This section provides information on upgrading from your current version to a later version of EJBCA.
Also see the EJBCA Upgrade Notes for the version you plan to upgrade to (and any version in between).
When EJBCA is deployed with external Registration Authorities (RAs) and external Validation Authorities (VAs) using peering, the strategy for upgrading is to start with the external EJBCA nodes first. After the external EJBCA nodes are upgraded, upgrade the EJBCA CA nodes. Upgrading the external EJBCA nodes first ensures the CA node uses the Peering protocol version of the CA instance. Therefore if the CA is upgraded first it would use a newer version of the Peering protocol that could be incompatible with the external RA/VA EJBCA nodes. Remember the phrase outside-in when upgrading EJBCA with external RA/VA nodes.
When upgrading or changing a configuration setting in a properties file, it is not required to fully re-install EJBCA or re-configure the application server. Instead, deploy a new EJBCA application (ejbca.ear) to the application server using the
ant deployear command.
Always make a backup of the database before upgrading. The database contains all CA data, and in case you need to roll back an upgrade you can restore the database backup. For information on how to back up and restore an EJBCA installation, see Backup and Restore.
Follow the steps below to upgrade from one version of EJBCA to a new version.
conf/*.propertiesfrom the earlier installation.
This step is not required if you are using an ejbca-custom directory (see ejbca-custom below).
- Merge changes (if there are any) from
Copy the content of the
p12directory from the earlier installation and run the following command with the new version:
$ ant deployearBASH
Note that the command
deployeardeploys a new
ejbca.earto the application server, not performing the same configuration work as the
Wildfly 24 and later versions support the PKCS12 type of keystore (.p12 files).
- To continue to use the JKS format, configure the JKS keystore type and file name in the TLS configuration.
- To switch to the PKCS12 format, change the keystore type for the end entity "tomcat" (using the EJBCA RA UI, for example), renew the keystore, and configure the following in the EJBCA configuration file web.properties:
If you have switched application server (a new version, or just unpacked a fresh installation of it), you need to run the following additional command to copy the TLS keystores over to the new server:
$ ant deploy-keystoreBASH
- You also need to configure TLS for your application server. See the application server specific instructions for the installation, for example for WildFly on Application Servers.
All database upgrades require CREATE and ALTER TABLE privileges in addition to the usual privileges SELECT, UPDATE, INSERT, and DELETE. The SQL executed by database upgrades code is available in
src/upgrade/<oldversion>_<newversion>/<oldversion>_<newversion>-upgrade-<database>.sql. For example,
src/upgrade/700_710/700_710-upgrade-oracle.sql. For MariaDB, use the
To ease upgrades and allow keeping your personal configurations from a version to another, you can store your personal EJBCA modifications in the
ejbca-custom folder. Your modifications will automatically overwrite any existing files found in the
EJBCA_HOME directory before executing an
ant command. For more information, see Modifying EJBCA.
Use the table below to determine the most efficient upgrade path from your current version to the later versions of EJBCA and see the Notes section below for details.
Also see thefor the version you plan to upgrade to (and any in between).
|Your Version||Recommended Upgrade Path||Upgrade Steps|
|6.4.0 or later||Upgrade to the latest version of EJBCA.|
|5.0.12 to 6.3.x||Upgrade to the latest version of EJBCA.|
|4.0.16 to 5.0.11 on JDK6 or earlier||Upgrade to 220.127.116.11 and then upgrade to the latest version of EJBCA.|
4.0.15 or earlier on JDK6 or earlier
|Upgrade to 4.0.16 and then upgrade to 18.104.22.168.|
Upgrading past these technology jumps requires not only upgrading EJBCA, but also the underlying software such as the JDK and the application server.
- EJBCA 8.0: JEE7 → JEE8: EJBCA 8 supports running on Java 17 in addition to Java 11. Running on Wildfly 26 as application server is also supported and the EJBCA use of application server is based on JEE8. For more information about technology upgrades, see EJBCA 8.0 Release Notes.
- EJBCA 7.0.0: JEE6 → JEE7: With the end of JDK7 support, support of JEE6 reliant application servers ceases as well. Minimum supported version of JBoss is EAP7/Wildfly 10.
- EJBCA 7.0.0: JDK7 → JDK8: End of support for legacy runtime version JDK7 and moving to JDK8
- EJBCA 6.4.0: JEE5 → JEE6: With the move to runtime version JDK7, it can no longer be deployed to application servers based on JDK6 such as JBoss versions 4 and 5. The latest version that can still run under JDK6 is the EJBCA 22.214.171.124 intermediate release. Thus, EJBCA 126.96.36.199 and earlier can be run on JBoss 5.1.0.GA server (JEE5), while later versions require an upgrade of the JDK and application server, JDK8 and JBoss EAP 7 or WildFly 10 are recommended.
- EJBCA 6.4.0: JDK6 → JDK7: End of support for legacy runtime version JDK6 and moving to JDK7.
Upgrade Process Changes
- As of EJBCA 6.8.0, you can perform post-upgrades from the Admin Web. When a post-upgrade is required, the System Configuration menu option System Upgrade is available.