EJBCA 9.0 Release Notes
OCTOBER 2024
The EJBCA team is pleased to announce the release of EJBCA 9.
EJBCA 9 introduces a new technology stack as well as S/MIME CAA validation support. The release also includes other improvements and error corrections.
The EJBCA 9.0 release is exclusively available for software and container-based deployments. For available deployment options and associated versions, refer to Supported Versions.
Highlights
Upgraded Technology Stack
EJBCA 9 introduces support for running on an upgraded technology stack. As of version 9.0, the deployment prerequisites now include WildFly 32 or JBoss EAP 8 as the supported application servers, and Java 17 as the required runtime environment. While Java 17 is required for this release, Java 21 is planned for a future update in a later EJBCA 9 release.
Due to changes in recent WildFly versions and JBoss EAP 8, which are not backward compatible with WildFly 26 and JBoss 7.4, the upgrade from EJBCA 8 to EJBCA 9 requires a complete technology stack upgrade.
S/MIME CAA Validation Support
EJBCA 9 supports validating email addresses included in certificate subjects against DNS issuemail rules, in accordance with the S/MIME Baseline Requirements (S/MIME BR) and RFC 9495: Certification Authority Authorization (CAA) Processing for Email Addresses.
To enable a Certification Authority (CA) to validate S/MIME email addresses against DNS, the following prerequisites must be met:
“Email Protection” must be enabled in the certificate profile.
A Certification Authority Authorization (CAA) Validator with one or more issuers must be added to the CA.
When these conditions are met, the validator queries the configured DNS server(s) to verify whether the issuers are permitted to use the email domains specified in the Subject Alternative Name fields. For instance, for a certificate request with a subject alternative name like:
rfc822Name=john@example.com
the validator checks whether the configured issuer(s) are allowed to issue certificates for email addresses in the example.com domain by querying the configured DNS server(s).
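The following is an added illustration of the decision the validator makes, written for this page and not taken from EJBCA's source. It models the RFC 9495 issuemail rules on top of the RFC 8659 "relevant RRset" search: the domain part of the rfc822Name is looked up, the tree is climbed until a CAA RRset is found, a critical record with an unknown tag blocks issuance, an absent issuemail set permits issuance, an empty issuemail value (";") forbids every CA, and otherwise the configured issuer domain must be named. The zone data, the issuer names and the lookup stub are constructed for the example; a real deployment replaces lookup_caa with a resolver query.

```python
"""Worked CAA "issuemail" check (RFC 9495 over RFC 8659).

Added example, not EJBCA code. DNS is stubbed with a constructed zone so the
module runs offline; the issuer domains below are made up.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int  # bit 7 (0x80) is the "issuer critical" flag from RFC 8659
    tag: str    # property tag, e.g. "issue", "issuewild", "issuemail"
    value: str  # property value, e.g. "ca.example.net; account=123" or ";"


# Constructed zone data standing in for live DNS answers (names are fictional).
CONSTRUCTED_ZONE: dict[str, list[CAARecord]] = {
    "example.com": [CAARecord(0, "issuemail", "ca.example.net; account=123")],
    "mail.example.org": [CAARecord(0, "issuemail", ";")],        # no CA may issue
    "corp.example.net": [CAARecord(0, "issue", "tls-ca.example")],  # TLS-only rule
    "locked.example": [CAARecord(0x80, "futuretag", "x")],       # critical, unknown
}

# Tags a validator written today is expected to understand.
KNOWN_TAGS = {"issue", "issuewild", "iodef", "issuemail", "contactemail", "contactphone"}


def lookup_caa(name: str) -> list[CAARecord]:
    """Stub for the CAA query; a real validator asks the configured DNS here."""
    return CONSTRUCTED_ZONE.get(name.lower().strip("."), [])


def relevant_rrset(fqdn: str) -> list[CAARecord]:
    """RFC 8659 section 3: climb towards the root until a non-empty CAA RRset is found."""
    labels = fqdn.lower().strip(".").split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """Return the issuer-domain-name from a property value, dropping any parameters."""
    return value.split(";", 1)[0].strip().lower()


def smime_issuance_permitted(email: str, configured_issuers) -> tuple[bool, str]:
    """Decide whether a CA known by any name in configured_issuers may issue for email.

    Returns (permitted, reason) so the caller can log why a request was refused.
    """
    if email.count("@") != 1:
        return False, "malformed rfc822Name"
    domain = email.rsplit("@", 1)[1]
    rrset = relevant_rrset(domain)

    # A critical record with a tag we do not understand means: do not issue.
    for rec in rrset:
        if rec.flags & 0x80 and rec.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown CAA tag '{rec.tag}' on {domain}"

    # Only issuemail governs S/MIME issuance; issue/issuewild are ignored here.
    issuemail = [issuer_domain(r.value) for r in rrset if r.tag.lower() == "issuemail"]
    if not issuemail:
        return True, f"no issuemail records in relevant RRset for {domain}"

    issuers = {i.lower() for i in configured_issuers}
    for name in issuemail:
        if name and name in issuers:  # an empty name (";") never matches
            return True, f"issuemail permits {name}"
    return False, f"issuemail records for {domain} do not name this CA"


if __name__ == "__main__":
    for addr in ("john@example.com", "amy@sub.example.com", "x@mail.example.org",
                 "x@corp.example.net", "x@locked.example", "x@nothing.test"):
        print(addr, smime_issuance_permitted(addr, ["ca.example.net"]))
```

The corp.example.net case is the one worth noticing: a zone that only publishes an issue record does not constrain S/MIME issuance, because RFC 9495 makes issuemail the sole property for email addresses; if the operator wanted to restrict S/MIME CAs as well, they would add an issuemail record.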
Archive of EJBCA security issues
Keyfactor is strongly committed to responsible reporting and disclosure of security-related issues. As part of that commitment, we maintain a historical list of issues that have been fixed and submitted as CVEs (Common Vulnerabilities and Exposures), see Archive of EJBCA security issues.
Upgrade Information
Review the EJBCA 9.0 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.
Change Log: Resolved Issues
The following lists implemented features and fixed issues in EJBCA 9.0.
Issues Resolved in 9.0
Released October 2024
New Features
ECA-12286 Allow ACME dns-01 challenge with IPv6
ECA-12460 Add support for "issuemail" property tag in CAA Validator
ECA-12493 Add SDN support for Mark Certificates
ECA-12545 Implement check for close primes in RSA key validator
Improvements
ECA-10173 'mappedName' in annotations is not supported
ECA-11888 Ability to not read certificates on some P11NG crypto tokens (CloudHSM), use heuristic attribute buffer size when reading CKAs
ECA-12262 Replicated Database in CA
ECA-12365 Allow multiple EST templates to enroll using a Keyfactor Enroll CA
ECA-12395 "cryptotoken setpin" command should prompt twice for new password for confirmation
ECA-12401 Update cryptotoken libs
ECA-12408 Upgrade jee-api
ECA-12412 Specify version of the NGINX sidecar
ECA-12418 Use the CA certificate uploaded in EJBCA for Keyfactor Enrollment CA during EST getcacert
ECA-12436 Fix compilation error in Gradle (after Jakarta 10 upgrade)
ECA-12443 Upgrade xmlns to Jakarta EE version (xhtml pages)
ECA-12455 Convert view ee page to JSF
ECA-12470 Convert Edit EE page to JSF
ECA-12476 Reject issuance if using CAA with both serverAuth and emailProtection in profile
ECA-12483 Add support for S/MIME CAA lookups on ejbca-caa-cli
ECA-12484 Add support for port and protocol ejbca-caa-cli
ECA-12489 Migrate EST list of aliases page from JSF to primefaces
ECA-12490 Migrate My preferences page from JSF to primefaces
ECA-12500 Rewrite CAA Test to use the Test DNS Container
ECA-12524 MSAE LDAP connections should go through RA to outside world.
ECA-12550 Implement and document multiple TLS certificate support in NGINX sidecar
ECA-12559 Fix typo in javadoc in EndEntityCertificateAuthenticationModule
ECA-12587 VA Peer Publisher throws NPE if CertificateData.base64cert is null.
ECA-12589 L10n: Admin GUI language fix (ACME)
ECA-12590 L10n: RA GUI French update (based on 8.3.2)
ECA-12591 L10n: Admin GUI French update (based on 8.3.2) Fully translated
ECA-12592 Fix help text for removeadmin CLI command
ECA-12593 Fix code typos paramter to parameter
ECA-12594 Fix typo in findendentity cli help
ECA-12619 Upgrade Apache CXF to 4.0.5
ECA-12624 Improve RA GUI layout
ECA-12629 Upgrade dnsjava to 3.6.1
ECA-12631 Upgrade undertow-core to 2.3.16/17
ECA-12632 Upgrade xnio-* to 3.8.16
ECA-12647 Update CONTRIBUTING.md with test instructions
ECA-12648 Change doc link to new url
ECA-12672 L10n: French GUI fix (Peer Systems)
Bug Fixes
ECA-11540 "CMP Authentication Secret" field on Edit CA page gets auto-completed
ECA-12075 Add ACME Alias overwrites the old one if the same name is used
ECA-12288 Admin Web - Search End Entities - multi selection possible, but not working
ECA-12289 Admin Web - Search End Entities - Buttons are activated only after clicking on checkbox
ECA-12309 Admin Web - Certification Authority - Cannot download binary file of certificate request
ECA-12323 Invalid SQL for PostgreSQL when dropping index in UpgradeSessionBean
ECA-12359 Fix RSA-PSS on Windows in p11ng and update p11ng
ECA-12402 Bump Ingress max request body size
ECA-12422 External RA Cannot Query Peered CA Certificate Profiles
ECA-12425 Regression: KEC cache exception when clearing cache on Community
ECA-12428 Upgrade JDBC drivers used by EJBCA containers
ECA-12432 Output proper error message to CMP client when validation fails
ECA-12437 Importing a krb5.conf file for an MSAE alias erases all user input not stored
ECA-12438 CertificateRequest REST API fails after issuing certificate for invalid CA name
ECA-12440 SSH REST certificaterequest adds source_address only if critical_option is present
ECA-12459 Configdump - importing SSH CA does not allow CA healthcheck field to be specified
ECA-12461 Cannot create hybrid CA certificate with non-default CA certificate profiles
ECA-12463 UI Exception: javax.faces.Integer
ECA-12466 Certificate enrollment with the RA web inserts the e-mail into the RFC822name if checkbox is disabled
ECA-12468 REST API deployment issue with javassist lib
ECA-12469 A missing certificate lets EJBCA fail to startup if DEBUG / TRACE logging is enabled
ECA-12478 Get certificate profiles over peers in MSAE CESService
ECA-12487 Regression: Configdump - creating crypto token and soft keys
ECA-12488 Remove comma after CA name in Certification Authorities page
ECA-12492 Fix issues with addoauthprovider and oauthproviderkey CLI commands
ECA-12497 RA Web - Make Request - UI got deformed when too many SDN fields are used
ECA-12504 Table already exists warning with EJBCA 9
ECA-12508 Log reloaded properties on server log
ECA-12517 Regression: Download for CSR of newly created External CA fails with error 404
ECA-12518 Regression: p11ng-cli commands gives CRYPTOKI_NOT_INITIALIZED or CKR_DEVICE_ERROR
ECA-12519 clientToolBox does not work with Edwards curves
ECA-12549 Cannot delete oAuth configuration
ECA-12551 Resolve SLF4J logger warnings
ECA-12554 Database CLI is broken
ECA-12561 Cannot select ECC key in keyEncryptKey dropdown with p11ng crypto token
ECA-12580 Regression in username validation
ECA-12586 End entity list option is not sorted
ECA-12588 L10n: RA GUI English fix back \(regression\)
ECA-12596 RA Web - View EE displays link to certificates with adjacent username
ECA-12600 EST RA mode settings show up in client mode
ECA-12612 Incorrect CAA Validator message when issuance is prohibited
ECA-12622 Post-upgrade hangs when crldata_idx3 or crldata_idx4 exist
ECA-12626 EJBCA errors when deleting keys from a CloudHSM v5 HSM
ECA-12627 SnakeCaseConverter is not working in Swagger UI
ECA-12635 Incorrect version of slf4j in settings.gradle.kts
ECA-12638 CAA S/MIME validation is not applied to SAN In extension in request
ECA-12639 Environment variable expansion breaks ConfigDump import
ECA-12640 REST API /v1/certificate/pkcs10enroll fails with CA with name null does not exist
ECA-12644 Statedump is not working with Java 17
ECA-12651 Regression: RA Web - Inspect CSR - Unhandled error while uploading empty file
ECA-12660 Regression - Statedump fails with IllegalArgumentException when CryptoToken KeyPairInfo KeyUsage is null.
ECA-12662 EJBCA container test for Statedump is not working with Java 17
ECA-12667 Fix NPE at cryptotoken init
ECA-12670 Update cert-cvc to fix very rare padding issue with EC signatures
ECA-12673 Regression: Admin Web - Publishers - Edit Form gets deformed when many publishers available
ECA-12674 Ejbca-Db-Cli "verify" throws exception and "export" command has issues with ampersand character in database.url
ECA-12684 Port the Statedump Java 17 fix to the container