EJBCA 9.3.5 Release Notes

NOVEMBER 2025

The EJBCA team is pleased to announce the release of EJBCA 9.3.5.

This maintenance release includes improvements and corrections related to SCEP and Microsoft Auto-enrollment functionality.

EJBCA 9.3.5 is available for software stack and Container Set-based deployments. For available deployment types and associated versions, refer to Supported Versions.

Highlights

SCEP with Separate Key Pairs in CA mode

This enhancement supports use of the SCEP protocol with certificate authorities (CAs) that have CA signing keys stored on Hardware Security Modules (HSMs) operating in FIPS 140-3 mode when EJBCA is running SCEP in CA mode. For more information, see SCEP Operations Guide.

Upgrade Information

Review the EJBCA 9.3 Upgrade Notes for upgrade information. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

Change Log: Resolved Issues

The following lists implemented features and fixed issues in EJBCA 9.3.5.

Issues Resolved in 9.3.5

Released November 2025

New Features

ECA-14158 Enable use of separate encryption/decryption keys in CA mode

Improvements

ECA-13419 Update Helm README and Chart.yaml files

Bug Fixes

ECA-12494 Intune enrollment is failing for renewals

ECA-14164 Internal SCEPENCRYPTOR and SCEPSIGNER certificate profiles are exposed in some endpoints

ECA-14191 Editing MSAE alias breaks CEP policy after cache renewal

ECA-14213 SCEP enrollment with separate signing keys over peers (with denied access to unknown CAs) is denied