Release Notes v2.153

NeySlim edited this page May 11, 2026 · 1 revision

Stable release (2026-05-10). CA offline mode — take a root or intermediate CA offline to block signing while keeping the public certificate usable for chain validation, CDP and OCSP.

Smoke-tested 6/6 on SQLite and PostgreSQL across Debian (DEB), RHEL/Fedora (RPM), and Docker.

For previous releases, see Release Notes v2.152 and the full CHANGELOG.


Highlights

  • CA offline mode — two modes (password-protected and file-exported) to safely decommission CA private keys while retaining the public cert.
  • Signing gate — all signing paths (CSR, CA child, CRL, OCSP) block when CA is offline.
  • Write-protected flag — only dedicated take-offline / restore endpoints can flip the offline flag.
  • Migration 034_add_ca_offline.py adds offline, offline_reason, offline_mode columns.

CA Offline Mode

What it does

Takes a CA "offline" — the private key is either re-wrapped with a user-supplied password or exported and removed from the database. The public certificate remains usable for:

  • Chain validation
  • CDP (CRL Distribution Point)
  • OCSP responder

All signing operations are blocked:

  • CSR signing
  • CA child signing
  • CRL generation
  • OCSP signing

Two modes

| Mode | Key handling | Restore requires |
|---|---|---|
| Password-protected | Key re-wrapped with PKCS#8 password on top of master-key encryption | Password only |
| File-exported | Key returned as password-encrypted PKCS#8 PEM, removed from DB | Re-upload PEM file + password |

API endpoints

POST /api/v2/cas/<id>/take-offline   — Take CA offline
POST /api/v2/cas/<id>/restore        — Restore CA online

Frontend

  • TakeOfflineModal and RestoreModal components
  • Offline-aware StatusBadge + dedicated OfflineBadge across all CA views
  • Action buttons in CADetailsPanel and floating detail window

Audit actions

ca.offline.password_protected, ca.offline.file_exported, ca.restore.password_protected, ca.restore.file_exported

Schema changes

Migration 034_add_ca_offline.py:

  • certificate_authorities.offline (BOOLEAN)
  • certificate_authorities.offline_reason (TEXT)
  • certificate_authorities.offline_mode (TEXT)
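
A minimal model of the signing gate and the write-protected flag described in these notes, built on the three columns from migration 034. This is an added example, not UCM's own code: the function names, the `key_blob` column, the mode strings and the in-memory SQLite table are assumptions, and key wrapping is left out (the key is an opaque placeholder).

```python
import sqlite3

# Column names are from migration 034; the rest of this model is assumed.
T = "certificate_authorities"
SCHEMA = (f"CREATE TABLE {T} (id INTEGER PRIMARY KEY, name TEXT, key_blob BLOB, "
          "offline BOOLEAN NOT NULL DEFAULT 0, offline_reason TEXT, offline_mode TEXT)")
PROTECTED = {"offline", "offline_reason", "offline_mode"}
MODES = {"password_protected", "file_exported"}

class CAOffline(Exception):
    """Raised by the signing gate while the CA is offline."""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute(f"INSERT INTO {T} (id, name, key_blob) VALUES (1, 'Constructed CA', x'00')")
    return db

def require_online(db, ca_id, operation):
    """Signing gate: CSR, CA child, CRL and OCSP signing all call this first."""
    row = db.execute(f"SELECT offline, offline_mode FROM {T} WHERE id = ?",
                     (ca_id,)).fetchone()
    if row is None:
        raise LookupError(f"no CA with id {ca_id}")
    if row[0]:
        raise CAOffline(f"{operation} blocked: CA {ca_id} is offline ({row[1]})")

def update_ca(db, ca_id, **fields):
    """Generic edit path: must never reach the offline columns."""
    if PROTECTED.intersection(fields):
        raise PermissionError("offline state is write-protected")
    db.execute(f"UPDATE {T} SET name = COALESCE(?, name) WHERE id = ?",
               (fields.get("name"), ca_id))

def take_offline(db, ca_id, mode, reason):
    """Dedicated path: sets the flag; file_exported also removes the key."""
    if mode not in MODES:
        raise ValueError(f"unknown offline mode: {mode}")
    db.execute(f"UPDATE {T} SET offline = 1, offline_reason = ?, offline_mode = ?, "
               "key_blob = CASE WHEN ? = 'file_exported' THEN NULL ELSE key_blob END "
               "WHERE id = ?", (reason, mode, mode, ca_id))

def restore(db, ca_id, key_blob=None):
    """Dedicated path: a file_exported CA needs its key supplied again."""
    mode = db.execute(f"SELECT offline_mode FROM {T} WHERE id = ?", (ca_id,)).fetchone()[0]
    if mode == "file_exported" and key_blob is None:
        raise ValueError("file_exported restore requires the exported key")
    db.execute(f"UPDATE {T} SET offline = 0, offline_reason = NULL, offline_mode = NULL, "
               "key_blob = COALESCE(?, key_blob) WHERE id = ?", (key_blob, ca_id))
```

Routing every signing path through one gate means a new signing feature cannot bypass the offline state by accident, and keeping the flag out of the generic update path means an ordinary CA edit cannot bring a CA back online.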

Upgrade

Drop-in replacement for v2.152. One migration (034) runs automatically at first boot.

  • Docker Hub: docker pull neyslim/ultimate-ca-manager:2.153
  • DEB: wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.153/ucm_2.153_all.deb
  • RPM: wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.153/ucm-2.153-1.fc43.noarch.rpm
