EJBCA 9.2 Release Notes
JANUARY 2025
The EJBCA team is pleased to announce the release of EJBCA 9.2.
The main features of EJBCA 9.2 include functionality for EJBCA to perform CAA and ACME requests leveraging Multi-Perspective Issuance Corroboration (MPIC), along with improved linting capabilities.
The EJBCA 9.2 release is available for software and container-based deployments. For available deployment options and associated versions, refer to Supported Versions.
Highlights
Multi-Perspective Issuance Corroboration (MPIC)
EJBCA 9.2 introduces support for leveraging Multi-Perspective Issuance Corroboration (MPIC) according to the CA/Browser Forum Baseline Requirements (Latest Baseline Requirements) when performing Certification Authority Authorization (CAA) checks, as well as DNS and IP validation using ACME.
Support for MPIC is implemented through a new EJBCA MPIC Validator for CAA checks and as a configurable option in ACME.
pkimetal Validator
EJBCA 9.2 now supports integration with pkimetal, an external PKI Meta-Linter container, enabling enhanced pre- and post-linting via REST API. pkimetal simplifies certificate linting for Certificate Authorities (CAs) and provides a straightforward way for CAs to adopt and stay current on multiple linting tools to prevent a whole category of compliance errors.
This functionality is introduced through the new EJBCA pkimetal Validator.
REST API Extensions
The EJBCA REST Interface has been extended with a new endpoint /v1/endentity/{endentity_name}/edit to enable updating end entity properties.
Additionally, the existing endpoint /v1/certificateRequest has been extended with additional request types, so that CRMF, public key, CVC, and SPKAC request input can be used as alternatives to PKCS#10, which this endpoint already supported in previous versions.
Support for WildFly 35
EJBCA 9.2 introduces support for WildFly 35. For more information on software requirements, see Installation Prerequisites.
Default Encryption of PKCS#12 Changed to AES
When generating a PKCS#12, the default encryption method has been changed from 3DES to AES, which can be configured in the End Entity Profile.
To avoid compatibility issues with legacy systems, existing End Entity Profiles are not automatically updated (with the exception of the default EMPTY profile). However, the encryption cipher can be changed either via the user interface or through the EJBCA ConfigDump tool.
Note that 3DES encryption is still considered secure, and the change primarily concerns interoperability.
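As an added check, not EJBCA's own code: the script below walks the DER of a PKCS#12 file and reports whether its encrypted content uses the legacy 3DES PBE or PBES2/PBKDF2/AES-256-CBC, which is what to run on an exported keystore before handing it to a legacy importer (pass the raw bytes of a .p12 to inspect_pkcs12). It assumes definite-length DER, and the two sample inputs are constructed AlgorithmIdentifier fragments, not real keystores.

```python
# Added example, not EJBCA code: report the password-based encryption (PBE)
# algorithms inside a PKCS#12 file, to tell a keystore exported under an End
# Entity Profile still set to 3DES from one using PBES2/PBKDF2/AES-256-CBC.
PBE_OIDS = {"1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC", "1.2.840.113549.1.5.13": "PBES2",
            "1.2.840.113549.1.5.12": "PBKDF2", "2.16.840.1.101.3.4.1.42": "aes256-CBC"}
def decode_oid(body):                 # OID content octets -> dotted form
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, value = arcs + [value], 0
    top = 2 if arcs[0] >= 80 else arcs[0] // 40
    return ".".join(map(str, [top, arcs[0] - 40 * top] + arcs[1:]))
def walk_der(data, found):            # collect every OID; False if not clean DER
    # Descends into constructed types and into OCTET STRINGs holding a SEQUENCE, which is how PKCS#12 nests AuthenticatedSafe, SafeContents and key bags.
    pos = 0
    while pos + 2 <= len(data):
        tag, length, pos = data[pos], data[pos + 1], pos + 2
        if length & 0x80:                        # long form; n == 0 is BER indefinite, rejected
            n = length & 0x7F
            if not 0 < n <= 4 or pos + n > len(data):
                return False
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        body, pos = data[pos:pos + length], pos + length
        if len(body) != length:
            return False
        if tag == 0x06:
            found.append(decode_oid(body))
        elif tag & 0x20 or (tag == 0x04 and body[:1] == b"\x30"):
            inner = []
            if walk_der(body, inner):            # keep only a clean parse
                found.extend(inner)
    return pos == len(data)
def inspect_pkcs12(der):              # -> (recognised PBE names, verdict)
    found = []
    walk_der(der, found)
    names = [PBE_OIDS[o] for o in found if o in PBE_OIDS]
    if "1.2.840.113549.1.5.13" in found:
        return names, "PBES2/AES: 9.2 default, legacy importers may reject it"
    if "1.2.840.113549.1.12.1.3" in found:
        return names, "legacy PBES1 3DES: pre-9.2 default"
    return names, "no PBE algorithm recognised"
# Constructed sample, not a real keystore: a key bag's AlgorithmIdentifier wrapped in an OCTET STRING as PKCS#12 does; OID bytes are fixed DER.
def tlv(tag, body):                   # short-form DER TLV, enough for the sample
    return bytes([tag, len(body)]) + body
PARAMS = tlv(0x30, tlv(0x04, b"salt") + tlv(0x02, b"\x08\x00"))   # salt, 2048 iterations
SAMPLE_3DES = tlv(0x30, tlv(0x04, tlv(0x30, bytes.fromhex("060a2a864886f70d010c0103") + PARAMS)))
SAMPLE_AES = tlv(0x30, tlv(0x04, tlv(0x30, bytes.fromhex("06092a864886f70d01050d") + tlv(0x30,
    tlv(0x30, bytes.fromhex("06092a864886f70d01050c") + PARAMS) +
    tlv(0x30, bytes.fromhex("060960864801650304012a") + tlv(0x04, bytes(16)))))))
```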
Announcements
Migration of Property File Configurations into System Configuration
As part of our ongoing effort to reduce reliance on static configuration files, we are gradually migrating properties from the various *.properties files into the EJBCA System Configuration. This allows the properties to be managed by the user interface and the EJBCA ConfigDump tool, eliminating the need to restart the application server. If you've set these properties to something other than the default, they will automatically be migrated at upgrade.
These properties should be left in their respective property files until after the upgrade, after which they can be removed.
Certificate Transparency Cache Configuration
The following Certificate Transparency (CT) properties have been migrated from cesecore.properties into the Certificate Transparency tab in System Configuration:
ct.cache.enabled
ct.cache.maxentries
ct.cache.cleanupinterval
ct.fastfail.enabled
ct.fastfail.backoff
Dropped Configuration Properties
The following properties are no longer used in EJBCA and can be removed from any static configuration.
ejbca.properties
appserver.type
publish.parallel.enabled
peerconnector.rar.disabled
peerconnector.connection.sokeepalive
peerconnector.connection.tcpnodelay
peerconnector.connection.sotimeout
peerconnector.incoming.maxmessagesize
peerconnector.incoming.authcachetime
jaxws.properties
ejbcaws.enabled
jaxws.approvalprofileid
jaxws.gentokens.setmslogononhold
ocsp.properties
ocsp.enabled
ocsp.signaturealgorithm
web.properties
Values that are still used by EJBCA have instead been hardcoded to full allowance.
httpserver.external.privhttps
web.availablelanguages
web.contentencoding
web.errorpage.notification
web.errorpage.stacktrace
raapi.legacyest.enabled
Deprecations
Deprecation of User Data Sources feature
From our analysis, the User Data Sources feature is no longer used by any customers and will thus be removed in the next release of EJBCA.
Upgrade Information
Review the EJBCA Upgrade Notes for important information about the respective releases. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.
Change Log: Resolved Issues
The following lists implemented features and fixed issues in EJBCA 9.2.
Issues Resolved in 9.2
Released January 2025
New Features
ECA-10221 Add REST endpoint /v1/endentity/{endentity_name}/edit
ECA-12372 Implement building and running system tests
ECA-12498 Add timeout for ACME challenge requests
ECA-12747 Create a PKIMetal Validator Prototype
ECA-12785 Update Amazon S3 publisher to no longer require AWS CLI
ECA-12799 Add new MPIC Validator
ECA-12818 MPIC ACME integration
ECA-12822 Implement ConfigDump support for pkimetal Validator
Improvements
ECA-12501 Add P12 cipher option for PBES2, PBKDF2, AES-256-CBC
ECA-12571 MSAE support "Merge DN for all interfaces"
ECA-12598 Support Worker Properties for OAuth Key Update Worker in ConfigDump
ECA-12708 Drop unused properties from ejbca.properties
ECA-12709 Drop unused properties from jaxws.properties
ECA-12710 Drop unused properties from ocsp.properties
ECA-12718 Cleanup: X509Certificate.getSubjectDN and .getIssuerDn have been deprecated
ECA-12733 Compare subjects of end entities and CSR for EST vendor mode independent of the sequence of their DN attributes
ECA-12738 Replace configurable header JSP file path with a header selection/upload and remove unused ones.
ECA-12748 EJBCA EE SSH Principal order non-deterministic
ECA-12764 Add RFC4108 Hardware Module Name to SAN field in the end entity profile
ECA-12775 Change pkimetal profile select from single to multiple
ECA-12778 Perform documentation of pkimetal
ECA-12781 Remove support for keystore.use_legacy_pkcs12
ECA-12784 Extend v1/certificateRequest with additional requestTypes
ECA-12806 Upgrade xstream to 1.4.21
ECA-12809 Cleanup: Remove references to CertTools.genCertForPurpose
ECA-12811 Update Apache Commons Libs
ECA-12814 Cleanup: Infer generics in CaRestResourceSystemTest
ECA-12816 Add public key request type to clientToolBox certificaterequest
ECA-12821 Update EJBCA with x509-common-util 5.0.6
ECA-12842 Cleanup: Remove static methods from CertReqHistoryData
ECA-12847 Added OpenSSF Best Practices badge in README
ECA-12853 Change Unknown Active Directory OIDs warning to debug
ECA-12858 Update documentation for JDK21 support
ECA-12895 Increase number of threads available for REST based crypto tokens
ECA-12923 Update french language
ECA-12926 Optimize latest end entity certificate fetch from database (DESKPRO-1286)
ECA-12933 Cosmetic ordering in dncomponents.properties
ECA-12939 Add new 2024 IANA DNSSEC default trust anchor
ECA-12967 Upgrade Apache CXF to 4.0.6 or later
Bug Fixes
ECA-12750 Certificate Validity Start/End Time is not visible in Approval Requests
ECA-12753 Outgoing peer connections that time out cause unrelated publishers to fail
ECA-12757 Fix SCEP config "Allow Legacy Digest Algorithms in Response" to be updated by configdump
ECA-12760 Forbidden characters is initialized in the wrong order, leading to property being ignored
ECA-12761 RA Admins Unable to Approve Requests After Revocation by Another RA Admin in Partitioned Approval
ECA-12765 Regression in handling DN with trailing whitespace
ECA-12767 SCEP config value Authenticate through MS Intune always return true in configdump
ECA-12770 Certificate fails to generate with DN override when the CSR contains Subject DN fields not present in the EEP
ECA-12771 Optional end entity fields can not be left blank in the CA UI / AdminWeb, if Validation is enabled
ECA-12772 Change misleading error message.
ECA-12773 OAuth configs are not updated in EjbcaWebBean when updated by Worker.
ECA-12774 Admin web search End Entities Apostrophe Encoding Problem
ECA-12787 Regression: Admin Web - Create Crypto Token - GOST algorithm leftovers
ECA-12812 "External Scripts" gets unchecked after saving CT Log config (with or without changes)
ECA-12827 Unable to use clientToolBox stress test command with EC or EdDSA
ECA-12838 Regression: Edit EE in Admin Web doesn't set password
ECA-12840 Missing null guard in AcmeOrderSessionBean.processReadyOrder
ECA-12845 Possible NPE listing certificates (upgrade x509-common-util)
ECA-12848 CLI remove admin from role by email address not implying the right type
ECA-12854 RA Web - Make Request - GOST algorithms appearing in the key algorithm list (randomly)
ECA-12860 ACME /cert response shouldn't have "explanatory text" lines in PEM chain
ECA-12861 Fix 403 Error: Unauthorization error for enrollkeystore via REST API
ECA-12901 Admin Web - Update Certificate Profile - jakarta.el.PropertyNotWritableException
ECA-12905 Regression: Admin Web - ECC Key Validator - GOST algorithm leftovers
ECA-12908 PKIMetal validator is not available when EJBCA is built with Gradle
ECA-12912 pkimetal validator does not fill transitive fields when instantiated
ECA-12913 False negative validations
ECA-12925 Ping is misbehaving
ECA-12930 Prevent enrollment of certificates with invalid emails in the SAN in RA UI
ECA-12935 MPIC Validator - Issuance is allowed in case of misconfiguration
ECA-12953 JSONObject.toString() cannot be used for comparison
ECA-12979 External Command Validator does not work in Pkimetal epic branch
ECA-12989 EC curve based stress test stopped working