EJBCA 9.3 Upgrade Notes
Below are important changes and requirements when upgrading from EJBCA 9.2 to EJBCA 9.3.
For upgrade instructions and information on upgrade paths, see Upgrading EJBCA. For details of the new features and improvements in this release, see the EJBCA 9.3 Release Notes.
Behavioral Changes
Evaluation of Microsoft Auto-enrollment Kerberos Token Extra SID Group Membership
In EJBCA 9.3, we have added code to the Kerberos ticket validation class that allows our Microsoft Auto-enrollment solution to read and evaluate additional Security Identifier (SID) group memberships from the Privilege Attribute Certificate (PAC) data within the Kerberos ticket.
As a result, if a Microsoft user or entity has additional group membership SIDs present in the Kerberos ticket's PAC data (the ExtraSids of the PAC logon information, which carry full SIDs such as groups from other domains in the forest), those SIDs are now evaluated as well. Enrollment actions are then performed based on the permissions associated with those groups, in addition to the standard domain group SIDs the user already possesses.
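The following is an added example for these notes, not EJBCA code, showing how the group SIDs in a PAC are turned into an effective set of memberships and matched against an enrollment policy. Field names follow MS-PAC KERB_VALIDATION_INFO (LogonDomainId, GroupIds, ExtraSids) and the binary SID layout follows MS-DTYP; the domain SIDs, RIDs, template names and policy are constructed for illustration. The input is assumed to be a PAC whose server checksum has already been verified with the service key, since an unverified PAC is attacker-controlled.

```python
"""Added example (not EJBCA code): derive the effective group SIDs from a
signature-verified Kerberos PAC and evaluate enrollment permissions against them.
Field names follow MS-PAC KERB_VALIDATION_INFO; all sample values are constructed."""
from __future__ import annotations
import struct
from dataclasses import dataclass, field

# Group attribute flag from MS-PAC / winnt.h: the membership is currently enabled.
SE_GROUP_ENABLED = 0x00000004


def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary SID (MS-DTYP 2.4.2.2) to its "S-1-..." string form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, sub_count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if sub_count > 15 or len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match SubAuthorityCount")
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack_from(f"<{sub_count}I", raw, 8)   # little-endian DWORDs
    return "-".join(["S", "1", str(authority), *map(str, subs)])


def sid_to_bytes(sid: str) -> bytes:
    """Encode an "S-1-..." string back to binary (used for the round-trip check)."""
    parts = sid.split("-")
    if parts[:2] != ["S", "1"]:
        raise ValueError("only revision 1 SIDs are supported")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


@dataclass
class ValidationInfo:
    """Subset of KERB_VALIDATION_INFO needed for group evaluation. Build this only
    from a PAC whose server checksum verified under the service key."""
    logon_domain_sid: str
    user_id: int
    primary_group_id: int
    group_ids: list[tuple[int, int]]                                  # (RelativeId, Attributes)
    extra_sids: list[tuple[str, int]] = field(default_factory=list)  # (Sid, Attributes)


def effective_group_sids(info: ValidationInfo) -> set[str]:
    """GroupIds are RIDs relative to LogonDomainId; ExtraSids are already full SIDs
    (groups from other domains, well-known SIDs). Memberships without
    SE_GROUP_ENABLED are ignored, as Windows does when it builds a token."""
    sids = {f"{info.logon_domain_sid}-{info.primary_group_id}"}
    sids.update(f"{info.logon_domain_sid}-{rid}" for rid, attrs in info.group_ids if attrs & SE_GROUP_ENABLED)
    sids.update(sid for sid, attrs in info.extra_sids if attrs & SE_GROUP_ENABLED)
    return sids


def permitted_templates(info: ValidationInfo, policy: dict[str, set[str]]) -> set[str]:
    """Hypothetical enrollment policy: template name -> group SIDs allowed to enroll."""
    groups = effective_group_sids(info)
    return {template for template, allowed in policy.items() if groups & allowed}


# Constructed sample data (not from a real domain).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
OTHER_FOREST_SID = "S-1-5-21-4444444444-5555555555-6666666666"
ENABLED = 0x7  # SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED
SAMPLE_PAC = ValidationInfo(
    logon_domain_sid=DOMAIN_SID, user_id=1105, primary_group_id=513,
    group_ids=[(513, ENABLED), (1201, ENABLED), (512, 0x0)],  # RID 512 present but not enabled
    extra_sids=[(f"{OTHER_FOREST_SID}-1301", ENABLED), ("S-1-18-1", ENABLED)],
)
SAMPLE_POLICY = {
    "Workstation": {f"{DOMAIN_SID}-1201"},
    "CodeSigning": {f"{OTHER_FOREST_SID}-1301"},       # granted only through ExtraSids
    "DomainControllerAuth": {f"{DOMAIN_SID}-512"},     # membership disabled in the PAC
}
# Binary form of the sample user SID S-1-5-21-...-1105, laid out as MS-DTYP describes.
SAMPLE_USER_SID_BYTES = bytes.fromhex("0105000000000005" "15000000" "c7353a42" "8e6b7484" "55a1aec6" "51040000")

if __name__ == "__main__":
    print(sid_from_bytes(SAMPLE_USER_SID_BYTES))
    print(sorted(permitted_templates(SAMPLE_PAC, SAMPLE_POLICY)))
```

The point of the attribute check is that presence of a SID in the PAC is not the same as an active membership; only SIDs flagged SE_GROUP_ENABLED contribute permissions, and the CodeSigning template in the sample is reachable only through the ExtraSids list.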
For more information on Kerberos Token Extra SID Group Membership Support, see Microsoft Auto-enrollment Operations.
MPIC Support for API v2 Specification (3.3.0)
The MPIC integration has been updated to support MPIC API v2 specification 3.3.0, which is implemented by MPIC Lambda version 1.0.0, for the following checks:
CAA TLS Validator
CAA SMIME Validator
ACME http-01 challenge
ACME dns-01 challenge
If using an older version of MPIC Lambda, update MPIC Lambda to the latest release (1.0.0) to ensure full support for ACME challenges.
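To make concrete what the ACME http-01 and dns-01 validators listed above check at each network perspective, here is an added example written for these notes. It is not Keyfactor MPIC or EJBCA code: it implements the key authorization, thumbprint and challenge-response rules of RFC 8555 sections 8.1, 8.3 and 8.4 and RFC 7638, plus an illustrative corroboration step whose quorum is a parameter chosen here, not the CA/Browser Forum or MPIC quorum rule. The account JWK and token are constructed; the JWK coordinates are not a real P-256 point.

```python
"""Added example (not Keyfactor MPIC or EJBCA code): what an ACME http-01 or dns-01
validator checks at one perspective (RFC 8555 8.3 and 8.4), and a simple
corroboration step over several perspectives. Sample inputs are constructed."""
from __future__ import annotations
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexicographically
    ordered, serialized without whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 8.1: token || '.' || base64url(JWK_Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_url(domain: str, token: str) -> str:
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def validate_http01(token: str, account_jwk: dict, fetched_body: bytes) -> bool:
    """RFC 8555 8.3: the response body must be the key authorization; trailing
    whitespace is ignored. Constant-time compare so timing does not leak the value."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return hmac.compare_digest(fetched_body.rstrip(), expected)


def dns01_record_name(domain: str) -> str:
    return f"_acme-challenge.{domain}"


def dns01_expected_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 8.4: base64url(SHA-256(key authorization)) published in a TXT record."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def validate_dns01(token: str, account_jwk: dict, txt_records: list[str]) -> bool:
    """Passes if at least one TXT record at _acme-challenge.<domain> carries the digest."""
    expected = dns01_expected_value(token, account_jwk).encode("ascii")
    return any(hmac.compare_digest(record.encode("utf-8"), expected) for record in txt_records)


def corroborate(results: dict[str, bool], min_remote_passes: int) -> bool:
    """Illustrative quorum (an assumption of this example, not the CA/B Forum or MPIC
    rule): the primary perspective must pass and at least min_remote_passes remote
    perspectives must agree, so one poisoned vantage point cannot carry the result."""
    if not results.get("primary", False):
        return False
    remote_passes = sum(1 for name, ok in results.items() if name != "primary" and ok)
    return remote_passes >= min_remote_passes


# Constructed sample inputs: a fake EC JWK (coordinates are not a real curve point)
# and a token in the base64url form ACME servers issue.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(bytes(range(32))),
              "y": b64url(bytes(range(32, 64))), "use": "sig"}  # "use" is excluded from the thumbprint
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    print(http01_url("example.com", SAMPLE_TOKEN), key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print(dns01_record_name("example.com"), dns01_expected_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

Each perspective would fetch the http-01 URL or the _acme-challenge TXT records from its own network location, run these checks, and report a pass/fail that is then corroborated across perspectives; that is what makes a validator version mismatch between EJBCA and MPIC Lambda worth fixing before relying on ACME issuance.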
Removal of User Data Sources
The User Data Source feature has been removed in version 9.3. Any access rules associated with this feature are automatically removed from all roles in the database during the post-upgrade process.
After the upgrade has been performed on all nodes, the related table can be safely dropped (though not doing so has no adverse effects).
Stricter Checks of End Entity Status and Profiles during Self-Renewal
EJBCA provides a Renew Certificate page in the RA UI, which allows a user authenticated with a client certificate to renew their own certificate.
In versions prior to EJBCA 9.3.4, this function always allowed renewal, regardless of the status of the end entity and profile settings such as the number of days specified for Allow renewal before expiration in the End Entity Profile.
As of EJBCA 9.3.4, proper status and profile validation is enforced. Additional checks have also been introduced for security hardening and to prevent configuration errors:
The Certificate Profile must be of type End Entity.
The Key Usage in the Certificate Profile must be valid for client certificate authentication: it must include Digital Signature, may include Non-Repudiation and/or Key Encipherment, and may not include other key usages.
The Extended Key Usage in the Certificate Profile must include Client Authentication.
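The checks above, collected into one ordered decision function, as an added example written for these notes rather than EJBCA's implementation. The profile-type, Key Usage and Extended Key Usage rules are those stated in this section; which end entity statuses count as renewable, the handling of an already expired certificate, and the exact semantics of the renewal window (renewal permitted once the current certificate is within the configured number of days of its notAfter) are assumptions made here for illustration. The request values are constructed.

```python
"""Added example (not EJBCA code): the self-renewal eligibility checks described in
these notes as one ordered decision. Renewable statuses and renewal-window semantics
are assumptions of this example."""
from __future__ import annotations
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class ProfileType(Enum):
    END_ENTITY = "endentity"
    SUB_CA = "subca"
    ROOT_CA = "rootca"


# RFC 5280 KeyUsage bit names: digitalSignature is mandatory, nonRepudiation and
# keyEncipherment are optional, anything else disqualifies the profile.
KU_REQUIRED = frozenset({"digitalSignature"})
KU_ALLOWED = frozenset({"digitalSignature", "nonRepudiation", "keyEncipherment"})
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth

# Assumption for this example: only an end entity whose last issuance succeeded may self-renew.
RENEWABLE_STATUSES = frozenset({"GENERATED"})


@dataclass(frozen=True)
class RenewalRequest:
    end_entity_status: str                      # EJBCA status name, e.g. "GENERATED", "REVOKED"
    cert_not_after: datetime                    # notAfter of the certificate used to authenticate
    renew_days_before_expiration: Optional[int] # End Entity Profile setting; None = not allowed
    cert_profile_type: ProfileType
    cert_profile_key_usage: frozenset[str]
    cert_profile_eku: frozenset[str]            # OIDs


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_self_renewal(req: RenewalRequest, now: datetime) -> Decision:
    """Return the first failing check, or an allow decision. End entity state is
    checked before profile configuration."""
    if req.end_entity_status not in RENEWABLE_STATUSES:
        return Decision(False, f"end entity status {req.end_entity_status} does not permit renewal")
    if req.renew_days_before_expiration is None:
        return Decision(False, "End Entity Profile does not allow renewal before expiration")
    if now >= req.cert_not_after:  # assumption: an expired certificate cannot be renewed this way
        return Decision(False, "authenticating certificate has already expired")
    window_opens = req.cert_not_after - timedelta(days=req.renew_days_before_expiration)
    if now < window_opens:
        return Decision(False, f"renewal window opens at {window_opens.isoformat()}")
    if req.cert_profile_type is not ProfileType.END_ENTITY:
        return Decision(False, "Certificate Profile is not of type End Entity")
    ku = req.cert_profile_key_usage
    if not KU_REQUIRED <= ku:
        return Decision(False, "Key Usage must include Digital Signature")
    extra = ku - KU_ALLOWED
    if extra:
        return Decision(False, f"Key Usage contains disallowed bits: {sorted(extra)}")
    if EKU_CLIENT_AUTH not in req.cert_profile_eku:
        return Decision(False, "Extended Key Usage must include Client Authentication")
    return Decision(True, "all self-renewal checks passed")


# Constructed sample: a healthy request, and a helper to derive failing variants of it.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
GOOD = RenewalRequest(
    end_entity_status="GENERATED",
    cert_not_after=NOW + timedelta(days=10),
    renew_days_before_expiration=14,
    cert_profile_type=ProfileType.END_ENTITY,
    cert_profile_key_usage=frozenset({"digitalSignature", "keyEncipherment"}),
    cert_profile_eku=frozenset({EKU_CLIENT_AUTH, "1.3.6.1.5.5.7.3.4"}),  # clientAuth + emailProtection
)


def variant(**changes) -> RenewalRequest:
    return replace(GOOD, **changes)


if __name__ == "__main__":
    print(check_self_renewal(GOOD, NOW))
    print(check_self_renewal(variant(cert_profile_key_usage=frozenset({"digitalSignature", "keyAgreement"})), NOW))
```

Running the failing variants shows why the Key Usage rule is phrased as an allow-list: a profile carrying keyAgreement alongside digitalSignature is rejected even though it still includes the mandatory bit, and a profile lacking clientAuth is rejected even when every Key Usage check passes.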