EJBCA 7.1 Release Notes
Spring has finally arrived in Stockholm, following the traditional seasons of Winter, False Spring, Second Winter, the Spring of Deceit and the final cold snap of I-Just-Changed-My-Tires. The melting snows bring with them many gifts, besides the beer forgotten on the balcony last November, among them EJBCA 7.1.
Partitioned CRLs
Long and enduringly requested, EJBCA 7.1 is now capable of producing partitioned CRLs. Partitioning is activated under the CA configuration, and the number of partitions per CRL is dynamically configurable: new partitions can be added as the CRL grows, and assignment to older partitions can be suspended in order to allow for future growth. CDP partition assignment is random in order to allow for even distribution of certificates, and a certificate's partition can be looked up in its CDP extension, as defined in RFC 5280.
For those of you not wishing to use partitioned CRLs, life will mostly move on as usual. For those of you applying partitioned CRLs to existing installations, you will retain a legacy CRL for pre-existing certificates (as the CDP can't be changed retroactively), while newly issued certificates will be assigned to partitions.
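The relying-party side of the partition lookup described above, as an added example that is not part of these release notes or of EJBCA's code: before trusting a partitioned CRL, a validator checks that the CRL's Issuing Distribution Point (IDP) names the same distribution point as the certificate's CDP, so that a CRL for another partition cannot stand in for the right one. It uses the Python cryptography package; the CA name, key, and URL (including the `&partition=N` shape) are constructed assumptions.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed test data (not EJBCA output): throwaway CA key, name and CRL URL.
NOW = dt.datetime(2019, 4, 29)
KEY = ec.generate_private_key(ec.SECP256R1())
CA = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
BASE = "http://ca.example.test/crl?issuer=TestCA"

def dp_names(partition):
    # Assumed URL shape: partition 0 has no suffix, others carry their number.
    url = BASE if partition == 0 else f"{BASE}&partition={partition}"
    return [x509.UniformResourceIdentifier(url)]

def issue(serial, partition):
    """Issue a certificate whose CDP extension names its CRL partition."""
    cdp = x509.CRLDistributionPoints(
        [x509.DistributionPoint(dp_names(partition), None, None, None)])
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, f"ee-{serial}")])
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(CA)
            .public_key(KEY.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
            .add_extension(cdp, critical=False).sign(KEY, hashes.SHA256()))

def make_crl(partition, revoked_serials, key=KEY):
    """Build one partition's CRL; its critical IDP extension states the partition."""
    idp = x509.IssuingDistributionPoint(  # full_name only, no other restrictions
        dp_names(partition), None, False, False, None, False, False)
    b = (x509.CertificateRevocationListBuilder().issuer_name(CA)
         .last_update(NOW).next_update(NOW + dt.timedelta(days=1))
         .add_extension(idp, critical=True))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(NOW).build())
    return b.sign(key, hashes.SHA256())

def is_revoked(cert, crl, ca_public_key):
    """Consult a CRL only if it is authentic and scoped to this certificate."""
    if not crl.is_signature_valid(ca_public_key):
        raise ValueError("CRL signature invalid")
    cdps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    cert_names = {n for d in cdps for n in (d.full_name or [])}
    idp = next((e.value for e in crl.extensions
                if isinstance(e.value, x509.IssuingDistributionPoint)), None)
    if idp is None or not cert_names & set(idp.full_name or []):
        raise ValueError("CRL is not scoped to this certificate's partition")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

The check rejects a CRL that carries no IDP, which suits certificates issued into partitions; under RFC 5280 a CRL without an IDP is a complete CRL and would need its own branch.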
Deprecation and Removal of Hard Token Support
In an effort to relieve ourselves of maintaining little-used features, we have chosen in this release to deprecate and remove support for hard tokens, after our analysis showed that they see little to no use among PrimeKey customers. Naturally this will have no impact on existing installations, but we have provided scripts for those of you wishing to remove the relevant tables from the database. See the upgrade notes for more details.
VA and RA Specific Distributions
In response to market interest, we've enhanced our build process and modularization in order to produce VA and RA specific builds of EJBCA, each capable of acting in its specific role but not as a CA. This allows PrimeKey to offer a more dynamic model for Appliance and Cloud users who would like to add RA and VA instances to their PKIs but find it prohibitive to pay the full fee for the complete distribution. The standard CA distribution still retains the full VA and RA capabilities as before. If you're interested in finding out more, please contact sales@primekey.com.
EJBCA 6.15.2 CE Available on Docker Hub
As some of you already know, as part of our ongoing containerization project we've added a Docker container to Docker Hub, built on a sneak peek of the coming release of EJBCA 6.15.2 Community Edition.
If you're interested in moving your PKI towards containerization, please go ahead and have a look, and feel free to give us any feedback!
Upgrade Information
Read the EJBCA 7.1 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.
Change Log: Resolved Issues
For full details of fixed bugs and implemented features in EJBCA 7.1.0, refer to our JIRA Issue Tracker.
Issues Resolved in 7.1.0
Released on the 29th of April 2019
New Features
ECA-961 - Partitioning of large CRLs by number of issued certificates
ECA-7384 - Protocol (WS/CMP/REST/CLI) support for issuing with multi-value RDNs
ECA-7474 - GUI support to enable/disable multi-value RDNs in End Entity Profiles
ECA-7785 - New validator phase that will run before using the CA private key to sign the tbsCertificate
ECA-7815 - Selenium tests for Domain Blacklist Validator
ECA-7906 - Remove CA related UI parts from RA/UI builds.
ECA-7907 - Rendering conditions for "Certificate Authority" page on different builds
ECA-7909 - Hide unusable commands from EJBCA CLI (ejbca.sh)
ECA-7910 - Create separate module for X509CA
ECA-7911 - Split X509 CA into common and build specific parts
ECA-7912 - Create new ant target for RA/VA ziprelease
ECA-7921 - Configdump support for Domain Blacklist Validator
ECA-7934 - Add CRL partition index column in certificate tables
ECA-7935 - Add crlPartitionIndex column in CRLData
ECA-7936 - Add partition configuration in X509CAInfo
ECA-7937 - User interface for configuration of CA CRL partitioning
ECA-7938 - Add documentation for partitioned CRL configuration
ECA-7939 - Update X509CA.generateCRL function to handle partitioned CRLs
ECA-7940 - Assign certificates to CRL partitions upon issuance or import
ECA-7941 - Show available CRL URLs if partitioning is used, in Edit CA page
ECA-7942 - Method generating partitioned CRL CDP URLs
ECA-7945 - Perform regression testing for certificate issuance with and without CRL partitioning
ECA-7946 - Add extensive system test of CRL partitioning
ECA-7953 - Allow for the export of single CP/EEPs
ECA-7962 - Make "ca republish" CLI command work with partitioned CRL
ECA-7963 - Update CRL Download Service to handle Partitioned CRLs
ECA-7964 - Create a separate module for CVC CA
ECA-7966 - RA-API, WS and REST support for Partitioned CRLs
ECA-8030 - Add YubiHSM2 P11 library to known P11 libraries
ECA-8048 - Add support for Partitioned CRLs in CertDistServlet, GetCRLServlet and CRLStoreServlet
ECA-8052 - Partitioned CRLs should not be allowed without "Issuing Distribution Point" CRL extension
Tasks
ECA-7385 - Document multi value RDN behavior for 'Subset of Subject DN' (not working with multi-value)
ECA-7389 - Document Administrator matching of multi-valued RDNs
ECA-7435 - Java 11: ClassNotFoundException: org.apache.geronimo.osgi.locator.ProviderLocator from WS Tests
ECA-7766 - Create a Jenkins job for testing Oracle DB
ECA-7825 - Java 11: ejbca-db-cli uses endorsed.dirs which is not supported in java 11
ECA-7857 - Create a Jenkins job for testing openJdk11
ECA-7892 - Make validationtool tests runnable
ECA-7904 - Investigate what to remove from Admin Web in RA/VA builds
ECA-7913 - Document changes RA / VA / CA builds.
ECA-7944 - Exploratory testing
ECA-7956 - Refactoring ExternalProcessTools.writeTemporaryFileToDisk for readability
ECA-7970 - Update changelog summary
ECA-7987 - Clarify documentation of fixed octet random serial number generator
ECA-7990 - Remove usage of SecureRandom from test cases to avoid copy-paste
ECA-8026 - Create Jenkins jobs for limited RA / VA builds
ECA-8027 - Fix remaining failures for Selenium tests in Jenkins
ECA-8034 - Upgrade testing of Partitioned CRL
ECA-8045 - Exemplify of the Required flag for custom certificate extensions
ECA-8050 - Add to CRL documentation - expired certs not included in new CRL
ECA-8058 - Fix EcaQa198 selenium test fail in Jenkins.
Improvements
ECA-7272 - Security verification
ECA-7391 - Only show CA-related approvals in CA Web (and vice versa)
ECA-7418 - Java 11: Xerces throws ClassNotFoundException: org.w3c.dom.ls.DocumentLS
ECA-7521 - User must fix malformed file when making cert request.
ECA-7554 - POC of Jenkins warnings job to analyze the code style/quality/shape
ECA-7593 - Add ClientToolBoxTest in new Jenkins
ECA-7596 - Unification and consolidation of dockers' shell scripts
ECA-7622 - Ability to edit token type in the RA Web
ECA-7722 - Minor usability improvements on Edit CA page
ECA-7797 - Upgrade JAX-RS 2.0 related libraries, correct swagger ACME generation and rely more on app server's JAX-RS implementation
ECA-7798 - Unit tests for the Configuration Checker
ECA-7853 - Change default digest alg of CMP request and response messages to SHA256
ECA-7884 - System test for copying DNSName from CN over WS
ECA-7902 - Add ExtentReport Plugin
ECA-7954 - Replace "Export profiles..."-links from profiles pages with buttons.
ECA-7957 - Improve error message when pinging an unknown peer system
ECA-7965 - Document CertTools.verify behavior for bad params with JUnit test
ECA-7975 - Avoid using two executors for Jenkins jobs
ECA-7986 - Better validation message when CAA validator is running on a certificate without dNSNames
ECA-7997 - Translate the RA web to Swedish
ECA-8000 - External Command Validator output not forwarded to EJBCAWS
ECA-8011 - Make crlPartitionIndex nullable instead of DEFAULT 0
ECA-8013 - Upgrade BC to 1.61
ECA-8016 - Database publishing of partitioned CRLs
ECA-8029 - Remove Hard Tokens, Hard Token Profiles and Hard Token Issuers from EJBCA
ECA-8097 - Selenium test for CA with incorrect Partitioned CRL settings
ECA-8101 - Upgrade notes for partitioned CRLs
ECA-8103 - CRL Update Worker should handle partitioned CRLs
ECA-8107 - Change terminology for "retired CRL partitions"
ECA-8109 - CRL partition fields in new CA page appear after changing Crypto Token
ECA-8110 - Document that CRL partition 0 gets URL without partition number
Bug Fixes
ECA-7626 - Fix out of memory issues on new Jenkins
ECA-7731 - Subject AltName does not appear in the RA Web when Subject DN is not used
ECA-7733 - Security Fix
ECA-7753 - Selenium Docker Jenkins followup ticket - NoInitialContextException: Need to specify class name in environment or system property
ECA-7841 - Regression: Missing JAXB in JDK11 and lack of bundled API JAR causes compilation error for Acme classes
ECA-7868 - Regression: CA names in Edit End Entity Profile page should be sorted
ECA-7915 - Unexpected error while using Create Authenticated Certificate Signing Request in CA page
ECA-7929 - Fingerprints downloaded from the RA Web are scrambled
ECA-7952 - Some rules not applied when creating a role from the RA Web
ECA-7958 - New fields in X509CAInfo should be added to configdump
ECA-7973 - Clicking Test Command twice in External Command Certificate Validator gives exception
ECA-7974 - Community Edition build broken in trunk
ECA-7977 - CRL Downloader can't handle entries with extensions, but no reason code
ECA-7984 - Jenkins not cleaning up temporary files
ECA-7985 - Unit tests do not respect tests.jvmargs
ECA-7989 - Possible race condition in SerialNumberGenerator with different CAs use different octet sizes
ECA-7991 - Make ApprovalSessionTest reliable
ECA-8002 - CRL Partition: CA does not retain CRL Partition settings
ECA-8004 - List of validators in certificate profiles is not sorted
ECA-8005 - NPE when trying to change ca token of a non existing CA
ECA-8010 - JBoss CLI on Jenkins uses too much memory on Jenkins
ECA-8012 - Regression: Delegated key pair generation doesn't work with RA-Gui enrollment
ECA-8014 - Trivial typo in revoke end entity reason codes
ECA-8015 - Exception in Admin UI trying to view a crypto token configured with a non-existing P11 library file
ECA-8018 - For Signed CMP messages, signed error message may not be signed with the expected signature for some errors
ECA-8023 - Update the default key aliases when importing keystores
ECA-8040 - Regression: End Entity Profiles ZIP file with directory cannot be imported
ECA-8042 - Cannot create CA with 'Use CRL partitions' option checked
ECA-8046 - Jenkins jobs use the same name for docker resources
ECA-8047 - Regression: Some End Entity Profiles ZIP files cannot be imported
ECA-8054 - Some classes still try to instantiate EjbcaWebBean
ECA-8055 - Log errors at initialization failure of EjbcaWebBeanImpl
ECA-8061 - Creating a CA using CRL Partition gives EntityExistsException
ECA-8062 - EST reenrollment fails if the DN includes more components than CN
ECA-8063 - ExtRAMessagesTest does not compile
ECA-8072 - CaRenewCACommandTest stops working after 2019-04-15
ECA-8075 - The "Generate" buttons do not include the "&partition=*" if using Partitioned CRLs in a new CA
ECA-8083 - Certification Authorities: Creating new CA with CRL Partitions fails
ECA-8085 - Fix potential race condition in REST initialization found by PMD
ECA-8087 - Unable to create CA with CRL Partitions
ECA-8090 - Certificate created with "use partitions" CA has 0 as crlPartitionindex
ECA-8095 - Null pointer exception when a certificate profile uses CA defined AIA values, but the CA has defined none
ECA-8105 - Regression: Cannot edit approval requests in RA-web
ECA-8111 - SoftHSM directory has wrong owner on Jenkins