EJBCA 7.2 Upgrade Notes

Below are important changes and requirements when upgrading from EJBCA 7.1 to EJBCA 7.2:

For upgrade instructions and information on upgrade paths, see Upgrading EJBCA. For details of the new features and improvements in this release, see the EJBCA 7.2 Release Notes

Behavioral Changes

Certificate Store and CRL Store Servlets Always Available

The configuration files certstore.properties and crlstore.properties are removed and should no longer be used.

These configuration files allowed you to specify the context root of the servlet and whether the servlet should be available in the EAR file. As of EJBCA 7.2, these two servlets are always available and the context root property has been removed.

Access to these servlets is controlled using Modular Protocols Configuration.

If you are using a custom context root for these servlets, you should reconfigure your client to use the new context root, or put an HTTP proxy between EJBCA and your client.

PropertyDefault setting in EJBCA <7.2Default setting as of EJBCA 7.2
CRL Store
crlstore.enabledfalse

Setting configured in crlstore.properties at compile time.
true

Setting configured using Modular Protocols Configuration at runtime.
crlstore.contextroot/ejbca/publicweb/crls

Setting configured in crlstore.properties at compile time.
/ejbca/publicweb/crls

Setting is not configurable.
Certificate Store
certstore.enabledfalse

Setting configured in certstore.properties at compile time.
true

Setting configured using Modular Protocols Configuration at runtime.
certstore.contextroot/ejbca/publicweb/certificates

Setting configured in certstore.properties at compile time.
/ejbca/publicweb/certificates

Setting is not configurable.

If you are upgrading from EJBCA 6.11 or later, and your previous deployment did not contain the servlet, access to it will be disabled after an upgrade. However, if you are upgrading from EJBCA 6.10 or older (where the Modular Protocols Configuration feature was not implemented) access to the servlet cannot be configured automatically during an upgrade, since there is no way of determining whether your previous deployment contained the servlet or not. If your previous deployment did not contain the servlet and you do not want it to be accessible, you need to manually disable it.

Upgrading fromEJBCA 6.10 or olderEJBCA 6.11 and later versions
Previous deployment contained servletNew deployment will still contain the servlet, and it will be enabled.New deployment will still contain the servlet, and the existing configuration value in Modular Protocols Configuration is kept.
Previous deployment did not contain servletNew deployment will contain the servlet, and it will be enabled.
You can disable it manually using Modular Protocols Configuration.
New deployment will contain the servlet, but it will be disabled.

Improved Service Execution Logging

Previously the logs stated that service workers had executed or not, but didn't note the state of the execution (any errors being rendered as parts of output). Service workers have been modified to report to the logs the complete execution state, which can be Successful (if run), Failed (if run, although with some failures) or No Action (if executed, but no actions needed to be taken).

Default CA for SCEP Aliases

If the alias being used is operating in RA mode and the message parameter is not specified in the SCEP request, the SCEP operations GetCACert, GetCACertChainGetNextCACert and GetCACaps use the RA CA name defined by the alias, instead of relying on the scep.defaultca property. This allows for more flexibility and easier configuration for deployments where editing configuration files is inconvenient or not possible.

The old behavior for determining the CA name to use was as follows:

  • If a message was sent, use the CA specified by the message.
  • If no message was sent, use the CA specified by the property scep.defaultca.

As of EJBCA 7.2, the name of the CA to use is computed as follows:

  • If a message was sent, use the CA specified by the message.
  • If the alias is in RA mode and no message is sent, use the RA CA name specified by the alias.
  • If the alias is in CA mode, the property scep.defaultca is defined, and no message is sent, use the CA specified by the property scep.defaultca.
  • If the alias is in CA mode, the property scep.defaultca is not defined, and no message is sent, produce an error.

For more information, see SCEP.

Certificate Transparency

Persistent Caching

Persistent caching of Certificate Transparency SCTs (Signed Certificate Timestamps) has been added in addition to the existing in-memory caching. This adds a new table, SctData for storing cached SCT data. Please ensure this table exists if you use Certificate Transparency.

As there can be several SCTs per certificate, the SctData table will grow large over time. Therefore, we strongly recommend creating an index on the fingerprint column. Refer to doc/sql-scripts/create-index-ejbca.sql for an SQL command to create the index.

Non-Functional Logs Caching (fast fail)

The "fast fail" cache is now enabled by default. For details, see EJBCA 7.2 Release Notes.

Please make sure that only CAs that are trusted by the CT logs are used in certificate profiles where CT is enabled. If a certificate issued by an untrusted CA is submitted, the CT log will return an error, and EJBCA will consider the log to be non-functional (for all CAs, not just the untrusted one).

To disable the "fast fail" cache, set the property ct.fastfail.enabled to false in the file conf/cesecore.properties.

For more information, see Certificate Transparency.

Post Upgrade

When upgrading to EJBCA 7.2.0, you must perform a post-upgrade after all nodes have been upgraded. The post-upgrade is required because of an improvement allowing custom certificate start time/end time to be set with seconds granularity. The time value was previously saved with minutes granularity.

To perform the post-upgrade, click the EJBCA System Upgrade menu option, and then click Start post-upgrade. For more information, see Upgrading EJBCA.