EJBCA 9.3.4 Release Notes

OCTOBER 2025

The EJBCA team is pleased to announce the release of EJBCA 9.3.4.

This maintenance release contains corrections and improvements in several areas, including the SCEP and ACME protocols, database drivers, and compliance.

EJBCA 9.3.4 is available for software stack and Container Set-based deployments. For available deployment types and associated versions, refer to Supported Versions.

Highlights

Separate Keys for SCEP Payloads

EJBCA 9.3.4 introduces an optional feature in the SCEP implementation. This enhancement supports use of the SCEP protocol with certificate authorities (CAs) that have CA signing keys stored on Hardware Security Modules (HSMs) operating in FIPS 140-3 mode.

When enabled, the feature allows the use of a separate key pair for encryption and/or decryption of SCEP payloads. This separation is required because FIPS 140-3 prohibits using the same key for encryption and signing operations. The option is enabled by setting the configuration property Use separate keys for SCEP decryption in SCEP RA mode as described in the SCEP Operations Guide.

Announcements

Bouncy Castle Upgrade

Bouncy Castle has been upgraded to version 1.80.2. For information about the latest Bouncy Castle releases, refer to the Bouncy Castle Release Notes.

Security Issue

EJBCA 9.3.4 resolves a security issue affecting self-renewal through the Registration Authority (RA) User Interface. The issue does not affect Certificate Authorities (CAs) that have not issued any client certificates or systems where the RA UI is not accessible. Keyfactor rates the issue as having a severity level of low.

Once EJBCA 9.3.4 has been generally available across all platforms for at least two weeks, a CVE will be published.

Upgrade Information

Review the EJBCA 9.3 Upgrade Notes for upgrade information. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

Change Log: Resolved Issues

The following lists improvements and fixed issues in EJBCA 9.3.4.

Issues Resolved in 9.3.4

Released October 2025

New Features

ECA-13874 Create encryption and signing certificates on SCEP configuration save

ECA-13875 Return encryption certificate in GetCaCert response

ECA-13876 Use encryption and signing certificate when processing SCEP request

ECA-13879 Create SCEP encryption and signing certificate renewal service.

ECA-13952 Administrator should be able to choose the signature algorithm

Improvements

ECA-5985 SCEP servlet should take default values from end entity profile into account

ECA-13434 Import end entity key recovery keys even if p12 contains a CA certificate

ECA-13540 Cover missing edge case of authentication cache checks in ECA-13456

ECA-13572 Add Utimaco R3 default driver locations

ECA-13703 Upgrade PostgreSQL JDBC driver in container

ECA-13750 Upgrade commons-lang3 to 3.18

ECA-13782 CVE: Upgrade Apache CXF to 4.1.3

ECA-13832 Improve concurrency control for CEPService's oidLookup cache to avoid NPE and race conditions.

ECA-13839 Update to BC 1.80.2

ECA-13975 Upgrade nimbus-jose to 9.37.4 due to CVE-2025-53864

ECA-13987 Upgrade P11ng for Ed25519 nShield support

Bug Fixes

ECA-12516 EJBCA WebService cacertresponse asks for CA token password again even if password is provided in command

ECA-13515 Certificate Data Synchronization can fail if clock has moved backwards on CA

ECA-13552 "Forbid encryption usage for ECC keys" is not taken into account when client generates keypair

ECA-13599 Imported SCEP profiles are missing fields

ECA-13651 NPE on RA web for "CA Certificate and CRLs" Navigation menu

ECA-13662 Approvals requests for ACME over peers are not created

ECA-13677 ACME Endpoints duplicate request Lock

ECA-13790 In AWS S3 Publisher, all information meant to be store in cert bucket are stored in CRL bucket

ECA-13794 PKIMetal Validator filters out OCSP-related certificate profiles when cleaning responses related to OCSP responses

ECA-13830 Printable string in CSR is signed wrongly as UTF-8

ECA-13835 MSAE - GetPolicies response require enrollment permissions

ECA-13858 Security: RA web allows certificate renewal without authorization checks

ECA-13860 MSAE alias configuration override

ECA-13866 Incorrect SCEP auth passwords are logged in clear text

ECA-13959 CA SubjectDN with escaped special characters

ECA-13965 EJBCA Helm repo point to the old repo

ECA-13969 Fix ConfigDump test fail caused by Allow OAuth host name feature

ECA-14014 End entity for SCEP RA certificates should CA ID based

ECA-14034 SCEP RA end entity needs to be in GENERATED state
