EJBCA 7.8.1 Release Notes

DECEMBER 2021

The PrimeKey EJBCA team is pleased to announce the release of EJBCA 7.8.1.

This release focuses primarily on improving our REST API, together with further integration with the Microsoft ecosystem.

Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.

Highlights

REST API Improvements

ConfigDump over REST

Our ConfigDump tool, used to manage and audit EJBCA configurations through human-readable YAML, can now be accessed over REST, both for export and import. This allows easy use of the ConfigDump tool for the Hardware and Software Appliances, Cloud and other platforms without command-line interface access.

New REST calls and improvements

  • End Entity Search extended with MODIFIED_DATE.

  • Added pagination to certificate search endpoint.

  • Added a new certificate enrollment endpoint that prioritizes predefined end entity values over values defined in the CSR.

  • Added End Entity Profile and Certificate Profile names to the search results of certificate searches.

For more information, see EJBCA REST Interface.

Microsoft Integration

EJBCA Roles can be populated through Azure Active Directory

EJBCA roles can now have their members populated from corresponding Active Directory groups through Azure Role Based Authentication (RBAC). This means that when Azure is used as an OAuth provider for authenticating to EJBCA, role members no longer need to be added manually but can instead be read automatically from existing AD groups. For more information, see Integrating EJBCA with Azure AD Role Based Authentication (RBAC).

Integration with Microsoft Application Insights

Application Insights is an Application Performance Management (APM) service hosted in the Azure cloud platform that allows DevOps professionals to monitor live applications. By integrating Application Insights and EJBCA, administrators can monitor the performance and availability of their EJBCA servers. For more information, see Integrating EJBCA with Azure Application Insights.

Domain Allow List Validator

By popular request, we've added a Domain Allow List Validator as a companion to the existing Domain Block List Validator. It performs the opposite role: rather than blocking listed domains, it restricts the domains accepted in the dnsName field to the subset that is defined in the list. For more information, see Certificate Field Validators.

URIs Added as Name Constraints

In addition to constraints on DNS Name and IP Address, we've added name constraints for URIs. For more information on name constraints, see CA Fields.

Sunset of ejbca-setup.sh Script

We are sunsetting the ejbca-setup.sh quick installation script and associated documentation to decrease the maintenance load and consolidate the installation paths. If you're currently relying on this script, we recommend you migrate your workflows.

Basic HTTP Authentication for EST

When using EST in client mode, it's now possible to authenticate with HTTP Basic authentication (username and password).

Bouncy Castle Upgraded to Version 1.70

Just in time to make this release, we upgraded Bouncy Castle to the latest version, 1.70.

Support for Oracle 19C

We have implemented support for the Oracle 19C database.

Compliance

Added Granularity to Certificate Transparency Configuration

Due to CT policy updates in Apple's Root Program, the number of required Signed Certificate Timestamps (SCTs) can now be configured individually for each time interval, making the configuration fully granular.


Possible to add empty dnsName values and URIs as Name Constraints

Following the name constraints discussions in the CA/Browser Forum Validation Working Group, we've added the ability to add an empty DNS name to name constraints. Adding this value prevents a Sub CA from issuing any certificates containing dnsName SAN values. For more information on name constraints, see CA Fields. We've also taken the chance to add URIs as possible Name Constraint values.
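To make the two dnsName rules above concrete, here is an added, self-contained illustration (not EJBCA's own code) of how a dNSName name constraint is matched under the RFC 5280 suffix rule, why an empty excluded entry blocks every DNS SAN, and how the same suffix check models the "restrict to a subset" behaviour of the Domain Allow List Validator. The `NameConstraints` class, the `violations` function and the sample SAN values are constructed for this example; treating the allow-list validator as a suffix match is an assumption, not a statement about its implementation.

```python
from __future__ import annotations

from dataclasses import dataclass, field


def dns_matches(constraint: str, name: str) -> bool:
    """RFC 5280 dNSName rule: `name` matches `constraint` when adding zero or
    more labels to the left of the constraint yields the name. An empty
    constraint therefore matches every name, which is what makes an empty
    excluded dnsName block all DNS SANs (assumed semantics for this example)."""
    c = constraint.lower().rstrip(".")
    n = name.lower().rstrip(".")
    if c == "":
        return True
    return n == c or n.endswith("." + c)


@dataclass
class NameConstraints:
    """Constructed model of a CA's permitted/excluded dNSName subtrees."""
    permitted: list[str] = field(default_factory=list)
    excluded: list[str] = field(default_factory=list)


def violations(san_dns_names: list[str], nc: NameConstraints) -> list[str]:
    """Return the SAN dNSName values that the constrained CA may not issue.
    Excluded subtrees win over permitted ones; an empty permitted list
    means no permitted-subtree restriction (RFC 5280 semantics)."""
    bad: list[str] = []
    for name in san_dns_names:
        if any(dns_matches(ex, name) for ex in nc.excluded):
            bad.append(name)
        elif nc.permitted and not any(dns_matches(p, name) for p in nc.permitted):
            bad.append(name)
    return bad


def allow_list_violations(san_dns_names: list[str], allow: list[str]) -> list[str]:
    """Domain Allow List style check (assumed to use the same suffix rule):
    only names under a listed domain are accepted."""
    return violations(san_dns_names, NameConstraints(permitted=allow))


if __name__ == "__main__":
    # Constructed sample SAN values for a CSR
    sans = ["www.example.com", "host.internal.example.com", "example.org"]
    sub_ca = NameConstraints(permitted=["example.com"],
                             excluded=["internal.example.com"])
    print("rejected by sub CA:", violations(sans, sub_ca))
    print("rejected by empty excluded dnsName:",
          violations(sans, NameConstraints(excluded=[""])))
    print("rejected by allow list:", allow_list_violations(sans, ["example.org"]))
```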

Upgrade Information

Review the EJBCA 7.8.1 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 7.8.1 is included in EJBCA Hardware Appliance 3.9.3 and EJBCA Cloud 2.9.2 and can be deployed as EJBCA Software Appliance.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 7.8.1, refer to our JIRA Issue Tracker.

Issues Resolved in 7.8.1

Released December 2021

    New Features

    ECA-9561 - ACME IP Identifier Validation http-01 Challenge

    ECA-9760 - REST searchCertificates call with pagination

    ECA-10108 - Merge additional support for the NONEwithRSAandMGF1 (raw RSASSA-PSS) signature algorithm in P11NG

    ECA-10184 - KeyVault Machine Identity Authentication

    ECA-10334 - HTTP Basic Authentication in EST client mode

    ECA-10344 - REST API support for configdump export

    ECA-10347 - REST API support for configdump import

    ECA-10349 - Add configdump support to Azure BLOB publisher

    ECA-10356 - Add Primus HSM PKCS#11 library path

    ECA-10380 - Domain Allow List Validator

    ECA-10395 - Add support for URI Name Constraints

    Improvements

    ECA-5472 - Foldable view when there are many optional fields in the RA

    ECA-8562 - Improve tests coverage of Configdump's import of Certificate Profiles

    ECA-8745 - Increase the number of SANs configurable in end entity profiles (to >100)

    ECA-9681 - Fix AcmeOrderData end entity stored including binary data as map

    ECA-9763 - Change the message for CA Activation with approvals

    ECA-10092 - Add cert auth to Azure Trusted OAuth Provider

    ECA-10266 - Upgrade Nimbus JOSE+JWT to nimbus-jose-jwt-9.12.1.jar

    ECA-10284 - Check if all invocations of AcmeAccountSessionBean.updateAccount are required

    ECA-10293 - Bad signature performance using P11-NG with network HSMs

    ECA-10302 - Revoking certificates from adminweb with reason 'Privileges withdrawn'

    ECA-10318 - Add roles claim to Azure OAuth for Authentication

    ECA-10322 - Create tables SQL script for NDB cluster has flaws

    ECA-10324 - Combine ACME and general EAB

    ECA-10327 - Reduce CRL and OCSP Validities by 1 second

    ECA-10330 - Change default settings SCT in EJBCA 7.x

    ECA-10333 - REST Search - Return eep and cp values

    ECA-10339 - Viewing CRL's for CA with MS Compat Enabled

    ECA-10345 - Put PIN last in the GUI when creating crypto token

    ECA-10352 - MS CA compat with Sub CA in EJBCA and External Root

    ECA-10353 - Allow name constraints to block all DNS Names

    ECA-10354 - Fix ACME pre-authorization returns order object without authorization

    ECA-10355 - Update EJBCA to work with Wildfly 25

    ECA-10358 - ACME performance - refactor AcmeOrderSessionBean.processPendingOrders

    ECA-10360 - Add aliases cache for P11-NG crypto tokens

    ECA-10361 - PKCS#10 REST endpoint using end entity information (not CSR)

    ECA-10367 - Optimize PKCS#11 sign to avoid redundant PKCS#11 calls

    ECA-10377 - EE REST API support search by modified date

    ECA-10382 - Allow to configure ignored CAA properties when their processing is done outside EJBCA

    ECA-10384 - Differentiate rows in CA Structures & CRLs

    ECA-10398 - Align buttons in Certificate Profile and Publishers sections

    ECA-10400 - X509CACrlUnitTest test fix

    ECA-10406 - Merge smaller P11-NG changes from SignServer

    ECA-10428 - Remove extra dot from cert

    ECA-10430 - Upgrade BC to 1.70

    Bug Fixes

    ECA-6166 - CA key export does not warn if no RSA keys are present for encryption.

    ECA-7235 - Settings are reset when Match with setting is changed

    ECA-8227 - It is possible to revoke an already revoked end entity

    ECA-9203 - Exception occurs even if 'Gender' value is given

    ECA-10126 - Error when syncing to VA via peer connector

    ECA-10157 - Security Issue

    ECA-10172 - EST Vendor Mode ChangeSubjectName should not compare with the CSR DN

    ECA-10224 - CREATE CA: NullPointerException

    ECA-10229 - CMP Authentication Radio Buttons are not disabled in view page

    ECA-10237 - Trusted OAuth Providers are removed without any warning or confirmation

    ECA-10254 - SCEP alias for Intune not allowing certain characters for client secret.

    ECA-10264 - Configdump import failed if the /cryptotoken/keys/remove/ rule is set

    ECA-10295 - Configdump does not import Approval Profiles

    ECA-10301 - Revoking certificates from adminweb with reason 'AA compromise'

    ECA-10303 - Throwaway CA Revocation Broken in 7.6.0

    ECA-10311 - View CMP Alias page says: Edit CMP Alias

    ECA-10319 - Broken RA End Entity edit page

    ECA-10320 - OCSP not working when CA uses Ed25519

    ECA-10323 - Enrollment code can not be empty when setting EE status from Generated to New with autogenerated enrollment codes

    ECA-10343 - NumberFormatException when creating a crypto token using token label when cryptotoken.p11.lib.X.slotlist is used

    ECA-10357 - Ignore keys which cannot be read by the P11NgCryptoToken

    ECA-10363 - Make audience check optional

    ECA-10365 - Fix links in ACME HTTP response headers

    ECA-10383 - In RAWeb custom values "Set validity" doesn't work

    ECA-10390 - "Republish" publisher queue view action uses wrong PublishQueueProcessWorker

    ECA-10391 - 'Required' restriction on name constraints in end entity profiles are not validated.

    ECA-10394 - Clean up of cesecore-p11 is not optional

    ECA-10399 - ExpiredCertsOnCRL encodes with fractional seconds

    ECA-10404 - Make EEP upgrade for 7.8.1 cluster compatible

    ECA-10407 - Audience cannot be empty when "disable audience check" is selected

    ECA-10410 - Reintroduce ECA-9475

    ECA-10422 - Fix failing tests