December 2022 / February 2023

The EJBCA team is pleased to announce the release of EJBCA 7.11.

This release includes enhancements to our CMP implementation, usability improvements, compliance updates, and more. This release also upgrades Bouncy Castle to version 1.72.

Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.

Highlights

Revocation Reason Change

Addressing Mozilla's Root Store Policy, this release introduces the ability to change the revocation reason of previously revoked certificates. Changing the revocation reason is enabled at the Certificate Authority level, and backdating is allowed if set in the relevant Certificate Profile. The new revocation reason can only be Key Compromise. The revocation reason can be changed through the EJBCA REST API, RA Web UI, and Web Services. For more information, see Allow Changing Revocation Reason in CA Fields and Allow Backdated Revocation in Certificate Profile Fields.

RA Validation of CMP Messages

For EJBCA deployments with a peer-connected RA separate from the CA, where the CMP protocol is used for enrollment, EJBCA 7.11 provides a new option in which CMP messages are validated on the RA before being forwarded to the CA. The validation applies to signature-protected messages as well as to HMAC-protected messages. Aside from providing enhanced security in deployments using CMP for enrollment, it allows customers to migrate to a standard peer-connected EJBCA CA/RA configuration following the deprecation of the CMP Proxy and External RA in EJBCA 7.11. For more information, see CMP.

Partial Support for CMP Lightweight Profile

With EJBCA 7.11, a subset of the CMP Lightweight Profile is available for use with CMP in EJBCA. The CMP Lightweight Profile defines a reduced subset of CMP operations and functionality, mainly targeting industrial and IoT use cases, including resource-constrained devices. With this release, support has been added for message protection with PBMAC1 as well as for the P10CR message body. For more information, see CMP.
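To make concrete what the RA-side validation of an HMAC-protected message and the new PBMAC1 protection involve, here is an added example (not EJBCA code, and not taken from this page): PBMAC1 derives a MAC key from the shared enrollment secret with PBKDF2 and then HMACs the message's protected part, so a verifier can reject a tampered message or a wrong secret before forwarding it. The protected part, the secret, the salt and the minimum iteration policy are constructed sample values; a real CMP verifier computes the MAC over the DER-encoded ProtectedPart and takes salt and iteration count from the message's PBMAC1 parameters.

```python
import hashlib
import hmac

# Constructed sample input: in CMP the MAC covers the DER-encoded ProtectedPart
# (header || body). A literal byte string stands in for it here.
PROTECTED_PART = b"constructed-cmp-protected-part: header||body (p10cr)"
SHARED_SECRET = b"constructed-enrollment-shared-secret"   # what the RA/CA has configured
SAMPLE_SALT = b"constructed-16B-salt"                     # sent in the message parameters
SAMPLE_ITERATIONS = 10000


def pbmac1(secret: bytes, salt: bytes, iterations: int, protected_part: bytes,
           key_len: int = 32) -> bytes:
    """PBMAC1 (RFC 8018): PBKDF2 turns the shared secret into a fixed-length MAC
    key, then an HMAC over the protected part is the message protection.
    Assumption: HMAC-SHA256 is used both as the PBKDF2 PRF and as the MAC."""
    key = hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=key_len)
    return hmac.new(key, protected_part, hashlib.sha256).digest()


def verify_pbmac1(secret: bytes, salt: bytes, iterations: int, protected_part: bytes,
                  received_mac: bytes, min_iterations: int = 1000) -> bool:
    """What an RA does before forwarding a MAC-protected CMP message to the CA:
    refuse client-chosen parameters that weaken the KDF (assumed local policy:
    at least 8 bytes of salt and 1000 iterations), recompute the MAC with the
    configured secret, and compare in constant time."""
    if len(salt) < 8 or iterations < min_iterations:
        return False
    expected = pbmac1(secret, salt, iterations, protected_part)
    return hmac.compare_digest(expected, received_mac)


def protect_sample() -> bytes:
    """Client side of the exchange: protect the constructed sample message."""
    return pbmac1(SHARED_SECRET, SAMPLE_SALT, SAMPLE_ITERATIONS, PROTECTED_PART)


if __name__ == "__main__":
    mac = protect_sample()
    print("genuine message accepted:",
          verify_pbmac1(SHARED_SECRET, SAMPLE_SALT, SAMPLE_ITERATIONS, PROTECTED_PART, mac))
    print("tampered body accepted:",
          verify_pbmac1(SHARED_SECRET, SAMPLE_SALT, SAMPLE_ITERATIONS, PROTECTED_PART + b"x", mac))
```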

Separation of Keybindings into OCSP Responders and Remote Authentication

To improve usability, the OCSP Key Bindings and Authentication Key Bindings configurations have been replaced with new OCSP Responders and Remote Authenticators pages in the EJBCA CA UI. User input for OCSP Responder and Remote Authenticator configuration is now tailored to each use case, while the Internal Keybindings concept is still used internally. The behavior of existing key bindings is not affected by this usability change. For more information, see Remote Authenticators Overview.

Announcements

Validation CLI Tool Removed

As announced in previous upgrade notes, the legacy CLI-based Validation Tool has now been removed from EJBCA.

Deprecation of External RA and CMP Proxy

As of EJBCA 7.11, the use of External RA and CMP Proxy is deprecated. Customers previously using the CMP Proxy are advised to migrate to RA Validation of CMP messages in a peer-connected CA/RA setup.

Upgrade Information

Review the EJBCA 7.11 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 7.11.0 is included in EJBCA Hardware Appliance 3.11.0, EJBCA Software Appliance 2.3.0, and EJBCA Cloud 3.0.

EJBCA 7.11.0.1 is included in EJBCA Hardware Appliance 3.11.1 and EJBCA Software Appliance 2.3.1.

Change Log: Resolved Issues

The following lists fixed bugs and implemented features in EJBCA 7.11.

Issues Resolved in 7.11.0.1

Released February 2023

Bug Fixes

ECA-11227 - Key Recovery data not stored using P11NG

Issues Resolved in 7.11.0

Released December 2022

New Features

ECA-9261 - Allow enrollment of SSH Certificates over the RA Web

ECA-9263 - Allow SSH certificates to be searched in the RA web

ECA-10522 - Add support for ECDSA Authentication in peers using TLS 1.2

ECA-10813 - Support for PBMAC1 algorithm in CMP

ECA-10816 - Support for P10CR request body in CMP

ECA-10963 - End entity profile for SSH

ECA-10965 - Add support for SHA3 ECDSA signature algorithms to P11NG

ECA-10980 - GUI: Ability to toggle revocation reason change

ECA-10981 - Invoke publisher when revocation reason is changed

ECA-10982 - Backend: Allow revocation reason change

ECA-10997 - RA Web support for revocation reason change

ECA-11023 - CMP Alias Configuration for "Extended validation"

ECA-11034 - Check if CMP extended validation via peers is enabled

ECA-11096 - Add cache for signer certificate in CMP servlet

ECA-11119 - Custom 'Expire' header for OCSP

ECA-11134 - Implement full support for RA Mode HMAC protection when using Extended Validation

Improvements

ECA-10541 - Improve RoleMembers in Partitioned approvals

ECA-10691 - Split Keybindings page into OCSP Keybindings and Authentication Keybindings

ECA-10719 - Remove ValidationTool

ECA-10937 - Make entity e-mail field unchecked by default for RFC 822 in End Entity Profile

ECA-10940 - Inject cross-certificates in CA Certificate chains for ACME (and others)

ECA-10946 - Add Certificate validity start and end date option in RA Web

ECA-10947 - Remove hardcoded DB name in mysql-privileges.sh

ECA-10952 - Extract AD group membership from PAC (MSAE)

ECA-10959 - Add PKUP in View Certificates

ECA-10961 - Changes in external properties are not detected sufficiently fast

ECA-10969 - CryptoToken page: Add IDs to the form elements so that test automation can identify them unambiguously

ECA-10976 - Shortened IPv6 Parsing Errors in 7.9.0

ECA-10988 - p11ng: implement better detection for vendor-specific behaviour

ECA-10992 - Add option to enforce HTTPS client authentication for ACME

ECA-10999 - Allow MSAE LDAP queries to follow LDAP referrals

ECA-11008 - Merge P11NG changes from SignServer

ECA-11012 - Request: Add new Index to create-index-ejbca.sql

ECA-11049 - Configurable non-expired preproduced OCSP responses

ECA-11052 - Improve error handling of EjbcaWS.cvcRequest

ECA-11059 - Improve error message for future revocation date (RA-Web)

ECA-11060 - RA Web change of revocation reason: rendering conditions

ECA-11061 - Improve /v2/endentity/search pagination and documentation

ECA-11063 - Make SSH source-address field searchable in RA

ECA-11065 - Create placeholder methods for RA Validation of CMP message

ECA-11066 - Signature verification of cmp message in RA

ECA-11067 - Support P10CR request body in cmpclient

ECA-11083 - Add MAC verification to CmpServlet

ECA-11092 - Minor language and UI improvements

ECA-11093 - Move database.useSeparateCertificateTable above database settings in sample config file

ECA-11094 - Validate Certificate status in CMP message

ECA-11120 - Full French language and some GUI localization support, contributed by David Carella of Linagora

ECA-11124 - Add cache clearing to CMP Servlet and fix test

ECA-11126 - Fix cmp message signature validation in Client Mode

ECA-11131 - Oracle DB grants updated not to require DBA or admin rights

ECA-11139 - Support either of multiple authentication modules in CMP extended validation

ECA-11143 - Add PBMAC1 support for extended CMP validation

ECA-11144 - Add test related for p10cr in CmpExtendedValidationTest

ECA-11145 - Allow CMP CERT_REQ requests in HMAC mode with extended validation

Bug Fixes

ECA-10401 - Force local key generation option should not be visible in Community

ECA-10799 - Renamed CAs stuck in "List Of Vendor CAs" in EST alias

ECA-10859 - CA imported with empty name

ECA-10874 - Documentation for WildFly 24 specifies PKCS12, while JKS are generated

ECA-10894 - Configure OCSP extensions to always return if configured

ECA-10897 - Azure OAuth OID Approval Prompt with AWS EJBCA Issues

ECA-10919 - REST Certificate search V2 returns totalCert = null when certificates size is 0

ECA-10925 - Special characters in IssuerDN not displayed correctly when reviewing certificate

ECA-10929 - Pkcs12 content for PEM with enrollment with key recovery enabled

ECA-10930 - CMP request without Content-Length returns wrong HTTP status code

ECA-10953 - "Flush item" sometimes flushes a different item from the queue

ECA-10954 - Default rules preset require /administrator/ in REST

ECA-10958 - Saving Service config page takes too long when selecting large number of CAs

ECA-10962 - Execution error when approving certificate in RA Web

ECA-10967 - Concurrent requests to adminweb cause interrupted page loads and uppercase text

ECA-10970 - Key Pair Created In The Wrong Slot For Crypto Token When 2 Tabs Are Open

ECA-10989 - EJBCA CE Test Build Fail (false positive)

ECA-10990 - Delete EE Subject DN Field with Same DN Attribute and Validation merges fields

ECA-10991 - 'Required' has no effect at Key recovery options

ECA-10998 - Use Username and Request ID are missing from RA web

ECA-11004 - ConfigDump import fails when signing CA of SubCA is non-existent

ECA-11005 - NullPointerException in SCEP GetCACert when CA name is incorrect

ECA-11011 - REST max results increase stopped working

ECA-11017 - Adding a CT log with specific usage period causes exception

ECA-11020 - Fix issue with FQDN in SAN for MSAE

ECA-11025 - EndEntity profile Subject field validation runs against the wrong field

ECA-11029 - ClientToolBox creates an incorrectly DER-wrapped OCSP Nonce extension

ECA-11031 - Revisit EndEntityManagementSession TRIM queries

ECA-11033 - Change revocation reason for Pre-cert revocation Service

ECA-11041 - Revocation backdate does not survive approval

ECA-11042 - Revocation reason PRIVILEGE WITHDRAWN text does not display properly

ECA-11044 - Upgrade apache common-text to 1.10 and commons-lang3 to 3.12.0

ECA-11045 - Fix encryptpwd so that it does not require a running application server

ECA-11047 - Not able to delete soft/p11 cryptotoken (CE Contribution)

ECA-11048 - Revocation backdate/change reason fix for partitioned approval

ECA-11051 - ACME EAB Issue upgrading from 7.8.2 to 7.10.0.1

ECA-11054 - cmpclient missing libs

ECA-11056 - Publishing is interrupted if one item in queue cannot publish

ECA-11058 - Unable to upload cert file to enable the OCSP responders

ECA-11068 - configdump - "Use entity e-mail field" checkbox at a RFC 822 Name (e-mail address)

ECA-11073 - REST endpoint profile related issues

ECA-11090 - Updating remote keybindings should generate key names with "-" instead of "_"

ECA-11095 - Make client certificate revocation effective for ACME over peers

ECA-11122 - Remove location header for acme order post-as-get

ECA-11123 - "ejbca.sh cryptotoken list" returns list without details for P11NG Tokens

ECA-11127 - ConfigDump can fail with NPE when importing CMP configuration

ECA-11138 - Fix language file