##################
1.4.0 (2016-09-09)
##################

* Make sure that Child CAs never expire after their parents. If the user specifies an expiry after
  that of the parent, it is silently changed to the parents expiry.
* Make sure that certificates never expire after their CAs. If the user specifies an expiry after
  that of the parent, throw an error.
* Rename the ``--days`` parameter of the ``sign_cert`` command to ``--expires`` to match what we
  use for ``init_ca``.
* Improve help-output of ``--init-ca`` and ``--sign-cert`` by further grouping arguments into
  argument groups.
* Add ability to add CRL-, OCSP- and Issuer-URLs when creating CAs using the ``--ca-*`` options.
* Add support for the ``nameConstraints`` X509 extension when creating CAs. The option to the
  ``init_ca`` command is ``--name-constraint`` and can be given multiple times to indicate multiple
  constraints.
* Add support for the ``tlsfeature`` extension, a.k.a. "TLS Must Staple". Since OpenSSL 1.1 is
  required for this extension, support is currently totally untested.