EJBCA Software Appliance 3.0 Release Notes

MAY 2026

We are pleased to announce the release of EJBCA Software Appliance 3.0.

With this release, we have added support for:

  • Automated Renewal of Luna Client Certificates

  • Customizable Static Network Routes

  • One-Click Appliance Updates

  • Automated Deployments & Configuration

This release focuses on simplifying infrastructure management, increasing network flexibility, and minimizing maintenance overhead for administrators.

The release also brings a configurable ProbeTimeout for the Thales Luna HSM Client to ensure reliable failover in High Availability groups, alongside the integration of the latest Thales TCT driver to support Post-Quantum Cryptography (PQC) algorithms. Additionally, underlying packages have been upgraded to address and remediate identified vulnerabilities.

Highlights

New version of EJBCA Enterprise

EJBCA Enterprise has been updated to version 9.6.
For more information, see the EJBCA Release Notes.

Automated Renewal of Luna Client Certificates

The appliance now supports fully automated renewal of Luna HSM client certificates via Command Orchestrator.
This ensures uninterrupted, secure connectivity to your hardware security modules without requiring manual intervention or tracking expiration dates, significantly lowering operational risk.

Customizable Static Network Routes

Users can now configure custom static network routes per network interface directly within the WebConf.
This provides the necessary flexibility to seamlessly route traffic to external systems (such as network-attached HSMs) that sit outside your default gateway, complete with robust validation to prevent misconfigurations.

One-Click Appliance Updates

Updating the Software Appliance has never been easier. We introduce a streamlined update process that allows administrators to trigger appliance updates with a single click directly inside WebConf, without involving the hypervisor team.
This is another key aspect of our efforts to make the appliance less dependent on hypervisor administrators, ensuring faster and easier management.

Automated Deployments & Configuration

To better support modern infrastructure-as-code practices, this release introduces automated deployment and configuration options for large and small customer environments.
This allows teams to reliably configure and scale appliances, reducing human error and accelerating deployment timelines.

Improvements and Corrections

The following lists other improvements and corrections included in the release.

  • Configurable ProbeTimeout for Thales Luna HSM Client
    Added support to configure the ProbeTimeout value for the Thales Luna HSM Client within the Software Appliance. This ensures that if an HSM connection hangs (e.g., during Remote PED authentication), the High Availability (HA) group can successfully fail over to a healthy HSM instead of freezing the entire process.

  • Include latest Thales TCT driver for PQ
    Integrated version 7.15. of the Thales TCT client libraries to enable the use of Post-Quantum Cryptography (PQC) algorithms.

  • Log Spam by EJBCA when no license is installed
    Resolved a NullPointerException issue where EJBCA templating would repeatedly throw errors and flood the logs if no active license object was present.

  • Potential Memory Leak in Yocto Kernel (QEMU Only)
    Corrected an issue where memory usage would continually increase over time. This was caused by failing services; these services have now been disabled.

  • CPU limit of Luna driver too low
    Fixed a performance throttling issue where the CPU limitation on the Luna HSM driver container was set too low, causing heavy throttling and monitoring issues on customer sites. The resource allocation has been optimized.

  • OpenSSL CVEs 2026
    Upgraded packages to address and remediate identified OpenSSL vulnerabilities.

    • CVE-2026-31790 – Incorrect failure handling in RSA KEM RSASVE encapsulation

    • CVE-2026-28387 – Potential use-after-free in DANE client code

    • CVE-2026-31789 – Heap buffer overflow in hexadecimal conversion on 32-bit platforms

  • Kernel Security Hardening (CVE-2026-31431): Disables the algif_aead kernel component to proactively eliminate a potential local privilege escalation vulnerability, ensuring the highest level of underlying platform security.

  • Mitigation of DirtyFrag Vulnerabilities (CVE-2026-43284 & CVE-2026-43500): Applies patches to resolve the "DirtyFrag" security flaws within kernel networking components.

  • Mitigation of Fragnasia Vulnerability (CVE-2026-46300): Resolves the "Fragnasia" security threat by implementing the required kernel-level network updates. This protects the appliance from network fragment exploitation risks similar to the DirtyFrag vulnerability family.

  • SNMP Security Update (DES Deprecation): The SNMP container has been updated to improve system stability. Please note that DES is no longer supported.

    • If you are currently using DES, the SNMP container will stop running, and a warning message will be displayed on the SNMP configuration page in Webconf. To restore functionality, please switch to a secure alternative algorithm or disable the option. Once changed, the DES option will be permanently removed from the UI.

    • If you are not using DES, the option has been automatically removed from Webconf, and no action is required.

Upgrade Information

For information on the required steps to update the EJBCA Software Appliance, see Update Software Appliance, or update via Webconf under Settings: Update the Appliance.
