EJBCA 7.4.1 Release Notes

The PrimeKey EJBCA team is pleased to announce the release of EJBCA 7.4.1.

With this release, we have implemented Microsoft Intune Device Enrollment support, allowing devices to be set up to directly request certificates from the EJBCA RA. This release also brings the ability to have Multiple DVCAs with the same Holder Country and Mnemonic.

Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.

Highlights

Microsoft Intune Device Enrollment


Intune is Microsoft's cloud-based device management solution, and EJBCA can be configured as the CA backend to allow devices to enroll for certificates. Intune support has previously been provided through a third-party connector, but from EJBCA 7.4.1 devices can be set up to directly request certificates from the EJBCA RA. This is set up using SCEP aliases, and we provide a guide for setting up your enterprise for Intune Device Enrollment from start to finish.

Ability to have Multiple DVCAs with the same Holder Country and Mnemonic

In the context of CV certificates, EJBCA has traditionally used the holder mnemonic and requesting country code to build the Subject DN, causing a uniqueness constraint. EJBCA 7.4.1 allows multiple DVCAs to share the same country and mnemonic fields. For more information, see Managing CVC CAs.

Security Issue

As part of standard testing, we found a minor security issue which has been fixed in this version of EJBCA. When a client certificate is used to authenticate an EST client, we discovered that no check is performed on the status of that certificate, allowing a revoked client to still request certificates over EST. The vulnerability only affects EST, and can be mitigated by removing the affected client certificate from the roles that allow it to perform enrollments. This vulnerability will be published as a CVE two weeks following the release of EJBCA 7.4.1 and the distribution of security announcements to customers.
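The missing check described above, as an added example that is not EJBCA's own code: a minimal EST-style authorization routine, written against the Python cryptography library (assumed to be installed), that first verifies the client certificate was issued by the trusted CA and then consults a CA-signed CRL before honouring the enrollment request. The CA name, client name, serial number and the EST_ENROLL role name are all constructed for the example. Passing check_status=False reproduces the behaviour the release notes describe (a revoked client is still accepted), and the role_removed case models the stated workaround of removing the certificate from the role that permits enrollment.

```python
"""Added example (not EJBCA code): EST-style client-certificate authorization
that fails closed unless fresh, CA-signed revocation data clears the client."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.exceptions import InvalidSignature


def _now():
    # Naive UTC, matching the naive datetimes the CRL API returns.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue_cert(cn, issuer_name, issuer_key, public_key, serial, is_ca=False):
    """Issue a certificate signed by issuer_key (constructed test PKI)."""
    now = _now()
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(issuer_name).public_key(public_key)
            .serial_number(serial)
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def build_crl(issuer_name, issuer_key, revoked_serials, lifetime=datetime.timedelta(days=1)):
    """Build a CA-signed CRL listing the given serial numbers as revoked."""
    now = _now()
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer_name).last_update(now).next_update(now + lifetime))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build())
    return builder.sign(issuer_key, hashes.SHA256())


def issued_by(cert, ca_cert):
    """True if cert names ca_cert as issuer and its signature verifies under the CA key."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def authorize_est_enrollment(client_cert, ca_cert, crl, roles, check_status=True):
    """Return (allowed, reason). check_status=False is the flawed behaviour:
    chain and role are checked, revocation status is not."""
    if not issued_by(client_cert, ca_cert):
        return False, "client certificate not issued by trusted CA"
    if check_status:
        if crl is None or not crl.is_signature_valid(ca_cert.public_key()):
            return False, "no trustworthy revocation data; failing closed"
        if crl.next_update < _now():
            return False, "revocation data is stale; failing closed"
        if crl.get_revoked_certificate_by_serial_number(client_cert.serial_number) is not None:
            return False, "client certificate is revoked"
    if "EST_ENROLL" not in roles.get(client_cert.subject.rfc4514_string(), set()):
        return False, "client not in a role that permits EST enrollment"
    return True, "ok"


def demo():
    """Constructed scenario: the client's certificate is on the CA's CRL."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = issue_cert("Example EST CA", _name("Example EST CA"), ca_key,
                         ca_key.public_key(), 1, is_ca=True)
    client_key = ec.generate_private_key(ec.SECP256R1())
    client_cert = issue_cert("est-client-01", ca_cert.subject, ca_key,
                             client_key.public_key(), 4242)
    roles = {client_cert.subject.rfc4514_string(): {"EST_ENROLL"}}
    crl = build_crl(ca_cert.subject, ca_key, revoked_serials=[4242])
    return {
        "without_status_check": authorize_est_enrollment(client_cert, ca_cert, crl, roles,
                                                         check_status=False)[0],
        "with_status_check": authorize_est_enrollment(client_cert, ca_cert, crl, roles)[0],
        "role_removed": authorize_est_enrollment(client_cert, ca_cert, crl, {},
                                                 check_status=False)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The routine deliberately fails closed when the CRL is missing, unsigned by the CA, or past its next_update, since an attacker who can suppress revocation data should not thereby regain enrollment rights; a production deployment would typically use the CA's OCSP responder or a regularly refreshed CRL in place of the inline CRL built here.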

Upgrade Information

Review the EJBCA 7.4.1 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 7.4.1 is included in EJBCA Hardware Appliance 3.5.3 and EJBCA Cloud 2.3 and can be deployed as EJBCA Software Appliance.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 7.4.1, refer to our JIRA Issue Tracker.

Issues Resolved in 7.4.1

Released July 2020

New Features

ECA-9244 - Allow the SCEP SSB to verify messages from Intune

ECA-9248 - Add option to certificate serial number generator to use a FIPS/SP800 BC hybrid entropy source

ECA-9250 - Modify ziprelease command to not include the SSH module by default

ECA-9251 - Review implementation of the SSH CA

ECA-9252 - Modifications to End Entity and Certificate Profiles for SSH Certificates

ECA-9253 - Review implementation of SSH Public Keys

ECA-9254 - Review implementation of SSH Certificates

ECA-9255 - Review implementation of SSH-related WS methods

ECA-9265 - Add REST stress test command to clientToolBox

Improvements

ECA-8432 - OCSPkeyBinding Default Responder DB Queries

ECA-8787 - Add the ability to have multiple DVCAs with the same holder country and mnemonic

ECA-9211 - Optionally include certificate chain in /pkcs10enroll response

ECA-9275 - Database protection compatibility code should skip automatic upgrade

ECA-9283 - SSH Implementation improvements

ECA-9289 - Allow validity changes for SSH certificate profiles

ECA-9293 - SSH Implementation remaining TODOs

ECA-9294 - Microsoft Intune feature documentation

ECA-9295 - Make sure all files under the ssh module have the Enterprise license header

ECA-9299 - Remove unneeded values from intune configuration

ECA-9319 - Add CVC WS system test for renewing a domestic DV from a CVCA in the same instance

Bug Fixes

ECA-9170 - SecureXmlDecoder cannot deserialize enums created in Java 6

ECA-9206 - Prevent peer system from being removed when referenced by a publisher

ECA-9217 - ACME http challenge validation process fails when the server redirects to HTTPS

ECA-9278 - SHA512withRSAandMGF1 cannot be used by JackNJI11

ECA-9291 - Incorrect encoding of critical options for SSH certificates

ECA-9296 - SSH values still show up in end entity profiles even if SSH module is not present

ECA-9298 - Security Issue

ECA-9314 - Regression: "Key already in use" functionality stopped working on CA page

ECA-9326 - SCEP approvals only work with soft Crypto Tokens, not HSM