EJBCA 8.0 Release Notes
JUNE 2023
The EJBCA team is pleased to announce the release of EJBCA 8.0.
This release includes advancements in IoT security, SSH certificate issuance, and post-quantum readiness.
Deployment options include EJBCA Software Appliance, EJBCA Cloud, and EJBCA Hardware Appliance.
Highlights
SSH certificates
EJBCA 8 includes the new Certificate Authority (CA) type SSH CA capable of issuing Secure Shell Protocol (SSH) certificates. The use of SSH certificates for certificate-based authentication in SSH rather than SSH key distribution and management allows organizations to both increase productivity and improve security. Enabling SSH servers and clients to trust the CA means that SSH can leverage the power of PKI.
With EJBCA you can now issue SSH certificates in addition to X.509 certificates, Card Verifiable certificates, and C-ITS certificates. SSH certificate enrollment is supported through the EJBCA REST API and the EJBCA RA user interface. For more information, see SSH CA.
EST over CoAP in EJBCA LRA Software Appliance
In order to extend deployment flexibility EJBCA 8 enables the deployment of a Local Registration Authority (LRA) to issue birth certificates or operational certificates in IIoT and IoT use cases. Resource-constrained devices can enroll for certificates using EST over CoAP. Running EST over CoAP in EJBCA 8 requires using an EJBCA LRA Software Appliance connected to an EJBCA Certificate Authority (CA).
General EST support in EJBCA 8 has also been extended to support server-side key generation. Server-side key generation may be used regardless of whether EST is carried over HTTP or CoAP.
Post-Quantum Readiness
EJBCA 8 includes support for creating CAs using the NIST round 3 candidate post-quantum signature algorithms Dilithium and Falcon. The standardization of these algorithms is planned to be finalized by INST in 2024. These algorithms are not for production use but are well suited for post-quantum preparation activities and proof of concept usage. For more information on post-quantum algorithm support in EJBCA, see Post-Quantum Cryptography Keys and Signatures.
Matter Smart Home support
Matter is a new standard for interoperable and secure smart home devices. Matter security is based on certificates and the required certificates can be issued by EJBCA using new subject DN attributes as specified in the Matter standard. For more information, see Create CAs for Matter IoT.
Fortanix DSM support
EJBCA 8 includes a new crypto token type enabling integration with Fortanix Data Security Manager (DSM) Cloud HSM through the Fortanix REST API. For more information on the REST integration and creating the Fortanix crypto token in EJBCA, see Fortanix Data Security Manager.
ACME improvements
EJBCA 8 adds support for DNS Identifier Validation using the tis-alpn-01 Challenge. ACME has also been extended to support HS384 and HS512 MAC algorithms.
ISO 15118-20 (EV charging) support
Extended EJBCA functionality related to SubjectKeyIdentifier and AuthorityKeyIdentifier enables setting up EJBCA 8 to issue certificates according to the requirements specified in ISO 11518-20.
Certificate Counting
A new REST endpoint enables counting the number of issued and active certificates.
Technology upgrades
As a new major version the technology stack supported by EJBCA 8 includes some important updates compared to EJBCA 7. EJBCA 8 supports running on Java 17 in addition to Java 11. Running on Wildfly 26 as application server is also supported and the EJBCA use of application server is based on JEE8. Bouncy Castle has been upgraded to version 1.73.
Announcements
Security Issue
EJBCA 8.0 resolves an authentication issue discovered in EJBCA 7.12.0 that allowed the EJBCA RA user interface certificate distribution servlet to allow partial denial of service.
We rate the issue as having a severity level of medium. Once EJBCA 8.0 has been generally available across all platforms for at least two weeks, a CVE with the identifier CVE-2023-34196 will be published.
Public Web not supported
EJBCA Public Web has been deprecated since EJBCA 7.9 and is no longer supported in EJBCA 8. Customers are advised to use the functionality available in the EJBCA RA user interface.
Running on Java 8 not supported
Running on Java 8 has previously been deprecated and EJBCA 8 does not support running on Java 8.
Old application servers not supported
Running EJBCA 8 on WildFly 10-22 as well as JBoss EAP 7.0-7.3 is not supported. WildFly 26 and JBoss EAP 7.4 are currently the recommended application servers for running EJBCA 8.
Removal of End Entity Printing Functionality
As of this version of EJBCA, we have removed the functionality to print End Entities using SVG templates, as this feature was rarely used and not maintained.
Removal of cesecore-p11.jar and CKA_MODIFIABLE=false
This feature was added a while back to provide a workaround for a vulnerability that has long since been patched by HSM vendors. This workaround does not work in JDK11 and above, so has been removed.
Removal of CMS Signing for Audit Logs
CMS signing was rarely used and required signatures from a soft key stored on the CA. This functionality has been removed from the audit log pages, as well as the accompanying CA settings.
Removal of the legacy asynchronous CMP Proxy
The legacy CMP Proxy, which allowed the CA to poll a database for incoming CMP requests, has been retired and removed. The main purpose of acting as a proxied CMP endpoint has been redundant for some time by the EJBCA RA, and the last remaining functionality that was available on the proxy has now been rolled into the RA as well.
Removal of the legacy asynchronous SCEP Proxy
Like the CMP proxy above, the SCEP proxy has been redundant for quite some years by EJBCA acting as RA. It has now been fully removed.
Removal of ECDSA ImplicitlyCA
The ECDSA ImplicitlyCA functionality has long been discouraged from use, and support has now been entirely removed from EJBCA. Note that ImplicitlyCA has nothing to do with explicit ECDSA parameters.
Upgrade Information
Review the EJBCA 8.0 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.
EJBCA 8.0 is included in EJBCA Software Appliance 2.4 and EJBCA Cloud 3.2. EJBCA 8.0 will also be included in the EJBCA Hardware Appliance 3.12 release.
Change Log: Resolved Issues
The following lists fixed bugs and implemented features in EJBCA 8.0.
Issues Resolved in 8.0.0
Released June 2023
New Features
ECA-9249 - Implement ConfigDump for SSH Certificate objects
ECA-9260 - Create a REST call to request an SSH certificate
ECA-9264 - Allow SSH CA public keys to be downloaded in SSH format from the RA web
ECA-9562 - ACME DNS Identifier Validation tls-alpn-01 Challenge
ECA-9856 - Add validity override option to REST /v1/endentity
ECA-10968 - Initial PoC support for Falcon and Dilithium PQC algorithm using soft token and non-official OIDs
ECA-11136 - CMP HMAC validation in Client Mode (Extended validation)
ECA-11146 - Modify language clue about security strength from only NTRU to PQC general
ECA-11154 - Support EC point compression in issued certificates if CSR has it
ECA-11177 - Fortanix crypto token type
ECA-11201 - Add RFC9336 Document Signing built-in extended key usage
ECA-11248 - Ability to include language files from custom publisher plugins
ECA-11258 - Add Matter IoT specific DN components
ECA-11266 - Make max number of jobs for a publishing queue worker configurable.
ECA-11283 - Create tests for CoAP REST endpoint
ECA-11296 - Support Subject and AuthorityKeyIdentifier method 2
ECA-11297 - Add PQC KEM algorithm NTRU as available algorithms in Certificate Profile
ECA-11298 - Add documentation of PQC support
ECA-11300 - Ability to order Key Identifier extensions in specific order
ECA-11328 - Add protocol configuration for REST CoAP
ECA-11363 - Correct test failure in Jenkins related to ticket ECA-11328
ECA-11367 - Est server side key generation
ECA-11377 - CoAP Support for EST Server Side Key-gen
ECA-11378 - CoAP Support for EST 'simplereenroll'
ECA-11432 - Add options to select encryption and wrapping algorithm in clientToolBox SCEPTest command
ECA-11433 - Add support for RSA-OAEP decryption in P11NG
ECA-11440 - Missing support IPv6 for SANs in CMP protocol
ECA-11453 - REST API endpoint for counting issued and active certificates
ECA-11457 - Add uniqueIDentifier and certificationID DN components
ECA-11504 - Document initial support for IBM HPCS HSM using P11NG
ECA-11520 - OCSP responder support for CertId using SHA384 and SHA512 in OCSP requests
Improvements
ECA-8627 - Allow multiple CRL Updater Services to run in parallel
ECA-9536 - Replace configurable header JSP file path with a header selection/upload
ECA-10442 - Add placeholder for certificate serial number in decimal format to e-mail notifications
ECA-10686 - Remove commons-digester
ECA-10688 - Upgrade commons-io to 2.11 or later
ECA-10903 - Improve logging for ACME EAB failures
ECA-10971 - Create an exportable x509-cert-utils module
ECA-10987 - Don't rely on presence of TLS session tickets when detecting type of public access role member
ECA-11064 - Return list of supported JWS algorithms if ACME EAB request uses an unsupported JWS algorithm
ECA-11075 - Add "verify-required" critical option
ECA-11164 - Update ldap.jar to latest version
ECA-11165 - Upgrade log4j to 2.19.0
ECA-11167 - Extend ACME available MAC algorithms to HS384 and HS512
ECA-11170 - Remove reference to velocity.log from build.xml
ECA-11178 - Upgrade woodstox-core to 6.4.0
ECA-11180 - Upgrade Google Guava to version 31.1 or later
ECA-11188 - Rewrite the Validators Page to conform with emerging UX practices
ECA-11189 - Always check revocation status of certificates during authorization
ECA-11191 - Remove calls to deprecated constructors of Integer and Float
ECA-11192 - Cleanup: Update deprecated BouncyCastle references
ECA-11196 - Refactor some CRL related classes and code.
ECA-11199 - Update commons-configuration2 --> 2.8.0
ECA-11214 - Upgrade EJBCA to use CDI
ECA-11215 - Upgrade to javaee-api-8.0.1
ECA-11216 - Allowing special character "+" in email address in AdminWeb add entity
ECA-11233 - Modify CryptoTokenTestRunner to include P11NG
ECA-11235 - Convert MBeans declared in CA UI's faces-config to use CDI instead
ECA-11261 - Remove CoAP endpoints from SwaggerUI
ECA-11264 - Reduce and upgrade javassist to version 3.29.2
ECA-11267 - Modify the Validators page to use a separate column for validator type
ECA-11269 - Refactor ACME Alias overview page according to current UX practices
ECA-11293 - EJBCA - Create an EST CoAP config API
ECA-11294 - CoAP server - Load EST config from EJBCA
ECA-11316 - Solve the root-resource mistery
ECA-11326 - Add handling of "Number of Allowed Requests" in code for race condition avoidance
ECA-11327 - Fix ACME system test failures false positives due to challenge validations
ECA-11373 - Add PQC key generation by the CA in RA Web
ECA-11376 - Remove deprecated call to CoreMatchers.containsString() in AcmeAssert.java
ECA-11390 - P11NG: Clear cache after login
ECA-11391 - CP improvement - Add only relevant key usages to certificates
ECA-11396 - Update default PKCS#11 libraries for Thales ProtectServer 2 and 3
ECA-11399 - Make scope UI configurable for PingID OAuth Provider
ECA-11400 - Remove unused classes
ECA-11401 - Move KeyTools.getBytesFromOauthKey and KeyTools.getKeyIdFromJwkKey out of x509-commons-util
ECA-11402 - Containerize CoAP Proxy
ECA-11404 - Est over coap access rule for Coap rest resource
ECA-11417 - Decrypt Intune client secret on CA
ECA-11426 - SSH Swagger UI example issues
ECA-11435 - Upgrade SnakeYaml to version 2.0
ECA-11436 - Update jackson libraries
ECA-11442 - Rewrite the Search End Entities page in the CA UI to JSF
ECA-11447 - Add warning about re-keying Root CAs
ECA-11451 - Update Swagger Codegen lib to v2.4.31 or later
ECA-11452 - TLS 1.3 Support for key bindings
ECA-11454 - Support decimal serialNr for EJBCA CLI revoke
ECA-11465 - Include SSH feature(s) in the standard EE build
ECA-11466 - 'Use Entity CN Field" for MS UPN
ECA-11474 - Replace tabs in System Configuration Screen with PrimeFaces tabs
ECA-11476 - RA web is not affected by Certificate Chain ordering
ECA-11486 - Fix key algorithm and key spec for PQC when view certificate in Ra web
ECA-11489 - Add ability to enable/disable Fortanix DSM crypto token in properties
ECA-11491 - Enable post-quantum algorithms by default
ECA-11500 - Updated EJBCA logo based on Keyfactor rebranding
ECA-11501 - Match all active vendor CA certificates with CMP vendor certificate mode
ECA-11502 - Evaluate MSAE deny permissions
ECA-11529 - Add margin for Search End Entity Buttons
ECA-11537 - Make ejbca.sh config available on RA / VA builds
ECA-11553 - editcapage: Add ID to the form elements so that test automation does not break with every single release
Bug Fixes
ECA-4347 - Race condition when multiple RA threads are requesting certificates for the same user
ECA-10304 - ACME Configuration: Modified settings reset after save.
ECA-10412 - Fix warnings
ECA-10754 - REST API: When hitting max_statement_time (or 'Maximum Query Timeout'), the request does not fail
ECA-11080 - AdminWeb: GetCrl with insufficient permissions results in 500 Error
ECA-11089 - Unable to Save Advanced Access Rules
ECA-11128 - Autoenrollment alias does not accept krb5 conf file if it is considered plain text
ECA-11137 - Can't view/edit Batch Generation / Clear Text Password state from RA GUI
ECA-11148 - Conflicting autogenerated password error at EE creation
ECA-11161 - Fix HMACAuthenticationModule extracted username bug
ECA-11174 - ZIP releases fail to build using Java 17
ECA-11194 - post upgrade failure from version 7.3.1.4 to version 7.10.0.1
ECA-11202 - WS javadoc fail after X509-Common-Util move
ECA-11203 - ant test:clientToolBox fails after x509-common-util
ECA-11210 - NPE when enrolling an EE with a revoked CA.
ECA-11213 - org.ejbca.core.protocol.scep.ProtocolScepHttpTest.test03OpenScep() failing
ECA-11222 - Internal error via REST API returns wrong status code
ECA-11229 - REST Endpoint accepting EST messages from CoAP Proxy
ECA-11231 - Fix testEjbcaVersion test
ECA-11263 - ejbca-ws-generate broken since upgrade to JEE8
ECA-11290 - UPN value not included in certificate if "Required" in EE Profile not selected
ECA-11292 - View End Entity page in Ra web is broken
ECA-11295 - Add getCertificateSignatureAlgorithm body in SshCertificateUtility
ECA-11310 - Regression: p11ng module missing from ejbca-ejb-cli
ECA-11317 - Process ACME wildcard certificates in order state ready
ECA-11329 - Regression: NPE trying to delete crypto token, checking presence in ACME EAB
ECA-11340 - BC version number not updated in jboss-deployment-structure.xml
ECA-11343 - CoAP server- NullPointerException on repeated enrollment requests
ECA-11346 - End entity profile validation logic for clear password and send notification
ECA-11355 - Fix classpath error in WS CLI
ECA-11369 - Fix compilation issue caused by ECA-11233
ECA-11380 - CRL Import via CA UI can't handle large CRLs
ECA-11412 - clientToolBox does not honor pkcs11.disableHashingSignMechanisms=false
ECA-11419 - PKCS11CryptoToken not working in CE on Java 17
ECA-11424 - Audit log timezone stuck in UTC
ECA-11425 - SSH User cert with principal
ECA-11430 - Remove RSA-OAEP mapping to RSA in ScepRequestMeassage
ECA-11431 - Error creating new CA when there are failed crypto tokens
ECA-11437 - clientToolBox SCEPTest should URL encode GetCACert CA name
ECA-11443 - Missing RA web language string for Matter DN components VID and PID
ECA-11444 - NPE when enrolling SSH certificate via REST
ECA-11455 - Algorithm key length can not be validated for dilithium algorithm
ECA-11458 - Properly handle Verify-required in RA web certificate pages
ECA-11459 - Fix output format of coap serverkeygen cbor response
ECA-11460 - Ensure P11NG CLI generated keys meet Utimaco CP5 HSM keyUsage constraints
ECA-11469 - OCSP Responder next key update "fail" in 7.11.0.1
ECA-11471 - VaPeerStatusServletSystemTest tests are failing
ECA-11475 - MSAE cannot handle commas "," in CN field
ECA-11477 - Update SafeObjectInputStream with KeyFactor classes
ECA-11478 - Security issue
ECA-11479 - Regression: adding new DN components does not work any longer
ECA-11487 - EC keys generation from REST endpoints does not work
ECA-11492 - Unable to download initial superadmin token from RA web
ECA-11499 - LDAP DN order field on edit SSH CA page does not update after clicking save button
ECA-11510 - Va functionality shows up in RA specific EJBCA build
ECA-11523 - Wrong comparison of Hash sets.
ECA-11525 - Crypto tokens created using ejbca.sh do not autoactivate
ECA-11532 - Remove "Asterisk in freshest CRL field" from documentation
ECA-11534 - Javascript does not run in View Certificate dialog, causing revocation confirmation to not show
ECA-11535 - Oauth link does not work in adminWeb
ECA-11538 - Unescaped single quotes blocks publisher type selection in CA UI
ECA-11539 - Protocol status icons are squashed up
ECA-11541 - After cloning a Validator, further edits also result in cloning
ECA-11550 - Fix regressions on the Search End Entities page in CA GUI
ECA-11558 - Infinite amount of Add Constraint rows
ECA-11563 - On open to view certificate on Search End Entities, Error 404
ECA-11564 - Remove "(unused)" from revocation reasons list on Search End Entities page
ECA-11565 - CA Gui search end entity advanced page match how operators gets reset on new added criteria