EJBCA 7.9.0 Release Notes
APRIL 2022
The EJBCA team is pleased to announce the release of EJBCA 7.9.0.
This release introduces support in EJBCA for acting as Enrollment Authority in C-ITS PKI, enabling vehicle manufacturers to take part in evolving C-ITS ecosystems. The release also includes enhancements to Intune integration and RA Web.
Included in this release are also the changes made in EJBCA 7.8.2, which was only released internally.
Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.
Highlights
Log4j Upgrade
As has been stated before, EJBCA was never vulnerable to CVE-2021-44228 nor the subsequent findings, because EJBCA handles logging through JBoss EAP/Wildfly and only uses the Log4j API as a facade. Log4j version 1 has been included in the source mainly as a building block; it is not used in the main deployment and is only ever directly referenced from the CLI, but its presence will still trip automatic vulnerability scanners. As we understand that many of our customers need to comply with auditors and other regulatory authorities, we have decided to accelerate the planned upgrade of Log4j to the latest release in order to dissolve any questions about EJBCA being vulnerable.
Use of Microsoft Graph API in EJBCA Intune Integrations
Previous versions of EJBCA use the Azure AD Graph API for Intune integrations. Microsoft has announced that Azure AD Graph API will be deprecated as of June 2022 and that Intune integrations need to use Microsoft Graph API instead. EJBCA 7.9.0 uses Microsoft Graph API for Intune integrations, making it an important upgrade for EJBCA customers using Intune.
Support for acting as Enrollment Authority in C-ITS PKI
Cooperative Intelligent Transport Systems (C-ITS) is an ecosystem facilitating communication between vehicles and between vehicles and infrastructure, jointly known as vehicle-to-everything (V2X). EJBCA 7.9.0 introduces functionality allowing EJBCA to act as an Enrollment Authority (EA) in a C-ITS PKI, registering ITS entities and issuing enrollment credentials. While not including every component of the C-ITS PKI, this release marks our first effort toward supporting the C-ITS PKI lifecycle with EJBCA. For more information, see C-ITS ECA Overview.
Announcements
Public Web Deprecated
Since the launch of EJBCA, the Public Web has been used for common operations such as enrollment, CRL and CA certificate download, etc. EJBCA 6.6 introduced the new RA Web along with a new RA architecture, enabling more efficient RA workflows that also overlapped many functionalities of the Public Web. Throughout recent releases, including this one, we have added additional features to the RA Web in an effort to allow all RA operations to be managed from one location. RA Web enhancements have made the Public Web increasingly redundant, and the Public Web is therefore deprecated as of EJBCA 7.9.
Public Web is still available in EJBCA 7.9.0 but will no longer be supported as of the next major version of EJBCA. We recommend migrating your workflows to the RA Web in preparation for the future removal of the Public Web. Certain use cases might not be fully replaceable by the RA Web yet but we will be putting the last pieces together to support them in upcoming releases. Endpoints for CA/CRL distribution located under the Public Web URL will remain available.
CMP over TCP no longer Supported
Use of CMP over TCP has been discouraged per our documentation since EJBCA 6.5. The plan was to end support of CMP over TCP in the next major version but due to incompatibilities with the Log4J upgrade, we have accelerated the schedule. As of EJBCA 7.9.0, CMP over TCP is no longer supported by EJBCA or by the legacy CMP Proxy. Support for CMP over HTTP is unaffected.
SaferDailyRollingFileAppender no longer Supported
The SaferDailyRollingFileAppender (enabled by setting ocsp.log-safer=true in the ocsp.properties configuration file) has been deprecated and removed due to incompatibilities with the Log4J upgrade. Enabling the setting caused a transaction rollback if the server logs could not be written to; this was a corner case for certain VAs with legal requirements to log all OCSP traffic. This setting is no longer supported by EJBCA.
Upgrade Information
Review the EJBCA 7.9.0 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.
EJBCA 7.9.0 is included in EJBCA Hardware Appliance 3.9.5 and EJBCA Cloud 2.10.0 and can be deployed as EJBCA Software Appliance.
Change Log: Resolved Issues
For full details of fixed bugs and implemented features in EJBCA 7.9.0, refer to our JIRA Issue Tracker.
Issues Resolved in 7.9.0
New Features
ECA-7321 - RA Web should accept CSR in DER format
ECA-9834 - ACME configuration alias max. length of 250 characters
ECA-10261 - Add support for RFU bits in cert-cvc
ECA-10263 - Add support for RFU bits in EJBCA
ECA-10467 - Define new CA type for ITS CAs
ECA-10468 - ITS CA Type in the UI
ECA-10470 - REST Resource for ITS Certificate Request
ECA-10529 - ITS end entity request and response creation and verification
ECA-10554 - Allow CMPv2 enrollment in RA mode using vendor certificate
ECA-10592 - Authorization validation for ETSI certificates and integration to REST
ECA-10593 - End Entity management over REST for C-ITS ETSI
ECA-10612 - Import CITS CA and other UI changes for CITS
ECA-10613 - Subject attributes validation during registration, EC enroll and authorization validation
ECA-10614 - Download or rest endpoint for CITS certificates
ECA-10625 - Future Dated CRLs from the CLI
ECA-10627 - Allow WS requests using Request Processors sent through editUser as well
Improvements
ECA-7381 - Sunset Public Web
ECA-7588 - Remove CADataHandler
ECA-7765 - Allow public user to finalize enrollment in RA Web
ECA-8476 - Only show logout button in CA web when "Session timeout" is enabled
ECA-9256 - Allow an OCSP Responder to sign for other CAs
ECA-9566 - The Option "Send notification" is Not Available in RA Web
ECA-9799 - Search for Certificates at RA Web doesn't reflect Expired status in the main table list
ECA-10296 - Update EJBCA libs for Swagger to work on Wildfly > 22.0.0
ECA-10345 - Put PIN last in the GUI when creating crypto token
ECA-10413 - Allow EEP Subject DN values to be enforced
ECA-10414 - Add E-mail checkbox "Use email from address field" to RA-web
ECA-10416 - Increase CSR Size Limit
ECA-10418 - Name constraint support for make new request in RA web
ECA-10421 - Add checkbox to RA Web when creating end entity to activate key recovery
ECA-10452 - Trim external log lib
ECA-10454 - Improve dn merge procedure for end entities
ECA-10456 - Add end entity with clear text password in the RA web
ECA-10459 - Code cleanup: modules/oldlogexport
ECA-10460 - Code cleanup: modules/externalra-gui
ECA-10469 - Define MVP TBSCertificate fields for ITS CAs
ECA-10473 - Complete the rest endpoint implementation for CITS
ECA-10474 - Increase length of generated symmetric key for ACME EAB
ECA-10476 - Introduce ITS Certificate Profile
ECA-10488 - Upgrade ITS epic branch with BC 1.7.1 b03
ECA-10489 - Create enrollment endpoint for the ITS REST API
ECA-10494 - Not able to reconnect to P11NG Crypto Token after HSM network disconnect
ECA-10501 - Remove support for CMP over TCP
ECA-10504 - Get rid of appender code in UpgradeBean to Log4J2
ECA-10512 - Upgrade EJBCA Intune Integration to Use Microsoft Graph API
ECA-10530 - Update standalone scripts with log4j compatibility flag
ECA-10538 - SHAxWithRSAAndMGF1 / SHAxWithRSASSA-PSS not working with Azure Key Vault or AWS KMS Crypto tokens
ECA-10539 - Update slf4j
ECA-10543 - Update PublicAccessToken to not require delete end entities access rule
ECA-10548 - Add CrmfRequestTest into Jenkins
ECA-10555 - OEREncoding for InnerECRequest/Response
ECA-10558 - REST endpoint for ITS-S Registration
ECA-10576 - System test for ITS REST endpoint
ECA-10584 - Update ejbca.cmd with log4j changes
ECA-10585 - Deprecate and remove legacy batch enrollment GUI
ECA-10610 - Hardening
ECA-10615 - Upgrade BC to 1.71, pull in main branch changes
ECA-10619 - Upgrade commons-cli to 1.5
ECA-10628 - Allow the encryptpwd CLI command to run without appserver active
ECA-10633 - Upgrade jacknji11
ECA-10642 - Refactor ITS enrollment operation to be performed by CA implementation
ECA-10647 - Improve EJBCA's behavior when looking up invalid DNS records for CAA
Bug Fixes
ECA-9950 - Batchenrollment gives BCFKS error
ECA-10219 - New role members cannot manage existing approval requests
ECA-10228 - Invalid ocsp certificate prevents wildfly startup
ECA-10279 - CVC is not working in RA web
ECA-10388 - Peer connections using RSA Authentication Key binding with P11NG, Azure and AWS crypto tokens stopped working after JDK update
ECA-10424 - Logging Location of API Requests
ECA-10426 - Configurable DN order in LDAP Publisher
ECA-10436 - Regression: Error editing Key Vault crypto Token
ECA-10437 - CA Functions CRL download link fails to download CRL when CA SubjectDN contains ampersand
ECA-10457 - REST configdump export can fail even if ignore errors is enabled
ECA-10463 - ConfigDump Export/Import EEPs with multiple DNs/SANs
ECA-10471 - Regression - ejbca-db-cli not working after upgrading to 7.8.0.1
ECA-10484 - Regression: P11NG and CloudHSM using Healthcheck sometimes causes HSM to go offline with CKR_OPERATION_ACTIVE
ECA-10485 - CMP Certificate Confirmation - Default CA
ECA-10490 - Cannot re-activate suspended cert with "Safe Direct Publishing"
ECA-10491 - X.509 CA sequence is compared with keysequence from cert request in a wrong way
ECA-10497 - Regression: OCSP signing cache is always reloaded for requests with unknown CAs
ECA-10507 - Regression: P11NG signing misses NULL parameter in PKCS#1 algorithm parameters for RSA SHA algorithms
ECA-10532 - Fix ACME issuance of certificates with non-validated domains
ECA-10533 - EJBCA RA - Navigation dead-ends
ECA-10534 - Enrollment fails with GetCACert enabled in SCEP CA mode
ECA-10535 - AWSS3Publisher causes OCSP Peer Publishing to fail
ECA-10549 - Disable "Use queue ..." options when "Safe Direct Publishing" enabled
ECA-10550 - Regression: Potential NPE causes test failures when Trace logging is enabled
ECA-10557 - Jenkins CMP test failure
ECA-10569 - Create tests for cmp update command in cli
ECA-10571 - Make "Unspecified" revocation reason in OCSP responses configurable
ECA-10572 - URI Name Constraints should not allow/require protocol to be specified
ECA-10577 - Key algorithm of uploaded CSR field shows wrong value
ECA-10579 - Clean up access rules requirements for using a CSR on the Make New Request page
ECA-10583 - Name constraint error produces stacktrace and unintuitive error message in RA UI
ECA-10591 - Startup database error due to deprecated property UserData.hardTokenIssuerId
ECA-10601 - Failures in PostgreSQL running create-index sql script, comment out drop index statements
ECA-10603 - ejbca-db-cli Broken
ECA-10620 - Request and EE CA mismatch still cause EE status change
ECA-10621 - Minor security issue
ECA-10622 - Changing an EE status over RA web leads to unwanted disabling of Batch generation (clear text pwd storage) checkbox
ECA-10626 - Support 'Any' cryptoProvider in MSAE templates
ECA-10634 - Fix IOException in db-cli
ECA-10635 - Update AzureBlobPublisher to use new Azure auth
ECA-10637 - Azure Key Vault only lists the first 25 key aliases
ECA-10638 - EJBCA restricts OCSP nonce to 30 octets instead of 32 as stated in RFC8954
ECA-10644 - The publisher queue inspection window should display the time with a 24-hour clock
ECA-10662 - Intune Resource URL not honored in new SCEP code
Issues Resolved in 7.8.2
EJBCA 7.8.2 was an internal release, not generally available to customers.
Improvements
ECA-10479 - Library upgrade
ECA-10494 - Not able to reconnect to P11NG Crypto Token after HSM network disconnect
ECA-10501 - Remove support for CMP over TCP
ECA-10504 - Get rid of appender code in UpgradeBean to Log4J2
ECA-10509 - Remove SaferDaily, SigningDaily and ScriptrunningDailyRollingFileAppender
ECA-10510 - Upgrade Appender in TestLogAppenderResource to Log4J2
ECA-10530 - Update standalone scripts with log4j compatibility flag
ECA-10531 - Resolve test failures after log4j upgrade
Bug Fixes
ECA-10484 - Regression: P11NG and CloudHSM using Healthcheck sometimes causes HSM to go offline with CKR_OPERATION_ACTIVE
ECA-10507 - Regression: P11NG signing misses NULL parameter in PKCS#1 algorithm parameters for RSA SHA algorithms
ECA-10532 - Fix ACME issuance of certificates with non-validated domains