EJBCA 9.4 Release Notes

DECEMBER 2025

The EJBCA team is pleased to announce the release of EJBCA 9.4.

This version adds support for quantum-safe algorithms across additional HSM types, expands automation capabilities through enhanced ConfigDump functionality, and introduces ACME Renewal Information (ARI) along with several other enhancements.

EJBCA 9.4 also extends the availability of the SCP Publisher to all EJBCA deployment types and enables use of the SCEP protocol with HSMs operating in FIPS 140-3 mode across all deployment types.

These release notes cover new features and improvements implemented in EJBCA 9.4.0, EJBCA 9.4.1, and EJBCA 9.4.2 (EJBCA 9.4.0 and EJBCA 9.4.1 were internal releases, not generally available for customers). 

For available deployment types and associated versions, refer to Supported Versions.

Announcing EJBCA Licensing Mechanism in EJBCA 9.4

As of EJBCA 9.4, the EJBCA Container Set, EJBCA Software Appliance, and EJBCA Hardware Appliance (Next Generation) require a valid license file. Obtain a license file from Keyfactor by submitting a request through the Keyfactor Support Portal before upgrading to EJBCA 9.4.

For instructions on how to apply the license file in an EJBCA Container Set deployment, refer to the EJBCA Container Set documentation EJBCA License.

Highlights

Additional HSM Support for Quantum-Safe Algorithms

EJBCA 9.4 adds support for using ML-DSA with hardware-protected keys on Thales Luna 7, Utimaco u.trust Anchor, Entrust nShield Connect, and AWS Key Management Service (KMS). These expand on the existing support introduced in EJBCA 9.3 for Fortanix DSM, and Securosys Primus HSM and CloudHSM Service.

Additional HSM Support in the EJBCA Container Set

In EJBCA 9.4, the EJBCA Container Set provides integration with additional HSM types. For more information, see HSM Integration.

ConfigDump Improvements

ConfigDump functionality has been expanded to include additional object types, including Certificate Transparency and S3 Publisher settings. For more information, see ConfigDump Tool.

With these enhancements, the Statedump tool is now deprecated. Customers should transition to ConfigDump; see Deprecation of Statedump.

SCP Publisher Across EJBCA Deployment Types

The SCP Publisher now supports flexible use in any EJBCA deployment type.

SFTP is introduced as a secure alternative to SCP, providing improved compatibility and support for key-pair–based authentication through EJBCA Crypto Tokens. For configuration details, see SCP Publisher.

Support for ACME Renewal Information (ARI)

EJBCA 9.4 implements support for ACME Renewal Information (ARI) as defined in RFC 9773. The ARI extension enables certificate authorities (CAs) using the ACME protocol to define a set time in the future for a planned revocation or replacement of a subscriber certificate, allowing clients to poll the CA and renew their certificates within the defined timeframe. For more information, see ACME.
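The client side of the polling described above, as an added example that is not EJBCA code: it builds the RFC 9773 certificate identifier used in the renewalInfo URL and in the order's `replaces` field, parses a renewalInfo response, and applies the RFC's recommended window-selection steps. Function names, the sample identifier inputs, and the sample response are assumptions constructed for illustration.

```python
import base64
import json
import random
from datetime import datetime, timedelta, timezone

# Sample values for the example, not taken from any EJBCA deployment.
SAMPLE_AKI = bytes.fromhex("69885b6b87464041e1b37b847ba0ae2cde01c8d4")
SAMPLE_SERIAL = 0x87654321
SAMPLE_RESPONSE = """{
  "suggestedWindow": {"start": "2025-01-02T04:00:00Z",
                      "end": "2025-01-03T04:00:00Z"},
  "explanationURL": "https://ca.example/docs/ari"
}"""


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """certID = b64url(AKI keyIdentifier) + "." + b64url(DER serial content)."""
    if serial < 0:
        raise ValueError("certificate serial numbers are non-negative")
    # DER INTEGER content bytes: big-endian, with a leading 0x00 when the
    # top bit would otherwise be set (the tag and length are not included).
    serial_der = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    return b64url(aki_key_identifier) + "." + b64url(serial_der)


def parse_rfc3339(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_renewal_info(body: str):
    """Return (start, end, explanation_url); reject an empty or inverted window."""
    doc = json.loads(body)
    window = doc["suggestedWindow"]
    start, end = parse_rfc3339(window["start"]), parse_rfc3339(window["end"])
    if end <= start:
        raise ValueError("suggestedWindow end must be after start")
    return start, end, doc.get("explanationURL")


def plan_renewal(start, end, now, next_wake, can_schedule_exactly=False, rng=None):
    """Recommended client steps: pick a uniform random time in the window, then
    decide whether to renew now, renew at that time, or re-check ARI later."""
    rng = rng or random.Random()
    span = (end - start).total_seconds()
    selected = start + timedelta(seconds=rng.uniform(0, span))
    if selected <= now:
        return ("renew_now", now)          # window (or our pick) already passed
    if can_schedule_exactly:
        return ("renew_at", selected)
    if selected < next_wake:
        return ("renew_now", now)          # we would sleep through our pick
    return ("recheck_ari", next_wake)      # poll renewalInfo again at next wake


if __name__ == "__main__":
    start, end, url = parse_renewal_info(SAMPLE_RESPONSE)
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    print(ari_cert_id(SAMPLE_AKI, SAMPLE_SERIAL))
    print(plan_renewal(start, end, now, now + timedelta(hours=12)))
```

A periodic client should also honor the `Retry-After` header returned with the renewalInfo response when choosing how soon to poll again.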

Dynamic OAuth Hostname Support

EJBCA’s OAuth implementation now supports defining a set of valid hostnames. This enables redirects and authentication across multiple hostnames. For more information, see OAuth Providers.

Java 21 Recommended Runtime Environment

The recommended Java runtime environment for EJBCA 9.4 is Java 21. Customers using Java 17 are advised to plan for upgrading to Java 21. For more information on software requirements, see Installation Prerequisites.

Support for WildFly 38

EJBCA 9.4 introduces support for WildFly 38. For more information on software requirements, see Installation Prerequisites.

User Interface Improvements

EJBCA 9.4 introduces improvements to several administration pages to enhance layout, navigation, and consistency across the interface.

Overview Pages Improvements

Main overview pages have been updated to make managing resources easier and more consistent.

  • Easier creation workflow: Adding a new certificate authority, profile, or crypto token is now more straightforward. All required settings are configured on a dedicated page, and the resource is created only after you click Save. This replaces the previous behavior, where some resources were created and then required a separate Edit step.

  • Edit names directly: Resource names can now be modified directly on the Edit page. The separate Rename action is no longer needed.

  • Separate pages for delete and clone: The Delete and Clone actions now occur on dedicated pages, providing a clearer and safer workflow.

CA Management and OCSP Responders Settings

Settings on the OCSP Responders and CA Management pages are now organized under separate tabs for improved structure. Certain settings, including Enable ICAO Name Change and OCSP Response Cleanup, have also been moved from System Configuration to their respective configuration tabs.

FIPS mode HSM Improvements

EJBCA 9.4 includes the SCEP implementation feature introduced in EJBCA 9.3.4, allowing the use of a separate key pair for encryption and/or decryption of SCEP payloads. This enhancement supports use of the SCEP protocol with certificate authorities (CAs) that have CA signing keys stored on Hardware Security Modules (HSMs) operating in FIPS 140-3 mode.

Announcements

Deprecation of SunPKCS11 Crypto Token

As of EJBCA 9.4, the SunPKCS11 Crypto Token type is deprecated and will be removed in a future release. While the SunPKCS11 Crypto Token type is still supported, it is strongly recommended to migrate to the newer P11NG Crypto Token type. Certain functionality, such as use of quantum-safe algorithms, is only available through use of a P11NG Crypto Token.

For more information about migrating from SunPKCS11 to P11NG, see Soft Migration from SunPKCS11 to P11NG Crypto Token.

Security Issue

A security issue affecting self-renewal through the Registration Authority (RA) User Interface was resolved in EJBCA 9.3.4. The same correction is included in EJBCA 9.4.

The issue does not affect Certificate Authorities (CAs) that have not issued any client certificates or systems where the RA UI is not accessible. Keyfactor rates the issue as having a severity level of low.

Once EJBCA 9.4 has been generally available across all deployment types for at least two weeks, a CVE with the identifier CVE-2025-62819 will be published.

Vulnerability Management Statement

As part of every product release, Keyfactor identifies and evaluates vulnerabilities reported for third-party components included in the EJBCA Container Set. This process ensures that dependencies used within the EJBCA environment are continuously monitored and appropriately mitigated before release. For details, refer to the EJBCA Vulnerability Management Statement in the EJBCA Container Set documentation.

Configuration File Changes

The following properties have been moved from the static configuration under the conf directory into the database, where they can now be modified either through the EJBCA user interface or via the ConfigDump tool.

All migrated properties are automatically copied from the configuration files during upgrade and can be removed from their respective configuration files afterward.

From ocsp.properties

The following properties have been migrated to the database configuration in this release.

  • ocsp.includecertchain

  • ocsp.includesignercert

  • ocsp.reqsigncertrevcachetime

  • ocsp.signingCertsValidTime

These properties are now available in the OCSP Responders overview page in the EJBCA user interface.

In addition, the following properties:

  • ocsp.nonexistingisgood

  • ocsp.nonexistingisrevoked

  • ocsp.nonexistingisunauthorized

have been merged into a single configuration value and also migrated into the database configuration. This behavioral change is documented in more detail below.

OCSP Configuration for non-existing certificates has been unified into a single value

Prior to version 9.4, configuring how EJBCA responds to an OCSP request for a non-existing certificate was suboptimal: it involved selecting one of three options (or the equivalent configuration value in ocsp.properties for global CA behavior) to determine whether the default response would be GOOD, REVOKED, UNAUTHORIZED, or UNKNOWN.

As of version 9.4, this configuration has been streamlined into a single drop-down value, available both for individual responders and for global CA behavior. The unified configuration is also fully represented in ConfigDump. For configuration details, see OCSP Responders.

Permission Changes in EJBCA REST API

The permission model for the EJBCA REST API /v1/endentity and /v1/endentity/edit has been updated. Previously, when an administrator wanted to use an End Entity Profile, they needed access to all CAs associated with that profile. Starting with this release, the user only needs authorization for the CA specified in the REST API request. This allows End Entity Profiles to include multiple CAs while maintaining access restrictions.

This change applies only to the two endpoints above. All other REST API endpoints (for example, End Entity Search, Revoke and Certificate) and the RA Web interface continue to use the previous permission model, where access to all CAs in an End Entity Profile is required. For more information about the EJBCA REST API, see EJBCA REST Interface.

Deprecation of Statedump

As of EJBCA 9.4, the Statedump tool is deprecated and will be removed in a future release.

Users are advised to use the ConfigDump tool for configuration management tasks. ConfigDump provides enhanced functionality while producing human-readable YAML output that can be easily inspected and modified before import. For more information, see ConfigDump Tool.

Bouncy Castle 1.82 Upgrade

Bouncy Castle has been upgraded to version 1.82. For information about the latest Bouncy Castle releases, refer to the Bouncy Castle Release Notes.

Upgrade Information

Review the EJBCA 9.4 Upgrade Notes for important information about the release.

Note that EJBCA 9.4.X no longer supports direct upgrades from versions earlier than 7.X. For details on upgrading the EJBCA Software Stack, refer to Upgrade EJBCA Software Stack.

For general information about upgrading EJBCA, see Upgrading EJBCA.

Change Log: Resolved Issues

The following lists implemented features and fixed issues in EJBCA 9.4.0, EJBCA 9.4.1, and EJBCA 9.4.2.

Issues Resolved in 9.4.2

Released December 2025

Bug Fixes

ECA-14267 CA mode with separate keys fails when Allow Client Certificate Renewal enabled

ECA-14292 ConfigDump returns error for SCEPCONFIG

ECA-14294 Use separate keys for SCEP decryption doesn't render keys on p11ng tokens

ECA-14296 SCEP add/edit alias fail on first page load when p11ng crypto token exists

ECA-14297 Wrong error message when no CA is selected in SCEP alias

Issues Resolved in 9.4.1

Released December 2025

New Features

ECA-14158 Should be able to use separate encryption/decryption keys when in CA mode too

Improvements

ECA-13419 Update Helm README and Chart.yaml files

Bug Fixes

ECA-12494 Intune enrolment is failing for renewals

ECA-14162 ConfigDump doesn't translate name/Id for access rules

ECA-14164 Internal SCEPENCRYPTOR and SCEPSIGNER certificate profiles are exposed in some endpoints

ECA-14166 Regression: Certificate Profile Import is failing

ECA-14191 Editing MSAE alias breaks CEP policy after cache renewal

ECA-14199 CaCertificateCache doesn't load signing certificate validity time properly

ECA-14213 SCEP enrollment with separate signing keys over peers (with denied access to unknown CAs) is denied

ECA-14230 RaMasterApi breakage

ECA-14237 Approval management not backwards compatible from 9.4.X

ECA-14241 RA node does not have import button to import CA

Issues Resolved in 9.4.0

Released December 2025

New Features

ECA-12415 ML-DSA and LMS with Utimaco and P11NG

ECA-12614 ML-DSA with Thales TCT and P11NG

ECA-12616 ML-DSA with Thales Luna and P11NG

ECA-12836 ConfigDump support for S3 publisher

ECA-12851 Add ConfigDump support for global CT settings

ECA-12960 Enable EJBCA Containers to support TLS connection to Postgres Db

ECA-13066 Automate Git hook setup

ECA-13068 Configure Git hooks

ECA-13071 Ability to create Hybrid CAs with ca init CLI

ECA-13164 Allow CT logs to be imported through ConfigDump

ECA-13336 p11ng-cli: Add gencsr command

ECA-13348 QA: Create a testing container for use of testing/developing the SCP publisher

ECA-13362 Implement SFTP as an alternative transfer method to SCP

ECA-13385 Extend ACME order object with 'replaces'

ECA-13386 UI configuration for ACME ARI "Retry-after"

ECA-13443 ACME ARI - configurable suggestion policy

ECA-13444 ACME ARI - Explanation URL

ECA-13592 ML-DSA with AWS KMS

ECA-13607 Create ProtocolData Entity/ORM

ECA-13608 Create ProtocolSession CRUD Bean

ECA-13633 AWS KMS status fix

ECA-13663 Support Thales DPoD in the EJBCA container set

ECA-13664 Support Utimaco u.trust Anchor in the EJBCA container set

ECA-13700 Enable CAA validation for Mark certificates

ECA-13738 Spike: figure out how to validate licenses and log on admin side

ECA-13756 ConfigDump Global CA Configuration

ECA-13757 ConfigDump Global End Entity Profile Configuration

ECA-13758 ConfigDump Global CT-log Configuration

ECA-13759 ConfigDump Global OCSP Configuration

ECA-13760 ConfigDump Global System Configuration

ECA-13770 Test ML-DSA with Entrust nShield 5c and P11NG

ECA-13844 Create an allow list for OAuth hostnames

ECA-13854 Construct OAuth redirect URL dynamically

ECA-13867 ConfigDump GlobalCesecoreConfiguration

Improvements

ECA-12474 Allow Custom EKU Human Readable Name in ConfigDump

ECA-12553 Add general EAB import/export to ConfigDump

ECA-12683 Enable Remote Internal Key Binding Updater to initial issuance to remote OCSP keybindings

ECA-12758 Use service-manifest-builder in Gradle

ECA-12929 Align CAA with RFC 8659

ECA-13046 Migrate EJBCA pipelines from Jenkins X to GitLab CI

ECA-13067 Refactor existing checks into standalone scripts

ECA-13069 Document the Git hook solution

ECA-13115 Normalize Certificate Authorities Page

ECA-13116 Normalize Certificate Profiles Page

ECA-13117 Normalize Publishers Page

ECA-13118 Normalize End Entity Profiles Page

ECA-13120 Normalize Crypto Tokens Page

ECA-13175 Normalize Services Page

ECA-13176 Add a Configuration tab to OCSP responders page

ECA-13210 Replace unneeded getters in GlobalConfiguration with static values

ECA-13217 Move global CT settings into their own Global Config

ECA-13234 Make the auto-generated end entity enrollment code configurable with the end entity profile for MSAE

ECA-13256 Document how to use Workload Identities with Azure SQL

ECA-13326 Increase test coverage for SignSessionBean

ECA-13347 Allow SCP Publisher to function independently of a local known_hosts

ECA-13349 Allow SCP Publisher to use crypto token keys instead of file system keys

ECA-13368 Improve Admin UI message for alternative signature algorithm

ECA-13374 Remove upgrade code for upgrading from > EJBCA 6.1.0.1 or earlier

ECA-13378 Cleanup: Remove all references to legacy EndEntityManagementSession.addUser

ECA-13437 Move global CA configuration to GlobalCaConfiguration

ECA-13458 Move ocsp.includecertchain and ocsp.includesignercert into System Configuration

ECA-13469 Replace RoleCache with the new Repository

ECA-13475 Remove upgrade code for upgrading to EJBCA 6.2.4

ECA-13479 Cleanup: Replace deprecated references to ExpectedException.none()

ECA-13484 Remove upgrade code for upgrading to EJBCA 6.3.2

ECA-13507 Cleanup: Remove startup warning from AddEndEntityMBean

ECA-13509 Cleanup: P12toPEM is mainly scrap code

ECA-13520 Remove upgrade code for upgrading to EJBCA 6.4.2

ECA-13523 Remove orphaned classes

ECA-13528 Cleanup: Close streams in BasicCertificateExtensionUnitTest

ECA-13529 Update commons-collections to 4.5.0

ECA-13530 Cleanup: Close streams in ECAUtils

ECA-13532 Convert ocsp.nonexistingis* into a single value

ECA-13541 Allow Cryptotoken public key to be exported in SSH key format for SCP Publisher v2

ECA-13556 Apply a common look and feel to normalized pages

ECA-13566 Cleanup: close streams in X509CACrlUnitTest

ECA-13567 Clean warnings in SerObjectMerger and SerObjectAnalyzer

ECA-13577 Remove upgrade code for upgrading to EJBCA 6.5.1

ECA-13584 Remove upgrade code for upgrading to EJBCA 6.6.1

ECA-13586 Improve documentation in regards to zero downtime and upgrades

ECA-13602 Enable dynamic UI element rendering for SCP Publisher fields

ECA-13606 Support CMP client mode with vendor certificate using p10cr commands

ECA-13619 Cleanup: Change deprecated references to org.apache.commons.lang3.StringEscapeUtils.escapeXml(String)

ECA-13626 Remove upgrade code for upgrading to EJBCA 6.8.0

ECA-13630 Cleanup: get rid of deprecated methods in EjbcaWebBean

ECA-13640 Cosmetic changes to the new UI style

ECA-13689 MSAE request fails if there is a processor active on the associated CA

ECA-13692 Build ejbca-caa-cli with Gradle

ECA-13725 Improve Home Page

ECA-13744 EJBCA 9.4.0 Alpha 1: Adding DOM IDs to heal legacy/MONT Appliance Test Automation Pipelines

ECA-13746 Normalize CA Activation Page

ECA-13749 Improve Crypto Token page

ECA-13751 Upgrade all references to commons-lang to commons-lang3.

ECA-13752 Update to BC 1.82

ECA-13765 Certificate profile UI defaults, remove CRLIssuer and forbid ECC encryption key usage

ECA-13766 Add pagination to Admin Web home page tables

ECA-13771 Forbid ECC encryption key usage should apply to all sign-only algorithms including PQC

ECA-13774 Document limitation of “Use explicit ECC parameters” causing ECDSA key generation failures via enrollkeystore REST API

ECA-13780 Apply different style for disabled buttons

ECA-13784 Normalize CA Structure & CRLs Page

ECA-13792 Cleanup: update references to AESEngine and CCMBlockCipher

ECA-13811 Rename RA Name generation prefix/postfix to drop RA

ECA-13816 Cleanup: remove references to end entity profile printing settings

ECA-13822 Clarify Hardware Module Name labeling and details in RA Web

ECA-13834 ConfigDump exports CA and Crypto token as id instead of name for SCPPublisher

ECA-13842 Cleanup: Update references to org.bouncycastle.asn1.crmf.CertReqMsg.getPopo()

ECA-13845 Use Helm chart to provide license file

ECA-13846 Modify ant and/or gradle build script to build releasable zip release and CE without license validation logic

ECA-13848 Remove (soon to be) deprecated references to FileTools.createTempDirectory

ECA-13851 Trigger license validation logic StartupSingletonSessionBean during startup for early validation

ECA-13852 Finalize the license validation logic

ECA-13863 Create a Configuration tab under the Manage CA's page and use it to store global CA settings

ECA-13884 Improve error output in ConfigdumpSessionBean.performExport(AuthenticationToken, ConfigdumpSetting)

ECA-13887 Improve Post Upgrade label text

ECA-13889 Documentation for Module Protected slots in nCipher is missing an environment variable

ECA-13890 Remove upgrade code for upgrade to 6.10.1

ECA-13895 UI Cleanup: Change all references of "Certification Authorit[y|ies]" to "Certificate Authority"

ECA-13896 Migrate ocsp.reqsigncertrevcachetime into system configuration

ECA-13908 Remove upgrade code for upgrade to 6.11

ECA-13912 Reorganize OCSP Global Configurations page

ECA-13932 Remove upgrade code for upgrade to 6.12

ECA-13937 Remove upgrade code for upgrade to 6.14 and 6.15

ECA-13942 Update myfaces-api to 4.1.1

ECA-13943 Cleanup: remove warnings in CachedDatabaseUnitTest

ECA-13945 Move "Enable OCSP Responses Cleanup" from System Configuration to OCSP Configuration page

ECA-13951 Cleanup: Remove warnings from CmpRaThrowAwaySystemTest

ECA-13953 Update to BC 1.82 - Composite Epic Branch

ECA-13957 Migrate ocsp.signingCertsValidTime from ocsp.properties into GlobalOcspConfiguration and GlobalCaConfiguration

ECA-13962 Cleanup: Remove references to ocsp.signtrustvalidtime and ocsp.keys.cardPassword

ECA-13963 Replace popup with error message for empty crypto token name

ECA-13966 Change input validation for session timeout

ECA-14008 Combine and place ACME ARI controls in the ACME alias

ECA-14009 Make the 'Enable Renewal Info Endpoint' switch effective

ECA-14020 Remove contact email from license messages

ECA-14026 Add the replaces attribute to the ACME newOrder resource response.

ECA-14051 Relocate the license implementation

ECA-14058 Upgrade HSM container version in Helm chart for luna and nshield to 0.5.0

ECA-14061 Fix ConfigDump import command system test

ECA-14093 Documentation of ACME ARI

ECA-14109 Upgrade the EJBCA container to use WildFly 38

Bug Fixes

ECA-6886 Security Issue

ECA-8805 ConfigExport of CertCrlService Doesn't Allow "None" Signing CA

ECA-12132 RA Web doesn't identify URI in SubjectAlt Name from the CSR

ECA-12324 Admin Web - Create EST alias - Misleading error message

ECA-12363 Admin Web - Services - No error message while cloning object using the same name

ECA-12535 Admin Web - ACME protocol page - Target Unreachable, identifier 'resourceBean' resolved to null

ECA-12724 Admin Web - Add End Entity - Unhandled rollback exception when SubjectDN char limit is exceeded

ECA-12869 Admin Web - Custom Certificate Extensions - system allows for duplications

ECA-12875 Admin Web - Custom Certificate Extensions - OID change is not blocked for incorrect values

ECA-13104 PKI Metal Validator - Button for uploading certificate is disabled

ECA-13124 Inappropriate Value in RA UI

ECA-13225 OCSP Responder Key Pair Alias list isn't refreshed when Crypto Token is changed if name is empty

ECA-13228 Fix NumberFormatException in EndEntityProfileSessionBean.getAuthorizedEndEntityProfileIdsWithMissingCAs

ECA-13354 EXTERNAL_ACCOUNT_BINDING_ID duplicated in openapi.json

ECA-13365 Fix the case sensitivity problem in the User Data native query

ECA-13423 AD publisher does not remove the user object or the certificate

ECA-13478 Secrets are not imported by ConfigDump

ECA-13485 Admin Web - Whitespace is not trimmed in EEP name, causing loss of access to add end entity page

ECA-13488 Add missing Gradle dependency

ECA-13495 Hibernate errors when using Microsoft SQL Server with EJBCA 9.2+ / WildFly 35

ECA-13524 ACME EAB fails if an EAB with asymmetric keys is configured first.

ECA-13549 EJBCA container not restarting when startup fails

ECA-13559 Publish Queue Process Service doesn't ConfigDump properly

ECA-13561 Validators sets field incorrectly on ConfigDump import

ECA-13563 Throwing exceptions in @PostConstruct-annotated method leads to warn output on startup

ECA-13571 Fix Normalized CA page in HA

ECA-13576 Ed25519 on nShield stopped working after HSM FW update

ECA-13579 Peer systems synchronization checkbox "Ignore newer entries at peer" has inverted text label

ECA-13588 End Entity Profile edit/view page does not work with HA(possibly)

ECA-13590 CMP page has an extra cell in UI

ECA-13618 All bugs related to the new Publisher layout/flow

ECA-13629 Regression: Can't edit end entity profile if some CA ID have gone missing

ECA-13634 Fix the View/Edit CA functions in Gradle builds

ECA-13680 Post upgrade is required on fresh EJBCA installation

ECA-13684 EJBCA is not starting with JDK21 since 2025/07/02

ECA-13685 EJBCA CE is not building after merging recent repository changes (failing since 2025/07/01)

ECA-13710 SQL Scripts - certificatedata_idx_san index not created in the postgresql database

ECA-13711 [CE] Admin Web - Cloning publisher process is broken

ECA-13745 [ConfigDump] Exported default RSA validator throws error on import

ECA-13762 Services attempt to run many times if canWorkerRun throws an exception

ECA-13764 Edit End Entity is broken again

ECA-13777 Admin Web - Manage Crypto Tokens - NPE because "flashInfo" is null

ECA-13803 In CRLUpdateWorker InvalidKeyException should be ignored just as an offline token

ECA-13804 REST API Documentation issue

ECA-13806 SCEP getcrl cannot override default content encryption algorithm

ECA-13821 S3 Publisher doesn't handle "." in the bucket name

ECA-13841 [HA] Admin Web - Cannot open Crypto Token Edit form due to existing bugs

ECA-13843 ConfigDump - secrets being exported incorrectly

ECA-13871 OCSP Keybindings with errors not reported in health check due to being ignored on signing cache reload

ECA-13894 Remove double resource definitions from the Helm chart

ECA-13901 Add SHA512withRSAandMGF1 to OCSP Responder Algorithms

ECA-13925 Fix NullPointer in Msae templates list

ECA-13969 Fix ConfigDump test fail caused by Allow OAuth host name feature

ECA-13971 Lack of input validation when configdumping EKUs

ECA-13973 Publicweb search cgi does not list CAs CRL when the chain begins with a non-root CA

ECA-13979 Investigate and fix container automation test failures

ECA-13994 Always execute the CodeQualityUnitTest

ECA-14018 RA authentication password field not properly displayed when "Authenticate through Microsoft Intune" is enabled

ECA-14023 CAA DNSSEC validation fails for some multi-label domains

ECA-14067 RA Web does not allow proper end entity creation with clear text password

ECA-14083 Suggested Renewal Time Window Start/End does not normalize correctly if only hours are mentioned, normalization fails.

ECA-14100 Add a null guard to org.ejbca.configdump.objects.ConfigdumpCertificateProfile.validateEKUs(List<String>)
