Below are important changes and requirements when upgrading from EJBCA 7.9 to EJBCA 18.104.22.168. (EJBCA 7.10.0 was an internal release, not generally available for customers).
When you upgrade to EJBCA 22.214.171.124, you must perform a post-upgrade. The post-upgrade is required for ACME pre-authorization and if a post-upgrade is not performed, order creation will fail for pre-authorized identifiers and a new authorization must be requested by the ACME client. ACME pre-authorizations expire after 24 hours. To avoid these cases, disable the ACME protocol (under EJBCA System Configuration > Protocol Configuration > ACME) before the update and re-enable it after the post-upgrade is complete.
To perform the post-upgrade, click the EJBCA System Upgrade menu option, and then click Start post-upgrade. For more information, see Upgrading EJBCA.
Produce Pre-signed OCSP Responses Only for non-expired Certificates
The OCSP Response Pre-Signer worker now generates responses for non-expired certificates and updates the expired responses for non-expired certificates. The expired certificates will keep receiving OCSP responses generated online. For more information, see OCSP Response Pre-Signer.
ConfigDump Import Improvements
The EJBCA ConfigDump tool will now only import or update role members if the token being used is important to the role being updated. A token is considered important for a role if the access rights granted to the token by the role are not duplicated in some other role that has the same token as a member. For more information, see ConfigDump Tool
More Fine-grained Access Rules for RA GUI
The access rules
/ca_functionality/use_approval_request_id have been added and correspond to the pages with the same name in the EJBCA RA UI. These access rules are added automatically to all roles with
/ca_functionality/create_certificate access. For more information, see Access Rules and RA Administrator Access Rules.
New Extension Added by Default During MS Auto-enrollment
Addressing a recent vulnerability discovered for Microsoft Certificate-Based Authentication, EJBCA now supports the new extension szOID_NTDS_CA_SECURITY_EXT that maps the certificate to an Active Directory user /computer object. The extension will be allowed by default for all certificate profiles and included in certificates enrolled via EJBCA's Microsoft Auto-enrollment integration. Enrollment via other endpoints and protocols is not affected. For more information, see Microsoft ObjectSid Security Extension in Certificate Profile Fields.
The legacy script-based auto-enrollment (relevant before Microsoft Auto-enrollment was integrated into EJBCA proper) has been removed. For more information on auto-enrollment in EJBCA, see Microsoft Auto-enrollment Overview.
Validation CLI Tool
The legacy Validation CLI has not been supported for several years and is being sunset in this release, to be removed in the next major/feature release.