EJBCA 9.0 Release Notes

OCTOBER 2024

The EJBCA team is pleased to announce the release of EJBCA 9.

EJBCA 9 introduces a new technology stack as well as S/MIME CAA validation support. The release also includes other improvements as well as error corrections.

The EJBCA 9.0 release is exclusively available for software and container-based deployments. For available deployment options and associated versions, refer to Supported Versions.

Highlights

Upgraded Technology Stack

EJBCA 9 introduces support for running on an upgraded technology stack. As of version 9.0, the deployment prerequisites include WildFly 32 or JBoss EAP 8 as the supported application servers, and Java 17 as the required runtime environment. While Java 17 is required for this release, Java 21 support is planned for a later EJBCA 9 release.

Due to changes in recent WildFly versions and JBoss EAP 8, which are not backward compatible with WildFly 26 and JBoss 7.4, the upgrade from EJBCA 8 to EJBCA 9 requires a complete technology stack upgrade.

S/MIME CAA Validation Support

EJBCA 9 supports validating email addresses included in certificate subjects against DNS issuemail rules, in accordance with the S/MIME Baseline Requirements (S/MIME BR) and RFC 9495: Certification Authority Authorization (CAA) Processing for Email Addresses.

To enable a Certification Authority (CA) to validate against DNS for S/MIME, the following prerequisites must be met:

  • “Email Protection” must be enabled in the certificate profile.

  • A Certification Authority Authorization (CAA) Validator with one or more issuers must be added to the CA.

When these conditions are met, the validator queries the configured DNS(s) to verify whether the issuers are permitted to issue certificates for the email domains specified in the Subject Alternative Name fields. For instance, for a certificate request with a subject alternative name such as:

rfc822Name=john@example.com

the validator checks whether the configured issuer(s) are allowed to issue certificates for email addresses in the example.com domain by querying the configured DNS(s).
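An added example (not EJBCA code) of the RFC 9495 issuemail decision described above, evaluated against a constructed in-memory zone instead of live DNS. The zone contents, issuer names and function names are assumptions for illustration; CNAME handling and the CAA critical flag are left out.

```python
# Added illustration of RFC 9495 "issuemail" CAA processing; not EJBCA code.
# CONSTRUCTED_ZONE stands in for DNS so the example runs offline.
CONSTRUCTED_ZONE = {
    # name -> list of (flags, tag, value) CAA records (constructed sample data)
    "example.com": [(0, "issuemail", "ca.example.net; account=1234")],
    "example.org": [(0, "issue", "ca.example.net")],   # no issuemail property
    "example.net": [(0, "issuemail", ";")],            # forbids all S/MIME issuance
}

def relevant_rrset(domain, zone):
    """RFC 8659 section 3: climb towards the root until a CAA RRset is found."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []

def issuer_of(value):
    """The issuer domain name is the part before the first ';' (parameters follow)."""
    return value.split(";", 1)[0].strip().lower()

def smime_issuance_permitted(san, issuer, zone=CONSTRUCTED_ZONE):
    """Decide whether `issuer` may issue for an 'rfc822Name=<address>' SAN entry."""
    kind, _, address = san.partition("=")
    if kind.strip().lower() != "rfc822name" or "@" not in address:
        raise ValueError("expected rfc822Name=<local>@<domain>")
    domain = address.rsplit("@", 1)[1]
    issuemail = [value for _, tag, value in relevant_rrset(domain, zone)
                 if tag.lower() == "issuemail"]
    if not issuemail:
        return True   # no issuemail property: S/MIME issuance is not restricted
    return any(issuer_of(value) == issuer.lower() for value in issuemail)
```

Note that an RRset holding only `issue` records still ends the tree climb but places no restriction on S/MIME issuance, while `issuemail ";"` denies every issuer.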

Archive of EJBCA security issues

Keyfactor is strongly committed to responsible reporting and disclosure of security-related issues. As part of that commitment, we maintain a historical list of issues that have been fixed and submitted as CVEs (Common Vulnerabilities and Exposures), see Archive of EJBCA security issues.

Upgrade Information

Review the EJBCA 9.0 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

Change Log: Resolved Issues

The following lists implemented features and fixed issues in EJBCA 9.0.

Issues Resolved in 9.0

Released October 2024

New Features

ECA-12286 Allow ACME dns-01 challenge with IPv6

ECA-12460 Add support for "issuemail" property tag in CAA Validator

ECA-12493 Add SDN support for Mark Certificates

ECA-12545 Implement check for close primes in RSA key validator

Improvements

ECA-10173 'mappedName' in annotations is not supported

ECA-11888 Ability to not read certificates on some P11NG crypto tokens (CloudHSM), use heuristic attribute buffer size when reading CKAs

ECA-12262 Replicated Database in CA

ECA-12365 Allow multiple EST templates to enroll using a Keyfactor Enroll CA

ECA-12395 "cryptotoken setpin" command should prompt twice for new password for confirmation

ECA-12401 Update cryptotoken libs

ECA-12408 Upgrade jee-api

ECA-12412 Specify version of the NGINX sidecar

ECA-12418 Use the CA certificate uploaded in EJBCA for Keyfactor Enrollment CA during EST getcacert

ECA-12436 Fix compilation error in Gradle (after Jakarta 10 upgrade)

ECA-12443 Upgrade xmlns to Jakarta EE version (xhtml pages)

ECA-12455 Convert view ee page to JSF

ECA-12470 Convert Edit EE page to JSF

ECA-12476 Reject issuance if using CAA with both serverAuth and emailProtection in profile

ECA-12483 Add support for S/MIME CAA lookups on ejbca-caa-cli

ECA-12484 Add support for port and protocol ejbca-caa-cli

ECA-12489 Migrate EST list of aliases page from JSF to primefaces

ECA-12490 Migrate My preferences page from JSF to primefaces

ECA-12500 Rewrite CAA Test to use the Test DNS Container

ECA-12524 MSAE LDAP connections should go through RA to outside world.

ECA-12550 Implement and document multiple TLS certificate support in NGINX sidecar

ECA-12559 Fix typo in javadoc in EndEntityCertificateAuthenticationModule

ECA-12587 VA Peer Publisher throws NPE if CertificateData.base64cert is null.

ECA-12589 L10n: Admin GUI language fix (ACME)

ECA-12590 L10n: RA GUI French update (based on 8.3.2)

ECA-12591 L10n: Admin GUI French update (based on 8.3.2) Fully translated

ECA-12592 Fix help text for removeadmin CLI command

ECA-12593 Fix code typos paramter to parameter

ECA-12594 Fix typo in findendentity cli help

ECA-12619 Upgrade Apache CXF to 4.0.5

ECA-12624 Improve RA GUI layout

ECA-12629 Upgrade dnsjava to 3.6.1

ECA-12631 Upgrade undertow-core to 2.3.16/17

ECA-12632 Upgrade xnio-* to 3.8.16

ECA-12647 Update CONTRIBUTING.md with test instructions

ECA-12648 Change doc link to new url

ECA-12672 L10n: French GUI fix (Peer Systems)

Bug Fixes

ECA-11540 "CMP Authentication Secret" field on Edit CA page gets auto-completed

ECA-12075 Add ACME Alias overwrites the old one if the same name is used

ECA-12288 Admin Web - Search End Entities - multi selection possible, but not working

ECA-12289 Admin Web - Search End Entities - Buttons are activated only after clicking on checkbox

ECA-12309 Admin Web - Certification Authority - Cannot download binary file of certificate request

ECA-12323 Invalid SQL for PostgreSQL when dropping index in UpgradeSessionBean

ECA-12359 Fix RSA-PSS on Windows in p11ng and update p11ng

ECA-12402 Bump Ingress max request body size

ECA-12422 External RA Cannot Query Peered CA Certificate Profiles

ECA-12425 Regression: KEC cache exception when clearing cache on Community

ECA-12428 Upgrade JDBC drivers used by EJBCA containers

ECA-12432 Output proper error message to CMP client when validation fails

ECA-12437 Importing a krb5.conf file for an MSAE alias erases all user input not stored

ECA-12438 CertificateRequest REST API fails after issuing certificate for invalid CA name

ECA-12440 SSH REST certificaterequest adds source_address only if critical_option is present

ECA-12459 Configdump - importing SSH CA does not allow CA healthcheck field to be specified

ECA-12461 Cannot create hybrid CA certificate with non-default CA certificate profiles

ECA-12463 UI Exception: javax.faces.Integer

ECA-12466 Certificate enrollment with the RA web inserts the e-mail into the RFC822name if checkbox is disabled

ECA-12468 REST API deployment issue with javassist lib

ECA-12469 A missing certificate lets EJBCA fail to startup if DEBUG / TRACE logging is enabled

ECA-12478 Get certificate profiles over peers in MSAE CESService

ECA-12487 Regression: Configdump - creating crypto token and soft keys

ECA-12488 Remove comma after CA name in Certification Authorities page

ECA-12492 Fix issues with addoauthprovider and oauthproviderkey CLI commands

ECA-12497 RA Web - Make Request - UI got deformed when too many SDN fields are used

ECA-12504 Table already exists warning with EJBCA 9

ECA-12508 Log reloaded properties on server log

ECA-12517 Regression: Download for CSR of newly created External CA fails with error 404

ECA-12518 Regression: p11ng-cli commands gives CRYPTOKI_NOT_INITIALIZED or CKR_DEVICE_ERROR

ECA-12519 clientToolBox does not work with edward curves

ECA-12549 Cannot delete oAuth configuration

ECA-12551 Resolve SLF4J logger warnings

ECA-12554 Database CLI is broken

ECA-12561 Cannot select ECC key in keyEncryptKey dropdown with p11ng crypto token

ECA-12580 Regression in username validation

ECA-12586 End entity list option is not sorted

ECA-12588 L10n: RA GUI English fix back (regression)

ECA-12596 RA Web - View EE displays link to certificates with adjacent username

ECA-12600 EST RA mode settings show up in client mode

ECA-12612 Incorrect CAA Validator message when issuance is prohibited

ECA-12622 Post-upgrade hangs when crldata_idx3 or crldata_idx4 exist

ECA-12626 EJBCA errors when deleting keys from a CloudHSM v5 HSM

ECA-12627 SnakeCaseConverter is not working in Swagger UI

ECA-12635 Incorrect version of slf4j in settings.gradle.kts

ECA-12638 CAA S/MIME validation is not applied to SAN In extension in request

ECA-12639 Environment variable expansion breaks ConfigDump import

ECA-12640 REST API /v1/certificate/pkcs10enroll fails with CA with name null does not exist

ECA-12644 Statedump is not working with Java 17

ECA-12651 Regression: RA Web - Inspect CSR - Unhandled error while uploading empty file

ECA-12660 Regression - Statedump fails with IllegalArgumentException when CryptoToken KeyPairInfo KeyUsage is null.

ECA-12662 EJBCA container test for- Statedump is not working with Java 17

ECA-12667 Fix NPE at cryptotoken init

ECA-12670 Update cert-cvc to fix very rare padding issue with EC signatures

ECA-12673 Regression: Admin Web - Publishers - Edit Form gets deformed when many publishers available

ECA-12674 Ejbca-Db-Cli "verify" throws exception and "export" command has issues with ampersand character in database.url

ECA-12684 Port the Statedump Java 17 fix to the container
