2021-12-20 new version 1.8.4 released
Bug fixes:
- Apply patch from mshedsilegx to fix RHEL8 gcc 10 linker errors on multiple definitions of error_str, github issue #3
- refactor strncpy into memcpy with dedicated string termination to eliminate two gcc warnings for -Wstringop-truncation
2021-06-12 new version 1.8.3 released
New functionality:
- Adding "List Revoked" to display the full list of revoked certs
Bug fixes:
- certsearch.cgi - Search by DN returned no data
- certsearch.cgi - "too many open files" error
2021-06-05 new version 1.8.2 released
Bug fixes:
- Set the generated certificate signing request version as '1' (0x0)
- Review and correct code for gcc v9 compiler warnings
- Embed the dependent CGIC library
- Add the Github compile check workflow
2019-03-17 new version 1.8.0 released
New functionality:
- Webcert has been updated to work with the latest versions of OpenSSL 1.1.x
- Minor UI design CSS style update
2017-08-19 new version 1.7.9 released
New functionality:
- Webcert now manages a certificate revocation list (CRL) and allows revoking certs
2016-01-24 new version 1.7.8 released
New functionality:
- A PKCS12 converter tool allows creating, analyzing and extracting PKCS12 files online.
- The certificate renewal function called from Certstore makes it easy to re-sign existing cert data.
- All signing algorithms are now standardized on SHA-2, the strength is now selectable for CSR and certs.
- The cert display function now universally shows the new enhanced display format.
- Upgraded Root CA to 4096 bit RSA with SHA-512 signature, retiring the old 2007 Root CA certificate.
Bug fixes:
- Certs with very long extension data caused a display window overlap in the verification screen
- Web server headers now enforce that cert file download links prompt for download
- DSA signature algorithm evp_dss is obsolete
- Certificate verification tool does not always include server-side intermediate certs in validation
2015-01-18 new version 1.7.7 released
New functionality:
- Because SHA1 is widely phased out, WebCert changed the CSR and certificate generation signing to SHA256.
- WebCert now handles Elliptic Curve Cryptography (ECC) for certificates and requests. Certificate requests can be built using the most common ECC key types secp224r1, secp256k1, secp384r1 and secp521r1.
- Certificate requests now display the signature algorithm and data.
- The default key size has been raised to 2048 bit, and the key rating has been updated to reflect that 1024-bit keys are below par.
2013-02-28 new version 1.7.6 released
New functionality:
- Set specific certificate start and end dates: The certificate validity, in addition to being set as days valid from "now", can now also be set for specific start and end dates. This allows creating certs with a lifetime of minutes, certs for future dates, etc.
- Overhaul of display functions: cert requests and certificate data will now be available in both text and PEM format on one, single page. A simple Javascript function will do the switching at the (browser) client side.
- Update of the certificate validations page:
The validation of remote servers will be able to display the details of remotely received certificate chains, i.e. the intermediate and root certificates.
- A javascript print button for certificate requests, certificates and validation results has been added. A stylesheet and icons clean-up now provides a decent print image with "background" printing enabled.
- For the online certificate request generation, expand the number of SubjectAltNames from two to four.
- Documentation update: The "Help" section should get the missing instructions for the cert validation function. The "Installation" page is going to be updated as well.
- Updating the HTML code to validate as "XHTML v1.0 transitional".
Bug fixes:
- Fixing several bugs in the results list navigation of certsearch.cgi.
- Update of time protection for the year 2038 integer overflow on 32bit systems.
- Do not create duplicate extensions:
I.e. Java keytool-generated CSRs already contain the "subject Key Identifier" extension
2012-10-08 new version 1.7.5 released
New functionality:
- New certificate validation function certvalidate.cgi allows the analysis of the signing chain.
- Implementation of SubjectAltNames for creating multi-purpose certificates.
- The obsolete "Netscape Comment" extension for server certificates has been removed.
- Submitted certificate requests are now signed including their requested extensions.
2011-06-20 new version 1.7.4 released
New functionality:
- An HTML graphics layout overhaul has been done to better utilise external stylesheets.
- Improved cross-browser compatibility: Internet Explorer, Firefox, Safari, Chrome
- Existing certificate request files can now be uploaded, in addition to copy and paste.
2010-11-10 new version 1.7.3 released
New functionality:
Implementation of "Extended Key Usage" parameter to allow the creation of certificates that require it. I needed it to generate certificates for Microsoft Windows to enable the active directory LDAPS function by adding the "SSL/TLS Web Server Authentication" extended key usage. At this time, only the extension values below have been implemented:
- serverAuth, SSL/TLS Web Server Authentication OID=1.3.6.1.5.5.7.3.1
- clientAuth, SSL/TLS Web Client Authentication OID=1.3.6.1.5.5.7.3.2
- codeSigning, Code signing OID=1.3.6.1.5.5.7.3.3
- emailProtection, E-mail Protection (S/MIME) OID=1.3.6.1.5.5.7.3.4
- timeStamping, Trusted Timestamping OID=1.3.6.1.5.5.7.3.8
- ocspSigning, Online Cert Status Protocol signing OID=1.3.6.1.5.5.7.3.9
I did not implement the OIDs 1.3.6.1.5.5.7.3.5-7. They belong to id-kp-ipsecEndSystem, id-kp-ipsecTunnel and id-kp-ipsecUser and are reported to be obsolete as per RFC 4945 section 5.1.3.12, "ExtendedKeyUsage".
Regardless of what the certificate request contains, the extended key usage must always be explicitly set at the request verification screen to be included in the certificate. Even if an externally generated request did not add this attribute, it can be set additionally with WebCert.
2008-03-20 new version 1.7.2 released
Bug fix only:
- The nasty P12 export function still created an empty zero byte p12 file in cases when no private key was pasted at all. I also added an extra comment that the private key file is really needed for pkcs12 export.
2007-12-20 new version 1.7.1 released
Bug fix only:
- The P12 export function failed when a private key was pasted with multiple trailing empty lines, creating an empty zero byte p12 file.
- A link to an S/MIME certificate creation How-To was added to the help section.
2007-12-15 new version 1.7.0 released
New functionality:
- Full support for generation of S/MIME certificates:
The new certexport.cgi conveniently converts an existing PEM certificate into either DER or PKCS12 format. The files are copied into the export directory of the webcert web application. In the case of PKCS12, the private key must be supplied in PEM format (cut&paste), together with a passphrase for protection.
- the certsearch.cgi function has been expanded to filter certificates by their serial number
Bug fixes:
- The [Go Back] button in genrequest.cgi was pointing to certrequest.cgi instead of referring back to buildrequest.cgi.
- The latest CGI definitions were missing in the top level Makefile
- The REQLEN parameter was too small for certificates with a 4096 bit key
- getcert.cgi had a minor display bug in the HTML table
2007-10-15 new version 1.6.0 released
New functionality:
- New certificate search function:
To find particular certificates, the new certsearch.cgi can filter the cert store per subject field, validation or expiration date. This helps to identify certificates that are about to expire, and renew them before they become invalid.
- For consistent look&feel across CGIs, the font has been set to Arial in all CGIs (certverify.cgi and genrequest.cgi)
2007-07-01 new version 1.5.0 released
New functionality:
- Certificate Store display enhancements:
certstore.cgi gets a new "Expiration" column, displaying how long the certificate is still valid. It is shown in days remaining and as a pseudo-graphical bar representing the percentage of time left, compared to the certificate lifetime. The selection to display a certificate either in PEM or TXT format has been added to certstore.cgi for quicker access.
Bug fixes:
- The certstore.cgi display fails to sort correctly if the store has more than 255 certificate files because alphasort fails when the .pem filename gets the next 2 digits added after FF.pem is reached (255). I wrote the hexsort function to correct that.
- I fixed a minor display bug on the control panel in certstore.cgi, which is visible in Konqueror. Improved pixel count for displaying the bar.
- Wrong page count for certstore.cgi: When the number of certs is divisible by the max. entries per page without remainder, meaning that all pages are filled to the max, an extra empty page was generated.
- Compiler warnings complain about pointer targets differ in signedness: new compilers are so picky and warn about implicit data type promotion. I added explicit casting to avoid these errors.
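The sort failure fixed in 1.5.0, shown as an added example (not WebCert's own hexsort code): plain string ordering places 0100.pem before 02.pem, while a comparator that orders the hex serial in the file name numerically keeps 0x100 after 0xFF. The names hex_name_cmp and position_after_sort and the sample file list are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: serial-named files once serial 0xFF has been passed. */
static const char *SAMPLE[] = { "0100.pem", "02.pem", "FF.pem", "01.pem", "0A.pem" };
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

/* Length of the leading hex-digit run without leading zeros; *digits points at it. */
static size_t hex_span(const char *name, const char **digits)
{
    size_t n = 0;
    while (isxdigit((unsigned char)name[n])) n++;
    while (n > 1 && *name == '0') { name++; n--; }
    *digits = name;
    return n;
}

/* Numeric order of two "<hex serial>.pem" names (hypothetical helper). Compares
 * digit strings, so long serials cannot overflow; assumes serial-named files only. */
int hex_name_cmp(const char *a, const char *b)
{
    const char *da, *db;
    size_t la = hex_span(a, &da), lb = hex_span(b, &db);
    if (la != lb) return la < lb ? -1 : 1;          /* more digits = larger value */
    for (size_t i = 0; i < la; i++) {
        int ca = toupper((unsigned char)da[i]), cb = toupper((unsigned char)db[i]);
        if (ca != cb) return ca < cb ? -1 : 1;      /* '0'-'9' sort below 'A'-'F' */
    }
    return 0;
}
static int by_alpha(const void *x, const void *y) { return strcmp(*(const char *const *)x, *(const char *const *)y); }
static int by_hex(const void *x, const void *y) { return hex_name_cmp(*(const char *const *)x, *(const char *const *)y); }

/* Sort a copy of SAMPLE and return the index at which needle lands (-1 if absent). */
int position_after_sort(int use_hex, const char *needle)
{
    const char *v[NSAMPLE];
    memcpy(v, SAMPLE, sizeof SAMPLE);
    qsort(v, NSAMPLE, sizeof v[0], use_hex ? by_hex : by_alpha);
    for (size_t i = 0; i < NSAMPLE; i++)
        if (strcmp(v[i], needle) == 0) return (int)i;
    return -1;
}

int main(void)
{
    printf("alphabetical: 0100.pem at index %d\n", position_after_sort(0, "0100.pem"));
    printf("hex-aware:    0100.pem at index %d\n", position_after_sort(1, "0100.pem"));
    return 0;
}
```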
2006-02-10 new version 1.4.0 released
New functionality:
- Certificate key usage extensions can be set:
The correct combination is enabled by setting the certificate purpose: Client, Server, Signing, E-Mail
- The certificate expiration can now be set:
Expiration is a most convenient feature. Usually certificates are valid several years. If you want to experiment with short validity, set valid days to 1.
Further visions: Imagine you want to give access to a resource using a client certificate that should expire with the end of a contract at a certain date. How about being able to enter a start and end date similar to 'openssl ca -startdate -enddate'?
- Display expired certificates in certstore.cgi list:
Expired certificates are marked red in the list by comparing their expiration date to the date of the webcert host.
- WebCert has been verified to work with openssl-0.9.8a
2005-06-25 new version 1.3.0 released
New functionality:
- Implementation of the serial number management:
This is the base for further improvements. Now, certificates are not only displayed, but also saved in the /certs directory. The serial number serves as the file name in tradition with identical OpenSSL behaviour.
- New forms for online certificate request generation:
New certificate requests are generated with buildrequest.cgi and genrequest.cgi, then forwarded for immediate signing. The form buildrequest.cgi became the new entry page, while certrequest.cgi, which handles the copy&paste of existing PEM requests, got a new menu item on the top menu.
- Re-design of certstore.cgi:
The certificate store CGI has been re-written to display the certificates sorted by creation time. Latest certs now appear first by default, and it can be switched to show oldest first, also.
Bug Fixes:
- certstore.cgi fails when certs are available in the certs directory, but the webserver has no rights to read it. Fix: When a cert is not readable, it is marked as not readable in the list.
- Having an extra newline at the end of a cut&paste certificate request results in a BEGIN/END lines error. Now the additional newline will be stripped off in certverify.cgi and certsign.cgi.
Please send requests, bug reports and comments as usual to: support[at]frank4dd.com
2004-03-09 new version 1.2.0 released
New functionality:
- Webcert has been re-written in 'C' for performance and portability:
WebCert is now using the OpenSSL library API instead of being a front-end to the commandline tool. This radical design change supports future extension.
2003-06-30 new version 1.0.0 released
New functionality:
- Webcert has been written to provide an easy way for creating certificates:
Perl CGI's provide a web interface to take PEM-encoded certificate requests and return a signed certificate, using our newly created, internal OpenSSL CA.