APRIL 2022

The EJBCA team is pleased to announce the release of EJBCA 7.9.0.

This release introduces support in EJBCA for acting as Enrollment Authority in C-ITS PKI, enabling vehicle manufacturers to take part in evolving C-ITS ecosystems. The release also includes enhancements to Intune integration and RA Web.

This release also includes the changes made in EJBCA 7.8.2, which was released internally only.

Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.

Highlights

Log4j Upgrade

As has been stated before, EJBCA was never vulnerable to CVE-2021-44228 or the subsequent findings, because EJBCA handles logging through JBoss EAP/WildFly and only uses the Log4j API as a facade. Log4j version 1 has been included in the source mainly as a building block; it is not used in the main deployment and is only ever referenced directly from the CLI, but its presence will still trip automatic vulnerability scanners. As we understand that many of our customers need to comply with auditors and other regulatory authorities, we have decided to accelerate the planned upgrade of Log4j to the latest release in order to dissolve any questions about EJBCA being vulnerable.

Use of Microsoft Graph API in EJBCA Intune Integrations

Previous versions of EJBCA use the Azure AD Graph API for Intune integrations. Microsoft has announced that the Azure AD Graph API will be deprecated as of June 2022 and that Intune integrations need to use the Microsoft Graph API instead. EJBCA 7.9.0 uses the Microsoft Graph API for Intune integrations, which makes this an important upgrade for EJBCA customers using Intune.

Support for acting as Enrollment Authority in C-ITS PKI

Cooperative Intelligent Transport Systems (C-ITS) is an ecosystem facilitating communication between vehicles and between vehicles and infrastructure, jointly known as vehicle-to-everything (V2X). EJBCA 7.9.0 introduces functionality allowing EJBCA to act as an Enrollment Authority (EA) in a C-ITS PKI, registering ITS entities and issuing enrollment credentials. While not including every component of the C-ITS PKI, this release marks our first effort toward supporting the C-ITS PKI lifecycle with EJBCA. For more information, see C-ITS ECA Overview.

Announcements

Public Web Deprecated

Since the launch of EJBCA, the Public Web has been used for common operations such as enrollment and CRL and CA certificate download. EJBCA 6.6 introduced the new RA Web along with a new RA architecture, enabling more efficient RA workflows that also overlapped with much of the Public Web's functionality. Throughout recent releases, including this one, we have added features to the RA Web so that all RA operations can be managed from one location. These RA Web enhancements have made the Public Web increasingly redundant, and the Public Web is therefore deprecated as of EJBCA 7.9.

The Public Web is still available in EJBCA 7.9.0 but will no longer be supported as of the next major version of EJBCA. We recommend migrating your workflows to the RA Web in preparation for the future removal of the Public Web. Certain use cases might not yet be fully replaceable by the RA Web, but we will be putting the last pieces together to support them in upcoming releases. Endpoints for CA certificate and CRL distribution located under the Public Web URL will remain available.

CMP over TCP No Longer Supported

Use of CMP over TCP has been discouraged in our documentation since EJBCA 6.5. The plan was to end support for CMP over TCP in the next major version, but due to incompatibilities with the Log4j upgrade we have accelerated the schedule. As of EJBCA 7.9.0, CMP over TCP is no longer supported by EJBCA or by the legacy CMP Proxy. Support for CMP over HTTP is unaffected.

SaferDailyRollingFileAppender No Longer Supported

The SaferDailyRollingFileAppender (enabled by setting ocsp.log-safer=true in the ocsp.properties configuration file) has been deprecated and removed due to incompatibilities with the Log4j upgrade. When enabled, the setting caused a transaction rollback if the server logs could not be written to; it covered a corner case for certain VAs with a legal requirement to log all OCSP traffic. This setting is no longer supported by EJBCA.

Upgrade Information

Review the EJBCA 7.9.0 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 7.9.0 is included in EJBCA Hardware Appliance 3.9.5 and EJBCA Cloud 2.10.0 and can be deployed as EJBCA Software Appliance.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 7.9.0, refer to our JIRA Issue Tracker.

Issues Resolved in 7.9.0

Released April 2022

New Features

ECA-7321 - RA Web should accept CSR in DER format

ECA-9834 - ACME configuration alias max. length of 250 characters

ECA-10261 - Add support for RFU bits in cert-cvc

ECA-10263 - Add support for RFU bits in EJBCA

ECA-10467 - Define new CA type for ITS CAs

ECA-10468 - ITS CA Type in the UI

ECA-10470 - REST Resource for ITS Certificate Request

ECA-10529 - ITS end entity request and response creation and verification

ECA-10554 - Allow CMPv2 enrollment in RA mode using vendor certificate

ECA-10592 - Authorization validation for ETSI certificates and integration to REST

ECA-10593 - End Entity management over REST for C-ITS ETSI

ECA-10612 - Import CITS CA and other UI changes for CITS

ECA-10613 - Subject attributes validation during registration, EC enroll and authorization validation

ECA-10614 - Download or rest endpoint for CITS certificates

ECA-10625 - Future Dated CRLs from the CLI

ECA-10627 - Allow WS requests using Request Processors sent through editUser as well

Improvements

ECA-7381 - Sunset Public Web

ECA-7588 - Remove CADataHandler

ECA-7765 - Allow public user to finalize enrollment in RA Web

ECA-8476 - Only show logout button in CA web when "Session timeout" is enabled

ECA-9256 - Allow an OCSP Responder to sign for other CAs

ECA-9566 - The Option "Send notification" is Not Available in RA Web

ECA-9799 - Search for Certificates at RA Web doesn't reflect Expired status in the main table list

ECA-10296 - Update EJBCA libs for Swagger to work on Wildfly > 22.0.0

ECA-10345 - Put PIN last in the GUI when creating crypto token

ECA-10413 - Allow EEP Subject DN values to be enforced

ECA-10414 - Add E-mail checkbox "Use email from address field" to RA-web

ECA-10416 - Increase CSR Size Limit

ECA-10418 - Name constraint support for make new request in RA web

ECA-10421 - Add checkbox to RA Web when creating end entity to activate key recovery

ECA-10452 - Trim external log lib

ECA-10454 - Improve dn merge procedure for end entities

ECA-10456 - Add end entity with clear text password in the RA web

ECA-10459 - Code cleanup: modules/oldlogexport

ECA-10460 - Code cleanup: modules/externalra-gui

ECA-10469 - Define MVP TBSCertificate fields for ITS CAs

ECA-10473 - Complete the rest endpoint implementation for CITS

ECA-10474 - Increase length of ACME EAB with symmetric keys generated key

ECA-10476 - Introduce ITS Certificate Profile

ECA-10488 - Upgrade ITS epic branch with BC 1.7.1 b03

ECA-10489 - Create enrollment endpoint for the ITS REST API

ECA-10494 - Not able to reconnect to P11NG Crypto Token after HSM network disconnect

ECA-10501 - Remove support for CMP over TCP

ECA-10504 - Get rid of appender code in UpgradeBean to Log4J2

ECA-10512 - Upgrade EJBCA Intune Integration to Use Microsoft Graph API

ECA-10530 - Update standalone scripts with log4j compatibility flag

ECA-10538 - SHAxWithRSAAndMGF1 / SHAxWithRSASSA-PSS not working with Azure Key Vault or AWS KMS Crypto tokens

ECA-10539 - Update slf4j

ECA-10543 - Update PublicAccessToken to not require delete end entities access rule

ECA-10548 - Add CrmfRequestTest into Jenkins

ECA-10555 - OEREncoding for InnerECRequest/Response

ECA-10558 - REST endpoint for ITS-S Registration

ECA-10576 - System test for ITS REST endpoint

ECA-10584 - Update ejbca.cmd with log4j changes

ECA-10585 - Deprecate and remove legacy batch enrollment GUI

ECA-10610 - Hardening

ECA-10615 - Upgrade BC to 1.71, pull in main branch changes

ECA-10619 - Upgrade commons-cli to 1.5

ECA-10628 - Allow the encryptpwd CLI command to run without appserver active

ECA-10633 - Upgrade jacknji11

ECA-10642 - Refactor ITS enrollment operation to be performed by CA implementation

ECA-10647 - Improve EJBCA's behavior when looking up invalid DNS records for CAA

Bug Fixes

ECA-9950 - Batchenrollment gives BCFKS error

ECA-10219 - New role members cannot manage existing approval requests

ECA-10228 - Invalid ocsp certificate prevents wildfly startup

ECA-10279 - CVC is not working in RA web

ECA-10388 - Peer connections using RSA Authentication Key binding with P11NG, Azure and AWS crypto tokens stopped working after JDK update

ECA-10424 - Logging Location of API Requests

ECA-10426 - Configurable DN order in LDAP Publisher

ECA-10436 - Regression: Error editing Key Vault crypto Token

ECA-10437 - CA Functions CRL download link fails to download CRL when CA SubjectDN contains ampersand

ECA-10457 - REST configdump export can fail even if ignore errors is enabled

ECA-10463 - ConfigDump Export/Import EEPs with multiple DNs/SANs

ECA-10471 - Regression - ejbca-db-cli not working after upgrading to 7.8.0.1

ECA-10484 - Regression: P11NG and CloudHSM using Healthcheck sometimes causes HSM to go offline with CKR_OPERATION_ACTIVE

ECA-10485 - CMP Certificate Confirmation - Default CA

ECA-10490 - Cannot re-activate suspended cert with "Safe Direct Publishing"

ECA-10491 - X.509 CA sequence is compared with keysequence from cert request in a wrong way

ECA-10497 - Regression: OCSP signing cache is always reloaded for requests with unknown CAs

ECA-10507 - Regression: P11NG signing misses NULL parameter in PKCS#1 algorithm parameters for RSA SHA algorithms

ECA-10532 - Fix ACME issuance of certificates with non-validated domains

ECA-10533 - EJBCA RA - Navigation dead-ends

ECA-10534 - Enrollment fails with GetCACert enabled in SCEP CA mode

ECA-10535 - AWSS3Publisher causes OCSP Peer Publishing to fail

ECA-10549 - Disable "Use queue ..." options when "Safe Direct Publishing" enabled

ECA-10550 - Regression: Potential NPE causes test failures when Trace logging is enabled

ECA-10557 - Jenkins CMP test failure

ECA-10569 - Create tests for cmp update command in cli

ECA-10571 - Make "Unspecified" revocation reason in OCSP responses configurable

ECA-10572 - URI Name Constraints should not allow/require protocol to be specified

ECA-10577 - Key algorithm of uploaded CSR field shows wrong value

ECA-10579 - Clean up access rules requirements for using a CSR on the Make New Request page

ECA-10583 - Name constraint error produces stacktrace and unintuitive error message in RA UI

ECA-10591 - Startup database error due to deprecated property UserData.hardTokenIssuerId

ECA-10601 - Failures in PostgreSQL running create-index sql script, comment out drop index statements

ECA-10603 - ejbca-db-cli Broken

ECA-10620 - Request and EE CA mismatch still cause EE status change

ECA-10621 - Minor security issue

ECA-10622 - Changing an EE status over RA web leads to unwanted disabling of Batch generation (clear text pwd storage) checkbox

ECA-10626 - Support 'Any' cryptoProvider in MSAE templates

ECA-10634 - Fix IOException in db-cli

ECA-10635 - Update AzureBlobPublisher to use new Azure auth

ECA-10637 - Azure Key Vault only lists the first 25 key aliases

ECA-10638 - EJBCA restricts OCSP nonce to 30 octets instead of 32 as stated in RFC8954

ECA-10644 - The publisher queue inspection window should display the time with a 24-hour clock

ECA-10662 - Intune Resource URL not honored in new SCEP code

Issues Resolved in 7.8.2

EJBCA 7.8.2 was an internal release, not generally available to customers.

Released February 2022

Improvements

ECA-10479 - Library upgrade

ECA-10494 - Not able to reconnect to P11NG Crypto Token after HSM network disconnect

ECA-10501 - Remove support for CMP over TCP

ECA-10504 - Get rid of appender code in UpgradeBean to Log4J2

ECA-10509 - Remove SaferDaily, SigningDaily and ScriptrunningDailyRollingFileAppender

ECA-10510 - Upgrade Appender in TestLogAppenderResource to Log4J2

ECA-10530 - Update standalone scripts with log4j compatibility flag

ECA-10531 - Resolve test failures after log4j upgrade

Bug Fixes

ECA-10484 - Regression: P11NG and CloudHSM using Healthcheck sometimes causes HSM to go offline with CKR_OPERATION_ACTIVE

ECA-10507 - Regression: P11NG signing misses NULL parameter in PKCS#1 algorithm parameters for RSA SHA algorithms

ECA-10532 - Fix ACME issuance of certificates with non-validated domains