APRIL 2023

The EJBCA team is pleased to announce the release of EJBCA 7.12. This release adds support for CRL Invalidity Date in CRL entries as well as performance improvements and bug fixes.

Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.

Highlights

CRL Invalidity Date

EJBCA now supports CRL Invalidity Date, a non-critical CRL entry extension that lets administrators record, for a CRL entry, the date on which it is known or suspected that the private key was compromised.

For more information on the CRL Invalidity Date extension, see CRL Generation or refer to RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (section 5.3.2).
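
The wire format of this extension as defined in RFC 5280 section 5.3.2, shown as an added example that is not EJBCA code and not part of the original release notes. The function names, the sample dates and the helper that flags signatures made between the invalidity date and the revocation date are assumptions made for illustration.

```python
from datetime import datetime, timezone

OID_INVALIDITY_DATE = bytes.fromhex("551d18")  # 2.5.29.24 (id-ce-invalidityDate)

def tlv(tag, body):
    """DER-encode one element; short-form lengths suffice for this extension."""
    if len(body) > 127:
        raise ValueError("long-form length not needed here")
    return bytes([tag, len(body)]) + body

def encode_invalidity_date(when):
    """Build the CRL entry Extension for an aware datetime (constructed input)."""
    zulu = when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode()
    # 'critical' is omitted: DER drops DEFAULT FALSE, and the extension is non-critical.
    return tlv(0x30, tlv(0x06, OID_INVALIDITY_DATE) + tlv(0x04, tlv(0x18, zulu)))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos), rejecting truncated or long-form input."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or unsupported length")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated value")
    return buf[pos], buf[pos + 2:end], end

def parse_invalidity_date(ext_der):
    """Return (critical, datetime in UTC) for an invalidityDate Extension."""
    tag, body, end = read_tlv(ext_der, 0)
    if tag != 0x30 or end != len(ext_der):
        raise ValueError("not a single Extension SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or oid != OID_INVALIDITY_DATE:
        raise ValueError("not id-ce-invalidityDate")
    tag, value, pos = read_tlv(body, pos)
    critical = False
    if tag == 0x01:  # optional BOOLEAN; a conforming issuer leaves it out
        critical = value != b"\x00"
        tag, value, pos = read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("extnValue OCTET STRING expected")
    tag, gt, end = read_tlv(value, 0)
    if tag != 0x18 or end != len(value) or len(gt) != 15 or not gt.endswith(b"Z"):
        raise ValueError("GeneralizedTime must be YYYYMMDDHHMMSSZ")
    when = datetime.strptime(gt.decode("ascii"), "%Y%m%d%H%M%SZ")
    return critical, when.replace(tzinfo=timezone.utc)

def suspect_before_revocation(signed_at, revocation_date, invalidity_date):
    """True when a signature predates revocation but not the suspected compromise."""
    return invalidity_date <= signed_at < revocation_date
```

A relying party can use the parsed date to review signatures that validated at the time because they were made before the entry's revocation date.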

Announcements

Deprecations

The following legacy functionality in EJBCA is now deprecated and will be removed in the next major release:

  • Asynchronous CMP Proxy - Customers previously using the CMP Proxy are advised to migrate to RA Validation of CMP messages in a peer-connected CA/RA setup. For more information, see CMP Proxy.
  • Asynchronous SCEP Proxy - The external RA SCEP server functionality is deprecated. We recommend proxying SCEP requests synchronously through an RA using Peers instead. For more information, see Legacy External RA SCEP Server.
  • End Entity printing functionality - For more information, see Printing of User Data.
  • CMS signing for Audit Logs - Customers are advised to use the built-in Integrity Protected Security Audit Log or external tools for audit log signing. For more information, see Signing Exported Log Files.
  • ECDSA Implicitly CA - Implicitly CA parameters are not the same as explicit parameters and using implicit CA parameters is rare and not useful in practice. For more information, see ECDSA Keys and Signatures.

Upgrade Information

Review the EJBCA 7.12 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 7.12 is included in EJBCA Hardware Appliance 3.11.3, EJBCA Software Appliance 2.3.3 and EJBCA Cloud 3.1.0.

Change Log: Resolved Issues

The following lists fixed bugs and implemented features in EJBCA 7.12.

Issues Resolved in 7.12

Released April 2023

New Features

ECA-11253 - New column in CertificateData in invalidityDate

ECA-11254 - Add support for CRL extension "Invalidity Date"

ECA-11255 - Extend revocation REST endpoint with invalidity date

ECA-11256 - CRL generation with invalidity date

ECA-11304 - Add checkbox in Edit CA: "Allow invalidity date"

ECA-11322 - Modify the order of certificate extensions in a Certificate Profile

ECA-11411 - Support SCEP RFC8894 CACaps with AES plus RSAES-OAEP

Improvements

ECA-11334 - EC Certificate Issuance Performance Issues

ECA-11336 - Display invalidity date in RA-web search certificate view

ECA-11354 - Update to commons-fileupload-1.5.jar due to CVE-2023-24998

ECA-11379 - Unnecessary resize required during clone of HashMap in EndEntityProfile

ECA-11415 - Add ServletFileUpload.setFileCountMax in request_result.jsp

Bug Fixes

ECA-10286 - IPv6 addresses are not parsed from CSRs

ECA-10703 - Improving the log entry when publishing CRL but not storing them in db

ECA-11175 - Nullpointer when refreshing OAuth bearer token

ECA-11238 - Upgrade to 7.11.0 and Manage Requests generated an error

ECA-11240 - ClientToolBox OCSP command fails if server is configured to use nonce

ECA-11259 - Null Pointer Exception when doing configdump.sh import (p11ng)

ECA-11272 - Unable to create/handle Authenticated CSRs

ECA-11277 - Marshalling error in 7.11 with cvcRequest

ECA-11281 - CRL Updater Service Skip CA if Token Offline

ECA-11299 - Certificate view in CA UI via managed Peer cannot be closed

ECA-11301 - Cache reload causing Java out of memory error

ECA-11303 - Peer Connector - Unable to generate DH keys

ECA-11310 - Regression: p11ng module missing from ejbca-ejb-cli

ECA-11317 - Process ACME wildcard certificates in order state ready

ECA-11325 - Configdump does not allow names with slashes

ECA-11347 - Preserve SAN order when enrolling (est and others).

ECA-11351 - ejbca.sh is ignoring p11ng when importing a CA

ECA-11357 - MSAE Alias - Removing template mapping always removes the top row

ECA-11358 - MSAE "The connection test succeeds." if the default password wasn't changed

ECA-11360 - Certificate Search by Serial Number is timing out

ECA-11365 - Remote Internal Key Binding Updater service renews certificate that expires with the CA

ECA-11371 - Upgrade breaks ACME Aliases where RA Name Generation Scheme = RANDOM

ECA-11374 - Security Issue (Update library kerby-asn1)

ECA-11375 - Security Issue (Update library kerb-core)

ECA-11383 - NPE when viewing certain certificates with Private Key Usage Period extension

ECA-11384 - Static date strings fail in non UTC

ECA-11389 - ADConnectionSingletonBean - could not obtain lock within 5000MILLISECONDS

ECA-11393 - REST end entity management v2 looks to be available in Community

ECA-11403 - In "Edit CA" page "Make certificate request" button is broken

ECA-11408 - Supporting dashes in SCEP Alias names