EJBCA 9.5 Release Notes
FEBRUARY 2026
The EJBCA team is pleased to announce the release of EJBCA 9.5.
This version introduces support for issuing certificates with composite keys, based on version 13 of the IETF composite signatures draft. It also adds support for Auth0 as a Trusted OAuth (OpenID Connect) provider and additional HSM support in the EJBCA Container Set.
In addition to these features, EJBCA 9.5 contains improvements and corrections in several areas, including CVC certificates, ACME, ConfigDump, the REST API, and the CLI tool.
For available deployment types and associated versions, refer to Supported Versions.
Highlights
Composite Certificate Support
EJBCA 9.5 introduces support for issuing certificates based on composite keys. A composite key is constructed from the combination of a classical cryptographic key (RSA, ECDSA, or EdDSA) and a quantum-safe key (ML-DSA-44, ML-DSA-65, or ML-DSA-87).
This implementation is based on version 13 of the IETF Composite ML-DSA draft specification, as defined in Composite ML-DSA for use in X.509 Public Key Infrastructure. The current latest draft, version 15, contains no changes affecting interoperability, and the EJBCA implementation is expected to be compliant with the final RFC once published.
Key Recovery is not supported for composite keys in EJBCA 9.5.
For more information on issuing composite certificates with EJBCA, see Issue Composite Certificates.
Auth0 as Trusted OAuth Provider (OIDC)
EJBCA 9.5 adds built-in support for Auth0 as a Trusted OAuth (OpenID Connect) provider, enabling centralized authentication and single sign-on (SSO). For more information, see Setting up OAuth Using Auth0.
Additional HSM Support in the EJBCA Container Set
In EJBCA 9.5, the EJBCA Container Set provides integration with additional HSM types. For more information, see HSM Integration.
Announcements
Quantum-safe Terminology Update
Hybrid certificates provide a transition mechanism for adopting quantum-safe cryptography by combining classical and quantum-safe algorithms. Certificates previously referred to as Hybrid certificates in EJBCA are now named Chimera certificates to distinguish them from other hybrid certificate types, such as Composite certificates. The updated terminology is reflected throughout the EJBCA user interface and documentation. Existing configurations and functionality are unchanged.
For concise explanations of key quantum-safe concepts and standards, refer to our PQC Glossary.
Support for WildFly 39
EJBCA 9.5 introduces support for WildFly 39. For more information on software requirements, see Installation Prerequisites.
Bouncy Castle 1.83 Upgrade
Bouncy Castle has been upgraded to version 1.83. For information about the latest Bouncy Castle releases, refer to the Bouncy Castle Release Notes.
Configuration File Changes
The following properties have been moved from the static configuration in the conf directory to the database, where they can now be modified via the EJBCA user interface or the ConfigDump tool.
All migrated properties are automatically copied from the configuration files during upgrade and can be removed from their respective configuration files afterward.
From cesecore.properties
forbidden.characters, which sets the list of characters restricted from being inserted into the database, has been moved into the System Configuration page, under the Database Configuration header.
database.crlgenfetchsize and database.crlgenfetchordered have been moved into the System Configuration page, under the Database Configuration header.
From ocsp.properties
The following properties have been migrated into the database, and can now be configured under the Configuration tab under OCSP Responders in the EJBCA user interface or via the ConfigDump tool:
ocsp.warningTimeBeforeExpiration
Ingress NGINX Deprecation by Kubernetes
Ingress NGINX, previously used as the default ingress controller in the EJBCA Helm chart, has been deprecated by Kubernetes and will be retired in March 2026. For details, see Kubernetes Announcement.
EJBCA Container Set users are advised to use alternative options for external access management and TLS termination. For details, see Prerequisites.
Upgrade Information
For general information about upgrading EJBCA, see Upgrading EJBCA.
Change Log: Resolved Issues
The following lists implemented features and fixed issues in EJBCA 9.5.
Issues Resolved in 9.5.0
Released February 2026
New Features
ECA-13197 Add a button for configuring (most) fields for Auth0
ECA-13344 Update CVC Terminal Authentication bits to v.2.2 of BSI TR-03110
ECA-13665 Support Bull Proteccio in the EJBCA container set
ECA-13666 Support Thales TCT Luna in the EJBCA container set
ECA-13877 Add SCEP encryption and signing certificate fields to configdump
ECA-14158 Should be able to use separate encryption/decryption keys when in CA mode too.
Improvements
ECA-12954 Allow Wildfly session encryption key to be derived by PBKDF from an environment variable in HA mode
ECA-13198 Add kf.roles as a valid OIDC claim
ECA-13229 Use first name and family name as display name if available
ECA-13235 Configdump import of Auth0 Provider
ECA-13250 Make it possible to use pipe character in "Match value"
ECA-13251 Add email as a valid OIDC claim
ECA-13305 Create unit tests for LDAPAttributeHelper
ECA-13448 Duplicate token type declarations
ECA-13477 Unable to change email or UPN in AD and perform MSAE certificate renewal
ECA-13825 Migrate forbidden.characters from cesecore.properties into system configuration
ECA-13954 Introduce cache for certificate templates
ECA-13977 Cleanup: remove org.ejbca.ui.web.admin.certprof.CertProfilesBean.LEGACY_FIXED_MARKER
ECA-14027 Add option to not enforce name constraints check by CA to be able to comply with GSMA SGP 22 v2
ECA-14028 Encode server generated PKCS12 files with definite length encoding
ECA-14029 Add non-production mode support to containers
ECA-14090 Cancel pipelines if additional commits are pushed to release branches
ECA-14091 P11NG-CLI: Remove debug printout when generating ML-DSA-keys
ECA-14113 Upgrade Nimbus JOSE+JWT to nimbus-jose-jwt-10.5.jar
ECA-14120 Normalize System Configuration tabs: Protocol Configuration, Extended Key Usages, Custom Certificate Extensions
ECA-14125 Missing base64 validation for binary string in globalconfig configdump import
ECA-14151 Update BC to 1.83
ECA-14206 Cleanup: replace references to AuthorityKeyIdentifier.getKeyIdentifier
ECA-14209 Cleanup: Clear out warnings in CrudCTLog
ECA-14216 Cleanup: clean warnings in PublisherDataUtil
ECA-14219 Investigate and fix value discrepancy in CrudCTLog
ECA-14220 Convert ScepRaCertificateIssuer into a session bean
ECA-14223 Cleanup: Remove the finalize() reference from GeneralPurposeCustomPublisher
ECA-14279 Cleanup: Add deprecation suppression for Role in RaMasterAPI classes
ECA-14282 Upgrade RestEasy to 7.0.0
ECA-14288 Code Coverage: Additional system tests for getCACert SCEP operation
ECA-14303 ant clean doesn't clean all modules
ECA-14320 Clarify SCEP documentation in relationship to Android/jscep
ECA-14334 Upgrade Apache Kerby to version 2.1.1
ECA-14340 Add option to importcertdir CLI command to specify an earlier CA certificate
ECA-14346 Prevent combined hybrid/composite CAs/certificates
ECA-14348 Cleanup: remove non-static reference warnings from StressTestCommandBase
ECA-14354 Cleanup: replace remaining references to X509Certificate.getSubjectDN and getIssuerDN
ECA-14372 Enable composite key handling in BaseCryptoToken and crypto token implementation classes
ECA-14377 Normalize OCSP Responders page
ECA-14378 Cleanup: Update deprecated references to Schema.required
ECA-14382 Normalize OCSP Responder page (Add/Edit/View)
ECA-14384 Normalize Remote Authenticator pages
ECA-14389 Cleanup: remove reference to jakarta.faces.component.html.HtmlInputFile.setSize(int)
ECA-14390 Cleanup: Upgrade references to new BasicThreadFactory.Builder()
ECA-14391 Cleanup: Upgrade references to java.security.Provider.Provider(String, double, String)
ECA-14393 Cleanup: remove references to unused fields
ECA-14403 Update styles for existing add/edit/view forms
ECA-14413 Migrate ocsp.warningBeforeExpirationTime into GlobalOcspConfiguration
ECA-14417 Apply style updates to the remaining parts of Admin Web
ECA-14425 Scale down the forms and simplify CSS
ECA-14427 Cleanup: Resolve warnings in ConfigdumpRoleData
ECA-14431 Deploy RA and VA containers for main branch
ECA-14433 Upgrade commons-lang3 to 3.20
ECA-14434 Upgrade commons-configuration to 2.13
ECA-14451 From Adminweb allow keyEncryptKey of a X509CA to be set to None on creation and editable post creation
ECA-14455 Upgrade the EJBCA container to use WildFly 39
ECA-14456 Upgrade Undertow to 2.3.22 or later
ECA-14474 Community contribution: L10n: Admin GUI French update (based on 9.3.7) Fully translated
ECA-14475 Consolidate all PQC-related nomenclature
ECA-14497 Update readme.md
ECA-14499 Add prefix and suffix option for automatic username generation for end entity profile
ECA-14500 Improve Approval Profiles
ECA-14505 Upgrade HSM sidecar versions for the 9.5.0 release
ECA-14510 Security: Upgrade log4j to 2.25.3 (CVE-2025-68161)
ECA-14515 Performance tuning in Wildfly using environment variables for thread pool size and time outs
ECA-14527 Label font size alignment in smaller forms
ECA-14544 RA GUI French update from 9.3.7
Bug Fixes
ECA-9209 Authority Key ID missing from Link Certificate if not asserted in Root CA cert profile
ECA-10966 Refreshing page can delete another Crypto Token
ECA-11641 Space in Validator name field
ECA-11643 'Save' button on Validators page needs to be pressed twice to work
ECA-11704 ROOTCA shows for new End Entity Profiles and goes away when you edit anything
ECA-12154 Can not use Download PEM keystore in RA Web if end entity is in status key recovery
ECA-12235 Crypto Tokens Disappear from the list when you get session timed out
ECA-12377 Admin Web - Services - NPE for Remote Internal Key Binding Updater
ECA-12444 RA Web - Roles - Overlapping error messages when role name is empty
ECA-13315 v1/certificate/certificaterequest mismatched request and requesttype throws NPE in Peer Environment
ECA-13490 Enrollment fails when optional/modifiable OU field is empty and comes before required/unmodifiable fields in EEP configuration
ECA-13622 [HA] Session times out very often using at least two nodes
ECA-13726 Improper REST API error handling
ECA-13783 Requester's Role's CA access must match or exceed profile's CA access or profile cannot be used
ECA-13885 RA Web - Menu - Tools option badly displayed when no active CA
ECA-13892 Editing an EE over RA web leads to unwanted disabling of Batch generation (clear text pwd storage) checkbox
ECA-13990 Multiple CertIds in OCSP requests are not logged properly in AuditLog
ECA-14052 Fix parsing for Certificate Template with spaces on ejbca.sh importcertsms
ECA-14080 Change error message for rest api endpoint
ECA-14116 Database Maintenance Worker can delete key binding certificates, leading to NPEs
ECA-14127 A validation bypass caused by leading whitespace
ECA-14137 Adding a Comma to the End Entity Username results in not being able to delete or revoke the end entity via the Admin Web
ECA-14138 Don't create obsolete tables in new installations
ECA-14156 Configdump imports random or incorrect values for CVC access rights (Authentication Terminal).
ECA-14179 Obsolete UserDataSourceData table is still being generated on new installations
ECA-14196 Approval Profile: Doesn't correctly display notifications fields
ECA-14213 SCEP enrollment with separate signing keys over peers (with denied access to unknown CAs) is denied
ECA-14214 ConfigDump import attempts to treat global-ct-configuration.yaml like a log
ECA-14218 Doc link html page points to non-existing web page
ECA-14226 IncompleteIssuanceJournalData is not cleaned up when CT log is used and certificate is issued successfully
ECA-14266 Admin Web - Remote Authenticator - Validation error while selecting key pair from HSM
ECA-14267 CA mode with separate keys fails when "Allow Client Certificate Renewal" enabled
ECA-14289 Configdump import of EKU overwrites existing values
ECA-14290 Default Certificate Profiles Actions should be greyed out (disabled)
ECA-14301 Regression: clientToolBox EjbcaWsRaCli fails with java.lang.ClassNotFoundException: org.apache.commons.lang.StringUtils
ECA-14304 Remove usage of Unmodifiable Maps in additional details during Audit logging
ECA-14305 Configdump CA Import Fails: "CMP RA Authentication Secret" incorrectly required to be mandatory
ECA-14321 EJBCA may be unable to start when HSM returns an error on initialization
ECA-14345 End entity DNSSAN validation (regex) bypassed
ECA-14359 Admin UI end entity max login attempts not populated on first render
ECA-14360 Reduce some certificate peer publish logs to debug to avoid confusion
ECA-14363 Validity offset does not work as expected
ECA-14371 SCEP certificate renewal fails on Mysql/Mariadb 5.x
ECA-14387 Keystore generation under some circumstances throw NullPointerException due to transaction issues
ECA-14388 Admin Web - Remote Authentication - Next key pair always set to the current key pair
ECA-14402 Enable Domain Allow List Validator to validate email Rfc822Names
ECA-14420 EST client Reenrollment fails with SAN mismatch error, GUID related
ECA-14424 False-negative CAA related system tests
ECA-14440 Superadmin p12 cannot be enrolled in EJBCA container
ECA-14443 User notification fails during Key recovery approval process
ECA-14458 Regression: Key recovery doesn't work with the CLI
ECA-14463 Approval Profile: Doesn't correctly display partitional approval
ECA-14469 NPE when creating Azure Key Vault through the CLI
ECA-14470 Regression - Community Edition container does not start
ECA-14473 Regression: Revert removal of lazy-upgrade code to CertificateProfile.getStoreSubjectAlternativeName
ECA-14494 Configdump OCSPCONFIG with 'defaults=true' throws NPE
ECA-14526 Maximum number of failed login from End Entity Profile is not applied when creating end entity via REST API
ECA-14538 Regression: LDAP publisher removes cert based on base name instead of name
ECA-14541 Nginx sidecar file upload limit
ECA-14542 Fix ConfigdumpScepConfigurationUnitTest compilation issues
ECA-14563 System test EjbcaWSSystemTest.test03_4GeneratePkcs10Request verifies against wrong error message
ECA-14581 Fix ConfigDump --initialize option for Composite keys
ECA-14573 Composite NPE on `isKeyInitialized`