EJBCA 7.4.1 Release Notes
The PrimeKey EJBCA team is pleased to announce the release of EJBCA 7.4.1.
With this release, we have implemented Microsoft Intune Device Enrollment support, allowing devices to be set up to directly request certificates from the EJBCA RA. This release also brings the ability to have Multiple DVCAs with the same Holder Country and Mnemonic.
Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.
Highlights
Microsoft Intune Device Enrollment
Intune is Microsoft's cloud-based device management solution, and EJBCA can be configured as the CA backend to allow devices to enroll for certificates. Intune support has previously been provided through a 3rd party connector, but from EJBCA 7.4.1 devices can be set up to directly request certificates from the EJBCA RA. This is set up using SCEP aliases, and we provide a guide for setting up your enterprise for Intune Device Enrollment from start to finish.
Ability to have Multiple DVCAs with the same Holder Country and Mnemonic
In the context of CV certificates, EJBCA has traditionally used the holder mnemonic and requesting country code to build the Subject DN, causing a uniqueness constraint. EJBCA 7.4.1 allows multiple DVCAs to share the same country and mnemonic fields. For more information, see Managing CVC CAs.
Security Issue
As a part of standard testing, we found a minor security issue which has been fixed in this version of EJBCA. When employing a client certificate to authenticate an EST client, we've discovered that no check is performed on the status of this certificate, allowing a revoked client to still request certificates over EST. The vulnerability only affects EST, and can be mitigated by removing the affected client certificate from the roles which allows it to perform enrollments. This vulnerability will be published as a CVE two weeks following the release of EJBCA 7.4.1 and the distribution of security announcements to customers.
Upgrade Information
Review the EJBCA 7.4.1 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.
EJBCA 7.4.1 is included in EJBCA Hardware Appliance 3.5.3 and EJBCA Cloud 2.3 and can be deployed as EJBCA Software Appliance.
Change Log: Resolved Issues
For full details of fixed bugs and implemented features in EJBCA 7.4.1, refer to our JIRA Issue Tracker.
Issues Resolved in 7.4.1
New Features
ECA-9244 - Allow the SCEP SSB to verify messages from Intune
ECA-9248 - Add option to certificate serial number generator to use a FIPS/SP800 BC hybrid entropy source
ECA-9250 - Modify ziprelease command to not include the SSH module by default
ECA-9251 - Review implementation of the SSH CA
ECA-9252 - Modifications to End Entity and Certificate Profiles for SSH Certificates
ECA-9253 - Review implementation of SSH Public Keys
ECA-9254 - Review implementation of SSH Certificates
ECA-9255 - Review implementation of SSH-related WS methods
ECA-9265 - Add REST stress test command to clientToolBox
Improvements
ECA-8432 - OCSPkeyBinding Default Responder DB Queries
ECA-8787 - Add the ability to have multiple DVCAs with the same holder country and mnemonic
ECA-9211 - Optionally include certificate chain in /pkcs10enroll response
ECA-9275 - Database protection compatibility code should skip automatic upgrade
ECA-9283 - SSH Implementation improvements
ECA-9289 - Allow validity changes for SSH certificate profiles
ECA-9293 - SSH Implementation remaining TODOs
ECA-9294 - Microsoft Intune feature documentation
ECA-9295 - Make sure all files under the ssh module have the Enterprise license header
ECA-9299 - Remove unneeded values from intune configuration
ECA-9319 - Add CVC WS system test how to renew a domestic DV from a CVCA in the same instance
Bug Fixes
ECA-9170 - SecureXmlDecoder cannot deserialize enums created in Java 6
ECA-9206 - Prevent peer system from being removed when referenced by a publisher
ECA-9217 - ACME http challenge validation process fails when the server redirects to HTTPS
ECA-9278 - SHA512withRSAandMGF1 cannot be used by JackNJI11
ECA-9291 - Incorrect encoding of critical options for SSH certificates
ECA-9296 - SSH values still show up in end entity profiles even if SSH module is not present
ECA-9298 - Security Issue
ECA-9314 - Regression: "Key already in use" functionality stopped working on CA page
ECA-9326 - SCEP approvals only works with soft Crypto Tokens, not HSM.