Release Notes v2.1.0
NeySlim edited this page Feb 19, 2026 · 6 revisions
Release Date: July 2025
Type: Major Feature Release
- Consolidated API routes: removed `features/` module, all routes under `api/v2/` (34 blueprints)
- Consolidated models: removed `models/features/`, moved to `models/`
- Removed Pro/Community distinction: all features are core
- JWT removal: session cookies + API keys only (reduced attack surface)
- AKI/SKI Chain Matching - Cryptographic chain validation replacing DN-based matching
- Chain Repair Scheduler - Hourly backfill, re-chain, and deduplication task
- Chain Repair Widget - Visual progress on CAs page with manual run
- Smart Import Dedup - Prevent duplicate CAs via SKI matching
- Click any table row to open a draggable, resizable detail window
- Embedded content with action bar: Export (PEM, DER, PKCS#12, chain), Renew, Revoke, Delete
- Window manager in footer: stack/tile, same-window, close-on-navigate
- Deep-link support for certificates, CAs, and trust store items
- Chain validation with visual status (complete/partial/incomplete)
- Export bundle (PEM), expiration alerts widget
- Add certificates from managed CAs (backend + UI)
- Auto-add issuer to trust store from certificate details
- Unified Import, Export, and Bulk Actions under a single sidebar page
- Smart Import with automatic format detection + OPNsense sync
- Export action cards per resource type with PEM and P7B download
- Bulk Actions with resource type chips, inline search, status/CA filters
- 30s countdown before reconnection attempts
- Health endpoint includes WebSocket readiness status (`/api/v2/health`)
- Automatic redirect to login page after service restart
- Browser cache invalidation on reconnect
- Floating contextual help panel on every page
- Draggable, resizable, with mobile bottom-sheet mode
- Tips, warnings, and related page links
- Dashboard: redesigned header with logo, diversified widget colors, donut chart with gradient/shadow effects
- Dashboard mobile: compact header with watermark logo, no redundancy with navbar
- New logo: shield outline, larger on dashboard, smaller in sidebar
- Themes simplified: 3 themes (Gray, Purple, Sunset)
- Tables: proportional column sizing, actions moved to detail windows
- Status footer bar with window management controls
- Mobile navbar: user dropdown menu with account, settings, language selector, logout
- Mobile nav grid: short i18n labels for compact 5-column layout
- Reconnect overlay with circular countdown ring
- 9 languages: EN, FR, DE, ES, IT, PT, UK, ZH, JA
- 2273+ translation keys per language, 0 missing
- Short mobile labels: 16 `*Short` keys per language for compact navigation
- New namespaces: `reconnect.*`, `table.*`, `windows.*`
- Unified ExportModal with tabbed interface (PEM, DER, PKCS#12, Chain PEM)
- RBAC permission guards on private key access
- Certificate, CA, and Trust Store export from detail windows and floating windows
- Certificate Activity chart with Issued/Expired/Revoked series
- Day selector (7d/15d/30d) with optimized grouped SQL queries
- Status distribution pie chart
- Draggable grid layout with persistent positions
- SSO settings restructured with collapsible sections per provider type
- LDAP: Connection → User Search → Groups & Role Mapping → Provisioning
- OAuth2: Provider Preset (Azure/Google/GitHub) → Connection → Attribute Mapping → Provisioning
- SAML: Identity Provider → SP Endpoints → Attribute Mapping → Provisioning
- Test Connection and Test Mapping buttons for LDAP validation
- OAuth2 presets auto-fill URLs for Microsoft Entra, Google, GitHub
- 1 provider per type limit with 3-card layout: LDAP, OAuth2, SAML
- Login page: SSO buttons shown first with "or sign in locally" separator
- Fix: LDAP group filter with special characters in user DN
- 4 system roles: Admin, Operator, Auditor (new), Viewer (renamed from User)
- Auditor: read-only access to all operational data except settings/users
- Viewer: restricted to certificates, CAs, CSRs, templates, truststore
- Orange badge for auditor role across all UI views
- Migration 036 auto-renames existing roles for seamless upgrade
- Scheduled compliance reports with certificate inventory
- Certificate policies with key usage and validity constraints
- Approval workflows for certificate issuance
- Default admin password `changeme123` with force password change on first login
- cryptography upgraded to 46.0.5 (CVE-2026-26007)
- RBAC with custom roles and granular permissions (read/write/delete/admin per resource)
- Auto-update DEB postinst fix: updater systemd units
- ESLint (frontend) + Ruff (backend) linters added to CI pipeline
- 17 bugs found and fixed by linters
- Login method persistence across sessions
- SAML SP certificate selector for multi-cert environments
- LDAP directory presets (Active Directory, OpenLDAP, FreeIPA)
- CSRF token fix for multi-method login (password + SSO)
- Backup v2.0 - Complete backup/restore for all database tables
- File Regeneration - Startup service regenerates missing cert/key files from database
- Human-Readable File Names - `{cn-slug}-{refid}.ext` instead of UUID-only
- SoftHSM Integration - Automatic SoftHSM2 setup across DEB, RPM, Docker
- Webhooks - Management in Settings for CRUD, test, and event filtering
- ACME Multi-CA - Let's Encrypt, ZeroSSL, Buypass, custom ACME servers
- Template Duplication - Clone endpoint: POST /templates/{id}/duplicate
- Settings About - Version, system info, uptime, memory, links
- Health endpoint consolidated under `/api/v2/health` (backward-compatible)
- ACME account delete: cascade cleanup (challenges→authorizations→orders)
- FloatingHelpPanel: missing SOFT_MAX_W constant
- Dashboard charts: fixed width/height(-1) errors with absolute positioning
- Dashboard donut: fixed gradient IDs using translated names (SVG invalid refs)
- Dashboard: react-grid-layout v2.2.2 API compatibility
- OPNsense: wrapped password inputs in form element (DOM warning)
- Toast notifications: stack vertically
- Radix Select: filter empty value options
- Truststore delete: returns 200 instead of broken 204
- CRL: returns null data instead of 404 when not yet generated
- UTC timezone handling: API timestamps include 'Z' suffix
- Reports page: fixed infinite loop caused by unstable useCallback deps
- Z-index hierarchy: confirm/prompt dialogs now render above floating windows
- Table refresh: data reloads after floating window actions (revoke/renew/delete)
- Chart labels: readable X-axis with dynamic interval, solid line styles
- Force password change: fixed flag not being set in database_health.py admin creation
- LDAP group filter: escape special characters in user DN for group membership queries
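
The LDAP group filter fix listed above comes down to RFC 4515 escaping of the user DN before it is placed in a search filter. The following is an added example, not the project's own code; the function names, the `member` attribute default and the sample DN are assumptions made for illustration.

```python
import re

# RFC 4515: inside a filter assertion value these characters must appear as \XX.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# One simple equality assertion: (attr=value), where value holds only literal
# characters or valid \XX escapes (no raw parens, asterisks, backslashes, NUL).
_SIMPLE = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=((?:[^\\()*\x00]|\\[0-9A-Fa-f]{2})*)\)")


def escape_filter_value(value: str) -> str:
    """Escape a string so an LDAP server reads it purely as data."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_filter(user_dn: str, member_attr: str = "member") -> str:
    """Group-membership filter with the DN escaped (the fixed behaviour)."""
    return f"({member_attr}={escape_filter_value(user_dn)})"


def naive_group_filter(user_dn: str, member_attr: str = "member") -> str:
    """The DN pasted in unescaped, shown only for comparison."""
    return f"({member_attr}={user_dn})"


def parse_simple_filter(flt: str) -> tuple[str, str]:
    """Return (attribute, decoded value) or raise ValueError if malformed.

    Decoding covers the ASCII escapes produced by escape_filter_value().
    """
    m = _SIMPLE.fullmatch(flt)
    if m is None:
        raise ValueError(f"not a single well-formed equality filter: {flt!r}")
    decoded = re.sub(r"\\([0-9A-Fa-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    return m.group(1), decoded


# Constructed sample DN: an RFC 4514 escaped comma plus parentheses in the CN.
SAMPLE_DN = r"CN=Smith\, John (Contractor),OU=Staff,DC=example,DC=com"

if __name__ == "__main__":
    print(group_filter(SAMPLE_DN))
    print(parse_simple_filter(group_filter(SAMPLE_DN)))
    try:
        parse_simple_filter(naive_group_filter(SAMPLE_DN))
    except ValueError as exc:
        print("rejected:", exc)
```

The escaped filter round-trips to the original DN, while the unescaped one is no longer a single well-formed assertion, which is why group lookups fail for such users.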
- Operations page replaces the old Import/Export page
- Themes reduced from 6 to 3 color schemes
- JWT authentication removed (session cookies + API keys only)
- Existing installations: database migrations run automatically at startup
- Migration 036 renames the "User" role to "Viewer" and creates the "Auditor" role automatically
- The default password change only affects new installations
- All existing user passwords remain unchanged
- Health endpoint available at both `/api/v2/health` and `/api/health`
- SSO configurations are preserved; the new collapsible layout activates on first load









