Skip to main content
Skip table of contents

EJBCA 8.3 Upgrade Notes

Below are important changes and requirements when upgrading from EJBCA 8.2 to EJBCA 8.3.x.

For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

Microsoft Auto-Enrollment via RA in EJBCA 8.3.1

Customers using Microsoft Auto-enrollment via the RA will face an issue in EJBCA 8.3.1, causing enrollment to fail. Affected customers are advised to upgrade to EJBCA 8.3.2, where this issue has been corrected.

Before upgrading to EJBCA 8.3.2, customers using EJBCA 8.3.1 and Microsoft Auto-enrollment via the RA can manually export the certificate profiles used by the MSAE aliases from the CA side using either the GUI or the EJBCA ConfigDump tool. Importing the profiles on the RA will then make the RA accept Microsoft Auto-enrollment requests successfully.

Behavioral Changes

Changed behavior of REST API createcrl endpoint

Previously, when using /v1/ca/{issuŠµr_dn}/createcrl with 'deltacrl' set to "false", it resulted in the creation of a base CRL. When set to "true", it was supposed to create a base CRL and attempt to create a delta CRL, but it was empty because no certificates were revoked since the previous base CRL was created. Now, when the 'deltacrl' parameter is set to "true", it results in the creation of a delta CRL, and when set to "false", it creates a base CRL.

ocsp.untilNextUpdate, ocsp.maxAge and ocsp.expires.useMaxAge have been moved from ocsp.properties into database configuration.

These properties will be automatically be migrated from ocsp.properties into the database, can now be modified from the UI or ConfigDump instead and may be removed from ocsp.properties after upgrade. See the OCSP Overview page for more information.

Stricter Subject DN validation

Previous versions of EJBCA would accept but silently change malformed parts of Subject DN components when there are un-escaped characters.

For example,  "CN=Example=Test" would become "CN=Example".

Since EJBCA 8.3, these will now give an error. In particular, the SOAP API will respond with an EjbcaException with the message "badly formatted directory string" and the REST "endentity" call will give HTTP error 400.

Pre-certificate revokation service

The service has a changed behaviour and hence a new name. It is now called Pre-certificate maintenance service, and the revokation of the not fully issued certificates which are residing in the IncompleteIssuanceJournalData table is now optional.

It could be configured via GUI under the Services configuration page in EJBCA admin web. It is recommended to keep this option disabled. It will by default be disabled for the newly created services (EJBCA 8.3 and onwards) and for the services created in the older versions, it will be enabled by default, to preserve the backward compatibility. 


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.