
EJBCA Upgrade Notes

Below are important changes and requirements when upgrading from EJBCA 7.9 to EJBCA (EJBCA 7.10.0 was an internal release, not generally available for customers). 

For upgrade instructions and information on upgrade paths, see Upgrading EJBCA. For details of the new features and improvements in this release, see the EJBCA Release Notes.

Post Upgrade

When you upgrade to EJBCA, you must perform a post-upgrade. The post-upgrade is required for ACME pre-authorization: if it is not performed, order creation fails for pre-authorized identifiers and the ACME client must request a new authorization. ACME pre-authorizations expire after 24 hours. To avoid these cases, disable the ACME protocol (under EJBCA System Configuration > Protocol Configuration > ACME) before the upgrade and re-enable it after the post-upgrade is complete.

To perform the post-upgrade, click the EJBCA System Upgrade menu option, and then click Start post-upgrade. For more information, see Upgrading EJBCA.

Behavioral Changes

Produce Pre-signed OCSP Responses Only for non-expired Certificates

The OCSP Response Pre-Signer worker now generates responses only for non-expired certificates, and updates expired responses for those certificates. Expired certificates continue to receive OCSP responses generated online. For more information, see OCSP Response Pre-Signer.

ConfigDump Import Improvements

The EJBCA ConfigDump tool will now only import or update role members if the token being used is important to the role being updated. A token is considered important for a role if the access rights granted to the token by the role are not duplicated in some other role that has the same token as a member. For more information, see ConfigDump Tool.
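
The importance rule above, modelled as an added example (this is not EJBCA's or ConfigDump's own code). It assumes rights count as "duplicated" when another role containing the same token grants a superset of the role's access rules; the role names and token identifiers are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    """Simplified role: a name, the access rules it grants, its member tokens."""
    name: str
    rules: frozenset    # access rule paths granted by the role
    members: frozenset  # identifiers of tokens that are members


def is_important(token, role, all_roles):
    """True if `role` grants `token` rights that no other role containing
    the same token already covers (assumption: covers = superset of rules)."""
    if token not in role.members:
        return False  # the role grants this token nothing
    for other in all_roles:
        if other.name == role.name or token not in other.members:
            continue
        if role.rules <= other.rules:
            return False  # every right is duplicated by `other`
    return True


def roles_updated_on_import(token, all_roles):
    """Names of roles whose members an import run with `token` would
    import or update under this model."""
    return [r.name for r in all_roles if is_important(token, r, all_roles)]


CREATE = "/ca_functionality/create_certificate"
USERNAME = "/ca_functionality/use_username"
APPROVAL = "/ca_functionality/use_approval_request_id"

# Constructed sample data: role names and token identifiers are hypothetical.
ROLES = [
    Role("RA Operators", frozenset({CREATE, USERNAME}),
         frozenset({"ra-admin-cert", "ops-cert"})),
    Role("RA Supervisors", frozenset({CREATE, USERNAME, APPROVAL}),
         frozenset({"ra-admin-cert"})),
    Role("Approvers", frozenset({APPROVAL}), frozenset({"ops-cert"})),
]

if __name__ == "__main__":
    for tok in ("ra-admin-cert", "ops-cert"):
        print(tok, "->", roles_updated_on_import(tok, ROLES))
```

In this sample, `ra-admin-cert` is not important to RA Operators because RA Supervisors already grants it the same rules, so only RA Supervisors would have its members updated.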

More Fine-grained Access Rules for RA GUI

The access rules /ca_functionality/use_username and /ca_functionality/use_approval_request_id have been added and correspond to the pages with the same name in the EJBCA RA UI. These access rules are added automatically to all roles with /ca_functionality/create_certificate access. For more information, see Access Rules and RA Administrator Access Rules.

New Extension Added by Default During MS Auto-enrollment

To address a recent vulnerability discovered for Microsoft Certificate-Based Authentication, EJBCA now supports the new extension szOID_NTDS_CA_SECURITY_EXT, which maps the certificate to an Active Directory user/computer object. The extension is allowed by default for all certificate profiles and is included in certificates enrolled via EJBCA's Microsoft Auto-enrollment integration. Enrollment via other endpoints and protocols is not affected. For more information, see Microsoft ObjectSid Security Extension in Certificate Profile Fields.


Script-based Auto-enrollment

The legacy script-based auto-enrollment (relevant before Microsoft Auto-enrollment was integrated into EJBCA proper) has been removed. For more information on auto-enrollment in EJBCA, see Microsoft Auto-enrollment Overview.

Validation CLI Tool

The legacy Validation CLI has not been supported for several years and is being sunset in this release, to be removed in the next major/feature release. 
