EJBCA 7.5 Upgrade Notes

Below are important changes and requirements when upgrading from EJBCA 7.4 to EJBCA 7.5.0.1. (EJBCA 7.5.0 was an internal release, not generally available for customers.)

For upgrade instructions and information on upgrade paths, see Upgrading EJBCA. For details of the new features and improvements in this release, see the EJBCA 7.5 Release Notes.

Database Changes

EJBCA 7.5.0.1 adds the new columns accountBindingId in CertificateData and tokenProviderId in RoleMemberData, as well as subjectDn and email in ApprovalData (added in EJBCA 7.4.3).

The columns are created automatically by Hibernate when EJBCA 7.5.0.1 is deployed for the first time. However, if your EJBCA database user does not have GRANT privileges, you need to run the ALTER commands in the upgrade SQL scripts before deploying EJBCA. SQL scripts are located under doc/sql-scripts/.

Behavioral Changes

New Secure Authentication Web Property

To support authentication with both certificate and OAuth2 token, a new web.reqauth property has been added to the web.properties configuration file, replacing and deprecating the former property web.reqcert.

The new web.reqauth property enforces secure authentication by the client TLS certificate or OAuth2 token to access the EJBCA Administration interface. The change is backward compatible and thus the former web.reqcert property can still be used in existing configurations. Note, however, that new installations should only use the web.reqauth property.

Improved RA and CA Approvals Handling

RA approvals and CA approvals are now handled in their respective UIs.

RA Related Approvals Moved To RA UI

Approvals for the following actions are now managed using the RA UI and are no longer listed in the CA UI:

  • Add/Edit End Entity

  • Key recovery

  • Revocation

CA Related Approvals Moved To CA UI

CA related approvals are shown in the CA UI (Supervision Functions > Approve Actions), and approvals for CA Token Activation are no longer listed in the RA UI. For more information, see Approving Actions.

Default Encoding of Policy Notice Text X.509 Certificate Extension Changed to UTF-8

When creating a new CA, the option Use UTF-8 in policy notice text previously defaulted to false in order to support older versions of Windows. Since Windows now supports the standard UTF-8 encoding, the default value of Use UTF-8 in policy notice text has been changed to true (enabled). The change only applies to creating new CAs and values of existing CAs are not changed.

Removed Support for Native Browser Enrollment

The Public Web menu option Create Browser Certificate has been removed since relevant browsers no longer support this functionality.

eIDAS Edition

If upgrading a software installation of EJBCA eIDAS edition, the following two options need to be enabled in conf/web.properties in order for the Utimaco CP5 HSM options to be visible in the Admin UI when creating new crypto tokens and activating keys in crypto tokens.

p11ng.cryptotoken.enabled=true
p11ng.utimacocp5.enabled=true
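
A pre-upgrade check of conf/web.properties covering the two configuration points in these notes, the deprecated web.reqcert property and the eIDAS p11ng options, as an added example that is not part of the EJBCA documentation or code base. The function names, the eidas parameter and the sample file contents are assumptions made for illustration.

```python
import re

# Property names are the ones named in these upgrade notes.
DEPRECATED, REPLACEMENT = "web.reqcert", "web.reqauth"
EIDAS_FLAGS = ("p11ng.cryptotoken.enabled", "p11ng.utimacocp5.enabled")

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
web.reqcert=true
p11ng.cryptotoken.enabled = true
#p11ng.utimacocp5.enabled=true
"""


def parse_properties(text):
    """Parse simple key/value lines of a Java .properties file (no line continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        # The key ends at the first '=', ':' or whitespace.
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)$", line)
        key, value = (m.group(1), m.group(2).strip()) if m else (line, "")
        props[key] = value  # a later duplicate overrides an earlier one
    return props


def upgrade_findings(text, eidas=False):
    """Return review items for a web.properties file ahead of a 7.4 -> 7.5 upgrade."""
    props = parse_properties(text)
    findings = []
    if DEPRECATED in props and REPLACEMENT not in props:
        findings.append(f"{DEPRECATED} is deprecated, replaced by {REPLACEMENT}")
    elif DEPRECATED in props and props[DEPRECATED] != props[REPLACEMENT]:
        findings.append(f"{DEPRECATED} and {REPLACEMENT} are set to different values")
    if eidas:  # only relevant for software installations of the eIDAS edition
        for flag in EIDAS_FLAGS:
            if props.get(flag, "").lower() != "true":
                findings.append(f"{flag} is not enabled")
    return findings


if __name__ == "__main__":
    for item in upgrade_findings(SAMPLE, eidas=True):
        print("REVIEW:", item)
```

The commented-out p11ng.utimacocp5.enabled line in the sample is reported as not enabled, which is the case where the Utimaco CP5 options stay hidden in the Admin UI.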