EJBCA 7.9.0 Release Notes

APRIL 2022

The EJBCA team is pleased to announce the release of EJBCA 7.9.0.

This release introduces support in EJBCA for acting as Enrollment Authority in C-ITS PKI, enabling vehicle manufacturers to take part in evolving C-ITS ecosystems. The release also includes enhancements to Intune integration and RA Web.

Included in this release are also the changes made in EJBCA 7.8.2, which was only released internally.

Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.

Highlights

Log4j Upgrade

As stated previously, EJBCA was never vulnerable to CVE-2021-44228 or the subsequent findings, because EJBCA handles logging through JBoss EAP/Wildfly and only uses the Log4j API as a facade. Log4j version 1 has been included in the source mainly as a building block, is not used in the main deployment, and is only ever directly referenced from the CLI, but its presence will still trip automatic vulnerability scanners. As we understand that many of our customers need to satisfy auditors and other regulatory authorities, we have decided to accelerate the planned upgrade of Log4j to the latest release in order to dissolve any questions about EJBCA being vulnerable.

Use of Microsoft Graph API in EJBCA Intune Integrations

Previous versions of EJBCA use the Azure AD Graph API for Intune integrations. Microsoft has announced that the Azure AD Graph API will be deprecated as of June 2022 and that Intune integrations need to use the Microsoft Graph API instead. EJBCA 7.9.0 uses the Microsoft Graph API for Intune integrations, making it an important upgrade for EJBCA customers using Intune.

Support for acting as Enrollment Authority in C-ITS PKI

Cooperative Intelligent Transport Systems (C-ITS) is an ecosystem facilitating communication between vehicles and between vehicles and infrastructure, jointly known as vehicle-to-everything (V2X). EJBCA 7.9.0 introduces functionality allowing EJBCA to act as an Enrollment Authority (EA) in a C-ITS PKI, registering ITS entities and issuing enrollment credentials. While not including every component of the C-ITS PKI, this release marks our first effort toward supporting the C-ITS PKI lifecycle with EJBCA. For more information, see C-ITS ECA Overview.

Announcements

Public Web Deprecated

Since the launch of EJBCA, the Public Web has been used for common operations such as enrollment, CRL and CA certificate download, etc. EJBCA 6.6 introduced the new RA Web along with a new RA architecture, enabling more efficient RA workflows that also overlapped many functionalities of the Public Web. Throughout recent releases, including this one, we have added features to the RA Web in an effort to allow all RA operations to be managed from one location. These RA Web enhancements have made the Public Web increasingly redundant, and the Public Web is therefore deprecated as of EJBCA 7.9.

The Public Web is still available in EJBCA 7.9.0 but will no longer be supported as of the next major version of EJBCA. We recommend migrating your workflows to the RA Web in preparation for the future removal of the Public Web. Certain use cases might not be fully replaceable by the RA Web yet, but we will be putting the last pieces together to support them in upcoming releases. Endpoints for CA/CRL distribution located under the Public Web URL will remain available.

CMP over TCP no longer Supported

Use of CMP over TCP has been discouraged per our documentation since EJBCA 6.5. The plan was to end support of CMP over TCP in the next major version but due to incompatibilities with the Log4J upgrade, we have accelerated the schedule. As of EJBCA 7.9.0, CMP over TCP is no longer supported by EJBCA or by the legacy CMP Proxy. Support for CMP over HTTP is unaffected.

SaferDailyRollingFileAppender no longer Supported

The SaferDailyRollingFileAppender (enabled by setting ocsp.log-safer=true in the ocsp.properties configuration file) has been deprecated and removed due to incompatibilities with the Log4J upgrade. Enabling the setting caused a transaction rollback if the server logs could not be written to, a corner case used by certain VAs with legal requirements to record all OCSP traffic in the log. This setting is no longer supported by EJBCA.

Upgrade Information

Review the EJBCA 7.9.0 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 7.9.0 is included in EJBCA Hardware Appliance 3.9.5 and EJBCA Cloud 2.10.0 and can be deployed as EJBCA Software Appliance.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 7.9.0, refer to our JIRA Issue Tracker.

Issues Resolved in 7.9.0

Released April 2022

    New Features

    ECA-7321 - RA Web should accept CSR in DER format

    ECA-9834 - ACME configuration alias max. length of 250 characters

    ECA-10261 - Add support for RFU bits in cert-cvc

    ECA-10263 - Add support for RFU bits in EJBCA

    ECA-10467 - Define new CA type for ITS CAs

    ECA-10468 - ITS CA Type in the UI

    ECA-10470 - REST Resource for ITS Certificate Request

    ECA-10529 - ITS end entity request and response creation and verification

    ECA-10554 - Allow CMPv2 enrollment in RA mode using vendor certificate

    ECA-10592 - Authorization validation for ETSI certificates and integration to REST

    ECA-10593 - End Entity management over REST for C-ITS ETSI

    ECA-10612 - Import CITS CA and other UI changes for CITS

    ECA-10613 - Subject attributes validation during registration, EC enroll and authorization validation

    ECA-10614 - Download or rest endpoint for CITS certificates

    ECA-10625 - Future Dated CRLs from the CLI

    ECA-10627 - Allow WS requests using Request Processors send through editUser as well

    Improvements

    ECA-7381 - Sunset Public Web

    ECA-7588 - Remove CADataHandler

    ECA-7765 - Allow public user to finalize enrollment in RA Web

    ECA-8476 - Only show logout button in CA web when "Session timeout" is enabled

    ECA-9256 - Allow an OCSP Responder to sign for other CAs

    ECA-9566 - The Option "Send notification" is Not Available in RA Web

    ECA-9799 - Search for Certificates at RA Web doesn't reflect Expired status in the main table list

    ECA-10296 - Update EJBCA libs for Swagger to work on Wildfly > 22.0.0

    ECA-10345 - Put PIN last in the GUI when creating crypto token

    ECA-10413 - Allow EEP Subject DN values to be enforced

    ECA-10414 - Add E-mail checkbox "Use email from address field" to RA-web

    ECA-10416 - Increase CSR Size Limit

    ECA-10418 - Name constraint support for make new request in RA web

    ECA-10421 - Add checkbox to RA Web when creating end entity to activate key recovery

    ECA-10452 - Trim external log lib

    ECA-10454 - Improve dn merge procedure for end entities

    ECA-10456 - Add end entity with clear text password in the RA web

    ECA-10459 - Code cleanup: modules/oldlogexport

    ECA-10460 - Code cleanup: modules/externalra-gui

    ECA-10469 - Define MVP TBSCertificate fields for ITS CAs

    ECA-10473 - Complete the rest endpoint implementation for CITS

    ECA-10474 - Increase length of ACME EAB with symmetric keys generated key

    ECA-10476 - Introduce ITS Certificate Profile

    ECA-10488 - Upgrade ITS epic branch with BC 1.7.1 b03

    ECA-10489 - Create enrollment endpoint for the ITS REST API

    ECA-10494 - Not able to reconnect to P11NG Crypto Token after HSM network disconnect

    ECA-10501 - Remove support for CMP over TCP

    ECA-10504 - Get rid of appender code in UpgradeBean to Log4J2

    ECA-10512 - Upgrade EJBCA Intune Integration to Use Microsoft Graph API

    ECA-10530 - Update standalone scripts with log4j compatibility flag

    ECA-10538 - SHAxWithRSAAndMGF1 / SHAxWithRSASSA-PSS not working with Azure Key Vault or AWS KMS Crypto tokens

    ECA-10539 - Update slf4j

    ECA-10543 - Update PublicAccessToken to not require delete end entities access rule

    ECA-10548 - Add CrmfRequestTest into Jenkins

    ECA-10555 - OEREncoding for InnerECRequest/Response

    ECA-10558 - REST endpoint for ITS-S Registration

    ECA-10576 - System test for ITS REST endpoint

    ECA-10584 - Update ejbca.cmd with log4j changes

    ECA-10585 - Deprecate and remove legacy batch enrollment GUI

    ECA-10610 - Hardening

    ECA-10615 - Upgrade BC to 1.71, pull in main branch changes

    ECA-10619 - Upgrade commons-cli to 1.5

    ECA-10628 - Allow the encryptpwd CLI command to run without appserver active

    ECA-10633 - Upgrade jacknji11

    ECA-10642 - Refactor ITS enrollment operation to be performed by CA implementation

    ECA-10647 - Improve EJBCA's behavior when looking up invalid DNS records for CAA

    Bug Fixes

    ECA-9950 - Batchenrollment gives BCFKS error

    ECA-10219 - New role members cannot manage existing approval requests

    ECA-10228 - Invalid ocsp certificate prevents wildfly startup

    ECA-10279 - CVC is not working in RA web

    ECA-10388 - Peer connections using RSA Authentication Key binding with P11NG, Azure and AWS crypto tokens stopped working after JDK update

    ECA-10424 - Logging Location of API Requests

    ECA-10426 - Configurable DN order in LDAP Publisher

    ECA-10436 - Regression: Error editing Key Vault crypto Token

    ECA-10437 - CA Functions CRL download link fails to download CRL when CA SubjectDN contains ampersand

    ECA-10457 - REST configdump export can fail even if ignore errors is enabled

    ECA-10463 - ConfigDump Export/Import EEPs with multiple DNs/SANs

    ECA-10471 - Regression - ejbca-db-cli not working after upgrading to 7.8.0.1

    ECA-10484 - Regression: P11NG and CloudHSM using Healthcheck sometimes causes HSM to go offline with CKR_OPERATION_ACTIVE

    ECA-10485 - CMP Certificate Confirmation - Default CA

    ECA-10490 - Cannot re-activate suspended cert with "Safe Direct Publishing"

    ECA-10491 - X.509 CA sequence is compared with keysequence from cert request in a wrong way

    ECA-10497 - Regression: OCSP signing cache is always reloaded for requests with unknown CAs

    ECA-10507 - Regression: P11NG signing misses NULL parameter in PKCS#1 algorithm parameters for RSA SHA algorithms

    ECA-10532 - Fix ACME issuance of certificates with non-validated domains

    ECA-10533 - EJBCA RA - Navigation dead-ends

    ECA-10534 - Enrollment fails with GetCACert enabled in SCEP CA mode

    ECA-10535 - AWSS3Publisher causes OCSP Peer Publishing to fail

    ECA-10549 - Disable "Use queue ..." options when "Safe Direct Publishing" enabled

    ECA-10550 - Regression: Potential NPE causes test failures when Trace logging is enabled

    ECA-10557 - Jenkins CMP test failure

    ECA-10569 - Create tests for cmp update command in cli

    ECA-10571 - Make "Unspecified" revocation reason in OCSP responses configurable

    ECA-10572 - URI Name Constraints should not allow/require protocol to be specified

    ECA-10577 - Key algorithm of uploaded CSR field shows wrong value

    ECA-10579 - Clean up access rules requirements for using a CSR on the Make New Request page

    ECA-10583 - Name constraint error produces stacktrace and unintuitive error message in RA UI

    ECA-10591 - Startup database error due to deprecated property UserData.hardTokenIssuerId

    ECA-10601 - Failures in PostgreSQL running create-index sql script, comment out drop index statements

    ECA-10603 - ejbca-db-cli Broken

    ECA-10620 - Request and EE CA mismatch still cause EE status change

    ECA-10621 - Minor security issue

    ECA-10622 - Changing an EE status over RA web leads to unwanted disabling of Batch generation (clear text pwd storage) checkbox

    ECA-10626 - Support 'Any' cryptoProvider in MSAE templates

    ECA-10634 - Fix IOException in db-cli

    ECA-10635 - Update AzureBlobPublisher to use new Azure auth

    ECA-10637 - Azure Key Vault only lists the first 25 key aliases

    ECA-10638 - EJBCA restricts OCSP nonce to 30 octets instead of 32 as stated in RFC8954

    ECA-10644 - The publisher queue inspection window should display the time with a 24-hour clock

    ECA-10662 - Intune Resource URL not honored in new SCEP code

    Issues Resolved in 7.8.2

    EJBCA 7.8.2 was an internal release, not generally available to customers.

    Released February 2022

      Improvements

      ECA-10479 - Library upgrade

      ECA-10494 - Not able to reconnect to P11NG Crypto Token after HSM network disconnect

      ECA-10501 - Remove support for CMP over TCP

      ECA-10504 - Get rid of appender code in UpgradeBean to Log4J2

      ECA-10509 - Remove SaferDaily, SigningDaily and ScriptrunningDailyRollingFileAppender

      ECA-10510 - Upgrade Appender in TestLogAppenderResource to Log4J2

      ECA-10530 - Update standalone scripts with log4j compatibility flag

      ECA-10531 - Resolve test failures after log4j upgrade

      Bug Fixes

      ECA-10484 - Regression: P11NG and CloudHSM using Healthcheck sometimes causes HSM to go offline with CKR_OPERATION_ACTIVE

      ECA-10507 - Regression: P11NG signing misses NULL parameter in PKCS#1 algorithm parameters for RSA SHA algorithms

      ECA-10532 - Fix ACME issuance of certificates with non-validated domains