Skip to main content
Skip table of contents

EJBCA 8.3 Release Notes

MAY 2024

The EJBCA team is pleased to announce the release of EJBCA 8.3. With this release, the EJBCA Container Set is introduced for customer EJBCA deployment on Kubernetes using the Helm charts also part of the release. The release also brings support for hybrid certificates and MS Auto-enrollment improvements among other things.

For available deployment options and associated versions, refer to Supported Versions.

Highlights

EJBCA Container Set

EJBCA introduces the EJBCA Container Set, enabling customers to deploy EJBCA on Kubernetes using Helm charts included in this release. The EJBCA Container Set provides separate container variants for Certificate Authority (CA), Registration Authority (RA), and Validation Authority (VA). Customer deployments are designed to utilize a setup where RA(s) and VA(s) are distinct EJBCA instances from the CA(s), connected via the Peers protocol.

For Hardware Security Module (HSM) integration in a container-based deployment, the EJBCA Container Set includes sidecar containers tailored to each supported HSM type. Alternatively, an EJBCA container-based deployment may integrate with HSMs using REST API integrations, which do not require a sidecar container.

Hybrid Certificates

EJBCA 8.3 introduces support for hybrid certificates, enabling the use of multiple signing keys in a single hybrid CA. Certificates issued by this CA will have signatures and public keys of two different algorithms. Typically, the system is set up to use a quantum-safe algorithm as the alternative algorithm. This setup allows parts of the ecosystem to validate the certificate using both keys and algorithms, while other parts may ignore the non-critical extensions and alternative algorithm, treating the certificate as a traditional RSA/ECC X.509 certificate.

Note that the quantum-safe algorithms currently implemented in EJBCA are NIST draft algorithms and not for production use, see Hybrid CA.

Microsoft Auto-Enrollment Improvements

Microsoft Auto-enrollment support has been significantly improved. It is recommended to configure auto-enrollment aliases on the CA(s) rather than the RA(s) in distributed deployments, enhancing operations in multi-domain and multi-RA deployments. Additionally, ECDSA is now supported as an algorithm in Microsoft auto-enrollment. EJBCA 8.3 also introduces the "supply in the request" option for Subject Name. For more information, see Microsoft Auto-enrollment Overview.

EJBCA updated with top-level menu

EJBCA now has a top-level menu, relocated from the left side to align with other Keyfactor products. The menu structure remains the same, ensuring that existing users can find previous menu items under the corresponding top-level categories.

Documentation on docs.keyfactor.com

As of EJBCA 8.3, the EJBCA product documentation is available at docs.keyfactor.com.

EJBCA RA Web Translated to French

The EJBCA RA user interface is now available in French. A huge thank you goes out to David Carella from Linagora who made this possible.

Announcements

Upcoming Technology Stack upgrade in EJBCA 9

As a Java application running on an application server, EJBCA 8.3 runs on WildFly 24/26 or JBoss EAP 7.4 and supports running on Java 11 or Java 17. Due to changes in recent WildFly versions and JBoss EAP 8 that are not backward compatible with WildFly 26 and JBoss 7.4, the upgrade from EJBCA 8 to the upcoming new major version EJBCA 9 will require a complete tech stack upgrade. 

Overview of the EJBCA 8 and EJBCA 9 tech stacks

Overview of the EJBCA 8 and EJBCA 9 tech stacks.

EJBCA customers with software-based deployments are advised to plan for an upgrade to the EJBCA 9 tech stack once EJBCA 9 is released during the second half of 2024.

Security Issue

EJBCA 8.3 resolves a security issue affecting the CMP CLI client bundled with EJBCA. The issue does not affect EJBCAs server-side CMP implementation.

We rate the issue as having a severity level of medium. Once EJBCA 8.3 has been generally available across all platforms for at least two weeks, a CVE with the identifier CVE-2024-36066 will be published.

Removal of legacy OCSP key renewal mechanism

A legacy key renewal mechanism (using the SOAP API) has been removed, as it has been made redundant by automated key renewal over Peers for a few years. With this, properties matching ocsp.rekeying.* in ocsp.properties are no longer used and can be removed.

Deprecation of Certificate Profile and revocation status specific OCSP Response validities

Response validities (and Max-Age for the HTTP header) can be configured to be specially handled per certificate profile or if the status is revoked by setting them in ocsp.properties. This functionality has been redundant for the last few years by instead configuring the values in the OCSP Responder, and will be removed in the next release of EJBCA. The properties that will be removed are:

  • ocsp.999.untilNextUpdate
  • ocsp.999.revoked.untilNextUpdate
  • ocsp.999.maxAge
  • ocsp.999.revoked.maxAge

In addition, the following properties were unused and have been removed in this release:

  • ocsp.revoked.untilNextUpdate
  • ocsp.revoked.maxAge

Deprecation of DSTU and GOST algorithms

As of EJBCA 8.3, support for the DSTU and GOST algorithms is deprecated and will be removed in the next release.

Removal of DSA algorithm

Support for the DSA algorithm has been removed in EJBCA 8.3, following its deprecation in EJBCA 8.2. Users of this algorithm must migrate to other algorithms.

Note that if you have used ConfigDump in earlier versions to export Certificate Profiles with all key algorithms selected (per default behavior), you must remove DSA from the list before importing the profiles into EJBCA 8.3.

Removal of Configuration Checker

The experimental user interface tool Configuration Checker is removed in EJBCA 8.3, since support and development have been dropped.

Removal of ca.keystorepass property from cesecore.properties

The ca.keystorepass property, declared in cesecore.properties, and its associated functionality has been removed. The property enabled the setting of a default keystore password for soft crypto tokens, and only when created from the CLI. Besides being of questionable functionality, its use would at best be considered poor security practice and has thus been removed.

Upgrade Information

Review the EJBCA 8.3 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

Microsoft Auto-Enrollment via RA in EJBCA 8.3.1

Customers using Microsoft Auto-enrollment via the RA will face an issue in EJBCA 8.3.1, causing enrollment to fail. Affected customers are advised to upgrade to EJBCA 8.3.2, where this issue has been corrected.

Before upgrading to EJBCA 8.3.2, customers using EJBCA 8.3.1 and Microsoft Auto-enrollment via the RA can manually export the certificate profiles used by the MSAE aliases from the CA side using either the GUI or the EJBCA ConfigDump tool. Importing the profiles on the RA will then make the RA accept Microsoft Auto-enrollment requests successfully.

Change Log: Resolved Issues

The following lists implemented features and fixed issues in EJBCA 8.3.1 and EJBCA 8.3.0. (EJBCA 8.3.0 was an internal release, not available for customers). 

Issues Resolved in 8.3.1

Released May 2024

Bug Fixes

ECA-12422 - External RA Cannot Query Peered CA Certificate Profiles

ECA-12428 - Upgrade JDBC drivers used by EJBCA containers

Issues Resolved in 8.3.0

Released May 2024

New Features

ECA-10867 - Make the nextUpdateHours element configurable in the GetPolicesResponse

ECA-11319 - Add REST API endpoint for key recovery

ECA-11559 - Autoenrollment: Support "Supply in the request" enrollment

ECA-11623 - Recreate the menu as Primefaces and changing to a top-menu

ECA-11859 - Add support for being able to restrict keys/algorithms in the certificate profile for alternative signatures.

ECA-11931 - Add ConfigDump support for the hybrid settings for the CA

ECA-11932 - Add ConfigDump support for the hybrid settings for Certificate Profiles

ECA-1Z1997 - REST add ability to add end endtity with key recovery enabled

ECA-12024 - Allow enrollment of Hybrid CSRs through UI.

ECA-12091 - RA mode support for EST over CoAPs

ECA-12104 - Review only: P11NG Cli command to list keypairs in the same way as EJBCA does

ECA-12107 - Server Name Indicator support in Coap-proxy

ECA-12138 - Use SCEP alias name for defaultCA if CA is not specified in request

ECA-12206 - Support alternative signature in ExtendedInformation and in KeyStoreCreateSessionBean

ECA-12339 - SBOM for EJBCA Container Set

Improvements

ECA-10214 - Extend REST /v1/ca results to include external CAs

ECA-10671 - Allow setting OCSP settings in the UI and CLI that can only be set in the ocsp.properties when using pre-signed proofs

ECA-10949 - Move MSAE Config to the CA

ECA-11606 - Add ability to test encrypt/decrypt-only keys on a crypto token

ECA-11750 - Add CryptoToken Key Usage to ConfigDump

ECA-11798 - Improve handling of HSM connection timeouts

ECA-11889 - Load CKAs, such as public key value and key usage, more efficiently from PKCS11 HSMs when listing keys

ECA-11941 - Enable validity start and end dates in the past

ECA-11985 - Adapt to stricter SubjectDN checks in IETFUtils.rDNsFromString

ECA-11996 - Add API in Crypto Token and P11NG to read key usage

ECA-12008 - Cleanup: Fix warnings introduced from x509-common-util

ECA-12009 - Change AcmeReplayNonceFilter to ContainerResponseFilter

ECA-12010 - Update documentation related to LW CMP Profile

ECA-12015 - Add time limit of certificate archival during CRL generation

ECA-12016 - ejbca.sh importcacert should include full CA chain

ECA-12017 - Add republish button per item in Publisher Queue

ECA-12019 - Include "id-etsi-ext-valassured-ST-certs" extension in the Certificate Profile

ECA-12023 - Use CKA_KEY_TYPE for P11 key algorithm, by upgrading p11ng, and use publicKey to get correct algorithm for CMS

ECA-12031 - Remove support for DSA

ECA-12035 - Add a prohibition to create a non-hybrid CA under a hybrid root, and vice versa.

ECA-12036 - Updated readme and security policy, add Issue templates

ECA-12037 - Include ECDSA hashing mechanisms in the Legacy Java PKCS#11 providers disabledMechanisms

ECA-12042 - CoAP proxy updates to support Software Appliance multi-NIC capabilities

ECA-12053 - RA Web Edit End Entity pressing enter selects Revoke And Delete, reorder so that is not the default

ECA-12062 - Add wildcard unit tests to DomainBlacklistBaseDomainCheckerTest

ECA-12063 - Change the default value of httpsserver.tokentype property to P12

ECA-12070 - Add OAuth (optional) support for userinfo

ECA-12073 - Reduce overhead for listing keys with P11NG Crypto token

ECA-12076 - Cleanup: Remove OcspKeyRenewalSession

ECA-12087 - Update language files, from David Carella

ECA-12088 - Remove jndi.properties.glassfish and jndi.properties.jbosseap6

ECA-12090 - Modify CreateCsrCommand to not require an SDN

ECA-12094 - Change behavior of Pre-Certificate Revocation Service

ECA-12106 - L10n: Localize Message Use entity CN (for SAN/dNSName extension) in Admin UI

ECA-12108 - Improve GUI info when testing key pair

ECA-12115 - Add support for maxWorkerJobs in configdump of publish queue service

ECA-12117 - Create multi-stage Dockerfile

ECA-12134 - Correct MSAE SPN format help in Admin UI

ECA-12156 - Minor language updates for Peer systems

ECA-12163 - Allow EJBCA container to import JSON via configdump

ECA-12174 - Clean up code after implementation of issuance/revocation prompted ocsp response pre-production

ECA-12182 - Upgrade MailAttachment to not use > JDK17 classes

ECA-12213 - SCEP GetCACaps returns error in SCEP CA mode when no CA is passed in message

ECA-12225 - L10n: French GUI language fixes

ECA-12226 - L10n: RA GUI Missing keys and fixes (ICAO, OAuth, etc.)

ECA-12228 - Minor code cleanup

ECA-12230 - Refactor "Add End Entity" page

ECA-12241 - Introduce granular search criteria in REST API

ECA-12254 - Remove ConfigurationChecker

ECA-12257 - RA GUI Make New Request page improvements

ECA-12266 - Remove all localizations used in crypto tokens

ECA-12268 - Review only: Ability to issue Link Certificate using previous signature algorithm when changed

ECA-12271 - Remove Services related localizations

ECA-12293 - Review: admin-gui: Adding more id= attributes to the new menu

ECA-12301 - Upgrade Apache CXF to 4.0.4

ECA-12316 - Introduce 'begins with' search operation in REST API

ECA-12322 - MSAE Intermediate CAs with same DN causes issues with LDAPS

ECA-12325 - Allow ejbca.sh change slot PINs w/o providing the previous PIN

ECA-12330 - Drop ca.keystorepass and ca.cmskeystorepass

ECA-12337 - Update p11ng to support Ed448 on Utimaco

ECA-12364 - Upgrade EJBCA to BC 1.78

ECA-12367 - Admin and RA UI language improvements from David Carella

ECA-12382 - Show alternative signing algorithm when enrolling via CSR in RA GUI

ECA-12384 - Fix documentation error in step-by-step instruction for ra web make new request with CSR

ECA-12387 - Warning removal: Add missing serialVersionUID

ECA-12388 - Warning cleanup: Update references to org.junit.rules.Timeout

ECA-12389 - Warning cleanup: Update references to org.junit.Assert.assertThat

ECA-12397 - Add list/table of deprecated and dropped features to the documentation

ECA-12400 - Upgrade to Nimbus-Jose to 9.37.3

ECA-12414 - Localization - French translation for RA web

Bug Fixes

ECA-11548 - Unable to only create deltacrl in REST

ECA-11626 - Enrollment code (minimum bit length) by pass

ECA-11962 - Fix InternalKeyBinding rekeying when keyspec is an OID

ECA-11969 - ejbca-db-cli verify broken - P11ng ClassNotFoundException

ECA-11970 - User can add Crypto Token with just spaces

ECA-11988 - RA Search engine keeps old incorrect results

ECA-11989 - RA Misleading message when no criteria selected.

ECA-11991 - CE cannot be compiled due to MSAE classes

ECA-11994 - Fix session timeout issue when edit ca

ECA-11995 - URI Name Constraints Not Accepting Multiple Subdomains

ECA-12006 - SCP Publisher doesn't validate empty URL fields

ECA-12011 - custom_data in REST v1/endentity requires extension_data set as well

ECA-12013 - Typo when SCEP_CLIENT_CERTIFICATE_RENEWAL_CLASSNAME can not be instansiated

ECA-12014 - CompressedCollection fails in some environments during CRL generation. Remove it

ECA-12025 - Notification Timeout Not Returning Generated Certificate

ECA-12026 - Missing OCSP transaction log entries

ECA-12040 - /v1/certificate/expire does not return certificates if maxNumberOfResults is not mentioned

ECA-12045 - Ensure all CA certificates are loaded into CaCertificateCache

ECA-12049 - EJBCA appears to leave PKCS#11 sessions around (CKR_SESSION_COUNT error)

ECA-12050 - CMP NestedMessageContent reading RA certs directory should ignore subdirectories

ECA-12051 - ant runweb misspells ocsp for included test

ECA-12057 - Ldap timeouts not saved properly in MSAE autoenrollment alias

ECA-12059 - CmpRevokeResponseMessage may be created with incorrect Sender in header in some cases

ECA-12060 - Sign CMPv2 responses with CA sigAlg when request uses HMAC - refactoring

ECA-12071 - Regression: rest api v2 certificate search broken in 8.2 when performing count

ECA-12077 - CMP Aliases in RA Mode doesn't survive upgrade to 8.2

ECA-12083 - Enroll with username/requestId incorrectly validations CSR fields

ECA-12085 - ejbca.cmd file does not work

ECA-12093 - Private keys without CKA_ID keys on an HSM gives NoSuchMethodError: 'boolean org.apache.log4j.Logger.isWarnEnabled()'

ECA-12105 - Regression: NPE in Admin UI when crypto token contains DSA key

ECA-12110 - OCSP Issuer URLs not showing on configdump export

ECA-12116 - Regression: ConfigDump fails with p11 error

ECA-12120 - Potential NPE when creating SSH CA, optimize usage of extgen.generate

ECA-12126 - SubCAs not provisioned with hybrid key

ECA-12129 - Unable to restart container when Security parameters are set

ECA-12130 - Regression: Community admin web for CMP aliases misses the 'Add' button

ECA-12131 - Username should come from changed DN in EST RA Vendor mode with Allow ChangeSubjectName enabled

ECA-12135 - Add back favicon to Admin UI Add End-Entity page

ECA-12137 - Error with focus and duplication in RA GU subject directory attributes

ECA-12139 - Review only: HealthCheckServlet query parameters dont work under load

ECA-12145 - Containerized installation issues - Public Access Member is not removed

ECA-12170 - Possible NPE in CAInterfaceBean

ECA-12172 - Compliance issue

ECA-12189 - Fortanix HSM Failures after idling without HSM activity

ECA-12196 - REST API Key Recovery endpoint doesn't work over Peers

ECA-12197 - Regression: DeltaCRLException trying to renew a CA

ECA-12204 - Regression: Un-revokation does not work when an invalidityDate is used

ECA-12215 - Regression: Community admin web for SCEP aliases - cannot delete alias

ECA-12223 - Regression: Order of Name and Id changed in WS API NameAndId object

ECA-12224 - Regression: Error revoking certificate when invalidityDate is null - Row was updated or deleted by another transaction

ECA-12227 - Merge DN function when merging SANs is case sensitive

ECA-12231 - Increase metaspace size

ECA-12233 - RaEndEntitySearchPaginationSummary does not implement Serializable

ECA-12238 - Speed up certificate search query

ECA-12246 - Regression: Order of ResponseType and Data changed in WS API CertificateRequestResponse object

ECA-12249 - Enroll EC certificate using MSAE protocol

ECA-12251 - Add new hard coded PQC key(s) for pre-signing validation

ECA-12253 - CRL store servlet shows CRL download links even if CRL is not present.

ECA-12255 - Log Redaction is not always performed in publishers

ECA-12256 - Ed25519 CSR in RA UI fails with NPE on Java 17

ECA-12264 - Regression: CertificateSamplerCustomPublisher can not be created

ECA-12278 - Incorrect alter table SQL for MS-SQL in post-upgrade scripts

ECA-12291 - Configdump export for Roles considers only internal CAs

ECA-12306 - Fix stack overflow while storing Validation Authority Publisher

ECA-12312 - Remove duplicates in RA Web field 'Key Algorithms'

ECA-12313 - Not possible to change key type or size when reissuing a certificate.

ECA-12335 - PKCS#12 files from key recovery through the WS API uses legacy certificate bag algorithm

ECA-12338 - Admin Web - Rename approval profile - error message to be improved

ECA-12375 - Handle AWS KMS disconnects without errors

ECA-12386 - Fix YamlWriterUnitTest

ECA-12391 - Fix usage of imagePullSecrets in EJBCA Helm Chart

ECA-12392 - Missing 'VA Functions' menu in VA builds

ECA-12393 - Security issue

ECA-12396 - CLI - gencsr - Could not create key: Key Algorithm DILITHIUM5 was unknown

ECA-12399 - RA Web CSR enrollment with Dilithium as primary algorithm only works when all EC curves allowed

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.