diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 17a9ba2..94c9133 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -176,15 +176,6 @@ pilot:
       when: never
     - when: manual
-dev:
-  <<: *delivr-deploy
-  environment:
-    name: dev
-  rules:
-    - if: $CI_MERGE_REQUEST_EVENT_TYPE == "merge_train"
-      when: never
-    - when: manual
-
 publish-to-github:
   stage: publish
   image: alpine:latest
diff --git a/build.gradle b/build.gradle
index 460d411..ed710f4 100644
--- a/build.gradle
+++ b/build.gradle
@@ -34,6 +34,7 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
     implementation 'org.springframework.boot:spring-boot-starter-quartz'
     implementation 'org.springframework.boot:spring-boot-starter-security'
+    // for http client - we do not use reactive patterns in general
     implementation 'org.springframework.boot:spring-boot-starter-webflux'
     if (osdetector.os == "osx") {
         runtimeOnly "io.netty:netty-resolver-dns-native-macos:${managedVersions['io.netty:netty-resolver-dns-native-macos']}:osx-${osdetector.arch}"
diff --git a/hsm/build.gradle b/hsm/build.gradle
index f0f9b19..a04c869 100644
--- a/hsm/build.gradle
+++ b/hsm/build.gradle
@@ -31,9 +31,9 @@ dependencies {
         }
     }
     thalesImplementation "net.ripe.rpki:rpki-commons:$rpki_commons_version"
-    thalesImplementation 'com.thales.esecurity.asg.ripe.db-jceprovider:DBProvider:1.2'
+    thalesImplementation 'com.thales.esecurity.asg.ripe.db-jceprovider:DBProvider:1.4'
     // **When using JDK 11** make sure the matching version of nCipherKM is on classpath because DBProvider depends on it.
-    thalesImplementation 'com.ncipher.nfast:nCipherKM:12.81.2'
+    thalesImplementation 'com.ncipher.nfast:nCipherKM:13.4.5'
     thalesImplementation 'org.springframework:spring-context:5.3.27' // used in spring-context, but not exported.
diff --git a/src/main/java/net/ripe/rpki/domain/ManagedCertificateAuthority.java b/src/main/java/net/ripe/rpki/domain/ManagedCertificateAuthority.java
index c44ac57..2cc3344 100644
--- a/src/main/java/net/ripe/rpki/domain/ManagedCertificateAuthority.java
+++ b/src/main/java/net/ripe/rpki/domain/ManagedCertificateAuthority.java
@@ -215,7 +215,8 @@ private boolean resourcesChanged(CertificateIssuanceRequest request, OutgoingRes
         final ImmutableResourceSet removed = latestOutgoingCertificate.getResources().difference(request.getResourceExtension().getResources());
         log.info(
-            "Current certificate for resource class {} of {} has different resources. Added resources: {}, removed resources: {}",
+            "Current certificate at {} for resource class {} of {} has different resources. Added resources: {}, removed resources: {}",
+            v("url", latestOutgoingCertificate.getPublicationUri()),
             DEFAULT_RESOURCE_CLASS, v("subject", request.getSubjectDN()),
             v("addedResources", added), v("removedResources", removed),
             v("currentResources", latestOutgoingCertificate.getResources()), v("requestedResources", request.getResourceExtension())
@@ -291,12 +292,12 @@ private OutgoingResourceCertificate findOrIssueOutgoingResourceCertificate(Child
         }
         if (latestOutgoingCertificate == null) {
-            log.info("No current certificate for resource class {} and current key pair, requesting new certificate", DEFAULT_RESOURCE_CLASS);
+            log.info("No current certificate for resource class {} and current key pair for {}, requesting new certificate", DEFAULT_RESOURCE_CLASS, requestingCa.getName());
         }
         int count = resourceCertificateRepository.countNonExpiredOutgoingCertificates(request.getSubjectPublicKey(), getCurrentKeyPair());
         if (count >= issuedCertificatesPerSignedKeyLimit) {
-            throw new CertificationResourceLimitExceededException("number of issued certificates for public key exceeds the limit (" + count + " >= " + issuedCertificatesPerSignedKeyLimit + ")");
+            throw new CertificationResourceLimitExceededException("number of issued certificates for public key " + request.getSubjectPublicKey() + " of " + request.getSubjectDN() + " exceeds the limit (" + count + " >= " + issuedCertificatesPerSignedKeyLimit + ")");
         }
         return getCurrentKeyPair().processCertificateIssuanceRequest(requestingCa, request, validityPeriod, resourceCertificateRepository);
diff --git a/src/main/java/net/ripe/rpki/domain/manifest/ManifestEntity.java b/src/main/java/net/ripe/rpki/domain/manifest/ManifestEntity.java
index 98f8837..799e19c 100644
--- a/src/main/java/net/ripe/rpki/domain/manifest/ManifestEntity.java
+++ b/src/main/java/net/ripe/rpki/domain/manifest/ManifestEntity.java
@@ -74,6 +74,12 @@ public class ManifestEntity extends EntitySupport {
     @Column(name = "nextnumber", nullable = false)
     private long nextNumber;
+    /**
+     * Does the manifest need to be re-issued right now?
+     */
+    @Column(name = "needs_reissuance", nullable = false)
+    private boolean needsReissuance = false;
+
     @ManyToOne(optional = false)
     @JoinColumn(name = "keypair_id", nullable = false)
     private KeyPairEntity keyPair;
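Review bot: The new CertificationResourceLimitExceededException message concatenates `request.getSubjectPublicKey()` directly; if that is a `java.security.PublicKey`, the `toString()` of the default JDK providers renders a multi-line dump of the key parameters (modulus, exponent), so the exception text becomes several lines long and awkward in logs or in any response that carries the message. The subject DN that the same line already appends is enough to identify the requester; keep `" of " + request.getSubjectDN()` and drop the raw key, or substitute a short key identifier if the codebase has one. The enclosing method findOrIssueOutgoingResourceCertificate starts before this hunk.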
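Review bot: Nothing in this commit sets `needsReissuance` to true; it is only read in isUpdateNeeded and reset in update(), so the Javadoc on the new field should say where the flag comes from (presumably set directly in the `needs_reissuance` column by an operator, given the migration name "manifest_force_reissuance") and when it is cleared. Suggested text: `Set externally (e.g. directly in the database) to force the manifest to be re-issued on the next update check; cleared by update() once a new manifest has been issued.` The field has no setter in this hunk, so if an in-application trigger is intended a setter is still missing.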
@@ -128,7 +134,8 @@ public boolean isUpdateNeeded(DateTime now, Collection manifest
         return cms == null
             || isCloseToNextUpdateTime(now, cms)
             || parentCertificatePublicationLocationChanged(cms, keyPair.getCurrentIncomingCertificate())
-            || !cms.matchesFiles(manifestEntries.stream().collect(Collectors.toMap(PublishedObject::getFilename, PublishedObject::getContent, (a, b) -> b)));
+            || !cms.matchesFiles(manifestEntries.stream().collect(Collectors.toMap(PublishedObject::getFilename, PublishedObject::getContent, (a, b) -> b)))
+            || needsReissuance;
     }
     public void update(OutgoingResourceCertificate eeCertificate,
@@ -157,6 +164,7 @@ public void update(OutgoingResourceCertificate eeCertificate,
         publishedObject = new PublishedObject(keyPair, keyPair.getManifestFilename(), manifestCms.getEncoded(), false, keyPair.getCertificateRepositoryLocation(), manifestCms.getValidityPeriod(), manifestCms.getSigningTime());
         this.nextNumber++;
+        this.needsReissuance = false;
     }
     private ManifestCms buildManifestCms(Collection manifestEntries, KeyPair eeKeyPair, String signatureProvider) {
diff --git a/src/main/java/net/ripe/rpki/services/impl/background/ResourceCacheService.java b/src/main/java/net/ripe/rpki/services/impl/background/ResourceCacheService.java
index d92e98c..f828447 100644
--- a/src/main/java/net/ripe/rpki/services/impl/background/ResourceCacheService.java
+++ b/src/main/java/net/ripe/rpki/services/impl/background/ResourceCacheService.java
@@ -401,7 +401,7 @@ private static Optional isAcceptableDiff(ResourceDiffStat diffStat) {
         return Optional.of(new Rejection(
             String.format(
                 "The sum of all per-CA changes (%d) is too big, added %d prefixes, deleted %d prefixes",
-                diffStat.totalAdded + diffStat.totalDeleted,
+                diffStat.totalPerCaMutations(),
                 diffStat.totalAdded, diffStat.totalDeleted
             ),
             Optional.of(summary)
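Review bot: `|| needsReissuance` is appended as the last disjunct of isUpdateNeeded, after `!cms.matchesFiles(...)`, which streams every manifest entry into a map; since `||` short-circuits and the flag is a plain field read, it belongs first so a forced re-issuance does not pay for the collection work: `return needsReissuance || cms == null || isCloseToNextUpdateTime(now, cms) ...` with the remaining disjuncts unchanged. The result is the same boolean either way, only the evaluation order differs. Clearing the flag in update() next to `this.nextNumber++` matches the point where the new manifest is actually built. Both isUpdateNeeded and update() begin outside their hunks.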
diff --git a/src/main/resources/db/migration/V129__manifest_force_reissuance.sql b/src/main/resources/db/migration/V129__manifest_force_reissuance.sql
new file mode 100644
index 0000000..c7f2573
--- /dev/null
+++ b/src/main/resources/db/migration/V129__manifest_force_reissuance.sql
@@ -0,0 +1 @@
+ALTER TABLE manifestentity ADD COLUMN needs_reissuance BOOLEAN DEFAULT FALSE;
\ No newline at end of file
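Review bot: The migration adds `needs_reissuance` as `BOOLEAN DEFAULT FALSE` without a NOT NULL constraint, while ManifestEntity in the same commit maps the column with `nullable = false` onto a primitive `boolean`; a NULL that reaches the column (an explicit insert, or a manual update that sets it to NULL) would fail when the entity is loaded, and the schema no longer states the invariant the mapping relies on. Change the statement to `ALTER TABLE manifestentity ADD COLUMN needs_reissuance BOOLEAN NOT NULL DEFAULT FALSE;`. The file also lacks a trailing newline.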