DECEMBER 2022 FEBRUARY 2023
The EJBCA team is pleased to announce the release of EJBCA 7.11.
This release includes enhancements to our CMP implementation, usability improvements, compliance updates, and more. This release also upgrades Bouncy Castle to version 1.72.
Revocation Reason Change
Addressing Mozilla's Root Store Policy, this release introduces the ability to change the revocation reasons for previously revoked certificates. Changing revocation reason is enabled at the Certificate Authority level, and backdating is allowed if set in the relevant Certificate Profile. The new revocation reason can only be Key Compromise. The revocation reason can be changed through the EJBCA REST API, RA Web UI, and Web Services. For more information, see Allow Changing Revocation Reason in CA Fields and Allow Backdated Revocation in Certificate Profile Fields.
RA Validation of CMP Messages
For EJBCA deployments with a peer-connected RA separate from the CA where the CMP protocol is used for enrollment, EJBCA 7.11 now provides a new option in which the CMP messages are validated on the RA before being forwarded to the CA. The validation applies to signature-protected messages as well as to HMAC-protected messages. Aside from providing enhanced security in deployments using CMP for enrollment, it allows customers to migrate to a standard peer-connected EJBCA CA/RA configuration following the deprecation of the CMP Proxy and External RA in EJBCA 7.11. For more information, see CMP.
Partial Support for CMP Lightweight Profile
With EJBCA 7.11, a subset of the CMP Lightweight Profile is available for use with CMP in EJBCA. CMP Lightweight profile defines a specified subset of CMP operations and functionality, mainly targeting industrial and IoT use cases including resource-constrained devices. With this release, support has been added for message protection with PBMAC-1 as well as the P10CR message body. For more information, see CMP.
Separation of Keybindings into OCSP Responders and Remote Authentication
To improve usability, the OCSP Key Bindings and Authentication Key Bindings configurations have been replaced with new OCSP Responders and Remote Authenticators pages in the EJBCA CA UI. User input for OCSP Responder and Remote Authenticator configuration is now tailored to each use case, while the Internal Keybindings concept is still used internally. The behavior of existing key bindings is not affected by this usability change. For more information, see Remote Authenticators Overview.
Validation CLI Tool Removed
As announced in previous upgrade notes, the legacy CLI-based Validation Tool has now been removed from EJBCA.
Deprecation of External RA and CMP Proxy
Change Log: Resolved Issues
The following lists fixed bugs and implemented features in EJBCA 7.11.
Released February 2023
ECA-11227 - Key Recovery data not stored using P11NG
ECA-9261 - Allow enrollment of SSH Certificates over the RA Web
ECA-9263 - Allow SSH certificates to be searched in the RA web
ECA-10522 - Add support for ECDSA Authentication in peers using TLS 1.2
ECA-10813 - Support for PBMAC1 algorithm in CMP
ECA-10816 - Support for P10CR request body in CMP
ECA-10963 - End entity profile for SSH
ECA-10965 - Add support for SHA3 ECDSA signature algorithms to P11NG
ECA-10980 - GUI: Ability to toggle revocation reason change
ECA-10981 - Invoke publisher when revocation reason is changed.
ECA-10982 - Backend: Allow revocation reason change
ECA-10997 - RA Web support for revocation reason change
ECA-11023 - CMP Alias Configuration for "Extended validation"
ECA-11034 - Check if CMP extended validation via peers is enabled
ECA-11096 - Add cache for signer certificate in CMP servlet
ECA-11119 - Custom 'Expire' header for OCSP
ECA-11134 - Implement full support for Ra Mode HMAC protection when using Extended Validation
ECA-10541 - Improve RoleMembers in Partitioned approvals
ECA-10691 - Split Keybindings page into OCSP Keybindings and Authentication Keybindings
ECA-10719 - Remove ValidationTool
ECA-10937 - Make entity e-mail field unchecked by default for RFC 822 in End Entity Profile
ECA-10940 - Inject cross-certificates in CA Certificate chains for ACME (and others)
ECA-10946 - Add Certificate validity start and end date option in RA Web
ECA-10947 - Remove hardcoded DB name in mysql-privileges.sh
ECA-10952 - Extract AD group membership from PAC (MSAE)
ECA-10959 - Add PKUP in View Certificates
ECA-10961 - Changes in external properties are not detected sufficiently fast
ECA-10969 - CryptoToken page: Add IDs to the form elements so that test automation can identify them unambiguously
ECA-10976 - Shortened IPv6 Parsing Errors in 7.9.0
ECA-10988 - p11ng: implement better detection for vendor-specific behaviour
ECA-10992 - Add option to enforce HTTPS client authentication for ACME
ECA-10999 - Allow MSAE LDAP queries to follow LDAP referrals
ECA-11008 - Merge P11NG changes from SignServer
ECA-11012 - Request: Add new Index to create-index-ejbca.sql
ECA-11049 - Configurable non-expired preproduced OCSP responses
ECA-11052 - Improve error handling of EjbcaWS.cvcRequest
ECA-11059 - Improve error message for future revocation date (RA-Web)
ECA-11060 - RA-Web Change of revocation reason || Rendering conditions
ECA-11061 - Improve /v2/endentity/search pagination and documentation
ECA-11063 - Make SSH source-address field searchable in RA
ECA-11065 - Create placeholder methods for RA Validation of CMP message
ECA-11066 - Signature verification of cmp message in RA
ECA-11067 - Support P10CR request body in cmpclient
ECA-11083 - Add MAC verification to CmpServlet
ECA-11092 - Minor language and UI improvements
ECA-11093 - Move database.useSeparateCertificateTable above database settings in sample config file
ECA-11094 - Validate Certificate status in CMP message
ECA-11120 - Full French language and some GUI localization support, contributed by David Carella of Linagora.
ECA-11124 - Add cache clearing to CMP Servlet and fix test
ECA-11126 - Fix cmp message signature validation in Client Mode
ECA-11131 - Oracle DB grants updated not to require DBA or admin rights
ECA-11139 - Support either of multiple authentication modules in CMP extended validation
ECA-11143 - Add PBMAC1 support for extended CMP validation
ECA-11144 - Add test related for p10cr in CmpExtendedValidationTest
ECA-11145 - Allow CMP CERT_REQ requests in HMAC mode with extended validation
ECA-10401 - Force local key generation option should not be visible in Community
ECA-10799 - Renamed CAs stuck in "List Of Vendor CAs" in EST alias
ECA-10859 - CA imported with empty name
ECA-10874 - Documentation for WildFly 24 specifies PKCS12, while JKS are generated
ECA-10894 - Configure OCSP extensions to always return if configured
ECA-10897 - Azure OAuth OID Approval Prompt with AWS EJBCA Issues
ECA-10919 - REST Certificate search V2 returns totalCert = null when certificates size is 0
ECA-10925 - Special characters in IssuerDN not displayed correctly when reviewing certificate
ECA-10929 - Pkcs12 content for PEM with enrollment with key recovery enabled
ECA-10930 - CMP request without Content-Length returns wrong HTTP status code
ECA-10953 - "Flush item" sometimes flushes a different item from the queue
ECA-10954 - Default rules preset require /administrator/ in REST
ECA-10958 - Saving Service config page takes too long when selecting large number of CAs
ECA-10962 - Execution error when approving certificate in RA Web
ECA-10967 - Concurrent requests to adminweb cause interrupted page loads and uppercase text
ECA-10970 - Key Pair Created In The Wrong Slot For Crypto Token When 2 Tabs Are Open
ECA-10989 - EJBCA CE Test Build Fail (false positive)
ECA-10990 - Delete EE Subject DN Field with Same DN Attribute and Validation merges fields
ECA-10991 - 'Required' has no effect at Key recovery options
ECA-10998 - Use Username and Request ID are missing from RA web
ECA-11004 - ConfigDump import fails when signing CA of SubCA is non-existent
ECA-11005 - NullPointerException in SCEP GetCACert when CA name is incorrect
ECA-11011 - REST max results increase stopped working
ECA-11017 - Adding a CT log with specific usage period causes exception
ECA-11020 - Fix issue with FQDN in SAN for MSAE
ECA-11025 - EndEntity profile Subject field validation runs against the wrong field
ECA-11029 - ClientToolBox creates not correctly DER wrapped OCSP Nonce extension
ECA-11031 - Revisit EndEntityManagementSession TRIM queries
ECA-11033 - Change revocation reason for Pre-cert revocation Service
ECA-11041 - Revocation backdate does not survive approval.
ECA-11042 - Revocation reason PRIVILEGE WITHDRAWN text does not show proper
ECA-11044 - Upgrade apache common-text to 1.10 and commons-lang3 to 3.12.0
ECA-11045 - fix encryptpwd not to require running appsrv
ECA-11047 - Not able to delete soft/p11 cryptotoken (CE Contribution)
ECA-11048 - Revocation backdate/change reason fix for partitioned approval.
ECA-11051 - ACME EAB Issue upgrading from 7.8.2 to 188.8.131.52
ECA-11054 - cmpclient missing libs
ECA-11056 - Publishing is interrupted if one item in queue cannot publish
ECA-11058 - Unable to upload cert file to enable the OCSP responders.
ECA-11068 - configdump - "Use entity e-mail field" checkbox at a RFC 822 Name (e-mail address)
ECA-11073 - REST endpoint profile related issues
ECA-11090 - Updating remote keybindings should generate key names with "-" instead of "_"
ECA-11095 - Make client certificate revocation effective for ACME over peers
ECA-11122 - Remove location header for acme order post-as-get
ECA-11123 - "ejbca.sh cryptotoken list" returns list without details for P11NG Tokens
ECA-11127 - ConfigDump can fail with NPE when importing CMP configuration
ECA-11138 - Fix language file