EJBCA 8.0 Release Notes

JUNE 2023

The EJBCA team is pleased to announce the release of EJBCA 8.0.

This release includes advancements in IoT security, SSH certificate issuance, and post-quantum readiness.

Deployment options include EJBCA Software Appliance, EJBCA Cloud, and EJBCA Hardware Appliance.

Highlights

SSH certificates

EJBCA 8 includes the new Certificate Authority (CA) type SSH CA capable of issuing Secure Shell Protocol (SSH) certificates. The use of SSH certificates for certificate-based authentication in SSH rather than SSH key distribution and management allows organizations to both increase productivity and improve security. Enabling SSH servers and clients to trust the CA means that SSH can leverage the power of PKI.

With EJBCA you can now issue SSH certificates in addition to X.509 certificates, Card Verifiable certificates, and C-ITS certificates. SSH certificate enrollment is supported through the EJBCA REST API and the EJBCA RA user interface. For more information, see SSH CA.

EST over CoAP in EJBCA LRA Software Appliance

In order to extend deployment flexibility EJBCA 8 enables the deployment of a Local Registration Authority (LRA) to issue birth certificates or operational certificates in IIoT and IoT use cases. Resource-constrained devices can enroll for certificates using EST over CoAP. Running EST over CoAP in EJBCA 8 requires using an EJBCA LRA Software Appliance connected to an EJBCA Certificate Authority (CA).

General EST support in EJBCA 8 has also been extended to support server-side key generation. Server-side key generation may be used regardless of whether EST is carried over HTTP or CoAP.

Post-Quantum Readiness

EJBCA 8 includes support for creating CAs using the NIST round 3 candidate post-quantum signature algorithms Dilithium and Falcon. The standardization of these algorithms is planned to be finalized by INST in 2024. These algorithms are not for production use but are well suited for post-quantum preparation activities and proof of concept usage. For more information on post-quantum algorithm support in EJBCA, see Post-Quantum Cryptography Keys and Signatures.

Matter Smart Home support

Matter is a new standard for interoperable and secure smart home devices. Matter security is based on certificates and the required certificates can be issued by EJBCA using new subject DN attributes as specified in the Matter standard. For more information, see Create CAs for Matter IoT.

Fortanix DSM support

EJBCA 8 includes a new crypto token type enabling integration with Fortanix Data Security Manager (DSM) Cloud HSM through the Fortanix REST API. For more information on the REST integration and creating the Fortanix crypto token in EJBCA, see Fortanix Data Security Manager.

ACME improvements

EJBCA 8 adds support for DNS Identifier Validation using the tis-alpn-01 Challenge. ACME has also been extended to support HS384 and HS512 MAC algorithms.

ISO 15118-20 (EV charging) support

Extended EJBCA functionality related to SubjectKeyIdentifier and AuthorityKeyIdentifier enables setting up EJBCA 8 to issue certificates according to the requirements specified in ISO 11518-20.

Certificate Counting

A new REST endpoint enables counting the number of issued and active certificates.

Technology upgrades

As a new major version the technology stack supported by EJBCA 8 includes some important updates compared to EJBCA 7. EJBCA 8 supports running on Java 17 in addition to Java 11. Running on Wildfly 26 as application server is also supported and the EJBCA use of application server is based on JEE8. Bouncy Castle has been upgraded to version 1.73.

Announcements

Security Issue

EJBCA 8.0 resolves an authentication issue discovered in EJBCA 7.12.0 that allowed the EJBCA RA user interface certificate distribution servlet to allow partial denial of service.

We rate the issue as having a severity level of medium. Once EJBCA 8.0 has been generally available across all platforms for at least two weeks, a CVE with the identifier CVE-2023-34196 will be published.

Public Web not supported

EJBCA Public Web has been deprecated since EJBCA 7.9 and is no longer supported in EJBCA 8. Customers are advised to use the functionality available in the EJBCA RA user interface.

Running on Java 8 not supported

Running on Java 8 has previously been deprecated and EJBCA 8 does not support running on Java 8.

Old application servers not supported

Running EJBCA 8 on WildFly 10-22 as well as JBoss EAP 7.0-7.3 is not supported. WildFly 26 and JBoss EAP 7.4 are currently the recommended application servers for running EJBCA 8.

Removal of End Entity Printing Functionality

As of this version of EJBCA, we have removed the functionality to print End Entities using SVG templates, as this feature was rarely used and not maintained.

Removal of cesecore-p11.jar and CKA_MODIFIABLE=false

This feature was added a while back to provide a workaround for a vulnerability that has long since been patched by HSM vendors. This workaround does not work in JDK11 and above, so has been removed.

Removal of CMS Signing for Audit Logs

CMS signing was rarely used and required signatures from a soft key stored on the CA. This functionality has been removed from the audit log pages, as well as the accompanying CA settings.

Removal of the legacy asynchronous CMP Proxy

The legacy CMP Proxy, which allowed the CA to poll a database for incoming CMP requests, has been retired and removed. The main purpose of acting as a proxied CMP endpoint has been redundant for some time by the EJBCA RA, and the last remaining functionality that was available on the proxy has now been rolled into the RA as well.

Removal of the legacy asynchronous SCEP Proxy

Like the CMP proxy above, the SCEP proxy has been redundant for quite some years by EJBCA acting as RA. It has now been fully removed.

Removal of ECDSA ImplicitlyCA

The ECDSA ImplicitlyCA functionality has long been discouraged from use, and support has now been entirely removed from EJBCA. Note that ImplicitlyCA has nothing to do with explicit ECDSA parameters.

Upgrade Information

Review the EJBCA 8.0 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 8.0 is included in EJBCA Software Appliance 2.4 and EJBCA Cloud 3.2. EJBCA 8.0 will also be included in the EJBCA Hardware Appliance 3.12 release.

Change Log: Resolved Issues

The following lists fixed bugs and implemented features in EJBCA 8.0.

Issues Resolved in 8.0.0

Released June 2023

New Features

ECA-9249 - Implement ConfigDump for SSH Certificate objects

ECA-9260 - Create a REST call to request an SSH certificate

ECA-9264 - Allow SSH CA public keys to be downloaded in SSH format from the RA web

ECA-9562 - ACME DNS Identifier Validation tls-alpn-01 Challenge

ECA-9856 - Add validity override option to REST /v1/endentity

ECA-10968 - Initial PoC support for Falcon and Dilithium PQC algorithm using soft token and non-official OIDs

ECA-11136 - CMP HMAC validation in Client Mode (Extended validation)

ECA-11146 - Modify language clue about security strength from only NTRU to PQC general

ECA-11154 - Support EC point compression in issued certificates if CSR has it

ECA-11177 - Fortanix crypto token type

ECA-11201 - Add RFC9336 Document Signing built-in extended key usage

ECA-11248 - Ability to include language files from custom publisher plugins

ECA-11258 - Add Matter IoT specific DN components

ECA-11266 - Make max number of jobs for a publishing queue worker configurable.

ECA-11283 - Create tests for CoAP REST endpoint

ECA-11296 - Support Subject and AuthorityKeyIdentifier method 2

ECA-11297 - Add PQC KEM algorithm NTRU as available algorithms in Certificate Profile

ECA-11298 - Add documentation of PQC support

ECA-11300 - Ability to order Key Identifier extensions in specific order

ECA-11328 - Add protocol configuration for REST CoAP

ECA-11363 - Correct test failure in Jenkins related to ticket ECA-11328

ECA-11367 - Est server side key generation

ECA-11377 - CoAP Support for EST Server Side Key-gen

ECA-11378 - CoAP Support for EST 'simplereenroll'

ECA-11432 - Add options to select encryption and wrapping algorithm in clientToolBox SCEPTest command

ECA-11433 - Add support for RSA-OAEP decryption in P11NG

ECA-11440 - Missing support IPv6 for SANs in CMP protocol

ECA-11453 - REST API endpoint for counting issued and active certificates

ECA-11457 - Add uniqueIDentifier and certificationID DN components

ECA-11504 - Document initial support for IBM HPCS HSM using P11NG

ECA-11520 - OCSP responder support for CertId using SHA384 and SHA512 in OCSP requests

Improvements

ECA-8627 - Allow multiple CRL Updater Services to run in parallel

ECA-9536 - Replace configurable header JSP file path with a header selection/upload

ECA-10442 - Add placeholder for certificate serial number in decimal format to e-mail notifications

ECA-10686 - Remove commons-digester

ECA-10688 - Upgrade commons-io to 2.11 or later

ECA-10903 - Improve logging for ACME EAB failures

ECA-10971 - Create an exportable x509-cert-utils module

ECA-10987 - Don't rely on presence of TLS session tickets when detecting type of public access role member

ECA-11064 - Return list of supported JWS algorithms if ACME EAB request uses an unsupported JWS algorithm

ECA-11075 - Add "verify-required" critical option

ECA-11164 - Update ldap.jar to latest version

ECA-11165 - Upgrade log4j to 2.19.0

ECA-11167 - Extend ACME available MAC algorithms to HS384 and HS512

ECA-11170 - Remove reference to velocity.log from build.xml

ECA-11178 - Upgrade woodstox-core to 6.4.0

ECA-11180 - Upgrade Google Guava to version 31.1 or later

ECA-11188 - Rewrite the Validators Page to conform with emerging UX practices

ECA-11189 - Always check revocation status of certificates during authorization

ECA-11191 - Remove calls to deprecated constructors of Integer and Float

ECA-11192 - Cleanup: Update deprecated BouncyCastle references

ECA-11196 - Refactor some CRL related classes and code.

ECA-11199 - Update commons-configuration2 --> 2.8.0

ECA-11214 - Upgrade EJBCA to use CDI

ECA-11215 - Upgrade to javaee-api-8.0.1

ECA-11216 - Allowing special character "+" in email address in AdminWeb add entity

ECA-11233 - Modify CryptoTokenTestRunner to include P11NG

ECA-11235 - Convert MBeans declared in CA UI's faces-config to use CDI instead

ECA-11261 - Remove CoAP endpoints from SwaggerUI

ECA-11264 - Reduce and upgrade javassist to version 3.29.2

ECA-11267 - Modify the Validators page to use a separate column for validator type

ECA-11269 - Refactor ACME Alias overview page according to current UX practices

ECA-11293 - EJBCA - Create an EST CoAP config API

ECA-11294 - CoAP server - Load EST config from EJBCA

ECA-11316 - Solve the root-resource mistery

ECA-11326 - Add handling of "Number of Allowed Requests" in code for race condition avoidance

ECA-11327 - Fix ACME system test failures false positives due to challenge validations

ECA-11373 - Add PQC key generation by the CA in RA Web

ECA-11376 - Remove deprecated call to CoreMatchers.containsString() in AcmeAssert.java

ECA-11390 - P11NG: Clear cache after login

ECA-11391 - CP improvement - Add only relevant key usages to certificates

ECA-11396 - Update default PKCS#11 libraries for Thales ProtectServer 2 and 3

ECA-11399 - Make scope UI configurable for PingID OAuth Provider

ECA-11400 - Remove unused classes

ECA-11401 - Move KeyTools.getBytesFromOauthKey and KeyTools.getKeyIdFromJwkKey out of x509-commons-util

ECA-11402 - Containerize CoAP Proxy

ECA-11404 - Est over coap access rule for Coap rest resource

ECA-11417 - Decrypt Intune client secret on CA

ECA-11426 - SSH Swagger UI example issues

ECA-11435 - Upgrade SnakeYaml to version 2.0

ECA-11436 - Update jackson libraries

ECA-11442 - Rewrite the Search End Entities page in the CA UI to JSF

ECA-11447 - Add warning about re-keying Root CAs

ECA-11451 - Update Swagger Codegen lib to v2.4.31 or later

ECA-11452 - TLS 1.3 Support for key bindings

ECA-11454 - Support decimal serialNr for EJBCA CLI revoke

ECA-11465 - Include SSH feature(s) in the standard EE build

ECA-11466 - 'Use Entity CN Field" for MS UPN

ECA-11474 - Replace tabs in System Configuration Screen with PrimeFaces tabs

ECA-11476 - RA web is not affected by Certificate Chain ordering

ECA-11486 - Fix key algorithm and key spec for PQC when view certificate in Ra web

ECA-11489 - Add ability to enable/disable Fortanix DSM crypto token in properties

ECA-11491 - Enable post-quantum algorithms by default

ECA-11500 - Updated EJBCA logo based on Keyfactor rebranding

ECA-11501 - Match all active vendor CA certificates with CMP vendor certificate mode

ECA-11502 - Evaluate MSAE deny permissions

ECA-11529 - Add margin for Search End Entity Buttons

ECA-11537 - Make ejbca.sh config available on RA / VA builds

ECA-11553 - editcapage: Add ID to the form elements so that test automation does not break with every single release

Bug Fixes

ECA-4347 - Race condition when multiple RA threads are requesting certificates for the same user

ECA-10304 - ACME Configuration: Modified settings reset after save.

ECA-10412 - Fix warnings

ECA-10754 - REST API: When hitting max_statement_time (or 'Maximum Query Timeout'), the request does not fail

ECA-11080 - AdminWeb: GetCrl with insufficient permissions results in 500 Error

ECA-11089 - Unable to Save Advanced Access Rules

ECA-11128 - Autoenrollment alias does not accept krb5 conf file if it is considered plain text

ECA-11137 - Can't view/edit Batch Generation / Clear Text Password state from RA GUI

ECA-11148 - Conflicting autogenerated password error at EE creation

ECA-11161 - Fix HMACAuthenticationModule extracted username bug

ECA-11174 - ZIP releases fail to build using Java 17

ECA-11194 - post upgrade failure from version 7.3.1.4 to version 7.10.0.1

ECA-11202 - WS javadoc fail after X509-Common-Util move

ECA-11203 - ant test:clientToolBox fails after x509-common-util

ECA-11210 - NPE when enrolling an EE with a revoked CA.

ECA-11213 - org.ejbca.core.protocol.scep.ProtocolScepHttpTest.test03OpenScep() failing

ECA-11222 - Internal error via REST API returns wrong status code

ECA-11229 - REST Endpoint accepting EST messages from CoAP Proxy

ECA-11231 - Fix testEjbcaVersion test

ECA-11263 - ejbca-ws-generate broken since upgrade to JEE8

ECA-11290 - UPN value not included in certificate if "Required" in EE Profile not selected

ECA-11292 - View End Entity page in Ra web is broken

ECA-11295 - Add getCertificateSignatureAlgorithm body in SshCertificateUtility

ECA-11310 - Regression: p11ng module missing from ejbca-ejb-cli

ECA-11317 - Process ACME wildcard certificates in order state ready

ECA-11329 - Regression: NPE trying to delete crypto token, checking presence in ACME EAB

ECA-11340 - BC version number not updated in jboss-deployment-structure.xml

ECA-11343 - CoAP server- NullPointerException on repeated enrollment requests

ECA-11346 - End entity profile validation logic for clear password and send notification

ECA-11355 - Fix classpath error in WS CLI

ECA-11369 - Fix compilation issue caused by ECA-11233

ECA-11380 - CRL Import via CA UI can't handle large CRLs

ECA-11412 - clientToolBox does not honor pkcs11.disableHashingSignMechanisms=false

ECA-11419 - PKCS11CryptoToken not working in CE on Java 17

ECA-11424 - Audit log timezone stuck in UTC

ECA-11425 - SSH User cert with principal

ECA-11430 - Remove RSA-OAEP mapping to RSA in ScepRequestMeassage

ECA-11431 - Error creating new CA when there are failed crypto tokens

ECA-11437 - clientToolBox SCEPTest should URL encode GetCACert CA name

ECA-11443 - Missing RA web language string for Matter DN components VID and PID

ECA-11444 - NPE when enrolling SSH certificate via REST

ECA-11455 - Algorithm key length can not be validated for dilithium algorithm

ECA-11458 - Properly handle Verify-required in RA web certificate pages

ECA-11459 - Fix output format of coap serverkeygen cbor response

ECA-11460 - Ensure P11NG CLI generated keys meet Utimaco CP5 HSM keyUsage constraints

ECA-11469 - OCSP Responder next key update "fail" in 7.11.0.1

ECA-11471 - VaPeerStatusServletSystemTest tests are failing

ECA-11475 - MSAE cannot handle commas "," in CN field

ECA-11477 - Update SafeObjectInputStream with KeyFactor classes

ECA-11478 - Security issue

ECA-11479 - Regression: adding new DN components does not work any longer

ECA-11487 - EC keys generation from REST endpoints does not work

ECA-11492 - Unable to download initial superadmin token from RA web

ECA-11499 - LDAP DN order field on edit SSH CA page does not update after clicking save button

ECA-11510 - Va functionality shows up in RA specific EJBCA build

ECA-11523 - Wrong comparison of Hash sets.

ECA-11525 - Crypto tokens created using ejbca.sh do not autoactivate

ECA-11532 - Remove "Asterisk in freshest CRL field" from documentation

ECA-11534 - Javascript does not run in View Certificate dialog, causing revocation confirmation to not show

ECA-11535 - Oauth link does not work in adminWeb

ECA-11538 - Unescaped single quotes blocks publisher type selection in CA UI

ECA-11539 - Protocol status icons are squashed up

ECA-11541 - After cloning a Validator, further edits also result in cloning

ECA-11550 - Fix regressions on the Search End Entities page in CA GUI

ECA-11558 - Infinite amount of Add Constraint rows

ECA-11563 - On open to view certificate on Search End Entities, Error 404

ECA-11564 - Remove "(unused)" from revocation reasons list on Search End Entities page

ECA-11565 - CA Gui search end entity advanced page match how operators gets reset on new added criteria