EJBCA 9.6.2 Release Notes | Keyfactor Docs

June 2026

The EJBCA team is pleased to announce the release of EJBCA 9.6.2.

This maintenance release includes improvements and corrections related to Multi-Perspective Issuance Corroboration (MPIC), ACME, Amazon Web Services (AWS), and Microsoft Auto-enrollment (MSAE).

For available deployment types and associated versions, refer to Supported Versions.

Highlights

MPIC implementation improvements

This release includes several improvements to the implementation of Multi-Perspective Issuance Corroboration (MPIC). The release updates support for MPIC API 3.3.0 and adds corroboration for the Certification Authority Authorization (CAA) accounturi parameter and the ACME tls-alpn-01 challenge through MPIC. For more information, see MPIC Validator and ACME.

Configurable hostnames for AWS KMS Crypto Tokens

Support has been added for configuring the hostname of AWS KMS crypto tokens, enabling deployments in various regions.

Configurable hostnames for AWS S3 Publishers

Support has been added for configuring the hostname of AWS S3 Publishers, enabling deployments in various regions.

Improved CRL import performance

Performance has been significantly improved when importing large Certificate Revocation Lists (CRLs) through the EJBCA Administration user interface.

Updated Commons BeanUtils

EJBCA 9.6.2 includes an updated version of Apache Commons BeanUtils (commons-beanutils 1.11.0). Previous EJBCA versions used a Commons BeanUtils release affected by CVE-2025-48734. This vulnerability is not exploitable in earlier EJBCA versions, as EJBCA does not use the PropertyUtilsBean or BeanUtilsBean classes.

Upgrade Information

Review the EJBCA Upgrade Notes for important upgrade information. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

Change Log: Resolved Issues

The following lists implemented features and fixed issues in EJBCA 9.6.2.

Issues Resolved in 9.6.2

Released June 2026

New Features

ECA-14923 ACME CAA “accounturi” check via MPIC

ECA-14937 Allow AWS KMS CryptoTokens to have configurable hostnames

ECA-15113 Allow S3 Publishers to have configurable hostnames

ECA-13267 ACME tls-alpn support for MPIC

Improvements

ECA-14848 Improve Adminweb CRL import performance

ECA-14864 Consolidate HSM support to Enterprise Edition - SunPKCS#11

ECA-14896 Fix Crypto token page warning

ECA-14961 Make MSAE key archival work with newer Microsoft cryptographic providers

ECA-14963 Log MPIC request and response JSON

ECA-14987 Consolidate HSM support to Enterprise Edition - Azure Key Vault

ECA-14988 Consolidate HSM support to Enterprise Edition

ECA-15031 Remove sensitive information from server.log and UI after storing an MS Intune Certificate Revocation service

ECA-15052 Update MPIC Lambda to 1.8.0

ECA-15092 Update commons-beanutils to version 1.11.0 or later (CVE-2025-48734)

Bug Fixes

ECA-14207 Admin Web - Cannot create CA based on PQ algorithms during installation process

ECA-14273 ConfigDump imported services have to be manually activated

ECA-14442 Adding the 244th EAB to an ACME Alias crashes with HTTP Error 500

ECA-14858 ApprovalData does not perform deserialization checks

ECA-14912 Fix MPIC ACME corroboration configuration and help

ECA-15063 Admin Web - Some parts of the application accessible without client certificate