MAY 2021

The PrimeKey EJBCA team is pleased to announce the release of EJBCA 7.5.0.1. (EJBCA 7.5.0 was an internal release, not generally available for customers.)

The primary focus of this release has been integration with other elements of the PKI ecosystem, not least the full integration of Microsoft Auto-enrollment into the EJBCA RA and support for authenticating to the CA and RA UIs and the REST API through OAuth.

Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.

Highlights

Microsoft Auto-enrollment Integration

Until now PrimeKey has supplied an Auto-enrollment proxy in order to allow customers to integrate single domain Microsoft PKIs with EJBCA as a backend.

From version 7.5, EJBCA has Microsoft Auto-enrollment support fully integrated, which not only removes the need for a proxy but also eliminates the need for a Certificate Enrollment Policy server or Certificate Enrollment Server, with the EJBCA RA being the point of first contact for enrolling clients. EJBCA 7.5 also supports multiple forests, letting all your domains integrate into a single PKI through the same endpoint. For more information, see Microsoft Auto-enrollment Overview.

With the new Microsoft Auto-enrollment integration in EJBCA 7.5, we are announcing end of sale and end of support for the former PrimeKey Auto-enrollment proxy.

  • End of sale as of EJBCA Enterprise 7.5.
  • End of support and maintenance in May 2022.

OAuth Authentication to the EJBCA CA and RA UIs and REST API

In addition to the classic client certificate authentication for the CA and RA UIs and the REST API, EJBCA 7.5 now supports access through an OAuth provider over OpenID. So far we have tested and confirmed authentication using Keycloak and Azure Active Directory.

ACME External Account Bindings

Long requested, we have implemented ACME External Account Bindings in accordance with RFC 8555 section 7.3.4. External Account Bindings allow the client to present a unique ID that is associated with its ACME account, and in our implementation we associate that ID with each issued certificate for easy lookup later. In addition to authenticating the ID using a MAC as specified in the RFC, we also allow a signature from a locally issued certificate to be used instead.

For more information on managing ACME External Account Bindings in EJBCA, see ACME.
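The following is an added illustration of the MAC-based binding from RFC 8555 section 7.3.4 described above; it is not EJBCA's own code, and the key identifier, MAC key, account JWK and URL are constructed sample values. It shows how a client builds the externalAccountBinding JWS and which checks a CA or RA performs before binding the external ID to the new account:

```python
import base64
import hashlib
import hmac
import json

# JOSE "alg" names to HMAC digests; RFC 8555 7.3.4 restricts EAB to MAC-based algorithms.
MAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_eab(kid: str, mac_key: bytes, account_jwk: dict, url: str, alg: str = "HS256") -> dict:
    """Client side: wrap the ACME account public key in a JWS keyed with the CA-issued MAC key."""
    header = {"alg": alg, "kid": kid, "url": url}          # no "nonce" in an EAB header
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    sig = hmac.new(mac_key, f"{protected}.{payload}".encode(), MAC_ALGS[alg]).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(sig)}

def verify_eab(eab: dict, outer_jwk: dict, outer_url: str, keys: dict) -> str:
    """Server side: return the bound kid, or raise ValueError for the first check that fails."""
    header = json.loads(b64url_decode(eab["protected"]))
    alg = header.get("alg")
    if alg not in MAC_ALGS:
        raise ValueError("EAB alg must be MAC-based")
    if "nonce" in header:
        raise ValueError("EAB protected header must not carry a nonce")
    if header.get("url") != outer_url:
        raise ValueError("EAB url does not match the newAccount request url")
    kid = header.get("kid")
    if kid not in keys:
        raise ValueError("unknown EAB key identifier")
    signing_input = f"{eab['protected']}.{eab['payload']}".encode()
    expected = hmac.new(keys[kid], signing_input, MAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        raise ValueError("EAB MAC verification failed")
    if json.loads(b64url_decode(eab["payload"])) != outer_jwk:
        raise ValueError("EAB payload does not match the account key in the outer JWS")
    return kid

# Constructed sample values (not real credentials): kid and MAC key handed out by the CA out of band.
EAB_KEYS = {"kid-1234": b"constructed-demo-mac-key-do-not-use"}
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
NEW_ACCOUNT_URL = "https://ca.example.test/acme/new-account"

if __name__ == "__main__":
    eab = build_eab("kid-1234", EAB_KEYS["kid-1234"], ACCOUNT_JWK, NEW_ACCOUNT_URL)
    print("account bound to external ID:", verify_eab(eab, ACCOUNT_JWK, NEW_ACCOUNT_URL, EAB_KEYS))
```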

EST Client Mode

We have added Client Mode to EST, matching what already exists for CMP and SCEP. Unlike RA Mode, Client Mode only allows issuance against previously created end entities and does not automatically enroll new ones. This workflow suits IoT use cases, where a limited, known set of devices needs to enroll to your PKI.

HSM support for Ed25519 and support for AWS Cloud HSM

In addition to the existing software support for the Ed25519 and Ed448 signature algorithms, support has been added for using Ed25519 with selected HSMs, starting with nCipher nShield, Thales Luna and SoftHSMv2. This support is only available when using P11-NG Crypto Tokens in EJBCA. In conjunction with this, EJBCA is now fully compatible with AWS CloudHSM.

Compliance 

OCSP Support Updated to Conform to RFC 8954

We have updated our OCSP responder to conform with the clarifications specified in RFC 8954, specifically in how EJBCA handles client-generated nonces.

eIDAS Compliance

  • Support has been added in the CA UI for easy editing of the new Legislation Country QC Statement as specified in ETSI EN 319 412-5 v2.3.1 section 4.2.4.
  • Support for multiple Semantics Identifiers in a single certificate, i.e. specifying both the EN 319 412-1 Natural Person and Legal Person identifiers at the same time.
  • CAs can now be configured to automatically generate a CRL upon revocation.

CA/Browser-Forum Compliance

Ballot SC44 limits the HTTP redirect status codes that complying CAs may accept. These changes are planned for EJBCA version 7.6, due at the end of May.

Upgrade Information

Review the EJBCA 7.5 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 7.5.0.1 is available on EJBCA Hardware Appliance 3.7.1 and EJBCA Cloud 2.6.1 and can be deployed as EJBCA Software Appliance.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 7.5, refer to our JIRA Issue Tracker.

Issues Resolved in 7.5.0.1

Released May 2021

New Features

ECA-6630 - Create YAML export for CMP configuration

ECA-6689 - Not possible to issue CA certificates through the RA web

ECA-9441 - Implement support for a keystore using FIPS compliant algorithms

ECA-9484 - Support for Ed25519 in P11NG

ECA-9490 - General Account Binding (GAB)

ECA-9491 - ACME External Account Binding (EAB)

ECA-9492 - ACME EAB Configuration UI

ECA-9494 - ACME EAB Implementation as specified in RFC8555

ECA-9495 - ACME EAB Implementation for public key signature validation

ECA-9500 - Add support for new eIDAS QC statement esi4-qcStatement-7, Legislation

ECA-9525 - Optionally, add cache header for OCSP unauthorized response

ECA-9527 - Add Role as standard DN field

ECA-9550 - Prevent deployment of EJBCA after a hardcoded date

ECA-9561 - ACME IP Identifier Validation http-01 Challenge

ECA-9572 - Create MSAE Servlet module in EJBCA

ECA-9633 - Support Thales DPoD

ECA-9671 - Option to disable http-01 challenge for ACME wildcard certificates

ECA-9696 - Make the ACME order validity configurable

ECA-9724 - Add XCEP implementation in the msae package

ECA-9737 - Add EST client mode

ECA-9738 - CLI support to create new Crypto Token with Azure key vault (ejbca.sh ca cryptotoken)

ECA-9762 - Read token and give access (RA Web)

ECA-9767 - Add MS Intune Azure Active Directory authentication URL to SCEP alias

ECA-9771 - Add Intune verification Auth. URL to SCEP alias configuration

ECA-9780 - Add MSAE to protocol configuration

ECA-9816 - Add Intune resource URL and Graph related fields to SCEP alias configuration and mask app key field

ECA-9817 - Add CRL generation upon revocation and configdump

Epics

ECA-9005 - Integrate Microsoft Autoenrollment (MSAE) into the EJBCA RA

ECA-9624 - OAuth Support

ECA-9716 - CRL Generation upon revocation

Improvements

ECA-4750 - Change default configuration of User Notice text to use UTF-8

ECA-7391 - Only show CA-related approvals in CA Web (and vice versa)

ECA-7844 - The space before the Validator name is not trimmed

ECA-8350 - Implement 'revokeCert' resource authorization for an ACME account holding all of the identifiers in the certificate

ECA-8705 - Deleting items with dependencies

ECA-8940 - Make P11-NG an optional provider for EJBCA

ECA-9006 - Certificate Template Enrollment Authorization Bypass

ECA-9282 - Replace outmoded language in EJBCA

ECA-9361 - Add "Flush" and "Republish" to publisher queue view

ECA-9378 - Improve the error logging for OCSP response generation

ECA-9475 - Make REST search result limit rely on global config

ECA-9489 - Add support for key unwrapping in P11-NG provider

ECA-9526 - Fix OWASP job in Jenkins

ECA-9532 - ACME system test failures

ECA-9533 - ACME EAB config dump

ECA-9540 - Selenium setup script fails in EJBCA CE

ECA-9554 - Update nimbus-jose-jwt-8.19.jar to latest release 9.1.2

ECA-9573 - Invoke RaMasterApi from MSAE Servlet

ECA-9600 - Documentation improvement: E-mail Notification Configuration in EEP

ECA-9608 - Separate CP5 functionality from regular P11 in P11-NG

ECA-9611 - ACME EAB UI layout and code convention improvements

ECA-9612 - Log which CMP message type is received

ECA-9613 - Improve ACME EAB ConfigDump

ECA-9626 - Add selenium tests for ECA-8705

ECA-9627 - Improve ACME EAB Implementation for public key signature validation GUI

ECA-9628 - Issue a qualified certificate with multiple Semantics Identifier (OIDs)

ECA-9629 - Library upgrade in MSAE Servlet

ECA-9646 - Re-enable OAuth configuration in CA UI

ECA-9657 - Configure Keycloak login url

ECA-9664 - MSAE Servlet Kerberos authentication

ECA-9667 - Fix failing unit tests in Jenkins

ECA-9670 - Improve Documentation: Remove meaningless instruction in REST example script

ECA-9673 - Change Kerberos configuration at runtime

ECA-9687 - Improve clean up of ACME nonce data

ECA-9701 - Make it possible to query different AD machines from EJBCA server.

ECA-9704 - OAuth login page for RA UI

ECA-9715 - Improve caching for Azure Crypto Token

ECA-9718 - Unit test for OAuth request

ECA-9720 - Minor UX improvements for OAuth

ECA-9728 - Query AD Policies from XCEP Service

ECA-9729 - Encrypt ACME EAB symmetric key

ECA-9730 - Make the CES (MSAE) implementation a Java WebService

ECA-9731 - Option to use SSL / TLS AD connection in MSAE

ECA-9732 - UI Configuration for MSAE

ECA-9753 - Merge CertUtils and CertTools

ECA-9754 - Convert AD time format to Java

ECA-9761 - Fix JSF dynamic UI components update of value range

ECA-9766 - Replace static list of AD Templates in MSAE UI Configuration

ECA-9772 - Refactor MSAE AD Connection

ECA-9773 - CEP Service: Invoke AD connection from external package

ECA-9774 - CES Service: Invoke AD connection from external package

ECA-9775 - Create unit tests for MSAE ASN1 helper class

ECA-9784 - Add default P11 provider path for AWS CloudHSM

ECA-9785 - Rename PKCS#11 CP5 to PKCS#11 NG in crypto token driver select list

ECA-9796 - Add a CLI command to view detailed information about an OAuth provider

ECA-9804 - MSAE UI option for policy name

ECA-9811 - Support SHA256 and SHA512 RSA signatures for certificates issued by RSA based SSH CAs

ECA-9835 - Read AD templates dynamically from CESService

ECA-9838 - REST End Entity Management enabled by default

ECA-9845 - Try to authenticate using OAuth when client certificate authentication fails

ECA-9846 - Pin OAuth role members to a specific provider

ECA-9858 - Support SHA224WithECDSA in P11-NG

ECA-9875 - REST unable to pkcs10Enroll when EE profile uses auto generated password

ECA-9878 - ACME pre-authorization system test

ECA-9894 - Allow usage of JWK public key for OAuth

ECA-9901 - Strip trailing slash from OAuth URL for KeyCloak providers

ECA-9907 - Update mapped AD template settings

ECA-9910 - Set ACME problem response content type to application/problem+json

ECA-9913 - Fall back to database if CEP Service CA cert isn't found in cache

ECA-9917 - Prevent the user from adding public keys with duplicate keyids

ECA-9923 - Administrator name should not be UUID when logging in with KeyCloak

ECA-9960 - Revisit MSAE libs

ECA-9964 - Allow CEP service to represent multiple CAs

ECA-9965 - Rename default provider type

Bug Fixes

ECA-6010 - CLI importcacert can't import CA chain certificates

ECA-7447 - Disable "set password" in RA web if end entity profile enrollment code is "auto-generated"

ECA-7485 - EEP default CA selection doesn't work on adminweb EE creation and RaWeb enrollmakenewrequest pages

ECA-8499 - Not possible to mix Sun PKCS#11 and CP5 PKCS#11 tokens

ECA-8947 - The CLI command mergecatokens is not working for CAs with token type provider Pkcs11NgCryptoToken

ECA-9140 - CA Structure & CRLs links do not work if CA DN contains &

ECA-9155 - Certificate is generated without Username

ECA-9317 - When "Use entity CN field" In The EEP is Enabled, it is not visible on adminweb while adding EE

ECA-9499 - Security Issue

ECA-9534 - Wrong label in end entity profile: "UID, Unique Identifier" subject DN field should be "userid"

ECA-9543 - Fix DynamicUiProperty / DynamicUiModel property validation.

ECA-9544 - Insert DynamicUiModel JSF into existing table grid

ECA-9545 - Fix DynamicUiProperty / DynamicUiModel component enabling / visibility

ECA-9546 - Adding RA Proxying of EjbcaWS.softTokenRequest

ECA-9549 - Incorrect encoding of non-english languages in RA web on Java 11

ECA-9558 - Multiple choices of the same curves in certificate profile - unable to enroll ECDSA prime256v1 certificate via RA Web

ECA-9565 - Make the CE index page show the correct version information

ECA-9568 - Remove the final/static keywords from EJB methods

ECA-9586 - Regression: First letters of first DC component in CA DN always capitalized

ECA-9590 - CA signing algorithm suggestion defaults to SHA1WithRSA after selecting crypto token

ECA-9615 - Regression: When selecting multiple keys in a crypto token the wrong key(s) are removed

ECA-9619 - Remote internal key binding updater service fails with nullpointer exception

ECA-9622 - Null pointer exception is thrown when the CA tries to issue a certificate using a corrupt CSR

ECA-9630 - Regression: EST re-enroll stopped working due to authorization of re-enrolling entity

ECA-9632 - ExtendedInformation is not parsed correctly by SecureXMLDecoder for some values

ECA-9634 - Fix ACME revokeCert resource for revocations for account holders having all authorizations for the identifiers in a certificate

ECA-9638 - Fix ACME EAB exception handling

ECA-9640 - CMP 3GPP: Unable to enroll Ericsson eNodeB in Vendor Mode

ECA-9656 - EJBCA will debug log a private key if sent with CSR

ECA-9660 - Cannot enroll over ACME using an EC keypair

ECA-9661 - No check if Allow Subject DN Override by CSR in REST

ECA-9666 - Missing space in TLS error message

ECA-9675 - SCEP – null name for End Entity generated instead of DN serialNumber

ECA-9714 - Some system tests failing on processing PKCS10 requests

ECA-9721 - Error Admin UI rendering creating CAs with crypto token errors

ECA-9726 - Regression: error about ApprovalData column when exporting using ejbca-db-cli

ECA-9727 - REST API fail to enroll CSR with Subject Directory Attribute

ECA-9736 - Regression: Add/Edit End Entity actions are not logged to Audit Log

ECA-9741 - RA web ignores Subject Directory Attributes in user CSR

ECA-9749 - Regression: Intune not working, upgrade intune libraries

ECA-9764 - Fix failing configdump unit tests in Jenkins

ECA-9765 - Regression: EjbcaWS.processSoftTokenReq does not work when end entity already exist

ECA-9768 - REST API: NullPointerException enrolling end entity without ExtendedInformation

ECA-9783 - Warnings printed from CEP Service on startup

ECA-9802 - Regression: Response to acme endpoints is not correct in all cases.

ECA-9805 - Enrollment code not shown in RA web when using key recovery

ECA-9806 - AlgorithmTools is spamming the log, lower log level for list of available algorithms

ECA-9807 - Workaround C_GetAttributeValue bug in AWS CloudHSM

ECA-9808 - CE build broken. Package org.cesecore.keys.token.p11ng.provider does not exist (in CE)

ECA-9809 - Unable to sign RSA public keys with SSH CA

ECA-9815 - OAuth login page is not shown when authentication fails on a JSP page

ECA-9822 - Regression: ejbcaClientToolBox.bat does not work

ECA-9824 - Edit CA resets Extended Services Key Specification for CMS CA Service

ECA-9839 - Theoretical NPE in EjbcaWebBeanImpl

ECA-9841 - OAuth provider without keys cannot be deleted

ECA-9847 - Regression: Missing library in CMP HTTP proxy

ECA-9851 - OAuth Client Secret should be input type password

ECA-9853 - OAuth refresh token assumes there is also an access token

ECA-9855 - Security issue

ECA-9859 - Read profiles via Peers for MSAE UI Configuration

ECA-9860 - Same MSAE policy UID is used for all machines

ECA-9862 - MSAE AD password is shown cleartext

ECA-9871 - Fix trace interceptor invocation duration

ECA-9872 - Regression: Peer publishing between 7.5 and older is broken

ECA-9873 - Error clicking "previous" CA certificate in CA structure certificate view

ECA-9877 - External RA: Unable to access external RA

ECA-9886 - Fix ACME pre-authorization order creation

ECA-9887 - Security Issue

ECA-9895 - OAuth login fails in Chrome

ECA-9896 - Failed to get token from authorization server. HTTP status code 401

ECA-9900 - Fix AcmeConfiguration upgrade method.

ECA-9904 - LDAP Connection resets regularly

ECA-9908 - Test connection doesn't use the saved password

ECA-9909 - List of "Available MS Templates" isn't sorted

ECA-9912 - Incorrect table definition in sql script for MS-SQL for OcspResponseData.rowProtection

ECA-9916 - Implement oid claim for Azure

ECA-9919 - PKCS11HSMKeyTool fails with missing jna dependency

ECA-9924 - AD Search Scope too narrow

ECA-9931 - Security hardening

ECA-9932 - Fix exception with "default method" in Java on some environments

ECA-9933 - Must enter client secret again when saving OAuth provider

ECA-9938 - OAuth login in RA UI does not work over peer connection

ECA-9949 - OAuth: Failed to get token from authorization server.

ECA-9954 - Regression: NPE when getting non-existent configuration over peers, when debug logging is enabled

ECA-9956 - Conf files update is not reflected

ECA-9958 - Regression: NPEs on System Configuration page

ECA-9959 - MSAE SAN DNS Contains only domain part

ECA-9963 - EstRAModeBasicTest failing due to typo in expected error string

ECA-9967 - Errors in CA UI when TLS session is restarted

ECA-10042 - ACME EAB secret key logged on debug level