EJBCA Upgrade Notes

EJBCA is a maintenance release resolving a potential security issue when using SCEP in RA mode.

Below are important changes and requirements to be aware of when upgrading from EJBCA 7.3.1 to EJBCA

For general upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

Database Changes

Being a patch release, EJBCA includes no database changes. If upgrading from 7.2.1 or earlier versions of EJBCA, the changes are the same as for EJBCA 7.3.

Behavioral Changes

SCEP Security Fix - More Restrictive CA Access

In earlier versions of EJBCA, the CA for SCEP was only restricted by the configured End Entity Profile and Certificate Profile. The RA CA Name option, while documented as restricting the CA, was in fact only used as a default option.

As of EJBCA (as well as versions and 7.4.0), a SCEP alias will only allow issuance using the CA selected as RA CA Name. Note that this CA must still be selected in the configured End Entity Profile and the Certificate Profile.
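
A simplified model of the access decision before and after the fix, usable as a pre-upgrade review of SCEP aliases. This is an added example, not EJBCA code: the `ScepAlias` class, its field names, and the sample aliases and CA names are constructed assumptions, and each profile is modeled as an explicit set of selected CAs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ScepAlias:
    # Hypothetical model of one SCEP alias in RA mode (not an EJBCA class).
    name: str
    ra_ca_name: str              # the alias's "RA CA Name" option
    ee_profile_cas: frozenset    # CAs selected in the End Entity Profile
    cert_profile_cas: frozenset  # CAs selected in the Certificate Profile

def profile_cas(alias):
    """CAs permitted by both configured profiles."""
    return alias.ee_profile_cas & alias.cert_profile_cas

def allowed_before_fix(alias, requested_ca):
    # Earlier behavior: only the two profiles restricted the CA.
    return requested_ca in profile_cas(alias)

def allowed_after_fix(alias, requested_ca):
    # Fixed behavior: only RA CA Name, and it must still be in both profiles.
    return requested_ca == alias.ra_ca_name and requested_ca in profile_cas(alias)

def audit(alias):
    """Return (CAs issuable only before the fix, RA CA Name still usable)."""
    cas = profile_cas(alias)
    lost = sorted(ca for ca in cas if not allowed_after_fix(alias, ca))
    return lost, allowed_after_fix(alias, alias.ra_ca_name)

# Constructed sample configuration, for illustration only.
ALIASES = [
    ScepAlias("devices", "DeviceCA",
              frozenset({"DeviceCA", "InternalCA"}),
              frozenset({"DeviceCA", "InternalCA"})),
    ScepAlias("printers", "PrinterCA",
              frozenset({"PrinterCA"}), frozenset({"PrinterCA"})),
    ScepAlias("legacy", "LegacyCA",
              frozenset({"DeviceCA"}), frozenset({"DeviceCA", "LegacyCA"})),
]

if __name__ == "__main__":
    for a in ALIASES:
        lost, usable = audit(a)
        print(f"{a.name}: no longer issuable after upgrade={lost}, "
              f"RA CA Name usable={usable}")
```

An alias with a non-empty first value relied on the old default-only behavior for those CAs; an alias whose second value is false will not issue at all after the upgrade until its RA CA Name is selected in both profiles.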