
EJBCA 9.1 Release Notes

NOVEMBER 2024

The EJBCA team is pleased to announce the release of EJBCA 9.1.

EJBCA 9.1 includes support for NIST-approved quantum-safe algorithms ML-DSA and ML-KEM, the first completed standards from NIST’s post-quantum cryptography (PQC) standardization project. The release also expands functionality with Matter-compliant Operational Certificates, extended HSM integration, and enhancements to the REST API. Additionally, the release addresses a potential compliance issue and resolves a potential security issue.

These release notes cover new features and improvements implemented in EJBCA 9.1.0 and EJBCA 9.1.1 (EJBCA 9.1.0 was an internal release, not generally available for customers). 

EJBCA 9 introduced S/MIME CAA validation support to align with CA/Browser Forum standards for email security. This major release also introduced support for an upgraded technology stack, requiring WildFly 32 or JBoss EAP 8 as the application servers and Java 17 as the runtime environment. For more information, see the EJBCA 9.0 Release Notes.

For available deployment options and associated versions, refer to Supported Versions.

Highlights

NIST Approved Quantum-Safe Algorithms ML-DSA and ML-KEM


EJBCA 9.1 adds support for issuing certificates with the NIST-approved quantum-safe algorithms ML-DSA and ML-KEM. These standardized PQC algorithms replace the draft candidates Dilithium and Kyber that earlier EJBCA versions supported before the final standards were published.

For more information, see Post-Quantum Cryptography Keys and Signatures.

Matter Operational Certificates


Matter is the industry standard for interoperable smart home devices. Support for issuing Matter-compliant Device Attestation Certificates was introduced in EJBCA 8, and EJBCA 9.1 now adds support for issuing Matter-compliant Operational Certificates. For more information, see Create CAs for Matter Operational PKI.

Extended Hardware Security Module (HSM) Support

In EJBCA 9.1, the EJBCA Container Set supports the use of Entrust nShield Connect HSM. For more information, refer to the EJBCA Container documentation on HSM Integration. EJBCA 9.1 also introduces support for REST API-based integration with Securosys HSM through the introduction of a new crypto token.

REST API Extensions

For deployments set up to use hybrid certificates, an extension to the REST API in EJBCA 9.1 enables REST API clients to retrieve information about available alternative key algorithms when fetching information about certificate profiles through the /v2/certificate/profile/ endpoint.

Announcements

Potential CAA Compliance Issue

Due to a logical error in how EJBCA interprets Certification Authority Authorization (CAA) responses, EJBCA versions prior to 8.3.3 and 7.1 might incorrectly approve issuance of a wildcard certificate for a domain name for which the CAA records in DNS prohibit it. For details, refer to the Keyfactor Support portal article Potential CAA Compliance Issue.
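To make the CAA rule concrete, the following is an added example (not EJBCA's code) that evaluates RFC 8659 CAA records the way a CA is required to: for a wildcard name the issuewild property set is used when present, otherwise the issue set applies, and an empty issuer-domain-name (the value ";") authorises no CA at all. The DNS data is constructed, CNAME/DNAME following is not modelled, and lenient_wildcard_check only illustrates the failure class described above; it is not a reproduction of the EJBCA defect.

```python
"""Evaluate CAA (RFC 8659) for wildcard and non-wildcard names.

Added example with constructed zone data; not EJBCA code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (0x80) = issuer critical
    tag: str
    value: str


# Constructed zone data: name -> CAA RRset (empty list = name exists, no CAA).
CONSTRUCTED_DNS = {
    "example.com": [CAARecord(0, "issue", ";")],            # nobody may issue
    "shop.example.com": [CAARecord(0, "issue", "ca.example.net"),
                         CAARecord(0, "issuewild", ";")],   # no wildcards
    "api.example.com": [CAARecord(0, "issue", "ca.example.net; account=42")],
    "legacy.example.com": [CAARecord(0x80, "unknown-tag", "x")],
    "open.example.org": [],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(fqdn, dns):
    """RFC 8659 section 3: strip a leading '*.' and walk up the tree to the
    first name that has a non-empty CAA RRset."""
    name = fqdn[2:] if fqdn.startswith("*.") else fqdn
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = dns.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """issuer-domain-name is the text before the first ';', trimmed.
    An empty result means 'no issuer is authorised'."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(fqdn, ca_domain, dns):
    """Correct evaluation: True only if ca_domain may issue for fqdn."""
    rrset = relevant_rrset(fqdn, dns)
    # A critical property we do not understand forbids issuance outright.
    if any(r.flags & 0x80 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    wildcard = fqdn.startswith("*.")
    props = [r for r in rrset if r.tag.lower() == "issuewild"] if wildcard else []
    if not props:  # no issuewild (or not a wildcard): issue records apply
        props = [r for r in rrset if r.tag.lower() == "issue"]
    if not props:  # no issue/issuewild published at all: unrestricted
        return True
    return any(issuer_domain(r.value) == ca_domain.lower() for r in props)


def lenient_wildcard_check(fqdn, ca_domain, dns):
    """Illustration of the failure class only: treating an empty
    issuer-domain-name as 'no constraint' lets any CA issue for the name."""
    rrset = relevant_rrset(fqdn, dns)
    props = [r for r in rrset if r.tag.lower() in ("issue", "issuewild")]
    names = [issuer_domain(r.value) for r in props]
    return any(n == "" or n == ca_domain.lower() for n in names)


if __name__ == "__main__":
    for name in ("*.example.com", "*.shop.example.com", "*.api.example.com"):
        print(name, "correct:", caa_permits(name, "ca.example.net", CONSTRUCTED_DNS),
              "lenient:", lenient_wildcard_check(name, "ca.example.net", CONSTRUCTED_DNS))
```

Running the block shows the divergence on `*.example.com`: the correct evaluator refuses because the only applicable record is `issue ";"`, while the lenient variant approves it.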

Potential Security Issue related to Reverse Proxy Deployment

Updated EJBCA Security documentation includes recommended reverse proxy configuration to avoid potential vulnerabilities.

Removal of GOST and DSTU Algorithm Support

Support for the GOST and DSTU algorithms has been removed. These algorithms were deprecated in EJBCA 8.3 and are no longer available in this release.

Removal of Certificate Profile-specific OCSP Functionality

The following properties were declared deprecated in EJBCA 8.3:

  • ocsp.999.untilNextUpdate

  • ocsp.999.revoked.untilNextUpdate

  • ocsp.999.maxAge

  • ocsp.999.revoked.maxAge

These properties (where 999 stands for the ID of an individual certificate profile) allowed OCSP settings to be applied per certificate profile. The properties and the associated functionality have been removed.

Removal of Unused Properties from cesecore.properties

The following properties in the cesecore.properties file are unused (or not required) and have been removed.

  • ca.toolateexpiredate

  • authkeybind.ciphersuite

  • db.keepinternalcakeystores

  • ca.keepocspextendedservice

Bouncy Castle Upgrade

Bouncy Castle has been upgraded to version 1.79. For information about the latest Bouncy Castle releases, refer to the Bouncy Castle Release Notes.

Upgrade Information

Review the EJBCA Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

Change Log: Resolved Issues

The following lists implemented features and fixed issues in EJBCA 9.1.0 and EJBCA 9.1.1.

Issues Resolved in 9.1.1

Released November 2024

Bug Fixes

ECA-12782 Regression: Few cipher suites not moved after dropping cesecore unused properties

ECA-12805 Issuance of wildcard certificate is incorrectly allowed when CAA issue ";" record is present

Issues Resolved in 9.1.0

Internal release November 2024

New Features

ECA-12327 Add Matter IoT specific DN components for Node Operational Certificates

ECA-12371 Implement building and running unit tests

ECA-12453 nShield Connect integration with EJBCA container in Kubernetes

ECA-12576 Render PQC (alternative) public keys for hybrid certificates in RA Web view certificate screen

ECA-12599 Securosys Primus HSM REST API CryptoToken

ECA-12659 Issuance of ML-KEM certificate with CMP v3 using encrCert proof of possession

ECA-12759 Enable changing serial number generator algorithm in the Container

Improvements

ECA-12044 Render ML-DSA and ML-KEM public parameters in RA Web certificate checker

ECA-12084 Remove deprecated certificate profile specific ocsp functionality

ECA-12270 Network policy for EJBCA Helm chart

ECA-12326 Remove support for GOST and DSTU

ECA-12423 Allow OCSP Nonce of up to 128 bytes as per RFC 9654

ECA-12578 Upgrade to BC 1.79 final

ECA-12645 An email address in the RA Web - Make New Request is required, but not marked as such

ECA-12653 Use DNS name for filename when NO subject DN is used

ECA-12666 Return alternative key algo through /v2/certificate/profile/

ECA-12693 Improve logging for certain EST errors

ECA-12699 Drop unused properties from cesecore.properties

ECA-12704 Document how to export and import data removed by database-housekeeping.sql

ECA-12706 Remove LegacySoftCryptoToken and attendant classes

ECA-12712 Remove Sample Code from src directory

ECA-12736 Ignore entries without alias in P11NG-CLI listkeypair, update p11ng to 0.25.1

ECA-12743 Cleanup: CertTools.genSelfCertForPurpose is deprecated and references should be removed

ECA-12755 Fix CMP test failures after encrCert ML-KEM merge

Bug Fixes

ECA-12394 Proper handling of Public Access Role Members during container startup

ECA-12471 The infinite token glitch

ECA-12523 RA Web - Inspect Certificate - Public Key not being presented correctly when PQ algorithm is used

ECA-12529 Caches are not updated after external configurations have been reloaded

ECA-12608 Admin Web - New Crypto Token - NPE while creating new pkcs#11NG token (error message improvement)

ECA-12691 Admin Web - Create CA - CVC available, but disabled (CE inconsistency)

ECA-12692 REST endpoint v1/cas returns wrong issuerDN for three (or more) level hierarchies

ECA-12719 KF command REST responses are not being read fully during Proxy CA enrollments

ECA-12726 EJBCA CE - PKCS#11 not working after upgrading EJBCA to JDK17

ECA-12729 Regression: APPSERVER_USE_MANAGED_ID

ECA-12734 Update BC version in jboss-deployment-structure.xml
