
EJBCA 9.6 Release Notes

MAY 2026

The EJBCA team is pleased to announce the release of EJBCA 9.6.

This version adds support for ACME Device Attestation (device-attest-01) for Enterprise Device Management use cases involving devices with hardware-protected keys. It also adds REST API support for Request Approval workflows, introduces additional CAA record extensions, increases the database SAN column size, and includes several other enhancements and corrections.

These release notes cover new features and improvements implemented in EJBCA 9.6.0 and EJBCA 9.6.1. The update in EJBCA 9.6.1 is not applicable to the EJBCA Software Appliance or the EJBCA Hardware Appliance; these deployment types are based on EJBCA 9.6.0.

For available deployment types and associated versions, refer to Supported Versions.

Highlights

ACME Device Attestation

EJBCA 9.6 introduces support for version 08 of the draft Automated Certificate Management Environment (ACME) Device Attestation Extension specification, including support for the Apple attestation format. This enables the use of Apple Managed Device Attestation certificates to securely identify devices in ACME workflows.

The feature validates attestation data in the certificate signing request (CSR), ensuring that device identity can be verified during certificate issuance. Usage requires integration with a separate Mobile Device Management (MDM) server. For more information, see ACME Device Attestation and Configure EJBCA ACME Device Attestation with Jamf for Apple devices.

CAA Record Extensions for ACME

EJBCA 9.6 adds support for RFC 8657: Certification Authority Authorization (CAA) Record Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding, enabling more secure and controlled domain validation in ACME environments.
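As an added illustration (not EJBCA code), the sketch below shows how the RFC 8657 `accounturi` and `validationmethods` parameters narrow a CAA `issue` property: the record authorizes issuance only for the named ACME account and the listed validation methods. The domain names, account URIs and function names are constructed for this example; exact-string URI comparison and rejecting a repeated `validationmethods` parameter are conservative assumptions of the sketch.

```python
def parse_issue_value(value):
    """Split a CAA issue value into (issuer_domain, [(tag, value), ...])."""
    domain, _, rest = value.partition(";")
    params = []
    for part in rest.split(";"):
        if part.strip():
            tag, _, val = part.partition("=")  # split on the first '=' only
            params.append((tag.strip().lower(), val.strip()))
    return domain.strip().lower(), params


def property_authorizes(value, ca_domain, account_uri, method):
    """True if one issue property authorizes this CA, account and method."""
    domain, params = parse_issue_value(value)
    if domain != ca_domain.lower():
        return False
    uris = [v for t, v in params if t == "accounturi"]
    methods = [v for t, v in params if t == "validationmethods"]
    # A property with several accounturi parameters is unsatisfiable; this
    # sketch fails closed on a repeated validationmethods parameter as well.
    if len(uris) > 1 or len(methods) > 1:
        return False
    if uris and uris[0] != account_uri:
        return False
    if methods:
        allowed = [m.strip() for m in methods[0].split(",")]
        if method not in allowed:
            return False
    return True


def issuance_authorized(issue_values, ca_domain, account_uri, method):
    """issue_values: the issue property values of the relevant CAA RRset."""
    if not issue_values:
        return True  # no issue property present: issuance is not restricted
    return any(property_authorizes(v, ca_domain, account_uri, method)
               for v in issue_values)


# Constructed sample record value, as it would appear in:
#   example.org. IN CAA 0 issue "<SAMPLE>"
SAMPLE = ("ca.example; accounturi=https://acme.ca.example/acct/1234; "
          "validationmethods=dns-01")
```

A record without either parameter still matches any account and any method at the named CA, so the binding only exists once the domain owner publishes the parameters.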

Updated CVC Certificate Support

Support has been updated to align with version 2.2 of BSI TR-03110: Technical Guideline Advanced Security Mechanisms for Machine Readable Travel Documents and eIDAS Token, improving compatibility with modern eID and travel document systems. This includes new access rights: BIT_READ_DG22 (bit 29) and BIT_WRITE_DG22 (bit 32).

REST API Improvements

Approvals through REST API

Approval workflows are now available through the REST API, making it easier to automate and integrate approval processes into existing systems. Note that CA activation approval is not supported via the REST API. For more information, see EJBCA REST Interface.

Extract CA CSR via REST API

EJBCA 9.6 adds support for exporting a CA Certificate Signing Request (CSR) via the REST API, enabling it to be signed by an external CA. This functionality was previously only available through the EJBCA user interface. For more information, see EJBCA REST Interface.

External Mu Support for ML-DSA

EJBCA introduces support for External Mu for ML-DSA, a technique where the hash of the message and public key is computed outside an HSM prior to signing. EJBCA 9.6 supports External Mu when using Thales Luna HSM.
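The host-side computation can be sketched as follows. This is an added example, not EJBCA or HSM vendor code: it follows the FIPS 204 definition of mu for pure ML-DSA, the function names are hypothetical, and the public key bytes are a constructed placeholder rather than a real key.

```python
import hashlib


def public_key_hash(pk: bytes) -> bytes:
    """tr: the 64-byte SHAKE256 hash of the encoded public key (FIPS 204)."""
    return hashlib.shake_256(pk).digest(64)


def external_mu(pk: bytes, chunks, ctx: bytes = b"") -> bytes:
    """Compute mu = SHAKE256(tr || 0x00 || len(ctx) || ctx || M), 64 bytes.

    `chunks` is an iterable of byte strings, so a large message can be
    streamed through the hash on the host; only the 64-byte mu value then
    has to be handed to the signing device.
    """
    if len(ctx) > 255:
        raise ValueError("context string must be at most 255 bytes")
    h = hashlib.shake_256()
    h.update(public_key_hash(pk))
    # Domain separator for pure ML-DSA: 0x00, then the context length and
    # the context itself (HashML-DSA uses a different prefix).
    h.update(b"\x00" + bytes([len(ctx)]) + ctx)
    for chunk in chunks:
        h.update(chunk)
    return h.digest(64)


# Constructed placeholder with the size of an ML-DSA-65 public key (1952
# bytes); it is not a valid key and only serves to make the example run.
SAMPLE_PK = bytes(1952)
SAMPLE_MESSAGE = b"constructed to-be-signed data for the mu example"
```

Because mu binds the public key hash, the context and the message, the host must compute it with the public key of the exact private key that will sign; a mu built for another key does not produce a signature that verifies.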

Subject Alternative Names column size increased

The default database column size for Subject Alternative Names (SANs) has been increased from 2000 to 8000 characters to prevent upgrade issues caused by schema handling changes in WildFly/Hibernate.

This change has been tested and verified across all officially supported databases. See the EJBCA 9.6 Upgrade Notes for upgrade considerations, database privilege requirements, and Oracle Database limitations.

Announcements

Bouncy Castle 1.84 Upgrade

Bouncy Castle has been upgraded to version 1.84. For information about the latest Bouncy Castle releases, refer to the Bouncy Castle Release Notes.

Compliance Issue

EJBCA 9.6 resolves an issue in the EJBCA MPIC implementation which, depending on deployment or configuration, could result in non-compliance with Section 3.2.2.9 of the CA/B Forum Baseline Requirements when validating certificate requests over ACME.

For details, refer to the Keyfactor Support Portal: EJBCA compliance issue: Potential CA/B Forum compliance issue for customers using EJBCA ACME and MPIC functionality.

Deprecation of SunPKCS11 Crypto Token

As of EJBCA 9.4, the SunPKCS11 Crypto Token type is deprecated and will be removed in a future release. While the SunPKCS11 Crypto Token type is still supported, it is strongly recommended to migrate to the newer P11NG Crypto Token type. Certain functionality, such as the use of quantum-safe algorithms, is only available through a P11NG Crypto Token.

For more information about migrating from SunPKCS11 to P11NG, see Soft Migration from SunPKCS11 to P11NG Crypto Token.

Upgrade Information

Review the EJBCA Upgrade Notes for important upgrade information. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

Change Log: Resolved Issues

The following lists implemented features and fixed issues in EJBCA 9.6.0 and 9.6.1.

Issues Resolved in 9.6.1

Released May 2026

ECA-15058 DB upgrade resources for EJBCA 9.6

Issues Resolved in 9.6.0

Released May 2026

New Features

ECA-12603 RFC 8657 CAA record extension support in ACME

ECA-13609 Create ProtocolSession Business Layer and DTO

ECA-13658 Create ProtocolSession Cache

ECA-13882 Ability to disable certificate signature verification on issuance

ECA-14311 Add ability to issue SCEP enc/sign certs via ProxyCA

ECA-14323 ProxyCA specific fields to SCEP alias

ECA-14364 Dispatch SCEP enrollment to ProxyCA

ECA-14450 Create REST resource for v1/approval

ECA-14491 Add a profile (TLS|DeviceAttest|SMIME) to ACME aliases

ECA-14637 Ability to create PKCS7 via ClientToolBox

Improvements

ECA-11795 Document RA Proxying behavior for v1/ca endpoints

ECA-13869 Extract a CA CSR with REST API

ECA-13897 Change container keystores to PKCS12 because JKS is deprecated and EC for speed

ECA-14319 OAuth Support for Proxy CA REST authentication with Keycloak

ECA-14366 Modify getCACaps for proxyca

ECA-14436 Create REST endpoint to fetch the status of approval request

ECA-14438 Create REST endpoint to approve or reject approval requests per admin

ECA-14445 De-prettify licenses

ECA-14460 Revisit approval handling of REST enrollment endpoints

ECA-14465 Return request_id for REST API end entity

ECA-14486 Create REST Endpoint to retrieve information about a specific approval request

ECA-14495 Migrate database.crlgenfetchsize and database.crlgenfetchordered from cesecore.properties into database configuration.

ECA-14503 Hide ProxyCA Client Secret

ECA-14511 Make REST Approvals available in CE

ECA-14549 Return step for partitioned approval request

ECA-14554 Allow Key Recovery to work with signature verification disabled

ECA-14580 Implement extended flexibility in EJBCA Container license mechanism

ECA-14583 Include CertificateRequestSessionBean update officially in EJBCA release.

ECA-14600 REST Approvals should return all approvals in the same step

ECA-14601 Misleading log message on RA_MASTER_API_STATUS_REQUEST_MESSAGE

ECA-14602 REST Approvals - Approve partitioned approvals

ECA-14605 Improve error handling in Remote Authentication form when no CA is available

ECA-14606 Improve displaying CA Structure & CRLs table when no records are available

ECA-14615 Access Control for REST Approval endpoints

ECA-14640 Disable ProxyCA ZIP release generation

ECA-14644 Allow for cabf-specific validation methods to be used with the CAA Record extension.

ECA-14733 ACME - MPIC Primary network corroboration

ECA-14742 Make it possible to enter template names when creating a SCEP alias for RA and proxy CA.

ECA-14755 Support externalMu ML-DSA with Thales Luna HSM

ECA-14761 Improvements to displaying approval steps in the REST API

ECA-14776 Add specific renewal time to ARI

ECA-14795 Update CMP ML-KEM encrCert enrollment to use HKDF_SHA256 for max interoperability with RFC9936

ECA-14796 Admin Web - Change message level for create end entity approval

ECA-14830 Upgrade to BC 1.84

ECA-14836 Upgrade to Log4j2-core, log4j2-api and log4j1-1.2-api to 2.25.4

ECA-14843 Upgrade to the latest versions of x509-common-util, cryptotokens and p11ng

ECA-14870 Upgrade EJBCA base container version to alma9-jre21-wf39-4

Bug Fixes

ECA-9141 Selecting the Library in CryptoToken does not updated Reference Type or Reference

ECA-11462 Swagger docs can no longer be generated in YAML format

ECA-11669 TLS 1.3 remote keybindings does not work with RSA keys in P11NG cryptotokens

ECA-13587 Increase default SAN column sizes from 2000 to 8000

ECA-13917 AWS S3 Publisher – Authentication Type "Access Key ID and Secret" Fails

ECA-14025 Nshield HSM cryptotokens do not auto-activate after restart in Kubernetes

ECA-14112 [HA] Crypto token key list is not synchronized between nodes

ECA-14134 Add Field from dropdown action fails silently on approval profile page

ECA-14135 Delete Partition Fails silently on Approval Profile page (Partitioned Approval)

ECA-14233 Admin Web - Testing EC/brainpool/Ed keys throws NPE while using Utimaco

ECA-14293 OCSP Configuration Default Validity Times does not save properly

ECA-14356 OAuth and Peer connection issue with MSAE

ECA-14405 SCEP not working with Auto-generated password

ECA-14406 CMP not working with Auto-generated password

ECA-14408 EST not working with Auto-generated password

ECA-14410 Remote Internal Key Binding Updater should be able to provide a cert chain

ECA-14466 Cannot add multiple Custom Certificate Extensions with the same OID

ECA-14471 /v2/certificate/search endpoint doesn't use "ca_functionality/view_certificate" access rule

ECA-14514 EST: Disabling "End Entity E-mail: Use" while having "RFC 822 Name" SAN results in error

ECA-14520 NullPointerException when editing an ACME alias

ECA-14533 Regression - NPE while trying to delete crypto token in Admin Web (CE)

ECA-14569 MSAE: OID mixup with high load

ECA-14571 RA Web - issue displaying SAN attributes

ECA-14593 Every name set during cloning of EMPTY EEP ends up with forbidden name error

ECA-14608 Port ECA-14569 MSAE code changes from 9.3.9

ECA-14614 Not able to search SSH cert through AdminWeb

ECA-14618 Allow Special character in common name for AdminWeb

ECA-14642 ProxyCA oauthClientSecret is stored in plain text

ECA-14645 EST Alias UI RFC reference error for ChangeSubjectName

ECA-14649 OAuth Azure log in with a key binding doesn't work on the RA

ECA-14710 Allow s3alias S3 bucket name suffix

ECA-14717 Bug: RA admin can not renew end-entity with EEP enforced notification

ECA-14735 LDAP publisher removes ALL certificates when one certificate is revoked

ECA-14754 Typo in Subject Directory Attributes in RA Web

ECA-14756 Regression: 'Generate' buttons in 'CA Validation Data' doesn't work

ECA-14767 OAuth over REST remains inactive unless a Active CA is present or a CA instance is connected

ECA-14770 Regression: View Certificate impacted by the SSH CA certificate fix

ECA-14777 Remote Authenticator UI broken when adding more than one trusted TLS Certificate

ECA-14779 Fix typos related to ACME ARI

ECA-14789 ACME http-01 validation does not use alias-defined resolver or validate trust anchor

ECA-14791 Regression : ConfigDump cannot import its own export

ECA-14793 ejbca.sh keybind create options are no longer valid

ECA-14797 Certificate Issued Without Key Encipherment

ECA-14807 Disallow CA Activation approvals via REST API

ECA-14846 Soft crypto token keys still in UI after deletion in HA mode

ECA-14855 Regression : Crypto Token key test function always tests the first in the list

ECA-14862 ACME Alias Certificate Type configuration not isolating correct challenge types

ECA-14881 Regression : Command observed change in URL behavior which working with OAuth and EJBCA RA. investigation required

ECA-14891 ACME Device Attestation Root CA Validation
