JULY 2021

The PrimeKey EJBCA team is pleased to announce the release of EJBCA 7.7.0.

Running hot on the heals of EJBCA 7.6.0, this feature release is our final push towards full Microsoft Windows compatibility before the summer. With this release, we're aiming to be able to offer a fully holistic solution to any Microsoft based enterprise looking to power their PKI with the easiest, fastest, and most powerful solution available. 

Deployment options include EJBCA Hardware ApplianceEJBCA Software Appliance, and EJBCA Cloud.

Highlights

Microsoft Windows Compatible CA Key Updates

Due to some differences in how Microsoft Windows handles CRLs, we've introduced a Microsoft Compatibility mode that changes the CA's behavior when the CA is rekeyed. The commonly expected behavior when a CA is rekeyed, is that all future CRLs and OCSP responder certificates are signed by the new key pair after the rollover. Instead, Microsoft environments expect each generation of CA key pairs to continue signing CRLs for those certificates which were issued by that particular key pair. Likewise, OCSP responses are expected to be continued to be signed with an OCSP responder certificate signed by the original key pair. 

The end result of Microsoft Compatibility mode is that:

  • The CA will produce as many CRLs as there are generations of CA keys.
  • OCSP responses will have different signing keys, depending on which generation of CA keys signed the relevant certificate.

Microsoft Compatibility mode comes with some caveats:

  • It's not possible to switch between the two modes, so Microsoft Compatibility Mode must be enabled upon CA creation if required.
  • Microsoft Compatibility Mode is mutually exclusive with the use of Partitioned CRLs.

For more information about EJBCA's Microsoft Compatibility mode, see Microsoft Compatible CA Key Updates.

Approvals in ACME Workflow

Upon popular demand, we have implemented Approvals for the ACME workflow. Configuring Approvals for a CA or Certificate Profiles and enrolling over ACME will now trigger an approval event for the account and subsequent end entity creation. For more information, see ACME.

Azure Blob CRL Publisher

To further increase compatibility with the Microsoft space, we have introduced a CRL publisher to Azure Blob. For more information, see Azure Blob Storage Publisher.

Announcements

Sunset of JDK8 support

With JDK8 seeing the end of its official support window from Oracle, we will towards the end of this year sunset support for JDK8 ourselves to be able to take advantage of the many features in JDK11 and later. We want to recommend all customers to upgrade their JDKs to JDK11. With the coming release of JDK17 as the next LTS release from Oracle, we will be implementing full support towards the autumn. 

Upgrade Information

Review the EJBCA 7.7.0 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 7.7.0 is included in EJBCA Hardware Appliance 3.9.0 and EJBCA Cloud 2.8.0 and can be deployed as EJBCA Software Appliance.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 7.7.0, refer to our JIRA Issue Tracker.

Issues Resolved in 7.7.0

Released July 2021

New Features

ECA-3085 - Option to start audit log verification from a specified sequence number

ECA-10074 - Azure CRL Publisher

ECA-10180 - ACME Name Generation Scheme

Improvements

ECA-9797 - Documentation is missing for "extension_data" field in REST calls

ECA-9863 - SCEP: add option to include CA chain in the GetCACert call (update for RFC8894)

ECA-10050 - GUI option for Microsoft conformant CA creation

ECA-10051 - OCSP Responder support for multiple signer keys

ECA-10080 - Make ms conformant setting irreversible in other end points

ECA-10081 - Improve DynamicUiProperty field validation user mesages

ECA-10084 - UI: Hide "Partition CRL Settings" when "MS Key Updates" is enabled.

ECA-10085 - CA signKey must correspond to partition.

ECA-10086 - Suspend previous CRL partition with CA key re-keying.

ECA-10087 - Enforce Partition CRLs with MS CA Key Updates

ECA-10091 - Add approvals for ACME account management

ECA-10140 - Enforce CRL Distribution Point in Edit CA page if MS CA Compatibilty mode is selected

ECA-10152 - Enforce Use of Authority Key ID

ECA-10153 - Generating Default CRL Dist. Point should use partition suffix

Bug Fixes

ECA-9805 - Enrollment code not shown in RA web when using key recovery

ECA-10138 - Single Active Certificate Constraint sets revocation date to 1970

ECA-10166 - IntuneRevocationWorker is missing setting for AUTH_AUTHORITY in 7.7

ECA-10167 - CA certificate CDP not updated on MS CA re-keying

ECA-10174 - SCEP Issuance has incorrect log message

ECA-10194 - Azure CRL Publisher Not Publishing CRLs via peer

ECA-10197 - CRL Publisher label wrong

ECA-10198 - Azure CRL Publisher fails unless password entered