EJBCA 8.1 Release Notes
SEPTEMBER 2023
The EJBCA team is pleased to announce the release of EJBCA 8.1. With this release, new EJBCA features for Subject Name Log Redaction and Expired Certificate Cleanup are introduced. The release also includes other improvements and error corrections. In addition, Bouncy Castle has been upgraded to 1.75.
Deployment options include EJBCA Software Appliance and EJBCA Cloud.
Highlights
Subject Name Log Redaction
Using the Subject Name Log Redaction feature in EJBCA 8.1, EJBCA administrators can set up the system to redact the Subject Distinguished Name (SubjectDN) and Subject Alternative Name (SAN) from the audit log and trace logs for configured end entities. Subject Name Log Redaction can be used to set up EJBCA for compliance with data privacy regulations relating to the content of the SubjectDN and SAN fields. For more information, see Subject Name Log Redaction.
Expired Certificate Cleanup
A new service has been added in EJBCA 8.1 to enable automated cleanup of expired certificates and Certificate Revocation Lists (CRLs). Both the interval at which the service checks for expired certificates and CRLs and the time period for which they are kept in the system once expired are configurable. For more information, see Database Maintenance Service.
Upgrade Information
Review the EJBCA Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.
EJBCA 8.1 is included in EJBCA Software Appliance 2.4.2 and will be included in the upcoming EJBCA Cloud 3.3.
Change Log: Resolved Issues
The following lists implemented features and fixed issues in EJBCA 8.1.
Issues Resolved in 8.1
New Features
ECA-10059 - Add Auto Enrollment configuration to configdump for import/export
ECA-11456 - Not possible to create a keystore for PQC
ECA-11485 - Fix key specification configuration for NTRU in Certificate Profile and Ra web
ECA-11583 - Create new service worker type "Database Maintenance Worker"
ECA-11584 - CRL cleanup logic for DatabaseMaintenanceWorker
ECA-11601 - End Entity Profile field for Subject Name redaction
ECA-11636 - Allow WildFly container start with cgroup2
ECA-11660 - Support id_token in OAuth2
ECA-11672 - Subject Name log redaction for ACME
ECA-11675 - Subject Name log redaction for REST
ECA-11676 - Subject Name log redaction for RA web
ECA-11680 - Subject Name log redaction for ejbca-ejb module
ECA-11682 - Subject Name log redaction for cesecore-ejb module
ECA-11683 - Subject Name log redaction for cesecore-common and cesecore-entity module
ECA-11685 - Subject Name log redaction for x509-common-util module
ECA-11700 - Subject Name log redaction for protocols: EST, CMP and SCEP
ECA-11719 - Subject Name log redaction for ejbca-common
ECA-11720 - P11NG-CLI ability to list and delete data objects
ECA-11739 - HSM support for Dilithium for HSMs supported by P11NG
ECA-11746 - CLI command for certificate count
ECA-11763 - PingFederate Oauth Integration
ECA-11806 - Ability to issue CV Certificates (from a CVCA) from a PKCS#10 CSR
Improvements
ECA-7617 - Hide "Create CRL" button for CVC CAs
ECA-7618 - Add option to use custom port with ScpPublisher
ECA-9297 - Name Registration Authorities not included in QC Statements
ECA-10590 - Add Configdump import/export support for peer systems
ECA-10673 - Update CRL links of Publisher Queue Status
ECA-10964 - When registering through WS/SOAP "edituser" the "startTime" and "endTime" is always modifiable regardless of the EEP settings
ECA-11273 - Protect CMP error messages whenever possible
ECA-11323 - Improve v1/certificate/certificaterequest error handling
ECA-11413 - Ensure that all session data is Serializable
ECA-11450 - Introduce revocation cache for authentication
ECA-11551 - Search End Entities Slow/Timeout if upper() used
ECA-11557 - Add Invalidity date to REST /v2/certificate/search
ECA-11570 - Remove self-register properties from web.properties.sample
ECA-11594 - Library upgrade (xstream)
ECA-11615 - Validate subject_dn in REST /v1/endentity
ECA-11631 - Change dnsjava Lookup default cache for ACME dns-01 challenge
ECA-11647 - P11NG-CLI: print key type and public values
ECA-11661 - Add configdump support for External CRL Distribution Point
ECA-11678 - Subject Name Redaction Audit Log - Remaining System Tests
ECA-11714 - Migrate to the new jsch library
ECA-11725 - Support validity parameters in SSH certificate enrollment in REST
ECA-11753 - Update relevant EJBCA doc
ECA-11766 - Subject Name log redaction for ACME refinement
ECA-11771 - Subject Name log redaction for ejbca-common-web and ejbca-entity refinement
ECA-11797 - Configurable CA Chain order for SCEP
ECA-11805 - Document use of P11NG for RSASSA-PSS
ECA-11811 - CLI importca command should take a token name argument for pre-existing crypto token
ECA-11813 - Update docs related to ECA-11754
ECA-11816 - Clear warning in Admin UI about renewing existing CA
ECA-11824 - Upgrade x509-common-utils to 0.10.5
ECA-11841 - Upgrade RESTEasy libraries to version 4.7.8.Final or newer
Bug Fixes
ECA-7089 - /ca_functionality/add_ca access rule can't be set in Admin GUI
ECA-11228 - Cache clearance fails in cluster due to https redirect
ECA-11289 - Revisit "Generate OCSP responses for" in VA Responders
ECA-11467 - External Issuing CAs are displayed as Root CAs
ECA-11498 - REST API fails with "REST resources is not authorized for this Peer connection"
ECA-11515 - Manage Services - Delete Service without selection opens dialog
ECA-11518 - Manage CAs - Import CA certificate - Import arbitrary file results in a NullPointerException
ECA-11531 - Fix p11ng-cli.sh deleteobject command
ECA-11545 - ejbca.sh ca importcert command does not print a user message after failure
ECA-11561 - Duplicate service timer invocations are not ignored
ECA-11568 - Ensure that data on Search End Entity page is Serializable
ECA-11572 - Exception creating CSR for CA without uploading CA chain
ECA-11580 - Remote Internal Key Binding Updater E-mail action doesn't work
ECA-11602 - Multiple MSAE alias value override
ECA-11604 - RA web Certificate Validity fields - doesn't support "days:hours:minutes"
ECA-11610 - EST get CA certificate fails when certificate authentication is used
ECA-11612 - Error should be displayed when clicking on buttons on search End Entity Page
ECA-11624 - Search End Entity Advance, Searching by Date of Creation only is not possible
ECA-11627 - Auditor role shows "Edit" button on end entity profiles
ECA-11634 - JsfDynamicUiHtmlInputFileUpload$1 Exception on acme alias modification.
ECA-11691 - In Edit CA page directoryName name constraints is classified as URI type
ECA-11692 - Enrollment in RA web fails for DILITHIUM(n) keys
ECA-11703 - EJBCA does not provide OCSP response with the proper hash when using the CA signing key
ECA-11705 - NPE arises when no CAs to check have been chosen
ECA-11710 - BE Lack of messages in ValidationMessages.properties
ECA-11712 - Add error messages for End Entity /setstatus REST API
ECA-11717 - CA certificate should be possible to revoke from Admin web only
ECA-11721 - CA revocation revokes expired certificates
ECA-11723 - ITS REST APIs are not accessible via Swagger UI
ECA-11726 - Documented database index incompatible with postgresql
ECA-11727 - Remove references to ejbca-rest-common src-test directory
ECA-11730 - BE Lack validation for publisher REST import
ECA-11737 - pkcs11ng cryptotokens incorrectly show as active if used by a CA
ECA-11744 - Wrong timezone is used for CT log sharding
ECA-11756 - Node local log redaction settings are not immediately detected after restart
ECA-11757 - CT Pre-certs trigger Unique Subject DN check
ECA-11773 - Refinement on log redaction audit log and other
ECA-11774 - Minor refinement on log redaction for EjbcaWS
ECA-11786 - Refinement on missed log redactions
ECA-11802 - Fix NPE in CertificateData.getLogSafeSubjectAltName
ECA-11810 - Regression: NPE after upgrade from older EJBCA to current main (which has Subject Name log redaction feature)
ECA-11817 - End Entities cannot be edited in RA Web
ECA-11819 - Enrollment Issues with WebService (log redaction)
ECA-11822 - Calculation of maximumExpirationDate to renew certificate overflows at 25 days
ECA-11827 - ca_management endpoint must be Unavailable in CE edition
ECA-11829 - Fix AvailableProtocolsConfigurationTest
ECA-11832 - Fix broken equals/hashCode in PeerOutgoingInformation
ECA-11835 - Selecting CertSafePublisher and AzureCrlPublisher in Edit publisher page generates NPE
ECA-11836 - No default value for the 'Available Security Levels'
ECA-11839 - Regression: NPE on certificate issuance in RA web, when CA is running 8.0
ECA-11843 - Fix non-deterministic serialization of Certificate Profiles