EJBCA Upgrade Notes

EJBCA is a maintenance release resolving vulnerabilities found in EJBCA during penetration testing.

Below are important changes and requirements to be aware of when upgrading from EJBCA 7.3.1 to EJBCA

For general upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

Database Changes

Being a patch release, EJBCA includes no database changes. If upgrading from 7.2.1 or earlier versions of EJBCA, the changes are the same as for EJBCA 7.3.

Behavioral Changes

CVCA Link Certificate Validity and Signature Algorithm


When renewing a Country Verifying CA (CVCA) in the EJBCA Admin UI, a link certificate is automatically created. In earlier versions of EJBCA, the CVCA link certificate inherited the validity (notAfter date) from the old CVCA certificate. This has now been fixed and the notAfter date of the CVCA link certificate will now match the validity of the new CVCA certificate according to the Common Certificate Policy for the Extended Access Control Infrastructure for Travel and Residence Documents (BSI TR-03139).

When renewing a Country Verifying CA (CVCA) and changing the signature algorithm for the new CVCA, the link certificate was previously signed with the algorithm of the new CVCA. This has now been resolved and the link certificate is now signed with the algorithm of the old CVCA. Note that the algorithm identifier in the link certificate itself is the new algorithm as the algorithm is tied to the public key, not to the certificate signature.