EJBCA

A new CMP proxy module, improved transaction isolation and performance in CMP, the ability to enforce unique SubjectDN serial numbers and to validate the contents of end entity fields, supervision of the OCSP responder certificate validity in the standalone OCSP responder, and many minor bugfixes related to the big restructure in version 3.10.0.

New WS-API methods for renewing CAs. A new CMP proxy module letting you have a separate server terminating CMP connections and then forwarding them to the CA. The ability to renew CAs without activating new keys, enabling the CA to continue working until a new certificate is imported. Support for the SHA384WithECDSA signature algorithm. Deployment on JBoss EAP 5.0.0 has been fixed. An admin GUI bug with problems selecting privileges for RA administrators has been fixed. Some issues with the CLI and renewal of expired CAs have been fixed. A bug with the CLI for getting delta CRLs has been fixed. There are other minor bugfixes.

Restructuring and refactoring was undertaken to improve maintainability and prepare for the EJBCA 4 release and Common Criteria certification. A Web service method was provided for creating or updating a user and creating a certificate in a single transaction. Unique public keys and subject DNs are enforced. A new external RA API GUI was provided for browser enrollment without sending traffic to the CA. Support for Ingres 9.3 was added.

A minor performance regression for the OCSP service was fixed. A process time parameter was added to OCSP transaction logging. Usage of the optional IAIK PKCS#11 provider was fixed and improved. Sequence handling for EAC CVC CAs was improved. A bug when renewing CA keys on HSMs was fixed. A problem in which you could not use a dot in pre-set usernames in end entity profiles was fixed. The possibility to install directly with an external admin CA was added. The possibility to prompt for keystore password during install was added, so you never have to write it anywhere.

A bug where OCSP responder would not return correct status for archived (expired) certificates was fixed. A regression for the (deprecated) SafeNet JCE CA token was fixed. A regression where you could not renew expired CAs was fixed. It's not possible to renew soft ECC CA keys in the admin GUI. All language files are now encoded in UTF-8. Corner cases where bogus CRLs and certs could be published to LDAP were fixed.