SEPTEMBER 2023

The EJBCA team is pleased to announce the release of EJBCA 8.1. This release introduces two new features, Subject Name Log Redaction and Expired Certificate Cleanup, along with other improvements and error corrections. In addition, Bouncy Castle has been upgraded to 1.75.

Deployment options include EJBCA Software Appliance and EJBCA Cloud.

Highlights

Subject Name Log Redaction

Using the Subject Name Log Redaction feature in EJBCA 8.1, EJBCA administrators can set up the system to redact the Subject Distinguished Name (SubjectDN) and Subject Alternative Name (SAN) from the audit log and trace logs for configured end entities. Subject Name Log Redaction can be used to set up EJBCA for compliance with data privacy regulations relating to the content of the SubjectDN and SAN fields. For more information, see Subject Name Log Redaction.

Expired Certificate Cleanup

A new service has been added in EJBCA 8.1 to enable automated cleanup of expired certificates and Certificate Revocation Lists (CRLs). Both the interval at which the service checks for expired certificates and CRLs and the time period to keep them in the system once expired are configurable. For more information, see Database Maintenance Service.

Upgrade Information

Review the EJBCA Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 8.1 is included in EJBCA Software Appliance 2.4.2 and will be included in the upcoming EJBCA Cloud 3.3.

Change Log: Resolved Issues

The following lists implemented features and fixed issues in EJBCA 8.1.

Issues Resolved in 8.1

Released September 2023

New Features

ECA-10059 - Add Auto Enrollment configuration to configdump for import/export

ECA-11456 - Not possible to create a keystore for PQC

ECA-11485 - Fix key specification configuration for NTRU in Certificate Profile and Ra web

ECA-11583 - Create new service worker type "Database Maintenance Worker"

ECA-11584 - CRL cleanup logic for DatabaseMaintenanceWorker

ECA-11601 - End Entity Profile field for Subject Name redaction

ECA-11636 - Allow WildFly container start with cgroup2

ECA-11660 - Support id_token in OAuth2

ECA-11672 - Subject Name log redaction for ACME

ECA-11675 - Subject Name log redaction for REST

ECA-11676 - Subject Name log redaction for RA web

ECA-11680 - Subject Name log redaction for ejbca-ejb module

ECA-11682 - Subject Name log redaction for cesecore-ejb module

ECA-11683 - Subject Name log redaction for cesecore-common and cesecore-entity module

ECA-11685 - Subject Name log redaction for x509-common-util module

ECA-11700 - Subject Name log redaction for protocols: EST, CMP and SCEP

ECA-11719 - Subject Name log redaction for ejbca-common

ECA-11720 - P11NG-CLI ability to list and delete data objects

ECA-11739 - HSM support for Dilithium for HSMs supported by P11NG

ECA-11746 - CLI command for certificate count

ECA-11763 - PingFederate Oauth Integration

ECA-11806 - Ability to issue CV Certificates (from a CVCA) from a PKCS#10 CSR

Improvements

ECA-7617 - Hide "Create CRL" button for CVC CAs

ECA-7618 - Add option to use custom port with ScpPublisher

ECA-9297 - Name Registration Authorities not included in QC Statements

ECA-10590 - Add Configdump import/export support for peer systems

ECA-10673 - Update CRL links of Publisher Queue Status

ECA-10964 - When registering through WS/SOAP "edituser" the "startTime" and "endTime" is always modifiable regardless of the EEP settings

ECA-11273 - Protect CMP error messages whenever possible

ECA-11323 - Improve v1/certificate/certificaterequest error handling

ECA-11413 - Ensure that all session data is Serializable

ECA-11450 - Introduce revocation cache for authentication

ECA-11551 - Search End Entities Slow/Timeout if upper() used

ECA-11557 - Add Invalidity date to REST /v2/certificate/search

ECA-11570 - Remove self-register properties from web.properties.sample

ECA-11594 - Library upgrade (xstream)

ECA-11615 - Validate subject_dn in REST /v1/endentity

ECA-11631 - Change dnsjava Lookup default cache for ACME dns-01 challenge

ECA-11647 - P11NG-CLI: print key type and public values

ECA-11661 - Add configdump support for External CRL Distribution Point

ECA-11678 - Subject Name Redaction Audit Log - Remaining System Tests

ECA-11714 - Migrate to the new jsch library

ECA-11725 - Support validity parameters in SSH certificate enrollment in REST

ECA-11753 - Update relevant EJBCA doc

ECA-11766 - Subject Name log redaction for ACME refinement

ECA-11771 - Subject Name log redaction for ejbca-common-web and ejbca-entity refinement

ECA-11797 - Configurable CA Chain order for SCEP

ECA-11805 - Document use of P11NG for RSASSA-PSS

ECA-11811 - CLI importca command should take a token name argument for pre-existing crypto token

ECA-11813 - Update docs related to ECA-11754

ECA-11816 - Clear warning in Admin UI about renewing existing CA

ECA-11824 - Upgrade x509-common-utils to 0.10.5

ECA-11841 - Upgrade RESTEasy libraries to version 4.7.8.Final or newer

Bug Fixes

ECA-7089 - /ca_functionality/add_ca access rule can't be set in Admin GUI

ECA-11228 - Cache clearance fails in cluster due to https redirect

ECA-11289 - Revisit "Generate OCSP responses for" in VA Responders

ECA-11467 - External Issuing CAs are displayed as Root CAs

ECA-11498 - REST API fails with "REST resources is not authorized for this Peer connection"

ECA-11515 - Manage Services - Delete Service without selection opens dialog

ECA-11518 - Manage CAs - Import CA certificate - Import arbitrary file results in a NullPointerException

ECA-11531 - Fix p11ng-cli.sh deleteobject command

ECA-11545 - ejbca.sh ca importcert command does not print a user message after failure

ECA-11561 - Duplicate service timer invocations are not ignored

ECA-11568 - Ensure that data on Search End Entity page is Serializable

ECA-11572 - Exception creating CSR for CA without uploading CA chain

ECA-11580 - Remote Internal Key Binding Updater E-mail action doesn't work

ECA-11602 - Multiple MSAE alias value override

ECA-11604 - RA web Certificate Validity fields - doesn't support "days:hours:minutes"

ECA-11610 - EST get CA certificate fails when certificate authentication is used

ECA-11612 - Error should be displayed when clicking on buttons on search End Entity Page

ECA-11624 - Search End Entity Advance, Searching by Date of Creation only is not possible

ECA-11627 - Auditor role shows "Edit" button on end entity profiles

ECA-11634 - JsfDynamicUiHtmlInputFileUpload$1 Exception on acme alias modification.

ECA-11691 - In Edit CA page directoryName name constraints is classified as URI type

ECA-11692 - Enrollment in RA web fails for DILITHIUM(n) keys

ECA-11703 - EJBCA does not provide OCSP response with the proper hash when using the CA signing key

ECA-11705 - NPE arises when no CAs to check have been chosen

ECA-11710 - BE Lack of messages in ValidationMessages.properties

ECA-11712 - Add error messages for End Entity /setstatus REST API

ECA-11717 - CA certificate should be possible to revoke from Admin web only

ECA-11721 - CA revocation revokes expired certificates

ECA-11723 - ITS REST APIs are not accessible via Swagger UI

ECA-11726 - Documented database index incompatible with postgresql

ECA-11727 - Remove references to ejbca-rest-common src-test directory

ECA-11730 - BE Lack validation for publisher REST import

ECA-11737 - pkcs11ng cryptotokens incorrectly show as active if used by a CA

ECA-11744 - Wrong timezone is used for CT log sharding

ECA-11756 - Node local log redaction settings are not immediately detected after restart

ECA-11757 - CT Pre-certs trigger Unique Subject DN check

ECA-11773 - Refinement on log redaction audit log and other

ECA-11774 - Minor refinement on log redaction for EjbcaWS

ECA-11786 - Refinement on missed log redactions

ECA-11802 - Fix NPE in CertificateData.getLogSafeSubjectAltName

ECA-11810 - Regression: NPE after upgrade from older EJBCA to current main (which has Subject Name log redaction feature)

ECA-11817 - End Entities cannot be edited in RA Web

ECA-11819 - Enrollment Issues with WebService (log redaction)

ECA-11822 - Calculation of maximumExpirationDate to renew certificate overflows at 25 days

ECA-11827 - ca_management endpoint must be Unavailable in CE edition

ECA-11829 - Fix AvailableProtocolsConfigurationTest

ECA-11832 - Fix broken equals/hashCode in PeerOutgoingInformation

ECA-11835 - Selecting CertSafePublisher and AzureCrlPublisher in Edit publisher page generates NPE

ECA-11836 - No default value for the 'Available Security Levels'

ECA-11839 - Regression: NPE on certificate issuance in RA web, when CA is running 8.0

ECA-11843 - Fix non-deterministic serialization of Certificate Profiles