EJBCA 7.3 Release Notes

The PrimeKey EJBCA team is proud to announce the release of EJBCA 7.3.

With this release, EJBCA supports the standardized version of the ACME protocol. The release also brings a new tool for importing YAML exports from ConfigDump into EJBCA, as well as a new crypto token type for integrating with Azure Key Vault. Additionally, we have implemented CT log sharding based on arbitrary expiration periods and also improved the configuration of OCSP archive cutoff.

Highlights

ACME RFC Support

Up until now, EJBCA has supported IETF draft 12 of ACME. As of March 2019, IETF standardized the ACME protocol as RFC 8555. We are happy to announce that EJBCA now complies with the RFC standard. Having the standardized protocol supported will facilitate usage from an integration point of view as more ACME clients will work "out of the box" and the uncertainty whether the protocol will change again in the future is mitigated.

For a complete list of supported ACME operations and workflow examples, see the latest EJBCA ACME documentation.

ConfigDump Import

You may be familiar with our ConfigDump export tool, used for exporting the current state of your installation in a human-readable (YAML) format. The export tool is useful for auditing purposes and comparing configuration changes made in EJBCA.

The new ConfigDump import feature enables the reversed functionality, importing parts of or a complete configuration from an existing configuration dump.


EJBCA Configdump import CLI

The provided CLI tool allows you to target a configuration for import into EJBCA whether it contains a set of profiles, CAs, a complete configuration, or any other previously exported object. Since the configuration dump itself is human-readable, you can edit the fields in each object (for example, change the subject DN of an end entity profile) before import.

For more information on using the tool, see the ConfigDump documentation.

OCSP Archive Cutoff

The OCSP archive cutoff extension (RFC 6960 section 4.4.4.) was previously configured per EJBCA instance in ocsp.properties, by setting the property ocsp.expiredcert.retentionperiod to the retention period in seconds.

This setting is now configured per CA, by editing the corresponding OCSP key binding. This allows for different archive cutoff settings being used for different CAs. We have also added a setting to base the archive cutoff date on the issuer's notBefore date (instead of the retention period and the producedAt date of the OCSP response) as mandated by ETSI EN 319 411-2, CSS-6.3.10-08.

For more information, see Archive Cutoff and for important notes to be aware of when upgrading, see EJBCA 7.3 Upgrade Notes.

Certificate Transparency Sharding

It is now also possible to define a validity interval accepted by Certificate Transparency (CT) log servers. The new setting allows limiting the scope of acceptable certificates to a date range and is configured in the CA Web, under System Configuration > Certificate Transparency Logs, by editing an existing CT log.

For more information on Sharded CT logs, see Certificate Transparency.

Azure Key Vault Crypto Token

Microsoft Azure provides a cloud "Key Vault" for HSM storage of cryptographic keys. As of EJBCA 7.3, Azure Key Vault can be set up as a Crypto Token in EJBCA, leveraging the advantages of cloud-stored keys. For detailed information and configuration instructions, see the EJBCA Cloud Azure Key Vault Integration Guide.

Upgrade Information

Review the EJBCA 7.3 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 7.3, refer to our JIRA Issue Tracker.

Resolved Issues in EJBCA 7.3.0

Released October 2019

New Features

ECA-7278 - Initial support for Azure Key Vault as EJBCA Crypto Token

ECA-8039 - Make OCSP Archive cutoff configurable in the CA UI, for all OCSP responses, and with (optional) static date (CA notBefore)

ECA-8236 - CA/Browser Forum Organization Identifier Field certificate extension (OID: 2.23.140.3.1) for PSD2 certificates

ECA-8371 - Add RA proxying to get global configurations

ECA-8372 - Get GlobalAcmeConfiguration over peer

ECA-8379 - EST support in Statedump

ECA-8390 - Convert caaIdentities URLs to IDN (ASCII) for ACME processing

ECA-8402 - Update SCEP GetCACaps return message to scep draft23

ECA-8403 - SCEP: set default hash algorithm to SHA-256 and support 3DES as response message encryption

ECA-8438 - Create Configdump EJB interface

ECA-8439 - Create configdump import CLI command

ECA-8440 - Add EJBCA version field to Configdump exports

ECA-8449 - Overwrite option for Configdump CLI: Replace/Update/Leave

ECA-8461 - Add the ability to view queued items in the CA web

ECA-8517 - Configdump import of Custom Certificate Extensions

ECA-8518 - Configdump import of Extended Key Usages

ECA-8519 - Configdump import of Internal Key Bindings

ECA-8520 - Configdump import of Publishers

ECA-8521 - Configdump import of Services

ECA-8522 - Configdump import of Certification Authorities

Tasks

ECA-7435 - Java 11: ClassNotFoundException: org.apache.geronimo.osgi.locator.ProviderLocator from WS Tests

ECA-8277 - clientToolBox uses the ext dir, which no longer exists in Java 11

ECA-8380 - ACME: QA Testing of ACME Changes

ECA-8405 - Documentation: Clarify CMP concurrent request to same user fails

ECA-8453 - Update some external dependencies

ECA-8454 - Update the last MySQL5Dialect to MySQL5InnoDBDialect in (old) external RA

ECA-8459 - Webtests: Add platform verification feature

ECA-8474 - Documentation: Add database driver and DataSource for PostgreSQL

ECA-8500 - QA Testing 7.3

ECA-8526 - System Test Investigation: EE_COS7_OpenJDK8_WF10_NOHSM_MSSQL2017

Improvements

ECA-7596 - Unification and consolidation of dockers' shell scripts

ECA-8073 - Include key information in ConfigDump

ECA-8247 - Allow CT logs to pick sharding by period

ECA-8273 - acme: Reduce code duplication

ECA-8329 - Clean up language files (Hard Token)

ECA-8330 - GUI: Rename all "Administrator Role" to "Role"

ECA-8335 - Update ACME authorization resources to RFC 8555 compliance

ECA-8336 - Update ACME 'revokeCert' resource to RFC 8555 compliance

ECA-8337 - Update ACME 'directory' resource to RFC 8555 compliance

ECA-8338 - Update ACME certificate resources to RFC 8555 compliance

ECA-8339 - Update ACME 'newAccount' resource to RFC 8555 compliance

ECA-8340 - Update ACME account resources to RFC 8555 compliance

ECA-8341 - Update ACME order resources to RFC 8555 compliance

ECA-8342 - Update ACME 'keyChange' resource to RFC 8555 compliance

ECA-8346 - Include references to the sql scripts available in the documentation.

ECA-8347 - Update ACME 'newNonce' resource to RFC 8555 compliance

ECA-8350 - Implement 'revokeCert' resource authorization for an ACME account holding all of the identifiers in the certificate

ECA-8356 - Exceptions caught by the EST servlet are not logged properly

ECA-8370 - Update ACME challenge response resource to RFC 8555 compliance

ECA-8397 - Update ACME documentation to RFC 8555 compliance

ECA-8399 - Remove ACME 'challenge' GET resource

ECA-8401 - Display a fingerprint of the imported Statedump after it has been imported in the CA web

ECA-8406 - Give a proper error message when using an attributes file for Client Toolbox in EJBCA

ECA-8409 - Select the correct attribĂștes file when editing a crypto token

ECA-8413 - Include the configured OCSP archive cutoff extension in all OCSP responses, not only for expired certs

ECA-8422 - Add CLI functionality for listing and editing OCSP extensions

ECA-8441 - Add import to ConfigdumpCore

ECA-8442 - Add YamlReader class

ECA-8443 - Add PoC for import of one object type in ConfigdumpSessionBean

ECA-8444 - Add import of important objects types in ConfigdumpSessionBean

ECA-8445 - Add import in configdump dump handlers

ECA-8446 - Create functional test (system test) for configdump import

ECA-8447 - CLI test for Configdump

ECA-8466 - ACME test suite re-factorings

ECA-8468 - Only report when available upstream RA peers changes

ECA-8475 - ACME end point test coverage

ECA-8477 - Add import of End Entity Profiles in Configdump

ECA-8478 - Configdump import of roles

ECA-8481 - Add implementation version in jar files to CAA cli tool, and other tools

ECA-8482 - Fix call of ACME operations with explicit ACME alias

ECA-8490 - Configdump import of Certificate Profiles

ECA-8502 - Create test for CaImportMsCaCertificates (import dump file created by certutil)

ECA-8513 - Sort items in list boxes on the role_edit.xhtml page in alphabetic order

ECA-8523 - Print CRL and public key when CRL fails to verify

ECA-8525 - Test of configdump import of Publishers

ECA-8527 - Option to export defaults in Configdump

ECA-8528 - Configdump documentation

ECA-8529 - AzureCryptoToken: Fix missing html ID and log if password is empty

ECA-8537 - Test of Configdump import of Internal Key Bindings

ECA-8543 - Exclude configdump import from ziprelease

Bug Fixes

ECA-7320 - CN from CSR not loaded correctly when "Changing a CSR"

ECA-7486 - EEP default Token type selection doesn't work on RaWeb enrollmakenewrequest page

ECA-7739 - Using a certificate profile template does not select the correct fields

ECA-7849 - Regression: foot_banner not used

ECA-7947 - Unused access rules are saved in basic mode

ECA-8033 - For configdump, allow it to skip past CAs waiting for a response and complete.

ECA-8099 - CA created with "Signed By External CA" has Serial Number Octet Size -1

ECA-8232 - IPv6 RFC compliant HREF links in EJBCA

ECA-8307 - CryptoTokenData: P11CryptoToken row entry touched/updated without need

ECA-8319 - "clientToolBox PKCS11HSMKeyTool linkcert" command should work according to ICAO 9303

ECA-8320 - SCP Publisher uses managing admin to sign payload

ECA-8322 - CertificateCrlReader does not handle revocation publications correctly

ECA-8323 - Fix findbugs warnings

ECA-8325 - CMP Configuration UI issues

ECA-8326 - CryptoToken.getPublicKey return javadoc differs from implementation

ECA-8344 - Jenkins job EE_COS7_OpenJDK8_WF10_NOHSM_DB2 cannot find DB2 Express-C docker image

ECA-8345 - Jenkins failing test 'org.ejbca.core.model.services.worker.CertificateCrlReaderSystemTest.testReadCertificateFromDisk'

ECA-8354 - First column not displayed when running the script language-tool.sh -s

ECA-8360 - Generated CRL Distribution Point and Issuer do not show correct DN

ECA-8375 - Regression: Failing Selenium test EcaQa206_CRLPartitionsIncorrectSettings

ECA-8383 - Reference lib.jpa.classpath not found when building cmpProxy for Tomcat.

ECA-8391 - New EST alias fields missing from ConfigDump export

ECA-8407 - User is asked to confirm slot re-use when editing an existing PKCS#11 crypto token

ECA-8410 - Set EJBCA_HOME in ejbca.sh if not set already

ECA-8411 - CRL is stored in publisher queue even if direct publishing is successful

ECA-8412 - PublishQueueProcessWorker always reports a NO_ACTION ServiceExecutionResult

ECA-8419 - Jenkins failing test 'org.ejbca.core.ejb.ProfilingTest.retrieveStats'

ECA-8420 - Jenkins failing test 'org.ejbca.core.ejb.upgrade.UpgradeSessionBeanTest.testUpgradeOcspExtensions6120'

ECA-8423 - Update Muehlbauer WS for removed Hardtoken

ECA-8426 - Trim CT log URLs

ECA-8428 - EST Name Generation USERNAME option gives error message when client username not set

ECA-8433 - Add placeholder to ejbca resourses CMP error message

ECA-8434 - OCSP Extensions are temporarily saved, even when the Save button is not clicked

ECA-8435 - Some CA lists in RA Web is sorted case sensitive

ECA-8436 - Caching issue with PSD2 fields in RA-web

ECA-8457 - Database protection broken on existing installations

ECA-8464 - EST configuration in Admin UI is not cleared when navigating away from the page

ECA-8465 - MSSQL Jenkins job (DB collation has to support case sensitivity)

ECA-8470 - Regression: GUI doesn't render "</br>" correctly for view certificate screen

ECA-8479 - Crypto token manage page checks for wrong permission

ECA-8484 - RA enrollment returns older certificate when validation fails

ECA-8485 - Legacy External RA not working with Wildfly 14 because of problem with the hibernate provider.

ECA-8486 - NPE when you click on 'Export selected' without selecting anything on Manage End Entity Profile page

ECA-8488 - L10n: Typo in English language

ECA-8492 - Importing Microsoft CA fails using ejbca.sh

ECA-8504 - Inconsistency when creating roles in CA web and RA web

ECA-8506 - Add missing textfield id for textfieldsharedcmprasecret

ECA-8509 - Regression: EJBCA Ignores CryptoToken Selection While Creating CA When Using the Default Key Option for the CertSignKey

ECA-8514 - RA Web incorrectly claims that role has members

ECA-8515 - Peer connector missing permissions when Approval management is set

ECA-8532 - Allow subject DN override and allow extension override is not honoured in the REST API

ECA-8538 - Regression: exception clicking on "Clear caches" button

ECA-8540 - Configdump error when exporting new unmodified ACME alias

ECA-8541 - Missing setters and unhandled nulls cause errors in Configdump

ECA-8542 - Fix configdump warning when importing certain End Entity Profiles

Resolved Issues in EJBCA 7.3.0.1

Released 30 October 2019

New Features

ECA-8530 - Add CLI support for EST config enhancements

ECA-8554 - Configdump import of EST Configuration

ECA-8606 - EJB CLI command for controlling enabled protocols

Tasks

ECA-8582 - Resolve circular dependency between Certification Authority and Certificate Profile

ECA-8583 - Detect early on if export versions are compatible with current software version

ECA-8602 - Review and update configdump documentation as needed

ECA-8637 - Security: Upgrade external dependency

ECA-8650 - Security: Upgrade external dependency

Improvements

ECA-8396 - System test for P11NG

ECA-8572 - Prevent NPE in PeerPublisher if Peer Connector does not exist

ECA-8574 - Profile edit notification

ECA-8580 - Option to disable adding of new nodes to GlobalConfiguration

ECA-8584 - Detect and prompt for all passwords that will be used during import

ECA-8585 - Add link to Apple CT log list to admin GUI, in addition to Googles

ECA-8586 - Improve documentation for Managing CAs

ECA-8589 - CA Life Cycle JSF rendering conditions are wrong

ECA-8591 - Do not print stack trace in CLI when application server is not running

ECA-8593 - Add more detailed error message to clientToolBox certreq command when csr can not be read or directory is invalid

ECA-8600 - Check ConfigDump for unused/unimplemented code

ECA-8601 - Normalize configdump/src-cli

ECA-8604 - Refactor ConfigDumpImportItem and BaseCrud

ECA-8609 - Remove replace option in Configdump

ECA-8611 - Improve configdump error handling

ECA-8612 - Auto-resolve configdump references after import

ECA-8613 - ConfigdumpException should result in rollback

ECA-8614 - Configdump flag to control non-interactive behavior

ECA-8626 - Update PMD scan pipeline to use warnings-ng plugin syntax

ECA-8642 - Improve detection of current software version for Configdump Import

ECA-8646 - Change session timeouts to 15 minutes for PCI DSS compliance

Bug Fixes

ECA-8544 - P11 slot is already used warning displayed incorrectly

ECA-8553 - Importing CA hierarchies in Configdump not always working

ECA-8578 - REST API certificate search for active certificates do not include certificates notified about expiration

ECA-8595 - ant clean does not clean ra-gui or batchenrollment-gui modules

ECA-8596 - Delta CRL is not generated correctly when a certificate is released from hold

ECA-8597 - Link to delta CRL in CA web fetches base CRL instead

ECA-8605 - EJBCA 7.3.0 and ACME with cleartextpassword

ECA-8617 - Exclude tests for org.cesecore.keys.token.p11ng from non-eidas release

ECA-8620 - Default OCSP responder always sends "Unknown" for non-existing CA, regardless of settings

ECA-8623 - Use correct port override in EST alias systemtest

ECA-8624 - Disabling node tracking prevents local clear cache

ECA-8625 - p11ng cache not cleared on token reactivation

ECA-8641 - Improve configdump error message when write access is denied

ECA-8647 - Fix configdump import of Certificate Policy in Certificate Profile

ECA-8655 - Ordering of role members varies in Configdump exports

ECA-8661 - ACME newOrder fails due to lack of access to EEP or other failed assumption

ECA-8662 - problem importing Scep configuration with configdump

ECA-8663 - ConfigDump Import: PKCS12 key store mac invalid