Release Notes
This page provides the latest information about the HID Validation Authority.
What's New
- Rebranding Update: ActivID Validation Authority is now HID Validation Authority
  ActivID Validation Authority has been officially rebranded as HID Validation Authority. The core functionality, reliability, and support remain the same.
- Support for 3072-bit Asymmetric Key
  The Asymmetric Signature Key, Asymmetric Audit Log Key, and Asymmetric SSL Key can now be configured to use a 3072-bit key. For more details on regenerating keys and which keys to regenerate, refer to Configuring the Keystore.
- Email Logging Configuration
  Email logging has been enhanced in HID Validation Authority, allowing automated alerts to be triggered based on severity levels such as INFO, DEBUG, TRACE, WARN, ERROR, and FATAL. This improvement provides greater flexibility in monitoring system events and ensures timely responses to operational issues. By default, Validation Authority is configured to send email alerts for ERROR and FATAL events, helping to focus on critical issues. For more details, refer to Configure System Settings - Logging.
- Asymmetric SSL Key Renewal
  In alignment with the CA/B Forum’s upcoming reduction of SSL/TLS certificate lifespans to 47 days by 2029, HID Validation Authority now supports automated Asymmetric SSL Key renewal at scheduled intervals. This enhancement ensures continuous compliance with industry standards while reducing manual certificate management effort. For more details, refer to Configure Asymmetric SSL Key Renewal.
- Asymmetric Audit Log Key Renewal
  HID Validation Authority now supports automated Asymmetric Audit Log Key renewal at scheduled intervals. This enhancement ensures continuous compliance with industry standards while reducing manual certificate management effort. For more details, refer to Configure Asymmetric Audit Log Key Renewal.
- Certificate Authority
  HID Validation Authority now supports Microsoft Windows Server 2022 Certificate Authority.
- Platform and Software Upgrades
  HID Validation Authority now supports the following:
  - Oracle JDK 11.0.26/17.0.12
  - OpenJDK 11.0.2/17.0.2 (from OpenJDK.org)
  - Microsoft Windows Server 2025
  - PostgreSQL 17 Database
  - Tomcat minor version upgrade

- Empty CRLs Management
  ActivID Validation Authority now supports managing empty CRLs. This helps validate the certificate status when the CRL is empty.
- Notification for Maximum Proof List Entries
  ActivID Validation Authority can now be configured to send an email notification whenever the number of proof list entries in the proof file reaches 90% of the configured “Maximum proof list entries” value.
- HSM Product Name Changes
  HSM product names in the keystore configuration page have been changed to align with the HSM vendors' name changes:
  - Gemalto SafeNet Luna is changed to Thales Luna
  - Thales nShield is changed to Entrust nShield
- Platform and Software Upgrades
  ActivID Validation Authority now supports the following:
  - OpenJDK 11.0.2/15.0.2/17.0.2 (from OpenJDK.org)
  - Oracle JDK 11.0.12/15.0.2/17.0.2
  - Microsoft® Windows Server 2022
  - Microsoft Windows Server 2019 Certificate Authority
  - PostgreSQL 15 Database
  - Tomcat minor version upgrade
  - Log4j2 version upgrade

- Advanced Logging
  ActivID Validation Authority now provides advanced logging capabilities through Log4j2. Users can configure log retention periods, and log files can be automatically labeled, zipped, and stored at different locations.
- Include Issuer's SKI
  ActivID Validation Authority now provides a configurable option to include the issuer's SKI in each proof file name, regardless of whether the issuer holds a single certificate or multiple certificates.
- Status Page for Direct OCSP
  ActivID Validation Authority now allows you to view status reports for Direct OCSP requests served by the Validation Authority. The page shows the total number of OCSP requests and their resolution (success/error), recent OCSP requests, and generated proof files.
- Enable Printable String for DN
  ActivID Validation Authority now provides a configurable option to generate the CSR with the DN encoded as PrintableString rather than the default UTF8String.
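The following is an added example, not code from the release notes or from the HID Validation Authority product. It shows what the PrintableString versus UTF8String option changes at the DER level when a CSR subject is built, and it includes the check an operator wants before enabling the option: PrintableString can only carry a restricted character set, so a subject value containing, for example, '@', '_' or a non-ASCII letter cannot be encoded that way and is rejected here instead of being mis-tagged. The attribute values and helper names are constructed for the example.

```python
"""
Added example, not part of the HID Validation Authority release notes or product:
DER encoding of an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue), the
structure a CSR subject carries, with every string value tagged either
UTF8String (0x0C, the default) or PrintableString (0x13). PrintableString has a
restricted repertoire (letters, digits, space and ' ( ) + , - . / : = ?), so a
value outside it is rejected rather than silently mis-tagged. Sample values are
constructed; the product's own CSR builder is not shown here.
"""
from typing import List, Sequence, Tuple

UTF8STRING = 0x0C
PRINTABLESTRING = 0x13
TAG_OID, TAG_SEQUENCE, TAG_SET = 0x06, 0x30, 0x31

# DER-encoded OID bodies for arc 2.5.4.x (40*2+5 = 0x55, 0x04, x)
OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)
OID_O = bytes.fromhex("55040a")   # id-at-organizationName (2.5.4.10)

# The X.680 PrintableString repertoire
PRINTABLE_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)


def der_length(n: int) -> bytes:
    """DER definite-length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + der_length(len(content)) + content


def printable_violations(value: str) -> List[str]:
    """Characters of value that PrintableString cannot represent (sorted, unique)."""
    return sorted(set(value) - PRINTABLE_CHARS)


def encode_string(value: str, printable: bool) -> bytes:
    """Encode a DirectoryString value as PrintableString or UTF8String."""
    if printable:
        bad = printable_violations(value)
        if bad:
            raise ValueError(f"not PrintableString-safe: {bad!r} in {value!r}")
        return der_tlv(PRINTABLESTRING, value.encode("ascii"))
    return der_tlv(UTF8STRING, value.encode("utf-8"))


def encode_rdn(oid: bytes, value: str, printable: bool = False) -> bytes:
    """One RelativeDistinguishedName: SET { SEQUENCE { type OID, value } }."""
    atv = der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, oid) + encode_string(value, printable))
    return der_tlv(TAG_SET, atv)


def encode_name(attrs: Sequence[Tuple[bytes, str]], printable: bool = False) -> bytes:
    """A full Name as a CSR subject carries it: SEQUENCE OF RDN."""
    return der_tlv(TAG_SEQUENCE, b"".join(encode_rdn(o, v, printable) for o, v in attrs))


if __name__ == "__main__":
    # Constructed sample subject; only the string tag differs between the two encodings.
    subject = [(OID_CN, "va.example.com"), (OID_O, "HID Global")]
    print("UTF8String      :", encode_name(subject).hex())
    print("PrintableString :", encode_name(subject, printable=True).hex())
    # A value the option cannot encode: the operator must know this before switching.
    print("violations in 'Zürich AG':", printable_violations("Zürich AG"))
```

Run on its own, the two hex dumps differ only in the value tags (0c versus 13); the third line shows why a subject containing `ü` must stay UTF8String.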
- ECDSA Algorithm for SSL Key
  ActivID Validation Authority now supports the EC and DSA algorithms for the SSL key with the Oracle keystore.

- RESTful APIs
  To support eIDAS requirements, OCSP can only return a valid response if the certificate information exists in the database. ActivID Validation Authority now allows you to import certificates, update the status of existing certificates, and request the current status through REST APIs.
- PKI Logon
  ActivID Validation Authority now supports PKI logon, implementing two-factor authentication in support of Homeland Security Presidential Directive 12 (HSPD-12).
- Automatic Key Renewal
  ActivID Validation Authority now supports automatic replacement of the Asymmetric Signature Key, which is used to sign OCSP responses.
- nextUpdate Field for Expiring Certificates
  ActivID Validation Authority now supports setting the "nextUpdate" field to "99991231235959Z", as referred to in EN 319 411-1 (section 6.3.10: CSS-6.3.10-11).
  To enable this feature, enter a positive integer in the Issuer Certificate Expiry duration field. The value specifies the number of days before the issuer certificate expires from which point the nextUpdate field in the OCSP response is set to this value.
- Archive Cutoff Date
  ActivID Validation Authority now allows you to add an archive cutoff date to OCSP responses, as described in IETF RFC 6960. To enable the archiveCutoff field in the OCSP response, enter a positive integer in the Retention Period field. The system subtracts the entered retention period from the producedAt time to obtain the archiveCutoff date. If the desired behavior is for the archiveCutoff date to be the same as the issuer's valid-from (notBefore) date, select the Issuer's notBefore check box.
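The two response-field rules above (the nextUpdate sentinel for an expiring issuer certificate, and the archiveCutoff computation) are worked through in the following added example. It is not code from the release notes or the product: the regular nextUpdate interval (`validity_hours`), the function and field names, and the sample certificate dates are all assumptions constructed for the example.

```python
"""
Added example, not part of the HID Validation Authority release notes or product:
the two OCSP response-field rules described above, in plain Python.

  nextUpdate    - if producedAt falls within the configured number of days before
                  the issuer certificate's notAfter, nextUpdate is the
                  GeneralizedTime sentinel "99991231235959Z"; otherwise the regular
                  value (producedAt plus the responder's normal validity interval).
  archiveCutoff - producedAt minus the retention period (RFC 6960 section 4.4.4),
                  or the issuer's notBefore when that option is chosen; omitted
                  when no positive retention period is configured.

Assumptions made for this example: the regular validity interval (validity_hours),
the parameter names and all sample dates are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NO_EXPIRY_SENTINEL = "99991231235959Z"  # the value the release note refers to


def to_generalized_time(dt: datetime) -> str:
    """Encode a timezone-aware datetime as ASN.1 GeneralizedTime in UTC."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


@dataclass(frozen=True)
class IssuerCert:
    """Only the validity dates of the issuer certificate matter here."""
    not_before: datetime
    not_after: datetime


def next_update(produced_at: datetime, issuer: IssuerCert,
                expiry_window_days: Optional[int], validity_hours: int = 24) -> str:
    """Return the nextUpdate value for a response produced at produced_at.

    expiry_window_days stands for the 'Issuer Certificate Expiry duration'
    setting: a positive integer enables the rule, anything else leaves it off.
    """
    if expiry_window_days is not None and expiry_window_days > 0:
        window_start = issuer.not_after - timedelta(days=expiry_window_days)
        if produced_at >= window_start:
            return NO_EXPIRY_SENTINEL
    return to_generalized_time(produced_at + timedelta(hours=validity_hours))


def archive_cutoff(produced_at: datetime, issuer: IssuerCert,
                   retention_days: Optional[int],
                   use_issuer_not_before: bool = False) -> Optional[str]:
    """Return the archiveCutoff value, or None when the extension is not emitted."""
    if use_issuer_not_before:
        return to_generalized_time(issuer.not_before)
    if retention_days is None or retention_days <= 0:
        return None  # disabled: no positive Retention Period configured
    return to_generalized_time(produced_at - timedelta(days=retention_days))


# Constructed sample input (not real certificate data).
SAMPLE_ISSUER = IssuerCert(
    not_before=datetime(2020, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2030, 1, 1, tzinfo=timezone.utc),
)
SAMPLE_PRODUCED_AT = datetime(2029, 12, 20, 12, 0, 0, tzinfo=timezone.utc)


def demo() -> dict:
    """Evaluate both rules on the constructed sample and return the results."""
    return {
        "nextUpdate_30_day_window": next_update(SAMPLE_PRODUCED_AT, SAMPLE_ISSUER, 30),
        "nextUpdate_5_day_window": next_update(SAMPLE_PRODUCED_AT, SAMPLE_ISSUER, 5),
        "archiveCutoff_365_days": archive_cutoff(SAMPLE_PRODUCED_AT, SAMPLE_ISSUER, 365),
        "archiveCutoff_issuer_notBefore": archive_cutoff(
            SAMPLE_PRODUCED_AT, SAMPLE_ISSUER, 365, use_issuer_not_before=True),
        "archiveCutoff_disabled": archive_cutoff(SAMPLE_PRODUCED_AT, SAMPLE_ISSUER, 0),
    }


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```

With the sample issuer expiring on 2030-01-01 and a response produced on 2029-12-20, a 30-day window yields the sentinel while a 5-day window still yields the regular nextUpdate; the archiveCutoff cases show the retention-period subtraction, the notBefore override, and the field being omitted when no positive retention period is set.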
- Latest Environment Support
  ActivID Validation Authority now supports Microsoft SQL Server 2019, PostgreSQL 9 and 12, Oracle 12c R1, R2 and 19c. It also leverages the latest Apache Tomcat® 9.
List of Tested Configuration
For this release, HID Global has tested the following configurations on the listed operating systems. For details, see the environment information listed in the Configuration Requirements section.
Operating System | Java Version | Database | HSM |
---|---|---|---|
Windows Server 2016 | Oracle JDK 11.0.26 | PostgreSQL 15, SQL Server 2019 | Oracle SunJCE keystore (Soft HSM); Thales Luna HSM with firmware 7.0.3, software 7.8.4-254, and client version 10.7.2-16 |
Windows Server 2019 | Oracle JDK 11.0.12 | PostgreSQL 17 | Thales T7 HSM with firmware 7.11.2, software 7.11.1, and client version 7.13.2-1 |
Windows Server 2022 | Oracle JDK 17.0.12, OpenJDK 17.0.2 | PostgreSQL 15/17, Oracle 19c | Oracle SunJCE keystore (Soft HSM); Entrust nCipher with firmware 12.72.1 and client version 13.3.2 |
Windows Server 2025 | Oracle JDK 17.0.12 | PostgreSQL 17 | Oracle SunJCE keystore (Soft HSM); Thales T7 HSM with firmware 7.11.2, software 7.11.1, and client version 7.13.2-1 |
RHEL 8 | Oracle JDK 11.0.26/17.0.12, OpenJDK 11.0.2/17.0.2 | SQL Server 2019, Oracle 19c | Oracle SunJCE keystore (Soft HSM); Thales Luna HSM with firmware 7.0.3, software 7.8.4-254, and client version 10.7.2-16 |
Special Notes for HSM Users
For HSM-specific client configuration, please carefully read the appropriate section corresponding to your HSM type in the Installation and Configuration section.
- Thales Luna HSM (formerly Gemalto/SafeNet LunaSA) and Luna PCIe
  - Tested on Luna K7 with firmware 7.0.3 and software 7.8.4-254, client version 10.7.2-16
    Note: With firmware version 7.0.3, SSL handshakes do not work. Use the Oracle SunJCE keystore (software-only keystore) for SSL keys.
- Entrust nCipher (formerly Thales nShield) Connect, Connect+, Connect XC, Solo and Solo+
  - Tested with firmware 12.72.1 and client version 13.3.2
- Thales T7 HSM (LunaSA 7.11.0)
  - Tested with firmware 7.11.2, software 7.11.1, and client version 7.13.2-1.
SSL Ciphers
Validation Authority is configured by default with the following list of ciphers, used with the TLS 1.2 protocol.
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
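The default list above mixes suites of quite different strength, and an operator trimming it for a hardened deployment needs to know which is which. The following added example (not code from the release notes or the product) decomposes each suite name by the standard TLS naming convention and reports which suites lack forward secrecy (static RSA or static ECDH key exchange), which still use CBC mode or a SHA-1 HMAC, and which are TLS 1.3 suites; the first two entries, TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384, are TLS 1.3-only names that carry no key-exchange field. The list is copied from the release notes; the classification rules are general TLS knowledge, not product behaviour.

```python
"""
Added example, not part of the HID Validation Authority release notes or product:
a classifier for the default cipher-suite list above. DEFAULT_CIPHERS is the
list from the release notes; the rules below are the standard IANA suite naming
conventions (TLS_<kx>_<auth>_WITH_<cipher>_<mode>_<mac>, or TLS_<cipher>_<mode>_<mac>
for TLS 1.3), not product behaviour.
"""
import re

DEFAULT_CIPHERS = """
TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
""".split()

# The key-exchange/authentication prefix is absent for TLS 1.3 suite names.
SUITE_RE = re.compile(
    r"^TLS_"
    r"(?:(?P<kx>ECDHE|ECDH|DHE|RSA)(?:_(?P<auth>ECDSA|RSA|DSS))?_WITH_)?"
    r"(?P<cipher>AES_(?:128|256))_(?P<mode>GCM|CBC)_(?P<mac>SHA256|SHA384|SHA)$"
)


def classify(name: str) -> dict:
    """Break one suite name into its security-relevant properties."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    kx, auth, mode, mac = m["kx"], m["auth"], m["mode"], m["mac"]
    tls13 = kx is None
    return {
        "name": name,
        "tls_version": "1.3" if tls13 else "1.2",
        # TLS 1.3 negotiates (EC)DHE/PSK outside the suite name, so it is always ephemeral.
        "key_exchange": "negotiated separately" if tls13 else kx,
        "authentication": "certificate or PSK" if tls13 else (auth or kx),
        "forward_secrecy": tls13 or kx in ("ECDHE", "DHE"),
        "aead": mode == "GCM",          # GCM is AEAD; CBC relies on MAC-then-encrypt
        "sha1_mac": mac == "SHA",       # bare "SHA" means HMAC-SHA1
    }


def summarize(names) -> dict:
    """Aggregate the properties of a suite list and flag duplicates."""
    seen, duplicates, rows = set(), [], []
    for n in names:
        if n in seen:
            duplicates.append(n)
        seen.add(n)
        rows.append(classify(n))
    return {
        "total": len(names),
        "duplicates": duplicates,
        "tls13": sum(r["tls_version"] == "1.3" for r in rows),
        "forward_secrecy": sum(r["forward_secrecy"] for r in rows),
        "no_forward_secrecy": sorted(r["name"] for r in rows if not r["forward_secrecy"]),
        "cbc": sum(not r["aead"] for r in rows),
        "sha1_mac": sum(r["sha1_mac"] for r in rows),
    }


if __name__ == "__main__":
    report = summarize(DEFAULT_CIPHERS)
    for key, value in report.items():
        if key != "no_forward_secrecy":
            print(f"{key}: {value}")
    print("suites without forward secrecy:")
    for n in report["no_forward_secrecy"]:
        print("  ", n)
```

Run as-is, the report shows the shape of the default list: 43 distinct suites, of which 2 are TLS 1.3 names, 17 use static RSA or static ECDH key exchange and so provide no forward secrecy, 27 use CBC mode and 14 of those still use HMAC-SHA1. Any pruned list can be fed to `summarize()` the same way before it is applied.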
HID Global has tested the following browsers using Entrust nShield (formerly Thales nShield) Connect XC HSM:
- Google® Chrome
- Firefox®
- Microsoft Edge®
Carefully read the previous section, “Special Notes for HSM Users”, as each HSM provider has issues implementing SSL ciphers.
Consider using the Oracle SunJCE keystore (software-only keystore) for SSL keys if the HSM of your choice does not support the ciphers of interest.
Known Problems and Limitations
- HID Validation Authority does not support the EC algorithm for the SSL key with HSMs.
- JDK 17 is not supported on Thales T7 HSM. Refer to the List of Tested Configuration table for compatible combinations.