EJBCA 7.9.0 Release Notes
APRIL 2022
The EJBCA team is pleased to announce the release of EJBCA 7.9.0.
This release introduces support in EJBCA for acting as Enrollment Authority in C-ITS PKI, enabling vehicle manufacturers to take part in evolving C-ITS ecosystems. The release also includes enhancements to Intune integration and RA Web.
Included in this release are also the changes made in EJBCA 7.8.2, which was only released internally.
Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.
Highlights
Log4j Upgrade
As stated before, EJBCA was never vulnerable to CVE-2021-44228 or the subsequent findings, because EJBCA handles logging through JBoss EAP/WildFly and only uses the Log4j API as a facade. Log4j version 1 has been included in the source mainly as a building block; it is not used in the main deployment and is only ever directly referenced from the CLI, but its presence will still trip automatic vulnerability scanners. As we understand that many of our customers need to comply with auditors and other regulatory authorities, we have decided to accelerate the planned upgrade of Log4j to the latest release in order to dissolve any questions about EJBCA being vulnerable.
Use of Microsoft Graph API in EJBCA Intune Integrations
Previous versions of EJBCA used the Azure AD Graph API for Intune integrations. Microsoft has announced that Azure AD Graph API will be deprecated as of June 2022 and that Intune integrations need to use Microsoft Graph API instead. EJBCA 7.9.0 uses Microsoft Graph API for Intune integrations, making it an important upgrade for EJBCA customers using Intune.
Support for acting as Enrollment Authority in C-ITS PKI
Cooperative Intelligent Transport Systems (C-ITS) is an ecosystem facilitating communication between vehicles and between vehicles and infrastructure, jointly known as vehicle-to-everything (V2X). EJBCA 7.9.0 introduces functionality allowing EJBCA to act as an Enrollment Authority (EA) in a C-ITS PKI, registering ITS entities and issuing enrollment credentials. While not including every component of the C-ITS PKI, this release marks our first effort toward supporting the C-ITS PKI lifecycle with EJBCA. For more information, see C-ITS ECA Overview.
Announcements
Public Web Deprecated
Since the launch of EJBCA, the Public Web has been used for common operations such as enrollment, CRL and CA certificate download, etc. EJBCA 6.6 introduced the new RA Web along with a new RA architecture, enabling more efficient RA workflows that also overlapped many functionalities of the Public Web. Throughout recent releases, including this one, we have added features to the RA Web so that all RA operations can be managed from one location. These RA Web enhancements have made the Public Web increasingly redundant, and the Public Web is therefore deprecated as of EJBCA 7.9.
The Public Web is still available in EJBCA 7.9.0 but will no longer be supported as of the next major version of EJBCA. We recommend migrating your workflows to the RA Web in preparation for the future removal of the Public Web. Certain use cases might not be fully replaceable by the RA Web yet, but we will be putting the last pieces together to support them in upcoming releases. Endpoints for CA/CRL distribution located under the Public Web URL will remain available.
CMP over TCP no longer Supported
Use of CMP over TCP has been discouraged in our documentation since EJBCA 6.5. The plan was to end support for CMP over TCP in the next major version, but due to incompatibilities with the Log4J upgrade we have accelerated the schedule. As of EJBCA 7.9.0, CMP over TCP is no longer supported by EJBCA or by the legacy CMP Proxy. Support for CMP over HTTP is unaffected.
SaferDailyRollingFileAppender no longer Supported
The SaferDailyRollingFileAppender (enabled by setting ocsp.log-safer=true in the ocsp.properties configuration file) has been deprecated and removed due to incompatibilities with the Log4J upgrade. Enabling the setting caused a transaction rollback if the server logs could not be written to; it was a corner case for certain VAs with legal requirements to log all OCSP traffic. This setting is no longer supported by EJBCA.
Upgrade Information
Review the EJBCA 7.9.0 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.
EJBCA 7.9.0 is included in EJBCA Hardware Appliance 3.9.5 and EJBCA Cloud 2.10.0 and can be deployed as EJBCA Software Appliance.
Change Log: Resolved Issues
For full details of fixed bugs and implemented features in EJBCA 7.9.0, refer to our JIRA Issue Tracker.
Issues Resolved in 7.9.0
Released April 2022
New Features
ECA-7321 - RA Web should accept CSR in DER format
ECA-9834 - ACME configuration alias max. length of 250 characters
ECA-10261 - Add support for RFU bits in cert-cvc
ECA-10263 - Add support for RFU bits in EJBCA
ECA-10467 - Define new CA type for ITS CAs
ECA-10468 - ITS CA Type in the UI
ECA-10470 - REST Resource for ITS Certificate Request
ECA-10529 - ITS end entity request and response creation and verification
ECA-10554 - Allow CMPv2 enrollment in RA mode using vendor certificate
ECA-10592 - Authorization validation for ETSI certificates and integration to REST
ECA-10593 - End Entity management over REST for C-ITS ETSI
ECA-10612 - Import CITS CA and other UI changes for CITS
ECA-10613 - Subject attributes validation during registration, EC enroll and authorization validation
ECA-10614 - Download or rest endpoint for CITS certificates
ECA-10625 - Future Dated CRLs from the CLI
ECA-10627 - Allow WS requests using Request Processors sent through editUser as well
Improvements
ECA-7381 - Sunset Public Web
ECA-7588 - Remove CADataHandler
ECA-7765 - Allow public user to finalize enrollment in RA Web
ECA-8476 - Only show logout button in CA web when "Session timeout" is enabled
ECA-9256 - Allow an OCSP Responder to sign for other CAs
ECA-9566 - The Option "Send notification" is Not Available in RA Web
ECA-9799 - Search for Certificates at RA Web doesn't reflect Expired status in the main table list
ECA-10296 - Update EJBCA libs for Swagger to work on Wildfly > 22.0.0
ECA-10345 - Put PIN last in the GUI when creating crypto token
ECA-10413 - Allow EEP Subject DN values to be enforced
ECA-10414 - Add E-mail checkbox "Use email from address field" to RA-web
ECA-10416 - Increase CSR Size Limit
ECA-10418 - Name constraint support for make new request in RA web
ECA-10421 - Add checkbox to RA Web when creating end entity to activate key recovery
ECA-10452 - Trim external log lib
ECA-10454 - Improve dn merge procedure for end entities
ECA-10456 - Add end entity with clear text password in the RA web
ECA-10459 - Code cleanup: modules/oldlogexport
ECA-10460 - Code cleanup: modules/externalra-gui
ECA-10469 - Define MVP TBSCertificate fields for ITS CAs
ECA-10473 - Complete the rest endpoint implementation for CITS
ECA-10474 - Increase length of ACME EAB with symmetric keys generated key
ECA-10476 - Introduce ITS Certificate Profile
ECA-10488 - Upgrade ITS epic branch with BC 1.7.1 b03
ECA-10489 - Create enrollment endpoint for the ITS REST API
ECA-10494 - Not able to reconnect to P11NG Crypto Token after HSM network disconnect
ECA-10501 - Remove support for CMP over TCP
ECA-10504 - Get rid of appender code in UpgradeBean to Log4J2
ECA-10512 - Upgrade EJBCA Intune Integration to Use Microsoft Graph API
ECA-10530 - Update standalone scripts with log4j compatibility flag
ECA-10538 - SHAxWithRSAAndMGF1 / SHAxWithRSASSA-PSS not working with Azure Key Vault or AWS KMS Crypto tokens
ECA-10539 - Update slf4j
ECA-10543 - Update PublicAccessToken to not require delete end entities access rule
ECA-10548 - Add CrmfRequestTest into Jenkins
ECA-10555 - OEREncoding for InnerECRequest/Response
ECA-10558 - REST endpoint for ITS-S Registration
ECA-10576 - System test for ITS REST endpoint
ECA-10584 - Update ejbca.cmd with log4j changes
ECA-10585 - Deprecate and remove legacy batch enrollment GUI
ECA-10610 - Hardening
ECA-10615 - Upgrade BC to 1.71, pull in main branch changes
ECA-10619 - Upgrade commons-cli to 1.5
ECA-10628 - Allow the encryptpwd CLI command to run without appserver active
ECA-10633 - Upgrade jack11nji
ECA-10642 - Refactor ITS enrollment operation to be performed by CA implementation
ECA-10647 - Improve EJBCA's behavior when looking up invalid DNS records for CAA
Bug Fixes
ECA-9950 - Batchenrollment gives BCFKS error
ECA-10219 - New role members cannot manage existing approval requests
ECA-10228 - Invalid ocsp certificate prevents wildfly startup
ECA-10279 - CVC is not working in RA web
ECA-10388 - Peer connections using RSA Authentication Key binding with P11NG, Azure and AWS crypto tokens stopped working after JDK update
ECA-10424 - Logging Location of API Requests
ECA-10426 - Configurable DN order in LDAP Publisher
ECA-10436 - Regression: Error editing Key Vault crypto Token
ECA-10437 - CA Functions CRL download link fails to download CRL when CA SubjectDN contains ampersand
ECA-10457 - REST configdump export can fail even if ignore errors is enabled
ECA-10463 - ConfigDump Export/Import EEPs with multiple DNs/SANs
ECA-10471 - Regression - ejbca-db-cli not working after upgrading to 7.8.0.1
ECA-10484 - Regression: P11NG and CloudHSM using Healthcheck sometimes causes HSM to go offline with CKR_OPERATION_ACTIVE
ECA-10485 - CMP Certificate Confirmation - Default CA
ECA-10490 - Cannot re-activate suspended cert with "Safe Direct Publishing"
ECA-10491 - X.509 CA sequence is compared with keysequence from cert request in a wrong way
ECA-10497 - Regression: OCSP signing cache is always reloaded for requests with unknown CAs
ECA-10507 - Regression: P11NG signing misses NULL parameter in PKCS#1 algorithm parameters for RSA SHA algorithms
ECA-10532 - Fix ACME issuance of certificates with non-validated domains
ECA-10533 - EJBCA RA - Navigation dead-ends
ECA-10534 - Enrollment fails with GetCACert enabled in SCEP CA mode
ECA-10535 - AWSS3Publisher causes OCSP Peer Publishing to fail
ECA-10549 - Disable "Use queue ..." options when "Safe Direct Publishing" enabled
ECA-10550 - Regression: Potential NPE causes test failures when Trace logging is enabled
ECA-10557 - Jenkins CMP test failure
ECA-10569 - Create tests for cmp update command in cli
ECA-10571 - Make "Unspecified" revocation reason in OCSP responses configurable
ECA-10572 - URI Name Constraints should not allow/require protocol to be specified
ECA-10577 - Key algorithm of uploaded CSR field shows wrong value
ECA-10579 - Clean up access rules requirements for using a CSR on the Make New Request page
ECA-10583 - Name constraint error produces stacktrace and unintuitive error message in RA UI
ECA-10591 - Startup database error due to deprecated property UserData.hardTokenIssuerId
ECA-10601 - Failures in PostgreSQL running create-index sql script, comment out drop index statements
ECA-10603 - ejbca-db-cli Broken
ECA-10620 - Request and EE CA mismatch still cause EE status change
ECA-10621 - Minor security issue
ECA-10622 - Changing an EE status over RA web leads to unwanted disabling of Batch generation (clear text pwd storage) checkbox
ECA-10626 - Support 'Any' cryptoProvider in MSAE templates
ECA-10634 - Fix IOException in db-cli
ECA-10635 - Update AzureBlobPublisher to use new Azure auth
ECA-10637 - Azure Key Vault only lists the first 25 key aliases
ECA-10638 - EJBCA restricts OCSP nonce to 30 octets instead of 32 as stated in RFC8954
ECA-10644 - The publisher queue inspection window should display the time with a 24-hour clock
ECA-10662 - Intune Resource URL not honored in new SCEP code
Issues Resolved in 7.8.2
EJBCA 7.8.2 was an internal release, not generally available to customers.
Released February 2022
Improvements
ECA-10479 - Library upgrade
ECA-10494 - Not able to reconnect to P11NG Crypto Token after HSM network disconnect
ECA-10501 - Remove support for CMP over TCP
ECA-10504 - Get rid of appender code in UpgradeBean to Log4J2
ECA-10509 - Remove SaferDaily, SigningDaily and ScriptrunningDailyRollingFileAppender
ECA-10510 - Upgrade Appender in TestLogAppenderResource to Log4J2
ECA-10530 - Update standalone scripts with log4j compatibility flag
ECA-10531 - Resolve test failures after log4j upgrade
Bug Fixes
ECA-10484 - Regression: P11NG and CloudHSM using Healthcheck sometimes causes HSM to go offline with CKR_OPERATION_ACTIVE
ECA-10507 - Regression: P11NG signing misses NULL parameter in PKCS#1 algorithm parameters for RSA SHA algorithms
ECA-10532 - Fix ACME issuance of certificates with non-validated domains