Skip to main content
Skip table of contents

EJBCA 6.3 Release Notes

The PrimeKey EJBCA team is pleased to announce the feature release EJBCA 6.3.

The following covers information on new features and improvements in the 6.3.x releases:

Read the EJBCA 6.3 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 6.3.0

EJBCA 6.3.0 introduces a powerful new feature for Enterprise and Appliance users: the EJBCA Peer System protocol. The purpose is to allow secure communication over TLS between peered installations of EJBCA, doing away with the need of direct database publishing in order to propagate certificates and certificate information. This means that direct and synchronous communication is now possible between a Certificate Authorities and their associated Verification Authorities, also enabling verification of synchronization status and health.

EJBCA Peer System represents a step forward in how setup up complex multi-system installations, and we have great hopes for what we will be able to make possible in EJBCA in the future.

Noteworthy changes

  • Introduction of the EJBCA Peer System protocol.
  • Fully localized in French, thanks to David Carella of Linagora.

A selection of known issues

  • External RA GUI cannot handle SubCA certificates with critical CDP ECA-2138
  • One test failure on DB2: ECA-3298
  • ant install is known to fail on Windows machines running JDK >= 7.21 ECA-3602
  • Wrong CA key used when decrypting SCEP requests ECA-3807
  • Importing an externally produced certificate with empty DN fields fails ECA-4018
  • CA Certificates using brainpool curves can't be imported from the ClI. GUI works though. ECA-4022

EJBCA 6.3.1

This maintenance release contains 17 new features, bug fixes and improvements, in addition to all fixes made in 6.2.8 and 6.2.9.

New Features

  • Now possible to create CAs and issue End Entity certificates through the Web Service API.
  • SCEP Client Certificate Renewal.
  • Web Service API calls for monitoring certificate expiration.
  • Single Active Certificate Constraint has been added to Certificate Profiles, allowing for automatic revocation of old certificates, as new ones are issued.


  • All Audit Log messages have been properly JavaDoc:ed.

A selection of known issues

  • External RA GUI cannot handle SubCA certificates with critical CDP: ECA-2138
  • One test failure on DB2:
  • Regression: Healtcheck is not enabled for new CAs by default: ECA-3999
  • CA Certificates using brainpool curves can't be imported from the ClI. GUI works though: ECA-4022
  • End entity profiles can't be deleted in high volume databases: ECA-4158
  • JDK patches for RSAWithMGF1 is not working on newer java: ECA-4175

EJBCA 6.3.2

This maintenance release contains 23 new features, bug fixes and improvements, in addition to all fixes made in 6.2.10. Below is a selection of the most noteworthy.

Upgrading to this version will require a post-upgrade step.

New Features

  • CA certificate rollover via SCEP has been implemented in accordance to draft-nourse-scep-23


  • VA Publisher and External RA have become Enterprise features
  • Build times have been improved

A selection of known issues

  • One test failure on DB2: ECA-3298
  • CA Certificates using brainpool curves can't be imported from the ClI. GUI works though: ECA-4022
  • End entity profiles can't be deleted in high volume databases: ECA-4158
  • Some ECDSA key specifier missing in drop down menu for crypto tokens: ECA-4251
  • No HTTP Header 'Content-Type' in the Renew public web page: ECA-2844


This patch release primarily fixes the issue of certain elliptic curves having different human readable names in the JDK vs BouncyCastle.


This patch release primarily fixes the issue of the DirectoryName component of subjectAltName not being included in certificates.


This patch release primarily fixes bugs and adds missing functionality with respect to Client Certificate Renewal via SCEP.


This patch release fixes two bugs

  • An issue in SCEP Client Certificate Renewal in regards to renewing a certificate with the same issuing date as its issuing certificate
  • A change to the enforcement of Single Active Certificate Constraints, where certificates where revoked by subjectdn+issuer instead of by username


This patch release fixes one bug and introduces a new feature

  • A small bug where soft crypto tokens generated during CA creation had auto-activate set during cache reload, even if that property had been set false.
  • Custom order of DN in issued certificates can now be defined in Certificate Profiles

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 6.3.0-, refer to our JIRA Issue Tracker.

Issues Resolved in 6.3.0

Released on 14 January 2015

Bug Fixes

[ECA-2478] - UnrevokeEndEntity unrevokes cert but not user
[ECA-3528] - GUI: Some messages not localized in Admin Web
[ECA-3590] - Cache the slot list
[ECA-3598] - Fix handling of invalid ZIP contents when importing certificate profiles
[ECA-3599] - Fix handling of invalid ZIP contents when importing end entity profiles
[ECA-3609] - Name constraints properties are duplicated in CLI editca command
[ECA-3631] - database valid connection sql for VA publisher is taken from instead of
[ECA-3634] - OCSP does not audit and transaction log UNAUTHORIZED messages
[ECA-3656] - Forbidden characters can be allowed
[ECA-3719] - GUI: Publisher page usability
[ECA-3745] - Some language have not the standard language code
[ECA-3797] - Statedump incorrectly tries to export full BasePublisher object
[ECA-3804] - (altname) is ipaddress by default, and no dnsName matching CN
[ECA-3813] - GUIDGeneratorTest fails intermittently
[ECA-3841] - JAR file used by CT should be rebuilt for JDK6
[ECA-3849] - Admin must be authorized to all CAs to import keybinding certificate
[ECA-3855] - Loading saved CMP configuration referencing a deleted EEP results in NPE
[ECA-3892] - GUI: A lot of event messages not set in "View Log"
[ECA-3908] - Allow OcspKeyRenewalTest to run predictably on system with existing AuthenticationKeyBindings
[ECA-3949] - Status parameter in "keybind create" command shouldn't be case sensitive
[ECA-3960] - CaPKCS11SessionTest fails and never recovers if test is aborted
[ECA-3968] - Sort and count peer connectors correctly in statedump
[ECA-3993] - ejbca-db-cli does not work due to PeerConnector
[ECA-4003] - "CRL Updater" service doesn't update the CRL
[ECA-4012] - Reject IP addresses in dNSName name constraints
[ECA-4032] - Regression: Key Recoverable not set in EE when activated and required in profile

[ECA-2272] - Refactoring some DN attributes and Alternative names naming
[ECA-2340] - GUI: Audit Log usability
[ECA-2576] - New key sizes available in certificate profiles
[ECA-3043] - Document SameRequestRateLimiter better
[ECA-3256] - Split the va-war module into its logical parts
[ECA-3412] - Rework VA/OCSP documentation
[ECA-3414] - Clean up Exception handling in SignSessionBean
[ECA-3601] - Enterprise feature
[ECA-3654] - Enterprise feature
[ECA-3674] - Allow certificate validity before current date using end entity ExtendedInformation
[ECA-3720] - GUI: Certificate Profile page usability
[ECA-3726] - Make CertSafe implement CustomPublisherUiSupport
[ECA-3746] - GUI: Displaying the language name in configuration sections
[ECA-3753] - Add OpenSC PKCS#11 to default crypto token library path
[ECA-3769] - CryptoToken usage should also include internal key bindings
[ECA-3773] - Add NIST PIV Card Authentication extended key usage
[ECA-3809] - Improve the message for signed SubCAs regarding the need of *.pem or *chain.pem
[ECA-3824] - CertSafePublisher should use a dropdown pane for setting authentication keybindings
[ECA-3854] - Optimize Language tool
[ECA-3869] - Sort key aliases by name in InternalKeyBinding edit view
[ECA-3874] - RSA 4096 keys pre-selected in Crypto Token form
[ECA-3891] - GUI: Firefox CRLs direct import removed
[ECA-3930] - CryptoTokenManager: Add a column for auto-activation status.
[ECA-3955] - Add some missing OCSP system tests
[ECA-4051] - Correct documentation of CLI command when updating a CMP alias

Master Ticket
[ECA-3144] - Improved sub system integration (EJBCA Peer Systems)
[ECA-3652] - Create PeerMessage datatype, ORM and CRUD beans
[ECA-3653] - Create basic JSF pages for Peer mgmt
[ECA-3659] - Connect GUI with CRUD
[ECA-3671] - Add auth checks to CRUD bean
[ECA-3694] - Milestone: Make PingMessage work from a PeerConnector created in the GUI
[ECA-3699] - Outgoing TLS configuration as part AuthenticationKeyBinding
[ECA-3700] - Rename peerconnector-common to *-ejb and move common classes under ear/lib/..jar
[ECA-3702] - Basic publishing to peer system
[ECA-3704] - Framework for making custom publisher configuration nicer
[ECA-3710] - Do parallel publishing when the same thing is published to multiple targets
[ECA-3711] - Changes to publishing API for efficient publishing of full CertificateData (and Base64CertData)
[ECA-3712] - Efficient resynchronization of data between CA and Peer VA
[ECA-3715] - Requested capabilities should be saved when creating peer connector
[ECA-3722] - Create CLI support for PeerConnector
[ECA-3742] - Publish the same updateTime that is used in the CA's database
[ECA-3751] - Manual renewal of OcspKeyBinding at peer
[ECA-3752] - Behavioral configuration for PeerConnectors
[ECA-3756] - Make InternalKeyBinding access rules configurable
[ECA-3757] - Minor PeerConnector refactoring and documentation
[ECA-3759] - Service for automatic renewal of remote key bindings
[ECA-3762] - Documentation: Create a security model for PeerConnectors
[ECA-3770] - PeerConnector GUI improvements
[ECA-3775] - Forbid start and return error when background task with same id exist
[ECA-3777] - ListPeersCommand improvements
[ECA-3778] - Drop concept of capabilities and use regular access rules framework
[ECA-3781] - Improve peer message format
[ECA-3782] - Stop connection pool and prevent start when peer connector is disabled or URL changes
[ECA-3784] - More fine grained access rules for peer connectors
[ECA-3785] - Disable plain http connections for peers
[ECA-3786] - Shorten peer connector Servlet URL
[ECA-3787] - Option for synchronization dry run
[ECA-3803] - Peer connector system tests
[ECA-3805] - Propagation of peer connection errors to UI
[ECA-3806] - CLI for generic peer connection settings
[ECA-3810] - Minor PeerConnector GUI improvements
[ECA-3811] - Lookup authentication token at pool startup
[ECA-3825] - Allow one AuthenticationKeyBinding to be used per Peer Connector
[ECA-3833] - JEE5 support for enterprise edition only SSBs
[ECA-3839] - Use one connection pool per outgoing id instead of URL
[ECA-3840] - Cache PeerOutgoingInformation objects
[ECA-3846] - More fine grained errors than UnknownMessageTypeResponse without information leakage
[ECA-3850] - Use separate GlobalConfiguration for peer connections
[ECA-3867] - Correct peer module license headers
[ECA-3876] - Statedump support for peer connectors and configuration
[ECA-3881] - Improve error message when peer responds with an unknown or broken message
[ECA-3882] - PeerConnector: Ugly errors when using illegal characters in URL
[ECA-3898] - Adjust logging of handled failures during peer publishing
[ECA-3899] - Show mismatched access rules for incoming peer authorization instead of fixing it
[ECA-3923] - Handle additional server side certificate end entity alias from PeerConnectionsTest
[ECA-3928] - Rename Remote Systems menu item to "Peer System"

New Features
[ECA-3705] - Create a plugin interface for rules
[ECA-3800] - get the certificate of an ocsp keybinding
[ECA-3885] - New signature algorithm SHA512withECDSA

[ECA-3962] - EJBCA Enterprise features

Issues Resolved in 6.3.1

Released on 26 March 2015

Bug Fixes

ECA-4044] - Ignore EJBCA test certificates from been published using the Peer connector
[ECA-4048] - Peer System: Failure to connect when list of trusted certs is empty
[ECA-4068] - Add PeerData to drop tables SQL script
[ECA-4073] - typo in exception 'Failed to write audit log...'

[ECA-3146] - Allow an renewal of an external CA certificate by import
[ECA-3951] - Add a column to InternalKeyBindingPage/CLI to warn for inactive certificate
[ECA-4033] - Do not include administrators registered via certificate serial numbers in statedump
[ECA-4092] - Create module for separate enterprise and community specific implementation
[ECA-4093] - Lower log-level of CmsCAService "KEYSTORE is null..." message
[ECA-4117] - CMPProxy not updated to work with different cmpalias

New Features
[ECA-3581] - Single Active Certificate Constraint
[ECA-3754] - CLI: Create a table utility
[ECA-4062] - WS API support to create a new CA and Superadmin certificate
[ECA-4063] - WS APIs for monitoring certificate expiration
[ECA-4064] - SCEP support for Client Certificate Renewal
[ECA-4159] - Show what version documentation applies to at all times

[ECA-4145] - Document all audit log messages

Issues Resolved in

Released on 1 June 2015

Bug Fixes

ECA-4208] - OcspKeyBindings are not listed as available default responders
[ECA-4209] - Regression: Ad hoc upgrade of OCSP might be broken by the CachingCryptoToken

[ECA-4038] - Have EJBCA DB CLI fail nicely when built in Community Edition
[ECA-4245] - GUI: CA creation page usability
[ECA-4260] - Add flowchart of SCEP enrollment/renewal to admin docs

[ECA-4119] - Enterprise feature
[ECA-4120] - Enterprise feature
[ECA-4196] - Replace EJBCA logotypes in documentation
[ECA-4227] - Update EJBCA logo and favicon

Issues Resolved in 6.3.2

Released on 29 May 2015

Bug Fixes

[ECA-4198] - Regression: ScepServlet can't compile in CE
[ECA-4202] - Random failure in CMP stress test
[ECA-4236] - Peer connection are unable to verify server certificates with critical server auth EKU
[ECA-4258] - Table PeerData creation is missing from create-tables-ejbca-*.sql
[ECA-4259] - Scep Certificate Renewal is configurable in RA Mode

[ECA-4038] - Have EJBCA DB CLI fail nicely when built in Community Edition
[ECA-4186] - WS - Use the "isRunningEnterprise()" method in EjbcaWSTest
[ECA-4201] - SCEP test improvements
[ECA-4206] - Add documentation about new WS CLI commands
[ECA-4211] - Use ISO8601 date format for CA expiration in initialization log
[ECA-4245] - GUI: CA creation page usability
[ECA-4255] - Update EJBCA architecture diagrams
[ECA-4260] - Add flowchart of SCEP enrollment/renewal to admin docs
[ECA-4263] - Move static class load from CryptoTokenFactory singleton to init
[ECA-4265] - Small improvements of SCEP config JSF
[ECA-4268] - Improve build time
[ECA-4269] - Update CMP Proxy README

New Features
[ECA-4168] - SCEP support for CA certificate rollover
[ECA-4178] - Admin GUI translated in Czech language
[ECA-4199] - Add Enterprise/Community identifier to
[ECA-4205] - Add new WS CA Admin commands to the WS CLI

[ECA-4119] - Enterprise feature
[ECA-4120] - Enterprise feature

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.