EJBCA 7.11 Release Notes

DECEMBER 2022 / FEBRUARY 2023

The EJBCA team is pleased to announce the release of EJBCA 7.11.

This release includes enhancements to our CMP implementation, usability improvements, compliance updates, and more. This release also upgrades Bouncy Castle to version 1.72.

Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.

Highlights

Revocation Reason Change

Addressing Mozilla's Root Store Policy, this release introduces the ability to change the revocation reason of previously revoked certificates. Changing the revocation reason is enabled at the Certificate Authority level, and backdating is allowed if set in the relevant Certificate Profile. The new revocation reason can only be Key Compromise. The revocation reason can be changed through the EJBCA REST API, the RA Web UI, and Web Services. For more information, see Allow Changing Revocation Reason in CA Fields and Allow Backdated Revocation in Certificate Profile Fields.

RA Validation of CMP Messages

For EJBCA deployments with a peer-connected RA separate from the CA, where the CMP protocol is used for enrollment, EJBCA 7.11 provides a new option in which CMP messages are validated on the RA before being forwarded to the CA. The validation applies to signature-protected messages as well as to HMAC-protected messages. Aside from providing enhanced security in deployments using CMP for enrollment, it allows customers to migrate to a standard peer-connected EJBCA CA/RA configuration following the deprecation of the CMP Proxy and External RA in EJBCA 7.11. For more information, see CMP.

Partial Support for CMP Lightweight Profile

With EJBCA 7.11, a subset of the CMP Lightweight Profile is available for use with CMP in EJBCA. The CMP Lightweight Profile defines a specified subset of CMP operations and functionality, mainly targeting industrial and IoT use cases, including resource-constrained devices. With this release, support has been added for message protection with PBMAC1 as well as for the P10CR message body. For more information, see CMP.
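The two MAC-based protection schemes that an RA validating CMP messages (see the two sections above) has to recompute before forwarding a request to the CA, as an added example that is not EJBCA code: the older RFC 4210 PasswordBasedMac (iterated one-way hash of secret and salt) and the RFC 8018 PBMAC1 scheme (PBKDF2 key derivation) added in this release, both finishing with an HMAC over the protected part. The shared secret, salt and protected-part bytes are constructed sample values, and HMAC-SHA256 is assumed as the MAC algorithm; a real RA MACs the DER-encoded ProtectedPart of the PKIMessage.

```python
"""Added example (not EJBCA code): RA-side verification of MAC-protected CMP
messages for PasswordBasedMac (RFC 4210 5.1.3.1) and PBMAC1 (RFC 8018 7.1)."""
import hashlib
import hmac

MAC_ALG = "sha256"  # assumption: hmacWithSHA256 as the MAC / PRF in both schemes


def derive_key(scheme: str, secret: bytes, salt: bytes, iterations: int,
               key_len: int = 32) -> bytes:
    """Return the symmetric MAC key for the named protection scheme."""
    if scheme == "PasswordBasedMac":
        # RFC 4210: OWF applied 'iterations' times, starting from secret || salt.
        key = secret + salt
        for _ in range(iterations):
            key = hashlib.new(MAC_ALG, key).digest()
        return key
    if scheme == "PBMAC1":
        # RFC 8018: the MAC key is the PBKDF2-HMAC output of the shared secret.
        return hashlib.pbkdf2_hmac(MAC_ALG, secret, salt, iterations, key_len)
    raise ValueError(f"unsupported protection scheme: {scheme}")


def client_protect(scheme: str, secret: bytes, salt: bytes, iterations: int,
                   protected_part: bytes) -> bytes:
    """What the enrolling device attaches as the PKIMessage protection field."""
    key = derive_key(scheme, secret, salt, iterations)
    return hmac.new(key, protected_part, MAC_ALG).digest()


def ra_verify(scheme: str, secret: bytes, salt: bytes, iterations: int,
              protected_part: bytes, claimed_mac: bytes) -> bool:
    """RA check before forwarding: refuse weak or unknown parameters, then
    recompute the MAC and compare it in constant time."""
    if iterations < 1 or len(salt) < 8:
        return False
    try:
        expected = client_protect(scheme, secret, salt, iterations, protected_part)
    except ValueError:
        return False  # unknown algorithm identifier: do not forward to the CA
    return hmac.compare_digest(expected, claimed_mac)


# Constructed sample values: one pre-shared secret enrolled for a device and
# a stand-in for the DER-encoded ProtectedPart of an ir/p10cr request.
SHARED_SECRET = b"constructed-device-shared-secret"
SALT = b"0123456789abcdef"
ITERATIONS = 1000
PROTECTED_PART = b"constructed DER(ProtectedPart) of a CMP p10cr"

if __name__ == "__main__":
    for scheme in ("PasswordBasedMac", "PBMAC1"):
        mac = client_protect(scheme, SHARED_SECRET, SALT, ITERATIONS, PROTECTED_PART)
        ok = ra_verify(scheme, SHARED_SECRET, SALT, ITERATIONS, PROTECTED_PART, mac)
        tampered = ra_verify(scheme, SHARED_SECRET, SALT, ITERATIONS, PROTECTED_PART + b"!", mac)
        print(f"{scheme}: genuine={ok} tampered={tampered}")
```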

Separation of Keybindings into OCSP Responders and Remote Authentication

To improve usability, the OCSP Key Bindings and Authentication Key Bindings configurations have been replaced with new OCSP Responders and Remote Authenticators pages in the EJBCA CA UI. User input for OCSP Responder and Remote Authenticator configuration is now tailored to each use case, while the Internal Keybindings concept is still used internally. The behavior of existing key bindings is not affected by this usability change. For more information, see Remote Authenticators Overview.

Announcements

Validation CLI Tool Removed

As announced in previous upgrade notes, the legacy CLI-based Validation Tool has now been removed from EJBCA.

Deprecation of External RA and CMP Proxy

As of EJBCA 7.11, the use of External RA and CMP Proxy is deprecated. Customers previously using the CMP Proxy are advised to migrate to RA Validation of CMP messages in a peer-connected CA/RA setup.

Upgrade Information

Review the EJBCA 7.11 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 7.11.0 is included in EJBCA Hardware Appliance 3.11.0, EJBCA Software Appliance 2.3.0, and EJBCA Cloud 3.0.

EJBCA 7.11.0.1 is included in EJBCA Hardware Appliance 3.11.1 and EJBCA Software Appliance 2.3.1.

Change Log: Resolved Issues

The following lists the bugs fixed and features implemented in EJBCA 7.11.

Issues Resolved in 7.11.0.1

Released February 2023

Bug Fixes

ECA-11227 - Key Recovery data not stored using P11NG

Issues Resolved in 7.11.0

Released December 2022

New Features

ECA-9261 - Allow enrollment of SSH Certificates over the RA Web

ECA-9263 - Allow SSH certificates to be searched in the RA web

ECA-10522 - Add support for ECDSA Authentication in peers using TLS 1.2

ECA-10813 - Support for PBMAC1 algorithm in CMP

ECA-10816 - Support for P10CR request body in CMP

ECA-10963 - End entity profile for SSH

ECA-10965 - Add support for SHA3 ECDSA signature algorithms to P11NG

ECA-10980 - GUI: Ability to toggle revocation reason change

ECA-10981 - Invoke publisher when revocation reason is changed.

ECA-10982 - Backend: Allow revocation reason change

ECA-10997 - RA Web support for revocation reason change

ECA-11023 - CMP Alias Configuration for "Extended validation"

ECA-11034 - Check if CMP extended validation via peers is enabled

ECA-11096 - Add cache for signer certificate in CMP servlet

ECA-11119 - Custom 'Expire' header for OCSP

ECA-11134 - Implement full support for Ra Mode HMAC protection when using Extended Validation

Improvements

ECA-10541 - Improve RoleMembers in Partitioned approvals

ECA-10691 - Split Keybindings page into OCSP Keybindings and Authentication Keybindings

ECA-10719 - Remove ValidationTool

ECA-10937 - Make entity e-mail field unchecked by default for RFC 822 in End Entity Profile

ECA-10940 - Inject cross-certificates in CA Certificate chains for ACME (and others)

ECA-10946 - Add Certificate validity start and end date option in RA Web

ECA-10947 - Remove hardcoded DB name in mysql-privileges.sh

ECA-10952 - Extract AD group membership from PAC (MSAE)

ECA-10959 - Add PKUP in View Certificates

ECA-10961 - Changes in external properties are not detected sufficiently fast

ECA-10969 - CryptoToken page: Add IDs to the form elements so that test automation can identify them unambiguously

ECA-10976 - Shortened IPv6 Parsing Errors in 7.9.0

ECA-10988 - p11ng: implement better detection for vendor-specific behaviour

ECA-10992 - Add option to enforce HTTPS client authentication for ACME

ECA-10999 - Allow MSAE LDAP queries to follow LDAP referrals

ECA-11008 - Merge P11NG changes from SignServer

ECA-11012 - Request: Add new Index to create-index-ejbca.sql

ECA-11049 - Configurable non-expired preproduced OCSP responses

ECA-11052 - Improve error handling of EjbcaWS.cvcRequest

ECA-11059 - Improve error message for future revocation date (RA-Web)

ECA-11060 - RA-Web Change of revocation reason || Rendering conditions

ECA-11061 - Improve /v2/endentity/search pagination and documentation

ECA-11063 - Make SSH source-address field searchable in RA

ECA-11065 - Create placeholder methods for RA Validation of CMP message

ECA-11066 - Signature verification of cmp message in RA

ECA-11067 - Support P10CR request body in cmpclient

ECA-11083 - Add MAC verification to CmpServlet

ECA-11092 - Minor language and UI improvements

ECA-11093 - Move database.useSeparateCertificateTable above database settings in sample config file

ECA-11094 - Validate Certificate status in CMP message

ECA-11120 - Full French language and some GUI localization support, contributed by David Carella of Linagora.

ECA-11124 - Add cache clearing to CMP Servlet and fix test

ECA-11126 - Fix cmp message signature validation in Client Mode

ECA-11131 - Oracle DB grants updated not to require DBA or admin rights

ECA-11139 - Support either of multiple authentication modules in CMP extended validation

ECA-11143 - Add PBMAC1 support for extended CMP validation

ECA-11144 - Add test related for p10cr in CmpExtendedValidationTest

ECA-11145 - Allow CMP CERT_REQ requests in HMAC mode with extended validation

Bug Fixes

ECA-10401 - Force local key generation option should not be visible in Community

ECA-10799 - Renamed CAs stuck in "List Of Vendor CAs" in EST alias

ECA-10859 - CA imported with empty name

ECA-10874 - Documentation for WildFly 24 specifies PKCS12, while JKS are generated

ECA-10894 - Configure OCSP extensions to always return if configured

ECA-10897 - Azure OAuth OID Approval Prompt with AWS EJBCA Issues

ECA-10919 - REST Certificate search V2 returns totalCert = null when certificates size is 0

ECA-10925 - Special characters in IssuerDN not displayed correctly when reviewing certificate

ECA-10929 - Pkcs12 content for PEM with enrollment with key recovery enabled

ECA-10930 - CMP request without Content-Length returns wrong HTTP status code

ECA-10953 - "Flush item" sometimes flushes a different item from the queue

ECA-10954 - Default rules preset require /administrator/ in REST

ECA-10958 - Saving Service config page takes too long when selecting large number of CAs

ECA-10962 - Execution error when approving certificate in RA Web

ECA-10967 - Concurrent requests to adminweb cause interrupted page loads and uppercase text

ECA-10970 - Key Pair Created In The Wrong Slot For Crypto Token When 2 Tabs Are Open

ECA-10989 - EJBCA CE Test Build Fail (false positive)

ECA-10990 - Delete EE Subject DN Field with Same DN Attribute and Validation merges fields

ECA-10991 - 'Required' has no effect at Key recovery options

ECA-10998 - Use Username and Request ID are missing from RA web

ECA-11004 - ConfigDump import fails when signing CA of SubCA is non-existent

ECA-11005 - NullPointerException in SCEP GetCACert when CA name is incorrect

ECA-11011 - REST max results increase stopped working

ECA-11017 - Adding a CT log with specific usage period causes exception

ECA-11020 - Fix issue with FQDN in SAN for MSAE

ECA-11025 - EndEntity profile Subject field validation runs against the wrong field

ECA-11029 - ClientToolBox creates not correctly DER wrapped OCSP Nonce extension

ECA-11031 - Revisit EndEntityManagementSession TRIM queries

ECA-11033 - Change revocation reason for Pre-cert revocation Service

ECA-11041 - Revocation backdate does not survive approval.

ECA-11042 - Revocation reason PRIVILEGE WITHDRAWN text does not show proper

ECA-11044 - Upgrade apache common-text to 1.10 and commons-lang3 to 3.12.0

ECA-11045 - fix encryptpwd not to require running appsrv

ECA-11047 - Not able to delete soft/p11 cryptotoken (CE Contribution)

ECA-11048 - Revocation backdate/change reason fix for partitioned approval.

ECA-11051 - ACME EAB Issue upgrading from 7.8.2 to 7.10.0.1

ECA-11054 - cmpclient missing libs

ECA-11056 - Publishing is interrupted if one item in queue cannot publish

ECA-11058 - Unable to upload cert file to enable the OCSP responders.

ECA-11068 - configdump - "Use entity e-mail field" checkbox at a RFC 822 Name (e-mail address)

ECA-11073 - REST endpoint profile related issues

ECA-11090 - Updating remote keybindings should generate key names with "-" instead of "_"

ECA-11095 - Make client certificate revocation effective for ACME over peers

ECA-11122 - Remove location header for acme order post-as-get

ECA-11123 - "ejbca.sh cryptotoken list" returns list without details for P11NG Tokens

ECA-11127 - ConfigDump can fail with NPE when importing CMP configuration

ECA-11138 - Fix language file