During the second half of 2024, the development of X-Road 8 “Spaceship” and X-Road 7 “Unicorn” has continued in parallel. Dividing the available development resources between two major versions isn't easy, but despite that, both versions have made good progress. Also, some minor under-the-hood technical changes initially implemented for X-Road 8 have already been included in X-Road 7. This blog post focuses on the latest changes in X-Road 7. A separate blog post about the latest X-Road 8 news will follow soon.
X-Road version 7.6.0 is released in December 2024. Let’s see what the new version highlights are! The full release notes are available here.
Support for automatic renewal of authentication and sign certificates
Since version 7.5.0, automating the Security Server authentication and sign certificate management using the Automatic Certificate Management Environment (ACME) protocol has been possible. However, the initial support didn’t cover automatic certificate renewal, which has now been added to version 7.6.0.
Starting from version 7.6.0, authentication and sign certificates originally issued using ACME can be automatically renewed. Automatic renewal is enabled by default, but the Security Server administrator can turn it off.
The Security Server runs the renewal job regularly and tries to renew certificates that are ready for renewal. If the ACME server supports the ACME ARI extension, the ACME server determines when a certificate is ready for renewal. Otherwise, the time is defined by a configuration property on the Security Server. The default value of the property is 14 days, which means that the Security Server starts trying to renew a certificate 14 days before it expires. The Security Server administrator can change the value.
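The renewal-readiness rule described above can be sketched as follows. This is an added example, not X-Road code: the function names and sample certificates are hypothetical, the ARI response is reduced to its `suggestedWindow` field, the start of that window is treated as the moment a certificate becomes ready, and falling back to the local rule on unusable ARI data is an assumption of this sketch.

```python
import json
from datetime import datetime, timedelta, timezone

FALLBACK_DAYS = 14  # default stated in the post; the property name is not given there

def parse_ts(value):
    """Parse an RFC 3339 timestamp as used in ARI responses."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def renewal_start(not_after, ari_json=None, fallback_days=FALLBACK_DAYS):
    """Return (earliest renewal time, source of the decision)."""
    if ari_json is not None:
        try:
            window = json.loads(ari_json)["suggestedWindow"]
            start, end = parse_ts(window["start"]), parse_ts(window["end"])
            if start < end:
                return start, "ari"  # the ACME server decides
        except (ValueError, KeyError, TypeError, AttributeError):
            pass  # assumption: unusable ARI data falls back to the local rule
    return not_after - timedelta(days=fallback_days), "fallback"

def due_certificates(now, certs):
    """Return {name: source} for every certificate ready for renewal at 'now'."""
    due = {}
    for name, not_after, ari_json in certs:
        start, source = renewal_start(not_after, ari_json)
        if now >= start:
            due[name] = source
    return due

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample data: (name, certificate expiry, ARI response or None)
ARI_EARLY = '{"suggestedWindow": {"start": "2025-01-09T00:00:00Z", "end": "2025-01-11T00:00:00Z"}}'
ARI_LATE = '{"suggestedWindow": {"start": "2025-01-12T00:00:00Z", "end": "2025-01-13T00:00:00Z"}}'
CERTS = [
    ("auth-no-ari", utc(2025, 1, 20), None),          # 10 days left, local rule
    ("sign-no-ari", utc(2025, 3, 1), None),           # 50 days left, local rule
    ("auth-ari-early", utc(2025, 3, 1), ARI_EARLY),   # server asks for early renewal
    ("sign-ari-late", utc(2025, 1, 15), ARI_LATE),    # 5 days left, window not open yet
    ("sign-bad-ari", utc(2025, 1, 20), "not json"),   # unusable ARI data
]

if __name__ == "__main__":
    print(due_certificates(utc(2025, 1, 10), CERTS))
```

The `sign-ari-late` case shows why the two rules differ: the certificate is inside the 14-day window, but the ACME server's suggested window has not opened, so the job skips it on this run.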
After a certificate has been renewed, it still needs to be activated on the Security Server. The Security Server starts using the new certificate only after activation. In version 7.6.0, activating a certificate is a manual process that needs to be done by the Security Server administrator. Support for automatic activation will be added in version 7.7.0. The authentication certificate registration request, however, is sent automatically when an authentication certificate is renewed using ACME. In this way, activating the certificate is the only manual step required after a successful certificate renewal. If email notifications are enabled, the administrator receives an email notification when a certificate is ready for activation.
More details are available in the Security Server User Guide.
Support for sending email notifications
Starting from version 7.6.0, the Security Server supports sending email notifications on ACME-related events. Notifications are sent in case of authentication and sign certificate renewal success and failure and authentication certificate registration success. They are sent to a member-specific email address defined by the Security Server administrator in a specific configuration file on the Security Server.
Success and failure notifications can be turned on and off separately with their configuration properties. By default, both notifications are enabled. However, for the email notifications to work, an external mail server needs to be configured, and the Security Server must be able to communicate with it. The configuration can be tested using the Security Server's Diagnostics view, which provides a feature for sending test emails. The configuration details are available in the Security Server User Guide.
Support for Elliptic Curve Cryptography (ECC)
Before version 7.6.0, X-Road only supported RSA cryptography for the Security Server authentication and sign keys, as well as for signing and verifying the global configuration. Starting from version 7.6.0, Elliptic Curve Cryptography (ECC) and ECDSA keys are also supported. To guarantee full backwards compatibility with the previous X-Road versions, support for ECC keys is disabled by default, and it must be enabled separately for different features, e.g., authentication keys, sign keys, and signing global configuration. More information about switching to ECC is available in the Security Server User Guide and Central Server User Guide.
Support for multiple languages
Over the years, support for additional languages besides English has been requested frequently. Starting from version 7.6.0, the Central Server and Security Server UIs support multiple languages. The default language is still English, but the user can select any of the available languages using the language menu in the UIs. The additional supported languages are Spanish for the Central Server and the Security Server, and Estonian for the Security Server. The technical implementation for the support and the additional languages were received as contributions from the community. Thank you to the contributors – your effort is highly appreciated!
Remove support for Ubuntu 20.04 LTS and Red Hat Enterprise Linux 7 (RHEL7)
Starting from version 7.6.0, the Central Server, Security Server, and Configuration Proxy support Ubuntu 22.04 LTS and 24.04 LTS, while support for Ubuntu 20.04 LTS has been dropped. In addition, the Security Server supports RHEL8 and RHEL9, while support for RHEL7 has been dropped. If you need to upgrade from Ubuntu 20.04 LTS or RHEL7 to a newer OS version, the X-Road Knowledge Base provides multiple migration guides.
Other improvements and updates
Besides the already-mentioned features, version 7.6.0 includes many other minor improvements and updates. Examples include support for collecting operational monitoring data on the REST endpoint level, showing more information about information system TLS certificates in the subsystem internal servers view on the Security Server, support for logging the Common Name (CN) field of the client certificate used by a consumer information system, and an upgrade from Java 17 to Java 21.
In addition, version 7.6.0 adds support for verifying and logging messages with non-batch signatures, while batch signatures continue to be used by default. X-Road 8, in turn, will also support generating non-batch signatures, and therefore, being able to verify and log them is required for X-Road 7 to be interoperable with X-Road 8. In other words, based on current knowledge, X-Road 7 is interoperable with X-Road 8 starting from version 7.6.0.
To fully understand all the changes in version 7.6.0, please review the release notes document.
What’s next?
Version 7.7.0 will support automatic activation of authentication and sign certificates that have been renewed using ACME. Other changes that will be introduced in version 7.7.0 include, but are not limited to, support for defining a full name for subsystems, support for removing HSM tokens using the Security Server UI and REST management API, support for disabling all subsystems of a Security Server together, and putting a Security Server in a maintenance mode. Version 7.7.0 will be released during Q2 in 2025.
While developing X-Road 7, NIIS continues to work on the next X-Road major version – X-Road 8 “Spaceship”. More news regarding X-Road 8 will be published regularly. Stay tuned!