
EJBCA 9.3 Release Notes

JUNE 2025

The EJBCA team is pleased to announce the release of EJBCA 9.3.

This release introduces quantum-safe certificate issuance with HSM support, adds SLH-DSA per FIPS 205, enhances HSM integration via the P11NG Crypto Token, supports Azure Workload Identity for Azure SQL, extends the REST API, and adds compatibility with Java 21.

These release notes cover new features and improvements implemented in EJBCA 9.3.0, EJBCA 9.3.1, and EJBCA 9.3.2 (EJBCA 9.3.0 and EJBCA 9.3.1 were internal releases, not generally available for customers).

For available deployment options and associated versions, refer to Supported Versions.

Highlights

Quantum-Safe Certificate Issuance with HSM Support

Starting with EJBCA 9.3, the quantum-safe algorithm ML-DSA can be used with HSM integration for select HSMs. The HSMs that support quantum-safe algorithms with EJBCA 9.3 are integrated through REST API-based HSM integration.

NIST Approved Quantum-Safe algorithm SLH-DSA

Support for the NIST approved quantum-safe algorithm SLH-DSA as specified in FIPS 205 has been added. The algorithm can be used with 12 different parameter sets as specified in Interoperability and Certifications.

HSM Integration Improvements with P11NG Crypto Token

For HSM integration based on the PKCS#11 standard, the P11NG Crypto Token enables use of additional functionality and is prepared for PKCS#11-based integration for quantum-safe algorithms.

The P11NG Crypto Token is recommended for all new PKCS#11-based HSM integrations from EJBCA. To provide a convenient migration path to P11NG for existing customers, EJBCA adds a configuration option based on an environment variable which, when set, makes EJBCA convert existing PKCS#11 Crypto Tokens to P11NG Crypto Tokens on startup. For more information, see Soft Migration to P11NG Crypto Token.

Azure Workload Identity integration for Azure SQL

For EJBCA deployments in Azure, EJBCA 9.3 adds support for using Azure Workload Identities with Microsoft Entra ID tokens to authenticate EJBCA as an application when connecting to the Azure SQL service.

REST API Extensions

The /v1/certificate/pkcs10enroll endpoint in the EJBCA REST API has been extended with new optional input data allowing systems integrated using the REST API to create an end entity and issue a certificate using a single REST API call. In previous EJBCA versions, the end entity needed to be created in a separate REST API call. This enhancement in EJBCA 9.3 enables higher performance and a more straightforward migration to REST API for integrations previously using the EJBCA SOAP API.

In EJBCA 9.3, the REST API is also extended with a new endpoint enabling issuance of X.509 and CVC certificates using a public key instead of a PKCS#10 request as input. This endpoint increases the flexibility of the REST API and enables integration with clients that have only a public key available and no complete CSR.

The EJBCA 9.3 REST API also adds functionality for migrating keys from external Certificate Authorities (CAs) into EJBCA, regardless of whether the CA that issued the certificate exists in the EJBCA system. A common use case involves customers migrating user encryption key history from their CA environment to EJBCA while not importing the CA, which may be decommissioned. For more information, see Key Import.

Java 21 Support

EJBCA 9.3 now officially supports Java 21, with a minimum required version of 21.0.5.

Note that Java 21 introduces changes to how certificates are removed from PKCS#11 key stores. As a result, deleting Crypto Token key pairs that were generated in versions of EJBCA prior to 9.3 may leave behind orphaned certificates in the HSM. Although this behavior does not pose a security risk, such orphaned certificates can be manually removed using tools provided by your HSM vendor.

MPIC Support for API v2 Specification (3.5.0)

MPIC has been updated to support the latest API version, which is implemented by MPIC Lambda version 1.0.0. For details, see the EJBCA 9.3 Upgrade Notes.

Enhanced Event Logging

Analyzing log files can be time-consuming for customers, support teams, and developers. To improve event logging and simplify log analysis, EJBCA now generates a unique request ID for each request. This allows for easier correlation of log entries associated with the same request.

With this enhancement, customers can provide a more targeted set of logs when reporting issues, reducing the volume of data that needs to be reviewed. As a result, support and development teams can identify issues more efficiently, leading to faster troubleshooting and resolution. For more information, see Logging.

Announcements

Removal of Server Log Localization

To improve efficiency, reduce complexity, and enhance supportability, server log localization has been removed in EJBCA 9.3. All server logs will now be primarily in English.

With this, the following values can be removed from the cesecore.properties configuration file:

  • intresources.preferredlanguage

  • intresources.secondarylanguage

Note that this change does not affect localization of the CA or RA web user interfaces.

Configuration File Changes

The property ca.doPermitExtractablePrivateKeys has been removed from the cesecore.properties configuration file.

If this property was set to true, EJBCA would not fail if an HSM contained extractable private keys. Since this is considered poor security practice, the check is now hard-coded to always fail if an HSM contains extractable keys.

User Data Sources Removed

As previously announced in the EJBCA 9.2 release notes, the User Data Sources feature has been unsupported and untested for several years. It has now been fully removed in version 9.3. For details on the post-upgrade behavior, see the EJBCA 9.3 Upgrade Notes.

Bouncy Castle Upgrade

Bouncy Castle has been upgraded to version 1.80. For information about the latest Bouncy Castle releases, refer to the Bouncy Castle Release Notes.

Upgrade Information

Review the EJBCA Upgrade Notes for important information about the respective releases. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

Change Log: Resolved Issues

The following lists implemented features and fixed issues in EJBCA 9.3.0, EJBCA 9.3.1, and EJBCA 9.3.2.

Issues Resolved in 9.3.2

Released June 2025

Bug Fixes

ECA-13441 Possible break of 100% uptime due to ClassCastException

Issues Resolved in 9.3.1

Released Internally June 2025

Bug Fixes

ECA-13373 Serial number should become a Sequence number for CVC certificate with Rest enroll request

ECA-13382 Renewal of encryption certificates (key archival) with MSAE

Issues Resolved in 9.3.0

Released Internally June 2025

New Features

ECA-9981 REST: ability to specify subject DN validity override and additional data in pkcs10enroll call

ECA-11574 Change key recovery encryption algorithm to RSA-OAEP instead of RSA PKCS1.5

ECA-12475 New REST endpoint to submit public key instead of PKCS10 to get a certificate issued

ECA-12575 Allow EC CAs to use RSA keyEncrypt keys

ECA-12579 Add support for LMS certificates

ECA-12618 ML-DSA and LMS with Securosys

ECA-12820 LMS with Fortanix

ECA-12866 Key migration - REST Endpoint

ECA-12868 Key migration - Backend implementation

ECA-12995 Enable server side support for ACME dns-account-01 challenge

ECA-13012 Automatically populate blocklist with keys related to certificates revoked as "keyCompromise"

ECA-13071 Ability to create Hybrid CAs with CLI

ECA-13114 SLH-DSA support - Soft CryptoToken

ECA-13134 SunP11 to P11NG - Soft Migration

ECA-13160 Allow OCSP responder to sign from previous CA generations

ECA-13205 Add Workload Identity auth support for Azure SQL databases

ECA-13332 Documentation for Key Compromise Blocklist

Improvements

ECA-12427 Parametrized integration of HSM containers in Helm chart

ECA-12563 SNI support for Azure and Intune authentication

ECA-12777 Make sure log output is available through all endpoints

ECA-12779 Remove linter limitations for pkimetal Validator

ECA-12813 Upgrade to BC 1.80, and KFC for ML-DSA and LMS

ECA-12835 Change all SHA1PRNG SecureRandom calls

ECA-12841 Remove User Data Sources

ECA-12867 Key migration - Error handling

ECA-12878 Add profile EKU, Key Usage, and Validity Period to /v2/certificate/profile/{profile_name}

ECA-12900 Enable Internal CAs to be exported as External CAs for convenient import in Peers

ECA-12934 MSAE Kerberos Token Extra Sid Group Membership

ECA-12937 Improve event tracking in log-file

ECA-12967 Upgrade Apache CXF to 4.0.6 or later

ECA-12974 Upgrade libraries used by EJBCA for 9.3.0

ECA-12983 Hide field "If Validator was not applicable" on Validator pages if not required

ECA-12991 Admin Web - MPIC Validator - API Key field should be disabled in the view mode

ECA-12998 Improve event tracking in log-file for OCSP

ECA-13007 Allow CV cert issuance public key request

ECA-13016 Add support for imported keys and certificates in the existing key recovery process

ECA-13047 Enable Server Name Indication (SNI)-based Ingress in the Helm chart for secure end-to-end communication with EJBCA

ECA-13049 Improve helptext for importcertsms CLI command

ECA-13119 Fix MSAE key archival issue with HSM

ECA-13122 Remove unused imports from adding RandomHelper class usage to EJBCA

ECA-13123 Clean up certificates after web tests and add dynamic OCSP port

ECA-13132 Fix typo in debug message

ECA-13138 Add missing translation labels for incoming peer connections

ECA-13146 EE edit page in adminweb is shown wrong in CSR section

ECA-13147 Improve handling of date in ExpiredCertsOnCRL (OID 2.5.29.60)

ECA-13149 Fix Acme alias MPIC configuration validation + logic

ECA-13150 Update jsch to latest version 0.2.24

ECA-13155 Publisher description with Swedish characters (å, ä and ö)

ECA-13174 Remove intresources.* from cesecore.properties and non-English language files

ECA-13192 Remove ca.doPermitExtractablePrivateKeys

ECA-13193 ML-DSA with Fortanix

ECA-13211 Cleanup: Fix warnings in VaPeerStatusServlet and VaPeerStatusServletSystemTest

ECA-13212 Fix CA & CRLs pages loading time

ECA-13216 Reduce unwanted logs in ClientToolBox

ECA-13224 Upgrade PrimeFaces library to version 15.0.1 or newer

ECA-13237 Build clientToolBox with Gradle

ECA-13266 MPIC 3.3.0 Support - ACME http-01/dns-01

ECA-13282 Enable using all supported database types with Gradle

ECA-13298 Fix pull request template path

ECA-13300 Update French language

ECA-13311 Log recipients of emails in EmailSender

Bug Fixes

ECA-8088 SCP Publisher does not detect certain errors

ECA-9990 OAuth role members not fully working in ConfigDump

ECA-11953 Key recovery using EC with P11NG key not working

ECA-12185 OCSP Issuer Hash Lookup Fails for SubCAs with Microsoft CA Compatibility Mode Enabled

ECA-12380 OAuth Provider can not be imported from JSON ConfigDump

ECA-12658 Some CertificateData fields are not published to the VA

ECA-12732 Regression: Fix end entity profile username for manual enrollment

ECA-12754 CommonCacheBase is not synchronized

ECA-12927 IODEF code is prone to race conditions

ECA-12946 Renovate handling of NSEC3 opt-out

ECA-12947 MSAE alias changes in a cloned alias are carried over to the source alias

ECA-12976 CA with softKeys ML-DSA-xx can't be exported as P12

ECA-12988 End entity password edit fails from adminweb when it uses keystore based enrollment

ECA-13027 Fix number of allowed requests in RA Web

ECA-13032 Error in OCSP due to SERIALNUMBER property

ECA-13034 Docker 'latest' tag is not pointing to the latest main version anymore

ECA-13048 Character encoding issue of text field in Edit Publisher page

ECA-13060 Some configuration alternatives from the EE profile missing when enrolling from Ra Web

ECA-13083 Password bit strength calculation error gives one bit lower than documented

ECA-13108 Regression: ejbca.cmd file has wrong path for ejbca-ejb-cli.jar and logging jar

ECA-13124 Inappropriate Value in RA UI

ECA-13166 UNID-FNR doesn't work with database protection, due to too short data type

ECA-13187 DESKPRO-1490 Incorrect url redirect in RAWeb with OAuth

ECA-13195 Post upgrade broken since 9.0

ECA-13207 End entity information contains keys with "__zzz_" in the name

ECA-13214 Fix Bouncy Castle version in jboss-deployment-structure.xml

ECA-13223 MPIC validator sends wrong type for wildcard certificates

ECA-13226 Rest endpoint checks if CA/CP/EEP is present only locally

ECA-13248 PII Log Redaction Leak detected by Jenkins

ECA-13253 Regression: CMP Name Generation pre and postfix missing for client mode

ECA-13275 Admin Web - Creation of Role Member stopped working (Community Edition)

ECA-13290 SCP Publisher loses exception stack traces and messages

ECA-13322 v1/certificate/enrollKeyStore endpoint checks CA exists locally

ECA-13343 MSAE Key Archival Recovery fails when HSM doesn't Support Triple DES (DES-EDE3-CBC) cipher algorithm

ECA-13358 Utimaco HSM template can not be used with templates

ECA-13360 Helm chart template version of Luna is one version old and the current version contains a bug fix

ECA-13377 Change default "Key encrypt padding algorithm" to RSA-OAEP instead of RSA PKCS1.5
