Stream 2.1.0 release notes

Here are the release notes for EverTrust Stream v2.1.0, released on 2025-04-30.

For the installation and upgrade procedure, please refer to the Installation and Upgrade guide.

The Akka framework has been replaced by Pekko. It can lead to configuration changes if you manually manage the Stream configuration.

1. New Features

  • [STM-772] - Added support for MLDSA and hybrid certificates (Catalyst / Chimera / AltPubKey)

  • [STM-378] - Introduced support for SSH certificates

  • [STM-919] - Implemented keystore health checks. Status can now be used to influence readiness in HA environments. Learn more …​

2. Enhancements

  • [STM-896] - Reorganized technical configuration parameters for improved structure and clarity. Learn more …​

  • [STM-842] - A description can now be added on Certificate Authorities

  • [STM-890] - Enabled notifications on CRL Sync Error

  • [STM-1053] - Added support for the Title RDN attribute

  • [STM-782] - Changed database driver. Stream Mongo URI can now be used with mongosh.

Some connection options in Mongo URI are no longer available: keyStore, keyStorePassword, keyStoreType. If these are used, please contact the EVERTRUST support for migration steps.

3. Bug Fixes

  • [STM-592] - Available dynamic attributes on RL Storages are now properly displayed

  • [STM-893] - Stream RL Storage now correctly updates nextRefresh when using lazy CRL generation

  • [STM-921] - Fixed an issue where DN elements had to be capitalized in notification dynamic attributes and RL storage configurations

  • [STM-1131] - Resolved a bug that prevented authorizations containing a / from opening in the Web UI

  • [STM-1154] - Fixed an issue where DN elements with trailing spaces could not be enrolled correctly

4. Known Defects

  • [STM-1174] - AWS SDK now enforces checksum by default, which may not yet be supported by S3 providers other than AWS. To fix the issue, env variables AWS_REQUEST_CHECKSUM_CALCULATION=when_required and AWS_RESPONSE_CHECKSUM_CALCULATION=when_required must be set. This behavior will be configurable for each S3 in future releases

  • [STM-1207] - Lifecycle permissions on all Certificate authorities (lifecycle:*:…​) are not migrated correctly and lead to invalid permissions, that can result in denied requests. To fix this issue, you will need to delete the old permission and replace it with the new permission lifecycle:x509:*

  • [STM-1229] - Updating a PKCS#11 keystore can result in an application crash

  • [STM-1231] - RPM upgrade logs errors due to an error in mongo url automatic migration. If your uri does not contain specific options, it will not have any impact

5. API Modifications

  • [STM-772] - The description field in a PrivateKey object (to create a key, or returned from keystore list operations) is now a string enum instead of an object