EJBCA Software Appliance 2.9 Release Notes
DECEMBER 2025
We are pleased to announce the release of EJBCA Software Appliance 2.9.0.
This release extends the Software Appliance with native Luna USB HSM support, PQC-ready HSM firmware and driver integration for Luna and Entrust, and built-in backup & restore workflows directly inside the UI of the Software Appliance.
Announcing EJBCA Licensing Mechanism in EJBCA 9.4.2
As of EJBCA 9.4.2, the EJBCA Container Set, EJBCA Software Appliance, and EJBCA Hardware Appliance (Next Generation) require a valid license file to run. Please reach out to Keyfactor by submitting a request via the Keyfactor Support Portal to obtain a valid license file prior to upgrading to EJBCA 9.4.2.
To use the EJBCA application within the appliance, the corresponding license provided by Keyfactor must be uploaded.
A valid license can be found in the download folder.
To obtain a license or renew an expired one, contact support@keyfactor.com.
Important!
Do not perform an update if you do not have a valid license.
EJBCA will not start without a valid license.
If an update has been performed without a valid license:
no data or key material will be lost
only the service will be discontinued.
For further details refer to License Management.
Highlights
New version of EJBCA Enterprise
EJBCA Enterprise has been updated to version 9.4.2.
For more information, see the EJBCA Release Notes.
Licensing for EJBCA Software Appliance
With this release, the EJBCA 9.4.2 Application requires a valid license file to run. The license file can be found in the download folder. If this is not the case, please contact Keyfactor before upgrading to ensure that you have a valid license file. After upgrading to Software Appliance 2.9, the EJBCA application will not start until a valid license has been uploaded and verified.
Once the license is in place, the application will start normally and all services will be available.
Instructions for this process can be found in the License Management documentation.
⚠️ Important: Plan your maintenance window accordingly. Obtain and stage the license before the update to avoid extended downtime. If you are unsure about your license status or delivery channel, contact your account team or support (support@keyfactor.com) before upgrading.
SCP Publisher
The SCP Publisher now supports flexible use across all EJBCA deployment types, including the EJBCA Software Appliance 2.9.
SFTP is also available as a secure alternative to SCP, offering improved compatibility and key-pair–based authentication through EJBCA Crypto Tokens. For configuration details, see SCP Publisher.
Luna USB HSM support for Software Appliance
This release adds native support for Luna USB Hardware Security Modules in the Software Appliance, so that you can recognize, access, and use connected Luna USB HSMs for key operations. This is especially useful for Root CA scenarios.
PQC-ready HSM firmware and driver integration
This release introduces support for post-quantum–capable HSM firmware and drivers for Luna (Client Software 10.9.0) and Entrust (Security World 13.9.0). You can configure PQC-enabled HSMs for use with EJBCA and related components, ensuring that key and certificate management workflows are compatible with the new algorithms and firmware.
In-appliance backup & restore for Software Appliance
This release enables backup & restore operations directly inside the Software Appliance VM, without relying on external hypervisor tools. This feature requires an NFS backup location (NFS v4.0/v4.1/v4.2). Administrators can trigger on-demand or scheduled backups and perform restore workflows in a guided way. For information on configuring backup locations, retention, and restore procedures, see the Software Appliance administration documentation.
Improvements and Corrections
The following lists other improvements and corrections included in the release.
Clearer label for audit log protection
In WebConf, the option is now called “Integrity Protected Security Audit Logs,” making its purpose easier to understand.
New defaults for Microsoft SQL Server
The MSSQL default now sets sendStringParametersAsUnicode=false, improving compatibility and performance for many SQL Server setups. This default is applied only to new external database connections; existing configurations are not changed. You can still remove or override this setting when setting up the external DB connection.
Security update for the internal MariaDB database
The embedded MariaDB has been updated to version 10.6.22, bringing security fixes and stability improvements.
Updated Securosys HSM driver
The Securosys HSM driver has been upgraded from Primus API 2.0.0 to version 2.5.3 (released November 24, 2025), incorporating the latest compatibility improvements and fixes.
Redesigned HSM configuration
The HSM configuration page has been redesigned to simplify setup and ongoing management, with a clearer layout, improved guidance, and more actionable validation and error feedback.
Upgrade Information
For information on the required steps to update the EJBCA Software Appliance, see Update Software Appliance.