Release Notes

The server starts up independently of whether CARA is available.

Several performance enhancements regarding the dashboards have been implemented.

The Realm Data section in dashboard has been removed in MTG-CLM UI. Also, the corresponding endpoint has been removed from MTG-CLM.

Resolved issues in dashboard of MTG-CLM UI.

Several performance enhancements have been realized.

Checking revocation of RA-mode certificate.

The JSON format of error messages has been changed to simple text.

Resolved an issue with preset search values when the lazy user search feature is enabled in MTG-CLM UI.

Added a button to the role details page in MTG-CLM UI to navigate to the role details in the Keycloak UI.

Attribute mail of AD is provided as property in the end-entity.

Checking revocation of client certificate, additionally in the authorization layer.

Endpoints /admin/import-provider-clients and /admin/import-provider-users have been renamed to /admin/sync-provider-clients and /admin/sync-provider-users, respectively. Additionally, keycloak clients that have been removed using keycloak UI are now gracefully handled when /admin/sync-provider-clients is invoked.

Added endpoints that return the roles that provide access to a provided end-entity, policy, certificate request or certificate and added section to display them in details page in MTG-CLM UI.

Endpoint /roles/users got replaced with /roles/users/assign and /roles/users/unassign, and /roles/api-clients with /roles/api-clients/assign and /roles/api-clients/unassign, respectively. Role actions were adjusted accordingly in MTG-CLM UI.

Added options in role details page to assign/unassign role to multiple users/API clients in MTG-CLM UI.

Naming method for default realm role has changed. It uses the name of the realm instead of the ID.

Introduced roles which substitute permissions set directly to user or API clients. In this version permissions are assigned to roles and roles are assigned to users or API clients. See Migration 4.3.0 to 4.4.0 for more details about the migration from the previous version.

Introduced realm default roles. See Migration 4.3.0 to 4.4.0 for more details.

Added buttons in API client details page for resetting secret and deleting API client in MTG-CLM UI.

Deleted deprecated and unused permissions.

CockroachDB is not supported anymore.

Added support for decrypting the client message with an RA certificate/private key rather than that of the CA. Also, the response can be signed with the RA certificate/private key.

The ScepPermission must be set at the application role of the CLM application in CARA, if it is not already set.

Several performance enhancements have been realized.

The Java built-in HTTP client is used as default instead of the Reactor Netty HTTP client.

Added option to opt-in java http client instead of reactor netty http client.

Added functionality to be able to configure the content of a password, for end-entities, API clients, and private keys.

Updates in MTG-CLM UI regarding the PSW - Public CAs certificate provider, to increase usability and user experience.

Fixed an issue when importing certificates with the same common name within the same PEM file.

Fixed an issue in MTG-CLM UI that prevented to set the active crypto module.

Added better error message when an already requested certificate is requested again.

Updated bom files to schema version 1.5.

Updated bom files to schema version 1.5.

SCEP requests can be logged. This is configurable.

Updated bom files to schema version 1.5.

Updated bom files to schema version 1.5.

Updated bom files to schema version 1.5.

Updated bom files to schema version 1.5.

Updated bom files to schema version 1.5.

Added new certificate provider PSW - Public CAs.

Removed UI-blocking elements in Dashboard page in MTG-CLM UI.

Introduced Crypto Modules used for encryption, decryption, and random number generation. See Migration of 3.10.0 to 4.0.0.

Introduced new configuration parameters.

Extended HttpClient configurability to prevent memory leaks.

Added de-duplication of alerts in MTG-CLM UI.

The search filter in users table is not pre-filled by default, instead this behaviour can be configured in MTG-CLM UI.

Introduced allowWildcard parameter in CLM Policies to allow/restrict wildcards certificates.

Refactored statistics in new, separate API Endpoints.

Performance enhancement to Dashboard page in MTG-CLM UI.

Introduced new configuration parameters.

Extended HttpClient configurability to prevent memory leaks.

Introduced new configuration parameters.

Extended HttpClient configurability to prevent memory leaks.

Introduced new configuration parameters.

Extended HttpClient configurability to prevent memory leaks.

Introduced new configuration parameters.

Extended HttpClient configurability to prevent memory leaks.

Introduced new configuration parameters.

Extended HttpClient configurability to prevent memory leaks.

Introduced new configuration parameters.

Extended HttpClient configurability to prevent memory leaks.

Re-organized cryptographic restrictions section in policy creation/editing.

Issue with retrieving the certificate providers for users with non-admin permissions has been fixed.

Issue with empty subject distinguished name in certificate fixed.

Fixed issue during certificate creation of more than 10 end-entities. Added pagination at bulk creation.

When certificates are imported over MTG-CLM UI, then they are immediately created if the corresponding certificate request is in status APPROVED.

Renamed internal directory name of response artifact when multiple certificates are requested.

Added the X.509 certificate in the response artifact when multiple certificates with server-generated key are requested.

Additional data contained in the extensions of the PKCS#10 request can be used for issuing the certificate.

The shared.secret configuration parameter can be set also as a hexadecimal representation of the SHA-256 hash output of the plain value.

Added a new field to supply the name of the CA in a Microsoft CA certificate provider. This accelerates access to services of Microsoft CA.

Read access for CAs is not restricted to users with administrator rights anymore. Any authenticated user has read access.

Latest audit events are only fetched for selected realm.

The search filter in users table is pre-filled with the ID of the logged-in user. Additionally, users are not fetched after each keystroke, instead they are fetched after pressing Enter.

Extended mapping file to support permissions for the use of a template to issue a certificate.

Added new certificate provider Microsoft CA.

Download certificate key pair/private key is hidden when not available in MTG-CLM UI.

Policies' allowed cryptographic algorithms are restricted by selected certificate provider’s type.

Renamed some labels related to certificate providers in MTG-CLM UI.

Fixed an issue related to self-signed certificates batch creation.

Fixed certificates' search by expiration date.

Dashboard’s Certificates expiring shortly ~ View All in MTG-CLM UI navigates to all realm’s certificates expiring shortly instead of all certificates of the realm.

Add search for certificate request based on end-entity’s CN.

Added support for HTTP-based reverse proxying. AJP is still supported.

Configuration parameters have been added and one parameter has been renamed. Please consult the administration manual.

Added support for HTTP-based reverse proxying. AJP is still supported.

Configuration parameter has been renamed. Please consult the administration manual.

Server responses do not contain user provided secrets and sensitive data.

Thorough refactor of permission mechanism to increase performance of the application.

Added option to download certificate’s private key in PEM format.

Added column Created Date on certificate requests table in MTG-CLM UI.

Fixed issues regarding sorting in MTG-CLM UI.

Search for end-entities when the policy is provided in search filter have been refactored. Now, all end-entities are returned with an additional property. This property indicates whether the end-entity violates or not the constraints posed be the end-entity rules of the policy. In the MTG-CLM UI, if the end-entity violates the rules then it is displayed, but it cannot be selected.

Updated API endpoint that issues certificates from multiple certificate requests (api/v1/certificates/cert-requests) to handle all certificate requests (PKCS10, Public Key, Server Generated, Self-signed).

Updated API endpoint that issues certificates from multiple certificate requests (api/v1/certificates/cert-requests), added optional query parameter omitArtifacts with default value false. If set to true, then no artifacts are included in server response.

Updated API endpoint that issues certificates from multiple certificate requests (api/v1/certificates/cert-requests), artifacts are not flat into the zip file, but in a directory named after the corresponding certificate request ID.

The URLs that use the policy ID are changed, to be consistent to the RFC specification.

Added new application parameter to configure whether the complete chain is included in the SCEP-SuccessResponse.

Added new application parameter to configure whether the complete chain is included in the GetCACert response.

Fine-granular database transaction handling in challenge requests. This mitigates issues with deadlocks in MariaDB.

If the AD account is a computer, then the FQDN is set as CN.

Added Edwards-curve Digital Signature Algorithm (EdDSA) support for certificate requests.

Added new billing endpoints for active end-entities.

Added Edwards-curve Digital Signature Algorithm (EdDSA) support for PKCS10, public key, self-signed and server generated certificates.

Added signed audit logging for calls to the API.

Added policy and template handling to drop requirement on Windows Microsoft CA, CEP, and CES.

New parameter allows to configure the SASL protection modes.

More specific instead of a generic error on policy violation is sent to the client.

Default value has been provided for one configuration property.