add SAN XmppAddr OtherName for XMPP Client certificates (RFC 6120)
                                [ECA-4379] - Add additional CVC OIDs for SHA512 and SHA384
                                [ECA-4473] - Shell script for running statedump tool
                                [ECA-4861] - Add Windows Certificate Autoenroll files as module
                                [ECA-4972] - GUI Support for PKI Disclosure Statements (PDS) QCStatement and QCType
                                [ECA-5111] - ID on SIM (RFC-4683) support in cesecore
                                [ECA-5145] - Internal profile support for eIDAS Qualified Extension types Type and PDS
                                [ECA-5264] - Make requestID available for end entity notifications when an Approval request to add end entity is created (waiting for approval)
                                [ECA-5265] - Configure WS genTokenCertificates and viewHardToken to use the new approval profiles
                                [ECA-5274] - Audit log approval profiles
                                [ECA-5279] - Support RegisteredID in subject alternative name
                                [ECA-5310] - Update SQL scripts for EJBCA 6.6.0 database schema changes
                                [ECA-5322] - Ability to use variables in email subject for email expiration service
                                [ECA-5412] - Add support for Services that run on all hosts to enable HSM Keepalive Service to run on all nodes in a cluster

                                [ECA-4782] - RA must be configurable to demand logged in users
                                [ECA-4784] - RA interface must handle certificate management tasks including requesting revocation
                                [ECA-4786] - RA must allow searching for End Entities
                                [ECA-4788] - All requests must be given a universal identifier so that they can be tracked through logs
                                [ECA-4796] - RA must handle certificate requests by manual CSRs
                                [ECA-4801] - RA Administrators must be able to be notified about user requests
                                [ECA-4804] - Notify other administrators about certificate issuances or revocations
                                [ECA-4805] - RA administrators must be able to edit user requests.
                                [ECA-4820] - RA users should be able to see the status of their requests
                                [ECA-4863] - Approvals should be partitioned
                                [ECA-4873] - PRA must allow searching for Certificates
                                [ECA-4895] - RA users will be able to request server side generated keystores
                                [ECA-4896] - Logged in RA users should see the certificate types types they're authorized to
                                [ECA-4979] - RA Interface should allow download of CA certificates and CRLs
                                [ECA-5153] - RA administrators must be able to create end entities from the PRA
                                [ECA-5336] - KaRA: As a RA User I have forgotten my requestID and need to finalize enrollment

                                [ECA-4868] - Security Issue
                                [ECA-5031] - Update cmp proxy web.xml to JEE6
                                [ECA-5209] - Remove additional left-over old generated web services sources
                                [ECA-5263] - Update the RA to handle partitioned approvals properly
                                [ECA-5348] - Add JUnit test for Certificate Profile extension
                                [ECA-5361] - Evaluate security test report
                                [ECA-5370] - KaRA usability: Rename Generate buttons to Download
                                [ECA-5408] - Add authorization checks when trying to edit a request
                                [ECA-5409] - Allow the Auditor role to see all RA pages except enrollment
                                [ECA-5413] - Update CT log documentation
                                [ECA-5437] - Document that Wildfly 10 config also applies to JBoss EAP 7.0.x
                                [ECA-5446] - Prevent locales used during development to be selected in RA

                                Technical Requirement
                                [ECA-4817] - An authentication token must travel in a nestled fashion from the RA to the CA, rights will be the intersection of all nestled tokens' rights
                                [ECA-4819] - CA->ERA/PRA should use Peers to establish their connection
                                [ECA-4826] - ERA/PRA must extract a subset of access rules from the CA
                                [ECA-4869] - Deployable Public RA interface (PRA) as part of the EJBCA EAR
                                [ECA-4917] - RA Proxy Authorization Cache

                                [ECA-4446] - Introduce typing for ListDataModel
                                [ECA-4800] - Support for request revocation of authorized certificates
                                [ECA-4867] - Long hanging peer connections for reverse calls
                                [ECA-4870] - Create a module for the Public RA interface and make sure it is deployed with the EJBCA EAR
                                [ECA-4874] - Add End Entity Profile ID column to CertificateData
                                [ECA-4875] - Create a basic PrimeKey branded CSS for the RA interface
                                [ECA-4879] - Create/modify an authentication token that handles nestled credentials
                                [ECA-4881] - Reverse calls should use AuthenticationToken with caller's server side TLS cert
                                [ECA-4898] - Create initial RA enrollment workflow
                                [ECA-4907] - Implement Approval Profiles and convert the old approvals to the appropriate profile.
                                [ECA-4908] - KaRA-Approvals: Handle approval request according to approval profiles
                                [ECA-4911] - KaRA-Approvals: Implement "Edit"
                                [ECA-4918] - Method to list access rules that the AuthenticationToken is authorized to
                                [ECA-4919] - Call RA peer when access rules change
                                [ECA-4920] - RaAccessBean on RA for checking authorization
                                [ECA-4922] - Introduce PublicAccessAuthenticationToken
                                [ECA-4927] - Improve logging and retries of peer connections
                                [ECA-4934] - Improve performance of LookAheadObjecInputStream tree
                                [ECA-4937] - Proper error handling
                                [ECA-4938] - Basic RA client HTTP session handling
                                [ECA-4940] - I18N: Handle right to left languages in RA
                                [ECA-4941] - I18N: Use UTF-8 in resource bundles and add fallback to default language
                                [ECA-4942] - Peer Connector config for long-handing RA threads
                                [ECA-4944] - Simplify authorization of server side TLS certificates for Peer RA
                                [ECA-4948] - Test required access rules for EJBCA WS keyRecovery operation
                                [ECA-4954] - Event driven throttle up of long hanging connections
                                [ECA-4962] - Per-AuthenticationToken cache for AccessSets
                                [ECA-4966] - Prevent race condition when app server is started and quickly shutdown
                                [ECA-4969] - Prevent HTTP session stealing for TLS authenticated clients
                                [ECA-4973] - Reloading the RA Authorization Cache instead of clearing it
                                [ECA-4975] - Improve RA JSF base according to best practices
                                [ECA-4977] - KaRA: Add OWASP ESAPI best practices
                                [ECA-4981] - KaRA Approvals: Create access rules to manage ApprovalProfiles
                                [ECA-4984] - RA page for CA certificate and CRL downloads
                                [ECA-4986] - Leave a database mark for EEP Id population when upgrading to 6.6.0
                                [ECA-4994] - Convert RaMasterApiProxy into a singleton
                                [ECA-4995] - Progressive Enhancement with KickAss RA
                                [ECA-5006] - Page to view/handle approval requests in the RA UI
                                [ECA-5011] - Create certificate search base page and basic API call to improve on
                                [ECA-5013] - Use RaAccessBean to limit displayed choices in the menu
                                [ECA-5016] - Use reflection Proxy for RaMasterApi mock objects in tests
                                [ECA-5018] - Detect if RFC4387 CRL store is enabled and adapt CRL download URLs
                                [ECA-5028] - Inform RA of latest authorization cache update number on reconnect
                                [ECA-5032] - Create end entity search base page and basic API call to improve on
                                [ECA-5040] - Test search functionality on large dataset and limit query database load when possible
                                [ECA-5042] - Override serialization of CertificateDataWrapper, to handle passing CertificateData between different versions
                                [ECA-5051] - KaRA-Approvals: Move method accessing the database to the session bean
                                [ECA-5052] - KaRA-Approvals: Replace the current cache with a @singleton bean
                                [ECA-5053] - KaRA-Approvals: Sort approval profiles in the AdminGUI
                                [ECA-5054] - Remove unused approvals code from UI
                                [ECA-5058] - Add Approval and Request Expiration periods options to Approval Profile
                                [ECA-5061] - KaRA-Approvals: Set the right approval profiles
                                [ECA-5064] - Change class name of ApprovalProfileNumberOfApprovals
                                [ECA-5067] - KaRA-Approvals: Approval Profile Cache should be cleared in the CLI too
                                [ECA-5068] - KaRA-Approvals: Update documentation about approvals
                                [ECA-5070] - Authorization rights for enrollment with new request
                                [ECA-5077] - KaRA-Approvals: ApprovalProfileTypes in ServiceLoader
                                [ECA-5082] - Maintain 100% uptime when upgrading Approvals
                                [ECA-5090] - Clean up test methods in RaMasterApi
                                [ECA-5092] - JUnit test for API design violations
                                [ECA-5097] - RA Certificate chain download as PKCS#7
                                [ECA-5100] - Certificate details view in RA
                                [ECA-5109] - Serialize exceptions from invocations
                                [ECA-5110] - Implement RA certificate search by Subject Alternative Name
                                [ECA-5113] - RA method to get approval request by hash (approvalId)
                                [ECA-5120] - Public Access token match either PLAIN or CONFIDENTIAL transport
                                [ECA-5121] - AccessMatchType.NONE should not requre a matchValue
                                [ECA-5123] - Admin should be able to see which admin an approval request is waiting for
                                [ECA-5125] - Log who edited an approval request
                                [ECA-5126] - Add notBefore column to CertificateData
                                [ECA-5127] - Implement RA certificate search by issuance date as advanced option
                                [ECA-5137] - Split generic search string into fields
                                [ECA-5143] - Add view functionality for EEs in RA
                                [ECA-5154] - Show preview of certificate during RA enrollment
                                [ECA-5157] - Update admin guide on Peer Systems with new RA functionality
                                [ECA-5159] - Invoke EEP's revoked notification when an individual certificate is revoked
                                [ECA-5162] - Add approval metadata to Partitioned Approval Profiles
                                [ECA-5163] - Add view rights to partitioned approval profiles
                                [ECA-5164] - Display completed steps as view only when performing approval (if view rights are held)
                                [ECA-5172] - Add an e-mail field to approval partitions
                                [ECA-5173] - Add notification evaluation to approval executions
                                [ECA-5177] - Refactor download credentials type during enrollment on PRA
                                [ECA-5180] - Show "certificate preview" during enrollment on PRA
                                [ECA-5182] - Enforce certificate profile algorightms for CSR during PRA enrollment
                                [ECA-5183] - Fix approvals in the RA GUI after the refactoring
                                [ECA-5186] - PRA enrollment: add support for the multiple non-modifiable values for EE fields
                                [ECA-5189] - Approval Profile page renderes non-JS button in view mode
                                [ECA-5200] - Add Web Designer styles and modifications, including mobile
                                [ECA-5201] - Add support for nesting of parameter type List<AuthenticationToken> in RaMasterApi
                                [ECA-5202] - Deserialized NestableAuthenticationTokens needs to be re-initialized within JVM
                                [ECA-5205] - Use certs-only PKCS#7 / CMS on RA
                                [ECA-5207] - Allow configuration of /ra_slave/manage from simplified peer auth view
                                [ECA-5208] - RA enrollment: Refactor the RA interface according to the synchup week 27
                                [ECA-5211] - Clean up GUI request authorization checks
                                [ECA-5218] - Use more efficient backend call for RaMasterApi.getApprovalDataByRequestHash
                                [ECA-5219] - Add buttons for changing step order in the approval profile UI
                                [ECA-5221] - Split generic search string into fields
                                [ECA-5222] - RA enrollment: Improve handling of NoJS buttons
                                [ECA-5225] - RA enrollment: Hide static fields by default
                                [ECA-5229] - Better handling of CSR upload during RA enrollment
                                [ECA-5231] - Remove the approvalprofileid column from ApprovalData
                                [ECA-5237] - Populate modifiable SAN fields from CSR during RA enrollment
                                [ECA-5243] - Enforce CSR or key spec in EndEntityInformation when issuing a certificate
                                [ECA-5248] - Don't localize logged messages using current users selected locale
                                [ECA-5313] - KaRA Usability: Start step with nr 1 instead of 0 in Approval Profiles in Admin GUI
                                [ECA-5314] - KaRA Usability: should be able to notify what partition (name) was performed
                                [ECA-5316] - KaRA Usability: rename the word Partition for appoval parts
                                [ECA-5340] - KaRA Usability: Shorten auto-generated username to 32 chars

                                EJBCA 6.5.5


                                [ECA-5495] - Update of imported CA certificate is not persisted to the CertificateData table

                                [ECA-5496] - IKB certificate import should not use the current CA certificate if public key does not match
                                [ECA-5501] - Don't initialize classes in ServiceManifestBuilder

                                EJBCA 6.5.4

                                [ECA-5206] - CMP revocation requests fails CA authorization if issuer CA has X.500 ordering
                                [ECA-5253] - NPE should be avoided when not receiving an OCSP response in CmpProxyServlet
                                [ECA-5305] - Regression: SecureXMLDecoder doesn't allow import of CTLog objects
                                [ECA-5323] - Client toolbox start script not working for p11 when JAVA_HOME is set
                                [ECA-5387] - Issuer Alternative Name not included in Root CA until it's renewed
                                [ECA-5440] - Verification of database protection not working for Custom Certificate extensions

                                New Feature
                                [ECA-5279] - Support RegisteredID in subject alternative name
                                [ECA-5322] - Ability to use variables in email subject for email expiration service

                                [ECA-5300] - Certificate Policies in the same order in certificate encoding as in the GUI
                                [ECA-5459] - Only regard revocation reasons *Compromise and unspecified as CA private key compromise in VA

                                EJBCA 6.5.3


                                [ECA-5085] - Regression: ca editca fails on an NPE if --fields parameter is missed.
                                [ECA-5089] - Security hardening
                                [ECA-5091] - Single Active Certificate Constraint does not cause publishing when called from CMP
                                [ECA-5129] - Security issue
                                [ECA-5144] - Regression: Bug in Key Recovery

                                [ECA-5038] - State more clearly in documentation that Peers is enterprise only
                                [ECA-5093] - Add debug logging when testing CT publisher connections
                                [ECA-5094] - Potential security issue
                                [ECA-5096] - In SCEP servlet don't info log auth failure that has already been audit logged
                                [ECA-5099] - Potential security issue
                                [ECA-5131] - Update Japanese Language Files
                                [ECA-5135] - ejbca-db-cli verify command should support individual table verification
                                [ECA-5158] - ejbca-db-cli "verify integrity protection" flag does not affect tables related to RoleData

                                New Feature
                                [ECA-5136] - CHR override for IS and DV certificates

                                EJBCA 6.5.2


                                [ECA-4684] - Possible to enter more pages than there are results in View Audit Logs page
                                [ECA-5020] - Statedump bash script is unintentionally included with release zip
                                [ECA-5021] - Regression: Statedump is no longer able to import crypto tokens without activating them
                                [ECA-5022] - CMP: Unable to find existing end entity profiles
                                [ECA-5030] - Can't select uninitialised root CA as signer for local uninitialised sub-CA
                                [ECA-5033] - Role display issue adding end entities
                                [ECA-5034] - Can't use negative values in FieldEditor / editcertificateprofile command
                                [ECA-5043] - If the folder defined by cmp.backend.extracertissuer does not exist, an NPE is thrown.
                                [ECA-5048] - Single Active Certificate Constraint does not cause publishing
                                [ECA-5069] - editca CLI command fails when renaming a CA
                                [ECA-5071] - NPE thrown when importing statedump with prefix for CA CN field in subject DN
                                [ECA-5073] - Security Issue
                                [ECA-5075] - Possible session caching issues on SCEP alias page
                                [ECA-5081] - Viewing deleted userdata may show session cached value of previously viewed user

                                [ECA-5007] - Use last full CRL generation date as input to certificate expiration
                                [ECA-5024] - Don't log error when cAId column does not exist in AdminGroupData
                                [ECA-5076] - Log as failed login event if certificate does not belong to any role

                                New Feature
                                [ECA-4610] - eIDAS: New ETSI DN attribute "organizationIdentifier"

                                EJBCA 6.5.1


                                [ECA-4549] - In Basic Access Rules, 'All' is listed last in the list of CAs
                                [ECA-4834] - Security hardening
                                [ECA-4856] - Security Hardening
                                [ECA-4858] - Confusing audit log message when reactivating a crypto token
                                [ECA-4860] - CryptoToken Id not updated when importing a statedump with the merge option
                                [ECA-4862] - CmpMessageHelper.createUnprotectedErrorMessage throws an NPE if a nonce is not included in the CMP message
                                [ECA-4872] - System configuration page broken in WildFly 10
                                [ECA-4882] - CMP Proxy: Message signer chain should have its own configuration key in cmpProxy.properties
                                [ECA-4883] - CMP Proxy: NPE when the right CA certificate is not found
                                [ECA-4884] - Reference to Hudson in code when deploying ant
                                [ECA-4885] - Key recovery requires 'Edit End Entities'-rights
                                [ECA-4889] - Change all references from "Enrolment" to "Enrollment"
                                [ECA-4892] - Clearing caches fails locally if clearing the cache on any clustered nodes fails as well.
                                [ECA-4893] - CMP Proxy: Revocation status cache is read incorrectly
                                [ECA-4923] - ClientToolBox is missing lib/ejbca-ws.jar dependency
                                [ECA-4925] - Old version of cert-cvc still under lib
                                [ECA-4928] - CMP Proxy Servlet doesn't properly handle messages with faulty ASN.1 syntax
                                [ECA-4931] - Minor security issue
                                [ECA-4945] - Edit admin entities broken in WildFly 10
                                [ECA-4955] - CMP Proxy swallows underlying error message when verifying certificate path
                                [ECA-4956] - Regression: Key alias in CMS CA service was changed so it can not be read after upgrade
                                [ECA-4974] - Regression: SecureXMLDecoder doesn't allow import of CertificatePolicy objects
                                [ECA-4988] - CMP Aliases can't handle that End Entity Profiles are renamed
                                [ECA-4990] - CMP aliases can't handle CA removal
                                [ECA-4992] - SHA256WithRSAAndMGF1 broken in some cases
                                [ECA-4996] - Editing a CMP configuration while having limited access leads to hidden aliases being deleted

                                [ECA-4673] - Downloading an non-existent delta-CRL on the public web leads to a 404
                                [ECA-4795] - External RA: NPE in external RA gui when externalra-gui.issuerchain points to a non existing file
                                [ECA-4906] - Limit OCSP Nonce to 32 bytes
                                [ECA-4932] - Exclude install properties files from ejbca.ear
                                [ECA-4947] - Resetting an end entity password after key recovery should not require 'Edit End Entities'-rights
                                [ECA-4963] - Certificate Profiles: Keep sorting, but sort default profile types first.
                                [ECA-4998] - Document that CMP Unid support currently isn't supported

                                New Feature
                                [ECA-4473] - Shell script for running statedump tool

                                [ECA-4868] - Security Issue



                                [ECA-5767] - Soft CA Token key alias set to wrong value in upgrade from 4.0
                                [ECA-5764] - Backport: Key alias in CMS CA service was changed so it can not be read after upgrade
                                [ECA-5784] - Legacy script based autoenrolment should not remove end entity profile
                                [ECA-5798] - Backport clientToolBox fix to EJBCA Community



                                [ECA-4872] - System configuration page broken in WildFly 10
                                [ECA-4945] - Edit admin entities broken in WildFly 10
                                [ECA-5687] - EJBCA 6.5.0 Community post-upgrade does not fail gracefully



                                [ECA-4931] - Minor security issue
                                [ECA-4955] - CMP Proxy swallows underlying error message when verifying certificate path



                                [ECA-4860] - CryptoToken Id not updated when importing a statedump with the merge option



                                [ECA-4862] - CmpMessageHelper.createUnprotectedErrorMessage throws an NPE if a nonce is not included in the CMP message

                                EJBCA 6.5.0


                                [ECA-2841] - Document Password Limitation in manuals and sample files.
                                [ECA-3600] - The /ca_functionality/edit_ca is missing from advanced Access Rules
                                [ECA-3859] - E-mail doesn't work in usernamemapping in self-registration
                                [ECA-4262] - Name constraints encoding incorrect in a certain case
                                [ECA-4310] - Certificate profile key length restriction ignored when creating CA
                                [ECA-4478] - Display "Base64 log ids" when listing CT logs
                                [ECA-4518] - Cloning a fixed hard token certificate profile leads to GUI bug
                                [ECA-4535] - ArrayIndexOutOfBounds when upgrading EJBCA 4 installations
                                [ECA-4546] - Regression: Approvals page ignores 'Expired' status
                                [ECA-4551] - Implement non-partitioned CRLs that will work with name-changed CSCA
                                [ECA-4579] - GUI: Some spaces added in original values in End Entity profile
                                [ECA-4582] - Regression: Edit end entity profile notifications bug
                                [ECA-4584] - GUI: Display problem of Extended Key Usages, in View Certificates
                                [ECA-4587] - Regression: test20MaliciousOcspRequest hangs forever on everything but Wildfly8
                                [ECA-4588] - "Renew Browser Certificate"-link in Public Web broken
                                [ECA-4602] - CMP: EEC authmodule - Checking for CA authorization does not work
                                [ECA-4613] - Don't allow deletion of CT logs that are still in use by a Certificate Profile
                                [ECA-4616] - Regression: EJBCA WS CLI shows a lot of warnings
                                [ECA-4623] - Handle CertificateCreateException with null ErrorCode in public web
                                [ECA-4626] - Duplicate DN values fail in the Self-Registration forms
                                [ECA-4627] - Security Hardening
                                [ECA-4628] - GUI: CA Structure & CRLs usability
                                [ECA-4631] - Security Issue
                                [ECA-4634] - The check whether Subject Directory Attributes fulfill profile always fails in Self-Registration
                                [ECA-4644] - Fix the jbosslogsigning target
                                [ECA-4656] - NPE on system configuration page if no other page has been loaded before it
                                [ECA-4662] - Test CrmfRAPbeRequestTest does not clean up correctly
                                [ECA-4663] - Regression: Standard superadmin shows up as 'Custom' in Basic Access Rules View
                                [ECA-4664] - CompressedCollection silently allows add() after closeForWrite()
                                [ECA-4666] - CmpTestCase can't be run against CmpProxy
                                [ECA-4669] - Revoking/Republishing certificate by selecting its serial number from audit log outputs NPE
                                [ECA-4671] - Possible infinite recursion, leading to OOM in intresources
                                [ECA-4677] - Audit log: Only show valid conditions for each search column
                                [ECA-4683] - Trying to view deleted end entity gives NPE
                                [ECA-4686] - Approval requests from Self Registration appear to originate from CLI
                                [ECA-4694] - CMP: EEC authmodule - Checking for CA authorization still does not work
                                [ECA-4700] - Fix bugs related to Auditor role
                                [ECA-4707] - PeerInternalKeyBindingUpdaterWorker should check status of CA's CryptoToken before trying renewal
                                [ECA-4709] - NPE when trying to display remote IKB where remote cert is not present on CA
                                [ECA-4714] - Security issue
                                [ECA-4718] - Regression: EndEntityManagementSessionTest.test07MergeWithWS fails on the community release
                                [ECA-4719] - ocsp.reqsigncertrevcachetime not defined in defaultvalues.properties
                                [ECA-4721] - Certificate Transparency tab in System Configuration shows up in Community Edition
                                [ECA-4733] - Security hardening of new Statedump GUI
                                [ECA-4736] - Handle changed Subject DN in statedump files
                                [ECA-4738] - Missing properties in cesecore-common library
                                [ECA-4740] - CmpProxyServlet doesn't calculate process time correctly
                                [ECA-4745] - Certificate Profile: Don't save values of disabled fields to make audit easier
                                [ECA-4747] - Imported certificate profile does not include AvailableCAs in the GUI
                                [ECA-4752] - Possible NPE in ConcurrentCache when using DEBUG logging
                                [ECA-4754] - ejbca.org index page broken in chromium
                                [ECA-4757] - Help reference not visible in services page
                                [ECA-4762] - RA Administrators (Pre-defined role template) privileges are missing
                                [ECA-4765] - GeneralPurposeCustomPublisher doesn't surround command arguments with quotes.
                                [ECA-4812] - Healthcheck of CAs get key count wrong and checks for previousCertSignKey
                                [ECA-4814] - SQL error in schema for Postgres databases
                                [ECA-4815] - Fix some JUnit test failures in JDK8
                                [ECA-4824] - Information leak in debug log
                                [ECA-4830] - Minor security hardening
                                [ECA-4832] - Security issue
                                [ECA-4839] - Certificate download redirect does not work with non-ASCII characters in the Subject DN
                                [ECA-4841] - Regression: Events are not shown in the 'View Log'
                                [ECA-4843] - Regression: ConfigurationHolder can no longer read built in properties
                                [ECA-4847] - Don't lock down statedump in fresh installations

                                [ECA-659] - Add restriction for key algorithm in certificate profiles
                                [ECA-1910] - CAs in alphabetic order in the CA Structure & CRLs page
                                [ECA-3204] - Re-factoring of P11Slot
                                [ECA-3780] - Split and kill the src-directory
                                [ECA-3929] - Improve rendering of crypto tokens on the CA Activation page.
                                [ECA-4075] - Document that naming in IS end entities should not be changed
                                [ECA-4237] - Peer connections should send full client certificate chain
                                [ECA-4274] - Eliminate redundant images from docs
                                [ECA-4393] - Reduce number of errors from the OCSP signing cache about expired CAs
                                [ECA-4401] - Can not read private key with alias containing åäö from keystore
                                [ECA-4403] - Parallel CT log submission
                                [ECA-4404] - TLS session re-use for CT submission
                                [ECA-4481] - Cache revocation status of request signers in OCSP responder
                                [ECA-4482] - Make new transaction log variable for ISSUER_NAME and REQ_NAME in original order
                                [ECA-4543] - Implement CSCA "CA Name Change" feature from ICAO 9303 7th part 12
                                [ECA-4552] - Allow statedump to merge existing CryptoTokens
                                [ECA-4562] - Make sure that there is only one set of code handling HSM keys.
                                [ECA-4563] - CMP: ResponseStatus in CmpErrorResponseMessage is not used and should be removed
                                [ECA-4564] - CMP: return message SYSTEM_UNAVAILABLE when profiles can not be read/found in RA mode
                                [ECA-4570] - Document validation error messages returned by CMP Proxy
                                [ECA-4574] - GUI: System Configuration sub-section order
                                [ECA-4575] - GUI: Better CryptoToken alias default value
                                [ECA-4576] - Several SAN DNSname in EMPTY profile
                                [ECA-4577] - GUI: SHA-256 by default in CA creation form
                                [ECA-4583] - GUI: CryptoToken page usability (private key export)
                                [ECA-4595] - GUI: CA creation form usability
                                [ECA-4598] - Make SecConst.MAXIMUM_QUERY_ROWCOUNT into a configurable value
                                [ECA-4599] - EndEntityManagementSessionBean.revokeCert needlessly tries to revoke all certificates
                                [ECA-4601] - Don't require "/ct/v1" in CT log URL
                                [ECA-4607] - Allow CT Log public keys to be uploaded in DER format
                                [ECA-4620] - Security issue
                                [ECA-4629] - General code improvement
                                [ECA-4633] - New RSA key sizes for the Extended Services in CAs
                                [ECA-4638] - Minor improvements to CT Logs timeouts
                                [ECA-4643] - Remove Dependency checker test.
                                [ECA-4648] - Better configuration default values for languages
                                [ECA-4668] - Proactive public web security hardening
                                [ECA-4672] - Change CMP errors codes, missing aliases and already revoked
                                [ECA-4674] - Proactive web security hardening
                                [ECA-4676] - Allow CMP Proxy server to use multiple CA keychains
                                [ECA-4696] - Add path to SafeNet Luna Client 6.1 to default PKCS11 libraries
                                [ECA-4697] - Add path to SoftHSM to default PKCS11 libraries
                                [ECA-4699] - Replace deprecated references CertTools methods
                                [ECA-4701] - Update XStream and limit classes that can be deserialized by Statedump
                                [ECA-4703] - Use newer BC pattern in CertTools to get rid of some warnings
                                [ECA-4704] - Upgrade BouncyCastle to 1.54
                                [ECA-4712] - Remove BaseCryptoToken.extractKey(String, String, String)
                                [ECA-4720] - Document that the site search uses Google
                                [ECA-4726] - Make "CA Name Change" configurable through Global Configuration
                                [ECA-4734] - Document getAuthorizedAvailableAccessRules better
                                [ECA-4737] - Combine the efforts of ECA-4566 and ECA-4568
                                [ECA-4742] - Clarify error message when admin certificate does not belong to a user
                                [ECA-4748] - cmpclient: Use SHA256 as signature algorithm
                                [ECA-4773] - Lock down statedump when upgrading
                                [ECA-4775] - Improve statedump CLI lockdown handling
                                [ECA-4827] - Default healthcheck.publisherconnections to 'false' as documented in the admin guide
                                [ECA-4845] - Improve error messages for approvals.

                                New Feature
                                [ECA-4164] - Support for importing DER-encoded CA certificate file via CLI command "ca importcacert"
                                [ECA-4177] - DER-encoded format as output option during enrollment via CSR
                                [ECA-4319] - Include information in key binding CSR when creating from CLI
                                [ECA-4474] - Prefix/override support for statedump during import
                                [ECA-4504] - Make sure that a signature algorithm supported by the HSM is used when the algorithm is not specified.
                                [ECA-4508] - Ability to define custom order of DN in issued certificates
                                [ECA-4561] - Add restriction for EC curve names in certificate profiles
                                [ECA-4566] - Add signature validation of signed requests in CmpProxy
                                [ECA-4567] - Add HMAC PBE validation of signed requests in CmpProxy
                                [ECA-4568] - Revocation checking of signature certificates in CMP Proxy
                                [ECA-4569] - Separate library for certificate path validation
                                [ECA-4600] - Add a CMP client for test purposes
                                [ECA-4608] - Add Bull HSM default options for GUI access
                                [ECA-4609] - GUI: Display the SHA-256 certificate fingerprint
                                [ECA-4640] - GUI enabled statedump import of uploaded file
                                [ECA-4641] - GUI enabled statedump import of bundled file
                                [ECA-4698] - Add generics to CertTools.getCertfromByteArray methods
                                [ECA-4761] - CA name should be displayed in the delete CA prompt

                                [ECA-4138] - Write complete system tests for ClientToolBox
                                [ECA-4497] - Remove .cvsignore files from SVN repository
                                [ECA-4498] - Remove the CESeCore backup/restore scripts from the release zips
                                [ECA-4618] - CMSIncrementalMode is deprecated in Java 8 and should be removed from our config
                                [ECA-4717] - Add systemd sample configuration for RHEL/CentOD
                                [ECA-4730] - Remove old install guides from doc/howto

                                EJBCA 6.4.2


                                [ECA-4555] - PKCS#11 credentials are displayed incorrectly when creating CryptoToken
                                [ECA-4646] - Clear caches failing with NPE in OcspExtensionsCache when an extension class is not found

                                [ECA-4463] - Add additional pages to Auditor Role
                                [ECA-4682] - Log X-Forwarded-For if present in OCSP requests

                                EJBCA 6.4.1

                                [ECA-4262] - Name constraints encoding incorrect in a certain case
                                [ECA-4535] - ArrayIndexOutOfBounds when upgrading EJBCA 4 installations
                                [ECA-4582] - Regression: Edit end entity profile notifications bug
                                [ECA-4592] - Approvals contains no relevant information
                                [ECA-4602] - CMP: EEC authmodule - Checking for CA authorization does not work
                                [ECA-4623] - Handle CertificateCreateException with null ErrorCode in public web
                                [ECA-4631] - Security Issue

                                [ECA-4574] - GUI: System Configuration sub-section order
                                [ECA-4575] - GUI: Better CryptoToken alias default value
                                [ECA-4576] - Several SAN DNSname in EMPTY profile
                                [ECA-4577] - GUI: SHA-256 by default in CA creation form
                                [ECA-4583] - GUI: CryptoToken page usability (private key export)
                                [ECA-4595] - GUI: CA creation form usability
                                [ECA-4612] - Security Issue

                                EJBCA 6.4.0


                                [ECA-3576] - 'Enforce unique DN' creates a stack trace in public web
                                [ECA-4016] - Unable to activate a crypto token imported by statedump after restarting JBoss
                                [ECA-4022] - Can not use Brainpool or explicit ECC curve in CLI (e.g. import CA certificate, list/export CA)
                                [ECA-4030] - "Key sequence" always set to 00000 when saving uninitialised CA with available crypto token
                                [ECA-4171] - Missing parameter for the --end-entity-password option does not cause statedump import command to fail immediately
                                [ECA-4172] - End entities inaccessible after changing the subject DN of an uninitialised CA
                                [ECA-4197] - Role access rules not updated when changing subject DN of an uninitialised CA
                                [ECA-4228] - Clean redundant method declaration in PublisherSession and PublisherSessionLocal
                                [ECA-4276] - External RA SCEP junit test broken after BC updates
                                [ECA-4283] - Warning about missing intresources running External RA SCEP
                                [ECA-4284] - Possible to create a rollover certificate for a CA waiting for CSR
                                [ECA-4286] - ClientToolBox PKCS11HSMKeyTool can no longer handle sun config file
                                [ECA-4288] - Change usage license info in csv_to_endentity.sh
                                [ECA-4295] - Incorrect documentation on "Finish User" setting.
                                [ECA-4296] - SCEP Client Certificate Renewal shouldn't demand a challenge password
                                [ECA-4298] - Probably wrong description of parameters in help for importcacert command
                                [ECA-4306] - Use UTF-8 in German Admin GUI translation
                                [ECA-4326] - CRLDownload service can't handle multiple revocation changes in a CRL
                                [ECA-4327] - Links from cert enrollment completed page for IE is broken
                                [ECA-4333] - Detect available EC curves in JDK by OID
                                [ECA-4339] - DirectoryName subjectAltName is not added
                                [ECA-4356] - Regression: Sorting of certificates has become random
                                [ECA-4357] - Regression: external-ra-gui doesn't deploy
                                [ECA-4364] - Regression: Error editing Publishers under CA Functions in Admin Web
                                [ECA-4367] - ejbca-ws-generate not run after the addition of CA rollover WS operations
                                [ECA-4368] - intresources missing in externalra-gui war file
                                [ECA-4369] - NPE when trying to create custom publisher that is not pre-edited
                                [ECA-4371] - SCEP Client Certificate Renewal allows renewal using expired certificates
                                [ECA-4381] - OCSP TransactionLogger prints SERIALNUMBER instead of SN for REQ_NAME
                                [ECA-4385] - Internal issue
                                [ECA-4397] - Include custpubl publishers in build
                                [ECA-4399] - System test auth token classes should be commonly accessible
                                [ECA-4400] - Security Issue
                                [ECA-4402] - Subject alternative names dropped when using "Allow merge DN Web Services"
                                [ECA-4405] - ra addendentity CLI command breaks when hard token issuers are enabled
                                [ECA-4414] - Typo error in System Configuration page
                                [ECA-4416] - Verification of CRLs on CAs using Brainpool ECC does not always work
                                [ECA-4418] - Expect OCSP signing if EKU in OCSP signing certificate is marked critical
                                [ECA-4419] - Statedump 6.3 can't import 6.2 dump because ValidationAuthorityPublisher in not on the classpath
                                [ECA-4435] - SCEP: Use empty content in CACert PKCS#7 messages
                                [ECA-4453] - Peerconnector tests and Statedump fails to start due to JNDI problems (NoInitialContextException)
                                [ECA-4457] - EjbcaWS.findCerts(username, isValid=true) should not fetch expired certificates from database
                                [ECA-4469] - 'Edit Service' page: uppercase/lowercase inconsistency in drop down menu
                                [ECA-4471] - Unable to view certificate with E field in issuer DN
                                [ECA-4472] - EJB CLI fails if standalone argument is used after a standalone-enabled switch
                                [ECA-4475] - Validation javascript on End Entity Profile page throws exception
                                [ECA-4479] - CMP RA requests with only notBefore requested does not work
                                [ECA-4483] - Remote EJB serialization of Collection<Certificate> hangs on JBoss 7.1.1.GA
                                [ECA-4484] - EjbcaEventTypes.CA_ROLLEDOVER is missing its language reference
                                [ECA-4489] - No checkbox "Renew keys” on 'Edit CA' page
                                [ECA-4492] - NPE during standard SCEP Certificate Renewal
                                [ECA-4494] - Single Active Certificate Constraint misses certificates due to subject DN differing between UserData and CertificateData
                                [ECA-4495] - NPE in EJBCA WS findCerts when no base64CertData is stored
                                [ECA-4503] - Test case in CertificateCreateSessionTest uses wrong status constants
                                [ECA-4510] - Can't delete admin in access role
                                [ECA-4513] - Unchecking auto-activate does not persist for auto-generated crypto tokens using default password
                                [ECA-4523] - Security Issue, information leak
                                [ECA-4525] - CustomCertExtensions and ExtendedKeyUsages are sorted alphabetically instead of numerically
                                [ECA-4536] - Regression: Approve Action Name not displayed
                                [ECA-4542] - 'List of End Entity Profiles' displays nothing in Auditor pre-defined role
                                [ECA-4554] - NPE in remote IKB page when multiple CA clusters connect to the same VA

                                [ECA-3418] - Optimize JBoss reload during install
                                [ECA-3815] - Improve batch command instructions
                                [ECA-4034] - Include end entities in statedump export by default
                                [ECA-4113] - Modify BatchCreateTool to allow easy cleanup of files from p12 directory
                                [ECA-4163] - Move ScepRequestGenerator out of general code
                                [ECA-4174] - PKCS#11 symmetric key unwrapping for KeyRecovery broken for some HSMs on JDK >= 1.7.0_75
                                [ECA-4248] - Swap username and serialnumber for PUBLISHER_STORE_CERTIFICATE audit event
                                [ECA-4254] - Document prerequisite for trusting external CA's leaf cert from IKB
                                [ECA-4273] - Cosmetic cleanup of IEjbcaWS
                                [ECA-4281] - GUI: Optimization of the header banner of Admin GUI
                                [ECA-4287] - Pre-emptive rewrite of CertificateProfile cache
                                [ECA-4291] - Add system tests for EjbcaWS.caCertResponseForRollover
                                [ECA-4300] - Convert System Configuration page to JSF
                                [ECA-4301] - Add tabs to System Configuration Page
                                [ECA-4304] - Allow prefix for self registered users
                                [ECA-4305] - Disable choice in self registration when referenced profile does not exist
                                [ECA-4313] - Allow help text for custom publishers in language file
                                [ECA-4317] - Document how to encrypt the datasource password in standalone.xml for JBoss EAP 6.4/JBoss AS 7.1
                                [ECA-4325] - Remove CertificateCreationException from code
                                [ECA-4330] - Backport ECA-2576 to 6.2
                                [ECA-4331] - Make the static values for revocation reasons into a new type.
                                [ECA-4342] - Have cryptotokens excluded from Clear All Caches by default.
                                [ECA-4351] - Lower log level of misconfigured CertificatePolicies to WARN
                                [ECA-4352] - Always use EC curves OID when possible for key generation
                                [ECA-4361] - Add logging of 'X-Forwarded-For' in OCSP transaction log
                                [ECA-4365] - Document that Healtch check can be enabled/disabled per CA
                                [ECA-4376] - Add "All CAs" option to Rollover Service worker.
                                [ECA-4390] - GUI: System Configuration page usability
                                [ECA-4406] - Improve how upgrade versions are read, making migration from 6.2.10+ to 6.3+ possible
                                [ECA-4407] - Clarify Illegal key length exception message as limitation by certificate policy
                                [ECA-4415] - GUI: Certificate Profiles page usability
                                [ECA-4430] - Bundle JEE6 API library to minimize appserver build time dependency
                                [ECA-4431] - Update XML schemas for JEE6
                                [ECA-4440] - Fix use of deprecated version of storeCertificateRemote in CertificateStoreSessionRemote
                                [ECA-4441] - Rewrite the ExternalRA GUI to use JSF 2.0 and CSS
                                [ECA-4449] - GUI: CryptoToken page usability
                                [ECA-4454] - Certificate Profiles: Sort Custom Certificate Extension and EKUs alphabetically by label.
                                [ECA-4455] - CustomCertExtensions: Remove limit on number of certificate extensions (was: Identify by OID instead of ID)
                                [ECA-4456] - Allow EjbcaWS.findCerts(usename, isValid) to work without UserData
                                [ECA-4458] - Improvements to Certificate Extensions overview page
                                [ECA-4460] - Extended Key Usages overview page should be sorted by OID.
                                [ECA-4461] - Add input validation control to SAN in EEP
                                [ECA-4462] - Minor improvements to Auditor role
                                [ECA-4465] - GUI: End-Entity Profile usability
                                [ECA-4470] - Document how EKUs and CCEs are imported in upgrade
                                [ECA-4480] - ExtRA GUI DB2 support
                                [ECA-4490] - Upgrade EJBCA to BC 1.53
                                [ECA-4515] - Remove translation of CustomCertExtension displayname into readable text
                                [ECA-4517] - Buttons for type of Certificate Profile etc. are confusing for new users
                                [ECA-4531] - ExtendedKeyUsages: remove deprecated method
                                [ECA-4537] - 'End Entity Profiles' are not displayed in Access Rules

                                New Feature
                                [ECA-3436] - Support WildFly 8
                                [ECA-4264] - Ability to generate link certificate from key on HSM
                                [ECA-4279] - Add ability to specify revocation reason and revocation date when importing certificates in the CLI
                                [ECA-4282] - Allow CMP Proxy to work with External RA backend
                                [ECA-4341] - Add CertificateProfileID to OCSP transaction logs
                                [ECA-4343] - Custom Certificate Extensions and EKUs without recompilation
                                [ECA-4344] - Introduce a Read-Only admin to EJBCA
                                [ECA-4345] - Granular control over elements of the DN in End Entity Profiles
                                [ECA-4360] - SCEP Client Certificate Renewal on a rollover CA
                                [ECA-4372] - New setting for specifying certificate chain order in the public web.
                                [ECA-4396] - Compile and deploy on WildFly 9
                                [ECA-4459] - Certificate Extensions should define their own property fields
                                [ECA-4502] - Improve upgrade procedure with database version detection.

                                [ECA-4289] - Remove outdated sample file change_p12_pwd.c
                                [ECA-4292] - Remove Support for XKMS
                                [ECA-4466] - AdminWeb CSS styles clean up
                                [ECA-4468] - Remove site:publish ant target

                                Master Ticket
                                [ECA-4432] - Remove JEE5 and JDK6 support
                                [ECA-4375] - Update documentation to reflect dropped JBoss5 and JDK6 support.
                                [ECA-4417] - Remove build and install script specifics for JEE5 app servers and JDK6.
                                [ECA-4433] - Get rid of Hibernate compatibility libs
                                [ECA-4437] - Update ExternalRA GUI to JEE6

                                EJBCA 6.3.2


                                [ECA-4198] - Regression: ScepServlet can't compile in CE
                                [ECA-4202] - Random failure in CMP stress test
                                [ECA-4236] - Peer connection are unable to verify server certificates with critical server auth EKU
                                [ECA-4258] - Table PeerData creation is missing from create-tables-ejbca-*.sql
                                [ECA-4259] - Scep Certificate Renewal is configurable in RA Mode

                                [ECA-4038] - Have EJBCA DB CLI fail nicely when built in Community Edition
                                [ECA-4186] - WS - Use the "isRunningEnterprise()" method in EjbcaWSTest
                                [ECA-4201] - SCEP test improvements
                                [ECA-4206] - Add documentation about new WS CLI commands
                                [ECA-4211] - Use ISO8601 date format for CA expiration in initialization log
                                [ECA-4245] - GUI: CA creation page usability
                                [ECA-4255] - Update EJBCA architecture diagrams
                                [ECA-4260] - Add flowchart of SCEP enrollment/renewal to admin docs
                                [ECA-4263] - Move static class load from CryptoTokenFactory singleton to init
                                [ECA-4265] - Small improvements of SCEP config JSF
                                [ECA-4268] - Improve build time
                                [ECA-4269] - Update CMP Proxy README

                                New Feature
                                [ECA-4168] - SCEP support for CA certificate rollover
                                [ECA-4178] - Admin GUI translated in Czech language
                                [ECA-4199] - Add Enterprise/Community identifier to internal.properties
                                [ECA-4205] - Add new WS CA Admin commands to the WS CLI

                                [ECA-4119] - Enterprise feature
                                [ECA-4120] - Enterprise feature

                                EJBCA 6.2.10

                                [ECA-2138] - External RA GUI cannot handle SubCA certificates with critical CDP
                                [ECA-2282] - Publishing certificate from certificate view GUI to queued publisher causes error message but publishing works anyway
                                [ECA-3789] - Stack trace if CAs in Certificate Profile and End Entity Profile don't match
                                [ECA-3887] - An NPE is thrown at user when submitting invalid CSR during enrollment
                                [ECA-3999] - Make healtcheck setting configurable for new CAs
                                [ECA-4104] - Removing PKCS#11 token makes Cypto Token GUI unusable
                                [ECA-4141] - Several issues regarding End Entity Rules in basic mode
                                [ECA-4147] - Review/fix usage of getAuthorizedEndEntityProfileIds
                                [ECA-4180] - Update FileUpload library used by ExternalRA GUI
                                [ECA-4195] - Ocsp key renewal timer not starting automatically
                                [ECA-4203] - "Check Certificate Status" reports incorrect/misleading status
                                [ECA-4209] - Regression: Ad hoc upgrade of OCSP might be broken by the CachingCryptoToken
                                [ECA-4232] - Regression: Certificate keyUsage invalid from CSR when using allowKeyUsage override
                                [ECA-4243] - POP is not verified properly on WS requests
                                [ECA-4246] - EJBCA Token Certificate Enrollment: Text differs from button name
                                [ECA-4249] - ClientToolBox OCSP test does not work with HTTP GET

                                [ECA-4081] - Remove name lookup done by OCSP responder
                                [ECA-4146] - Upgrade BouncyCastle to 1.52
                                [ECA-4157] - Allow import of certificates for non-revoked end entities using importcert command
                                [ECA-4191] - Upgrade cert-cvc project to BC 1.52
                                [ECA-4192] - Replace deprecated methods: constructor for AuthorityKeyIdentifier, and ECPoint.getX/getY
                                [ECA-4194] - Add possibility to prompt for password in CLI calls to setpwd
                                [ECA-4196] - Replace EJBCA logotypes in documentation
                                [ECA-4210] - Validate OCSP signing chain
                                [ECA-4223] - Add favicon to ExternalRA GUI
                                [ECA-4227] - Update EJBCA logo and favicon
                                [ECA-4231] - Change variable names in BaseCaAdminCommand.java
                                [ECA-4266] - Small documentation improvements

                                New Feature
                                [ECA-4214] - Ability to rename end entities
                                [ECA-4226] - CLI command to remove Publisher with dependencies
                                [ECA-4233] - Add Certificate Profiles setting to limit certificate storage
                                [ECA-4242] - Certificate Profile Setting for restricting certificate data being written to the CertificateData/Base64CertData tables



                                [ECA-4208] - OcspKeyBindings are not listed as available default responders
                                [ECA-4209] - Regression: Ad hoc upgrade of OCSP might be broken by the CachingCryptoToken

                                [ECA-4038] - Have EJBCA DB CLI fail nicely when built in Community Edition
                                [ECA-4245] - GUI: CA creation page usability
                                [ECA-4260] - Add flowchart of SCEP enrollment/renewal to admin docs

                                [ECA-4119] - Enterprise feature
                                [ECA-4120] - Enterprise feature
                                [ECA-4196] - Replace EJBCA logotypes in documentation
                                [ECA-4227] - Update EJBCA logo and favicon

                                EJBCA 6.3.1


                                [ECA-4044] - Ignore EJBCA test certificates from been published using the Peer connector
                                [ECA-4048] - Peer System: Failure to connect when list of trusted certs is empty
                                [ECA-4068] - Add PeerData to drop tables SQL script
                                [ECA-4073] - typo in exception 'Failed to write audit log...'

                                [ECA-3146] - Allow an renewal of an external CA certificate by import
                                [ECA-3951] - Add a column to InternalKeyBindingPage/CLI to warn for inactive certificate
                                [ECA-4033] - Do not include administrators registered via certificate serial numbers in statedump
                                [ECA-4092] - Create module for separate enterprise and community specific implementation
                                [ECA-4093] - Lower log-level of CmsCAService "KEYSTORE is null..." message
                                [ECA-4117] - CMPProxy not updated to work with different cmpalias

                                New Feature
                                [ECA-3581] - Single Active Certificate Constraint
                                [ECA-3754] - CLI: Create a table utility
                                [ECA-4062] - WS API support to create a new CA and Superadmin certificate
                                [ECA-4063] - WS APIs for monitoring certificate expiration
                                [ECA-4064] - SCEP support for Client Certificate Renewal
                                [ECA-4159] - Show what version documentation applies to at all times

                                [ECA-4145] - Document all audit log messages

                                EJBCA 6.2.9


                                [ECA-3619] - Wrong administrator removed from role when deleting at the same time with two separate CA admins
                                [ECA-3788] - CLI needs to set argument --password together with the value when setting it
                                [ECA-3879] - Fix logging of default OCSP responder properly
                                [ECA-4049] - Certificates of non-CAs are accepted when importing external CAs
                                [ECA-4071] - A base64 decoder exception is thrown when inspecting a specially-crafted CSR
                                [ECA-4122] - Typo in Crypto Token HSM Slot
                                [ECA-4148] - EJBCA WS Test test25CreateandGetCRL fails when delta CRLs are enabled
                                [ECA-4152] - "Renew Browser Certificate" should require notifications to be set.
                                [ECA-4156] - Regression: BaseCryptoToken has lost caching of keys since EJBCA4
                                [ECA-4160] - X509CertStoreSelector does not work as used in BC 1.51
                                [ECA-4173] - CLI command ca getcacert always outputs root CA certificate when using the -der option
                                [ECA-4179] - SCEP stress test regression
                                [ECA-4184] - WaitingForApprovalException declares property as public

                                [ECA-4128] - Replace references to deprecated class DiskFileUpload
                                [ECA-4137] - Test throw away CA issuance over web service interface
                                [ECA-4181] - Several EjbcaWS tests fail when EEP-limitations are enabled
                                [ECA-4182] - Replace deprecated classes: PEMWriter, DERObjectIdentifier and DERTags

                                [ECA-4090] - Remove broken NetID integration code

                                EJBCA 6.2.8


                                [ECA-3602] - jboss-cli.bat fails when called from jboss.xml on JDK >= 7.21
                                [ECA-3807] - Root CA key is always used when decrypting SCEP requests
                                [ECA-3963] - Save and Test Connection with CT publisher should fail if no CT logs are configured
                                [ECA-4043] - Timing issue in CaRenewCACommandTest
                                [ECA-4065] - "Renew" button still exists for a revoked CA, produces stacktrace
                                [ECA-4067] - Regression: Default RA Admin doesn't have access to the Add End Entity page
                                [ECA-4070] - External CAs turn up on the list of possible CAs when creating End Entities
                                [ECA-4074] - AlgorithmIdentifier of RFC 6960 id-pkix-ocsp-pref-sig-algs extension is not parsed correctly
                                [ECA-4083] - OCSP configuration per certificate profile id is used for CERTPROFILE_NO_PROFILE
                                [ECA-4094] - Remove extraneous authorization checks from PublisherDataHandler
                                [ECA-4095] - Incorrect log output in publisher authorization check
                                [ECA-4096] - Access rule /ca_functionality/edit_publishers does not allow role to edit publishers
                                [ECA-4101] - Security Issue
                                [ECA-4103] - References to deprecated rule '/super_administrator'
                                [ECA-4107] - Allow creation of non standard conformant RAW custom extension
                                [ECA-4110] - Approve Action - NPE after click on the username
                                [ECA-4112] - Regression: External CAs not listed as "Available CAs" in CLI when using addadmin
                                [ECA-4116] - Remove notes and test extension from certextensions.properties
                                [ECA-4131] - CT options can't be changed when using only publishing
                                [ECA-4136] - HardToken Certificate Profile Type has wrong label

                                [ECA-3831] - adminmenu.jsp still refers to legacy /superadmin rule
                                [ECA-4011] - Disable "Name Constraints" fields when External CA is selected
                                [ECA-4018] - Upgrade to BouncyCastle 1.51
                                [ECA-4039] - Improve HealthCheck free memory control
                                [ECA-4053] - Speed up HSMKeyTool stress test
                                [ECA-4087] - Update EJBCA copyright notice to match homepage
                                [ECA-4098] - Make sure sure that CAs in add/edit end entity screen are arrange alphabetically
                                [ECA-4108] - Possibility to disable CT submission for existing non-CT certificates
                                [ECA-4111] - Upgrade cert-cvc subproject to BC 1.51
                                [ECA-4114] - Sort CryptoTokens by name when creating a new Key Binding
                                [ECA-4139] - Editing CMP, SCEP and system configuration requires root privileges

                                Master Ticket
                                [ECA-3971] - Improve OCSP responder performance
                                [ECA-4054] - Reload CA certificate cache in the background
                                [ECA-4055] - Avoid unnecessary OCSP response signature checks
                                [ECA-4072] - Avoid interactions with AuditLogger and TransactionLogger when disabled
                                [ECA-4082] - Improve OcspServlet.addRfc5019CacheHeaders
                                [ECA-4084] - Improve OCSP HSM signing thread behaviour
                                [ECA-4085] - Additional caching of objects that are the same between multiple OCSP requests

                                New Feature
                                [ECA-3976] - Cache SCTs in OCSP responses
                                [ECA-4052] - Allow override of EJBCA's subject DN ordering in web service call for issuing certificate
                                [ECA-4106] - Allow to specify number of SCTs in OCSP responses

                                [ECA-4060] - Create a subtarget to ant ziprelease that creates a versioned zip of the statedump source.

                                EJBCA 6.3.0


                                [ECA-2478] - UnrevokeEndEntity unrevokes cert but not user
                                [ECA-3528] - GUI: Some messages not localized in Admin Web
                                [ECA-3590] - Cache the slot list
                                [ECA-3598] - Fix handling of invalid ZIP contents when importing certificate profiles
                                [ECA-3599] - Fix handling of invalid ZIP contents when importing end entity profiles
                                [ECA-3609] - Name constraints properties are duplicated in CLI editca command
                                [ECA-3631] - database valid connection sql for VA publisher is taken from database.properties instead of va-publisher.properties
                                [ECA-3634] - OCSP does not audit and transaction log UNAUTHORIZED messages
                                [ECA-3656] - Forbidden characters can be allowed
                                [ECA-3719] - GUI: Publisher page usability
                                [ECA-3745] - Some language have not the standard language code
                                [ECA-3797] - Statedump incorrectly tries to export full BasePublisher object
                                [ECA-3804] - httpsserver.an (altname) is ipaddress by default, and no dnsName matching CN
                                [ECA-3813] - GUIDGeneratorTest fails intermittently
                                [ECA-3841] - JAR file used by CT should be rebuilt for JDK6
                                [ECA-3849] - Admin must be authorized to all CAs to import keybinding certificate
                                [ECA-3855] - Loading saved CMP configuration referencing a deleted EEP results in NPE
                                [ECA-3892] - GUI: A lot of event messages not set in "View Log"
                                [ECA-3908] - Allow OcspKeyRenewalTest to run predictably on system with existing AuthenticationKeyBindings
                                [ECA-3949] - Status parameter in "keybind create" command shouldn't be case sensitive
                                [ECA-3960] - CaPKCS11SessionTest fails and never recovers if test is aborted
                                [ECA-3968] - Sort and count peer connectors correctly in statedump
                                [ECA-3993] - ejbca-db-cli does not work due to PeerConnector
                                [ECA-4003] - "CRL Updater" service doesn't update the CRL
                                [ECA-4012] - Reject IP addresses in dNSName name constraints
                                [ECA-4032] - Regression: Key Recoverable not set in EE when activated and required in profile

                                [ECA-2272] - Refactoring some DN attributes and Alternative names naming
                                [ECA-2340] - GUI: Audit Log usability
                                [ECA-2576] - New key sizes available in certificate profiles
                                [ECA-3043] - Document SameRequestRateLimiter better
                                [ECA-3256] - Split the va-war module into its logical parts
                                [ECA-3412] - Rework VA/OCSP documentation
                                [ECA-3414] - Clean up Exception handling in SignSessionBean
                                [ECA-3601] - Enterprise feature
                                [ECA-3654] - Enterprise feature
                                [ECA-3674] - Allow certificate validity before current date using end entity ExtendedInformation
                                [ECA-3720] - GUI: Certificate Profile page usability
                                [ECA-3726] - Make CertSafe implement CustomPublisherUiSupport
                                [ECA-3746] - GUI: Displaying the language name in configuration sections
                                [ECA-3753] - Add OpenSC PKCS#11 to default crypto token library path
                                [ECA-3769] - CryptoToken usage should also include internal key bindings
                                [ECA-3773] - Add NIST PIV Card Authentication extended key usage
                                [ECA-3809] - Improve the message for signed SubCAs regarding the need of *.pem or *chain.pem
                                [ECA-3824] - CertSafePublisher should use a dropdown pane for setting authentication keybindings
                                [ECA-3854] - Optimize Language tool
                                [ECA-3869] - Sort key aliases by name in InternalKeyBinding edit view
                                [ECA-3874] - RSA 4096 keys pre-selected in Crypto Token form
                                [ECA-3891] - GUI: Firefox CRLs direct import removed
                                [ECA-3930] - CryptoTokenManager: Add a column for auto-activation status.
                                [ECA-3955] - Add some missing OCSP system tests
                                [ECA-4051] - Correct documentation of CLI command when updating a CMP alias

                                Master Ticket
                                [ECA-3144] - Improved sub system integration (EJBCA Peer Systems)
                                [ECA-3652] - Create PeerMessage datatype, ORM and CRUD beans
                                [ECA-3653] - Create basic JSF pages for Peer mgmt
                                [ECA-3659] - Connect GUI with CRUD
                                [ECA-3671] - Add auth checks to CRUD bean
                                [ECA-3694] - Milestone: Make PingMessage work from a PeerConnector created in the GUI
                                [ECA-3699] - Outgoing TLS configuration as part AuthenticationKeyBinding
                                [ECA-3700] - Rename peerconnector-common to *-ejb and move common classes under ear/lib/..jar
                                [ECA-3702] - Basic publishing to peer system
                                [ECA-3704] - Framework for making custom publisher configuration nicer
                                [ECA-3710] - Do parallel publishing when the same thing is published to multiple targets
                                [ECA-3711] - Changes to publishing API for efficient publishing of full CertificateData (and Base64CertData)
                                [ECA-3712] - Efficient resynchronization of data between CA and Peer VA
                                [ECA-3715] - Requested capabilities should be saved when creating peer connector
                                [ECA-3722] - Create CLI support for PeerConnector
                                [ECA-3742] - Publish the same updateTime that is used in the CA's database
                                [ECA-3751] - Manual renewal of OcspKeyBinding at peer
                                [ECA-3752] - Behavioral configuration for PeerConnectors
                                [ECA-3756] - Make InternalKeyBinding access rules configurable
                                [ECA-3757] - Minor PeerConnector refactoring and documentation
                                [ECA-3759] - Service for automatic renewal of remote key bindings
                                [ECA-3762] - Documentation: Create a security model for PeerConnectors
                                [ECA-3770] - PeerConnector GUI improvements
                                [ECA-3775] - Forbid start and return error when background task with same id exist
                                [ECA-3777] - ListPeersCommand improvements
                                [ECA-3778] - Drop concept of capabilities and use regular access rules framework
                                [ECA-3781] - Improve peer message format
                                [ECA-3782] - Stop connection pool and prevent start when peer connector is disabled or URL changes
                                [ECA-3784] - More fine grained access rules for peer connectors
                                [ECA-3785] - Disable plain http connections for peers
                                [ECA-3786] - Shorten peer connector Servlet URL
                                [ECA-3787] - Option for synchronization dry run
                                [ECA-3803] - Peer connector system tests
                                [ECA-3805] - Propagation of peer connection errors to UI
                                [ECA-3806] - CLI for generic peer connection settings
                                [ECA-3810] - Minor PeerConnector GUI improvements
                                [ECA-3811] - Lookup authentication token at pool startup
                                [ECA-3825] - Allow one AuthenticationKeyBinding to be used per Peer Connector
                                [ECA-3833] - JEE5 support for enterprise edition only SSBs
                                [ECA-3839] - Use one connection pool per outgoing id instead of URL
                                [ECA-3840] - Cache PeerOutgoingInformation objects
                                [ECA-3846] - More fine grained errors than UnknownMessageTypeResponse without information leakage
                                [ECA-3850] - Use separate GlobalConfiguration for peer connections
                                [ECA-3867] - Correct peer module license headers
                                [ECA-3876] - Statedump support for peer connectors and configuration
                                [ECA-3881] - Improve error message when peer responds with an unknown or broken message
                                [ECA-3882] - PeerConnector: Ugly errors when using illegal characters in URL
                                [ECA-3898] - Adjust logging of handled failures during peer publishing
                                [ECA-3899] - Show mismatched access rules for incoming peer authorization instead of fixing it
                                [ECA-3923] - Handle additional server side certificate end entity alias from PeerConnectionsTest
                                [ECA-3928] - Rename Remote Systems menu item to "Peer System"

                                New Feature
                                [ECA-3705] - Create a plugin interface for rules
                                [ECA-3800] - get the certificate of an ocsp keybinding
                                [ECA-3885] - New signature algorithm SHA512withECDSA

                                [ECA-3962] - EJBCA Enterprise feature

                                EJBCA 6.2.7


                                [ECA-3902] - Update EJBCA user guide documentation
                                [ECA-3973] - OCSP key renewal for all keys leads to NPE when logging
                                [ECA-3977] - Regression: CMP algorithmId lacking DERNull when using PKCS#11
                                [ECA-3978] - End entities aren't sorted in statedump output
                                [ECA-3983] - External CAs turn up on the "CA Activation" list.
                                [ECA-3991] - CertTools.stringToBcX500Name fails for sn=#foo
                                [ECA-3994] - ejbca-db-cli copy command does not work due to invalid temp files
                                [ECA-3995] - Upgrade documentation for CMP has wrong ordering of arguments
                                [ECA-4000] - Potential security issue without known exploit
                                [ECA-4007] - "Certification Authorities" and "Publishers" missing from admin menu with access rule /ca_functionality (recursive, accept)
                                [ECA-4009] - Post upgrade fails when old admin groups don't exist
                                [ECA-4014] - CRL Downloader doesn't store empty CRLs
                                [ECA-4019] - Wrong error message for Name Constraint violations with short subject DNs

                                [ECA-3798] - Statedump: Incorrect number of end entity profiles are logged as exported
                                [ECA-3970] - Log in OCSPResponder when revoked OCSP certificates are read to the cache
                                [ECA-3984] - Debug log HTTP response body on CT log error
                                [ECA-3985] - Edit CA page load is slow with many keys in referenced Crypto Token
                                [ECA-3986] - Optimize CAToken.getTokenStatus
                                [ECA-3989] - Allow recovery from a bad upgrade of CA Tokens to CryptoTokens
                                [ECA-3992] - Remove critical BC warnings in order to upgrade BouncyCastle to version 1.51
                                [ECA-4008] - Port adjustable transaction timeouts to JBoss 7 / EAP 6
                                [ECA-4017] - Remove database lookups that can be read from cache
                                [ECA-4024] - Add a [?] link from the User Data Sources page to the admin guide

                                New Feature
                                [ECA-4006] - Add test for legacy subject encoding with override enabled via CMP



                                New Feature
                                [ECA-2842] - Add SAN SRVName OtherName for XMPP Client certificates (RFC 6120)
                                [ECA-2843] - Add SAN XmppAddr OtherName for XMPP Client certificates (RFC 6120)



                                New Feature
                                [ECA-5322] - Ability to use variables in email subject for email expiration service



                                New Feature
                                [ECA-5279] - Support RegisteredID in subject alternative name



                                [ECA-4947] - Resetting an end entity password after key recovery should not require 'Edit End Entities'-rights



                                [ECA-4885] - Key recovery requires 'Edit End Entities'-rights

                                EJBCA 6.2.6


                                [ECA-3608] - EJB CLI cryptotoken create command issues
                                [ECA-3828] - Regression: HttpMethodsTest and WebdistHttpTest test failures
                                [ECA-3862] - Security Issue
                                [ECA-3931] - Key recovery fails when user data has changed CA
                                [ECA-3933] - Symmetric keys in crypto token's HSM slot prevent listing of slot keys
                                [ECA-3935] - Regression: Wrong key length used when creating keystore from public web
                                [ECA-3936] - Extra space at end of line in transaction log.
                                [ECA-3937] - Result of stand-alone JUnit tests are discarded during ant test:run
                                [ECA-3943] - Fix ServiceManifestBuilderTest
                                [ECA-3944] - superadmin.cn value lacks quotes in cli.xml
                                [ECA-3948] - OCSP log values ISSUER_NAME_DN and SIGN_ISSUER_NAME_DN contain SERIALNUMBER= instead of SN=
                                [ECA-3958] - Cannot create new CertSafe publisher
                                [ECA-3969] - Default OCSP responder is not used for external CAs without OCSP key binding
                                [ECA-3972] - PKCS#11 keys aren't extractable when they should be

                                [ECA-3916] - WS: Return the EndEntity/Certificate profile of a specific profile ID
                                [ECA-3927] - Make systemtests.properties available to peer module and PKCS#11 system tests
                                [ECA-3938] - Add a regression test for ocsp.nonexistingisrevoked
                                [ECA-3942] - Improve logging of ServiceManifestBuilderTest failures
                                [ECA-3954] - Improve the properties output of InternalKeyBindingListCommand to show default property values
                                [ECA-3956] - OCSP response if the requested certificate is revoked is identical in logs to case where issuer of signing cert is revoked.
                                [ECA-3967] - Update httpclient and httpcore to latest version

                                New Feature
                                [ECA-3939] - Add EV Certificate specific DN components

                                EJBCA 6.2.5


                                [ECA-3901] - Possible NPE when debug is enabled
                                [ECA-3906] - Missing key in CryptoToken for mapped purpose in CAToken will hang healthcheck
                                [ECA-3907] - CAToken to CryptoToken upgrade failure
                                [ECA-3909] - InternalKeyBindingMgmtSessionBean.generateNextKeyPair fails if nextKey already exists

                                [ECA-3723] - Allow verbose preference for CLI
                                [ECA-3866] - JavaDoc CLI enums
                                [ECA-3905] - Add instructions how to import certificate profiles in GUI
                                [ECA-3915] - External RA GUI browser enroll does not work with FF 33 and later

                                New Feature
                                [ECA-3900] - Allow CT log publisher to use HTTP Proxy java system settings

                                EJBCA 6.2.4


                                [ECA-3633] - CMP response caPubs field contain entity certificate instead of CA certificate
                                [ECA-3657] - RA administrator, failure while Approvement
                                [ECA-3716] - Regression: Externally imported CAs appear in list of signers when creating a CA
                                [ECA-3718] - Fix using trusted certificates in Internal Key Binding
                                [ECA-3776] - Prevent API call from setting InternalKeyBinding status to "active" if there is no referenced certificate
                                [ECA-3814] - getcacert does not return CA Certificate
                                [ECA-3822] - CertSafePublisher.testConnection doesn't test URL properly
                                [ECA-3834] - CertSafePublisher does not work under JDK6
                                [ECA-3845] - Certificate Transparency, not selecting any CT log passes issuance even if Min SCTs is 1
                                [ECA-3853] - AKID is different from CA SKID in CRLs, if not using SHA1
                                [ECA-3868] - Attempting to use a non-ocsp certificate for an OCSPKeyBinding fails silently

                                [ECA-3826] - ant install shows annoying but harmless error messages
                                [ECA-3843] - Create a link from basic access rules page to documentation
                                [ECA-3848] - Shift GlobalConfiguration* to CESeCore, make plugin friendly
                                [ECA-3860] - New call to get registered global configuration types
                                [ECA-3889] - Allow more than one IKB renewal per second

                                New Feature
                                [ECA-3580] - Certificate Transparency: Private Domains
                                [ECA-3794] - Default OCSP responder improvements

                                [ECA-3801] - Enterprise feature

                                EJBCA 6.2.3


                                [ECA-3749] - Batch generation information for end entities in statedumps ignored during import
                                [ECA-3755] - Regression: Modifying approval settings when editing a certificate profile is broken
                                [ECA-3760] - Possible ClassCastException when using Subset of SubjectDN in Certificate Profile
                                [ECA-3763] - InternalKeyBinding.getListOfTrustedCertificates trusts everything if specified with a non existing certificate
                                [ECA-3765] - ca init command in cli.xml is missing two switches
                                [ECA-3779] - Values from first loaded certificate profile is shown and saved when editing other profiles
                                [ECA-3783] - Statedump can not export (custom)publisher where all classes are not on statedump classpath

                                New Feature
                                [ECA-3437] - Cert Safe Publisher for EJBCA

                                EJBCA 6.2.2


                                [ECA-3683] - Statedump: For an uninitialised CA, it appears in its own list of possible issuers.
                                [ECA-3687] - Error upgrading old installations to JBoss 7 (jboss serialization)
                                [ECA-3692] - Regression: Certificate and CRL store download pages empty after server restart
                                [ECA-3695] - 100% upgrade from EJBCA 4 to 6 fails on CertificatePolicy
                                [ECA-3696] - If there are Ocsp key binding with messed up certificate, you can get NPE
                                [ECA-3698] - Clear all caches makes crypto tokens off-line
                                [ECA-3714] - Authority Information Access is deselected in Certificate Profiles under some circumstances when upgrading from EJBCA 4 to EJBCA 6
                                [ECA-3721] - Import of internal key bindings via statedump requires crypto token to be online
                                [ECA-3725] - EJBCA CLI prompts twice for the CLI password when using -p
                                [ECA-3727] - Deprecated (null) extended key usages visible in Certificate profile
                                [ECA-3729] - Statedump: Properties object is copied the wrong way when generating cryptotoken keys from a template
                                [ECA-3730] - Not finding some OCSP request signer certificate in DB
                                [ECA-3732] - clientToolbox ocsp test was not updated after that the root certificate was removed from the certificate chain in the OCSP response.
                                [ECA-3733] - cryptotoken create command requires attr flag
                                [ECA-3735] - Statedumped end entities do not keep clear password settings
                                [ECA-3736] - Unable to "Save and Initialize" externally-signed sub-CA imported via statedump
                                [ECA-3744] - InternalKeyBindingCreateCommand misses a null check for missing cryptotokens

                                [ECA-3688] - "ant build" failes on JBoss EAP 6.2 installed via RPM package from Redhat repositories
                                [ECA-3690] - Possible information leakage
                                [ECA-3691] - Improve message when profile changes name during work in the GUI
                                [ECA-3707] - Do not generate non-active XKMS and CMS certificates as it can violate name constraints

                                New Feature
                                [ECA-3149] - OCSP responder support for CertId using SHA256 in OCSP requests

                                [ECA-3703] - Upgrade tomahawk to latest 1.1.14

                                EJBCA 6.2.1


                                [ECA-3589] - First CRL not created when initialising root CA after statedump import
                                [ECA-3613] - Regression: The CLI doesn't parse the value ca.name from install.properties if it contains spaces.
                                [ECA-3615] - SECURITY: Security issue
                                [ECA-3617] - Allow Enterprise Edition to run system tests sans Statedump
                                [ECA-3620] - Import/export profiles rendered during unrelated operations
                                [ECA-3621] - Can't save or initialize uninitialized (= statedump imported) externally-signed CA
                                [ECA-3635] - Regression: Missing user notice and CPS in certificate policy extensions
                                [ECA-3643] - Autoactivate switch in CryptoTokenCreateCommand is obfuscated
                                [ECA-3645] - CLI complaining about unknown CA with id 0 (Improve output for unbound admins)
                                [ECA-3648] - Importing certificate - no email specified error
                                [ECA-3650] - Changing the Subject DN on an uninitialized (=statedump-imported) CA causes all extended services to be lost
                                [ECA-3661] - Statedump can't import PKCS#11 cryptotokens with slots referenced by label
                                [ECA-3664] - Invalid key specification for uninitialised key after importing a statedump
                                [ECA-3670] - Fix exceptions when excluding system/cmp/admin config in statedump
                                [ECA-3675] - Not all defined external RA datasources added in persitence.xml
                                [ECA-3679] - Regression: CA soft keystore pwd is always default when creating CA using CLI
                                [ECA-3685] - Int to Long cast exception upgrading OCSP

                                [ECA-3501] - Create CryptoToken key aliases (needed for InternalKeyBindings) during statedump import
                                [ECA-3592] - Update CA IDs for uninitialised CAs when saving
                                [ECA-3606] - Make HSM system tests configurable
                                [ECA-3618] - Configurable environment for testAdminWebSecurityHeaders
                                [ECA-3622] - Fix cosmetic issues with statedump
                                [ECA-3624] - Hide Name Constraint textboxes for external CAs without keys
                                [ECA-3625] - Handle external CAs (=without keys) in Statedump
                                [ECA-3626] - Proper setup of environment for testAuthenticationWithMissingCertificate
                                [ECA-3630] - Allow importing Key Bindings in statedump even when key aliases are missing
                                [ECA-3638] - Don't include external CAs in statedump export by default
                                [ECA-3640] - Modifying uninitialised CAs (from statedump) even if keys are missing/crypto token is offline
                                [ECA-3662] - Don't export end-entity passwords from statedump
                                [ECA-3663] - Don't export crypto token auto-activation passwords in statedump
                                [ECA-3665] - Import all crypto tokens in inactive state during statedump import
                                [ECA-3666] - Better error message during statedump export if crypto token is offline
                                [ECA-3667] - Show warnings during statedump export for exclude patterns that did not match anything
                                [ECA-3668] - Improve options format of statedump tool
                                [ECA-3669] - Better warning/error output in statedump utility
                                [ECA-3677] - Do not allow export of CA keystores not protected by password
                                [ECA-3689] - Improve parameter naming per internal suggestions

                                New Feature
                                [ECA-3636] - Statedump CLI command to initialize statedump-imported CA
                                [ECA-3637] - Ability to limit what is exported in statedump
                                [ECA-3639] - Placeholders for keys in crypto tokens imported via statedump
                                [ECA-3642] - Include end entity information in statedump

                                EJBCA 6.2.0


                                [ECA-3216] - Return unsigned response "unauthorized" when no default responder configured, or wrongly configured
                                [ECA-3299] - OCSP request signer verification does an additional database lookup
                                [ECA-3454] - Inconsistent skip options for state dump import
                                [ECA-3481] - Minor security hardening
                                [ECA-3489] - Fail fast creating CVCCAs when unique certificatedata_idx12 is enabled
                                [ECA-3492] - renameRole() tries to change primary key and triggers a HibernateException
                                [ECA-3495] - The public part of a key is still on the P11 token after the private part is removed.
                                [ECA-3496] - java.lang.IndexOutOfBoundsException when selecting empty crypto token for internal key binding
                                [ECA-3499] - Overwriting a CA with StateDump can leave cert/ee profiles in an invisible state
                                [ECA-3506] - ejbca-ws-generate target missing dependencies
                                [ECA-3517] - "Lock wait timeout exceeded" when disabling multiple access rules with MariaDB Galera
                                [ECA-3518] - NPE if only period length is provided for private key usage period
                                [ECA-3521] - Certificate & End-Entity Profiles with missing CAs become invisible, even for superadmin
                                [ECA-3534] - NullPointerException when adding a user without password
                                [ECA-3535] - State dump unselects "Any CA" from profiles during import
                                [ECA-3536] - ejbca-db-cli does not work since change to use ServiceLocator
                                [ECA-3537] - Clean up exception handling in CertificateCreateSession
                                [ECA-3551] - Certificates are not submitted to CT when generated from CLI, etc.
                                [ECA-3582] - CMP can not handle some valid CSRs.
                                [ECA-3587] - Update default Modifiable Fields in User Data Sources
                                [ECA-3588] - Regression: PrintableString encoding for DNs does not work
                                [ECA-3594] - Security related
                                [ECA-3596] - Creating limited CertificateData fails with certain databases
                                [ECA-3605] - Error when trying to create authenticated CVC CSR

                                [ECA-631] - Enforce naming constraints present in CA-certificates
                                [ECA-2126] - Certificates that are issued in revoked state should never be active
                                [ECA-2690] - Create a CLI parameter handler
                                [ECA-3320] - Simpler format for specifying CA validity dates
                                [ECA-3468] - Implement statedump Subject DN renaming properly inside EJBCA
                                [ECA-3477] - Give focus to incorrectly marked fields in edit CA page
                                [ECA-3482] - Minor security hardening
                                [ECA-3483] - Minor security hardening
                                [ECA-3484] - Minor security hardening
                                [ECA-3490] - ICAO Master List Signer extended key usage
                                [ECA-3491] - Allow system tests to target non-localhost interface
                                [ECA-3494] - Suppress repeated OcspSigningCache warnings
                                [ECA-3502] - Allow system tests to use HSM when available
                                [ECA-3503] - SSB cached in CertificateCache
                                [ECA-3509] - ExternalRA: Oracle Database Support in database mapping setup
                                [ECA-3510] - Replace references to java.util.Vector
                                [ECA-3513] - Audit log when a CT pre-certificate is generated and sent to a log
                                [ECA-3515] - SCEP: Rewrite the configuration process to use one URL and multiple aliases
                                [ECA-3516] - SCEP: Implement configuring SCEP in the AdminGUI
                                [ECA-3519] - Minor security hardening
                                [ECA-3524] - Improve memory usage during CRL generation
                                [ECA-3525] - Do not use the HSM for hashing when signing data
                                [ECA-3531] - SCEP: Remove DefaultCA configuration
                                [ECA-3532] - Fix documentation of the command "ejbca.sh config cmp uploadfile"
                                [ECA-3538] - clientToolBox p11 test multiple times in same jvm, to test if objects on a p11 token can be updated from another application.
                                [ECA-3540] - External RA: Oracle Database mapping support in RA GUI
                                [ECA-3544] - Make error messages and success messages easier to distinguish
                                [ECA-3547] - GUI: Better item order for the System Functions menu
                                [ECA-3555] - CLI: able to list key bindings with non existing cryptotokens
                                [ECA-3557] - Add simplified CAInfo constructors
                                [ECA-3561] - Request subCA certificate from external CA without uploading the chain
                                [ECA-3565] - Rewrite Certificate Profile page in JSF
                                [ECA-3566] - Encapsulate HashID properly
                                [ECA-3569] - Effectivize the reloading of CaCertificateCache
                                [ECA-3572] - Use JavaScript for certificate installation redirect in public web
                                [ECA-3579] - Remove CERT_TEMP_REVOKED since it's not used

                                New Feature
                                [ECA-688] - Import / Export profiles from WebUI
                                [ECA-2114] - Rename EJB CLI for fetching CA certificates from getrootcert to getcacert
                                [ECA-3109] - Add native support for Name Constraints
                                [ECA-3123] - ICAO DocumentType List certificate extension
                                [ECA-3124] - Add the Issuer Alternative Name certificate extension to the GUI
                                [ECA-3530] - Ant targets for creating source and binary releases of CESeCore
                                [ECA-3542] - Support for IE11 in Public Web
                                [ECA-3543] - Support IE11 in External RA GUI
                                [ECA-3559] - Service for populating database with revocation status of certificates from CRL
                                [ECA-3584] - Choice of token type in Public Web self-registration page

                                [ECA-3394] - French language files updated for the new functionalities
                                [ECA-3419] - CAAdminSessionBean.exportCAKeyStore throws Exception
                                [ECA-3478] - Have all system tests write results to the same directory
                                [ECA-3546] - French language files updated for SCEP Configuration
                                [ECA-3420] - Convert all EJB CLI commands to the new standard

                                EJBCA 6.1.3


                                [ECA-3520] - CAs from statedump signed by external CA cannot be initialised
                                [ECA-3523] - Backport Statedump bug fixes to 6.1
                                [ECA-3526] - GUI: Missing l10n message keys in CMP Alias Edit page
                                [ECA-3527] - GUI: Misspelled DN attribute in CMP Alias Edit page

                                EJBCA 6.1.2

                                [ECA-3514] - Browser enrollment link is generated with incorrect encoding

                                EJBCA 6.1.1

                                [ECA-3479] - Regression: OCSPSigningCache debug causes an NPE for internal OCSP default responders
                                [ECA-3480] - Regression: Creating a CA in Adminweb issues Stacktrace
                                [ECA-3485] - Regression: Certificate Profiles with EAC 2.10 AT role doesn't work with database protection
                                [ECA-3487] - Regression: Unique certificatedata_idx12 is not detected

                                EJBCA 6.1.0

                                [ECA-3179] - Regression: NoTicket (r17302) introduced a dependency on EJBCA in a CESeCore test class
                                [ECA-3182] - Regression: ECA-2988 introduced a dependency on EJBCA in a CESeCore test class
                                [ECA-3427] - Syntax for jboss-cli.bat through ant targets fails in Win
                                [ECA-3432] - CertificateCreateException: java.lang.NumberFormatException: For input string: "LU002" when trying to create a foreign DVCA
                                [ECA-3433] - OcspResponseGeneratorSessionBean.init should not throw AuthDeniedException
                                [ECA-3435] - JUnit failure in PublisherTest when DB protection enabled, add subjectKeyId to CertificateInfo
                                [ECA-3439] - Creating a CA with DN: <anyfield>=, creates a StringIndexOutOfBoundsException
                                [ECA-3447] - Regression: serial numbers in administrator list are not clickable
                                [ECA-3452] - Make sure that decline+recursive rules aren't saved from the GUI
                                [ECA-3455] - Files missing from cesecore-common.jar
                                [ECA-3457] - Unnecessary WARN message
                                [ECA-3458] - Ant paths don't work Windows via jboss-cli
                                [ECA-3460] - State dump tool does not import any data with "-overwrite no"
                                [ECA-3467] - Mail from address is not configured
                                [ECA-3470] - SCEP operations may fail when using an HSM

                                [ECA-3348] - Add individual OCSP get cache settings for revoked, unknown and good responses
                                [ECA-3351] - OCSP: don't include root certificate in response certificate chain
                                [ECA-3411] - Use SHA256WithRSA as default for ManagementCA
                                [ECA-3429] - Compile on Glassfish 4
                                [ECA-3430] - Compile on WildFly 8
                                [ECA-3434] - Upgrade Guava library in order to deploy in JEE7 container
                                [ECA-3440] - Support running clientToolBox EjbcWsRaCli with IBM java
                                [ECA-3443] - Allow empty values for start and end time without printing 'invalid' when adding end entity
                                [ECA-3445] - Document how to use slotLabels with clientToolBox
                                [ECA-3461] - Add encryption key information to key recovery data in database
                                [ECA-3472] - Improve usability of edit CA page by marking required fields

                                New Feature
                                [ECA-3133] - Support RFC6960 extension for client requested algorithm selection
                                [ECA-3350] - OCSP: Add option to include signer certificate or not
                                [ECA-3415] - CVC access control template for additional DGs
                                [ECA-3444] - Allow longer certificate serial numbers than 64 bits
                                [ECA-3449] - Show issuer and seralNumber after public web enroll

                                [ECA-3450] - Update the Public Web logo filename for better integration

                                EJBCA 6.0.4

                                [ECA-3055] - Not authorized to edit publisher when publisher cache disabled
                                [ECA-3198] - Regression: ECA-2973 introduced a dependency on EJBCA in CESeCore test code
                                [ECA-3210] - CA upgrade when ExtRACAServiceWorker fails to persist
                                [ECA-3337] - KeyBind EJB CLI fingerprint reference is case sensitive
                                [ECA-3361] - Cannot deploy with web-services disabled
                                [ECA-3364] - ExternalRA: Allow SCEP GetCACaps without message parameter
                                [ECA-3366] - Syntax in jboss-cli.bat for passing commands fails in Win
                                [ECA-3372] - OCSP Archive Cutoff can give NPE
                                [ECA-3373] - init() method is not called on OCSP extensions
                                [ECA-3375] - CLI ca restorekeystore gives exception for soft ca
                                [ECA-3382] - Test files have lost character encoding, change source file encoding to UTF-8
                                [ECA-3383] - CertTools.genPKCS10CertificationRequest does not use the specified provider
                                [ECA-3386] - httpserver.external.privhttps default to 8443 even though httpserver.privhttps is set to something else
                                [ECA-3387] - Can not edit Sub CA signed by external CA
                                [ECA-3388] - editcapage.jsp contains a slightly confusing help text
                                [ECA-3389] - OCSP key binding properties visible for authentication key binding
                                [ECA-3392] - InternalKeyBindingDataSessionBean.getInternalKeyBindingForEdit(int) throws NPE if no value was found.
                                [ECA-3395] - Proper handling of certificate import/update when base64cert is not populated
                                [ECA-3396] - InternalKeyBinding error using Postgres 9
                                [ECA-3397] - Subject key ID not published by VA publisher
                                [ECA-3398] - java.lang.IllegalArgumentException thrown when importing OCSP key binding certificate
                                [ECA-3399] - Incorrect error message when editing uninitialised CAs if private keys are missing
                                [ECA-3401] - Can not generate keys on soft crypto token with allowExport=false
                                [ECA-3403] - Admin GUI create CRL fails with UTF-8 encoded CA DN
                                [ECA-3405] - StateDump test fails because of refactorization
                                [ECA-3406] - Trying to delete a non-existing keybinding causes NPE
                                [ECA-3408] - StateDump import overwrites CAs with the same name without asking
                                [ECA-3410] - StateDumpTest needs Hibernate compatibility jar
                                [ECA-3421] - Upgrade jar file
                                [ECA-3423] - Fix statedump overwrite response handling and test

                                [ECA-2828] - Document authorization rules in EJBCA
                                [ECA-2982] - Add option to 'bin/ejbca.sh ca republish' command to republish only CA certificate and CRL
                                [ECA-3081] - Improved error message during batch generate when using invalid key size
                                [ECA-3082] - Improve message about configuration during batch generate
                                [ECA-3150] - Remove scripts used on ejbca.org from bundled documentation.
                                [ECA-3169] - Improve wording of some options of "Externally signed CA"
                                [ECA-3290] - Cache headers still present for OCSP responses containing nonce
                                [ECA-3365] - Audit log Internal Key Binding operations
                                [ECA-3370] - Allow import of OCSP certificates with non-repudiation key usage
                                [ECA-3371] - Make JBoss EAP 6 specific physical file deployment of BC provider
                                [ECA-3374] - Add JUnit test for OCSPUnidExtension
                                [ECA-3384] - Add a password argument to CaImportCACommand
                                [ECA-3385] - Movie audit implementation classes to cesecore-ejb-interface
                                [ECA-3404] - StateDump test should run from test:runsys when availabe
                                [ECA-3407] - Optimize JBoss reload during deploy
                                [ECA-3409] - Sort XML in statedump exports in a deterministic order
                                [ECA-3424] - Regression: All cli commands prints out loading batch properties from default

                                Master Ticket
                                [ECA-3355] - Implement Certificate Transparency

                                [ECA-3368] - Deploy on JBoss EAP 6.2.0 has disabled datasource by default
                                [ECA-3380] - Move keybinding implementation classes from cesecore-ejb-interface to cesecore-common
                                [ECA-3400] - Shift OcspExtension* to cesecore-common from cesecore-ejb-interface

                                [ECA-3377] - Create unit tests for all CLI Commands

                                EJBCA 6.0.3

                                [ECA-3293] - Customer specific LDAP Publisher should use correct time in loginfo attribute
                                [ECA-3297] - Other Rules for Supervisor role is not cleared if previously selected for another role type
                                [ECA-3339] - Statedump doesn't delete certain .jar files on "ant clean"
                                [ECA-3341] - Creating internal key binding with CLI does not consider types for property values
                                [ECA-3344] - Regression: PKCS11 sun config does not work
                                [ECA-3345] - Regression: Max-Age and Response validity no longer visible/editable for ocsp key bindings
                                [ECA-3346] - CMP Config CLI command should use lazy instatiation of remote EJB
                                [ECA-3349] - EJBCA deployment not working in WINx64 due to PKCS11
                                [ECA-3360] - Ejbca deployment tries to use jboss-cli.sh instead of jboss-cli.bat on windows
                                [ECA-3367] - Editing Key binding integer/long value sin GUI removes the value (becomes default 0)

                                [ECA-3289] - Do not cache "Unknown" OCSP GET responses
                                [ECA-3347] - Modify EJB CLI to use ServiceLocator
                                [ECA-3352] - Faster CLI start, use lazy instantiation in EJB CLI
                                [ECA-3359] - Move authentication tokens from cesecore-interface to cesecore-common

                                New Feature
                                [ECA-3314] - OCSP Archive Cutoff
                                [ECA-3332] - Add Extended Revoked Definition OCSP extension when returning revoked for non existing certificate
                                [ECA-3335] - Create a standalone manifest builder tool

                                [ECA-3316] - Modularize EAC
                                [ECA-3338] - Modularize CMP vendor CA mode
                                [ECA-3340] - Modularize ValidationTool
                                [ECA-3342] - Make JUnit tests run for EJBCA Community

                                EJBCA 6.0.2

                                [ECA-2449] - Creating a CA without a valid SubjectDN causes double JS popups.
                                [ECA-3321] - Improve CMP configuration user interface
                                [ECA-3324] - Quote arguments of ca init during install
                                [ECA-3327] - SaferDailyRollingFileAppender extends wrong base class
                                [ECA-3328] - OCSP Signing cache should handle cache discrepancies gracefully
                                [ECA-3331] - EJBCA does not deploy without ejbca-db-cli sources available
                                [ECA-3334] - Change untilNextUpdate and maxAge properties in OcspKeyBinding from Integer to Long

                                [ECA-3132] - Support returning "revoked" for unknown certificates in line with RFC6960
                                [ECA-3309] - Some versions of MySQL picks bad index mixing OR and AND
                                [ECA-3318] - CMP: Include certificate chain in certificate responses
                                [ECA-3323] - Reload OCSP cache manually
                                [ECA-3325] - Minimize locking in audit log's sequence counter

                                EJBCA 6.0.1

                                [ECA-3302] - Escaping of user-provided data when no characters are forbidden
                                [ECA-3303] - SECURITY: XSS issue
                                [ECA-3306] - Leaving out "Validity" with Javascript disabled gives an exception
                                [ECA-3307] - Renamed CAs not be overwritten by statedump
                                [ECA-3308] - OCSP HealthCheck does not work with InternalKeyBindings
                                [ECA-3310] - Wrong items are selected in uninitialized CAs

                                [ECA-3295] - Allow editing most fields in uninitialized CAs
                                [ECA-3301] - Unify error messages for invalid username and pwd
                                [ECA-3312] - Can't create CAs with DSA extended services key
                                [ECA-3313] - Problems with extended services and uninitialized (statedumped) CAs
                                [ECA-3317] - Allow import even if not all files exist

                                Master Ticket
                                [ECA-3296] - Improve Statedump usability and fix bugs

                                New Feature
                                [ECA-3311] - Ability to choose names to not overwrite during statedump import

                                [ECA-3305] - Modularize database integrity protection and database cli

                                EJBCA 6.0.0


                                [ECA-1015] - A ' is valid in an email address - but gets stripped by EJBCA.
                                [ECA-1640] - Sample code for advanced custom extension missing some arguments
                                [ECA-1947] - LDAPPublisher have problems with comma in DN
                                [ECA-2144] - ExtRA PKCS10Request does not set user status to FAILED after failed requests
                                [ECA-2150] - SignSessionTest.test37privateKeyUsagePeriod_both fails randomly
                                [ECA-2159] - Password not cleared issuing keystores
                                [ECA-2200] - CA defined certificate policy ignored when renewing CA
                                [ECA-2330] - Build failure for External RA with OpenJDK if JavaScript is not available
                                [ECA-2365] - OCSPCAService upgrade on every startup
                                [ECA-2393] - Create Certificate Authority Page only gives blank page on wrong validity input
                                [ECA-2442] - Multiple selectable email addresses in rfc822 altName gives wrong display in edit end entity
                                [ECA-2477] - Import CA does not generate initial CRL
                                [ECA-2527] - Wrong exception thrown in HardTokenSessionBean for some errors.
                                [ECA-2534] - Regression: Not checking that the administrator has the role defined in the hard token issuer any more.
                                [ECA-2547] - clientToolBox StressTestCommand always logs an error when a certificate is returned
                                [ECA-2669] - Still possible to create DECLINE RECURSIVE rules in CLI
                                [ECA-2689] - Misleading error message in JBoss log while trying create a sub CA from the CLI when the root CA is offline.
                                [ECA-2719] - Download of certificates from Admin GUI fails in Chrome when using "strange" usernames
                                [ECA-2734] - OCSP rekeying not implemented in trunk yet.
                                [ECA-2794] - EJB and WS CLI have bad type outputs
                                [ECA-2815] - OcspExtensionsCache should be made thread safe
                                [ECA-2834] - Unhelpful error message when changing permission rules for non-existing end entity profile in CLI
                                [ECA-2860] - Default CRL overlap time is set to 10 hours instead of 10 minutes for imported CA
                                [ECA-2863] - CMP FailInfo codes are sent as incorrect codes
                                [ECA-2865] - rfc822Name field can be edited when adding new end entity even if not marked as modifiable
                                [ECA-2877] - ant test:run breaks installation. Figure out why and fix
                                [ECA-2894] - Messing up the Validity field in Certificate Profiles gives no warning
                                [ECA-2905] - PrivateKeyUsagePeriod not matching notBefore of certificate when using validityOverride
                                [ECA-2914] - Filename of downloaded keystore file is truncated
                                [ECA-2918] - Clear all caches gives bad error message when host can not be reached
                                [ECA-2921] - Deprecate InitializeHardTokenIssuing
                                [ECA-2923] - JUnit class junit.framework.Assert has moved to org.junit.Assert
                                [ECA-2934] - Revoking a CA revokes all issued certificates, but with fixed reason
                                [ECA-2940] - Ant target test:runsys broken
                                [ECA-2952] - Update to new logo in renewal pages
                                [ECA-2958] - Wrong comments about PrimeCard
                                [ECA-2961] - Button for viewing CA certificate chain has incorrect text
                                [ECA-2964] - Native query mapping using MariaDB
                                [ECA-2977] - ProviderException not handled in BaseCryptoToken
                                [ECA-2989] - AccessTreeCacheTest can fail if reading the configuration takes too long time
                                [ECA-2994] - Broken property "xkms.response.causedforsigning" in defaultvalues.properties
                                [ECA-2996] - Update/set CryptoToken auto-activation PIN from EJB CLI
                                [ECA-3024] - Error during startup with integrity protected audit disabled
                                [ECA-3031] - Support EC key generation with ClientToolBox
                                [ECA-3035] - CA and CryptoToken creation not handled in a transaction.
                                [ECA-3036] - Cryptotoken prevents a CA to be created with the same name as a previous one.
                                [ECA-3046] - Help reference for Windows Autoenroll broken
                                [ECA-3052] - Minor authorization issue
                                [ECA-3054] - OcspResponseGeneratorSessionBean merely logs a failed signature attempt
                                [ECA-3056] - Issue PEM with full certificate chain from Public Web certificate request
                                [ECA-3057] - CryptoTokenManagement logs success deletion even if no crypto token is deleted
                                [ECA-3058] - CryptoTokenManagement logs success before action is tried
                                [ECA-3061] - Clean-up CAInterface bean and dependencies
                                [ECA-3065] - NPE: Inactive (including unsigned) CAs should be ignored by the OCSP Signing Cache
                                [ECA-3072] - Cmp default CA setting is DN in one place and CA name in another
                                [ECA-3074] - CMP TCP sets log level to FINEST for JBoss 7/EAP6
                                [ECA-3079] - Close all existent resource leaks
                                [ECA-3087] - 'bin/ejbca.sh ca info <unknownca>' tosses stacktrace instead of helpful error message
                                [ECA-3088] - Test missing for creating a subca from CLI
                                [ECA-3096] - 'ra finduser' command outputs password as 'null' if hidden.
                                [ECA-3098] - Regression: Home screen in Admin GUI shows online CAs to be offline for some roles.
                                [ECA-3101] - Regression: RequestMessage.getRequestX500Name returns SERIALNUMBER instead of SN
                                [ECA-3103] - Test failures because of left over stuff in database
                                [ECA-3107] - Investigate strange output from OCSP
                                [ECA-3111] - JBoss 7 / EAP 6 always binds to
                                [ECA-3113] - JBoss 7: Can't run ant install on HS with blank password
                                [ECA-3115] - JBoss EAP 6 freezes with WS stress test with 30 threads
                                [ECA-3117] - client toolbox p11 multi thread test fails when slot is given with TOKEN_LABEL.
                                [ECA-3121] - Regression: OCSP signing cache may fail to load on startup
                                [ECA-3129] - Keystore is used instead of truststore for validating client certificates
                                [ECA-3131] - Encode EC private keys in generated PKCS#12 keystores with NamedCurves
                                [ECA-3134] - JBOSS 7 / EAP 6 fails in deployment
                                [ECA-3138] - External RA IE cert enroll ignoring (override) of encryption provider selection
                                [ECA-3141] - Regression: ECA-3056 introduced a dependency on EJBCA in CESeCore code
                                [ECA-3142] - Regression: ECA-2973 introduced a dependency on EJBCA in CESeCore code
                                [ECA-3143] - Regression: ECA-3056 introduced an other dependency on EJBCA in CESeCore code
                                [ECA-3176] - Regression: Keys possible for CA renewal are only RSA
                                [ECA-3177] - Data is not validated before being passed to org.bouncycastle.util.encoders.Base64.decode in findActiveCertificatesByType
                                [ECA-3183] - Healthcheck failure when there are not active OcspKeyBindings
                                [ECA-3184] - JBOSS7 /EAP 6 fails in installation
                                [ECA-3186] - Regression: Custom certificate extensions added to certextensions.properties
                                [ECA-3188] - Document Internal Key Bindings
                                [ECA-3197] - ClientToolBox requires that CA certificate be included CSP response in order to verify
                                [ECA-3200] - Healthcheck status is enabled when editing a CA
                                [ECA-3203] - Disable of CryptoToken auto-activation takes token offline
                                [ECA-3207] - Regression: add-hoc upgrade of PKCS#11 keystore on VA responder not working
                                [ECA-3209] - Regression: OCSP default responder configuration uses subject instead of issuerDN
                                [ECA-3212] - Internal Key Binding certificate link has caid=0
                                [ECA-3213] - Regression: CA healthcheck does not check token status
                                [ECA-3215] - Roles renamed with RoleManagementSessionBean.renameRole get wrong primary keys
                                [ECA-3219] - OcspKeyBinding contains values that become cast to BigDecimals instead of Integers
                                [ECA-3220] - Regression: Reload OCSP signing cache uses wrong timer property, and a value of 0 makes timers go crazy
                                [ECA-3221] - Can't edit an OCSPKeyBinding without filling Serial Number (for Trusted Certificates) field.
                                [ECA-3223] - When new CA is generated with soft keys, unwanted warnings appear in jboss log
                                [ECA-3224] - Trying to create Internal Key Binding without crypto tokens gives NPE
                                [ECA-3227] - DirectoryCache should catch errors in initialization
                                [ECA-3234] - Hard Token Functionality header printed twice
                                [ECA-3235] - Unwanted warning in jboss-log when we create keys through AdminGUI
                                [ECA-3237] - cmpTcpProxy fails to start, missing defaultvalues.properties
                                [ECA-3239] - InternalKeyBindings with a deleted CryptoToken throw NPE when trying to view/edit
                                [ECA-3242] - Errors in jboss log when 'ca createcrl' and some CAs are not active
                                [ECA-3246] - Unwanted warning in jboss-log when running AuthenticationModulesTest
                                [ECA-3251] - Activating/deactivating CA logs as Crypto Token activated/de-activated
                                [ECA-3266] - EndEntityManagementSession.addUser throws a strange exception
                                [ECA-3269] - Unwanted warning in jboss-log when running XKMSKRSSTest
                                [ECA-3270] - Test 'testPublisherOperations' fails when running EjbcaWsCommonCriteriaTest
                                [ECA-3271] - External CESeCore configuration override is read from the wrong location
                                [ECA-3274] - Unwanted warnings in jboss-log when running RAApiTest
                                [ECA-3276] - Unwanted error in jboss-log when running CrmfRARequestTest
                                [ECA-3277] - Unwanted warning in jboss-log when running NestedMessageContentTest
                                [ECA-3279] - Fix issues in OCSP TransactionLogger
                                [ECA-3280] - Upgrade instructions need to be updated for JBoss 7 / EAP 6.1
                                [ECA-3281] - Fix upgrade message from 4.x to 6.0
                                [ECA-3284] - ValueExtractor fails for ApprovalId Integer in DB2
                                [ECA-3286] - Browser enroll Firefox does not take configured encoding into account
                                [ECA-3287] - OCSP signing exhausts threadpool after some time
                                [ECA-3288] - Saving "Other rules" when edit access rules does not work
                                [ECA-3294] - Security issue
                                [ECA-3300] - OCSP Transaction Logger outputs a newline between each log entry

                                [ECA-519] - Move configuration file from bin/ to conf/
                                [ECA-786] - Email notification cannot be edited correctly
                                [ECA-1010] - Simplify installation procedure
                                [ECA-1398] - Enforce PrivateKeyUsage period when CAs issue certificates
                                [ECA-1594] - HashCode of Subject/Issuer DN in a certificate is not always the same as CA Id
                                [ECA-1814] - Make non consecutive ID possible for Extended Key Usage
                                [ECA-2023] - Trim the values in catoken.properties when importing a CA from CLI
                                [ECA-2049] - Constants in CertificateHelper should be final
                                [ECA-2164] - test01PinServiceToNodesIncludingThis is failing randomly
                                [ECA-2208] - Move authorization for hard tokens into hard token session bean and remove authorization caching.
                                [ECA-2225] - server TLS for mail requires manual configuration
                                [ECA-2367] - Refactor CrlCreateSession for CRL publishing
                                [ECA-2492] - Improve mysql-privileges script to allow users at different hosts etc
                                [ECA-2500] - Upgrade to BC v1.47
                                [ECA-2510] - Move methods in PublisherQueueSessionBean to local only.
                                [ECA-2528] - Clean SecConst
                                [ECA-2540] - Improve support for ipv6 in subjectAltNames
                                [ECA-2545] - SCEP GetCaCert operation doesn't support empty message
                                [ECA-2554] - CMP: Need better error message when a request is not signed by the sender
                                [ECA-2558] - Improve the run times of some system tests
                                [ECA-2561] - CMP: Remove repeated code to return the value cmp.authenticationparameter
                                [ECA-2565] - Move CliAuthenticationToken to authentication component
                                [ECA-2566] - Disallow server generated tokens when user submits a CSR in public web
                                [ECA-2568] - CMP: improve ConfirmationMessageHandler
                                [ECA-2582] - Make an enum for end entity types
                                [ECA-2623] - Use new BC API for CRL creation.
                                [ECA-2628] - Use BC CMP classes instead of Novosec
                                [ECA-2641] - Use BC 1.47 OCSP classes
                                [ECA-2680] - Clean HardTokenSessionBean of unnecessary AuthenticationToken parameters.
                                [ECA-2683] - Clean authorization handling in AdminPreferenceSessionBean
                                [ECA-2684] - Clean authorization in CertReqHistorySession
                                [ECA-2685] - Clean authorization in KeyRecoverySessionBean
                                [ECA-2686] - Clean Authorization in ServiceSessonBean
                                [ECA-2692] - Handle HSM timeouts - handle timeouts elegantly.
                                [ECA-2725] - CAInfo.setValidity should have long parameter
                                [ECA-2752] - Deprecate and stop using UserDataConstants. Use EndEntityConstants instead
                                [ECA-2757] - Add more getters and setters and null checks, use Lists instead of Collections where needed.
                                [ECA-2793] - Improve javadoc for RoleManagementSession
                                [ECA-2800] - Move OCSPUnid* classes from org.ejbca.core.protocol.ocsp to org.ejbca.core.protocol.ocsp.extension.unid
                                [ECA-2807] - Remove PrimeCardHSM references from documentation
                                [ECA-2821] - Increase concurrency in stand alone tests
                                [ECA-2826] - RoleManagementSessionBean requires additional authorization checks
                                [ECA-2840] - ant javatruststore -Dtrust.keystore parameter is treated relative to the ejbca/bin/ directory
                                [ECA-2857] - EndEntityAccessSession.findUserBySubjectAndIssuerDN should return a List
                                [ECA-2864] - Change the wording for the E-mail Domain option in end entity profiles
                                [ECA-2879] - Add custom serialno test test that fails when there is no unique index
                                [ECA-2895] - Provide ability to provide the administrator password through file for new admins roles GUI with CLI user
                                [ECA-2903] - Simplify AuthenticationToken framework
                                [ECA-2908] - Support ECC for CMP signature protection
                                [ECA-2917] - Rename AdminCA1 to ManagementCA
                                [ECA-2941] - Unclear description of CRL publishing conditions in Validation Authority Publisher
                                [ECA-2943] - Modularize the CESeCore source tree
                                [ECA-2948] - Improve handling of default profiles when using CMP RA mode
                                [ECA-2957] - Add known PKCS#11 libraries as default available
                                [ECA-2965] - Allow password to be supplied via command line for clientToolBox PKCS11HSMKeyTool generate
                                [ECA-2970] - Log remote IP for ADMINISTRATOR_LOGGED_IN events and web service access
                                [ECA-2978] - Database connection problems can give stacktrace with no msg
                                [ECA-2986] - Property for hiding manual classpath entry from custom publishers and services
                                [ECA-2987] - Add debug logging in AccessTreeCacheTest
                                [ECA-3016] - Ugly errors creating CA with CLI when CryptoToken or CA already exists
                                [ECA-3018] - Exception classes should end with "Exception" not "Error"
                                [ECA-3020] - Fix tests using incorrect values for CRL settings
                                [ECA-3022] - Turn of autocompletion of password on public web
                                [ECA-3026] - Have parameters outputted from localized messages even if not found
                                [ECA-3027] - Improve CMP configurations possibilities
                                [ECA-3028] - Make possible using custom CMP configurations through alias in the URL
                                [ECA-3030] - Make possible to edit CMP configurations in the AdminGUI
                                [ECA-3033] - Upgrade BC from 1.49b01 to 1.49b15
                                [ECA-3062] - Simplify certificate enrollment page
                                [ECA-3064] - Disable CertReqHistory by default for new CAs
                                [ECA-3069] - Replace deprecated class org.bouncycastle.jce.PKCS10CertificationRequest with org.bouncycastle.pkcs.PKCS10CertificationRequest
                                [ECA-3091] - Detect browser directly instead of using of via the log-in page
                                [ECA-3093] - Re-sort menu options in Admin GUI alphabetically
                                [ECA-3094] - Update nomenclature in CLI
                                [ECA-3099] - Add a "result page" after certificate enrollment has been performed
                                [ECA-3102] - Public Web: rename password to enrollment code
                                [ECA-3104] - Default key length for batch generation should be 2048, not 1024
                                [ECA-3105] - Introduce ability of not having any QC statements in the QC extension in certificate profile configuration
                                [ECA-3106] - Keylength defaults should be 2048 not 1024
                                [ECA-3108] - Encoding of MS Certificate Template Name extension should be BMPString
                                [ECA-3112] - Limited admins in admin GUI spams with INFO logs
                                [ECA-3136] - Support listing of PKCS#11 slots in the AdminGUI by token label
                                [ECA-3145] - Clean up left overs of EJBCA OCSP code
                                [ECA-3166] - Use better wording for Certificate Request Data in Admin GUI
                                [ECA-3175] - Clear All Caches button should also clear GUI session cache
                                [ECA-3189] - CMP: Read the CA from the relevant End Entity instead of from the request or cmp.defaultca
                                [ECA-3190] - CMP: Enforce configuration of EndEntityCert authentication module for KeyUpdate request
                                [ECA-3191] - CMP: Improve the conditions and readability of CMP authentication modules
                                [ECA-3206] - CMP: Remove PBE authenticating of ConfirmMessage
                                [ECA-3218] - OCSP cache update logs access control
                                [ECA-3243] - Editing Internal Key Bindings is slow
                                [ECA-3244] - Error message about OCSP key renewal although renewal is disabled
                                [ECA-3245] - Clean up and format the UPGRADE document
                                [ECA-3247] - Unwanted warning in jboss-log when running CrmfRAPbeRequestTest
                                [ECA-3254] - Unwanted warning in jboss-log when running CmpRaThrowAwayTest
                                [ECA-3257] - Exception cancelling already cancelled OCSP renewal timers
                                [ECA-3259] - unwanted warning in jboss-log when running ProtocolOcspSignedHttpTest
                                [ECA-3262] - Make saving global and cmp configuration safe
                                [ECA-3263] - Allow AnyCA to be the only selected available CA in EEPs
                                [ECA-3285] - Datasources should have validate-on-match=true in order to reconnect from failures

                                Master Ticket
                                [ECA-3049] - Optimize trunk
                                [ECA-3116] - Possibility to Export/Import all CA configurations (a.k.a "The Great Dump")
                                [ECA-3252] - CMP log fixes for CC test plan
                                [ECA-3261] - Master ticket for OCSP log tickets

                                New Feature
                                [ECA-862] - Command for ascii/XML dump of CA installation
                                [ECA-1866] - WS-API to get last CRL for a CA
                                [ECA-1998] - Support for GOST R digital signature and hash algorithms
                                [ECA-2066] - Support for JBoss 7.1 and EAP 6
                                [ECA-2621] - cert-cvc: upgrade to work with BouncyCastle (BC) v1.47
                                [ECA-2691] - Handle HSM timeouts - allow creation of pure keepalive services from GUI/CLI
                                [ECA-2722] - Validation/conformance tool for certificates and OCSP responses
                                [ECA-2780] - Integration of DSTU4145-2002 in EJBCA
                                [ECA-2801] - Manage HSM keys from web GUI
                                [ECA-2881] - Ukrainian translation of admin GUI
                                [ECA-2926] - External RA GUI and SCEP deploy on JBoss 7
                                [ECA-2930] - SCEP RA mode for blind certificate issuance
                                [ECA-2936] - Support ECC for database integrity protection
                                [ECA-2972] - EJBCA support for South Slavic languages - Bosnian QA process
                                [ECA-2973] - Unified OCSP
                                [ECA-2974] - Use ServiceLoader for Publishers and Services
                                [ECA-2988] - Unified OCSP: In main build, merge Standalone and Integrated OCSP into a single SSB
                                [ECA-2992] - White listing of available CryptoToken PKCS#11 slots
                                [ECA-3092] - Make it possible to hide the menu in publicweb
                                [ECA-3095] - HSM slot label. Resolve existent issues from ECA-3071, add support for GUI/CLI/Upgrade
                                [ECA-3128] - Add support for slot labels to ca init command, database protection and ocsp

                                [ECA-2296] - Master Issue: Look over authorization in all session beans.
                                [ECA-2298] - Master issue: Unify all names in EJBCA
                                [ECA-2317] - Migrate OCSP functionality from CESeCore to EJBCA
                                [ECA-2350] - Add support to other match values than X500Principal based
                                [ECA-2445] - Rename all references to "Admin Groups" to "Roles"
                                [ECA-2462] - Rename RSASignSessionBean to SignSessionBean
                                [ECA-2464] - Change references from 'User' to EndEntity where appropriate. UserAdminSessionBean should be renamed EndEntityManagementSessionBean
                                [ECA-2488] - Remove all internal references to UserAdminSession.changeUser
                                [ECA-2498] - Go through build-dependencies.xml and search for and remove nonexisting files in classpaths and include tags
                                [ECA-2499] - Improve some @BeforeClass and @AfterClass in tests
                                [ECA-2521] - Merge changes from ECA-1978
                                [ECA-2522] - Merge changes from ECA-2094
                                [ECA-2523] - Merge changes from ECA-2157
                                [ECA-2524] - Merge changes from ECA-2468
                                [ECA-2525] - Merge changes from ECA-2504
                                [ECA-2526] - Merge changes from ECA-2518
                                [ECA-2531] - Remove org.ejbca.config.ExtendedKeyUsageConfiguration
                                [ECA-2541] - Replace the contents of EjbRemoteHelper with a clever datastructure
                                [ECA-2550] - Remove transient from PrePersist, PreUpdate and PostLoad annotation
                                [ECA-2555] - Merge changes from ECA-2454
                                [ECA-2556] - Make sure that EjbRemoteHelper is used instead of JndiHelper for retrieving remote interfaces
                                [ECA-2562] - CMP: More tests for the KeyUpdate request
                                [ECA-2581] - Eliminate the duplicate constants in SecConst and EndEntityConstants
                                [ECA-2596] - Merge changes from ECA-2580
                                [ECA-2597] - Merge changes from ECA-2585
                                [ECA-2605] - Merge changes from ECA-2575
                                [ECA-2611] - Merge changes from ECA-1979
                                [ECA-2619] - CliAuthenticationProviderSessionBean does not follow our naming standard
                                [ECA-2620] - Upgrade hibernate to latest version
                                [ECA-2622] - Merge changes from ECA-2583
                                [ECA-2630] - Reimplement OCSP HealthCheckServlet
                                [ECA-2631] - Merge changes from ECA-2579
                                [ECA-2635] - Merge changes from ECA-2627
                                [ECA-2637] - Merge changes from ECA-2634
                                [ECA-2640] - Merge changes from ECA-2633
                                [ECA-2646] - Merge changes from ECA-2584
                                [ECA-2651] - Merge changes from ECA-2577
                                [ECA-2688] - AccessRulesConstants.ROLE_SUPERADMINISTRATOR should be declared deprecated and removed internally
                                [ECA-2702] - EjbcaWebBean code cleanup
                                [ECA-2707] - Merge changes from ECA-2625
                                [ECA-2735] - Verify that the functionality of ECA-2069 is ok in trunk
                                [ECA-2744] - Merge changes from ECA-2624
                                [ECA-2748] - Merge changes from ECA-2745
                                [ECA-2751] - Merge changes from ECA-2750
                                [ECA-2754] - Merge changes from ECA-2753
                                [ECA-2756] - Merge changes from ECA-2755
                                [ECA-2767] - Merge changes from ECA-2759
                                [ECA-2772] - Merge changes from ECA-2769
                                [ECA-2803] - Merge changes from ECA-2746
                                [ECA-2831] - Merge changes from ECA-2829
                                [ECA-2850] - Merge changes from ECA-2802
                                [ECA-2898] - Merge changes from ECA-2897
                                [ECA-2900] - Merge changes from ECA-2890
                                [ECA-2902] - Merge changes from ECA-2899
                                [ECA-2925] - Upgrade to BouncyCastle 1.49b01
                                [ECA-2959] - UniqueSernoWSTest fails due to JBoss 7 classloader
                                [ECA-2979] - Unified OCSP: Move StandAlone OCSP files into main build
                                [ECA-3023] - Document JBoss 7 hardening
                                [ECA-3041] - Make sure EJBCA builds and deploy on JBoss 7.2 and EAP 6.1
                                [ECA-3044] - Use fast Random, instead of slow SecureRandom for GUID generation
                                [ECA-3048] - Upgrade BouncyCastle to 1.49 final
                                [ECA-3075] - XKMS KRSS tests not working on JBoss 7 / EAP6
                                [ECA-3084] - OCSP transaction logging and safer log4j not working
                                [ECA-3127] - External RA not working on JBoss 7
                                [ECA-3130] - Update Admin GUI HSM chapter with new Crypto Token GUI
                                [ECA-3148] - Rename the files under ejbca/doc/sql-scripts/ with the appropriate name (ejbca version)
                                [ECA-3193] - Sample custom publisher with UID=certificate serialNo in decimal
                                [ECA-3228] - Make sure that system tests clean up after themselves
                                [ECA-3229] - Remove unnecessary warnings during build and startup
                                [ECA-3241] - Eliminate deprecated values from ocsp.properties as far as possible and remove them from all but upgrade code.
                                [ECA-3291] - Access rules unclear

                                Technical task
                                [ECA-3152] - Possibility to Export/Import all CryptoTokens
                                [ECA-3153] - Possibility to Export/Import all CAs
                                [ECA-3154] - Possibility to Export/Import all Certificate Profiles
                                [ECA-3155] - Possibility to Export/Import all End Entity Profiles
                                [ECA-3156] - Possibility to Export/Import all Publishers
                                [ECA-3157] - Possibility to Export/Import all Services
                                [ECA-3158] - Possibility to Export/Import all Roles
                                [ECA-3159] - Possibility to Export/Import all CMP configuration
                                [ECA-3192] - Possibility to change Subject DN in dump files from CLI

                                EJBCA 5.0.14


                                [ECA-3469] - Problem adding several administrators
                                [ECA-3473] - Internal error when using default responder on standalone OCSP for X.500 issuer DN order

                                EJBCA 5.0.13


                                [ECA-3293] - Customer specific LDAP Publisher should use correct time in loginfo attribute
                                [ECA-3344] - Regression: PKCS11 sun config does not work
                                [ECA-3421] - Upgrade jar file

                                [ECA-3343] - Some versions of MySQL picks bad index mixing OR and AND

                                EJBCA 5.0.12


                                Security fixes

                                EJBCA 5.0.11


                                [ECA-2984] - ejbcaClientToolBox.sh CMPKeyUpdateStressTest works only with one thread
                                [ECA-3083] - SaferLog4j jar does not build correctly
                                [ECA-3211] - End entity username should be stripped when doing end entity look-up in CMP
                                [ECA-3217] - Nodes in cluster not database protection stable
                                [ECA-3268] - Inconsistent use of strip() and stripIncludingXss() methods

                                [ECA-2951] - Clean up CSS for new pages in 5.0 and 6.0 branches
                                [ECA-3037] - Support for multiple Vendor CA authentication certificates for CMP
                                [ECA-3050] - Base64CertData table
                                [ECA-3053] - Don't show password in build summary
                                [ECA-3066] - Support ECDSA for OCSP automatic key renewal
                                [ECA-3071] - Allow reference of PKCS#11 slots by token label
                                [ECA-3151] - Add hostname to startup log message
                                [ECA-3178] - Add configuration option for specifying non-allowed characters in subject DN

                                New Feature
                                [ECA-2990] - Customer specific LDAP publisher
                                [ECA-3025] - Built in profiling capabilities
                                [ECA-3070] - Add WS keyrecovery method for specified certificate
                                [ECA-3194] - Allow ejbca-db-cli to work on database with only AuditRecordData

                                EJBCA 5.0.10

                                [ECA-1872] - Batch Enrollment GUI can not use JKS as keystore
                                [ECA-2495] - Exception in view old log
                                [ECA-2968] - IE10 browser enrollment doesn't work
                                [ECA-3009] - Unhelpful error message when changing permission rules for non-existing end entity profile in CLI

                                [ECA-1826] - Possibility to create link certificates following the certificate profile
                                [ECA-2456] - Support other CMP signature algorithms than SHA1
                                [ECA-2944] - Remove one dependency from SignSessionBean on bean implementation in CeSeCore
                                [ECA-2966] - ClientToolBox batch functionality for certreq and installcert
                                [ECA-2976] - Debug log healthcheck message
                                [ECA-2983] - Add index on CertificateData.status to index sql script
                                [ECA-2997] - Make the CA certificate chain download provide better suggestion for file name to browser
                                [ECA-3005] - Backport CMP ECC improvements to 5.0
                                [ECA-3007] - Remove service execution audit events not needed
                                [ECA-3010] - Improve CLI support for editing certificate profiles and publishers
                                [ECA-3017] - Add parameter to ca init cli to use explicit ECC parameters

                                New Feature
                                [ECA-2241] - Support STARTTLS extension for the LDAP Publisher
                                [ECA-2985] - Add possibility to publish cert serial to LDAP custom schema
                                [ECA-3004] - Command Line Support to Create a SubCA signed by an External CA
                                [ECA-3006] - Add editca CLI command
                                [ECA-3019] - Manage Services from the CLI

                                EJBCA 5.0.9


                                [ECA-2915] - EJBCA DB CLI verify reports error if multiple nodes are logging
                                [ECA-2922] - Upgrade fails because not all aspects are migrated
                                [ECA-2929] - Revocation does not perform as expected in all circumstances
                                [ECA-2937] - Unable to create new CA with soft CA token without auto-activation
                                [ECA-2938] - Key renewal with soft CA token does not always persist the new keys
                                [ECA-2950] - Unsupported SubjectAltName object from a certificate request encoded to the string "null"
                                [ECA-2954] - lastUpdate and tryCounter columns in PublisherQueueData do not get updated in case of CRL publisher failures


                                [ECA-2859] - CMP end entity certificate authentication requires clear text password set for user
                                [ECA-2882] - Do not store active certificates in queue for ValidationAuthorityPublisher that only publish revoked
                                [ECA-2904] - Compile and run on JDK7
                                [ECA-2913] - CMP: Need better error message when a request is not signed by the sender
                                [ECA-2960] - ClientToolbox key generation enhancement.

                                New Feature

                                [ECA-2901] - CMP vendor certificate authorization
                                [ECA-2907] - Add cache for Publishers

                                EJBCA 5.0.8

                                [ECA-2376] - Republishing certificates to LDAP when multiple certificates per user are allowed fails if certificate is already present
                                [ECA-2710] - Last certificate gets republished twice when using '-all' in cli
                                [ECA-2781] - Searching by certificate serial number fails if certificate has same subject DN across multiple end entities
                                [ECA-2839] - CMP certificate authentication with KeyId for End Entity profile uses wrong string
                                [ECA-2845] - End entity presence (existing username) not checked properly during import
                                [ECA-2878] - Setting a certificate's status to CERT_NOTIFIEDABOUTEXPIRATION (21) locks out user from admin GUI

                                [ECA-2655] - Do not require private key to verify audit logs with ejbca-db-cli
                                [ECA-2708] - Can not revoke certificates that are on hold
                                [ECA-2824] - Not possible to obfuscate log signer key password.
                                [ECA-2846] - Make the bin/ejbca.sh ca importcertdir comand output filenames in case of errors
                                [ECA-2875] - Able to use unlimited no of arguments for clientToolBox on Windows

                                New Feature
                                [ECA-2847] - Add an option to 'bin/ejbca.sh ca importcertdir' command to ignore errors

                                [ECA-2869] - Ensure EJBCA builds with ant 1.7

                                EJBCA 5.0.7

                                [ECA-2822] - SECURITY: Minor administrator escalation issue

                                EJBCA 5.0.6

                                [ECA-2695] - Creating a CA via the CLI doesn't update the ca cache.
                                [ECA-2704] - Error in usage text for 'ejbca.sh ra listusers'
                                [ECA-2712] - Some properties in ejbca.properties are never read
                                [ECA-2713] - mail.contentencoding has wrong name in sample file
                                [ECA-2715] - VA health check no longer checks if database is available
                                [ECA-2719] - Download of certificates from Admin GUI fails in Chrome when using "strange" usernames
                                [ECA-2721] - Hibernate generates different hash-names for foreign constraints than list in SQL scripts
                                [ECA-2733] - Can not edit key sequence for a CA
                                [ECA-2736] - Key Recovery does not work when CA is signed by an external CA
                                [ECA-2738] - NPE running EJBCA containing HSM CA when no PKCS11 provider is available
                                [ECA-2739] - Key recovery not working using some HSMs
                                [ECA-2743] - Can not have different database dialect for EJBCA and External RA service
                                [ECA-2758] - Re-activating suspended certificates does not work with VA-publisher
                                [ECA-2762] - Upgrade from v4 to v5 not working for "imported CA"
                                [ECA-2763] - User is loosing priviliges after upgrade from v4 to v5
                                [ECA-2764] - Multiple certificates with different subject DN for CA
                                [ECA-2765] - Revoke CLI can not revoke certificates for a user that is revoked
                                [ECA-2766] - setclearpwd from CLI with non-existing user
                                [ECA-2778] - Plus character in CA DN breaks Download of Certificates
                                [ECA-2789] - The method for creating primary keys for access user aspects is broken
                                [ECA-2790] - SECURITY: Fix minor privilege escalation issue
                                [ECA-2797] - Only possible to view the newest hard token for an end entity.
                                [ECA-2799] - Improve RFC 4387 feature documentation
                                [ECA-2809] - Unable to use "modified" at the "Search End Entities" page.

                                [ECA-1696] - CertTools.getCertsFromPEM(*) should declare it returns a List as the order of certificates are important
                                [ECA-2183] - There is a code which will be never executed for external SCEP
                                [ECA-2656] - Unable to receive certificates from external CA that has invalid algorithm id parameters
                                [ECA-2693] - Improve error message when providing invalid signature algorithm
                                [ECA-2700] - Rate limit health check
                                [ECA-2776] - Disable jasper compilation in default build

                                New Feature
                                [ECA-2727] - Self-registration with admin approval
                                [ECA-2740] - Ant target for renewing application server keystore
                                [ECA-2747] - Extended Key Usage for WiFi EAP authentication
                                [ECA-2788] - Support CertHash extension in OCSP responder

                                [ECA-2716] - Remove unused properties

                                EJBCA 5.0.5


                                [ECA-2650] - A few EJB methods do not log access control
                                [ECA-2662] - Strip whitespace from username entered in public web
                                [ECA-2667] - AllwaysAllowLocalAuthenticationToken can be denied access
                                [ECA-2673] - End entitiy profiles with AnyCA causes RA admins to not be able to add user
                                [ECA-2674] - Editing access rules gives exception
                                [ECA-2694] - Can not create CA with non default soft token pwd from CLI

                                [ECA-2382] - Performance improvements, profiling
                                [ECA-2529] - Don't use Security Audit Log when doing healthchecks
                                [ECA-2553] - Improve CRL generation memory requirements
                                [ECA-2572] - Update index recommendations
                                [ECA-2573] - Merge enforcement queries to save database round-trip
                                [ECA-2618] - Remove authentication checks on CertConf messages
                                [ECA-2632] - Internal resources speed optimizations
                                [ECA-2639] - Do not use unneeded access control for internal CAInfo lookups and avoid ee profile cloning when not needed
                                [ECA-2642] - Improve Tomcat configuration
                                [ECA-2643] - Authorization checks does not always have to start a new transaction
                                [ECA-2645] - Fix transaction management for background updates to CAData
                                [ECA-2648] - Optimize away redundant query in WS getAdmin
                                [ECA-2652] - Multiple authorization checks in a single access controls invocation.
                                [ECA-2657] - Merge two CA access control log entires into one
                                [ECA-2659] - Merge Admin GUI access controls and remove redundant checks
                                [ECA-2675] - JBOSS with APR makes EJBCA deploy fail
                                [ECA-2676] - Replace the string "/super_administrator" with the constant AccessRulesConstants.ROLE_SUPERADMINISTRATOR

                                New Feature
                                [ECA-2629] - Add Japanese language file
                                [ECA-2653] - Enforce issuerDN,serialNumber uniqueness with database query if no unique index is present
                                [ECA-2687] - Allow CVC CAs to be created from the CLI

                                EJBCA 5.0.4

                                New Feature
                                [ECA-2590] - Possibility to only publish revoked certificates to external VA DB
                                [ECA-2603] - "unknown is good" changed for some URLs used in the OCSP request.
                                [ECA-2612] - Add Kerberos PKINIT-related EKU's to default configuration file

                                [ECA-2588] - Missing run.bat in ejbca db cli
                                [ECA-2613] - Annotate @ApplicationException(rollback=true) in all exceptions thrown from log system

                                [ECA-2563] - CMP: clean up CMP tests
                                [ECA-2600] - Add possibility to specify certificate profile to ca init CLI command
                                [ECA-2602] - Do not allow creationg of CAs with weak key lengths
                                [ECA-2607] - clientToolBox OCSP only accepts 16 char hex serial numbers
                                [ECA-2614] - ClientToolBox OCSP starts slow

                                [ECA-2564] - CMP: Correct the CrmfKeyUpdateTest
                                [ECA-2589] - External RA Junit test target does not work on windows
                                [ECA-2591] - Regression: ExternalRA does not work
                                [ECA-2594] - XSS issues
                                [ECA-2595] - EndEntityInformation.getPrintUserData compares to EndEntityConstants.USER_SENDNOTIFICATION instead of EndEntityConstants.USER_PRINT
                                [ECA-2601] - Prevent possible SQL injection
                                [ECA-2604] - Importing end entity profiles with an unknown CAid in it causes error
                                [ECA-2608] - CMP revocation requests are sensitive about DN order
                                [ECA-2609] - Publisher logs success even if publisher returns false
                                [ECA-2610] - Certificate Profile GUI weirdness in MSIE

                                EJBCA 5.0.3

                                New Feature
                                [ECA-2539] - CMP: Get KeyUpdateRequest working even in RA mode

                                [ECA-2543] - We need a way to log CMP messages from CMPProxy

                                [ECA-2536] - Modify tests in CliCommandAuthenticationTest to play with Glassfish

                                [ECA-2261] - SenderKeyID does not need to be set in a CMP request
                                [ECA-2527] - Wrong exception thrown in HardTokenSessionBean for some errors.
                                [ECA-2534] - Regression: Not checking that the administrator has the role defined in the hard token issuer any more.
                                [ECA-2535] - Security Audit Log with a single empty "msg" gives NullPointerException in Admin GUI
                                [ECA-2538] - Creating certificates from CLI with approvals enabled does not work
                                [ECA-2544] - Upgrading Certificate Profiles can remove Authority Information access under certain conditions
                                [ECA-2548] - Error clicking some service buttons when no service selected
                                [ECA-2551] - test:runone does not work on windows
                                [ECA-2552] - CMP: Skip verifying CertificateConfirmationRequest if not required
                                [ECA-2567] - CMP: Should use EjbRemoteHelper in CrmfRARequestTest
                                [ECA-2574] - Minor XSS issue

                                EJBCA 5.0.2

                                [ECA-2118] - Regression: Bug in adding new End-Entity with fixed RFC822Name in profile
                                [ECA-2197] - VA build fails sometimes
                                [ECA-2206] - GlobalConfiguration needs to check authorization differently
                                [ECA-2373] - Unsafe parsing of externalra-caservice.signature.required
                                [ECA-2403] - Custom roles do not seem to work from Basic Mode
                                [ECA-2413] - Deleted End Entities still show up on the list of "Previously Added End Entities" in the "Add End Entities" screen
                                [ECA-2422] - Regression: Import of profiles fails as CA IDs are different
                                [ECA-2423] - Use selected as template changes CAs to "any CA" for certificate profiles
                                [ECA-2424] - Default value for cmp.tcp.logdir is /log and not ./log causing Exception at startup
                                [ECA-2425] - Can not use CLI to create admin roles
                                [ECA-2426] - Supervisor role does not work as expected
                                [ECA-2427] - CLI can't set role rules for rules from CESeCore
                                [ECA-2428] - Persistent NFE after setting admin rule with certSerialNumber=qwerty_1
                                [ECA-2429] - Inconsistency in VA health-check properties comment and used URL
                                [ECA-2432] - Regression: tests fail on glassfish v2
                                [ECA-2433] - Regression: Healthcheck does not give any output if not ALLOK
                                [ECA-2435] - Chinese characters doesn't work in "Edit End Entity Profles" for DN attributes
                                [ECA-2436] - Reading OCSP messages over http1.1 with chunked encoding can fail
                                [ECA-2438] - Check where CAAdminSession.getCAInfo is expected to return null, but it throws
                                [ECA-2440] - DB2 database schema test fails on CRLData
                                [ECA-2444] - CMP Revoke Response Message is unprotected sometimes
                                [ECA-2448] - Regression: Available languages only contains EN by default
                                [ECA-2455] - Erroneous log output when renaming a role
                                [ECA-2457] - Editing Access Rules doesn't log correctly
                                [ECA-2458] - Audit logging for End Entity Profiles needs to be more detailed
                                [ECA-2459] - Audit logging for Role Access Users needs to be more detailed
                                [ECA-2460] - Audit logging for Role Access Rules needs to be more detailed
                                [ECA-2472] - Failure to publish CRL do not audit log CRL_PUBLISH failure
                                [ECA-2476] - null pointer when trying to recover lost HSM in external OCSP
                                [ECA-2479] - Regression: admins addadmin/removeadmin command malfunctions with match_type
                                [ECA-2480] - Regression: HARDTOKEN_REMOVE is audit logged as HARDTOKEN_ADD
                                [ECA-2482] - Minor XSS issues
                                [ECA-2484] - Regression: NoClassDefFound trying to run ejbca-db-cli
                                [ECA-2502] - Token id not logged correctly when password testing fails for soft tokens
                                [ECA-2506] - Audit log verification prints lots of errors after 1 row failed
                                [ECA-2511] - Missing column in SQL table create scripts
                                [ECA-2512] - NPE in WS if admin cert revoked
                                [ECA-2516] - Not possible to view hard token in admin GUI.
                                [ECA-2519] - SuperAdmin default role created with incorrect rule

                                [ECA-2384] - Move EndEntityProfile authorization from gui code to session bean
                                [ECA-2420] - Document database and security audit integrity protection
                                [ECA-2437] - Improve the CMP KeyUpdate stress test in ClientToolBox
                                [ECA-2441] - Update to new EJBCA logo in public and admin webs
                                [ECA-2446] - Log details what changed when editing services
                                [ECA-2461] - User data source API improvements
                                [ECA-2465] - Hard token API improvements
                                [ECA-2469] - Audit logging for Admin Preferences needs to be more detailed
                                [ECA-2470] - UpgradeableDataHashMap.diff does not handle String arrays
                                [ECA-2471] - Audit log details of publisher change and don't audit log failures
                                [ECA-2497] - Unreadable code in VerifyPKIMessage
                                [ECA-2501] - More efficient CRL download
                                [ECA-2508] - Audit log the security audit protection during startup
                                [ECA-2515] - Possibility to define which symmetric encryption algorithm to use for clientToolBox HSM encrypt/decrypt

                                New Feature
                                [ECA-2430] - Plugin build system
                                [ECA-2434] - Add CMP KeyUpdate stress test in clientToolBox
                                [ECA-2505] - Scripts for backup and restore

                                [ECA-2348] - Replace org.cesecore.util.Tuplet with AbstractMap.SimpleEntry
                                [ECA-2352] - Move methods from ComplexAccessControlSessionBean and ComplexRoleManagementSessionBean which would rather be in CESeCore
                                [ECA-2408] - CESeCore and EJBCA have overlapping and redundant rules for viewing logs
                                [ECA-2415] - Move the method saveGlobalConfigurationRemote out of GlobalConfigurationSessionBean and into a test proxy
                                [ECA-2439] - Remove unused AuthenticationToken from EndEntityProfileSession.getEndEntityProfile
                                [ECA-2485] - ISaferAppenderListener, SaferDailyRollingFileAppender are duplicates
                                [ECA-2490] - Authentication Logging does not conform to CC demands
                                [ECA-2496] - Remove AuthenticationSessionBean

                                EJBCA 5.0.1

                                [ECA-2396] - More XSS issues
                                [ECA-2402] - Regression: Supervisor role does not authorize the admin to view the log
                                [ECA-2407] - CMP: Allow only NestedMessageContent when an authorized administrator is not required when sending a CMP request
                                [ECA-2414] - CMP: When checkAdminAuthorization is set to 'false', verifying the issuer of extraCert should not be done.
                                [ECA-2416] - CMP message handler tries to create unid req handler

                                [ECA-2342] - Check authorization and make methods local-only in UserAdminSession
                                [ECA-2400] - Split xdocs in two separate sites, ejbca.org site and documentation site
                                [ECA-2409] - ProfileDefault for cmp.ra.certificateprofile

                                New Feature
                                [ECA-1153] - Support for Permanent Identifiers (RFC 4043)
                                [ECA-2410] - Document EJBCA Djigzo integration
                                [ECA-2411] - Support for authorityInformationAccess in CRLs

                                [ECA-2210] - Verify no-cache settings for CMP over HTTP
                                [ECA-2404] - Add healthcheck doc to admin guide

                                EJBCA 5.0.0

                                [ECA-2035] - Document when Key Recovery checkbox can be used
                                [ECA-2163] - Webservice warning in boot.log on JBoss 6
                                [ECA-2201] - Mixed SSL and non-SSL cause warnings on the on-server documentation pages
                                [ECA-2235] - External VA doesn't correctly publish CRLs from CAs with X.509 naming order
                                [ECA-2244] - Build failure with OpenJDK if JavaScript is not available
                                [ECA-2248] - Fix circular dependencies so that EJBCA can install
                                [ECA-2249] - Fix all system tests so that they run in EJBCA 5.0
                                [ECA-2251] - CertificateData.findAllOnHold is missing a query parameter
                                [ECA-2260] - CRL file name returned from VA differs from public web, should be .crl
                                [ECA-2271] - Bug with DN State et DN Locality attributes
                                [ECA-2279] - Regression: Disable Command Line Interface doesn't seem to have any effect any more
                                [ECA-2294] - Use of CMS key to sign CSV/logfile export is not logged.
                                [ECA-2301] - Regression: Can not save access rules
                                [ECA-2303] - NPE when trying to change a role from CLI
                                [ECA-2310] - Regression: Can not rename Roles
                                [ECA-2311] - Regression: Edit access rules shows wrong Role Template
                                [ECA-2319] - Verify revocation status of internal certificates when external certificate authentication is enabled
                                [ECA-2323] - Regression: NPE when trying to view administrators
                                [ECA-2326] - Regression: Match type are not showing correctly
                                [ECA-2329] - Regression: datasource.jndi-name-prefix not changed when switching to GlassFish
                                [ECA-2331] - Regression: exception thrown if cmp.autenticationmodule is not set in cmp.properties
                                [ECA-2339] - Audit Log GUI messages
                                [ECA-2343] - Strange 'help' features in EJBCA CLI
                                [ECA-2344] - Regression: admin can not access "Basic Functions" page unless access to all CAs
                                [ECA-2349] - Regression: VA deployment fails as default config file can not be loaded
                                [ECA-2357] - Regression: Access rule templates cannot be applied
                                [ECA-2358] - Regression: Download audit as XML results in empty file because some properties are not included in zip or have defautl values
                                [ECA-2360] - Regression: "Basic functions" cannot be browsed after adding an HSM CA
                                [ECA-2362] - Sample value in install.properties.sample referes to pre-cesecore class names
                                [ECA-2363] - Regression: databaseprotection.properties not included when doing a zip release
                                [ECA-2366] - Regresssion: CRL not published after CRL creation
                                [ECA-2374] - Regression: NPE when using signed external RA messages
                                [ECA-2375] - CA expire time incorrectly shown in the CLI
                                [ECA-2377] - Regression: can not renew a CA after upgrade from v4 to v5
                                [ECA-2378] - Regression: upgrade CertificatePolicy of CAs after upgrade from v4 to v5

                                [ECA-2086] - Introduce tooltip or help-link for "Process Certificate Request" and "Sign Certificate Request" buttons in Admin GUI
                                [ECA-2149] - Add revocation reason capability to CRL import CLI command, and add JUnit testing
                                [ECA-2155] - UserAdminSessionBean.assertAuthorizedToEndEntityProfile() and UserAdminSessionBean.assertAuthorizedToCA () need tests.
                                [ECA-2162] - Move some methods from CAAdminSession to CASession and use cache
                                [ECA-2165] - Rename RaAdminSession to AdminPreferencesSession
                                [ECA-2173] - minor optimization to PublisherSession
                                [ECA-2177] - Constant for un-revoking not documented in extra.db.CertificateRequest
                                [ECA-2187] - Update pt_PT translation
                                [ECA-2203] - Make release zip 10MB smaller
                                [ECA-2207] - Publisher Queue session should not log to logSession
                                [ECA-2215] - Place .properties files in a jar under lib/ in the EAR
                                [ECA-2216] - Glassfish 3 needs public access modifier for access between .jars
                                [ECA-2217] - Dynamically loaded classes aren't found by Glassfish 3.1
                                [ECA-2218] - Handle endorsed .jars from Glassfish 3.1
                                [ECA-2226] - Bundle multiple ORM files with EJBCA
                                [ECA-2234] - Make EJBCA build in production mode by default.
                                [ECA-2246] - Upgrade system tests from Junit3.8 to Junit4
                                [ECA-2268] - Enable database integrity protection for all internal EJBCA tables
                                [ECA-2280] - Improve testing on CSRs
                                [ECA-2289] - Welcome screen - workflow for CRL creation on status
                                [ECA-2292] - Better error message when services are not running (XKMS, OCSP, CMS...)
                                [ECA-2295] - Add to the documentation an example verify/decode of the log file export
                                [ECA-2307] - Reduce memory consumption when using InternalResouces
                                [ECA-2322] - Add authorization and look over token usage in PublisherSession
                                [ECA-2333] - Support for none DN based match values in User Aspects
                                [ECA-2341] - CMP EECAuthenticationModule: The attached extraCert does not need to be in the database

                                New Feature
                                [ECA-2180] - Renew CA from CLI
                                [ECA-2193] - Ability to use extension override in Web Service call processCertReq
                                [ECA-2245] - Produce an authentication provider for web based requests
                                [ECA-2263] - Implement CLI authentication
                                [ECA-2273] - New CLI for direct database interactions
                                [ECA-2305] - Support for setting cardnumber from WS
                                [ECA-2306] - Integrate new CMP features in Ejbca 5
                                [ECA-2309] - CLI command to edit fields in publishers and certificate profiles

                                [ECA-1078] - Verify that the microsoft certificateprofile works with a windows 2008 server domain
                                [ECA-2170] - Migrate all classes from org.cesecore to org.ejbca
                                [ECA-2171] - Master Issue: Refactor classes from CESeCore into EJBCA
                                [ECA-2228] - Merge Security Audit from CESeCore 1.1.0 into EJBCA
                                [ECA-2229] - Create mock SSBs to allow for implementation of secure audit.
                                [ECA-2230] - Move org.cesecore.authentication and org.cesecore.authorization
                                [ECA-2232] - Restructure functional tests in EJBCA to use a deployable for remote EJB access.
                                [ECA-2236] - Remove references to EJBCA's authentication, authorization and admin groups and replace them with CESeCore equivalents.
                                [ECA-2238] - Remove all references of the old logger and replace it with Secure Audit
                                [ECA-2240] - Merge Certificates from CESecore 1.1.0 to EJBCA
                                [ECA-2247] - Fix EJBCA CLI to work with EJBCA 5.0
                                [ECA-2250] - Admin GUI to work with EJBCA 5.0
                                [ECA-2252] - Remove faulty EJBCA references from CESeCore code
                                [ECA-2255] - Migrate built in Extended CA services to separate classes
                                [ECA-2258] - Refactoring 'WITH' paramerters
                                [ECA-2262] - Move ConfigurationSessionBean into into system tests JAR
                                [ECA-2265] - Allow EjbcaConfigurationHolder to use defaultvalues.properties
                                [ECA-2274] - Create mock session bean for AccessControl and AuditLog to be used in standalone VA mode
                                [ECA-2281] - Removed unused Admin from UserAdminSessionBean.existsUser
                                [ECA-2284] - Unnerf AlwaysAllowLocalAuthenticationToken
                                [ECA-2304] - Master Issue: Merge all changes made during CESeCore 1.1.0 to 1.1.1
                                [ECA-2308] - Make CustomCertSerialnumberWSTest run even with no index in database
                                [ECA-2313] - Merge issues from CESECORE-108
                                [ECA-2315] - Merge changes from CESECORE-198
                                [ECA-2318] - Merge revision #1208 from CESECORE-266 into EJBCA
                                [ECA-2320] - Merge changes from CESECORE-197
                                [ECA-2324] - Merge changes from CESECORE-269 to EJBCA

                                EJBCA 4.0.16

                                [ECA-2495] - Exception in view old log
                                [ECA-3059] - Database rolled back for failed CRL publishings instead of put in queue

                                [ECA-3050] - Base64CertData table

                                EJBCA 4.0.15

                                [ECA-2991] - Add the missing variable ${user.C} for e-mails

                                [ECA-1826] - Possibility to create link certificates following the certificate profile
                                [ECA-2884] - Create the variable ${user.UID} for e-mails
                                [ECA-2976] - Debug log healthcheck message

                                New Feature
                                [ECA-2985] - Add possibility to publish cert serial to LDAP custom schema

                                EJBCA 4.0.14

                                [ECA-2897] - Wrong example of external SSL port number in web.properties

                                [ECA-2882] - Do not store active certificates in queue for ValidationAuthorityPublisher that only publish revoked
                                [ECA-2890] - GUI: Better link from Public Web to Administration Web, via reverse proxy
                                [ECA-2899] - Do not display passwords in stdout during build

                                New Feature
                                [ECA-2907] - Add cache for Publishers

                                EJBCA 4.0.13


                                [ECA-2376] - Republishing certificates to LDAP when multiple certificates per user are allowed fails if certificate is already present
                                [ECA-2704] - Error in usage text for 'ejbca.sh ra listusers'
                                [ECA-2710] - Last certificate gets republished twice when using '-all' in cli
                                [ECA-2745] - GUI: Request Browser Certificate Renewal page update
                                [ECA-2750] - GUI: Logout links miss on some Web Public pages
                                [ECA-2759] - Unexpected form closing, when editing Certificate Profile
                                [ECA-2761] - Downgraded EJBCA from 5 to 4 get NULL CA Token
                                [ECA-2778] - Plus character in CA DN breaks Download of Certificates
                                [ECA-2786] - GUI: Remove "OCSP" text in navigation menu of Public Web
                                [ECA-2809] - Unable to use "modified" at the "Search End Entities" page.

                                [ECA-2746] - Clean up message keys, and some titles
                                [ECA-2753] - GUI: Web Public pages improvement
                                [ECA-2755] - GUI: Administration pages improvement (adding home link)
                                [ECA-2769] - GUI: Key Usage form improvement
                                [ECA-2776] - Disable jasper compilation in default build
                                [ECA-2802] - Clean up message keys, and section titles
                                [ECA-2813] - Class RequestInstance should allow to provide a password
                                [ECA-2823] - Backport ECA-2244, don't require javascript to build
                                [ECA-2829] - GUI: Update Renew title in the Public Web navigation
                                [ECA-2832] - GUI: Fix 'Fetch CA certificate' title in the Public Web page
                                [ECA-2875] - Able to use unlimited no of arguments for clientToolBox on Windows

                                New Feature
                                [ECA-2727] - Self-registration with admin approval
                                [ECA-2740] - Ant target for renewing application server keystore
                                [ECA-2747] - Extended Key Usage for WiFi EAP authentication

                                [ECA-2624] - Clean up message keys

                                EJBCA 4.0.12

                                New Feature
                                [ECA-2705] - OCSP key renewal at absolute times
                                [ECA-2706] - Allow Certificate Expiration Notification Service to specify Certificate Profiles
                                [ECA-2709] - Publisher for sampling of issued certificates

                                [ECA-2069] - Better log message when querying for not existing CA and default responder CA does not exist
                                [ECA-2714] - Hide the HARDTOKEN profiles in "Certificate Expiration Checker" configuration if "Issue Hardware Tokens" hasn't been enabled
                                [ECA-2724] - When deleting a Certificate Profile, list which end entities/end entity profiles that use it.

                                [ECA-2077] - OCSP rekeying does not work on JBoss 6.1.0 and JBoss EAP5
                                [ECA-2719] - Download of certificates from Admin GUI fails in Chrome when using "strange" usernames

                                [ECA-2625] - Language tool for developers and localizers

                                EJBCA 4.0.11

                                New Feature
                                [ECA-2629] - Add Japanese language file
                                [ECA-2696] - Custom revocation date in EJBCA

                                [ECA-2579] - Help message keys refactoring

                                [ECA-2662] - Strip whitespace from username entered in public web
                                [ECA-2664] - Cleartext links (http) in documentation
                                [ECA-2699] - ejbca.sh CLI exportprofiles function can't handle special characters in filename

                                [ECA-1979] - GUI: End-Entity (profile, add, edit) forms usability
                                [ECA-2577] - GUI: Configuration forms improvement
                                [ECA-2583] - GUI: LDAP Publishers form layout improvement
                                [ECA-2584] - GUI: Improvement of in-line help in all forms
                                [ECA-2627] - Process CA: forms layout improvement, and message keys refactoring
                                [ECA-2633] - GUI: Improve Services form
                                [ECA-2634] - GUI: View Certificate popup improvement
                                [ECA-2661] - Possible to use aliases for CRL Naming in RFC4387 CRL Store
                                [ECA-2675] - JBOSS with APR makes EJBCA deploy fail

                                EJBCA 4.0.10

                                New Feature
                                [ECA-2590] - Possibility to only publish revoked certificates to external VA DB
                                [ECA-2603] - "unknown is good" changed for some URLs used in the OCSP request.

                                [ECA-2564] - CMP: Correct the CrmfKeyUpdateTest
                                [ECA-2594] - XSS issues

                                [ECA-2563] - CMP: clean up CMP tests
                                [ECA-2575] - GUI: Administrator groups page headers improvement
                                [ECA-2580] - GUI: Improve View CA table layout (rows: header, sections, footer)
                                [ECA-2585] - GUI: Change Rename button in all Object lists

                                EJBCA 4.0.9

                                [ECA-2574] - Minor XSS issue

                                EJBCA 4.0.8, 2012-02-09
                                New Feature
                                [ECA-2539] - CMP: Get KeyUpdateRequest working even in RA mode

                                [ECA-2261] - SenderKeyID does not need to be set in a CMP request
                                [ECA-2476] - null pointer when trying to recover lost HSM in external OCSP
                                [ECA-2482] - Minor XSS issues
                                [ECA-2504] - Rename LIST button in Approve Actions section
                                [ECA-2544] - Upgrading Certificate Profiles can remove Authority Information access under certain conditions
                                [ECA-2552] - CMP: Skip verifying CertificateConfirmationRequest if not required
                                [ECA-2567] - CMP: Should use EjbRemoteHelper in CrmfRARequestTest

                                [ECA-1978] - Certificate Profile form improved
                                [ECA-2094] - Edit CA form improved
                                [ECA-2454] - Improve all table layout (rows: header, sections, footer)
                                [ECA-2468] - Formats and Units (GUI usability and keys refactoring)
                                [ECA-2497] - Unreadable code in VerifyPKIMessage
                                [ECA-2501] - More efficient CRL download
                                [ECA-2518] - Add link to Help page for ECDSA keys

                                [ECA-2157] - Clean up CSS code

                                EJBCA 4.0.7

                                New Feature
                                [ECA-2410] - Document EJBCA Djigzo intregration
                                [ECA-2430] - Plugin build system
                                [ECA-2434] - Add CMP KeyUpdate stress test in clientToolBox

                                [ECA-2197] - VA build fails sometimes
                                [ECA-2396] - More XSS issues
                                [ECA-2429] - Inconsistency in VA health-check properties comment and used URL
                                [ECA-2435] - Chinese charaters doesn't work in "Edit End Entity Profles" for DN attributes
                                [ECA-2436] - Reading OCSP messages over http1.1 with chunked encoding can fail
                                [ECA-2444] - CMP Revoke Response Message is unprotected sometimes

                                EJBCA 4.0.6


                                New Feature
                                [ECA-2368] - CMP, Implement message type KeyUpdateRequest

                                [ECA-2369] - NestedMessageContentTest does not clean up the test certificates it creates
                                [ECA-2380] - Minor XSS issue
                                [ECA-2383] - Cannot import empty CRL via CLI

                                EJBCA 4.0.5


                                New Feature
                                [ECA-2332] - Admin GUI ServletFilter for client certificate emulation

                                [ECA-2325] - Add custom cert serno and extension parsing the generatenewuser WS command

                                [ECA-2297] - NestedMessageContent implements version RFC2510 instead of RFC4210
                                [ECA-2302] - Publishing Queue Fails on slow publishers
                                [ECA-2338] - CMP End entity certificate authentication module does not work in client mode
                                [ECA-2346] - Certificate issuance verification does not detect when CAs public key (in HSM) does not match CA certificate
                                [ECA-2354] - Should not be possible to run service initialization after start

                                EJBCA 4.0.4

                                New Feature
                                [ECA-2105] - Add support for Signature protection of CMP confirm messages
                                [ECA-2161] - EJBCA add-on build option
                                [ECA-2194] - Add CMP Client mode using HMAC protection for user pwd
                                [ECA-2195] - Add modular authentication facility for CMP
                                [ECA-2196] - Add certificate authentication, by external cert, to CMP client mode
                                [ECA-2202] - Certreq WS CLI command support for altName
                                [ECA-2209] - Add new CMP client mode authentication methods
                                [ECA-2242] - Add certificate authentication, by external cert, to CMP RA mode
                                [ECA-2243] - Support multiple protection in CMP RA mode
                                [ECA-2264] - Support for certificate extensions with raw and/or dynamic value
                                [ECA-2267] - Support for adding/editing certificate extension data for an end entity in Admin Web
                                [ECA-2269] - Certificate extension value from WS and WSCLI. Certificate serial number from WSCLI.
                                [ECA-2275] - Add CMP tests in ClientToolBox

                                [ECA-2192] - Support other than DN in CMP recipient field
                                [ECA-2205] - Link to French installation guide contributed by asyd
                                [ECA-2285] - Allow getCA from CaSessionBean without requiring a transaction

                                [ECA-2253] - Add classes from cesecore to EJBCA sources to allow downgrade from 5.0 to 4.0

                                [ECA-2145] - EJBCA is not prepared to receive signature protected CMP Confirm messages
                                [ECA-2199] - Certreq WS CLI command ignores outputpath
                                [ECA-2213] - Enforce unique subject DN does not work with unused fields in EE profile
                                [ECA-2224] - Create Browser Certificate, Create Keystore pages have incorrect titles
                                [ECA-2231] - SCEP enrollment with CA-name containing spaces fails
                                [ECA-2235] - External VA doesn't correctly publish CRLs from CAs with X.509 naming order
                                [ECA-2254] - Way to indicate that a certificate should not be generated and stored on a HW token
                                [ECA-2256] - cmpHttpProxy does not build
                                [ECA-2257] - When a certificate is revoked and this certificate is not in LDAP it is logged as an error that the cert can not be removed and a task to remove is queued.
                                [ECA-2260] - CRL file name returned from VA differs from public web, should be .crl
                                [ECA-2270] - MSIE enrollment fails under certain conditions
                                [ECA-2276] - Approvals are denied because requestAdmin is not local admin token
                                [ECA-2278] - Finding free ids checks the id incorrectly
                                [ECA-2283] - Hard tokens are listed in wrong order in the GUI
                                [ECA-2286] - The VA page listing URLs to to CA certificates and the VA page listing URLs to CRLs is blank for some installations.
                                [ECA-2299] - Reading CMP messages over http1/1 with chunked encoding can fail

                                EJBCA 3.11.5

                                [ECA-2594] - Fixed some XSS issues.

                                EJBCA 3.11.4

                                [ECA-2557] - Minor XSS issues: merge bugfix from ECA-2482

                                EJBCA 3.11.3

                                [ECA-2065] - Certificate enrollment using OS X 10.6 and Safari 5.0.3
                                [ECA-2152] - Certificate not published to OCSP when reactivating after jboss restart.
                                [ECA-2212] - Problem between 'ant install' and 'ant deploy' on JBoss EAP 5.1.

                                EJBCA 4.0.3

                                [ECA-2188] - CMP improvements and minor bug fixes
                                [ECA-2189] - Fetch CMP regToken Control from CertRequest as well as CertReqMsg

                                [ECA-2101] - CMP error parsing POP signing key from BC1.46 clients
                                [ECA-2104] - CMP protection using digital signatures is missing DERNull for RSA AlgorithmParameters
                                [ECA-2181] - Exception deleting end entity profiles, AccessRulesData.findCountByCustomQuery does not use valuextractor
                                [ECA-2190] - POPO verification fails for BC1.46 signed CMP messages

                                EJBCA 4.0.2

                                New Feature
                                [ECA-1405] - Support for adding PrivateKeyUsagePeriod certificate extension
                                [ECA-1678] - Support Public Web enrollment in Chrome
                                [ECA-2172] - Storing of a secret not allowed to be in certificate in a DB with mapping to a fieald in the certificate.

                                [ECA-1827] - Optimize unique subject DN check
                                [ECA-1909] - End-Entity popups layout improved
                                [ECA-1959] - Public web layout improved
                                [ECA-1975] - View Log layout improved
                                [ECA-1976] - Fix PMD warnings
                                [ECA-2075] - Use ISO 8601 date format for absolute CertificateValidity, LogjDevice and in interfaces
                                [ECA-2076] - Change label 'CRL Publishers' to 'Publishers' for CAs
                                [ECA-2081] - Optimize EJBCA
                                [ECA-2084] - Create combined JDK patch for SHA224WithECDSA and RSAWithMGF1
                                [ECA-2097] - End-Entity Search form usability
                                [ECA-2100] - Make the number of BCrypt rounds configurable
                                [ECA-2106] - Improve CertificateProfileCache and EndEntityProfileCache
                                [ECA-2107] - Use getResultList instead of getSingleResult for JPA queries
                                [ECA-2110] - Improve log error message when CMP RA CA does not exist
                                [ECA-2111] - View History popup improved
                                [ECA-2115] - Use StringBuilder instead of StringBuffer where thread safety isn't required
                                [ECA-2119] - Optimize DNFieldsUtil
                                [ECA-2125] - GUI usability: History navigation in popups

                                [ECA-2006] - Certain hexadecimal values of the Validity field on the Edit CA page are parsed incorrectly
                                [ECA-2065] - Certificate enrollment using OS X 10.6 and Safari 5.0.3
                                [ECA-2085] - During install asked twice to input password
                                [ECA-2098] - Check for unique index on (certificate serialNumber, issuerDN) does not work as expected
                                [ECA-2108] - Property for custom available access rules miss-spelled
                                [ECA-2113] - CA Tokentype ignored during installation
                                [ECA-2132] - Start and end time displaying bugged in View EE popup
                                [ECA-2133] - DN displaying bugged in View Certificate popup
                                [ECA-2136] - Displaying of DN attributes which contains several spaces
                                [ECA-2137] - Fix EJBCA Web Configuration layout
                                [ECA-2143] - External RA PKCS12 request gives NPE
                                [ECA-2152] - Certificate not published to OCSP when reactivating after jboss restart.
                                [ECA-2153] - Error serial number start with 0
                                [ECA-2154] - Cert-cvc date decoding does not take timezone into consideration
                                [ECA-2158] - Export log as CSV does not work
                                [ECA-2166] - CertificateExpireTest does not remove the test CA
                                [ECA-2168] - If ServicetimerSessionBean.timeoutHandler throws exception multiple timers are created
                                [ECA-2169] - Possible too much logging when violating unique user public key and/or DN
                                [ECA-2176] - Deploying XKMS on JBoss 6 downloads dtd from w3c

                                [ECA-2073] - Update generated documentation
                                [ECA-2091] - Upgrade Extended CA services to include implementation classpath
                                [ECA-2147] - Clean up HTML code
                                [ECA-2148] - Message keys refactoring

                                EJBCA 3.11.2

                                [ECA-1981] - End Entity History: Administrator is not listed right (NullPointerException)
                                [ECA-1996] - NPE in approvals page when logged in as RA Admin without End Entity Profiles access rights
                                [ECA-2008] - Date in certificate profile decreased by one if different daylight savings time
                                [ECA-2024] - External CAs are set to expired, and treated as normal CAs giving exceptions in log
                                [ECA-2037] - Compilations fails on JDK 5
                                [ECA-2092] - Not possible to revoke some certificate after upgrading from 3.4.x to 3.11.1
                                [ECA-2102] - Some WS calls do not write the DN and issuer DN of the client making the call to the WS transaction log.
                                [ECA-2120] - External OCSP does not deploy on JBoss 5.1
                                [ECA-2127] - Republishing a revoked certificate to VA does not work
                                [ECA-2131] - Republish button in Admin GUI's view certificate page will not work when CertReqHistory isn't present for the certificate.
                                [ECA-2135] - Republish button in Admin GUI does not work for special characters

                                [ECA-2012] - Support named curves for Brainpool ECC in PKCS11 HSMs
                                [ECA-2082] - Add note about potential future error in fresh installations on EJBCA 3.11.0 and 3.11.1 on MySQL.

                                New Feature
                                [ECA-2009] - Add GlassFish database schema for Oracle
                                [ECA-2013] - Support SHA224WithECDSA on PKCS11 HSMs
                                [ECA-2014] - Support signing with SHA256WithRSAandMGF1 on PKCS11 HSMs
                                [ECA-2018] - Possibility to disable command line interface
                                [ECA-2021] - WS Call for retrieving CA path
                                [ECA-2022] - Add Web Service RA standalone application
                                [ECA-2083] - Add Import CRL to the EJBCA CLI
                                [ECA-2093] - CA CLI: Add import certificates from a directory of PEM files
                                [ECA-2112] - Web service operation issuing certificate from public key
                                [ECA-2141] - ExtRA certificate request that also edit user and sets serial number

                                EJBCA 4.0.1

                                [ECA-2090] - Can not browser enroll with IE

                                EJBCA 4.0.0

                                New Feature
                                [ECA-200] - Serialized database object not compatible between different app servers
                                [ECA-1286] - Additional notification template tag requestAdmin.CN
                                [ECA-1348] - Update user's SubjectDN from EJB CLI
                                [ECA-1516] - Possibility to revoke a certificate with the ejbca.sh tools (using the serial number)
                                [ECA-1522] - EJBCA CLI command to list lastUpdate and nextUpdate for each CA's last CRL
                                [ECA-1595] - Add Adobe PDF Signature extended key usage
                                [ECA-1700] - Add customLog WS CLI command
                                [ECA-1867] - Perform ampersand escaping for XML-based database sources
                                [ECA-1875] - New JUnit test for parsing Glassfish's JEE standard validation
                                [ECA-1905] - Function in public web to dump/inspect contents of certificates/CSRs
                                [ECA-2000] - Add SPOC PKI, CSN369791, extended key usages
                                [ECA-2013] - Support SHA224WithECDSA on PKCS11 HSMs
                                [ECA-2014] - Support signing with SHA256WithRSAandMGF1 on PKCS11 HSMs
                                [ECA-2021] - WS Call for retrieving CA path
                                [ECA-2022] - Add Web Service RA standalone application
                                [ECA-2072] - Handle database with case sensitive column names

                                [ECA-687] - WebService API does not work on Weblogic
                                [ECA-735] - Additional default 'chain' link on the public CRL/CA page
                                [ECA-852] - Improve handling of error in WS-API for unknown errors like underlying SQLExceptions.
                                [ECA-899] - Specify min password length in Bits - regardless of method used to express them
                                [ECA-964] - Change all "revokation" to "revocation" and "revoce" to "revoke" throughout the sourcecode
                                [ECA-1064] - Simplify configuration depending on appserver.type
                                [ECA-1099] - PMD Warnings
                                [ECA-1378] - Don't display Log4jLogDevice in View log function in admin-GUI
                                [ECA-1511] - Make EJBCA JBoss 6.0 compliant
                                [ECA-1528] - Remove CRL number from Publisher.storeCRL method
                                [ECA-1586] - Possible to prompt for passwords during install and don't display on screen
                                [ECA-1601] - GeneralPurposeCustomPublisher should have parameter for deltaCRL
                                [ECA-1623] - Refactor unit tests to comply to JUnit3 standard
                                [ECA-1648] - Date format of the setStartTime and setEndTime WS functions
                                [ECA-1656] - Adapt ProtocolOcspHttpTest to Windows
                                [ECA-1667] - E-mail template: use an e-mail address from SAN or entity account
                                [ECA-1750] - The Elimination of TestTools
                                [ECA-1755] - Replace usage of SimpleDateFormat with commons.lang FastDateFormat
                                [ECA-1786] - Get all tests up and running post EJB3-conversion
                                [ECA-1833] - Log devices that use the database should be responsible for creating new transactions
                                [ECA-1839] - Remove JNDI lookup for local interfaces and replace with proper injection wherever possible.
                                [ECA-1840] - Move CMP TCP Service to a separate appserver independent module
                                [ECA-1843] - Move configuration from ejb-jar.xml to Commons Config read property files
                                [ECA-1849] - Refactor HealthCheck component to allow for injection of local interfaces.
                                [ECA-1852] - Change Log4J property file bundled with EJBCA on non-JBoss application servers to XML format
                                [ECA-1863] - Make org.cesecore.core.ejb.ca.store.CertificateProfileSessionBean from CertificateStoreSessionBean
                                [ECA-1868] - Extract EndEntityProfileSession from RaAdminSession in preparation for CESeCore.
                                [ECA-1878] - Improve speed of HttpMethodsTest
                                [ECA-1880] - Run unit JUnit tests in parallel
                                [ECA-1886] - Add new authorization check to internal getCA method
                                [ECA-1888] - Move detection of referenced publishers and CAs to CertificateProfileSessionBean
                                [ECA-1890] - AuthorizationSessionBean tosses AuthorizationDeniedException for unexceptional conditions.
                                [ECA-1896] - Remove unused methods in CreateCRLSession
                                [ECA-1899] - Support for RSA CAs with SHA384 and SHA512 in admin GUI
                                [ECA-1900] - Replace Class.forName(SomeClass.class.getName()) with SomeClass.class
                                [ECA-1929] - Convert CertificateDataUtil to abstract base class for CertificateStoreSessionBean and CertificateStoreOnlyDataSessionBean
                                [ECA-1943] - Only merge ejbca-custom once per build
                                [ECA-1970] - Simplify query for batch users
                                [ECA-1989] - Mildly confusing message during default install "Generating for all FAILED."
                                [ECA-1991] - Change references to ejb-interface_ejb3 to just ejb-interface
                                [ECA-1993] - Migrate EJBCA from junit3 to junit4
                                [ECA-2011] - Improve build scripts
                                [ECA-2016] - Improvement of CA Administrators access rules
                                [ECA-2019] - Update generated documentation
                                [ECA-2030] - Use atomic update of LogConfigurationData.logEntryRowNumber
                                [ECA-2033] - Use @Override on all EJB methods
                                [ECA-2064] - Ugly exception in cli trying to set pwd for non existing used
                                [ECA-2088] - Remove CertificateData created during test for index certificatedata_idx1

                                [ECA-1319] - Upgrade apache beanutils to > 1.8
                                [ECA-1671] - CAInfo.setincludeInHealthCheck misspelled
                                [ECA-1716] - Migrate from J2EE to JEE5
                                [ECA-1717] - Drop support for JDK 1.5
                                [ECA-1718] - Convert EJB 2.1 interfaces to their EJB 3.0 counterpart
                                [ECA-1719] - Update EJBCA WS and XKMS
                                [ECA-1720] - Migrate Entity Beans to JPA 1.0
                                [ECA-1721] - Migrate all Stateless Session Beans from EJB 2.1 to EJB 3.0
                                [ECA-1722] - Use JPA QL instead of JDBC
                                [ECA-1723] - Remove XDoclet
                                [ECA-1728] - Refactor Admin GUI as self contained module depending on EJB interfaces
                                [ECA-1730] - Refactor Public Web components as self contained modules depending on EJB interfaces
                                [ECA-1777] - Add the unit test for CMP extractUsernameComponent created in ECA-1736 to EJBCA4
                                [ECA-1832] - Remove ProtectedLog
                                [ECA-1851] - Remove support for OC4J
                                [ECA-1854] - Enterprise bean class must declare all class static fields as final
                                [ECA-1879] - Extract AdminEntity and AdminGroup handling from AuthorizationSession in order to comply with the CeSeCore spec.
                                [ECA-1884] - Drop Jasper reports
                                [ECA-1892] - Remove unused methods in SignSession
                                [ECA-1894] - With caching EJBCA should recover from a database failure
                                [ECA-1903] - Remove myfaces jars
                                [ECA-1904] - Extract CRUD operations from CreateCrlSession into a new bean
                                [ECA-1907] - Extract some CRUD operations for CAs from CaAdminSessionBean to new SSB
                                [ECA-1913] - Message keys refactoring
                                [ECA-1920] - Move configuration of inistial administration CA to install.properties
                                [ECA-1922] - Remove TableProtect mechanism
                                [ECA-1926] - Move Log4J JBoss appenders to separate module
                                [ECA-1927] - Upgrade commons-configuration to latest version (1.6)
                                [ECA-1928] - Upgrade commons-lang to latest version (2.5)
                                [ECA-1940] - Upgrade commons-logging to latest version (1.1.1)
                                [ECA-1942] - Upgrade log4j to latest version (1.2.16)
                                [ECA-1944] - Merge ECA-1853 and ECA-1931 to trunk
                                [ECA-1971] - HTML/CSS compliance and code cleaning
                                [ECA-1974] - Document current state of Test EJBCA 4 on WebLogic AS 10.3.4
                                [ECA-1977] - Remove deprecated methods from BasePublisher and update ICustomPublisher to match.
                                [ECA-1984] - Remove deprecated methods from CertificateProfile
                                [ECA-1986] - Remove deprecated certtools.dnorderreverse
                                [ECA-1987] - Document current state of EJBCA 4 on WebSphere AS 7
                                [ECA-1992] - Remove unused env entries from CMP WAR's web.xml
                                [ECA-2036] - Test for CVE-2010-4476

                                [ECA-579] - Log queries for administrator data are incorrect
                                [ECA-1151] - startTime/endTime format in end entity profile incoherence
                                [ECA-1212] - Edit administrator groups does not work on Weblogic 9/10
                                [ECA-1327] - Creating CA from CLI using a certificate profile not derivative of ROOTCA or SUBCA causes a NullPointerException.
                                [ECA-1352] - The CA DN is not the CA displayed in CA certificate view
                                [ECA-1397] - postalAddress DN component is has wrong encoding
                                [ECA-1515] - ejbca.sh ca listexpired return revoked certificates
                                [ECA-1591] - External OCSP tests in TestPublisher fails on Postgres
                                [ECA-1604] - Trying to create a CVCA with incomplete SubjectDN results in NullPointerException
                                [ECA-1615] - Forgetting to define key encryption key in hard token results in NullPointerException on certificate creation with CSR
                                [ECA-1624] - Test test06RequestCounter in UserDataTest system test apparently does not clean up after itself
                                [ECA-1647] - ServiceTimerSession does not loop through the correct timers in case of exception
                                [ECA-1650] - JUnit tests cannot handle EndOfLine characters on Windows
                                [ECA-1673] - OCSP Service Locator URI fills in default value even if we want to have it empty
                                [ECA-1686] - CertificateStoreSessionBean.findCertificatesByXX inconsistent behavior when user does not exist
                                [ECA-1689] - Possible NullpointerException in admin GUI if ee profile is removed in database
                                [ECA-1695] - EjbcaWS.getAvailableCertificateProfiles and getAvailableCAsInProfile throws NullPointerException if profile does not exist
                                [ECA-1697] - Possible NPE when merging WS DN
                                [ECA-1699] - X.500 DN order with multiple attributes (e.g. DC, OU)
                                [ECA-1753] - externalra-gui does not work with jBoss 5.1.0.GA.
                                [ECA-1767] - Subject DN field with only the space character leads to Exception
                                [ECA-1799] - notSerializableException running userquerywith remote EJBs
                                [ECA-1806] - Get timers working again in EJBCA4
                                [ECA-1809] - Services based on EJB Timer service does not work on Weblogic Server 10.0
                                [ECA-1829] - XKMSKISSTest fails due to inproper matching och SubjectDNs
                                [ECA-1841] - Error adding end entity with several required and non required OUs
                                [ECA-1861] - Batch generation does not work when there are lots of new users with empty passwords in database
                                [ECA-1864] - CATokenOfflineException is converted to CADoesntExistsException
                                [ECA-1887] - Redeployment on Glassfish 2.1.1 does not work
                                [ECA-1919] - EndEntityProfileSessionBean.findFreeEndEntityProfileId may fail and loop
                                [ECA-1951] - Can't add admin groups when logged in as SuperAdmin
                                [ECA-1956] - EJBCA doesn't handle well SCEP request with multivalue relative distinguishable name with a space in it
                                [ECA-1973] - Certificate archiving does not work when creating CRLs using WS (4.0 dev regression only)
                                [ECA-1980] - Unable to delete end entity profile
                                [ECA-1981] - End Entity History: Administrator is not listed right (NullPointerException)
                                [ECA-1982] - External OCSP responder does not work with ECC algorithm
                                [ECA-1988] - WARs depend on classes from ejbca-ejb.jar and not only EAR bundled libs
                                [ECA-1994] - Arrays.asList does not like an empty array of Integer
                                [ECA-1995] - NullPointerException creating request if cachain is null
                                [ECA-1996] - NPE in approvals page when logged in as RA Admin without End Entity Profiles access rights
                                [ECA-1999] - SECURITY: Replace simple password hasing with BCrypt salted password hasing
                                [ECA-2002] - CRLs must be published when they are created
                                [ECA-2004] - The Edit CA form is submitted even when an error in the input is detected
                                [ECA-2005] - Catch NoResultException for javax.persistence.Query.getSingleResult
                                [ECA-2007] - Always check for null before trying to remove something with entityManager
                                [ECA-2008] - Date in certificate profile decreased by one if different daylight savings time
                                [ECA-2010] - Wrong menu displaying according to Admin access rules
                                [ECA-2024] - External CAs are set to expired, and treated as normal CAs giving exceptions in log
                                [ECA-2025] - Download of certificates via ejbca/adminweb/ca/endentitycert does not work
                                [ECA-2028] - Build script error for WS
                                [ECA-2031] - WebdistHttpTest use case sensitive check for HTTP header
                                [ECA-2045] - CAActivation page requires wrong permission to view
                                [ECA-2055] - Reactivation is no longer possible in Admin GUI when viewing certificate
                                [ECA-2057] - CertificateData.findUsernamesByExpireTimeWithLimit's query is missing IS keyword.
                                [ECA-2059] - Random hickups with services
                                [ECA-2060] - CARepublishCommand has might publish CRL with wrong CRLNumber
                                [ECA-2061] - CaRepublishCommand throws exception publishing server certificates
                                [ECA-2062] - CRLs are not always created in a new transaction
                                [ECA-2071] - AccessRuleData matching for CAs and EndEntityProfiles
                                [ECA-2089] - ExternaRAServiceWorker cannot access external database in container managed transaction

                                EJBCA 3.11.1

                                [ECA-1908] - Certificate popup layout improved
                                [ECA-1952] - Add favicon to public and admin web
                                [ECA-1958] - Add message "Integrated by"
                                [ECA-1961] - Header, Footer, and global layout improved
                                [ECA-1972] - CA information popup layout improved

                                [ECA-1946] - cert-cvc 1.2.12 maven pom still has version tag 1.2.11
                                [ECA-1948] - MySQL mapping for KeyRecoveryData.certSN is incorrect
                                [ECA-1949] - MySQL mapping for UserData.cardNumber is inconsistent in in SQL create script and mapping files.
                                [ECA-1950] - ETSI QC value limit can not have 0 value
                                [ECA-1953] - Sybase ServiceData.nextRunTimeStamp and runTimeStamp was inconsistent compared with other long fields
                                [ECA-1955] - Error upgrading from EJBCA 3.6.x to 3.11.x
                                [ECA-1962] - Editing certificate profile, session information spills over to other edits when using the "Back to certificate profiles" link
                                [ECA-1963] - Trying to use Cardnumber in EE profile gives error about missing UNSTRUCTUREDADDRESS
                                [ECA-1964] - Ugly NPE in log for field error during add end entity
                                [ECA-1965] - UserDoesntFullfillEndEntityProfile is wrapped twice in LocalUserAdminSessionBean
                                [ECA-1966] - Add end entity modifies cached end entity profiles
                                [ECA-1985] - UnstructuredAddress dn field does not work

                                EJBCA 3.11.0

                                New Feature
                                [ECA-63] - Implement RFC4387, cert store access via http
                                [ECA-1264] - Add extended information to edit user WS-API.
                                [ECA-1711] - GUI application for batch-enrollment from CSR:s
                                [ECA-1784] - Add version column to database tables
                                [ECA-1842] - Be able to separate log files depending on CA
                                [ECA-1844] - Function to fluch caches across a cluster from admin GUI
                                [ECA-1850] - ClientToolBox command for db managemnt in a generic ways.
                                [ECA-1853] - External OCSP responder also a CRL Distribution point
                                [ECA-1885] - Options to issue certificates without database storage
                                [ECA-1893] - Supply custom certificate serial number over CMP in RA mode
                                [ECA-1901] - Support one CMP RA secret per CA
                                [ECA-1938] - Database mapping for Oracle on GlassFish
                                [ECA-1859] - Add SSH extended key usages
                                [ECA-1860] - Add MS Code Signing extended key usages

                                [ECA-1712] - Add End-Entity forms usability
                                [ECA-1765] - Possibility to pin a service to specific cluster nodes
                                [ECA-1768] - Make Ubuntu quick start guide doc
                                [ECA-1816] - Forms layout improved
                                [ECA-1819] - Make nextRunTimeStamp a column in database to avoid updating long column
                                [ECA-1837] - Optimize use of ExtendedInformation to not store anything if not used
                                [ECA-1847] - Make data types consistent across all databases
                                [ECA-1848] - Only log CA expired warnings to server.log
                                [ECA-1857] - End-Entity Profile form improved
                                [ECA-1858] - Certificate Authority form improved
                                [ECA-1862] - Optimize creation of User and Certificate objects in database
                                [ECA-1877] - SPOC interop requires "unusual" countries which the CVC library does not permit
                                [ECA-1895] - Set correct port in administration link in public web
                                [ECA-1897] - Improve error message for violating unique subject DN
                                [ECA-1912] - Add new RSA key sizes: 1536 bits, 8192 bits
                                [ECA-1921] - Search End Entities layout improved
                                [ECA-1935] - Use random password for autogenerated passwords in WS-API certificateRequest
                                [ECA-1937] - New RSA 1536 Bit for Hard Token Profiles

                                [ECA-1923] - Deprecate TableProtect mechanism
                                [ECA-1924] - Introduce new (unused) database column for future integrity protection

                                [ECA-1841] - Error adding end entity with several required and non required OUs
                                [ECA-1845] - Wrong reference in on line doc link for renew ca
                                [ECA-1871] - It's possible to change the value of 'OCSP Service Locator URI' when 'Use Authority Information Access' is turned on
                                [ECA-1914] - Import of certfificate profiles referring to CVC CAs failed i CLI
                                [ECA-1915] - TestCustomCertSerialnumberWS not compilable without JBoss
                                [ECA-1917] - Class not found during marshalling when running tests on GlassFish
                                [ECA-1918] - Web services tests fails on GlassFish
                                [ECA-1930] - Error using creatcrl cli on Glassfish
                                [ECA-1931] - NPE in OCSP at load
                                [ECA-1934] - Standalone VA/OCSP missing jar when deploying on GlassFish
                                [ECA-1936] - Some characters double encoded in admin GUI
                                [ECA-1939] - XMLEncoding/decoding of ExtendedInformation complains about BigInteger
                                [ECA-1945] - Username not displayed in popups

                                EJBCA 3.10.6

                                New Feature
                                [ECA-1264] - Add extended information to edit user WS-API.

                                [ECA-1877] - SPOC interop requires "unusual" countries which the CVC library does not permit

                                [ECA-1841] - Error adding end entity with several required and non required OUs
                                [ECA-1845] - Wrong reference in on line doc link for renew ca
                                [ECA-1914] - Import of certificate profiles referring to CVC CAs failed i CLI

                                EJBCA 3.10.5

                                New Feature
                                [ECA-1791] - Logging the certificate SubjectDN when an admin logs in with an external cert and displaying this info in Log View
                                [ECA-1822] - Command line to clear internal caches

                                [ECA-1663] - Option to specify CRL Expire Period fields etc. in months
                                [ECA-1741] - Clean authentication session bean
                                [ECA-1756] - Configurable cache for end entity profiles
                                [ECA-1795] - It should be possible to run the CMP TCP Proxy as a Windows service
                                [ECA-1797] - Page sub-titles harmonized
                                [ECA-1800] - Name as a word, name as a DN attribute
                                [ECA-1802] - Improve CAInfo cache to use configurable time
                                [ECA-1805] - Configurable cache for certificate profiles
                                [ECA-1807] - Document 'Finish User' CA config
                                [ECA-1811] - Improve caching of global configuration and authorization data
                                [ECA-1813] - Re-order all the Extended Key Usage
                                [ECA-1816] - Forms layout improved
                                [ECA-1818] - Make log configuration cache time configurable
                                [ECA-1823] - HSM p11 key attribute test and default.
                                [ECA-1824] - New "fixed" username generation scheme in CMP RA mode
                                [ECA-1831] - Lower log level from info to debug for expired CA warnings
                                [ECA-1834] - Use only fingerprint index to check for unique cert serialnumber

                                [ECA-1745] - Can not re-publish a certificate when CertReqHistory is not used
                                [ECA-1780] - Doc update CMP over TCP not supported on Glassfish
                                [ECA-1830] - Update german language file

                                [ECA-1739] - Unique subjectDN serialnumber cannot be edited.
                                [ECA-1747] - Change how an approval administrator is identified, approval does not work with external administrators
                                [ECA-1759] - Admin GUI crashes with a stacktrace when accessed by unauthrized user cert, on JBoss 5
                                [ECA-1779] - Error when clicking on the Adminstrator in "View Log"
                                [ECA-1790] - Unable to choose event in Advanced Filter Mode in View Log
                                [ECA-1793] - Mitigate Cross Site Scripting (XSS) in the Admin GUI
                                [ECA-1794] - Admin GUI errors on JBoss 5
                                [ECA-1804] - ProfileMappings update and fixes, for messages
                                [ECA-1808] - WS CLI does not support unrevocation
                                [ECA-1812] - Activation failure when EJBCA is started at high load
                                [ECA-1817] - EJBCA fail to install, if application server is installed in the root directory.
                                [ECA-1820] - Certificate related events in the View Log does not display the certificate in question
                                [ECA-1821] - NullPointerException when filling certing fields in View Log
                                [ECA-1825] - Create CA with SerialNumber in DN regression with CLI
                                [ECA-1836] - Use CertReqHistory should be active by default

                                EJBCA 3.10.4

                                New Feature
                                [ECA-1727] - User defined serial number using UserDataVO
                                [ECA-1733] - Possible to configure CA to not use Certificate Request History
                                [ECA-1735] - Add configuration to fully cache CA objects, to minimize database roundtrips

                                [ECA-1729] - EJBCA on Glassfish with MySQL
                                [ECA-1734] - Add throws clause for CADoesntExistException to add/change user in user admin session bean, and optimize away one read of CA info in cert req session
                                [ECA-1743] - Improve file log for parsing, prefix dn and quote it in log
                                [ECA-1752] - Harmonized themes for home page
                                [ECA-1757] - Harmonized themes for CA Activation page
                                [ECA-1762] - Harmonized GUI for all pages
                                [ECA-1763] - Make country DV renewals optionally take CVCA certificate from the EJBCA store
                                [ECA-1783] - CertTools.checkValidity should not log with error when a CVC certificate has expired

                                [ECA-1725] - Make test34CaRenewCertRequest JUnit test also for ECC keys

                                [ECA-1321] - Single-qoute bug when creating CRL from Admin GUI
                                [ECA-1710] - Certrequest session (and now CMP) requires ee profile to use 'Batch', i.e. clear pwd
                                [ECA-1724] - Mitigate Cross Site Scripting (XSS) in the Admin GUI
                                [ECA-1731] - EJBCA WS KeyRevocerNewest always returns 0 as approval Id in WaitingForApprovalException
                                [ECA-1736] - extractUsernameComponent in CMP client mode broken
                                [ECA-1737] - Error while setup admin permissions for superadmin when superadmin.cn contains a space
                                [ECA-1738] - Nullpointer exception editing end entity profiles when printer is null
                                [ECA-1746] - EjbcaWS does not work with external admin certificates
                                [ECA-1761] - Error parsing certificate serialnumber
                                [ECA-1778] - webconfiguraiton.jspf displays HTML
                                [ECA-1785] - Error when filling the Subject Directory Attribute Fields
                                [ECA-1789] - ocsphealthcheck does not deploy on JBoss 5

                                EJBCA 3.10.3

                                [ECA-1709] - Typo in ejbca-ws-cli

                                [ECA-1704] - Tomcat's server.xml must have URIEncoding also for port 8080
                                [ECA-1710] - Certrequest session (and now CMP) requires ee profile to use 'Batch', i.e. clear pwd
                                [ECA-1713] - Mitigate Cross Site Scripting (XSS) in the error page of Admin GUI
                                [ECA-1714] - Issuer CA DN is HTML escaped when revoking through Admin GUI
                                [ECA-1715] - Error creating DVs using ECC

                                EJBCA 3.10.2

                                New Feature
                                [ECA-1622] - CMP Proxy
                                [ECA-1677] - Enforce unique SubjectDN Serial Number
                                [ECA-1693] - Validate content of End Entity Fields
                                [ECA-1705] - Support MySQL 5.1 Cluster 7
                                [ECA-1707] - Display a search-link when trying to add a user that already exists.

                                [ECA-714] - Document how ROOT CA revocation works, and what to do
                                [ECA-1655] - Restrict http methods other than get and post
                                [ECA-1674] - Output the servers time to the first page of the Admin GUI.
                                [ECA-1682] - Allow multiple CA policy OIDs and URLs when creating a CA from the EJB CLI
                                [ECA-1683] - Use CertificateRequestSessionBean for CMP to make it transaction safe
                                [ECA-1685] - Look over exception handling in UserAdminSessionBean findUser and optimize usage to existsUser where possible
                                [ECA-1687] - LocalUserAdminSessionBean.findAllUsersByCaId method declares throws FinderException that it does not throw
                                [ECA-1690] - Possible to define custom CN of superadmin on install
                                [ECA-1658] - Supervision of the validity time of the signing certificates for the OCSP responder

                                [ECA-1631] - Update pre-defined windows smart card logon profiles

                                [ECA-715] - Possible to issue certificates from a revoked CA
                                [ECA-1266] - Upgrade may cause "use authority information access" to be enabled though it was not before in certificate profile
                                [ECA-1639] - The CAR of a CV Certificate can hold an incorrect sequence number (which makes the CAR incorrect)
                                [ECA-1645] - Exception in CertTools parsing CRL Distribution Point with name but no URI
                                [ECA-1646] - class isolation does not work with JBoss AS 4.2.3 GA : unable to "ant install" successfully
                                [ECA-1651] - Some cli commands does not work on JBoss 5
                                [ECA-1652] - Trying to use plus sign in DN with WS-API results in double escaping
                                [ECA-1653] - Trying to get delta CRL when none exists with cli gives ugly error message
                                [ECA-1654] - Perform check for illegal SQL query characters from LocalUserAdminSession.query
                                [ECA-1657] - export profiles cli gives error for CA certificate profiles
                                [ECA-1660] - Visiting adminweb using port 442 for the first time gives NPE
                                [ECA-1661] - Adding a CA with PKCS11 token but without HSM installed gives NPE
                                [ECA-1662] - Password masking in "ant install" not working on Windows Server 2008
                                [ECA-1666] - Not possible to use subject DN EMAIL field when creating certificate with CMP.
                                [ECA-1668] - Tooltip title missing in Edit Administrator Privileges
                                [ECA-1670] - Upgrade of existing CA should set EnforceUniqueDistinguishedName and PublicKey to false
                                [ECA-1672] - /log_functionality/log_custom_events authorization not verified in WS API
                                [ECA-1675] - Download CRL from Basic functions give ugly filename with space in CN
                                [ECA-1676] - Error downloading certificate request created by X509 CA
                                [ECA-1679] - Can not create a new certificate request from a CVC CA with no previous signing key
                                [ECA-1680] - When superadmin.dn is modified, authentication on adminweb is impossible
                                [ECA-1681] - MakeRequest button when SignedBy=External CA is not enabled

                                EJBCA 3.10.1

                                New Feature
                                [ECA-1542] - New WS API methods for caRenewCertRequest and caCertResponse
                                [ECA-1622] - CMP Proxy
                                [ECA-1630] - Support SHA384withECDSA signature algorithm

                                [ECA-958] - Allow DVCA renewal of keys without activating them immediately
                                [ECA-1585] - Renew CA signed by external does not accept binary CA certificate input
                                [ECA-1616] - cvcRequest gives unclear error message when the exact same request is passed
                                [ECA-1618] - OCSP responder, log startup, with version, and shutdown
                                [ECA-1627] - Support DSA keys in ejbca.sh batch.
                                [ECA-1635] - Specify a ca certificate profile when creating a ca with CLI

                                [ECA-1346] - Write version information etc in ejbca-util.jar's manifest file
                                [ECA-1529] - Remove the SafeNetLuna JCE CA token
                                [ECA-1563] - EJBCA does not deploy on JBoss EAP 5.0.0.GA

                                [ECA-1058] - Multiple DCs in CA's sujectDN break CRL generation when LDAP DN order switched off
                                [ECA-1072] - Got exception when adding an end entity from ejbcarawscli.sh when approval is enabled
                                [ECA-1136] - User interface does not update correctly when changing Admingroup privileges
                                [ECA-1189] - Error saving RA Admin access rules, End Entity Rules
                                [ECA-1197] - Mail notifications does not work for CA's about to expire.
                                [ECA-1541] - CMP servlet does not verify input length
                                [ECA-1587] - CLI for getting delta CRL does not work
                                [ECA-1602] - A Root CA can not renew certificate of an External CA
                                [ECA-1603] - Approval Notifications gives nullpointerexception
                                [ECA-1608] - Approval notification does not include requestAdmin
                                [ECA-1609] - A new CRL is not created when a CA is renewed.
                                [ECA-1610] - An error is logged when publishing CRL for a CA not using delta CRL.
                                [ECA-1614] - ERROR logged erroneous when renewing root CA
                                [ECA-1617] - Process time in OCSP logging fails when request fails
                                [ECA-1619] - "CA issuer URI" can not be deleted on the "Edit Certificate Profile" page if the string start or ends with space.
                                [ECA-1620] - Listing end entities with expiring certificates generates Exception
                                [ECA-1626] - addUser ejb method does not always throw DuplicateKeyException if user exists
                                [ECA-1629] - Error saving RA Admin access rules, Other Rules
                                [ECA-1633] - document boolean usepreviouskey in X509CA.signRequest better
                                [ECA-1638] - activateca cli does not work for expired CAs
                                [ECA-1641] - Expired CAs makes CA cert download from public web fail
                                [ECA-1644] - ejbca.sh listcas does not work with CVCAs

                                EJBCA 3.10.0

                                New Feature
                                [ECA-1530] - Support signing NewWithOld after CA key rollover
                                [ECA-1557] - Enforcement of Unique Public keys
                                [ECA-1566] - External RA: Web based GUI for enrolling entites
                                [ECA-1567] - Enforcement of Unique Distinguished Name
                                [ECA-1589] - Support for Ingres 9.3

                                [ECA-1465] - Preparations for EJBCA 4
                                [ECA-1466] - Build ejbca-util with a minimal number of classes
                                [ECA-1467] - Move the ejbca-ws build to modules
                                [ECA-1468] - Move the ejbca-xkms build to modules
                                [ECA-1470] - Deprecate ProtectedLog
                                [ECA-1476] - Move external RA to modules
                                [ECA-1482] - Update JavaDoc build
                                [ECA-1484] - Disable XKMS service by default
                                [ECA-1531] - Restructure documentation into separate admin and user guides
                                [ECA-1550] - Internal OCSP responder should always use the CA signing certificate to sign responses
                                [ECA-1582] - Upgrade bouncycastle to 1.45

                                [ECA-668] - Possibility to change keyStorePassword in an already installed setup
                                [ECA-892] - WS-cli should work with pkcs12 file as well in addition to jks files.
                                [ECA-1237] - External RA: possibility to deploy to other deploy directory
                                [ECA-1239] - Build ClientToolBox without application server present
                                [ECA-1251] - Name returned certificates from public web after the username
                                [ECA-1336] - Add Spanish commonly used OID's NIF/CIF
                                [ECA-1380] - Use commons configuration for all configuration
                                [ECA-1381] - Use JPA in ExtRA client library
                                [ECA-1383] - Separate system and functional JUnit tests
                                [ECA-1396] - Create new WS and bean method that creates/edits user and issues a certificate in a single transaction
                                [ECA-1428] - More effective stress test.
                                [ECA-1432] - Refactor and create new module for EJBCA's remote EJB CLI
                                [ECA-1469] - Rename LogEntryDataBean comment and comment_ column to logComment for all database types
                                [ECA-1488] - Property in mail.properties for setting SMTP port missing
                                [ECA-1495] - Enforce dependency check for all components of the EJBCA core and improve structure
                                [ECA-1505] - Optimize isRevoked method in CertificateStoreSessionbean
                                [ECA-1537] - Display min and max time for stress test jobs
                                [ECA-1575] - Get length of message from ASN1 length value.
                                [ECA-1576] - Default certificate profile should not allow key usage override
                                [ECA-1596] - Possibility to run SCEPTest directly against EJBCA.
                                [ECA-1599] - EJBCA EJB CLI subcommand 'encryptpwd' should not echo password

                                [ECA-1050] - Revoke and renew button on OCSP/XKMS/CMS extended services only revokes and does not renew
                                [ECA-1536] - Extra test client does not compile with JBoss 5
                                [ECA-1578] - Use of DN from CA data when searching for last CRL number.
                                [ECA-1579] - Root CA certificate could have different subject and issuer DN.
                                [ECA-1583] - EJBCA EJB CLI is not working with JBoss 5
                                [ECA-1584] - PublisherQueue process service does not work in PostgreSQL
                                [ECA-1590] - Hash of a CA certificates can not be used to get "CA" if the subject DN of the certificate is not the same as the subject DN of the CA data.

                                EJBCA 3.9.10

                                [ECA-1699] - X.500 DN order with multiple attributes (e.g. DC, OU)

                                EJBCA 3.9.9

                                New Feature
                                [ECA-1264] - Add extended information to edit user WS-API.

                                [ECA-1704] - Tomcat's server.xml must have URIEncoding also for port 8080
                                [ECA-1714] - Issuer CA DN is HTML escaped when revoking through Admin GUI
                                [ECA-1773] - Using multiple of the same Custom OID field for OtherName in Subject Alternative Names results in double values
                                [ECA-1841] - Error adding end entity with several required and non required OUs

                                EJBCA 3.9.8

                                [ECA-1658] - Supervision of the validity time of the signing certificates for the OCSP responder

                                [ECA-1266] - Upgrade may cause "use authority information access" to be enabled though it was not before in certificate profile
                                [ECA-1639] - The CAR of a CV Certificate can hold an incorrect sequence number (which makes the CAR incorrect)

                                EJBCA 3.9.7

                                [ECA-1616] - cvcRequest gives unclear error message when the exact same request is passed
                                [ECA-1618] - OCSP responder, log startup, with version, and shutdown

                                [ECA-1636] - Error creating DVs signed by external CVCAs
                                [ECA-1643] - Possible NullpointerException in EjbcaWS.getAvailableCertificateProfiles

                                EJBCA 3.9.6

                                New Feature
                                [ECA-1542] - New WS API methods for caRenewCertRequest and caCertResponse

                                [ECA-958] - Allow DVCA renewal of keys without activating them immediately
                                [ECA-1585] - Renew CA signed by external does not accept binary CA certificate input

                                [ECA-1587] - CLI for getting delta CRL does not work
                                [ECA-1602] - A Root CA can not renew certificate of an External CA
                                [ECA-1603] - Approval Notifications gives nullpointerexception
                                [ECA-1608] - Approval notification does not include requestAdmin

                                EJBCA 3.9.5


                                [ECA-1523] - Display and accessibility of CA status table on home page
                                [ECA-1538] - OCSP service closes ServletInputStream uneccesarily
                                [ECA-1539] - When downloading a CVC certificate or request the name of the downloaded file should contain the CAR and the CHR (certificates only)
                                [ECA-1543] - Remove hardcoded paths in CertReqServlet.java for OpenVPN installer creation
                                [ECA-1547] - Add processtime variable to OCSP transaction logging
                                [ECA-1574] - Possibility to prompt for password in install and ca init cli
                                [ECA-1577] - Possibility to initilize authorization module when importing CA certificate of external CA

                                [ECA-1479] - relative path to the catoken.properties file in conf/ejbca.properties not working
                                [ECA-1533] - EracomCAToken (old deprecated) uses sSlotLabel before it has been set
                                [ECA-1534] - generation of new HSM keys does not update keyStrings in BaseCAToken
                                [ECA-1540] - When generating new keys using a hard token the new key label is generated incorrectly, if the old sequence contained non numeric characters
                                [ECA-1544] - Compile error in jsp in some cases
                                [ECA-1545] - External OCSP signing is failing at the period of re-keying.
                                [ECA-1546] - The key sequence is incremented decimal when renewing a key, but it could be incremented alphanumeric
                                [ECA-1548] - OCSP responder performance drop i 3.9.4
                                [ECA-1549] - mTransactionID in OCSPServletBase may not be thread safe
                                [ECA-1552] - Iaik provider not working
                                [ECA-1554] - PKCS11HSMKeyTool fails test command using IAIK provider in some cases
                                [ECA-1555] - Can not use . (dot) in username when editing end entity profiles
                                [ECA-1558] - Can not view log when using cvc sequences in alfanumeric form
                                [ECA-1560] - No default value for ca.name
                                [ECA-1562] - ejbca-mail-service is overridden by default mailservice in JBoss 5
                                [ECA-1572] - clientToolBox not configuring logging on windows
                                [ECA-1573] - Charcters in German languagefile causes JavaScript errors in adminweb

                                EJBCA 3.9.4

                                [ECA-1518] - Language files encoded in UTF-8

                                [ECA-1521] - Document how to use of Brainpool curves for EAC

                                [ECA-1441] - Old CA cert published to LDAP after CA renewal.
                                [ECA-1443] - Bogus CRL published to LDAP at some occations.
                                [ECA-1471] - Don't publish certificates for inactive CA services
                                [ECA-1514] - CMP requests with DN characters requiring escaping fails
                                [ECA-1519] - Not possible to renew soft CA ECC CA keys
                                [ECA-1524] - Unable to renew expired CAs (regression)
                                [ECA-1525] - SafeNetLunaCAToken (old class) does not work
                                [ECA-1526] - SecConst.CERT_EXPIRED, should not be used, Import cert cli uses EXPIRED instead of ARCHIVED.
                                [ECA-1527] - OCSP responder returns good for expired and archived certificates

                                EJBCA 3.9.3

                                New Feature
                                [ECA-1389] - Make it possible to add several notifications for expiring certificates.
                                [ECA-1439] - End date for certificate profile and CA.
                                [ECA-1480] - Possible to generate EC certificate requests with explicit parameters
                                [ECA-1492] - Add configuration of allowed signing algorithms to certificate profiles

                                [ECA-1312] - Test browser enrollment with Windows 7
                                [ECA-1483] - Update database schema at ejbca.org

                                [ECA-1386] - Generate new keys on HSM in Admin GUI does not support ECC
                                [ECA-1400] - New navigation menu GUI
                                [ECA-1401] - GUI improvement with IE fixes CSS
                                [ECA-1417] - name CV certificates .cvcert instead of .crt when downloading from public web
                                [ECA-1440] - Configureable error output on admin gui error page.
                                [ECA-1449] - Rename "Download to Internet Explorer" to "Download binary/to IE"
                                [ECA-1451] - Display EC public key in view certificate pop-up
                                [ECA-1453] - WS command to get length of queue for an issuer.
                                [ECA-1455] - Possibility to change DN of superadmin user created by 'ant install'
                                [ECA-1456] - clientToolBox createCertReq should handle ECC keys as well
                                [ECA-1493] - Possibility to use part of user data in LDAP DN but not in certificate DN when publishing certificate to LDAP


                                [ECA-1429] - Renewing keys on a CA in admin GUI forces reload of all CAs
                                [ECA-1436] - Export CA keystore, download issues with IE
                                [ECA-1442] - Mail Expiration Checker cannot send mail for user SYSTEMCERT
                                [ECA-1444] - CertificateExpirationWorker does not work with CV certificates
                                [ECA-1445] - Java 5's XMLEncoder breaks when using Collections.EMPTY_LIST
                                [ECA-1447] - InvalidKeyException för HSM during deploy or startup under load
                                [ECA-1448] - When issuing certificates, sometimes it is not checked if CA is off-line, only CA token
                                [ECA-1450] - NullpointerException making CA offline if CAToken can not be created
                                [ECA-1454] - p11slot keeps adding numerous tokens
                                [ECA-1457] - ECC brainpool curves does not work due to Sun certificate provider
                                [ECA-1458] - Can not import exported ECC CVCA
                                [ECA-1460] - Approval and finishuser settings missing from CVC CA configuration
                                [ECA-1461] - Exception on import CA keystore
                                [ECA-1463] - ca info cli command does not work for cvc CAs
                                [ECA-1464] - Having a trailing '\' at the end of a field (e.g. username) gives a StringIndexOutOfBoundsException on search
                                [ECA-1471] - Don't publish certificates for inactive services
                                [ECA-1473] - CAFingerprint in database not set correctly for SubCAs
                                [ECA-1475] - OutOfMemory when failing to publish large CRLs with connection closed error
                                [ECA-1481] - Not possible to get PUK from issued card of the type "turkish profile" with WS
                                [ECA-1485] - Remove StdErr logging when editing approvals in certificate profiles
                                [ECA-1496] - End Entity Profile check fails for CMP requests with E in subject DN
                                [ECA-1502] - Remove ocsp from bin/ejbca.sh
                                [ECA-1504] - clientToolBox.bat does not work with space in path
                                [ECA-1509] - cert-cvc: ECPoint can be wrongly encoded in 1 out of 2^16 keys
                                [ECA-1517] - Notification status interferes with "Search/edit end entities"

                                EJBCA 3.9.2

                                New Feature
                                [ECA-1377] - Sign and verify of files with clientToolBox when the private key is stored on a HSM.
                                [ECA-1390] - Possible to limit signing keys for an external OCSP responder to keys within a set of key aliases.
                                [ECA-1412] - Add support for the TSL signer extended key usage

                                [ECA-1360] - use improved validity period parsing in Certificate Profiles
                                [ECA-1364] - Deleting certificate profiles in large database slow, new index
                                [ECA-1366] - Improve debug logging in ProtectedLog
                                [ECA-1369] - Add command to cli to sign specified nodeGUID
                                [ECA-1384] - Property in mail.properties for sending start TLS
                                [ECA-1385] - PKCS11HSMKeyTool test does not work with ECC keys
                                [ECA-1426] - Rename keystore password to authentication code in admin GUI to make it consistent.
                                [ECA-1427] - remove ocsp client
                                [ECA-1433] - Add option to use publisher queue or not for CRLs and certificates

                                [ECA-1359] - Upgrade commons-upload jar.
                                [ECA-1399] - Add debug logging of keys and signature when testing CA token keys
                                [ECA-1425] - Document MS application policies extension

                                [ECA-1361] - Wrong default value listed for "build.compiler" property in "ejbca.properties.sample"
                                [ECA-1363] - CA de-activation can give NPE if CA in some conditions
                                [ECA-1368] - Setting nodeIP in protectedlog.properties does not work
                                [ECA-1371] - Revocation is very slow if a user have many certificates. Remove side-effect of revoking user from revokeCert method.
                                [ECA-1373] - ejbca.sh log accept or log does not increase the counter
                                [ECA-1379] - ejbcaClientToolBox.bat only accepts 9 parameters
                                [ECA-1392] - Fix potential NPE with extendedInformation
                                [ECA-1393] - Handle database exceptions properly for CMP
                                [ECA-1394] - Error adding end entity does not log username
                                [ECA-1395] - Error using IAIK provider with several CAs
                                [ECA-1403] - cert-cvc: bad encoding of EC points in certificates in rare cases where affineX and affineY is not same size.
                                [ECA-1404] - ClientToolBox PKCS11 key test gives NullPointerException if there are symmetrci keys in the slot
                                [ECA-1406] - Autoactivation PIN is showed in clear in debug log file
                                [ECA-1410] - Ldap publisher may "hang" if LDAP server hangs during operations
                                [ECA-1414] - FNR from UNID not working
                                [ECA-1415] - Strange errors when reading keys in external OCSP responder
                                [ECA-1416] - FNR lookup stress test
                                [ECA-1419] - CRL service may stop running if database is stopped for some period
                                [ECA-1420] - Check of ProbeableErrorHandler for OCSP audit/transaction log always return false
                                [ECA-1421] - AdminCA1 does not get a CMS certificate during installation
                                [ECA-1423] - cert-cvc: getting expiration date returns 00.00 hours but it means it's valid the whole day
                                [ECA-1430] - Publish CRLs may fail to keep in publisher queue if publish fails
                                [ECA-1431] - ejbcaClientToolBox.bat does not work
                                [ECA-1434] - cert-cvc: OIDField.getEncoded() works only for values < 128
                                [ECA-1437] - Issuing Distribution Point on CRLs is default in CA configuration

                                EJBCA 3.9.1

                                New Feature
                                [ECA-1275] - Corporate User Requests User Cert
                                [ECA-1276] - Non-corporate User Requests Cert
                                [ECA-1277] - User (corporate or non corporate user) Requests Certificate Renewal
                                [ECA-1287] - Configurable List of extKeyUsage OIDs in certificate profiles
                                [ECA-1299] - Transacion log for web service certificate issuance
                                [ECA-1309] - Ability to specify approvals on certificate profiles
                                [ECA-1334] - Run single JUnit test from CLI
                                [ECA-1337] - Removal of SoftCA key and possibility to import it back again
                                [ECA-1344] - Fixed absolute date for latest certificate expire
                                [ECA-1347] - Ability to set max-age and next update values on a per certificate profile basis.

                                [ECA-1354] - ExtRA: update BC jars to match version in EJCBA 3.9.1

                                [ECA-967] - Add CVC WS CLI to client toolbox
                                [ECA-1073] - Possible to schedule CRLs more often than hourly
                                [ECA-1180] - Be able to specify Any CA in end entity profiles
                                [ECA-1270] - create support for clover coverage testing
                                [ECA-1298] - Dynamic update of max-age and nextUpdate for OCSP responders
                                [ECA-1302] - Optimize republishing performance to use less queries during publish
                                [ECA-1307] - do not create new P11 provider when reloading
                                [ECA-1308] - Display the key instead of "not text available" for missing language strings
                                [ECA-1310] - View end entity profile id in edit window
                                [ECA-1315] - Allow null debug object to disable debugging in RequestHelper
                                [ECA-1320] - Options which CA to generate CRLs for in CRL update service
                                [ECA-1324] - Bad error message in adduser cli when type is not a number
                                [ECA-1331] - Improve error message in GUI when HSM activation fails
                                [ECA-1335] - Support for CRL distribution points with URI:s containing semicolon
                                [ECA-1338] - Remove passwords from properties files
                                [ECA-1341] - Change publishing message to say that it is "queued" instead of "published"
                                [ECA-1342] - Improved error message when trying to create CA with incompatible key/signing algorithm
                                [ECA-1343] - CA certificate validity in years
                                [ECA-1345] - More userfriendly error messages instead of only stacktrace for instance when DB connection is down

                                [ECA-1295] - Error making advanced log search for CA on DB2
                                [ECA-1300] - Nullpointer exception editing end entity profiles when printer has no name
                                [ECA-1303] - Runtime exception when uplaoding a certificate response and no certificate chain exists
                                [ECA-1304] - ca listexpired cli command prints certificaste serialnumber in decimal instead of hex
                                [ECA-1305] - Serching for end entities by certificate serial no does not find all if DN changed
                                [ECA-1306] - external OCSP responder healt check not checking keys.
                                [ECA-1313] - Error creating CRL publisher on DB2
                                [ECA-1314] - Key could be used at same time as the rekeying is generating new cert.
                                [ECA-1322] - Mixing EJBs and PreparedStatement gives NullpointerException in Glassfish
                                [ECA-1323] - Import of entity profiles removes certificate profile links from the profile
                                [ECA-1325] - Log Configuration : message keys missing
                                [ECA-1340] - ejbca.cmd requires additional libraries in classpath
                                [ECA-1355] - Revoke user does not work if a certificate is already revoked
                                [ECA-1356] - JPA entity CertificateData does not set certificateProfileId when adding new certificate
                                [ECA-1357] - create CA with initial deltaCRL does not work on glassfish
                                [ECA-1358] - getCertSignatureAlgorithmAsString does not work for SHA256WithECDSA on java 5

                                EJBCA 3.9.0

                                New Feature
                                [ECA-648] - Add a configurable revocation status to end entity profiles
                                [ECA-877] - Patch level showing
                                [ECA-987] - Add cli command for processing certificate requests in ejbca.sh
                                [ECA-1054] - User Certificate Validity Start/End Time as a editUser Web Service parameter
                                [ECA-1076] - CMP stress test
                                [ECA-1093] - Support for static custom enroll forms
                                [ECA-1100] - CAs using DSA algorithm
                                [ECA-1172] - Validity override in certificate profiles should be able to override startdate to set earlier start than "now"
                                [ECA-1188] - Permit to install on JBOSS with Tomcat Native Connector
                                [ECA-1202] - Implement extension override for PKCS#10 requests
                                [ECA-1203] - Allow DN override from requests
                                [ECA-1207] - Option in OCSP publisher to only use queue and not publish directly
                                [ECA-1213] - Display length of publisher queue in external OCSP GUI
                                [ECA-1218] - Stand-alone monitoring tool for comparing CA and OCSP databases
                                [ECA-1219] - Add CA status overview portal on first page of admin GUI
                                [ECA-1220] - Show certificate profile id in admin GUI
                                [ECA-1222] - Show CA id in Admin GUI
                                [ECA-1242] - Configurable to show CA status on front page
                                [ECA-1263] - Add new WS stress-test to test behaviour when there are many certificates per user

                                [ECA-550] - Bad error message when receiving PEM files from external CA
                                [ECA-603] - Add a property to specify the module to use when using nCipher HSM
                                [ECA-857] - Improve error message "Error occured when receiving file, are you sure it is valid and in PEM encoding."
                                [ECA-878] - Start up welcome page(s) admin and normal one
                                [ECA-965] - Hide CRL-related fields when creating a CVC CA
                                [ECA-988] - Document database privileges
                                [ECA-1003] - EJBCA CLI requires APPSRV_HOME
                                [ECA-1008] - A CA could be activated with any password (PIN) after it has been deactivated
                                [ECA-1011] - Output time of successful ant commands often used in development
                                [ECA-1041] - Errormessage "User xxxx has status '40', NEW, FAILED or INPROCESS required" could be improved
                                [ECA-1067] - JavaScript "Enabled" test
                                [ECA-1074] - Add Name DN attribute to supported attributes
                                [ECA-1094] - CN for httpsserver.dn property can be inherited from httpsserver.hostname
                                [ECA-1101] - ExtRA: Make RA CA service as an EJBCA service and make clusterable and support multiple RAs
                                [ECA-1129] - use same functionality in the OCSP respnder as in the CA to handle P11 HSMs
                                [ECA-1131] - Filter what is published to CertificateData on standalone OCSP
                                [ECA-1139] - Use Commons Configuration for OCSP config
                                [ECA-1163] - Save/cancel certificate profiles should bring you back to profiles list
                                [ECA-1165] - required and modifyable checkboxes for username in entity profiles not needed
                                [ECA-1166] - Rename mozilla/netscape to firefox
                                [ECA-1167] - activatecas cli command should be able to prompt for activation code
                                [ECA-1168] - Don't display the password user types in import CA command.
                                [ECA-1170] - Display signature algorithm with providers text in view certiifcate
                                [ECA-1175] - Improve default DB2 CMP mapping
                                [ECA-1176] - Add cvcwscli.cmd for windows
                                [ECA-1178] - Add issuerDN to edit CA page
                                [ECA-1179] - Possible to specify multiple parameters in cmp.ra.namegenerationparameters
                                [ECA-1180] - Be able to specify Any CA in end entity profiles
                                [ECA-1196] - Change ERROR to INFO message for mail notifications
                                [ECA-1198] - Implement robust re-publishing if publishing fails
                                [ECA-1199] - Don't log error for missconfigured service that is not active
                                [ECA-1200] - GUI for the External OCSP Publisher
                                [ECA-1208] - Log4jLogDevice logs INFO exceptions as ERROR
                                [ECA-1209] - Upgrade certificateProfileId to new server profile during 'ant upgrade' to avoid problems on SSL certificate renewal.
                                [ECA-1215] - Don't set start and end time for end entity if not entered
                                [ECA-1221] - Ugly error message in LDAP publisher if no certificate to remove exists
                                [ECA-1231] - Optimize performace of getCertificateInfo
                                [ECA-1233] - Prevent accidental runs of JUnit tests and deploy/ocsp-deploy in production environment
                                [ECA-1235] - No point in swapping identical times
                                [ECA-1240] - Remove error log for cases where CVC sequence is not numerical, we handle it gracefully.
                                [ECA-1249] - ClientToolBox PKCS11 operations echoes the password back to the user
                                [ECA-1255] - AdminGroupData etc should be marked as read-only for get methods
                                [ECA-1256] - Optimize authorization to lower number of SQL queries for AuthorizationTreeUpdateData
                                [ECA-1259] - Rename List button to Search
                                [ECA-1260] - Rename "Create Server Certificate" to "Create Certificate from CSR"
                                [ECA-1261] - improve behaviour of External CAs
                                [ECA-1265] - Error messages that we handle when editing users should be info
                                [ECA-1267] - Inherit getCATokenStatus() from BaseCAToken on SafeNetLunaCAToken
                                [ECA-1269] - Improve performance by caching common database queries
                                [ECA-1271] - ca init cli commands should be able to create sub CAs
                                [ECA-1290] - Don't log error creating CRLs when a CA is offline
                                [ECA-1291] - CRL service should not try to create CRLs for external CAs

                                [ECA-1116] - Avoid usage of class strings
                                [ECA-1173] - Drop upgrade support for EJBCA 3.1.x
                                [ECA-1195] - Upgrade to BC 1.43
                                [ECA-1205] - Create new tag-field for CertificateData to be able to distinguish between different certificate types in database queries
                                [ECA-1214] - Ask for algorithm before key size in installation script
                                [ECA-1247] - Add KCA-EJBCA migration guide to docs
                                [ECA-1297] - Warnings about incorrect JSF navigation rules during startup

                                [ECA-632] - Path length constraints not selectable in cert profile
                                [ECA-922] - DBCHANGE: Particular Log query with ProtectedLog fails on Derby
                                [ECA-1077] - Not possible to get algorithm name from OID for CMP with latest BC
                                [ECA-1085] - Email notifications may not treat foreign characters correct
                                [ECA-1109] - Rare threading issues in OCSP certificate cache
                                [ECA-1110] - XKMS only works with JDK 1.5
                                [ECA-1122] - Cancel button on Edit Certificate Profiles page doesn't work.
                                [ECA-1135] - Do not issue CRLs for expired CAs
                                [ECA-1137] - Serialnumbers starting with 0 do not behave properly
                                [ECA-1138] - nCipherHSM script with preload is broken
                                [ECA-1142] - First delta CRL is not issued when a CA is created
                                [ECA-1147] - NullpointerException in ProtectedLog
                                [ECA-1156] - OCSP ClientToolBox test failing when CA key is signing the OCSP response.
                                [ECA-1157] - NullPointerException when invoking createcrl CLI with bad CA name
                                [ECA-1160] - When a fast HSM is used then OCSP responder is not as fast as it should be.
                                [ECA-1162] - external OCSP responder freezing after HSM failure.
                                [ECA-1164] - Hex serial number for admin certificates in admin groups should not be limited to only 16 char hex strings
                                [ECA-1169] - Error verifying JCE using pkcs12req WS cli
                                [ECA-1171] - Possible to change OCSP signing keys in a running external OCSP responder.
                                [ECA-1174] - Can not batch generate users using SHA256WithRSAAndMGF1
                                [ECA-1186] - Batch generation set user status to generated even if request counter exists
                                [ECA-1187] - no such provider BC when EJBCA starts when protected log is enabled
                                [ECA-1191] - Unable to deploy on PostgreSQL + Glassfish combination
                                [ECA-1193] - cli.xml ejbca:noprompt missing ca.signaturealgorithm property
                                [ECA-1194] - "ejbca.sh ca info" fails for ECDSA CA
                                [ECA-1201] - Incorrect display of HTML escaped characters on Access Rules comboboxes
                                [ECA-1216] - Add userPassword in LDAP should only happen if addNonExisting or modifyExisting is checked
                                [ECA-1217] - Possible extensive CPU usage for crafted messages to CMP RA service (not default config)
                                [ECA-1223] - NullpointerException in CMP when unknown keyId is sent
                                [ECA-1224] - CertTools.getCertfromByteArray never throws CertificateException as the JavaDoc says but can return null
                                [ECA-1225] - Freshest CRL extension (aka Delta CRL Distribution Point) on a CRL must not be critical
                                [ECA-1227] - AccessRules link for admin privileges does not work on weblogic or oracle
                                [ECA-1229] - Internalresources may fail in rare contidtions
                                [ECA-1234] - Error message is shown when editing end entity profiles when no printers are defined
                                [ECA-1245] - CRL reason entry extensions in CMP revocation requests are not read
                                [ECA-1246] - Deadlock when load testing CMP with same user
                                [ECA-1248] - Cannot unselect last Custom Certificate Extension in Certificate Profile
                                [ECA-1254] - ProtectedLog reloading CA token unnessecarily
                                [ECA-1257] - Importing wrong certificate using PKCS11 will make the key unavailable on nCipher netHSM
                                [ECA-1258] - cursor:hand style on links should be cursor:pointer
                                [ECA-1266] - Upgrade may cause "use authority information access" to be enabled though it was not before in certificate profile
                                [ECA-1268] - Missing Exception handling for super.deactivate() calls on SafeNetLunaCAToken
                                [ECA-1272] - Authorization issue during stress test
                                [ECA-1273] - Services will stop running if database goes down
                                [ECA-1293] - ProtectedLog on idling system warns about missing log rows if protectionIntensity > 0
                                [ECA-1294] - Issuing certificate with + sign does not work in cmp requests
                                [ECA-1295] - Error making advanced log search for CA on DB2
                                [ECA-1296] - Fetching cert or keystore from Public Web generates an error when cert-profile is the default in UserData

                                EJBCA 3.8.3

                                [ECA-1221] - Ugly error message in LDAP publisher if no certificate to remove exists

                                [ECA-1191] - Unable to deploy on PostgreSQL + Glassfish combination
                                [ECA-1217] - Possible extensive CPU usage for crafted messages to CMP RA service (not default config)

                                EJBCA 3.8.2

                                New Feature
                                [ECA-552] - Add support for nextUpdate, thisUpdate and producedAt in OCSP responses
                                [ECA-1124] - Configurable to use HTTP headers for standalone OCSP
                                [ECA-1053] - Pseudonym as a subject DN attribute
                                [ECA-1133] - Configurable in ExternalOCSPPublisher to only publish certificates with and OCSP URI extension.

                                [ECA-1123] - Create dummy object for TransactionLogger and AuditLogger
                                [ECA-1088] - Default public exponent for lunaHSM.sh should be 65537 (0x1001)
                                [ECA-1055] - Support OCSP by HTTP GET
                                [ECA-1117] - Use info instead of error messages in Standalone OCSP Responder.
                                [ECA-1144] - Add "userPassword" attribute in LDAP publisher
                                [ECA-1114] - Add street DN component
                                [ECA-1096] - Improve handling of invalid requests and streams in OCSP responder
                                [ECA-1146] - Stress Test does not print out no of failed tests
                                [ECA-748] - Order certificates in view certificates with newest first
                                [ECA-1121] - Unnecessary signing operations
                                [ECA-1158] - CA-certificate, but no signing key from a CA on the external OCSP generates an Exception
                                [ECA-1141] - CRL Distribution Point in CRLs must be encapsulated into an Issuing Distribution Point
                                [ECA-1092] - Code not thread-safe in certificate-request Servlet
                                [ECA-1154] - Concurrency issue when reloading soft keys for external OCSP responder
                                [ECA-1113] - JCE error on JBoss 5 on some platforms
                                [ECA-1148] - ServiceData cached in bean making synchronization between cluster nodes fail.
                                [ECA-1090] - Wrong encoding of issuer DN on retrieval public web pages
                                [ECA-1150] - Wrong language tag for "Certificate Validity End Time" in viewendentity.jsp
                                [ECA-1095] - Allow comma in directoryName subject alt names
                                [ECA-1145] - CvcRequestMessage not serializable
                                [ECA-1143] - Freshest CRL is lost when creating a new CA

                                EJBCA 3.8.1

                                [ECA-966] - NPE when using a non-existing ECC algorithm during CVC CA creation
                                [ECA-983] - Allow logging of REPLY_TIME in both audit and transaction logs
                                [ECA-1006] - Database index script fails for MySQL using UTF-8
                                [ECA-1057] - Run EJBCA in JBoss 5.0
                                [ECA-1059] - Fix ipv6 altname ipaddress and allow it in admin-GUI
                                [ECA-1060] - Throw CertificateExpiredException when certificate used to verify cvc request has expired
                                [ECA-1070] - Windows .BAT file for using clientToolBox
                                [ECA-1080] - Option to set internally used password in CMP
                                [ECA-1081] - Improve support for Weblogic 10.3
                                [ECA-1086] - Allow to set null password in WS cli editUser call
                                [ECA-1087] - Increase timeout for CRL generation transaction on JBoss and document how it could be done

                                [ECA-984] - ejbca.cmd does not work with spaces in JBoss path
                                [ECA-1039] - CVC certificate requests with error leaves user status as new
                                [ECA-1040] - cvcgetchain does not return latest cert
                                [ECA-1056] - REQUIREDCARDNUMBER language string missing
                                [ECA-1061] - Wrong header displayed for different groups of access rules
                                [ECA-1062] - Verifying OCSP requests can throw InvalidKeyException which is not caught
                                [ECA-1063] - Not working on Glassfish
                                [ECA-1068] - CMP tcp service does not work on JBoss 5
                                [ECA-1069] - Wrong errormessage in checkValidity when endDate is wrong
                                [ECA-1071] - OCSP responder does not handle TelephoneNumber, PostalAddress and PostalCode in DN
                                [ECA-1079] - KeyId decoding in CMP uses platform charset
                                [ECA-1084] - External RA: SCEP enrollment from Cisco IOS gets wrong DN

                                EJBCA 3.8.0

                                New Feature
                                [ECA-904] - Add a CLI subcommand to add an administrator in an admin group using the serial number
                                [ECA-935] - Restructure administrator validation to allow admins using externally issued certificates
                                [ECA-953] - List objects in Luna HSM partition
                                [ECA-969] - Possible to generate CA PKCS#10 request without giving CA certificate
                                [ECA-993] - Add KRB5PrincipalName subjectAltName
                                [ECA-1000] - Sign releases and deployed code
                                [ECA-1007] - Enhanced basic certificate extensions
                                [ECA-1033] - Possible to enroll for CV certificates on public web
                                [ECA-1051] - Possibility give a user defined DN to a new certificate request for an HSM

                                [ECA-917] - Allow to use inverse LDAP order in DN for end entities
                                [ECA-918] - Handle web service error code when CA is down
                                [ECA-936] - Drop administrator flag in end entities
                                [ECA-937] - Allow use of emailAddress in Admin interface
                                [ECA-963] - Ability to distinguish between non-existing CA and authorization problems through WS
                                [ECA-990] - Allow auto-activation of CAs dispite not having strong crypto policy installed
                                [ECA-1001] - tool to change key alias
                                [ECA-1012] - Option to enter email manually for import cert cli command
                                [ECA-1014] - Display ejbca version in startup log message
                                [ECA-1016] - Make error messages from CertReqServlet localizeable
                                [ECA-1034] - Use TRACE logging for certain debug log
                                [ECA-1038] - Use Commons Configuration for CMP service
                                [ECA-1043] - Upload of binary certificate requests in public web enrol
                                [ECA-1045] - Add support for SEIS Card Number extension in certificates
                                [ECA-1049] - CMP raVerified can sometimes by zero bytes DEROctetString instead of DERNUll

                                [ECA-971] - ExtRA: upgrade to commons-lang 2.4 and commons-collections 3.2
                                [ECA-1013] - Upgrade BC to 1.41

                                [ECA-664] - Adding Administrator Access rule; username with not-allowed character is possible
                                [ECA-782] - Listing user certificates from the public web fails if the serial number of the cert begins with "0"
                                [ECA-882] - Add Administrator - cert serial number not checked
                                [ECA-968] - Key length changes when editing CA in admin-GUI
                                [ECA-970] - LdapPublisher searches for old objects on certDN instead of Ldap DN
                                [ECA-972] - Merge on DN - Problems with rfc822name and email
                                [ECA-992] - Cannot add "OtherName" SubjectAltName in end entity profile
                                [ECA-996] - Merge of DN doesn't work properly
                                [ECA-1046] - view certificate on Public web gives error for CVC certificates
                                [ECA-1048] - Can not install with initial CA with space in name

                                EJBCA 3.7.5

                                New Feature
                                [ECA-1035] - Add Brazilian Portuguese Translation

                                [ECA-983] - Allow logging of REPLY_TIME in both audit and transaction logs
                                [ECA-1031] - Get server certificate in public web shoud not show password
                                [ECA-1032] - Add cli command to convert cvc certificates between binary and pem
                                [ECA-1036] - Hide keytool-errors during install.
                                [ECA-1060] - Throw CertificateExpiredException when certificate used to verify cvc request has expired

                                [ECA-244] - Problem during installation with schema: DC=bigcorp,DC=com
                                [ECA-1037] - CLI for fetching user certificate fails
                                [ECA-1039] - CVC certificate requests with error leaves user status as new
                                [ECA-1040] - cvcgetchain does not return latest cert
                                [ECA-1042] - LdapPublisher does not work with CVC certificates
                                [ECA-1044] - Nullpointer in BasicFunctions when admin not authorized to CA
                                [ECA-1046] - view certificate on Public web gives error for CVC certificates
                                [ECA-1065] - Password needed to update CVC certificate with WS-API
                                [ECA-1069] - Wrong errormessage in checkValidity when endDate is wrong

                                EJBCA 3.7.4

                                New Feature
                                [ECA-1024] - Substitute email from- and to- as well in user notifications

                                [ECA-1021] - Fix the default ENDUSER Certificate Profile
                                [ECA-1026] - Create a built-in Server certificate profile

                                [ECA-1023] - External RA SCEP service fails on cisco message with wrongly encoded request extension
                                [ECA-1025] - Missing ErrorCode class in ejbca-util.jar
                                [ECA-1027] - OCSP should not respond with responseBytes when an error code is sent
                                [ECA-1029] - OCSP responder should answer with OCSP error MalformedRequest when a badly encoded request is received

                                EJBCA 3.7.3

                                New Feature
                                [ECA-1022] - Glassfish support for PostgreSQL

                                [ECA-1020] - External RA, clarify documentation about signing and encrypting using Scep RA
                                [ECA-1021] - Fix the default ENDUSER Certificate Profile (broken patch, EJBCA 3.7.3 withdrawn)

                                [ECA-1017] - Build on Glassfish broken
                                [ECA-1018] - Missing language string in intresources

                                EJBCA 3.7.2

                                New Feature
                                [ECA-974] - Add Intel AMT extended key usage
                                [ECA-1005] - Give OCSP error if audit or transaction logging fails

                                [ECA-950] - Optimize OCSP servlet
                                [ECA-973] - external OCSP responder: trying to reload the p11 provider when the HSM removed/disconnected.
                                [ECA-976] - WS-API, make mathtype contains with with matchwith username
                                [ECA-982] - Explicitly close maintenance file in health check
                                [ECA-989] - add cmd=deltacrl command on CertDistServlet (with patch)

                                [ECA-957] - ocspclient.jar cannot handle answers with responderID of type Name.
                                [ECA-959] - Public web can give NPE in rare conditions
                                [ECA-960] - reference to "bin/ejbca.sh ca processreq" in manual
                                [ECA-968] - Key length changes when editing CA in admin-GUI
                                [ECA-970] - LdapPublisher searches for old objects on certDN instead of Ldap DN
                                [ECA-975] - CA certificates with SerialNumber in DN does not work with External OCSP
                                [ECA-977] - Error editing RenewCAWorker if CA has been removed
                                [ECA-978] - NullPointerException using WS-API to revoke non-existing certificate
                                [ECA-979] - The transactionlogger and auditlogger set incorrect CERT_STATUS and STATUS
                                [ECA-985] - Wrong default value for OCSP helathcheck database query
                                [ECA-986] - Can't run ejbca.sh from $EJBCA_HOME/bin
                                [ECA-995] - getAuthorityInformationAccessOcspUrl in CertTools fails to retrieve OCSP Locator url from AIA for cert with mutliple AIA points
                                [ECA-997] - Error publishing deltaCRL to LDAP
                                [ECA-999] - CRLIssuer can not be removed in CDP
                                [ECA-1009] - Validity of certificates in signed OCSP requests not checked for expiration

                                EJBCA 3.7.1


                                New Feature
                                [ECA-896] - CVC support for EC keys
                                [ECA-925] - Import of external CA certificates
                                [ECA-940] - possibility to use an EC key stored on a HSM

                                [ECA-748] - Order certificates in view certificates with newest first
                                [ECA-927] - CVC requests should not include CARef if null
                                [ECA-928] - cvcprint cli command should handle verification of authenticated requests
                                [ECA-934] - Possible to authenticate CVC request by outer CA signature
                                [ECA-941] - Possible to download CA certrequests and certs as binary
                                [ECA-942] - possible to receive certiifcate requests and certs in binary format
                                [ECA-946] - Not possible to create CVC link certificates with soft CA tokens
                                [ECA-947] - Making certificate request from a CA should ask for CA cert of target CA
                                [ECA-948] - cvcrequest cli command should not automatically add end entities
                                [ECA-951] - Possible to set sequence of catoken manually

                                [ECA-926] - CVC requests can be assigned to wrong CA when sequence is same
                                [ECA-930] - cert-cvc: authenticated requests does not include CARef in TBS
                                [ECA-931] - getrootcert cli command does not work for CVC certificates
                                [ECA-932] - CVC requests from SubCAs does not have the target CA as CARef
                                [ECA-939] - Upgrade 3.6 to 3.7 cases error when autogenerated password are used
                                [ECA-943] - NullPointer when clicking Sign Certificate Request
                                [ECA-944] - Import soft CVCA does not set sequence
                                [ECA-945] - Not possible to delete admin entities with ' in name
                                [ECA-949] - Make certificate request button should not be available for external CAs
                                [ECA-956] - NullPointerException in LdapPublisher when base node does not exist

                                EJBCA 3.7.0

                                New Feature
                                [ECA-792] - Support for CV Certificates (CVC) for EU EAC ePassports
                                [ECA-811] - Possible to create certificate request from any CA
                                [ECA-825] - WS-API call to get users last cert and chain
                                [ECA-827] - Service to renew CAs
                                [ECA-830] - Possible to use IAIK PKCS#11 provider instead of Sun
                                [ECA-920] - Client tool box.

                                [ECA-819] - New WS-API call to get EJBCA version
                                [ECA-871] - Enhance error management in EJBCA web services.
                                [ECA-893] - Able to use TelephoneNumber and PostalAddress in DN and publish to LDAP attributes
                                [ECA-915] - Display hostname on admin-GUI
                                [ECA-923] - Use of EEP informations when using WS editUser.
                                [ECA-929] - Handle error code if certificate revocation has been invoked twice.

                                [ECA-813] - Upgraded profiles not saved until edited
                                [ECA-829] - Advanced mode for log viewer is not working
                                [ECA-832] - syscheck script sc_08_crl_from_web.sh shell problem
                                [ECA-839] - Problem activating CA tokens for expired CAs
                                [ECA-879] - Failure to create a new CA due to CRL creation failure
                                [ECA-921] - EjbcaHealthCheck does not work on OC4J
                                [ECA-924] - Language variable misspelled (name="UTF8")

                                EJBCA 3.6.4

                                [ECA-921] - EjbcaHealthCheck does not work on OC4J

                                EJBCA 3.6.3

                                [ECA-952] - Entity Profile : the text "Use entity e-mail field" is not localizable
                                [ECA-954] - TestProtectedLog fails if ProtectedLogDevice is not enabled in configuration
                                [ECA-955] - PKCS11 support problem on OCSP responder
                                [ECA-957] - ocspclient.jar cannot handle answers with responderID of type Name.
                                [ECA-968] - Key length changes when editing CA in admin-GUI
                                [ECA-970] - LdapPublisher searches for old objects on certDN instead of Ldap DN

                                EJBCA 3.6.2

                                New Feature
                                [ECA-348] - Option to generate non-exportable private keys in IE
                                [ECA-739] - Accounting log on OCSP responder
                                [ECA-740] - When requiring signed OCSP request, configure allowed issuers
                                [ECA-865] - Add tool for importing certificates from a MS CA
                                [ECA-876] - Generated documentation should be reachable from within the EJBCA Web GUI
                                [ECA-908] - Support MS document signing extended key usage
                                [ECA-914] - Configure if OCSP responses should use KeyId or Name as ResponderId

                                [ECA-390] - Make it possible to select password generation parameters for autogenerated user password
                                [ECA-547] - Send custom certificate publisher information found in certificate or CRL.
                                [ECA-640] - Popup window with valid ${Foo} variables near any field in which they can be used
                                [ECA-657] - Import and export of end entity profiles should not have to depend on existing CAs.
                                [ECA-696] - Import profiles improvement.
                                [ECA-760] - Relocate 'p12' to 'ejbca-custom' if/when present (by default)
                                [ECA-765] - Log whenever an attempt to activate a CA with the wrong activation code is made
                                [ECA-789] - Display issuer in listcas cli command
                                [ECA-790] - ejbcarawscli should print error message if it can not find the admin keystore
                                [ECA-795] - Notifications are not editable, but looks editable.
                                [ECA-810] - Make advanced search for ProtectedLog available
                                [ECA-822] - Default healthcheck db query causes table scan
                                [ECA-826] - EjbcaWsHelper makes double allocations when looking up remote beans
                                [ECA-833] - Simple LDAPPublisher failover
                                [ECA-854] - Remove confusing error message about not finding ejbca-custom directory when running ant
                                [ECA-859] - Delta CRL generation message
                                [ECA-870] - Accept PEM certificates with BEGIN TRUSTED CERTIFICATE
                                [ECA-872] - Improve public page for CA certificate retrieval
                                [ECA-874] - General JUint test improvements
                                [ECA-880] - Better defaults and help for Freshest CRL Extension / DeltaCRLs
                                [ECA-881] - Be able to drop the 0, O, l and 1 from the auto generated passwords
                                [ECA-884] - Add approvalDN variables to add/edit end entity notifications
                                [ECA-885] - Add email variables where possible for use in notifications
                                [ECA-887] - Document how validity is assigned for a CA
                                [ECA-913] - Configure if OCSP responses should include whoe cert chain or only signer

                                [ECA-702] - JDK 1.6 u4 causes EjbcaWS to stop working
                                [ECA-796] - Add documentation on how to use EJBCA with GemSAFE Toolbox
                                [ECA-805] - Update German translation

                                [ECA-496] - When using a fixed Certificate Profile as template, the FIXED property is inherited.
                                [ECA-682] - WS Cli error message is not good when it cannot find the .jks file
                                [ECA-770] - Protected Log Device always sends 'missing row' email alerts when it shouldn't with MySQL using InnoDB
                                [ECA-783] - During the last step if IE enroll, the URL-path is missing the "ejbca"-part.
                                [ECA-788] - Bull TrustWay support
                                [ECA-793] - Using of module protected keys with netHSM-500 failed
                                [ECA-797] - Cannot activate a CA with a Safenet Luna SA Token.
                                [ECA-798] - A card key or a soft key must be defined in order to run the P11 external OCSP responder.
                                [ECA-802] - Exception when approving KeyRecovery
                                [ECA-803] - PKCS10 requests from OCSP responder uses null attributes
                                [ECA-806] - Equal error code contants in OCSPUnidResponse
                                [ECA-809] - ocsp cli client can not sign requests
                                [ECA-812] - EJBCA 3.6 does not deploy on Glassfish
                                [ECA-815] - NullpointerException downloading CA certificated without CN
                                [ECA-817] - Possible NullpointerException when no extended information exists for user
                                [ECA-820] - Signing CMP responses does not work with most PKCS#11 HSMs
                                [ECA-823] - Deadlock in ProtectedLogData with stresstest
                                [ECA-824] - CA activation page does not display correct for Expired CAs
                                [ECA-831] - High load on ProtectedLog might generate false alarm on MySQL
                                [ECA-836] - Email notifications are not able to handle autogenerated passwords.
                                [ECA-837] - PKCS10 with no attributes causes NullPointer exception
                                [ECA-841] - ExtRA PKCS12 request does not work with approvals
                                [ECA-843] - Some words not localizables in CA Activation
                                [ECA-850] - CN name like 'Graham O'Regan' cannot be entered case sensitive in the 'Add Administrator'
                                [ECA-851] - No messages are created during CA Activation
                                [ECA-861] - Misdirected error output from "ra listusers" CLI to standard output
                                [ECA-866] - Import of externally chained PEM failes
                                [ECA-875] - Trying to reset Subject AltName or Email for a end entity fails
                                [ECA-888] - Profiles allow you to enter things like 'Peter & Partners' in the O and OU field - but a 'Add Entity' will fail
                                [ECA-889] - NPE when running TestEjbcaWS
                                [ECA-895] - Batch generation doesn't work on initial user creation (WebUI / profiles)
                                [ECA-898] - Incorrect initialization of NumberArray in EndEntityProfile causes annoying log output
                                [ECA-901] - email modified in LDAP even if attributes should not be modified
                                [ECA-902] - LdapSearchPublisher can not modify attributes
                                [ECA-903] - LdapSearchPublisher uses Ldap DN instead of Cert DN to search
                                [ECA-905] - java.lang.NullPointerException when creating new end entity with only end time, with end entity profile limitations enabled
                                [ECA-909] - OCSP responder not working on Weblogic
                                [ECA-911] - OCSP not responding for CAs that have been notified about expiration
                                [ECA-912] - NPE on Glassfish on error.jsp in publiweb

                                EJBCA 3.6.1

                                [ECA-554] - nCipherHSM asks for password which is shown in plain text

                                [ECA-771] - Update french translation

                                [ECA-540] - Exception if you try to issue a certificate from public web with a CA that is offline
                                [ECA-779] - Cannot enroll with end entities created with CAs with approval setting active
                                [ECA-780] - Index collision in profilemappings.properties.

                                EJBCA 3.6.0

                                New Feature
                                [ECA-257] - Support for IBM Websphere
                                [ECA-515] - Autoenroll certificates for Microsoft systems.
                                [ECA-564] - Support for DB2 database
                                [ECA-595] - Issuance of delta CRL
                                [ECA-596] - Add Freshest CRL extension
                                [ECA-597] - Support for multiple policy statements
                                [ECA-598] - Add support for id-pkix-ocsp-nocheck extension
                                [ECA-619] - Ability to create intermediate LDAP nodes
                                [ECA-624] - New EJBCA WS calls for listing CAs and profiles
                                [ECA-633] - Log signing with real signature keys and row chaining
                                [ECA-635] - Request multiple certificates for a user
                                [ECA-649] - Service to expire user passwords
                                [ECA-651] - Support for Oracle application server
                                [ECA-661] - KeyRecoverNewest command in Ejbca WS API
                                [ECA-662] - Email notifications to admin when user enrols
                                [ECA-665] - Plug-in mechanism for user notification recipient email
                                [ECA-669] - ExtRA SCEP, possible to use pre-registered users and verify their passwords
                                [ECA-673] - Add support for id-ad-caIssuers (authority information access)
                                [ECA-679] - New EJBCA WS calls for CRL generation and CRMF requests
                                [ECA-684] - Allow setting and overriding any extension from a CRMF request
                                [ECA-697] - Support $UID as replacement variable in LdapSearchPublisher
                                [ECA-703] - Possible to use 32 bit serial numbers in cert, instead of 64 bit.
                                [ECA-721] - PKCS#11 HSM support on external OCSP responder
                                [ECA-723] - Option in OCSP to return good status for certificates not in database
                                [ECA-727] - Extended key usages for SCVP
                                [ECA-737] - Allow hexencoded DERObject in custom certificate extensions.
                                [ECA-747] - CLI command to change certificate profile of a CA
                                [ECA-759] - Add ETSI retention period to QC extension

                                [ECA-698] - Remove deprecated JBoss mbean create crl service
                                [ECA-706] - Create instructions for setting up an Apache web server as a proxy in front of EJBCA.

                                [ECA-477] - OCSP responder require that signed request are issued by a known CA
                                [ECA-478] - If a signed OCSP request is received, info-log which certificate the request was signed by
                                [ECA-485] - If requiring signed OCSP requests, the responder should return "signature required" for unsigned requests
                                [ECA-617] - External RA SCEP module only returns RA certificate in cert reply, not CA certificate
                                [ECA-637] - Possible to use email for search in Ldap Search Publisher
                                [ECA-645] - Make all default values visible when creating a CA and add a default CRL expiration interval.
                                [ECA-656] - Option to override KeyUsage with key usage from CMP request
                                [ECA-658] - CLI possible to get CRL in PEM format
                                [ECA-663] - Allow @ in username
                                [ECA-671] - Handle SCEP messages where client does not properly encode plus sign in HTTP GET url
                                [ECA-672] - SCEP pending message should have an empty content
                                [ECA-677] - Use CRL Distribution Point On CRL
                                [ECA-678] - Change default CA's LDAP object class to certificationAuthority-V2
                                [ECA-683] - Improve internal code for certificate extensions
                                [ECA-685] - Easy configuration if OCSP requires signature on requests
                                [ECA-689] - Display a "BUILD FAILED" message during the install phase if no superadmin.p12 is created.
                                [ECA-694] - EFS certificates support
                                [ECA-695] - Using PrimeCardHSM on install it does not have enough time to poll readers
                                [ECA-700] - Improve LdapPublisher with option to not update attributes
                                [ECA-704] - better P11 support for nCipher
                                [ECA-705] - Make UTF-8 default encoding for web
                                [ECA-707] - Extra: make configuration of scep ra easier
                                [ECA-708] - Generating module protected JCA keys for nCipher should be simplier.
                                [ECA-712] - Support creation of externally signed EC CAs and handling certificate requests signed by EC key.
                                [ECA-716] - Confirmation when reomving a CA
                                [ECA-720] - Publish attributes postalcode and businesscategory in LDAP
                                [ECA-725] - Improve translations
                                [ECA-726] - Remove obsoleted extended key usages for ipsec, add ipsecIKE
                                [ECA-731] - Increase maximum validity of SubCA profile to 25 years
                                [ECA-738] - Checks for max request size and no of reqs in an OCSP req
                                [ECA-741] - Update pt_PT translation
                                [ECA-752] - Make the description of a publisher readable from custom publisher implementations
                                [ECA-754] - For Oracle db change LONG to CLOB

                                [ECA-606] - ExtRA SCEP servlet should init directly at startup
                                [ECA-643] - Error with weblogic and 4096 bit CA
                                [ECA-652] - findbyApprovalIdNonExpired searches for expired instead of rejected
                                [ECA-670] - ExtRA SCEP, GetCACertChain return wrong content type
                                [ECA-674] - LdapSearchPublisher should not change other attributes
                                [ECA-680] - Derby database does not work with large 4096 bit CAs
                                [ECA-681] - Null Pointer Exception throught editUser when CANAME is invalid
                                [ECA-686] - Overflow causing archiving of non-expired certificates when CRLPeriod is very large
                                [ECA-690] - EJBCA uses sun internal java class
                                [ECA-692] - Removal of CA generates database exception under DB2
                                [ECA-699] - Generating browser certificate failed; user still in 'new' status
                                [ECA-701] - Sorting of approvals in Admin GUI does not work.
                                [ECA-709] - Errors in upgrade scripts for MS-SQL
                                [ECA-710] - bin/pkcs11HSM.cmd not working
                                [ECA-711] - EJBCA WS Cli does not handle number of arguments correctly
                                [ECA-713] - the keys can not be used in EJBCA for some HSMs
                                [ECA-717] - SCEP does not work with Luna SHM
                                [ECA-724] - CertificateExpirationNotifier service not working on Weblogic-Oracle
                                [ECA-728] - Lockdown of an enduser profile to fill out to just a CN only not possible
                                [ECA-729] - ArrayIndexOutOfBoundsException on Approval Page
                                [ECA-730] - SCEP to CA signed by some External CAs fail
                                [ECA-734] - Not working on Sybase
                                [ECA-742] - ant javatruststore does not work for CA names with space
                                [ECA-745] - EJB REF to "ejb/RaAdminSessionLocal" has wrong case in glassfish deployment file "ejbca_3_6_b1/src/publicweb/publicweb/WEB-INF/sun-web.xml"
                                [ECA-746] - Not possible to renew CA that does not use default keystore pwd or autoaactivation.
                                [ECA-758] - Under some conditions it's not possible to edit rfc822name altname field for user in admin-gui
                                [ECA-766] - Error saving CRL Service on Weblogic 10

                                EJBCA 3.5.12

                                [ECA-1111] - Optimize performance of findCerts WS call
                                [ECA-1112] - Create a new ant target similar to create-lot-of-users, but creates fewer users with many certs per user

                                [ECA-1091] - Serious bug in UserDataSource Authorization

                                EJBCA 3.5.11

                                [ECA-778] - change genTokenCertificates WS call behavior to not temporary revoke certificates for MS logon

                                [ECA-1052] - Error in EJBCAWS.genTokenCertificate temporary cards aren't revoked properly

                                EJBCA 3.5.10

                                [ECA-724] - CertificateExpirationNotifier service not working on Weblogic-Oracle

                                EJBCA 3.5.9

                                [ECA-891] - Avoid unnecessary database searches during HealthCheck

                                [ECA-886] - Upgrade fails to set internal state of CA expire time for externally signed CAs
                                [ECA-906] - EjbcaHealthCheck may use same session bean object for concurrent accesses
                                [ECA-968] - Key length changes when editing CA in admin-GUI

                                EJBCA 3.5.8

                                [ECA-845] - Attempt to revoke a certificate.user that is already revoked generates an error
                                [ECA-847] - Option to Health Check to perform sign test on CA token

                                EJBCA 3.5.7

                                [ECA-808] - Errors that should not be errors but info messages

                                [ECA-799] - Deadlock when running stress test that is revoking certificates
                                [ECA-800] - Importing certificate to CA with off-line token causes status to be wrong
                                [ECA-801] - CRL generation for CAs waiting for certificate response throws excepton
                                [ECA-807] - Error enrolling though SSL with client cert
                                [ECA-818] - NPE when issuing sparecard with cert without extended keyusage through HTMF

                                EJBCA 3.5.6

                                New Feature
                                [ECA-768] - Create mechanism for Health Check to report nodes as Down for maintenance
                                [ECA-769] - Activation Page. Create an easy access page for activating many CA's. The current function in the admin-GUI requires a lot of clicking to activate many CA's. Combine with one page access to configure monitoring of CA's

                                [ECA-756] - CRLUpdateWorkers may run in same vm in parallel if too slow
                                [ECA-773] - Add distingushable string to health check return to know which test failed
                                [ECA-774] - Make CRL generation be in one transaction for each CA
                                [ECA-775] - Introduce a random add-on to the service interval
                                [ECA-778] - change genTokenCertificates WS call behaivor to not temporary revoke ceritificates for MS logon
                                [ECA-784] - Improve lunahsm shell script

                                [ECA-743] - GenerateToken And ViewHardTokenData approvalIds was not calculated correctly
                                [ECA-744] - Wrong DN was used in non-admin generate spacecard pages.
                                [ECA-751] - DemoCertReqServlet gets reference to old template file
                                [ECA-753] - CMP only working with DEBUG log enabled
                                [ECA-755] - Listing log entries does not show the latest when limiting on too many rows
                                [ECA-763] - Listing end entities query displays wrong values
                                [ECA-764] - Under some circumstances two CRLs with the same CRLNumber is stored in the db
                                [ECA-772] - External OCSP publisher does not work on oracle DB
                                [ECA-777] - External OCSP health check not working

                                EJBCA 3.5.5

                                New Feature
                                [ECA-718] - Add Approval option for activation of CAToken

                                [ECA-719] - Add support for the fields PostalCode and BusinessCategory, now natively supported by BouncyCastle.

                                [ECA-736] - LDAPPublisher initialized the fakeCRL incorrectly

                                EJBCA 3.5.4

                                New Feature
                                [ECA-691] - A preference file that could specify custom attributes for keys generated by pkcs11HSM.sh

                                [ECA-693] - Potential Duplicate Key exception on old logging system when log-method is executed simultaneously.

                                EJBCA 3.5.3

                                New Feature
                                [ECA-676] - A stress test is needed to test EJBCA certificate signing performance when access though https

                                [ECA-666] - NullPointerException in LogEntryDataBean
                                [ECA-667] - pkcs11HSM.sh does not run
                                [ECA-675] - Generated keys on some P11 HSMs (AEP Keyper) can not be used for decryption.

                                EJBCA 3.5.2

                                New Feature
                                [ECA-530] - Debian package for EJBCA-MySQL
                                [ECA-599] - Add pt_PT l10n

                                [ECA-529] - Pass extra parameters to JBoss through nCipherJBoss.sh/cmd
                                [ECA-580] - Optimize CRL generation for large CRLs (>100.000 revoked)
                                [ECA-618] - External RA SCEP module should include ip and dns altNames from request
                                [ECA-623] - Possible to use an internal CA as external
                                [ECA-625] - Add the missing text label along with the message "Text not available"
                                [ECA-626] - ExtRA, possible to require SCEP password
                                [ECA-642] - In lunaHSM.sh warn i EJBCA_HOME is not set

                                [ECA-541] - Null pointer exception when you enter wrong values or forget to enter values in "Hard CA token properties".
                                [ECA-543] - It should be possible to run ejbca.sh from any directory in the file system.
                                [ECA-590] - unconsistent labels in publisher (:)
                                [ECA-605] - Wrong parameter name in ca republish
                                [ECA-608] - Luna HSM support broken
                                [ECA-609] - XKMS cli not working
                                [ECA-612] - Can not run Glassfish off-line
                                [ECA-614] - Ugly error when entering non hex encoded serial number in check status on public web
                                [ECA-615] - Java exception when editing an external CA
                                [ECA-616] - Can't fetch the certificate of external CA after signing it
                                [ECA-620] - PKCS10 requests to external CA can not be PrintableString encoded
                                [ECA-621] - Error creating a external OCSP-responder on JBoss 4.2.x
                                [ECA-627] - Large comments and CA Subject DNs generates SQL exceptions.
                                [ECA-629] - When you create a new soft CA and enter an "Authentication Code" you get null pointer exception.
                                [ECA-646] - ExtRA CA service throws exception when RAIssuer is signed by external CA

                                EJBCA 3.5.1

                                [ECA-593] - Tool for checking translation files for missing tags
                                [ECA-602] - Enable use of multiple CRL Distribution points by changing GUI length constraints

                                [ECA-592] - Update french language file

                                [ECA-445] - JBoss deadlock problems
                                [ECA-542] - Null pointer exception when you run "$EJBCA_HOME/bin/ejbca.sh ca republish -all"
                                [ECA-591] - Install does not work unless web.properties is defined
                                [ECA-594] - Certificate enrollment on card does not work using https only http
                                [ECA-600] - Removing certificates from LDAP does not work using LDAP search publisher and username match
                                [ECA-601] - checkCertificateStatus for certificates that doesn't exists in database throws a Nullpointer exception
                                [ECA-604] - Advanced Access Rules visual bug, End entity profiles rule haven't the id to name replaced correctly

                                EJBCA 3.5.0

                                New Feature
                                [ECA-81] - Editing validity per End Entity
                                [ECA-115] - Serial Number Check
                                [ECA-138] - HardToken PIN data should be encrypted in database
                                [ECA-249] - Possible to configure specific validity dates in certificate profiles
                                [ECA-398] - Support multiple email altnames in admin-GUI
                                [ECA-414] - Possibility to choose reverse DN for a CA
                                [ECA-419] - Improve CA softs security to use individual passwords
                                [ECA-470] - PKCS11 tokens for new CA and support for Utimaco CryptoServer (using pkcs11)
                                [ECA-472] - Custom Logging
                                [ECA-480] - Import Hard Token Data in CLI
                                [ECA-489] - New ant argument that outputs the version number of the EJBCA installation.
                                [ECA-505] - Enable download of CA certificate as jks-file from Basic Functions in Admin GUI.
                                [ECA-516] - Present warning in the Admin GUI when JCE Unlimited Strength Jurisdiction Policy Files isn't used.
                                [ECA-520] - Experimental reporting functionality using JasperReports
                                [ECA-526] - Possible to install with initial AdminCA on HSM
                                [ECA-527] - Possible to retrieve entity certs with CLI
                                [ECA-545] - Allow initial superadmin enroll on smartcard
                                [ECA-573] - Root-less install, use custom SSL truststore for JBoss/Tomcat

                                [ECA-35] - make better looking public enroll pages
                                [ECA-232] - When listing administrators in access rights, make the link clickable
                                [ECA-291] - Option to specify certificate validity begin time drift
                                [ECA-331] - Hide HardToken Puk Data in View HardToken page
                                [ECA-426] - Include nonce in requests from OCSP client
                                [ECA-461] - Build script does not check for actual version of java that is used.
                                [ECA-462] - Possible to keep configuration/modifications in an external directory
                                [ECA-465] - Possible to use different profiles in CMP RA mode
                                [ECA-468] - Create a PKCS7 with the web service interface to import it in IE
                                [ECA-471] - New Calls in the EJBCA Web Services interface
                                [ECA-473] - Interface of UserDataSources improved for support of UserData Deletion
                                [ECA-475] - Improved functionality in Extended CMS Service
                                [ECA-482] - Move scep servlet to its own web application
                                [ECA-494] - Better default datasource for ScepRAServer in External RA
                                [ECA-495] - ScepRAServer in External RA will process the same message until it is approved
                                [ECA-502] - build.xml should use $JAVA_HOME/bin/keytool instead of first one in path, if available.
                                [ECA-507] - Add description on UPN field.
                                [ECA-508] - When using Validity Override, don't allow validity to start before current time.
                                [ECA-509] - When using Validity Override, don't allow validity to to extend beyond the validity of the certificate profile
                                [ECA-510] - AD Publisher should use different container for certificateRevocationList
                                [ECA-513] - Not consequent text in profiles menu choices
                                [ECA-514] - Java exception when removing newly added service
                                [ECA-518] - Support new key purpose CAKEYPURPOSE_HARDTOKENENCRYPT
                                [ECA-531] - Improve Approvals with multiple steps of non-executable approvals
                                [ECA-532] - Support Approvals for the getHardTokenData and genTokenCertificates call
                                [ECA-536] - Import CA function supports HSM CAs
                                [ECA-537] - Require approvals for revocation
                                [ECA-572] - Confusing text in conf/ejbca.properties.sample
                                [ECA-581] - Bad presentation of approvalId, sometimes it is displayed with - sign in notification
                                [ECA-584] - Not possible to use comma in CA DN when creating CA

                                [ECA-412] - Try to create service after re-deploy gives exception
                                [ECA-413] - When choosing "Hard Token Type", all previously made "Settings" are deleted.
                                [ECA-443] - If you execute ./ejbca.sh batch in "ejbca/bin" the script creates ejbca/bin/p12 and puts the new p12:s in there instad of ejbca/p12
                                [ECA-460] - Get certificate chain link in public enroll pages does not work when CA is signed by external Root.
                                [ECA-467] - Private EC keys report different algorithm after application server restart
                                [ECA-501] - Weblogic throws TransactionRolledBackLocalException on duplicate log lines
                                [ECA-512] - Java exception when editing services
                                [ECA-525] - ExtRATestClient not working according to doc
                                [ECA-539] - Removing any but last of dynamic fields in an End Entity Profile generates errors when creating an end entity.
                                [ECA-548] - Automatic token activation fails when using nCipher HSM
                                [ECA-549] - No space triming in DN of a CA
                                [ECA-556] - Security: XSS possibility on public web
                                [ECA-559] - Autoactivate of Hard CA tokens does not show as active in Admin-GUI
                                [ECA-560] - Renew of keys for soft token CA must not regenerate encryption keys
                                [ECA-561] - CA levels displayed incorrectly in Basic Functions at depth > 2
                                [ECA-571] - PKCS#11 times out after some time on Utimaco
                                [ECA-574] - Wrong validity of created CAs, maximum two years
                                [ECA-583] - Bug in advances access rules view, UserDataSources displayed id instead of name i rule

                                [ECA-491] - Remove support for JDK 1.4
                                [ECA-538] - Remove CA import restrictions depending on keyusage field in CA-cert.
                                [ECA-576] - Remove support for JBoss < 4.0

                                EJBCA 3.4.5

                                [ECA-567] - XKMS register operation fails when user's token is JKS or PEM.
                                [ECA-568] - Parsing of some DERBitStrings in custom certfificate extensions.
                                [ECA-569] - If KeyIdentifiers from ExternalCAs are not standard format, key identifieres will missmatch
                                [ECA-570] - Approvalqueries can fail in some circumstances

                                [ECA-524] - Configurable which interface tomcat listens on

                                EJBCA 3.4.4

                                [ECA-486] - Can't activate a (nethsm) hard CA where cardset is not protected
                                [ECA-544] - Servlet is not able to return Open VPN Installer executable.
                                [ECA-553] - CRLUpdate worker not working with TableProtection enabled on JBoss 4.2.0

                                [ECA-555] - Add instructions for using module protected keys with EJBCA and nCipher to User Guide.

                                EJBCA 3.4.3

                                New Feature
                                [ECA-484] - Support for JavaDb/Derby

                                [ECA-500] - Support for JBoss 4.2.0
                                [ECA-522] - XKMS/WS does not work on JBoss 4.2.0

                                [ECA-474] - Support RSASHA256WithRSAAndMGF1 again
                                [ECA-504] - possible to specify keystore name to ant javatruststore
                                [ECA-511] - Spelling errors

                                [ECA-360] - End entity details fails to display in log
                                [ECA-479] - invalid error message when i create an external ac
                                [ECA-483] - cli: ./bin/ejbca.sh ra unrevoke dont set a correct userstatus
                                [ECA-487] - Exception on glassfish when removing and adding a CA with same DN
                                [ECA-488] - ejbca.sh may fail to find weblogic/glassfish if jars are not executable
                                [ECA-497] - LdapSearchPublisher not working
                                [ECA-498] - LdapSearchPublisher does not publish to old entry if search returns more than one entry
                                [ECA-499] - ./bin/ejbca.sh ca importca gives exception
                                [ECA-503] - No good error message when using non existing alias for keystore in the encryption decryption CLI

                                EJBCA 3.4.2

                                New Feature
                                [ECA-41] - Export soft CA token to pkcs12 file
                                [ECA-338] - EJBCA deploys and runs on Glassfish
                                [ECA-425] - Support for MD5withRSA as signature algorithm for CAs
                                [ECA-434] - CLI to automatically add HW token CA.
                                [ECA-435] - simple CLI to be able to use nCipher HSM to encrypt and decrypt
                                [ECA-444] - JSF admin pages work on Glassfish
                                [ECA-452] - Publish CRL with user defined script
                                [ECA-464] - Scep RA functionality in ExtRA API

                                [ECA-429] - Public web link from admin-GUI should open in new window/tab
                                [ECA-431] - Better support for customized extention when processing external CAs
                                [ECA-432] - Possiblity to store customized data in ExtendedInformation
                                [ECA-457] - New logo for admin-GUI
                                [ECA-458] - Basic custom extension support for asn.1 IA5String
                                [ECA-463] - Publish cert and revokation with user defined script
                                [ECA-481] - Remove track-statements config in JBoss to enhance performance

                                [ECA-410] - Oracle JDBC does not support ResultSet.relative
                                [ECA-411] - Support for JSF in Weblogic
                                [ECA-450] - Update german language file
                                [ECA-454] - Include dncomponents.properties and profilemappings.properties in ejbca-util jar

                                [ECA-374] - ServiceTimer Startup throws exception on startup on Glassfish
                                [ECA-421] - Certificate Enrollment Internet Explorer 7 Windows VISTA
                                [ECA-424] - Ocspclient stopped working
                                [ECA-427] - Bug showing fixed OCSPSIGNER certificate profile when adding end entities
                                [ECA-428] - XKMS key recovery issue on platforms not using ISO8859-1 language encoding
                                [ECA-430] - Upgrade XKMS external service for External CAs give NPE
                                [ECA-433] - Impossoble to remove CAs with customly defied profiles
                                [ECA-437] - Missing property YOUCANTADDFIXEDCERT in language files
                                [ECA-438] - When X is enabled on server, Edit end entity profiles gives sun.print.CUPSPrinter exception
                                [ECA-439] - Renew Root CA does not give new validity period
                                [ECA-440] - Renew Root CA might give different encoding for subject and issuer
                                [ECA-446] - Not possible to use | in DirectoryName, altname and email not stripped
                                [ECA-447] - Downloading certs on public web gives no file extension when filename contains space
                                [ECA-449] - CRLUpdateWorker not working, missing reference to CRLSession bean
                                [ECA-451] - Service timer runs amok on Weblogic
                                [ECA-453] - nCipherHSM.sh runs out of memory for large backups.
                                [ECA-455] - Public web pages not working in Weblogic
                                [ECA-459] - Be able to use email in LDAP dn

                                EJBCA 3.4.1

                                [ECA-417] - Cli throws exception on windows
                                [ECA-422] - OCSP not working in Mozilla

                                EJBCA 3.4.0

                                New Feature
                                [ECA-97] - Possibility to dynamically configure new OtherNames in subjectAltName.
                                [ECA-99] - Suport for CMP (rfc 4210)
                                [ECA-251] - Email for certificate expiration warning
                                [ECA-296] - New access rule to delete generated
                                [ECA-297] - Simple approval function for RA
                                [ECA-332] - Inital EJBCA WebService interface
                                [ECA-346] - Monitoring Services Framework, mail on certificate expire
                                [ECA-349] - Support custom OID fields in subject alternative names
                                [ECA-359] - Allow validity override from requests
                                [ECA-362] - Support for ECDSA signature keys
                                [ECA-371] - Support CRLIssuer in crl distribution point
                                [ECA-381] - Make DN components configurable, support custom OIDs
                                [ECA-393] - CSV export of log entries from admin-GUI
                                [ECA-394] - XKMS v2 Service
                                [ECA-400] - Custom Certificate Extension framework

                                [ECA-30] - Unify DN and AltName handling
                                [ECA-304] - Mail notification of new passwords without re-setting status
                                [ECA-330] - Add access rule to access system configuration
                                [ECA-333] - Improve Batch Tool functionality
                                [ECA-335] - Printing of new and edited userdata
                                [ECA-337] - Make reverse dn ordering easy configurable
                                [ECA-339] - Move ejbca.properties to conf subdirectory to be able to split up different part in different files
                                [ECA-341] - Approval Email notification
                                [ECA-342] - Internal log and exception localization
                                [ECA-343] - Key recovery should be approvable
                                [ECA-344] - Deploy CRL creation service by setting a simple property
                                [ECA-345] - Cache CA objects to avoid loading keystores often
                                [ECA-355] - implement the withlimit flag in useradminsession.query
                                [ECA-368] - Configurable order of unknown DN oids
                                [ECA-372] - Allow multiple policy oids in certificates
                                [ECA-377] - possibility to store certs on the card with Mozilla braowser
                                [ECA-379] - Add dnQualifier as a DN component
                                [ECA-382] - possibility to set public exponent when generating RSA keys for nCipher.
                                [ECA-388] - Possibility to retrieve PKCS7 response in ExtRA API
                                [ECA-391] - Release zip-file should unpack in directory with version number
                                [ECA-392] - Improve Weblogic support for Weblogic 9.x.
                                [ECA-396] - Support multiple email altnames using CLI
                                [ECA-399] - Calculate certtype automatically in publishCACertificate

                                [ECA-327] - Make UTF8 encoding default in DNs (for new CAs)
                                [ECA-351] - Upgrade XDoclet jars
                                [ECA-401] - Change default java version to 1.5 when building EJBCA

                                [ECA-299] - Changing CPS in profile does not save always
                                [ECA-336] - Using reversed DN makes DN wrong in some places
                                [ECA-352] - Language files must be placed under /tmp in Weblogic
                                [ECA-386] - Not possible to revoke external CAs
                                [ECA-406] - Changing log configuration gives NullpointerException when using other languages

                                EJBCA 3.3.3


                                [ECA-347] - Sun One Directory Server doesn't understand the gn attribute, it wait for givenName
                                [ECA-370] - CRLs are generated with default DN encoding, not the same as issuer in ca certificate
                                [ECA-373] - Typo in ejbca.properties.sample


                                [ECA-376] - Include serialNumber LDAP attribute if selected in DN
                                [ECA-383] - Option to remove entity in LDAP when cert revoked

                                EJBCA 3.3.2


                                [ECA-328] - EJBCA requires Myfaces in appserver to deploy admin-GUI
                                [ECA-350] - Errors deploying on Weblogic
                                [ECA-357] - OCSP with lookup test not workin. ocspclient.jar
                                [ECA-363] - EJBCA does not work with Oracle DB


                                [ECA-353] - Automatic column name change for logentrydata.comment in Weblogic/Oracle
                                [ECA-356] - ant javatruststore should be able to install any CAs certificate
                                [ECA-365] - Turkish profile


                                [ECA-358] - Upgrade to latest log4j jar

                                EJBCA 3.3.1


                                [ECA-326] - Use MySQL specific command in ExternalOCSPPublisher.java
                                [ECA-334] - Not possible to activate a Luna HSM CA
                                [ECA-340] - Some errors in deployment descriptors (not noticable in JBoss)

                                EJBCA 3.3.0

                                New Feature

                                [ECA-98] - Commands and status for certificate suspend
                                [ECA-143] - Option to generate new keys when renewing a CA
                                [ECA-215] - Loadbalancer Health Check Servlet
                                [ECA-234] - Support for directoryName in SubjectAltNames
                                [ECA-238] - Generate OpenVPN install packages for token enrollment
                                [ECA-248] - External RA API and service
                                [ECA-268] - Revoke certificate in Ldap search publisher
                                [ECA-271] - Option in publishers to not remove certificate when revoked
                                [ECA-272] - Configurable CRL overlap time
                                [ECA-274] - Support Subject Directory Attributes extension
                                [ECA-275] - Support Custom UTF8String QC Statement
                                [ECA-276] - Asn1dump cli command
                                [ECA-281] - Option to specify UTF8String for all subject DNs
                                [ECA-289] - Possibility to use smart card HSM on external OCSP responder
                                [ECA-290] - Basic signing function to verify the integrity of audit logs
                                [ECA-306] - Inital Framwork for User Data Sources
                                [ECA-314] - Inital Approval implementation
                                [ECA-316] - Basic integrity protection of external OCSP database
                                [ECA-321] - k/n operator card authentication when enabling nCipher keys in nCipher cards
                                [ECA-322] - Support for German in admin-GUI


                                [ECA-84] - Add UserNotice and CPS url to certificate policy extension
                                [ECA-166] - Request to external CA gives bad error messages
                                [ECA-187] - Better sizing of the 'View Certificates' windows
                                [ECA-255] - Templates for Hard Token Profile printouts
                                [ECA-266] - Issue CRLs periodically before CRL expire date
                                [ECA-279] - Added new classes to ejbca-util.jar to compile with timestamp server
                                [ECA-280] - Support of Safe Net Luna HSM
                                [ECA-285] - If possible it should be possible to define the auth code of the HSM when configuring the CA.
                                [ECA-294] - Limit user cert validity to CAs validity
                                [ECA-309] - Healthcheck servlet for the External OCSP Service
                                [ECA-310] - Simplified EJBCA healthcheck deployment
                                [ECA-312] - Option in cli to re-publish all certificates, not only latest
                                [ECA-320] - Authorization denied displays as error 500 in IE
                                [ECA-324] - ant task to add ca-certificate to java truststore


                                [ECA-174] - Publish (optionally) multiple certificate values in LDAP
                                [ECA-207] - Remove redundant code from Profiles
                                [ECA-298] - Latest version (1.33) of bouncycastle jars


                                [ECA-57] - I18N issues with resource bundle
                                [ECA-150] - Can get user certificate from another CA than the user is registered for
                                [ECA-189] - LogSession can miss to log events under multithreaded heavy load
                                [ECA-236] - Internationalize webconfiguration.jspf
                                [ECA-250] - Error in default PIN envelope for hard tokens
                                [ECA-258] - JBoss hangs when deleting publisher used in CA
                                [ECA-262] - You cannot leave out defaultKey in nfast ca token configuration
                                [ECA-267] - Bug in searching for certificates for user that have been removed
                                [ECA-284] - Wrong exception thrown in EracomCAToken.
                                [ECA-287] - It is only possbile to use one key for each CA with Eracom HSM.
                                [ECA-292] - Creating CA with national chars in DN fails for some encodings
                                [ECA-300] - "Hard CA Token Properties" not stored permanently after editing.
                                [ECA-301] - External OCSP responder doesn't work with jboss-4.0.4
                                [ECA-302] - In the Edit End Entity Page it not possible to set a user back to genereated if it have been set to new by mistake
                                [ECA-303] - ant ocsp-deploy does not work without tomcat.jks file
                                [ECA-305] - Wrong responderId in response from OCSP responder when not using CA-signing
                                [ECA-307] - Custom Publishers doesn't reload after save of properties
                                [ECA-308] - Exception is thrown when trying to republish to external OCSP publisher
                                [ECA-311] - Re-publish should not add revoked certificates in LDAP
                                [ECA-313] - BC provider can be missing if running multiple apps simultaneously (rare)
                                [ECA-315] - Many calls to internal OCSP responder can give 'Reentrant method call detected' error
                                [ECA-317] - ca republish cli command uses wrong username for CA
                                [ECA-318] - Scep only works against RootCAs, not SubCAs
                                [ECA-319] - Surname and Givenname is always added as attriubtes in LDAP even if not required
                                [ECA-323] - Html encoded characters not displayed correctly on jsf pages
                                [ECA-325] - CRL Issue interval overflows when too large value entered

                                EJBCA 3.2.2


                                [ECA-282] - Distribute files with stricter permissions
                                [ECA-286] - Remove logging in publisher.getAuthorizedPublisher calls
                                [ECA-295] - Allow dot in username


                                [ECA-202] - Too long primary keys when using UTF-8 encoding in MySQL
                                [ECA-277] - Error deploying on MS-SQL and Sybase
                                [ECA-278] - SQLException on MS-SQL
                                [ECA-283] - Web enrollment with Eracom HSM fails

                                EJBCA 3.2.1

                                New Feature

                                [ECA-263] - Alternitive way of checking end entity profile data


                                [ECA-139] - It is not possible to use a HSM to sign a pkcs10 req to an external root CA.
                                [ECA-259] - Exception when importing certificate signed by external CA
                                [ECA-264] - Remove field restrictions for QC statement
                                [ECA-273] - Jboss 4.0.4 throws tomcat clustering exceptions with distributable tag in web.xml


                                [ECA-265] - Allow ':' in username and DN
                                [ECA-269] - Web-encoded characters in spanish language file
                                [ECA-270] - Public web cert dist sensitive to DN order

                                EJBCA 3.2.0

                                New Feature

                                [ECA-89] - New LdapSearchPublisher, obtain LDAP DN from directory server, using UID attribute, with LdapPublisher
                                [ECA-179] - Support Qualified Certificate Statement (RFC3739)
                                [ECA-190] - LDAP search cababilities in AD Publisher
                                [ECA-192] - Support for Eracom HSM (now SafeNet)
                                [ECA-208] - Swedish Translation of Admin-GUI
                                [ECA-220] - OCSP extension mechanism
                                [ECA-221] - Possibility to run OCSP responder(s) separated from CA
                                [ECA-224] - Support for Informix 9.2 database
                                [ECA-225] - Chinese translation of Admin-GUI
                                [ECA-228] - Key Recovery of soft tokens should support reuse of certificates
                                [ECA-229] - Make OCSPSignerCertificateProfile Visible
                                [ECA-239] - possible to select if a printout should be "scaled to page" or not.
                                [ECA-245] - Utility script to initialize creation of administrator token
                                [ECA-195] - CLI function to activate HSM CAs
                                [ECA-216] - CRL in PEM format since OpenVPN requires PEM format


                                [ECA-66] - Certificate fingerprint (hex encoding)
                                [ECA-134] - Not possible to select 'no value' when a dn value is set in entity profile
                                [ECA-137] - AdminGUI not working on different machines in a multi-machine environment
                                [ECA-152] - ejbca-ejb.jar contains web.xmls
                                [ECA-164] - Spelling error in language file
                                [ECA-184] - EJBCA changed the order of issuer's subject DN when creating a certificate
                                [ECA-202] - Too long primary keys when using UTF-8 encoding in MySQL
                                [ECA-203] - Exception when accesing adminGUI due to duplicate log entries
                                [ECA-205] - server.xml contains some static fields that should be taken form ejbca.properties
                                [ECA-209] - Weblogic/Oracle needs special deployment descriptors for LONG columns
                                [ECA-210] - In edit CA page will 'Edit' and 'Delete' action generate nullpointer when spacevalue is selected
                                [ECA-223] - Links not URLEncoded on public page for downloading CA-cert
                                [ECA-227] - Testscript causes OutOfMemory exception
                                [ECA-230] - After enabling "issue hardware token" in sys config you need to manually reload menu-frame
                                [ECA-231] - Edit hardwaretoken is broken
                                [ECA-235] - ant deploywithjbossservices messes up EJBCA
                                [ECA-237] - Generate CRL on off-line CA gives exception
                                [ECA-240] - All hard token CAs are displayed as online after ejbca start
                                [ECA-241] - Userdefined text in enhanced eid hard token profile misspelled
                                [ECA-242] - getAllCACertificates fails when there are external CAs waiting for certificate
                                [ECA-243] - Install script error when JBoss runs on nonstandard ports
                                [ECA-247] - ejbca does not set a CA to offline when the HW has been reseted.


                                [ECA-83] - Upgrade to the lastest ldap.jar
                                [ECA-212] - Make database upgrade script for EJBCA 3.1.x to 3.2.x


                                [ECA-60] - Move CDP to CA.jsp page instead of Certificate Profile
                                [ECA-85] - Restructure source tree
                                [ECA-93] - link from admin-GUI to public index page
                                [ECA-158] - Wrong default CRL distribution point
                                [ECA-206] - Remove internal implementation of Hex and use only bouncycastle
                                [ECA-214] - Refactor addUser, changeUser to take UserDataVO as parameter
                                [ECA-217] - Change column type for extendedInformationData in UserDataBean table
                                [ECA-218] - Make pageEncoding in JSP pages same as web.contentencoding
                                [ECA-219] - Change BaseURL behaviour to work with multi-machine setups
                                [ECA-246] - Small fix to UserMatch, possible to search for subjectDN contains data from future webservice interface.

                                EJBCA 3.1.4


                                [ECA-193] - reentrant property of Entity beans is "false" instead of "False", breaks Weblogic
                                [ECA-194] - Fix deployment descriptors to work with Weblogic 8.1
                                [ECA-196] - wrong size of some PrimeCard printouts
                                [ECA-198] - Private fields in CMP beans are not cached in Weblogic
                                [ECA-199] - Weblogic/Oracle can not use DISTINCT in SQL with LONG columns
                                [ECA-201] - DataSource jndi name must be EjbcaDS not java:/EjbcaDS in Weblogic
                                [ECA-211] - Unable to reload existing session


                                [ECA-197] - Some entity beans does not define transacton settings in ejb-jar.xml
                                [ECA-204] - possibility to include classes for HW token in the ear file
                                [ECA-222] - Make installation done with ealy pre-release of nCipher support work out-of-the-box
                                [ECA-226] - Improved error logging for nCipher HSMs

                                EJBCA 3.1.3

                                [ECA-75] - SCEP not working with Hard token CAs (HSMs)
                                [ECA-107] - can't view logs using oracle due to column 'comment'
                                [ECA-139] - It is not possible to use a HSM to sign a pkcs10 req to an external root CA.
                                [ECA-141] - Unstable default idle-timeout for datasource
                                [ECA-144] - Scep not working with Cryptlib
                                [ECA-145] - Bug in hard token profile pages, Nullpointer when changing profile type or saving new pages
                                [ECA-147] - Star (*) not working in subject alt names
                                [ECA-148] - Scep not working with Cisco PIX
                                [ECA-149] - unstructuredName/address in DN does not work
                                [ECA-153] - cli not working on windows when java_home contains space char
                                [ECA-154] - install does not work when JAVA_HOME contain space char
                                [ECA-155] - OCSP using CA key does not work with HSMs
                                [ECA-156] - binary chars in ejbca-mail-service.xml
                                [ECA-160] - display of mail.smtp.host during ant deploy is wrong (cosmetic)
                                [ECA-165] - Not possible to remove UnstructuredName from entity profile
                                [ECA-167] - CN Postfix doesn't work if UID have the same value or DN is reversed
                                [ECA-168] - Hard Token SN search doesn't work with primecard 1.3 >
                                [ECA-169] - Hard Token Profiles cannot be cloned
                                [ECA-170] - Malformed SVG Template craches the Hard Token Profile pages
                                [ECA-171] - Typo in language file
                                [ECA-176] - Method CertUtil.getEMailAddress(X509Certificate certificate) hangs jboss
                                [ECA-177] - SCEP not working with Netscreen/Juniper boxes
                                [ECA-180] - Select, unselect javascript features doesn't work anymort

                                New Feature
                                [ECA-109] - Support RSASSA-PSS signatures
                                [ECA-140] - Add $UID as a variable to the SVG templates
                                [ECA-181] - Javascript checks use unicode for internationlized chars
                                [ECA-182] - Possible to select a subset of fields in DN and Subject AltNames in the certificate profiles
                                [ECA-186] - Possibility to specify the BasicConstraint path length

                                [ECA-127] - Add references of installations to EJBCA home page

                                [ECA-146] - Device schema for sun directory server missing X-ORIGIN
                                [ECA-159] - Not possible to view historical data in CertReqHistory
                                [ECA-161] - easy configuration of smtp auth
                                [ECA-163] - Describe how to install com.mysql.jdbc.Driver in the documentation
                                [ECA-178] - Better error messages when HSM provider not found
                                [ECA-183] - Possible to configure for different JBoss targets
                                [ECA-185] - new version of batik lib

                                EJBCA 3.1.2

                                New Feature
                                [ECA-46] - multiple instances of altNames in certificates
                                [ECA-130] - Implement new Scep mode using POST
                                [ECA-118] - Imported OpenSSL CA not working
                                [ECA-121] - Can not publish certificate with comma in DN to LDAP
                                [ECA-123] - Dash not allowed in username
                                [ECA-124] - User passwords leak into debug log
                                [ECA-125] - Admiweb too restrictive for estonian chars.
                                [ECA-126] - Some imported CA certificate contains the field "friendlyName" in PKCS#12 twice
                                [ECA-131] - Problem with certificate import CLI command
                                [ECA-133] - Single quote in DN does not work
                                [ECA-136] - senderNonce in returned SCEP messages longer than 16 bytes
                                [ECA-108] - Add changelog to ejbca web site

                                EJBCA 3.1.1

                                [ECA-113] - key Ids looks critical when editing certificate profiles
                                [ECA-111] - Remove obsolete cli commands
                                [ECA-114] - add CA id to 'ca info' cli command
                                [ECA-116] - Added caid to create certificate method

                                EJBCA 3.1.0

                                General (not from Jira):
                                - Usage of XDoclet to generate ejb interfaces and deployment descriptors. Lots of XDoclet tagging to simplify development and deployment.
                                - Changed packaging to avoid classes duplication between jars.
                                - Much improved configuration, installation and deployment, now there is a single point of configuration using a config file.
                                - Added French, Italian and spanish translations for the admin-GUI.
                                - Add parameter for jboss/weblogic to install.
                                - Changed database configuration to make it more flexible for deployment.
                                - BatchMake has been changed to support a dir (directory attribute). Default is still 'p12'.
                                - LDAP object classes for devices.
                                - New structure for the cli, it now lives in the bin subdirectory.
                                - Reorganization of documentation tree, new xml based web site for http://ejbca.sf.net/.
                                - New version, 1.28, of bouncycatle provider.
                                - Lots of minor and structural changes.
                                New features:
                                * [ECA-6] - Download certificate link in 'View Certificate' window
                                * [ECA-12] - CA keystore randomizer in the ant script
                                * [ECA-19] - Create Servlet for initial installation
                                * [ECA-45] - Add SHA256WithRSA as signature algorithm for certs
                                * [ECA-62] - Add Receipt and address templates
                                * [ECA-67] - Republish button in view certificate window
                                * [ECA-68] - CN Postfix in certificate profile
                                * [ECA-69] - Only domain used for UPN in End Entity Profile
                                * [ECA-70] - Key Recover button in view hard token window
                                * [ECA-86] - Javascript changed so all new small windows automatically gets focused.
                                * [ECA-87] - Added a new getCATokenStatus method in the IHardCAToken interface
                                * [ECA-90] - Support for nCipher HSM (sponsored by Linagora)
                                * [ECA-96] - Add importcert cli function
                                * [ECA-48] - make web page encoding selectable by parameter
                                * [ECA-56] - Bad error message when authorization fails
                                * [ECA-61] - Enable Advanced Profiles
                                * [ECA-73] - Add more information regarding Critical Extension
                                * [ECA-76] - Installation on JBoss 4.0.2
                                * [ECA-82] - Available languages (EN, FR, IT, ES) selectable by default in admin-GUI.
                                * [ECA-88] - Added a 'reuse old certificate' flag to the hard token profiles
                                Bugs fixed:
                                * [ECA-13] - Exception after editing entity profile
                                * [ECA-28] - RA Admin privileges don't work
                                * [ECA-34] - Multiple bugs in Hard Token Issuing handling.
                                * [ECA-38] - register users with int'l characters in dn does not work
                                * [ECA-39] - HTML error in view end entity jsp page when displaying subjectDN
                                * [ECA-43] - exception during CRL generation
                                * [ECA-44] - no key length selection for p12 generated server certs
                                * [ECA-55] - export/import profiles does not ignore fixed HARDTOKEN profiles
                                * [ECA-71] - CRL creation in batch mode is not possible if a CA is not active
                                * [ECA-72] - cmd-line not working
                                * [ECA-74] - CRLCreateService not working
                                * [ECA-77] - bug when signing certificate with "card CA token"
                                * [ECA-78] - CRLCreatService has no overlap
                                * [ECA-79] - View ocsp certificate not working (exception)
                                * [ECA-80] - wrong PIN type is stored in DB
                                * [ECA-91] - Bug in base64 decoder
                                * [ECA-92] - UserGenerated Certificates doesn't work with enhanced EID hard tokens and IE
                                * [ECA-100] - Subject DN with "'" (ASCII 27) displays as "\" in admin GUI.
                                * [ECA-102] - missing break; causes IllegalKeystoreException
                                * [ECA-104] - Handle language encodings in demo servlet
                                * [ECA-106] - non-superadmin cannot press cancel in my_preferences page

                                EJBCA 3.0.7

                                * [ECA-54] - HardCATokens goes off-line when bean gets passivated
                                * [ECA-49] - saving of generated request from CA fails on IE
                                * [ECA-50] - Key Recovery status and change password in Edit End Entity doesn't work
                                * [ECA-52] - In Create CA page should the CAToken authentication info be a password field instead

                                EJBCA 3.0.6

                                * [ECA-40] - defined hardtoken issuer and profiles disapears after some time
                                * [ECA-42] - <enterpris-beans> tag missing in xml fil

                                EJBCA 3.0.5

                                Added support for activation of hardcatokens in View CA Info page.
                                Added MS Template for DomainController functionallity.
                                Fixed Certificate upgrade problems.
                                SECURITY: Add checks in adminweb for illegal SQL chars in advanced modes in list end entities and view log.
                                Weblogic xml files for WLS 8.1 (still needs patch for complete function).
                                Possibility to set 2048 bit keys in Swedish hardtoken profile.
                                Changed error message when unlimithed strengh policy files not installed during install.
                                Handle double type encoding in install.en.properties for other languages.
                                Tested with JBoss 4.0.1.
                                Support for PostgreSQL 8.0 on JBoss 4.
                                Fix for 'rule' column name in config for MS SQL server 2000.
                                Fixed problem where requiring RFC822Name caused error when editing end entity.
                                Fixed bug with extra commas in publishers when selected DN components don't exist in DN.
                                Changed 'Batch' text in adminweb to be more descriptive.
                                Changed 'Use fields in DN' in adminweb to be more descriptive.
                                Added StaticRegistering to CA hard token manager.
                                Fixed error during install when CA-cert does not exist in java truststore.
                                Fixed weblink to force a browser type when using an unknown browser.
                                Added cli method to re-publish a CA and all it's users to ldap.
                                Fixed so EMPTY profile is not selectable for admin groups not authorized to it.
                                Fixed sending of notification messages not working on certain occasions.
                                Fixed cache control issues with download of ca cert and CRL from admin pages to IE.

                                EJBCA 3.0.4

                                Fixed integer overflow when setting CRLPeriod longer than 596 hours.
                                CLI command to import a CA from an existing PKCS12 file (openssl CA).
                                Fixed bug where own fp instead of CA fp was written to the database.
                                Fixed bug where an administrator could not use the admin GUI if signed by a CA using multiple DC attributes.
                                Fixed bugs with AD publishing, useraccountcontrol temporarly removed.
                                Changed the default extended keyusages for hard token profiles.

                                EJBCA 3.0.3

                                Fixed wrong encoding of BasicConstraints when false.
                                Fixed bug in CA functions page viewing certificates with intl chars.
                                Fixed bugg in the publisher page where the top publisher wasn't shown.
                                Fixed bugg in adduser page where email address wasn't saved when user existed.
                                Fixed bugg where IPADDRESS and GUID subject altname wasn't shown in certificate view.
                                Fixed email field check bugg in add and edit user jsp pages.
                                Fixed bugg in certificate profiles jsp page where critical extended keyusade couldn't be unchecked.
                                Added missing class in admin.jar for 'ca processreq'.
                                Fixes to demo servlet.
                                Fixed error message when enrolling with un-allowed keysize from browser.
                                Fixed minor error in authorization log text.
                                Fixed error for DATE var in notifications.
                                Fixed bug adding email and uid attributes in LDAP.
                                Added more extra attributes to LDAP publisher.
                                Make o,ou,st selectable as 'Use Fields in DN' for publishers.
                                Fixed publishing of CA certificates and CRLs.
                                Works with Java 1.5 and 4096 bit keys.
                                Fixed bug in webpage checking for revocation.
                                Added pageEncoding for jsp pages and removed explicit encoding tag in meta-inf for adminpages.
                                Fixed bug with republishing CA certificates.
                                Check execute permission on batch.sh from install script.
                                Many clarifications in docs.
                                Tested on MacOSX.

                                EJBCA 3.0.2

                                Removed writing of testfile foo.crt.
                                Changed version in web-GUI.

                                EJBCA 3.0.1

                                Fixed subject DN field removal bugg of UNSTRUCTURED IPADDRESS and UNSTRUCTURED NAME
                                Fixed bugg where PKCS7 header and footer always was generated when using manual pkcs10
                                Fixed warning in SSL deployment with JBoss 3.2.4.
                                Long timeout for ca creation in JBoss 3.2.4.
                                Fix for keystore path in Tomcat41-JBoss32.
                                Some doc and xml fixes.

                                EJBCA 3.0

                                Added unstructuredname, unstructuredaddress to subjectdn.
                                Cleaned system.out debug logs.
                                Digital signature in default key usage to make ocsp work out of the box.
                                Added support for iPAddress alternative name.
                                Added support for MS GUID alternative name.
                                Better check on altnames when adding user with cli.
                                Fix CRL import in Mozilla.
                                Allow . in usernames i webGUI.
                                SCEP GetCRL method implemented.
                                Fixed minor errors in deployment descriptors.

                                EJBCA 3.0 beta 3

                                Upgrade function from ejbca2 with MySQL.
                                Added password and extendedinformation to publisher interface.
                                Fixed CA renew bugg where new certificates wasn't published to publishers.
                                Fixed Hard Token Issuer authorization bug.
                                Fixed Hard Token Profile authorization bug when logging in as CA Administrator.
                                Fixed Authorizer.java so it doesn't throw NullPointerException.
                                Added initial support for HSM plug-ins.
                                Fixed install script freeze when installing adminweb. Added -noprompt.
                                Added Sybase as target for 'ant replaceDS'.
                                Support for JBoss3.2.4/Tomcat5.0.
                                Fixed bugg in Administrative deligations where a CA administrator could edit an superadmin group.
                                Changed so 'enable end entity limitations' is enabled by default.
                                Strip DN when creating new CAs.
                                Added test if strong crypto is installed in the install script.

                                EJBCA 3.0 beta 2

                                Made SUN specific algorithms and providers configurable, to be able to use other jvm.
                                Fixed serious bug that caused certs to be signed by wrong CA after ejbPassivate.
                                Made DN order configurable with switch in source.
                                Alias in PKCS12 is now CN by default and username if CN does not exist.
                                Added possibility to configure publishers (LDAP, AD) through administrative web interface.
                                Implemented more SCEP functions, tested with Cisco VPN client.
                                Compound primary key for HardTokenPropertyBean.
                                Added junit tests of entity beans

                                EJBCA 3.0 beta 1

                                Virtual CAs, run a complete hierarchy (or several) in one instance of EJBCA.
                                Easier installation and configuration with new install script.
                                Complete support for OCSP.
                                Added 'Authority Information Access' extension for OCSP service URL in certificates.
                                LDAP schema now correctly follows RFC 2256 and works with OpenLDAP 2.2.
                                LDAP Publishing controlled from certificate profiles.
                                Possible to configure autogenerated passwords in admin web gui.
                                Improved support for keyrecovery.
                                Improved configuration of administrative privileges.
                                Many minor fixes and enhancements.

                                EJBCA 2.1.3

                                Fixed a bug when applying with IE, wrong csp could be used.

                                EJBCA 2.1.2

                                LDAP schema now correctly follows RFC 2256 and works with OpenLDAP 2.2.

                                EJBCA 2.1.1

                                Improved error handing for batch generation.
                                Fixed some SQL for PostgreSQL.
                                Set Content-Type on OCSP responses.
                                Setup-adminweb supports JBoss 3.2.3.
                                For for internatinalization of admin-web with non ISO chars.
                                Minor debug cleanups.

                                EJBCA 2.1

                                Initial SCEP support.
                                Initial OCSP support.
                                Support for multiple CDPs separated by ';'
                                Removed unneded debug output of cert during creation
                                Fixed bug in setup-adminweb.sh
                                Fixed missing submit button with PEM/P12 users
                                New cmd line command to export/import profiles to XML files
                                Fixed bug in 'ca makereq' when rootCA has no CN
                                Added encoding=iso8859-1 to javac to fix compile on strange locales
                                Fixed API for active directory publisher
                                Support for more than two levels of CAs
                                Fixed small bug if using null revocation date
                                Default revocation reason to new reason NOT_REVOKED
                                Fixed utitlity method that returned wrong subject key id
                                Getroot cert in PEM or DER format
                                Fixed bug when saving system configuration in admin-GUI.

                                EJBCA 2.0.1

                                Java 1.4.x is now required.
                                Support for JBoss_Jetty and JBoss 3.2.x.
                                Microsoft UPN altName and smart card logon extended key usage.
                                Enrollment page can now handle both patched and unpatched IE

                                EJBCA 2.0


                                Added Hard Token funtionallity, EJBCA can now store store
                                pin/puk data in
                                Added email notification to added end entities.
                                Added Key Recover funtionallity.
                                Changed initial temporary super administrator from "CN=Walter"
                                to "CN=
                                Removed CA and ROOTCA types in "ra adduser" cmd, from now on use
                                Added allowOverrideKeyUsage in certificate profiles.
                                New fields in DN, givenname, surname, initials.
                                ExtendedKeyUsage extension (for use in OutLook).
                                New servlet in adminweb, AdminCertReqServlet that creates users
                                out of PKCS10-
                                Moved batch and deploy scripts into build.xml.
                                Moved external jars into ear-file.
                                Tested on Weblogic 7.1.
                                Lots of bugfixes and cleanups.

                                EJBCA 2.0b1

                                Moved to EJB 2.0 (JBoss 3 now required).
                                Enhanced database schema, for EJB 2.0 and the many new features.
                                Web GUI for administration using SSL.
                                Improved speed using EJB 2.0.
                                Type of signing device completely soft configurable.
                                New access control on method invocation.
                                Option to generate JKS or PEM keystores.
                                Added CertificatePolicies extension.
                                Return PKCS7 with full path to browsers.
                                New configurable certificate profiles.
                                More alternative names.
                                User profiles for administrators of different groups.
                                Improved serial number generation,
                                New logging mechanism.
                                Many small improvements.
                                Many bugfixes, and new bugs.

                                EJBCA 1.4

                                Fixed bug with case-sensitivity for column names in Sybase.
                                Fixed bug when rolling over subCAs without subjectKeyId in cert.
                                Fixed bug with using country=CN in DN.
                                Fixed encoding bug in CRL distribution points.
                                Fixed LDAP issue with email address.
                                Added method for easily getting certificates with different
                                Better separated and better looking web pages.
                                Deployed with EAR-files.
                                Architectural changes.
                                New version of Log4j, 1.2.
                                Tested with Orion app-server.

                                EJBCA 1.3.2

                                Fixed compilation error with JDK1.3.
                                Fixed bug where order in IssuerDN could be wrong.
                                Fixed typo in deploy.cmd/sh.

                                EJBCA 1.3.1

                                Fixed wrong template path for IE certificate enrollment.

                                EJBCA 1.3

                                Configuration howto/support for Oracle.
                                Tested on Weblogic.
                                Function to batch-generate PEM-files for Apache etc.
                                Function to rollover subCA with same key pair in ca.sh/cmd.
                                Function to change password for user.
                                Function to list certificates about to expire.
                                New version (112) of BC JCE-provider.
                                Architectural overview in documentation.
                                Better deployment scripts.
                                Sample Linux firewall script.
                                Added demo accept-all authentication module,
                                CA-certs can now be downloaded from webdist.
                                Lots of minor cosmetic, architectural, installation and GUI

                                EJBCA 1.2

                                Command for batch processing, and other batch fixes.
                                Better error messages when user applies for cert with browser.
                                Fixed bug where NextUpdate in CRLs were incorrect.
                                Fixed problem receiving certificate replies for subCAs.
                                Function to rollover Root CA with same key pair in ca.sh/cmd.
                                Listusers function in ra.sh/cmd.
                                Info function in ca.sh/cmd.
                                Minor improvements and bugfixes.

                                EJBCA 1.1

                                Tested with additional databases (mySQL, PostgreSQL).
                                The Datasource used is configurable.
                                New architecture for Publishers where certificates can be
                                published in addition
                                to the main database.
                                Change DN order to match RFC1779. WARNING! See doc/RELEASE_NOTES
                                for information
                                about upgrading from v1.0.
                                LDAP Publisher to store for certificates and CRLs in LDAP
                                Minor bugfixes.

                                EJBCA 1.0

                                Fixed bug with not returning correct content-length to browser
                                when returning
                                New version of BouncyCastle provider with minor PKCS12 fix.
                                Updated docs.
                                Added FAQ.

                                EJBCA 1.0b2

                                New version of Bouncycastle JCE provider.
                                Added and clarified some documentation.
                                New version of BC provider fixed compatibility of PKCS10
                                requests with KeyTool
                                and MS CA.
                                Fixed process of PKCS10 request from KeyTool (they use different
                                Fixed bug during key generation of CA that always generated 1024
                                bit keys.
                                Creates p12-files during test in real temporary dir.

                                EJBCA 1.0b1

                                Initial releaseEJBCA