
Release notes Certificate Manager 8.11

Release date: 2024-11-08

Release.txt

Detailed information about changed functionality, deprecated functions, corrected problems, and known issues is included in the Release.txt file. The file is provided with the installation media.

Overview of main new features

Possibility to dump CM REST API requests and responses

It is now possible to enable requests and responses over the REST API to be saved to disk for help with troubleshooting. For more information, see “Message dump logs” in Logging in Protocol Gateway.

Enforce adequate officer roles to save an AWB object

An officer lacking the appropriate roles can no longer save AWB objects. In addition to the "Use AWB" role, the officer must now also hold the object-related role for the object type being saved, for example "policy tasks" in order to save procedure objects.

CIL build improvements for segmented CILs

CM now fetches the CIL entries in batches when the CIL procedure is configured to utilize segments.

Delta CXL support in PGW Distribution Point

The PGW Distribution Point now supports serving Delta CRLs/CILs. This is enabled by configuring the delta parameter for the handler in dp.properties.

Added support for CRL based revocation time for Secunet publications

The 'Secunet OCSP Revocation' publication format now supports the parameter 'secunet.crlBasedRevocationTime'. This allows revocation information distributed to a Secunet OCSP responder to have a more accurate revocation time. This flag is deactivated by default.

Updated Nexus PKCS11 Cryptoki PKCS #11 version support to v3.00

The cryptographic component Nexus PKCS11 now supports Cryptoki PKCS #11 v3.00. Previously supported version was v2.40.

Chained AuditLog Signature Verification Tool

CM now provides a command line tool for verifying chained AuditLog signatures. Because each signature covers the preceding entries, the tool can detect manipulation of AuditLog entry data as well as entries that have been added or removed.
The tool is included in the CM Tools, which are installed together with CM. See CM Technical Description for more details.

Signing Authorities with ED25519 and ED448-based algorithms

It is now possible to set up a Signing Authority to use Ed25519 and Ed448-based signature algorithms. See CM Technical Description chapter 9 for more details.

CM-SDK and PGW now support configurable socket timeouts

The connection and read timeouts for the connecting sockets can now be configured in cmsdk.properties for CM-SDK and in cm-gateway.properties for PGW.

Bootstrap VRO

A new bootstrap officer has been added to facilitate easier setup of test environments. The officer is called boot_vro.p12 and is available in Soft Boot Officer.zip. The Bootstrap VRO is only allowed to perform client side requests, and may not use the AWB.

ACME revocation now supports the use of a publication procedure

acme.properties has been extended with a new parameter called 'publicationProcedure' allowing for a configurable publication procedure to be triggered when performing revocations through ACME.

WinEP - revocation over MS-CSRA

The WinEP functionality has been extended to support end user certificate revocation through the MS-CSRA (Certificate Services Remote Administration) Protocol in Microsoft Windows.
See WinEP - Revocation over MS-CSRA for more information.

WinEP - Requester's IP Address logging

WinEP now logs the client's IPv4 and IPv6 addresses and machine name for each request in the Windows Event Viewer when the log level is >= 3. The machine name is logged regardless of whether the IP addresses are known or unknown.

CM tenant domain logging in CM REST API

api.properties now supports a new handler parameter called 'showDomainInLogs', which allows CM REST API requests in PGW to show the CM tenant domain in the CM REST API logs for an officer.

Changed functionality

Removal of protocols EUI and AST

With the release of CM 8.11.0, the Enrollment User Interface (EUI) and Authenticated Soft Token (AST) protocols in Protocol Gateway have been removed.

New default wrapping algorithm for key generation in KAR use-case

To be compliant with newer versions of FIPS the wrapping algorithm used when extracting keys marked as sensitive from the HSM has been updated from 3DES to AES. The old behaviour can be achieved by setting the new parameter 'kar.common.token.<#>.use3des' in kar.conf.

Limit certificates to be used when creating an officer

When creating an officer in the AWB, certificates whose key usage contains key encipherment, data encipherment or key agreement without also containing digital signature or non-repudiation can no longer be used. This prevents the creation of officers that cannot be used within the CM system because their certificates have an invalid key usage combination.
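To make the rule above concrete, here is an added example (not Nexus code) that decodes a DER-encoded X.509 KeyUsage BIT STRING as defined in RFC 5280 and applies the same accept/reject decision the AWB now makes. The sample encodings are constructed for illustration and are not taken from real certificates.

```python
# Minimal decoder for the X.509 KeyUsage BIT STRING (RFC 5280, section 4.2.1.3),
# followed by the officer-creation rule from the release note.

KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

ENCIPHERMENT_USAGES = {"keyEncipherment", "dataEncipherment", "keyAgreement"}
SIGNATURE_USAGES = {"digitalSignature", "nonRepudiation"}


def parse_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (tag 0x03) into a set of KeyUsage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:  # short-form length only
        raise ValueError("unexpected length encoding")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("invalid unused-bit count")
    total_bits = len(body) * 8 - unused
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= total_bits:
            break  # trailing bits are absent, i.e. not asserted
        if body[i // 8] & (0x80 >> (i % 8)):  # bit 0 is the MSB of byte 0
            usages.add(name)
    return usages


def usable_for_officer(usages: set) -> bool:
    """Reject encipherment/agreement usages that lack any signature usage.

    Certificates without these encipherment usages are not affected by the rule.
    """
    has_encipherment = bool(usages & ENCIPHERMENT_USAGES)
    has_signature = bool(usages & SIGNATURE_USAGES)
    return not (has_encipherment and not has_signature)


# Constructed sample KeyUsage encodings (hypothetical, not from real certificates).
SAMPLES = {
    "sig+keyenc": bytes.fromhex("030205a0"),  # digitalSignature + keyEncipherment
    "keyenc-only": bytes.fromhex("03020520"),  # keyEncipherment only -> rejected
    "ka-only": bytes.fromhex("03020308"),      # keyAgreement only -> rejected
    "nr+ka": bytes.fromhex("03020348"),        # nonRepudiation + keyAgreement
}


def check_samples() -> dict:
    """Return {sample name: usable for officer creation}."""
    return {name: usable_for_officer(parse_key_usage(der)) for name, der in SAMPLES.items()}
```

With a real certificate, the input would be the value of the KeyUsage extension (OID 2.5.29.15) extracted from the certificate before being passed to parse_key_usage.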

Signing Authority now compatible with OpenSSL

Signing Authorities configured with the format signing_pkcs7 now deliver a SignedData structure wrapped in a ContentInfo structure (as defined in RFC 2315), which improves compatibility with OpenSSL.

Latest CRL Number is now displayed in both decimal and hex in AWB

To facilitate easier comparison with external tools, the AWB runtime information panel for CRL and CIL procedures now displays the latest CRL number in both decimal and hex.

ACME Account inputview now shows connected KeyId

'General Purpose InputView 14 - Save and Search ACME Accounts' now shows the connected External Account Binding KeyId if it exists.

CRL Procedure correction regarding Delta Distribution Point

CRL Procedures configured to use Complete CRLs and Delta CRLs with the 'Delta DP to certificate' option selected now require that a dedicated 'Distribution Point' is set.

Added support for Microsoft SQL Server 2022

Support for Microsoft SQL Server database version 2022 has been added.

Changed default transaction isolation level on MariaDB and MySQL

CM now uses the transaction isolation level READ-COMMITTED on all sessions towards MariaDB and MySQL. This matches the default on other database servers such as PostgreSQL.

Contact and support

For information regarding support, training, and other services in your area, visit www.nexusgroup.com/. Nexus offers maintenance and support services for components to customers and partners.

For more information, go to Nexus Technical Support or contact your local sales representative.

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.