EJBCA 7.7.0 Release Notes

JULY 2021

The PrimeKey EJBCA team is pleased to announce the release of EJBCA 7.7.0.

Running hot on the heals of EJBCA 7.6.0, this feature release is our final push towards full Microsoft Windows compatibility before the summer. With this release, we're aiming to be able to offer a fully holistic solution to any Microsoft based enterprise looking to power their PKI with the easiest, fastest, and most powerful solution available. 

Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.

Highlights

Microsoft Windows Compatible CA Key Updates

Due to some differences in how Microsoft Windows handles CRLs, we've introduced a Microsoft Compatibility mode that changes the CA's behavior when the CA is rekeyed. The commonly expected behavior when a CA is rekeyed, is that all future CRLs and OCSP responder certificates are signed by the new key pair after the rollover. Instead, Microsoft environments expect each generation of CA key pairs to continue signing CRLs for those certificates which were issued by that particular key pair. Likewise, OCSP responses are expected to be continued to be signed with an OCSP responder certificate signed by the original key pair. 

The end result of Microsoft Compatibility mode is that:

• The CA will produce as many CRLs as there are generations of CA keys.
• OCSP responses will have different signing keys, depending on which generation of CA keys signed the relevant certificate.

Microsoft Compatibility mode comes with some caveats:

• It's not possible to switch between the two modes, so Microsoft Compatibility Mode must be enabled upon CA creation if required.
• Microsoft Compatibility Mode is mutually exclusive with the use of Partitioned CRLs.

For more information about EJBCA's Microsoft Compatibility mode, see Microsoft Compatible CA Key Updates.

Approvals in ACME Workflow

Upon popular demand, we have implemented Approvals for the ACME workflow. Configuring Approvals for a CA or Certificate Profiles and enrolling over ACME will now trigger an approval event for the account and subsequent end entity creation. For more information, see ACME.

Azure Blob CRL Publisher

To further increase compatibility with the Microsoft space, we have introduced a CRL publisher to Azure Blob. For more information, see Azure Blob Storage Publisher.

Announcements

Sunset of JDK8 support

With JDK8 seeing the end of its official support window from Oracle, we will towards the end of this year sunset support for JDK8 ourselves to be able to take advantage of the many features in JDK11 and later. We want to recommend all customers to upgrade their JDKs to JDK11. With the coming release of JDK17 as the next LTS release from Oracle, we will be implementing full support towards the autumn. 

Upgrade Information

Review the EJBCA 7.7.0 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 7.7.0 is included in EJBCA Hardware Appliance 3.9.0 and EJBCA Cloud 2.8.0 and can be deployed as EJBCA Software Appliance.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 7.7.0, refer to our JIRA Issue Tracker.

Issues Resolved in 7.7.0