• xipki-gateway
  • Harden ACME
• xipki-cli and xipki-mgmt-cli
  • Replace karaf with picocli + jline
• Dependencies
  • bc-fips: 2.0.1 -> 2.1.2
  • bcutil-fips: 2.0.5 -> 2.1.5
  • bcpkix-fips: 2.0.10 -> 2.1.10
  • karaf: removed
  • jline: 4.0.9 (new)
  • picocli: 4.7.7 (new)

• Added support of issuing certificate with ML-DSA signature.
• Added support of issuing certificate with composite ML-DSA signature (specified in draft-ietf-lamps-pq-composite-sigs).
• Added support of issuing certificate with ML-DSA, and ML-KEM public keys
• Added support of issuing certificate with composite MLDSA public keys (specified in draft-ietf-lamps-pq-composite-sigs)
• Added support of issuing certificate with composite MLKEM public keys (specified in draft-ietf-lamps-pq-composite-kem)
• Changed (simplified) the format of certificate profiles (v2). The old certificate profiles (v1) can still be used.
• Use own JSON and CBOR parser and writer
• Use own PKCS#11 JNI library.
• Update servlet from 3.1.0 to 5.0:
  • remove support of tomcat 8 and tomcat 9
• Dependencies Update
  • OSGi blueprint: removed
  • ipkcs11wrapper: removed
  • zip4j: removed
  • jackson: removed
  • log4j: removed
  • hikaricp: 4.0.3 -> 7.0.2
  • karaf: 4.4.4 -> 4.4.8
  • dnsjava: 3.5.3 -> 3.6.4
  • slf4j: 1.7.3 -> 2.0.17
  • jdbc drivers
    • mariadb: 3.3.0 -> 3.5.7
    • postgresql: 42.7.0 -> 42.7.10
    • h2: 2.2.224 -> 2.4.240
  • bouncycastle: 1.77 -> 2.73.10-lts and v2.0.x-fips

This is a version based on v5.3.15, with following changes:

• Update dependencies:
  • karaf (JDK8): 4.2.15 -> 4.2.16
  • karaf (JDK11+): 4.3.6 -> 4.3.10
  • bouncycastle: 1.70 -> 1.80
  • pkcs11wrapper: 1.4.9 -> 1.4.10
  • fastjson: 1.2.79 -> 1.2.83
  • tinylog: 2.3.2 -> 2.7.0
  • mariadb jdbc: 2.7.5 -> 3.5.2
  • postgresql jdbc: 42.2.24 -> 42.7.5
  • h2 jdbc: 1.4.200 -> 2.3.232

• Gateway
  • Bugfix: fixed bug "Cannot update an existing certificate over CMP"
  • Add new REST APIs to re-key certificates.
• MGMT-CLI (Management Client)
  • Check whether database for caconf is empty before importing.
• Dependencies
  • jackson: 2.16.0 -> 2.16.1
  • log4j: 2.20.0 -> 2.22.1
• The binary xipki-setup-6.5.3.zip can also be downloaded from the maven central repository
  • Directly via HTTP download
    https://repo.maven.apache.org/maven2/org/xipki/assembly/xipki-setup/6.5.3/xipki-setup-6.5.3.zip
  • Via the maven-dependency-plugin

    <artifactItem>
      <groupId>org.xipki.assembly</groupId>
      <artifactId>xipki-setup</artifactId>
      <version>6.5.3</version>
      <type>zip</type>
    </artifactItem>
    

• SHA256 Checksum
  • b60abff7004b8b0418df2ff025db0e6704a5c5d38b93042a6c21fc62603b6a56 xipki-setup-6.5.3.zip

• All Components
  • Add script to customize host and port of tomcat instances, passwords, etc.
  • Audit: use Map<String, String> instead String to configure audit.
• Gateway
  • Merge gateway wars to gateway.war.
• MGMT-CLI (Management Client)
  • Add demo scripts.
  • Command ca:ca-info prints also the associated publishers, profiles and requestors.
• Dependencies
  • dnsjava: 3.5.2 -> 3.5.3
• The binary xipki-setup-6.5.2.zip can also be downloaded from the maven central repository
  • Directly via HTTP download
    https://repo.maven.apache.org/maven2/org/xipki/assembly/xipki-setup/6.5.2/xipki-setup-6.5.2.zip
  • Via the maven-dependency-plugin

    <artifactItem>
      <groupId>org.xipki.assembly</groupId>
      <artifactId>xipki-setup</artifactId>
      <version>6.5.2</version>
      <type>zip</type>
    </artifactItem>
    

• SHA256 Checksum
  • 3889f86f97beb4e8099eedef5241ce6ba7ac5ff2bd892f2b08f7c6c658733125 xipki-setup-6.5.2.zip

• CA, OCSP, Gateway, HSM Proxy
  • Add scripts to copy files automatically.
• The binary xipki-setup-6.5.1.zip can also be downloaded from the maven central repository
  • Error in the INSTALL.md in the restored root folder
    • Script setup/provision-keycerts.sh does not exist, it has been merged to setup/generate-keycerts.sh.
  • Directly via HTTP download
    https://repo.maven.apache.org/maven2/org/xipki/assembly/xipki-setup/6.5.1/xipki-setup-6.5.1.zip
  • Via the maven-dependency-plugin

    <artifactItem>
      <groupId>org.xipki.assembly</groupId>
      <artifactId>xipki-setup</artifactId>
      <version>6.5.1</version>
      <type>zip</type>
    </artifactItem>
    

• SHA256 Checksum
  • e813c15120f1e7eca74a05362c11489069a3484834ede7f590c8753f44c211bd xipki-setup-6.5.1.zip

• All Components
  • No demo keys and certificates will be delivered.
  • Simplified password configuration.
• CA
  • Change the location of file 'calock'.
  • Add configuration of reverseProxyMode.
  • Add support of file-based CA configuraion.
  • Unified message format of CA configuration in CA management API and Database Ex-/Import.
  • Remove support of database with DBSCHEMA.VERSION <= 8 (XiPKI v6.3.0 and less).
    Use MGMT-CLI to export-then-import these databases.
• OCSP
  • Remove the management interface (not necessary)
• Gateway
  • Add configuration of reverseProxyMode.
• HSM Proxy
  • New component introduced in this version.
• Dependencies
  • xipki ipkics11wrapper: 1.0.7 -> 1.0.8
  • xipki commons: 6.3.1 -> 6.3.2
  • bouncycastle: 1.76 -> 1.77
  • jdbc driver postgresql: 42.6.0 -> 42.7.0
  • jdbc driver mariadb: 3.2.0 -> 3.3.0
  • jdbc driver h2: 2.2.220 -> 2.2.224
• The binary xipki-setup-6.5.0.zip can also be downloaded from the maven central repository
  • Directly via HTTP download
    https://repo.maven.apache.org/maven2/org/xipki/assembly/xipki-setup/6.5.0/xipki-setup-6.5.0.zip
  • Via the maven-dependency-plugin

    <artifactItem>
      <groupId>org.xipki.assembly</groupId>
      <artifactId>xipki-setup</artifactId>
      <version>6.5.0</version>
      <type>zip</type>
    </artifactItem>
    

• SHA256 Checksums
  • b4959fe68b87a1c20b56bed6767fdfe6831224459d399b58c8f2c94061536927 xipki-setup-6.5.0.zip

• CA
  • Feature: encode the requests and responses between gateway and ca-server in CBOR format (was JSON).
  • Feature: extend Properties to use the place-holder ${env:name} for environment and ${sys:name} for system property.
  • Feature: add limitation to the name of CA, publisher, requestor, cert profile, signer, and alias of CA.
  • Feature: add support of constant value of types PrintableString, UTF8String, INTEGER, BIT STRING and OCTET STRING.
  • Feature: add limitation to the name of CAs, signers, publishers, requestors, and certificate profiles.
  • Feature: allow the use of aliases for certificate profiles in a CA.
  • Add support of tomcat 10+
• OCSP
  • Feature: extend Properties to use the place-holder ${env:name} for environment and ${sys:name} for system property.
  • Add support of tomcat 10+
• Gateway
  • Feature: add support of ACME with challenge types dns-01, http-01 and tls-alpn-01
  • Feature: encode the requests and responses between gateway and ca-server in CBOR format (was JSON).
  • Feature: extend Properties to use the place-holder ${env:name} for environment and ${sys:name} for system property.
  • Feature: add support of short URLs in EST, REST and SCEP gateways.
  • Add support of tomcat 10+
• CLI
  • N/A
• MGMT-CLI (Management Client)
  • N/A
• Dependencies
  • Replace JSON parser gson with jackson.
  • Bouncycaste: 1.73 -> 1.76
  • ipkcs11wrapper: 1.0.5 -> 1.0.7
  • log4j: 2.19.0 -> 2.20.0
  • mariadb-java-client: 3.1.4 -> 3.2.0
  • slf4j: 1.7.32 -> 1.7.36
• SHA256 Checksum
  • 47e9a24a15e3352a6a172606efb56b824f0c37d477434ee7a13a8cffce7049ee xipki-setup-6.4.0.zip

• Release date: 2023/04/29
• CA
  • Do not check the uniqueness of serial number in database if it contains
    at least 95 random bits.
  • Fixed bug "the scheduled generation of CRLs does not work".
  • Split the database of CA to 2 databases: 1 only for the CA's
    configuration, and 1 for the generated certificates and CRLs.
    Note: software of this version works also with databases of versions
    between 6.0.0 and 6.2.x.
• OCSP
  • N/A
• Gateway
  • N/A
• CLI
  • N/A
• MGMT-CLI (Management Client)
  • N/A
• Dependencies
  • ipkcs11wrapper: 1.0.4 --> 1.0.5
  • bouncycastle: 1.72 --> 1.73
  • replace tinylog with log4j2 v2.19.0.
• Misc
  • Compared to 6.2.0, there is only one ZIP-file for all software components.
  • Source: the modules audit, audit-extra, datasource, password, security,
    shell-base, util, xipki-tomcat-password have beed moved to
    xipki/commons.
• SHA256 Checksum
  • 4db0e27eabc01f4cecc67d2eb5501556a7ee17b43a98e650bacd8c14030aea90 xipki-setup-6.3.0.zip

• Release date: March 26, 2023
• CA
  • Extend the entities to generate CRLs from master CAs to all CAs.
  • Rewritten the PKCS#11 code.
• (CA) Gateway
  • Rewritten the PKCS#11 code.
• OCSP
  • Rewritten the PKCS#11 code.
• CLI
  • Support PBE-encrypted password in the karaf shell.
  • Support PBE-encrypted password in the SSL configuration.
  • Rewritten the PKCS#11 code.
  • Add missing letters in SecurePasswordInputPanel.
• MGMT-CLI (Management Client)
  • Support PBE-encrypted password in the karaf shell.
  • Support PBE-encrypted password in the SSL configuration.
  • Rewritten the PKCS#11 code.
  • Add missing letters in SecurePasswordInputPanel.
• Dependencies
  • Replace jpkcs11wrapper v1.0.0 by ipkcs11wrapper v1.0.4.
  • tinylog: 2.6.0 --> 2.6.1
  • JDBC driver postgresql: 42.5.3 --> 42.6.0
  • JDBC driver mariadb: 3.1.2 --> 3.1.3
  • zip4j: 2.11.3 --> 2.11.5
• SHA256 Checksum
  • b6730e714559c6f39cf586088e90176130780800d1d41bc95a5ebf9c4baa8c36 xipki-ca-6.2.0.zip
  • e6d32b798366511ea1a52967c38047378f6b1f518a856e924a05a36261e18cb0 xipki-cli-6.2.0.tar.gz
  • 72dca9ab209e5e53d49848046f93636a5079ae115dd605528975f07826c9f1f5 xipki-gateway-6.2.0.zip
  • 39d00ab231c85deda2c77ce7900654681dbe02e6540ea6d036fe994f02fddd6e xipki-mgmt-cli-6.2.0.tar.gz
  • 4a40542221c49393e20e882cd779ea2cb9d9d1f903dfd235c140e57c26d3652c xipki-ocsp-6.2.0.zip