Below are important changes and requirements when upgrading from EJBCA 7.4 to EJBCA 220.127.116.11. (EJBCA 7.5.0 was an internal release, not generally available for customers.)
EJBCA 18.104.22.168 contains the new columns accountBindingId in CertificateData and tokenProviderId in RoleMemberData, as well as subjectDn and email in ApprovalData (added in EJBCA 7.4.3).
The columns are created automatically by Hibernate when EJBCA 22.214.171.124 is deployed for the first time. However, if your EJBCA database user does not have GRANT privileges, you need to run the ALTER commands in the upgrade SQL scripts before deploying EJBCA. SQL scripts are located under
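A pre-deployment check for the columns listed above, as an added example that is not part of the EJBCA documentation or its upgrade scripts. It assumes a database that exposes the standard information_schema.columns view (for example MariaDB/MySQL or PostgreSQL) and returns one row for each column that is still missing, so an empty result means the schema already has them.

```sql
-- Added example: list the columns named in these upgrade notes that are
-- not yet present. Run it connected to the EJBCA database, as the same
-- database user that EJBCA itself uses.
SELECT expected.table_name,
       expected.column_name
FROM (
    -- Table/column pairs taken from the upgrade notes above.
    SELECT 'CertificateData' AS table_name, 'accountBindingId' AS column_name
    UNION ALL SELECT 'RoleMemberData', 'tokenProviderId'
    UNION ALL SELECT 'ApprovalData',   'subjectDn'
    UNION ALL SELECT 'ApprovalData',   'email'
) expected
WHERE NOT EXISTS (
    SELECT 1
    FROM information_schema.columns c
    -- Compare case-insensitively: PostgreSQL folds unquoted identifiers
    -- to lower case, while MariaDB/MySQL keep the case used at creation.
    WHERE LOWER(c.table_name)  = LOWER(expected.table_name)
      AND LOWER(c.column_name) = LOWER(expected.column_name)
      -- If the server hosts several databases or schemas with these
      -- tables, uncomment and set the placeholder to the EJBCA one, so a
      -- column in another copy does not hide a missing one here:
      -- AND c.table_schema = '<EJBCA_SCHEMA_PLACEHOLDER>'
);
```

Any row returned before deployment means either the database user must be able to alter the schema or the ALTER commands from the upgrade SQL scripts have to be run first.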
New Secure Authentication Web Property
To support authentication with both certificate and OAuth2 token, a new web.reqauth property has been added to the web.properties configuration file, replacing and deprecating the former property. The web.reqauth property enforces secure authentication by the client TLS certificate or OAuth2 token to access the EJBCA Administration interface. The change is backward compatible and thus the former web.reqcert property can still be used in existing configurations. Note, however, that new installations should only use the
Improved RA and CA Approvals Handling
RA approvals and CA approvals are now handled in their respective UIs.
RA Related Approvals Moved To RA UI
Approvals for the following actions are now managed using the RA UI and are no longer listed in the CA UI:
- Add/Edit End Entity
- Key recovery
CA Related Approvals Moved To CA UI
CA related approvals are shown in the CA UI (Supervision Functions > Approve Actions) and approvals for the CA Token Activation are no longer listed in the RA UI. For more information, see Approving Actions.
Default Encoding of Policy Notice Text X.509 Certificate Extension Changed to UTF-8
When creating a new CA, the option Use UTF-8 in policy notice text previously defaulted to false in order to support older versions of Windows. Since Windows now supports the standard UTF-8 encoding, the default value of Use UTF-8 in policy notice text has been changed to true (enabled). The change only applies to creating new CAs and values of existing CAs are not changed.
Removed Support for Native Browser Enrollment
The Public Web menu option Create Browser Certificate has been removed since relevant browsers no longer support this functionality.
If upgrading a software installation of EJBCA eIDAS edition, the following two options need to be enabled in conf/web.properties in order for the Utimaco CP5 HSM options to be visible in the Admin UI when creating new crypto tokens and activating keys in crypto tokens.