Release note Certificate Manager 8.9

Java 17 is required

Certificate Manager is now using Java version 17. CM is verified to work with both Oracle Java 17 and with OpenJDK 17. However, the CM SDK supports Java version 11 and Java 17.

AUTH Servlet

Added support for the Authentication Servlet that will be used with the upcoming CM WEB UI.

RAPCACS (V2X) heartbeat file

RAPCACS for v1 and v2 now support a heartbeat file for easier monitoring.

Override Ed25519 algorithm parameter in CIS device

To support import of keys which need a custom algorithm parameter OID for Ed25519 keys, it is now possible to configure CIS devices to override the standard Ed25519 algorithm parameter OID with a configurable one in cis.conf. See parameter "ed25519Override" in the Technical Description section 3.3.3.1.9.

CMP raVerified

The CMP servlet in PGW now supports CMP requests with raVerified Proof-Of-Possession. See PGW documentation for more information.

Importing of a EC keypair from a p12 file with HWSetup tool

With the HWSetup tool it is now possible to import an EC keypair from a p12 file, previously only RSA and DSA keys was supported.

Importing of a wrapped private key with HWSetup tool

The new unwrap command in HWSetup tool makes it possible to import a wrapped EC/ED/RSA/DSA private key.

Tomcat 10.1 required for PGW

The PGW of CM 8.9.0 requires Tomcat 10.1.

CM SDK statistics

The CM SDK now supports requests for statistics using the GetStatisticsRequest class.

CM REST API statistics

The CM REST API now supports requests for statistics using the /statistics/* endpoints.

CM REST API supports downloading multiple certificates in a zip

The CM REST API now supports requests to download multiple certificates in a single .zip file using the new /certificates/download endpoint.

CM REST API procedures listing for other types

The CM REST API endpoint "/procedures" now filters and displays other types than the default pkcs10. Use the new request parameter "mediaType" set to "pkcs10", "pkcs12", "smartcard" or "attributecertificate" to choose which type to show.

CM SDK certificate search sort order

The CM SDK now supports sorting in ListCardRequest and ListCertificateRequest. See CertificateSearchCriteria.setOrderBy() in CM SDK JavaDoc.

CM REST API certificate listing sort order

The CM REST API endpoints "/certificates" now supports sorting using the parameters "orderBy" and "orderDescending".

CM REST API procedures details

The CM REST API now contains a new endpoint "/procedures/{procid}/details" that returns detailed information about the specified procedure.

Protocol Gateway with PKCS#11 keystores

There is now documentation on how to use PKCS#11 keystores with Protocol Gateway for officer and RA tokens. See the Installation and Configuration Guide for Protocol Gateway.

AuthorityKeyIdentifier in non-self-signed CA certificate formats

The AuthorityKeyIdentifier has been added to all non-self-signed CA certificate formats to be compliant with RFC 5280. Affected formats:

• rfc5280CA
• iot-ca

SCEP NDES Challenge page encoding option

Adds the ndesChallengeEncoding option in scep.properties. Allows the encoding of the NDES Challenge webpage to be configurable. The default encoding remains as UTF-8.

The option -gencert from HWSetup tool is removed

The option -gencert from HWSetup tool has been removed. Instead a certificate should be created outside of the HWSetup tool and then imported with the -setcert option.