CM service release 8.10.9

Enforce adequate officer roles to save an AWB object

An officer lacking the appropriate roles will be unable to save AWB objects. In addition to the "Use AWB" role, it is essential for the officer to possess the "CA and key tasks" role in order to save CA:s and CaKey:s, as well as to manage policy, officer profile, and officer objects. Currently, the "Use AWB" role is restricted to view-only access for AWB objects.

Two-step signing improvement

The two-step signing process in AWB has been improved to ensure that two different CM officers are always displayed on the signed object.

CM service release 8.10.8

Incorrect import of cross-signed CA with custom algorithm in AWB

Resolves a bug affecting CA cross-signing where a cross-signed subordinate CA with a custom key algorithm was not mapped correctly to the CA object when importing the certificate in AWB.

CM service release 8.10.7

CM clients

Unable to modify officer objects in AWB without SA license

Resolves an issue where the new Signing Authority roles were loaded even when the clients did not have a license for the Signing Authority feature. This caused officer objects to no longer be created or modified, and has now been resolved.

CM service release 8.10.6

Regular installation

Signing Authority now compatible with OpenSSL

The Signing Authorities configured with format signing_pkcs7 now delivers a SignedData structure wrapped in a ContentInfo structure (as defined by rfc2315).

Reuse HSM sessions

Fixes a problem introduced with CM 8.10.3 which caused opening of new sessions to HSMs, instead of reusing existing ones. The problem caused operations towards HSM to take longer time than necessary, thus degrading performance.

Podman installation

Changes to CF server image 8.10.6-1

Updated Java version

The bundled java version has been updated from 17.0.11_9 to 17.0.12_7.

Changes to PGW image 8.10.6-1

Updated java version

The bundled java version has been updated from 17.0.11_9 to 17.0.12_7.

Updated tomcat version

The bundled tomcat version has been updated from 10.1.25 to 10.1.28.

CM service release 8.10.5

CM clients

Fixes Authority hierarchy in AWB

Fixes an issue in the AWB which caused CA certificates containing path length constraint = 0 to be displayed incorrectly in the Authority hierarchy. It also caused problems when importing CA certificates with AKI = NULL.

CM service release 8.10.4

Regular installation

Inactive Signing Authorities could still be used

Closed, revoked or expired SA now correctly denies incoming signing requests.

Signing Procedures could be used when closed

Closed Signing Procedures now correctly denies incoming signing requests.

Produced incorrect signatures for SA with EC based key

Corrects an issue where an invalid signature was applied to signing requests against a Signing Procedure using the signing_digest format with an EC based Signing Authority.

Podman installation

Changes to CF server image 8.10.4-1

Base image for CF server is changed to "scratch". A strippedJRE based on Adoptium Temurin JDK 17 is used as the CM runtime.

Changes to PGW image 8.10.4-1

Base image for CF server is changed to "scratch". A stripped JRE based on Adoptium Temurin JDK 17 is used as the CM runtime.

CM service release 8.10.3

Regular installation

Periodic delta CRL included entries of the full CRL

Fixes a bug which caused the periodic delta CRLs to include the CRL entries of the full CRL which it references.

CM clients

Fixes signing error in AWB for co-signer with IDPrime MD cards

Resolves an issue with IDPrime MD840 and MD940 cards where the co-signer could only sign once per login. This fix needs to be applied together with a configuration change in Personal.cfg when using IDPrime MD cards.
Configuration changes to be apply to Personal.cfg:
[CSP_PKCS11]
P11_LogoutAfterSign=1

Fixes wrong automatic role selection in AWB

Resolves an issue where the 'Use AWB' role was automatically selected when selecting the role 'Signing Authority Requests'. The correct 'Use Client' role is now automatically selected instead, if not already selected.

CM service release 8.10.2

Regular installation

Fixes issue when using SA with EC based keys with signing_pkcs7

Corrects an error regarding invalid signing algorithm when requesting a signature against a Signing Procedure using the signing_pkcs7 format with an EC based Signing Authority.

CM service release 8.10.1

Regular installation

Support for CRL based revocation time for Secunet publications

The 'Secunet OCSP Revocation' publication format now supports the parameter 'secunet.crlBasedRevocationTime'. This allows revocation information distributed to a Secunet OCSP responder to have a more accurate revocation time. This flag is deactivated by default.

Activate the 'secunet.crlBasedRevocationTime' flag by navigating to the publication procedure in AWB that is using the publication format 'Secunet OCSP Revocation' and modifying the format with the 'advanced' button.