DECEMBER 2021

The PrimeKey EJBCA team is pleased to announce the release of EJBCA 7.8.1.

This release has seen a primary focus on improving our REST API, as well as further integration with the Microsoft ecosystem. 

Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.

Highlights

REST API Improvements

ConfigDump over REST

Our ConfigDump tool, used to manage and audit EJBCA configurations through human-readable YAML, can now be accessed over REST for both export and import. This makes ConfigDump easy to use on the Hardware and Software Appliances, EJBCA Cloud, and other platforms without command-line interface access.

New REST calls and improvements

  • End Entity Search extended with MODIFIED_DATE.
  • Added pagination to certificate search endpoint.
  • Added a new certificate enrollment endpoint that prioritizes predefined end entity values over values defined in the CSR.
  • Added End Entity Profile and Certificate Profile names to the search results of certificate searches.

For more information, see EJBCA REST Interface.

Microsoft Integration

EJBCA Roles can be populated through Azure Active Directory

EJBCA roles can now have their members populated from corresponding Active Directory groups through Azure Role Based Authentication (RBAC). When Azure is used as an OAuth provider for authenticating to EJBCA, role members no longer need to be added manually; they are read automatically from the existing AD groups. For more information, see Integrating EJBCA with Azure AD Role Based Authentication (RBAC).

Integration with Microsoft Application Insights

Application Insights is an Application Performance Management (APM) service hosted in the Azure cloud platform that allows DevOps professionals to monitor live applications. By integrating Application Insights and EJBCA, administrators can monitor the performance and availability of their EJBCA servers. For more information, see Integrating EJBCA with Azure Application Insights.

Domain Allow List Validator

By popular request, we've added a Domain Allow List Validator as a companion to the existing Domain Block List Validator. It performs the opposite role: it restricts the domains in dnsName fields to the defined subset. For more information, see Certificate Field Validators.

URIs Added as Name Constraints 

In addition to constraints on DNS Name and IP Address, we've added name constraints for URIs. For more information on name constraints, see CA Fields.

Sunset of ejbca-setup.sh Script

We are sunsetting the ejbca-setup.sh quick installation script and associated documentation to decrease the maintenance load and consolidate the installation paths. If you're currently relying on this script, we recommend you migrate your workflows. 

Basic HTTP Authentication for EST

When using EST in client mode, it's now possible to authenticate with HTTP Basic Authentication (username and password).

Bouncy Castle Upgraded to Version 1.70

Just in time to make this release, we upgraded Bouncy Castle to the latest version. 

Support for Oracle 19C

We have implemented support for the Oracle 19C database.

Compliance

Added Granularity to Certificate Transparency Configuration

Due to CT policy updates in Apple's Root Program, the number of required Signed Certificate Timestamps (SCTs) per time interval can now be configured with full granularity.

Possible to add empty dnsName values and URIs as Name Constraints

Following name constraints discussions in the CA/Browser Forum Validation Working Group, we've added the ability to include an empty DNS name in name constraints. This value constrains a Sub CA from issuing any certificate containing dnsName SAN values. For more information on name constraints, see CA Fields. We've also taken the opportunity to add URIs as possible Name Constraint values.
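The following Python check is an added illustration, not EJBCA code. It applies the RFC 5280 subtree rules for dNSName and URI name constraints (the two name types added above) and shows why an empty dNSName constraint blocks every DNS name; it assumes the empty value is placed in excludedSubtrees, which the page does not state, and the permitted dNSName test is the same suffix check a dnsName allow list such as the Domain Allow List Validator applies, with the exact EJBCA matching semantics assumed. All SAN and constraint values are constructed.

```python
from urllib.parse import urlsplit


def dns_in_subtree(name: str, base: str) -> bool:
    """RFC 5280 dNSName rule: `name` equals `base` or is `base` with labels added
    on the left. An empty base matches every DNS name, which is why an empty
    dNSName in excludedSubtrees blocks all dnsName SANs."""
    name = name.lower().rstrip(".")
    base = base.lower().rstrip(".")
    return base == "" or name == base or name.endswith("." + base)


def uri_in_subtree(uri: str, base: str) -> bool:
    """RFC 5280 URI rule: the constraint applies to the host part of the URI; a
    leading dot means one or more extra labels ('.example.com' matches
    'host.example.com' but not 'example.com')."""
    host = (urlsplit(uri).hostname or "").rstrip(".")
    base = base.lower().rstrip(".")
    if base.startswith("."):
        return host.endswith(base)
    return host == base


MATCHERS = {"dNSName": dns_in_subtree, "uniformResourceIdentifier": uri_in_subtree}


def check_name_constraints(sans, permitted, excluded):
    """Return violations for the (type, value) SAN entries in `sans` against the
    (type, base) subtrees in `permitted` and `excluded`. Types without a matcher
    here are skipped; a type with no permitted entry is unrestricted (RFC 5280)."""
    violations = []
    for san_type, value in sans:
        match = MATCHERS.get(san_type)
        if match is None:
            continue
        if any(match(value, base) for kind, base in excluded if kind == san_type):
            violations.append(f"{san_type} {value!r} falls in an excluded subtree")
            continue
        bases = [base for kind, base in permitted if kind == san_type]
        if bases and not any(match(value, base) for base in bases):
            violations.append(f"{san_type} {value!r} is outside all permitted subtrees")
    return violations


# Constructed example: a Sub CA that may only name hosts under .example.com in
# URIs and, via the empty excluded dNSName, may not issue any dnsName SAN at all.
PERMITTED = [("uniformResourceIdentifier", ".example.com")]
EXCLUDED = [("dNSName", "")]

if __name__ == "__main__":
    sans = [("dNSName", "www.example.com"),
            ("uniformResourceIdentifier", "https://svc.example.com/api"),
            ("uniformResourceIdentifier", "https://example.com/")]
    for problem in check_name_constraints(sans, PERMITTED, EXCLUDED):
        print(problem)
```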

Upgrade Information

Review the EJBCA 7.8.1 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 7.8.1 is included in EJBCA Hardware Appliance 3.9.3 and EJBCA Cloud 2.9.2 and can be deployed as EJBCA Software Appliance.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 7.8.1, refer to our JIRA Issue Tracker.

Issues Resolved in 7.8.1

Released December 2021

New Features

ECA-9561 - ACME IP Identifier Validation http-01 Challenge

ECA-9760 - REST searchCertificates call with pagination

ECA-10108 - Merge additional support for the NONEwithRSAandMGF1 (raw RSASSA-PSS) signature algorithm in P11NG

ECA-10184 - KeyVault Machine Identity Authentication

ECA-10334 - HTTP Basic Authentication in EST client mode

ECA-10344 - REST API support for configdump export

ECA-10347 - REST API support for configdump import

ECA-10349 - Add configdump support to Azure BLOB publisher

ECA-10356 - Add Primus HSM PKCS#11 library path

ECA-10380 - Domain Allow List Validator

ECA-10395 - Add support for URI Name Constraints

Improvements

ECA-5472 - Foldable view when there are many optional fields in the RA

ECA-8562 - Improve tests coverage of Configdump's import of Certificate Profiles

ECA-8745 - Increase the number of SANs configurable in end entity profiles (to >100)

ECA-9681 - Fix AcmeOrderData end entity stored including binary data as map

ECA-9763 - Change the message for CA Activation with approvals

ECA-10092 - Add cert auth to Azure Trusted OAuth Provider

ECA-10266 - Upgrade Nimbus JOSE+JWT to nimbus-jose-jwt-9.12.1.jar

ECA-10284 - Check if all invocations of AcmeAccountSessionBean.updateAccount are required

ECA-10293 - Bad signature performance using P11-NG with network HSMs

ECA-10302 - Revoking certificates from adminweb with reason 'Privileges withdrawn'

ECA-10318 - Add roles claim to Azure OAuth for Authentication

ECA-10322 - Create tables SQL script for NDB cluster has flaws

ECA-10324 - Combine ACME and general EAB

ECA-10327 - Reduce CRL and OCSP Validities by 1 second

ECA-10330 - Change default settings SCT in EJBCA 7.x

ECA-10333 - REST Search - Return eep and cp values

ECA-10339 - Viewing CRLs for CA with MS Compat Enabled

ECA-10345 - Put PIN last in the GUI when creating crypto token

ECA-10352 - MS CA compat with Sub CA in EJBCA and External Root

ECA-10353 - Allow name constraints to block all DNS Names

ECA-10354 - Fix ACME pre-authorization returns order object without authorization

ECA-10355 - Update EJBCA to work with Wildfly 25

ECA-10358 - ACME performance - refactor AcmeOrderSessionBean.processPendingOrders

ECA-10360 - Add aliases cache for P11-NG crypto tokens

ECA-10361 - PKCS#10 REST endpoint using end entity information (not CSR)

ECA-10367 - Optimize PKCS#11 sign to avoid redundant PKCS#11 calls

ECA-10377 - EE REST API support search by modified date

ECA-10382 - Allow to configure ignored CAA properties when their processing is done outside EJBCA

ECA-10384 - Differentiate rows in CA Structures & CRLs

ECA-10398 - Align buttons in Certificate Profile and Publishers sections

ECA-10400 - X509CACrlUnitTest test fix

ECA-10406 - Merge smaller P11-NG changes from SignServer

ECA-10428 - Remove extra dot from cert

ECA-10430 - Upgrade BC to 1.70

Bug Fixes

ECA-6166 - CA key export does not warn if no RSA keys are present for encryption.

ECA-7235 - Settings are reset when Match with setting is changed

ECA-8227 - It is possible to revoke an already revoked end entity

ECA-9203 - Exception occurs even if 'Gender' value is given

ECA-10126 - Error when syncing to VA via peer connector

ECA-10157 - Security Issue

ECA-10172 - EST Vendor Mode ChangeSubjectName should not compare with the CSR DN

ECA-10224 - CREATE CA: NullPointerException

ECA-10229 - CMP Authentication Radio Buttons are not disabled in view page

ECA-10237 - Trusted OAuth Providers are removed without any warning or confirmation

ECA-10254 - SCEP alias for Intune not allowing certain characters for client secret.

ECA-10264 - Configdump import failed if the /cryptotoken/keys/remove/ rule is set

ECA-10295 - Configdump does not import Approval Profiles

ECA-10301 - Revoking certificates from adminweb with reason 'AA compromise'

ECA-10303 - Throwaway CA Revocation Broken in 7.6.0

ECA-10311 - View CMP Alias page says: Edit CMP Alias

ECA-10319 - Broken RA End Entity edit page

ECA-10320 - OCSP not working when CA uses Ed25519

ECA-10323 - Enrollment code can not be empty when setting EE status from Generated to New with autogenerated enrollment codes

ECA-10343 - NumberFormatException when creating a crypto token using token label when cryptotoken.p11.lib.X.slotlist is used

ECA-10357 - Ignore keys which cannot be read by the P11NgCryptoToken

ECA-10363 - Make audience check optional

ECA-10365 - Fix links in ACME HTTP response headers

ECA-10383 - In RAWeb custom values "Set validity" doesn't work

ECA-10390 - "Republish" publisher queue view action uses wrong PublishQueueProcessWorker

ECA-10391 - 'Required' restriction on name constraints in end entity profiles is not validated.

ECA-10394 - Clean up of cesecore-p11 is not optional

ECA-10399 - ExpiredCertsOnCRL encodes with fractional seconds

ECA-10404 - Make EEP upgrade for 7.8.1 cluster compatible

ECA-10407 - Audience cannot be empty when "disable audience check" is selected

ECA-10410 - Reintroduce ECA-9475

ECA-10422 - Fix failing tests