- when using an NSS database, skip loading the module database (#743042)
- when using an NSS database, skip loading root certs
- generate SPKAC values when generating CSRs, though we don't do anything with SPKAC values yet
- internally maintain and use challenge passwords, if we have them
- behave better when certificates have shorter lifetimes
- add/recognize/handle notification type "none"
- getcert: error out when "list -c" finds no matching CA (#743488)
- getcert: error out when "list -i" finds no matching request (#743485)
- don't incorrectly assume that CERT_ImportCerts() returns a NULL-terminated array (#742348)
- getcert: distinguish between {stat() succeeds but isn't a directory} and {stat() failed} when printing an error message (#739903)
- getcert resubmit/start-tracking: when we're looking for an existing request by ID, and we don't find one, note that specifically (#741262)
- fix validation check on EKU OIDs in getcert (#691351)
- get session bus mode sorted
- add a list of recognized EKU values to the getcert-request man page
- be more careful about checking if we can read a PIN file successfully
before we even call an API that might need us to try (#688229)
- fix strict aliasing warnings
- fix some use-after-free bugs in the daemon (#689776)
- fix a copy/paste error in certmonger-ipa-submit(8)
- getcert now suppresses error details when not given its new -v option
(#683926, more of #681641/#652047)
- updated translations
  - de, es, pl, ru, uk
  - Indonesian translation is now for "id" rather than "in"
- when canceling a submission request that's being handled by a helper,
reap the child process's status after killing it (#624120)
- update to 0.25
- new translations
  - in by Okta Purnama Rahadian!
- fix detection of cases where we can't access a private key in an NSS
database because we don't have the PIN
- teach '*getcert start-tracking' about the -p and -P options which the
'*getcert request' commands already understand (#621670), and also
the -U, -K, -E, and -D flags
- double-check that the nicknames of keys we get back from
PK11_ListPrivKeysInSlot() match the desired nickname before accepting
them as matches, so that our tests won't all blow up on EL5
- fix dynamic addition and removal of CAs implemented through helpers
- init script: ensure that the subsys lock is created whenever we're called to
"start" when we're already running (even more of #596719)
- more gracefully handle manual daemon startups and cleaning up of unexpected
crashes (still more of #596719)
- don't create the daemon pidfile until after we've connected to the D-Bus
(still more of #596719)
- keep the lock on the pid file, if we have one, when we fork, and cancel
daemon startup if we can't gain ownership of the lock (the rest of
#596719)
- make the man pages note which external configuration files we consult
when submitting requests to certmaster and ipa CAs
- new translations
  - de by Fabian Affolter!
- certmaster-submit: don't fall over when we can't find a certmaster.conf
or a minion.conf (i.e., certmaster isn't installed) (#588932)
- when reading extension values from certificates, prune out duplicate
principal names, email addresses, and hostnames
- getcert/*-getcert: relay the desired CA to the local service, whether
specified on the command line (in getcert) or as a built-in hard-wired
default (in *-getcert) (#584983)
- flesh out the default certmonger.conf so that people can get a feel for
the expected formatting (Jenny Galipeau)
- correctly parse certificate validity periods given in years (spotted by
Stephen Gallagher)
- setup for translation
  - es by Héctor Daniel Cabrera!
  - ru by Yulia Poyarkova!
  - uk by Yuri Chornoivan!
- fix unpreprocessed defaults in certmonger.conf's man page
- tweak the IPA-specific message that indicates a principal name also needs
to be specified if we're not using the default subject name (#579542)
- make the validity period of self-signed certificates into a configuration
setting and not a piece of the state information we track about the
signer
- init script: exit with status 2 instead of 1 when invoked with an
unrecognized argument (#584517)
- add support for using encrypted storage for keys, using PIN values
supplied directly or read from files whose names are supplied
- don't choke on NSS database locations that use the "sql:" or "dbm:"
prefix