
Release Notes v2.75

NeySlim edited this page Mar 15, 2026 · 1 revision

Release Notes - v2.75

Release Date: 2026-03-15
Previous Version: v2.69
Download: GitHub Releases


Highlights

  • 🔒 Delta CRL Support (RFC 5280 §5.2.4) — Incremental CRL updates with DeltaCRLIndicator, FreshestCRL, dedicated CDP endpoint, and scheduler
  • 🛡️ Comprehensive Security Audit — 76 findings across 6 phases, 38 fixed (3 CRITICAL, 6 HIGH, 29 MEDIUM)
  • 📄 PDF Report Templates — Generate professional PDF reports with custom builder and scheduling
  • 🔐 PKI Protocol Hardening — ACME JWS bypass closure, EST timing-safe auth, SCEP decrypt fix, crypto validation
  • 📊 Market Comparison Roadmap — Gap analysis vs EJBCA, Vault PKI, step-ca; 9-item roadmap added

Added

Delta CRL (RFC 5280 §5.2.4)

  • Delta CRL generation — Contains only revocations since the last base CRL, reducing download size
  • DeltaCRLIndicator extension (CRITICAL) per RFC 5280 — references the base CRL number
  • FreshestCRL extension on base CRLs — points clients to the delta CRL distribution point
  • Dedicated CDP endpoint: GET /cdp/{ca_id}-delta.crl for public delta CRL access
  • API endpoints: get delta CRL, force regeneration, configure enabled/interval
  • Scheduler auto-generation — configurable interval (1–168 hours, default 4h)
  • Frontend management — Toggle column in CRL/OCSP table, detail panel with stats and interval selector
  • Security hardening — Unique index on CRL numbers, rollback on failure, is_delta filter on base CRL queries
  • Cache headers: Cache-Control and Last-Modified on all CDP routes
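Added example, not code from this project: a base CRL carrying CRLNumber and FreshestCRL, a delta CRL carrying a critical DeltaCRLIndicator, and the relying-party check that decides whether the delta may be combined with a given base (RFC 5280 §5.2.4). It uses the `cryptography` library; the CA id, issuer name and serial numbers are constructed, and only the `/cdp/{ca_id}-delta.crl` path shape is taken from the notes above.

```python
"""Base + delta CRL per RFC 5280 §5.2.4 with the `cryptography` library.
Added example; not the project's own implementation."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

# Constructed sample values; the CDP path shape follows the release notes.
CA_ID = "ca-01"
DELTA_CDP_URL = f"https://pki.example.test/cdp/{CA_ID}-delta.crl"
ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])


def _builder(now, hours):
    return (x509.CertificateRevocationListBuilder()
            .issuer_name(ISSUER)
            .last_update(now)
            .next_update(now + datetime.timedelta(hours=hours)))


def _add_revoked(builder, serials, when):
    for serial in serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(when).build())
    return builder


def build_base_crl(key, crl_number, revoked_serials, now):
    """Complete CRL: every revocation, CRLNumber, FreshestCRL -> delta CDP."""
    b = _builder(now, hours=24)
    b = b.add_extension(x509.CRLNumber(crl_number), critical=False)
    b = b.add_extension(x509.FreshestCRL([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(DELTA_CDP_URL)],
        relative_name=None, reasons=None, crl_issuer=None)]), critical=False)
    return _add_revoked(b, revoked_serials, now).sign(key, hashes.SHA256())


def build_delta_crl(key, crl_number, base_crl_number, new_serials, now):
    """Delta CRL: only revocations since the base; the indicator is critical."""
    b = _builder(now, hours=4)  # 4h matches the default interval in the notes
    b = b.add_extension(x509.CRLNumber(crl_number), critical=False)
    b = b.add_extension(x509.DeltaCRLIndicator(base_crl_number), critical=True)
    return _add_revoked(b, new_serials, now).sign(key, hashes.SHA256())


def combine(base, delta, ca_public_key):
    """Relying-party side: validate the pair, return the effective revoked set."""
    if not base.is_signature_valid(ca_public_key):
        raise ValueError("base CRL signature invalid")
    if not delta.is_signature_valid(ca_public_key):
        raise ValueError("delta CRL signature invalid")
    if delta.issuer != base.issuer:
        raise ValueError("delta and base CRL issuers differ")
    base_num = base.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number
    delta_num = delta.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number
    try:
        ind = delta.extensions.get_extension_for_class(x509.DeltaCRLIndicator)
    except x509.ExtensionNotFound:
        raise ValueError("not a delta CRL: DeltaCRLIndicator missing")
    if not ind.critical:
        raise ValueError("DeltaCRLIndicator must be critical (RFC 5280 §5.2.4)")
    # A delta combines with any complete CRL whose number is >= BaseCRLNumber.
    if base_num < ind.value.crl_number:
        raise ValueError(f"base CRL {base_num} predates indicated base {ind.value.crl_number}")
    if delta_num <= base_num:
        raise ValueError("delta CRL number must exceed the base CRL number")
    return {rc.serial_number for rc in base} | {rc.serial_number for rc in delta}


def delta_applies(base, delta, ca_public_key):
    """True if `combine` accepts the pair, False if it rejects it."""
    try:
        combine(base, delta, ca_public_key)
        return True
    except ValueError:
        return False


def demo():
    """Build a base (number 10) + delta (number 11) pair and a stale delta."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0)
    base = build_base_crl(key, 10, [1001, 1002], now)
    delta = build_delta_crl(key, 11, base_crl_number=10, new_serials=[1003], now=now)
    stale = build_delta_crl(key, 13, base_crl_number=12, new_serials=[1004], now=now)
    pub = key.public_key()
    der = serialization.Encoding.DER
    return {
        "revoked": sorted(combine(base, delta, pub)),
        "base_bytes": len(base.public_bytes(der)),
        "delta_bytes": len(delta.public_bytes(der)),
        "stale_accepted": delta_applies(base, stale, pub),
    }


if __name__ == "__main__":
    print(demo())
```

The stale case is the one the notes' "is_delta filter on base CRL queries" guards against from the issuer side: a delta whose indicator points past the base the client actually holds must not be combined with it.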

PDF Report Templates

  • Grid card layout for PDF report templates (Executive, Compliance, Inventory)
  • Custom report builder with section selection
  • Purple icon differentiation for PDF vs raw reports
  • Schedule PDF report generation with email delivery

Roadmap

  • Added 9-item roadmap from market comparison gap analysis to README
  • Items: Delta CRL ✅, Key Archival, CMP, TSA, SSH Certificates, K8s/Helm, Code Signing, HA/Clustering, PQC

Fixed

Security (76 findings, 38 fixed)

CRITICAL (3):

  • Removed RSA-512/1024 key generation (minimum now RSA-2048)
  • Closed ACME JWS signature bypass via alg:none
  • Fixed XXE protection in certificate parsing

HIGH (6):

  • CSR signature verification before signing
  • Certificate validity clamping to CA expiry
  • EST reenroll subject-matching enforcement
  • SCEP decrypt cipher fix
  • RBAC operator permission trimming (38→23 permissions)
  • SSRF protection on OCSP/CRL URLs

MEDIUM (29):

  • Generic error messages (no str(e) leaks)
  • Timing-safe authentication on EST/SCEP
  • Atomic ACME nonce generation
  • Content-Disposition filename sanitization
  • Discovery scan rate limiting
  • Role escalation prevention
  • ARIA overlay accessibility
  • Dashboard valid certificate count
  • Pie chart backend data
  • i18n completeness across 9 locales
  • And more...

Protocol Hardening

  • ACME: Key-change authorization, JWS algorithm validation
  • EST: Timing-safe password comparison, reenroll subject check, serverkeygen fail-safe
  • SCEP: Decrypt AES-256 fix, serial number format fix, challenge password timing-safe
  • CRL: Base CRL queries now properly exclude delta CRLs
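Added example, not the project's code: the two checks named above for ACME and EST/SCEP, written against the `cryptography` library and the standard library. The ACME part validates the JWS protected header (rejects a missing or `none` algorithm, anything outside an allowlist, and an `alg` that does not match the key type) before verifying an ES256 signature; the EST/SCEP part compares a password or challenge with `hmac.compare_digest`. The allowlist containing only ES256, the nonce and URL values are assumptions for the demo.

```python
"""JWS header validation for ACME and timing-safe password comparison.
Added example; not the project's own implementation."""
import base64
import hmac
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import (
    decode_dss_signature, encode_dss_signature)

ALLOWED_ALGS = {"ES256"}  # assumption: this deployment accepts ES256 only


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_es256(key, protected: dict, payload: bytes) -> dict:
    """Client side, for the demo only: flattened JWS with a raw r||s signature."""
    p = b64url(json.dumps(protected, separators=(",", ":")).encode())
    pl = b64url(payload)
    r, s = decode_dss_signature(key.sign(f"{p}.{pl}".encode(), ec.ECDSA(hashes.SHA256())))
    return {"protected": p, "payload": pl,
            "signature": b64url(r.to_bytes(32, "big") + s.to_bytes(32, "big"))}


def verify_acme_jws(jws: dict, public_key) -> bytes:
    """Server side: validate the header first, then the signature. Returns payload."""
    header = json.loads(b64url_decode(jws["protected"]))
    alg = header.get("alg")
    # Reject alg "none" (case-insensitively) and anything not explicitly allowed.
    if not isinstance(alg, str) or alg.lower() == "none" or alg not in ALLOWED_ALGS:
        raise ValueError(f"rejected JWS alg {alg!r}")
    # The declared alg must match the key the account registered, not be trusted alone.
    if alg == "ES256" and not (isinstance(public_key, ec.EllipticCurvePublicKey)
                               and isinstance(public_key.curve, ec.SECP256R1)):
        raise ValueError("alg ES256 does not match account key type")
    sig = b64url_decode(jws["signature"])
    if len(sig) != 64:
        raise ValueError("ES256 signature must be 64 bytes (r||s)")
    der = encode_dss_signature(int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big"))
    signing_input = f"{jws['protected']}.{jws['payload']}".encode()
    try:
        public_key.verify(der, signing_input, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        raise ValueError("JWS signature invalid")
    return b64url_decode(jws["payload"])


def jws_accepted(jws: dict, public_key) -> bool:
    try:
        verify_acme_jws(jws, public_key)
        return True
    except ValueError:
        return False


def est_password_ok(supplied: str, expected: str) -> bool:
    """Constant-time comparison; a plain == short-circuits on the first mismatch."""
    return hmac.compare_digest(supplied.encode(), expected.encode())


def demo():
    """Valid JWS, an alg:none forgery, and a payload swap under a valid signature."""
    key = ec.generate_private_key(ec.SECP256R1())
    pub = key.public_key()
    header = {"alg": "ES256", "nonce": "demo-nonce", "url": "https://acme.example.test/new-order"}
    good = sign_es256(key, header, b'{"identifiers":[]}')
    forged = dict(good, protected=b64url(b'{"alg":"none"}'), signature="")
    swapped = dict(good, payload=b64url(b'{"identifiers":["x"]}'))
    return {
        "payload": verify_acme_jws(good, pub),
        "none_accepted": jws_accepted(forged, pub),
        "swap_accepted": jws_accepted(swapped, pub),
        "pw_match": est_password_ok("s3cret", "s3cret"),
        "pw_mismatch": est_password_ok("s3cret", "s3cres"),
    }


if __name__ == "__main__":
    print(demo())
```

The order matters: the header is rejected before any signature work, so a request declaring `none` never reaches a code path where an empty signature could be treated as valid.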

Frontend Quality

  • Barrel export for auth-methods service
  • Theme-safe color classes
  • Reports page centered layout matching Settings pattern
  • SAN field normalization (string + array)

Dependencies

  • Bumped black 26.1.0 → 26.3.1 (CVE-2026-32274)

API Changes

New Endpoints

| Method | Endpoint | Permission | Description |
|--------|----------|------------|-------------|
| GET | /api/v2/crl/{ca_id}/delta | read:crl | Get latest delta CRL |
| POST | /api/v2/crl/{ca_id}/delta/regenerate | write:crl | Force delta CRL generation |
| POST | /api/v2/crl/{ca_id}/delta-config | write:crl | Configure delta CRL settings |

New CDP Route

| Method | URL | Auth | Description |
|--------|-----|------|-------------|
| GET | /cdp/{ca_id}-delta.crl | None | Public delta CRL download (DER) |

Modified Endpoints

  • GET /api/v2/crl — Now returns base CRL with attached delta_crl object when available
  • GET /api/v2/crl/{ca_id} — Explicitly returns base CRL (excludes delta)
  • GET /cdp/{ca_id}.crl — Now includes Cache-Control and Last-Modified headers

Database Changes

  • Migration 004: Adds delta CRL support
    • crl_metadata: is_delta (boolean), base_crl_number (integer)
    • certificate_authorities: delta_crl_enabled (boolean), delta_crl_interval (integer, default 4)
    • Unique index on (ca_id, crl_number) for race condition prevention
  • Auto-applied on startup — no manual steps

Upgrade Notes

  • No breaking API changes
  • Database migration auto-applied on restart
  • New features available immediately after upgrade
  • Clear browser cache after upgrade for updated frontend
  • Existing CRLs remain unchanged; delta CRL must be explicitly enabled per CA
