Issues Resolved in 7.4.0
Released June 2020
New Features
ECA-4491 - Support Ed25519 and Ed448 (EdDSA) certificate issuance using soft crypto tokens
ECA-5333 - Ability to search for approval requests by part of Subject DN or e-mail
ECA-6787 - Ability to specify Superadmin Validity during installation
ECA-6790 - Add "Enforce Key Renewal" Option
ECA-7162 - Add regex validation to usernames for EEP
ECA-8699 - Support encryption for SCEP in Azure Key Vault crypto token
ECA-8718 - Add test of "Enforce Key Renewal"
ECA-8781 - CLI command to import key recovery data for end entities
ECA-8848 - Database table for pre-produced OCSP responses
ECA-8849 - Service worker pre-produced OCSP responses
ECA-8850 - CA setting enabling pre-produced responses.
ECA-8852 - Publisher for OCSP Response Data
ECA-8866 - Create OCSP Cache for CA canned response setting
ECA-8878 - Session bean (interface etc) for OcspResponseData
ECA-8892 - Handling conflict between CA setting to pre-produce OCSP responses and OCSP Key binding nonce setting
ECA-8895 - Create indexes for the OCSPResponseData table
ECA-8899 - Approvals for SCEP RA mode
ECA-8913 - Support AWS KMS (Key Management Service, different from AWS CloudHSM)
ECA-8944 - Service worker UI for OCSP pre-production
ECA-8962 - Implement SCEP enrollment with approvals for already existing end entities
ECA-8990 - Update plugin sample to deploy cleanly
ECA-9051 - Shift the configuration of ExtendedUserDataHandlers (such as the UnidFnrHandler) from CMP configuration to CA configuration
ECA-9053 - Implement configuration of Request Processors in the CA
ECA-9057 - Implement a validator for the Google Safe Browsing API
ECA-9065 - Upgrade procedure after moving Request Processors from CMP to CA
ECA-9066 - Shift execution of Request Processors from CrmfRequestHandler into CertificateRequestSession
ECA-9072 - Service worker logic for final OCSP response
ECA-9074 - Support for CLI batch generation with EdDSA keys
ECA-9142 - Create a webservice call for creating an externally signed CA.
ECA-9163 - Add support for WS createExternallySignedCa command in clientToolBox
Tasks
ECA-7435 - Java 11: SOAP WS Client and Tests do not work
ECA-8212 - Batch enrollment GUI does not build under JDK11
ECA-8651 - Update resteasy jars used for junit testing
ECA-8695 - Security: Upgrade external dependency
ECA-8696 - Update db2jcc4.jar used for jenkins tests
ECA-8700 - Use reflection in CESeCoreUtils to support older version of Java
ECA-8717 - Java 11: ejbca-ws-cli uses endorsed.dirs which is not supported in java 11
ECA-8724 - Upgrade cert-cvc to 1.4.10
ECA-8727 - Documentation: Oracle JDK 8 not listed any longer in prerequisites
ECA-8730 - Fix JUnit, UserFulfillEndEntityProfileTest and CommandLibraryTest tests that fail on Java 11 (due to issues in tests)
ECA-8731 - Remove old commons-httpclient 3.1 and upgrade commons httpcomponents to latest stable version
ECA-8733 - Update ConfigImport "known limitations"
ECA-8744 - FindBugs: fix warning about NP_NULL_PARAM_DEREF
ECA-8804 - Security: Upgrade external dependency
ECA-8807 - Change the copyright footer to 2020
ECA-8855 - Automate test ECAQA-128: End Entity Profile - Custom Validity
ECA-8898 - Document known issue related to approval requests after an upgrade to EJBCA 6
ECA-8918 - Documentation: Document support for Cloud HSMs
ECA-8980 - EJBCA Testing: ACME (Continued) Testing
ECA-9011 - Upgrade Apache CXF
ECA-9049 - Investigate CRL-related test failures in Jenkins
ECA-9050 - Code cleanup: Remove dead encrypt/decrypt methods in CA
ECA-9079 - Add selectable head banner with advisory notice and consent warning
ECA-9088 - Grab ClientToolBox test from Git
ECA-9089 - Learn how the current EJBCAClientToolBox test works.
ECA-9090 - Create/Extend JenkinsFile and DockerFile for EJBCAClientToolBox
ECA-9091 - Setup Jenkins Job to run EJBCA ClientToolBox
ECA-9100 - Documentation: update JBoss security about Diffie-Hellman keysize and datasource passwords
ECA-9114 - Upgrade jackson databind
ECA-9168 - Regression Test & Automation EcaQa75
ECA-9187 - Add configuration steps for WildFly 18
ECA-9197 - Document how to limit length of DN fields using regexp validation
Improvements
ECA-1758 - Add system tests for caRenewCertRequest (WS)
ECA-4130 - Publishers: Show the publisher type next to the name in the Publishers page
ECA-5912 - Trim spaces and check syntax of CT URLs when they are added
ECA-6284 - Use something faster than java.beans.XMLEncoder/Decoder
ECA-6296 - Limit length of subject DN in RA GUI search results
ECA-6505 - Documentation: Add diagram how CA, CPs and EEPs are related
ECA-7064 - Disallow creation of Peer Connectors with the same name
ECA-7633 - New flag in 'ejbca.sh ca republish' command to list certificates instead of end entities
ECA-7722 - Minor usability improvements on Edit CA page
ECA-7819 - Remove old installation properties and ant targets
ECA-7959 - A user should be able to click a link to be returned to the previous page after error occurs
ECA-8157 - Add back the username field to EEP
ECA-8636 - CT systemtest - Publish precert
ECA-8670 - Allow selenium setup to run with different ManagementCA name
ECA-8672 - Fix trivial warnings in cesecore-common
ECA-8675 - Fix CryptoToken import in configdump
ECA-8694 - Automate ECAQA-155
ECA-8698 - Unclear UI messages for RA CA name in EST alias
ECA-8703 - Trim space for ACME Aliases Add function
ECA-8706 - Refactor CAInterfaceBean and related classes
ECA-8713 - Automate ECAQA-152
ECA-8715 - Optimize Azure Key Vault Crypto Token to not make unnecessary REST calls when checking for status
ECA-8716 - Optimize PKCS11 Crypto Token to not make unnecessary PKCS#11 calls on deactivated crypto tokens
ECA-8720 - Jenkins: upgrade powermock dependencies for JDK11+
ECA-8721 - Jenkins: EJBCA_JDK_DOCKERS
ECA-8722 - Update cert-cvc library to build with Java 11
ECA-8725 - Optimize render of created/edit CA page to not list all crypto token keys
ECA-8729 - ConfigImport Admin Roles import order
ECA-8738 - Make it possible to run tests within eclipse
ECA-8746 - Add small help text for subject DN field when creating a CA
ECA-8747 - Give error message when trying to import an IS certificate to a DVCA
ECA-8749 - ApprovalProfileSession.removeApprovalProfile throws exception when profile does not exist, does not follow javadoc contract
ECA-8754 - Optimize CaSessionBean.getCAIdToNameMap to use cache
ECA-8755 - Optimize CryptoTokenManagementSessionBean.getKeyPairInfo to not list all aliases
ECA-8758 - Sort "Extended Key Services Specification" dropdown
ECA-8765 - Document in Client Toolbox how to include CESeCoreUtils
ECA-8774 - Fix some NPEs in the log when accessing without proper session
ECA-8775 - Improve output format in CertDistServlet listcerts command
ECA-8783 - Add test case for va publisher data source (Selenium)
ECA-8788 - Inconsistent behaviour between CLI and AdminWeb created CA using CA defined AIA
ECA-8789 - Allow UNUSED data value in databaseprotection.properties
ECA-8793 - Add new HTTP security headers
ECA-8794 - Add HTTP security headers to CertDistServlet
ECA-8795 - Improve error handling in PublicWeb when entering invalid DN
ECA-8797 - The wrong path of a language configuration file in the document
ECA-8801 - Change text uses->allows in configuration checker message about ECC keys
ECA-8809 - Fix formatting in CertStoreServletTest and CertFetchAndVerify
ECA-8813 - Show a warning when basic constraints are violated
ECA-8821 - Better error message when trying to sign with an inactive crypto token
ECA-8839 - Allow serial numbers to be entered with colon or spaces also
ECA-8863 - Jenkins jobs improvement
ECA-8865 - Selenium test constantly failing on RA-web
ECA-8872 - Documentation: Clarify what multiple issuers in the CAA validator means
ECA-8879 - Create end entity based on UPN in certificate when running "importcertsms" CLI command
ECA-8882 - Improve Swedish translation of the RA web
ECA-8907 - Add validator for SAN field in Create CA page and improve error handling.
ECA-8908 - Update documentation for pre-produced OCSP responses
ECA-8911 - Ability to get version of clientToolBox
ECA-8921 - Automate ECAQA-113
ECA-8924 - Automate ECAQA-116
ECA-8926 - Add delete method in OcspDataSession bean.
ECA-8930 - The Save button in the RA web edit end entity page should be located at the bottom
ECA-8932 - Document improvement in CRL Behaviour after CA Revocation
ECA-8936 - Revise the OcspResponseData table and primary key.
ECA-8943 - Public key blacklist should handle Debian blacklist format
ECA-8958 - Modify CmpRAUnidTest to run without the Unid datasource
ECA-8961 - Improve debug logging for approvals to easily see type
ECA-8975 - Code cleanup: Encode EC keys generated by a Pkcs11NgCryptoToken without explicit params first
ECA-8977 - Add sample token properties to changecatoken CLI command to make it easier to use
ECA-8996 - Code cleanup: Azure crypto token
ECA-8997 - Code cleanup: AWS KMS crypto token
ECA-8999 - Add cabforganizationidentifier as argument to WS cli
ECA-9003 - Code cleanup: OidsObjectLinkedHashSetConverter and write unit test
ECA-9027 - Check that all certificate/end entity profile pairs have at least one usable CA
ECA-9032 - Configurable time before expire for Ocsp Response Presigner
ECA-9033 - Improve JPQL query for getting expired responses
ECA-9034 - Support SHA1 and SHA256 hashes for Pre-produced OCSP responses
ECA-9035 - Upgrade to BC 1.65
ECA-9036 - Increase column size of subject DN and subject email for MySQL/MariaDB
ECA-9041 - SCEP: Debug log message encryption algorithms
ECA-9045 - Enable legacy browser enrollment in IE11 on Windows 10
ECA-9058 - On-demand setting for OCSP pre-production
ECA-9067 - Improve CryptoToken Config: Verify Auto-Activation Codes
ECA-9070 - Add support for CAs using SHA256WithDSA
ECA-9096 - Peer publisher for OCSP response data
ECA-9097 - Show only relevant curves/key sizes on certificate profile page
ECA-9098 - Retrieving curves and algorithms on RA web needs to be optimized
ECA-9107 - Add peering configuration capability to CLI to support scripting external VA/RA
ECA-9113 - CLI ca importcertdir command should use random password
ECA-9123 - Don't check key length if we have allowed Ed25519 or Ed448
ECA-9124 - Add "Cache-control" header to HTTP POST OCSP responses.
ECA-9131 - Clean-up job for expired OCSP Responses
ECA-9132 - Support Archive Cutoff for pre-produced OCSP responses
ECA-9135 - Improve documentation about allow.external-dynamic.configuration in ejbca.properties and cesecore.properties
ECA-9139 - Trigger OCSP Response Publisher on generation
ECA-9160 - Allow CLI upgrade command to run post-upgrade automatically
ECA-9162 - Allow to store pre-produced OCSP responses in response to requests with Nonce, if response does not have Nonce
ECA-9186 - Make new XmlSerializer code locale insensitive and deterministic
ECA-9189 - Allow OCSP Response Pre-Signer to only do Final Responses
ECA-9208 - Don't render OCSP Pre Production in EJBCA CE
Bug Fixes
ECA-1691 - Reject issuance if both notBefore and notAfter are in the past
ECA-2052 - Country code in Subject DN of CVC CA is case sensitive
ECA-2068 - Export CA key Store with incorrect password shows an exception on the screen
ECA-4155 - Check if RoleMember matched by X.509 certificate has a plausible CA and certificate serial number combination
ECA-4363 - Use different return codes for importprofiles CLI command
ECA-4735 - Unify appearance in "Edit CA" page between "CA life cycle" and "Externally signed CA creation/renewal"
ECA-5704 - Extended Key Usages / Prevent user from adding same Label for different OIDs
ECA-5705 - Extended Key Usages / Adding new Label with an existing OID replaces the old one without any error
ECA-6113 - SAN with escaped commas (e.g. in directoryName) is not displayed correctly
ECA-6189 - Subject DN e-mail field and EE e-mail field conflated in the RA
ECA-6770 - Extra slashes introduced on links from some admin web pages
ECA-7060 - Handle invalid input on 'Approval Profiles' page
ECA-7072 - Long text input in field validation of Manage Data Source page causes crash
ECA-7299 - Unit tests require PKCS#11 "slot 1" to exist and do not work with SoftHSM
ECA-7333 - It is possible to add Internal Key Bindings without a name
ECA-7678 - 'Close' button not functioning under 'Roles and Access Rules' page
ECA-7733 - Security hardening
ECA-7739 - Using a certificate profile template does not select the correct fields
ECA-8049 - Treat Subject Directory Attributes the same way as Subject DN.
ECA-8146 - OCSP signer renewal via peers not working for throw-away CA
ECA-8233 - "invalid use of tag" warnings from Javadoc for WS exceptions on JDK 11
ECA-8237 - Getting "XML Parsing Error: no root element found" when clicking "View Older" in View Certificate popup
ECA-8376 - RA Web doesn't build in CE.
ECA-8496 - Document how to prevent BouncyCastle not being loaded by an EJBCA classloader
ECA-8659 - Error message is not displayed in Audit Log UI page when database protection fails to verify
ECA-8679 - Security issue
ECA-8680 - Index recommendation will not allow use of partitioned CRLs
ECA-8687 - Fix selenium test failures due to wrong Certificate Profile save message
ECA-8689 - Enable /administrator when granting access to the WS protocol over peers
ECA-8690 - Import of IKB doesn't set bound cert Id
ECA-8691 - Add upgrade notes for ECA-8679
ECA-8697 - Audit log menu item visible on some pages even if the audit log is disabled
ECA-8707 - Key sequence ignored when renewing CA
ECA-8711 - Regression: Cannot change "Signed by" option for CAs in Uninitialized state
ECA-8712 - No alias for key purpose 0 error when editing external CA
ECA-8714 - Use CRL partitions should not be rendered for External CAs
ECA-8719 - 'Make New Request' on 'RA Web' on 'Clean Installation' results in StackOverflowError
ECA-8723 - cert-cvc should use Bouncy Castle provider for verification of CVCAuthenticatedRequest
ECA-8728 - TestDatafields in cert-cvc fails if clock is 00:00-00:59
ECA-8734 - Incorrect warning of ConfigExport/Import SCP Publisher
ECA-8735 - Some system tests fail if ManagementCA is called something else
ECA-8736 - HealthCheckTest.testAuditLogHealthCheck does not restore databaseprotection.keyid.AuditRecordData
ECA-8737 - change/addUser should throw a proper error message instead of NPE when changing a user to a non-existing EE profile
ECA-8739 - NPE when importing brainpoolP256r1 DVCA certificate
ECA-8742 - Delete tests leave crypto tokens left behind by system tests
ECA-8743 - KeyGenParams is not serializable
ECA-8752 - CA message handlers may throw NPE instead of CADoesntExistsException when CA does not exist
ECA-8756 - ClassCastException on Wildfly 14 when saving a certificate profile with "Subject DN Subset" enabled
ECA-8757 - CaImportCACommand doesn't activate KeyRecoveryCAServiceInfo
ECA-8759 - Unclear error message CA/B Forum Organization Identifier is blank or missing
ECA-8761 - Certificate Extensions not enabled in the Certificate Profile give no error
ECA-8766 - Certificate pinning for Authentication Key Bindings is not working if the pinned certificate is not in the database
ECA-8772 - Minor security issue
ECA-8773 - Security issue
ECA-8777 - Security issue
ECA-8778 - WS request with missing required extension field can still be issued
ECA-8779 - WS request with extension field that is in CP but not EEP can be issued
ECA-8780 - KeyRecoverySessionBean.addKeyRecoveryData does not return false if data already exists
ECA-8782 - ServiceSession logs incorrect administrator when editing a service
ECA-8785 - Statedump import fails when there is an unconfigured EST alias
ECA-8786 - Making a CVC WS request can fail if there is an uninitialized CVCA
ECA-8791 - Cannot search by year 2020 in Admin Web
ECA-8796 - Sometimes wrong default setting for "Send notification" in the RA, when notifications are enabled
ECA-8799 - Regression: Wrong JKS is downloaded in the "CA Certificates & CRLs" page
ECA-8803 - NPE in Admin UI if script publisher configured and after that external scripts are disabled
ECA-8811 - CVCA link certificate has wrong validity
ECA-8816 - 'Remove from CRL' should be removed from 'Revocation Reason' list
ECA-8819 - Cannot use 7.x RA with 6.15 CA
ECA-8823 - Bad default CRL parameters when importing CA
ECA-8832 - Create button enabled while viewing CA non privileged.
ECA-8858 - Test failure in ConfigdumpCertificationAuthorityUnitTest
ECA-8859 - CA does not get selected on Add End Entity page load, test failure in EcaQa59_EEPHidden
ECA-8861 - Strip key alias when creating new keys
ECA-8864 - I cannot download generated certificate request as PEM or DER. An exception has occurred.Server returned: 500
ECA-8869 - Fix duplicate/ambiguous network name on old Jenkins jobs
ECA-8870 - Fix selenium tests jobs of Domain Blacklists on Jenkins
ECA-8871 - Test EcaQa5_AddEndUserEndEntity fails due to changing element IDs and incorrect profile
ECA-8873 - No certificate profile specified in EcaQa202_NegativeBlacklistExactMatch test
ECA-8874 - EcaQa77_EndEntitySearch is sensitive to the environment
ECA-8880 - UpdatePublicKeyBlacklistCommandTest contains empty folder in resources, which fails with GIT
ECA-8881 - Empty POST to /.well-known/est/simpleenroll results in NullPointerException
ECA-8884 - PKCS#11 CP5 Cryptotoken type displayed even if no libraries are configured
ECA-8885 - HealthCheckTest fails on Community Edition
ECA-8888 - Test failures in Selenium jobs due to port conflict
ECA-8890 - Certificate Validator ignores profile settings
ECA-8893 - ServiceLocatorException on approval/notification when mail is not configured
ECA-8900 - The wrong certificate profile is edited when opening two certificate profiles in different tabs/windows
ECA-8910 - Jenkins Oracle DB is missing indexes, which causes failures
ECA-8912 - No remote key bindings listed on CA when any keybinding references a non-existent key
ECA-8915 - Usability: Verify allowed characters in key aliases when generating keys using the Azure Key Vault REST API.
ECA-8916 - Fix Jenkins test failure in EcaQa76_AuditLogSearch
ECA-8917 - Pre-sign Certificate Validator gives error when using ECDSA and a CA using HSM
ECA-8925 - Fix timing sensitivity in CTLogTest
ECA-8942 - Web Services - DN Merge Issue with Multiple OU Fields
ECA-8948 - Avoid NPE when no CA configured in EST alias
ECA-8955 - SCEP renewal should give nice error message when renewal cert does not exist
ECA-8956 - SCEP RA mode should not log on error level for normal handled error cases
ECA-8957 - Fingerprints not normalized on public key blacklist import
ECA-8959 - Public EC keys generated by a Pkcs11NgCryptoToken are always using explicit EC parameters
ECA-8960 - Regression: throwing checked Exceptions from postConstruct is not allowed in JEE spec
ECA-8985 - Certutil dump file created in Windows cannot be read by 'ejbca.sh ca importcertsms'
ECA-8989 - Unable to upload a zip with custom CSS files
ECA-8993 - CMP response message with PBE protection does not include configured extra certs
ECA-9012 - 'General Settings' Help/Documentation link 'Edit Validator' page is broken
ECA-9015 - Import Help/Documentation is broken under System Configuration/Custom RA Styles
ECA-9024 - AJAX for associating an RA style with a role is broken
ECA-9025 - Weird error message when certificate profile cannot be removed
ECA-9028 - Validators Help/Documentation link is broken under Edit CA page
ECA-9029 - Approval request not done by cert authenticated admins shows blank in Requested By
ECA-9030 - Improve audit logging for custom RA styles
ECA-9038 - NPE clicking Receive Certificate Response in Edit CA screen, if nothing is uploaded
ECA-9048 - Some languages not working for subject DN when viewing certificates in CA GUI
ECA-9060 - Adding a new label with an existing OID does not give you any error/message.
ECA-9064 - Prevent inactive CmsCAService to try to load keystore
ECA-9069 - Some CA lists in services are not sorted
ECA-9071 - Regression - 2 Edit buttons displayed in RA Web End Entity Details page
ECA-9073 - Approvals can't be edited by admin
ECA-9078 - Documentation link for Enable End Entity Profile Limitations? is broken
ECA-9080 - Documentation link for 'Create Authenticated Certificate Signing Request' is broken
ECA-9082 - 'ETSI PSD2 QC Statement' Documentation link refers to the wrong page
ECA-9086 - Missing documentation for CA/Browser Forum Organization Identifier
ECA-9103 - Ed448 and Ed25519 not supported in RA UI and Public Web
ECA-9104 - Edit end entity can log the wrong changed DN if DN merge is used
ECA-9106 - Regression: Unable to submit to CT logs
ECA-9109 - Regression: RA GUI: Regardless of the format chosen the downloaded certificate is always a PKCS12 certificate.
ECA-9110 - EJBCA adminweb is not accessible after configuring "Custom Publisher"--An exception has occurred. For input string: "60000"
ECA-9111 - Regression: EJBCA CA key renewal service does not work on subCAs
ECA-9112 - Selenium Tests in Jenkins
ECA-9125 - Avoid that upgrade adds duplicate OCSP extension that already exists
ECA-9126 - Methods to delete Ocsp Responses fail
ECA-9128 - Regression: Peers cannot deserialize TreeMap
ECA-9129 - Custom extensions cannot be deserialized by EJBCA
ECA-9130 - Regression: can not change CVC terminal type in CA UI
ECA-9136 - RaMasterApi reports wrong API_VERSION
ECA-9137 - Regression: Not possible to activate rollover renewal, CA rollover cert activation is not rendered in Admin UI
ECA-9138 - Documentation link broken in Edit Publisher 'Publisher Queue' section
ECA-9143 - NPE editing SCEP alias after rename of end entity profile and SCEP alias list items are not sorted
ECA-9150 - Audit Log page error
ECA-9152 - Some certificates are missing when downloading a JKS chain
ECA-9153 - Always close SSH connections created by the SCP publisher
ECA-9154 - Regression: can't edit ICAO document type list in adminweb
ECA-9157 - OCSP audit and account logging does not work when serving pre-produced responses
ECA-9159 - NJI11ReleasebleSessionPrivateKey always assumes RSA
ECA-9166 - Class was not found on classpath
ECA-9167 - Typo error in ORM mapping for ApprovalData
ECA-9170 - SecureXmlDecoder cannot deserialize enums created in Java 6
ECA-9172 - Rollover of expired CA will not make it active due to CRL generation failure
ECA-9174 - NPE in configuration checker if certificate profile linked from end entity profile does not exist
ECA-9178 - HealthCheckServlet is trying to create a "filename.properties" with no path
ECA-9181 - Deleting token used for 'Force Local Key Generation' breaks Basic Configurations page
ECA-9188 - Don't persist responses with status 'Unknown'
ECA-9190 - NullPointerException in Statedump when a non-existent publisher is still in use
ECA-9192 - Not possible to add additional CA certificates to CMP response
ECA-9200 - Regression: Several ajax calls on certificate profile page broken
ECA-9202 - Statedump support for the Google Safe Browsing Validator
ECA-9204 - It is possible to rename a CA with no name
ECA-9205 - NPE when testing the connection of a VA Peer Publisher referencing non-existing peer system
ECA-9207 - Regression: Created CVC Authenticated requests can not be downloaded in Admin UI