EJBCA 7.11.0 Upgrade Notes

Below are important changes and requirements when upgrading from EJBCA 7.10 to EJBCA 7.11.

For upgrade instructions and information on upgrade paths, see Upgrading EJBCA . For details of the new features and improvements in this release, see the EJBCA 7.10 Release Notes.

Post Upgrade

Behavioral Changes

OCSP Extensions always returned if configured

A minor behavioral change in EJBCA 7.11.0 is that the OCSP responder will always return an extension if possible, if configured. Prior behavior was that extensions were only returned if specified by the client in the request.

Rest API requires Certificate Profile flag to backdate revocations

A small behavioral change in how certificate revocation endpoint works with backdated revocation date: During revocation of certificates or changing revocation reason of previously revoked certificates, the /revoke REST endpoint requires the “Allow Backdated Revocation” setting to be enabled in related Certificate Profiles.

Custom header mandate for REST calls from browser

A minor security fix to prevent CSRF against EJBCA REST API. A configurable setting is added to mandate a custom header for REST endpoints when it is invoked from browser. This setting is available in Available Protocols tab at System Configurations. Backend service calls and browser calls are distinguished by presence of any of the two forbidden headers "Sec-Fetch-Mode" and "Sec-Fetch-Dest". Hence, there should not be any impact on backend services unless these headers were being forwarded to EJBCA. These forbidden headers are added by most modern browsers except Safari.


Validation CLI Tool Removed

As announced in the previous release, the Validation CLI tool has been removed due to lack of use, hence lack of support.