github jeffcaldwellca/mkcertWeb v4.1.0
v4.1.0 — SCEP & settings security fixes
on GitHub

5 hours ago

Release Notes — Version 4.1.0

Release Date: 2026-06-11
Type: Security + bugfix release
Severity: High (SCEP)
Upgrade priority: Recommended (urgent if the SCEP endpoint is exposed)

TL;DR — what you must do on upgrade

  1. If you run the SCEP endpoint, upgrade promptly. Before this release,
    PKIOperation enrollment was unauthenticated whenever no challenge password
    had been issued (the state at every boot), so any client that could reach
    /scep could obtain a certificate signed by your local CA, for any hostname.
    After upgrading, enrollment requires a challenge password by default. To keep
    the old open-enrollment behavior, set SCEP_ALLOW_OPEN_ENROLLMENT=true
    (not recommended); to restrict which names the CA will sign, set
    SCEP_ALLOWED_DOMAINS (comma-separated domain suffixes).
  2. No data migration is required. All other changes are backward compatible.

Security fixes

  • SCEP enrollment fails closed. A valid challenge password is now always
    required unless SCEP_ALLOW_OPEN_ENROLLMENT is explicitly enabled.
  • SCEP CSR identity validation. Every CN/SAN must be a valid hostname or IP,
    and SCEP_ALLOWED_DOMAINS can restrict issuance to configured domain
    suffixes. The CA no longer signs for arbitrary subjects.
  • All settings secrets are masked in GET /api/settings, /running, and
    /export (previously ntfy.token, ntfy.password, and webhook.headers
    leaked).
  • Settings writes are allowlisted to the settings-form schema, blocking
    prototype pollution and arbitrary-key injection via POST /api/settings and
    /import.
  • /api/execute uninstall-ca now requires confirm: true and enabled
    authentication, matching /api/uninstall-ca.
  • Enterprise CA OpenSSL config injection via newline/metacharacters in
    CN/UPN/SAN is rejected.
  • SCEP GetCACaps no longer advertises weak SHA-1 / DES3.

Bug fixes

  • /api/execute no longer throws ReferenceError for install-ca,
    uninstall-ca, caroot, and list, and returns the real command output.
  • SCEP certificate generation no longer always throws (enterprise CA call
    signature fixed).
  • Test Email, Verify SMTP, Check Expiry, and Start/Stop Monitoring buttons now
    issue POST instead of GET and work again.
  • GET /api/certificates no longer merges same-named certificates from
    different folders into one entry.
  • GET /api/rate-limit/status no longer returns 500.
  • The FORCE_HTTPS redirect builds a correct target instead of string-replacing
    the port, and answers 400 (instead of crashing) on a missing Host header.
  • Certificate monitoring reports a real failure for an invalid cron expression
    instead of falsely reporting success; PUT /api/monitoring/config validates
    the cron expression before applying it.
  • validateRequest returns 400 (not 500) for non-string values; async route
    errors flow through the centralized error handler; the settings UI shows the
    real error message.

Added

  • A node:test suite (npm test) with 63 tests covering the fixes above.
  • SCEP_ALLOW_OPEN_ENROLLMENT and SCEP_ALLOWED_DOMAINS configuration.

Images

  • GHCR: ghcr.io/jeffcaldwellca/mkcertweb:4.1.0 (built automatically by CI on
    the v4.1.0 tag).
  • Docker Hub: jeffcaldwellca/mkcertweb:4.1.0 (published via
    ./docker-build-push.sh).
Check out latest releases or
releases around jeffcaldwellca/mkcertWeb v4.1.0

Don't miss a new mkcertWeb release

NewReleases is sending notifications on new releases.

Get notifications