Sunday, May 22, 2011

EJBCA 4.0.2 released

We are proud to release EJBCA 4.0.2. This release brings many optimizations and improvements to EJBCA 4.0. We regard this as the best version of EJBCA to date, setting new performance records as well as improving on the already extensive feature set. A thorough QA period also ensures that this should be one of the most stable releases in production for the coming months.

In all, 44 issues have been resolved.

Noteworthy changes:
  • Internal optimizations make this the fastest version of EJBCA ever, capable of issuing > 400 certificates/second (depending on configuration).
  • Certificate enrollment now works also with Safari and Chrome browsers and Android 2.3.4.
  • Support for PrivateKeyUsagePeriod certificate extension.
  • Fixed a time zone bug when issuing CVC certificates, where the date was encoded in certificates using the local time zone instead of GMT.
  • More admin console and public web improvements from David Carella of Linagora.
  • Now uses ISO8601 date format consistently when entering dates in admin console.
  • Automatic generation of Norwegian UNID numbers from CMP requests.
  • Many small bug fixes and improvements.

The ISO8601 date format (yyyy-MM-dd HH:mm:ssZZ) is used in the Admin GUI and EJBCA WS interface, so clients no longer have to be aware of which time zone the CA servers are located in. The old format (in US Locale) will still work for incoming requests in the WS, but any returned UserDataVOWS containing custom start and end dates will use the new format.

Read the full Changelog for details.

Regards,
The PrimeKey EJBCA Team

Tuesday, May 3, 2011

EJBCA 3.11.2 released

The PrimeKey EJBCA team is happy to announce that EJBCA 3.11.2 has been released! This is a maintenance release – 23 issues have been resolved. The most noteworthy changes can be seen below.
EJBCA 3.11.2 is a maintenance release in the 3.11 branch of EJBCA. The main release branch of EJBCA is the 4.0 branch, where 4.0.1 has been released, and 4.0.2 is upcoming.

EJBCA 3.11.2 Release Notes

Improvements and new features:
  • Increased algorithm support on PKCS11 HSMs.
  • Added a webservice based RA written by Daniel Horn.
  • It is now possible to disable the command line interface.
  • There are new commands to import CRLs and certificates which are useful when migrating to EJBCA.
  • Documented the fact that External OCSP does not run on JBoss 5.x.
  • Added GlassFish database schema for Oracle.
  • Added a webservice call for retrieving CA path.
Bug fixes:
  • Removed some inelegant error messages from the GUI.
  • Removed a bug that sometimes caused certificates to be valid a day longer than intended due to daylight saving time.
  • Fixed a bug which prevented revocation after upgrading from EJBCA 3.4.x.
  • Fixed a bug causing some information to not be logged during WS calls.
  • Fixed a bug preventing revoked certificates from being republished to the VA server.
  • Republish button now works with special characters and without certificate request history.

Development continues beyond this version and all requests from the community are scheduled for EJBCA 3.11.3 or later releases.

More information is available at the project web site and the complete changelog can be viewed in the issue tracker.

Thursday, March 3, 2011

EJBCA 4.0.0 released

The PrimeKey EJBCA team is happy to announce that a new generation of EJBCA is finally here. As always, you can download the release from SourceForge.

In this release, the underlying framework has changed from Java Enterprise Edition 2 to 5. EJBCA 4 will constitute the solid base for EJBCA for the coming years. Together with major refactoring, the Java Enterprise upgrade significantly improves the quality of the EJBCA code and internal architecture, allowing for faster development time. The technology upgrades also make way for the development of a new Administration GUI and the integration with CESeCore.

164 issues have been resolved for this release. The most noteworthy changes can be seen below.

Development continues beyond this version and all requests from the community are scheduled for EJBCA 4.0.1 or later releases.

More information is available at the project web site and the complete change log can be viewed in the issue tracker.

EJBCA 4.0.0 Release Notes:
New features:
- Framework changed to Java Enterprise Edition (JEE) 5.
- Well defined database schema for all supported application servers and databases. You are now able to switch application server.
- Support for the Ingres database without patching.
- Numerous features and improvements to the Administration GUI, command line interface and core functionality.

Bug fixes:
- Improved reliability of EJBCA services.
- Many small bug fixes and stabilizations.

For more information, please contact:
Tomas Gustavsson, CTO, PrimeKey Solutions AB,
tel: +46(0)707 42 10 96, e-mail: tomas at primekey dot se

Tuesday, February 8, 2011

Smart cards working with OpenSC/Linux/Firefox

I just tested the Aventra MyEID smart card with the latest opensc (trunk). Works like a charm.

You need the OpenSSL development libraries to build the pkcs15-init tool in opensc. For Ubuntu this means installing the libssl-dev package.
sudo apt-get install libssl-dev autoconf libtool
sudo apt-get install pkg-config libpcsclite-dev
svn co http://www.opensc-project.org/svn/opensc/trunk opensc
cd opensc
./bootstrap
./configure --prefix=/usr
make
sudo make install
pkcs15-init -E
pkcs15-init -C --pin foo123 --puk foo123
(or just 'pkcs15-init -C' but you have to enter pin code about 20 times)
pkcs15-init -P -a 01 -l test01
pkcs15-init -F


After this is done, you need to add /usr/lib/opensc-pkcs11.so as a Security Device in Firefox. To enroll, simply add a new user in EJBCA, go to Public Web and do a browser enrollment. I used Medium Security in order to get 1024-bit RSA keys, which I know work with my card reader, which does not have Extended APDU using CCID.
Browser enrollment will generate a new key on the smart card, get a certificate from EJBCA and store the certificate on the smart card.
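
A check to run after the enrollment described above, as an added example that is not from the original post: it reads the certificate back from the card, has the on-card key sign a random challenge, and verifies that signature with the certificate's public key. The object ID 45 and the SHA256-RSA-PKCS mechanism are assumptions; list what your card offers with pkcs15-tool --list-certificates and pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-mechanisms.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the certificate
# stored on the card belongs to the private key generated on the card.
MODULE=/usr/lib/opensc-pkcs11.so   # PKCS#11 module path used in the post
KEY_ID=${KEY_ID:-45}               # assumption: hypothetical object ID
MECH=${MECH:-SHA256-RSA-PKCS}      # assumption: mechanism offered by your card

# Print the RSA modulus size in bits of the PEM certificate in file $1.
cert_rsa_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if signature file $3 over data file $2 verifies under the
# public key of the PEM certificate in file $1.
verify_with_cert() {
    pub=$(mktemp) || return 1
    openssl x509 -in "$1" -noout -pubkey > "$pub" &&
        openssl dgst -sha256 -verify "$pub" -signature "$3" "$2" >/dev/null 2>&1
    rc=$?
    rm -f "$pub"
    return "$rc"
}

# Read the certificate from the card, sign a fresh random challenge with the
# on-card key (pkcs11-tool prompts for the PIN), and verify the result.
check_card() {
    dir=$(mktemp -d) || return 1
    pkcs15-tool --read-certificate "$KEY_ID" > "$dir/cert.pem" &&
        echo "RSA modulus: $(cert_rsa_bits "$dir/cert.pem") bits" &&
        openssl rand -out "$dir/challenge.bin" 32 &&
        pkcs11-tool --module "$MODULE" --login --sign --mechanism "$MECH" \
            --id "$KEY_ID" --input-file "$dir/challenge.bin" \
            --output-file "$dir/sig.bin" &&
        verify_with_cert "$dir/cert.pem" "$dir/challenge.bin" "$dir/sig.bin"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Run against a real card only when asked to: sh check-card.sh --card
if [ "${1:-}" = "--card" ]; then
    check_card && echo "certificate matches the on-card key"
fi
```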

With this test we now know about three cards that work well to do browser enrollment with Firefox.


Also see the old blog post about using the openssl engine to make certificate requests and import certificates to the smart card.

Friday, February 4, 2011

New WebServiceRA Application

PrimeKey is pleased to announce the availability of WebServiceRA, an RA (Registration Authority) Administration application.
WebServiceRA is a functioning Java application that communicates with EJBCA certificate authorities using EJBCA web services.

In addition to providing many Java code examples of using the EjbcaWS web service interface, this program provides a simple UI for creating and querying end entities, as well as generating certificates (as either P12 or JKS files).

The source code and instructions for building and running this application may be downloaded from SourceForge.

Thursday, December 23, 2010

EJBCA 4.0 alpha1 released

Hi everybody!

Eagerly waiting for the next major version of the best PKI software in the world? Now is your chance to try it out.

EJBCA 4 uses Java Enterprise Edition 5 (JEE5) instead of J2EE. This is a major improvement of the core, modularization, portability and packaging, but you will not notice many functional differences.

What else?

  • The database schema is fully defined through the Java Persistence API and table create scripts are provided for all the supported databases.

  • Many bugs have been corrected. For example, EJBCA Services will run more stably in a clustered environment.

  • The Ingres database can now be used with EJBCA without patching the code.

  • A JEE5 compliant application server, Java 1.6 and Ant 1.7.1 or higher are required from this version on.


Since this is an alpha release, you can expect a few rough edges. Keep in mind that there will not necessarily be an upgrade path from this release to EJBCA 4.0.0.

Download!
Submit bug reports!

Happy holidays and testing,
The PrimeKey EJBCA Team

EJBCA 3.11.1 released

Today PrimeKey has released EJBCA 3.11.1.

This is a maintenance release – 16 issues have been resolved. Only fixes
and layout improvements, no new features.
This release fixes an upgrade issue from 3.6.x to 3.11.x and also a
MySQL/MyISAM related issue in the 3.11.0 release.
A few uncaught regressions from 3.10.x and 3.11.0 were fixed, and as
usual David Carella of Linagora added some Admin GUI layout improvements.

Noteworthy changes:

  • It is now possible to easily upgrade from EJBCA 3.6.x to 3.11.x.

  • Fixed a MySQL mapping that did not work when using the MyISAM storage engine and UTF-8 encoding.

  • ETSI QC value limit can now have the value zero.

  • Admin GUI improvements from David Carella of Linagora.

  • Added a favicon to the EJBCA web interfaces.

  • Fixed an issue causing cached end entity profiles (not default) to be changed for some actions in the admin GUI.

  • Fixed an issue where session information spilled over to other edits when using the "Back to certificate profiles" link.

  • Fixed an issue where using the required flag on Cardnumber in an end entity profile gave an error about a missing unstructured address. This also resolved an issue where the DN field Unstructured Address did not work.



You can read the full changelog in the EJBCA Jira.

In addition to making EJBCA available as full open source software, PrimeKey also supplies support services and training for EJBCA.