EJBCA 7.11.0 Upgrade Notes
Below are important changes and requirements when upgrading from EJBCA 7.10 to EJBCA 7.11.
For upgrade instructions and information on upgrade paths, see Upgrading EJBCA. For details of the new features and improvements in this release, see the EJBCA 7.11 Release Notes.
Behavioral Changes
OCSP Extensions always returned if configured
As of EJBCA 7.11, the OCSP responder will always return an extension if possible, if configured. Previously, extensions were only returned if specified by the client in the request.
REST API requires Certificate Profile setting to backdate revocations
EJBCA 7.11 brings a minor behavioral change in how the certificate revocation endpoint works with backdated revocation dates. During revocation of certificates or changing revocation reason of previously revoked certificates, the /revoke
REST endpoint requires the Allow Backdated Revocation setting to be enabled in related certificate profiles. For more information on backdated revocation, see Certificate Profile Fields.
Custom header mandate for REST calls from browser
EJBCA 7.11 includes a minor security fix to prevent Cross-Site Request Forgery (CSRF) attacks against the EJBCA REST API. A system configuration setting has been added to mandate a custom header for REST endpoints when invoked from the browser (System Configuration > Available Protocols). Backend service calls and browser calls are distinguished by the presence of any of the two forbidden headers "Sec-Fetch-Mode" and "Sec-Fetch-Dest". Hence, there should not be any impact on backend services unless these headers were forwarded to EJBCA. These forbidden headers are added by most modern browsers except Safari.
Deprecations
Validation CLI Tool Removed
As announced in the previous release, the Validation CLI tool has been removed.