EJBCA 7.10.0.1 Release Notes

SEPTEMBER 2022

The EJBCA team is pleased to announce the release of EJBCA 7.10.0.1. (EJBCA 7.10.0 was an internal release, not generally available for customers).

This release includes REST API improvements, ECCDH support for key recovery and certificate self-renewal among other features. The release also addresses several security issues.

Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.

Highlights

REST API Improvements

Expansion of the EJBCA REST API has been a top wish list item for some time and with this release, we have added new endpoints to make it easier to determine available profiles and manage CRLs. Several existing endpoints have also been improved to facilitate integration and you can expect further REST API expansion down the road.

New Endpoints

  • /v1/ca/{issuer_dn}/createcrl - CRL Creation

  • /v1/ca/{issuer_dn}/importcrl - CRL Import

  • v2/endentity/profiles/authorized/ - Retrieve end entity profiles the requesting client is authorized to. This allows clients to determine which profiles they can use for enrollment against the certificate REST API.

  • v2/certificate/profile/{certProfileName} - Retrieve certificate profile information, such as available key algorithms.

  • v2/endentity/profile/{profileName} - Retrieve end entity profile information, such as available certificate profiles and subject fields.

Endpoint Improvements

  • E-mail notification support for v1/endentity

  • Sort and pagination support for end entity search

  • Key specification parameters added to /v1/certificate/{request_id}/finalize. This allows for finalizing an approval request when the key algorithm is not already set.

For a full list of REST API fixes and improvements included in this release, see Issues Resolved in 7.10.

Documentation Improvements

Every EJBCA release comes with the bundled REST API documentation. In previous releases, the documentation for many endpoints was limited to endpoint URLs, request parameters, and response codes. In EJBCA 7.10, the documentation for all endpoints has been extended with more details including endpoint descriptions, parameter descriptions, and expected request and response values.

ECCDH Support for Key Recovery

We've added support for using EC keys to encrypt archived keys using ECCDH. For more information, see Encryption Keys in Key Recovery.

Certificate Self-Renewal

An updated version of the old self-renewal feature in the Public Web has been brought to the RA. Clients can now authenticate themselves to the RA Web using a client certificate and renew their own (and only their own) certificate without the intervention of an RA administrator. This feature must be enabled by an administrator per end entity profile and a minimum period of time before expiration can be configured before renewal is allowed.

images/download/attachments/143741238/Screenshot_from_2022-09-01_12-12-02.png

Security Issues

EJBCA 7.10 includes fixes for the following security issues.

Microsoft ADCS Vulnerability

Addressing a recent vulnerability discovered for Microsoft Certificate-Based Authentication, EJBCA now supports the new Extension szOID_NTDS_CA_SECURITY_EXT that maps the certificate to an Active Directory user/computer object. The extension will be allowed by default for all certificate profiles and included in certificates enrolled via EJBCA's Microsoft Auto-enrollment integration. For more information, see Microsoft ObjectSid Security Extension in Certificate Profile Fields.

XSS Vulnerability in Admin Web

This release resolves a stored XSS vulnerability discovered in the EJBCA Admin Web. An authenticated administrator with sufficient access could compromise other administrators using the AdminWeb, via script injection. The injection could be done via addendentity.jsp for end entity profiles that have Number of allowed requests configured. Triggering occurred when viewendentity.jsp was rendered. An attacker would need administrator access, with access to the access rules /administrator, /ra_functionality/create_end_entity or /ra_functionality/edit_end_entity, and access to at least one End Entity Profile and at least one CA. Two weeks after the release of EJBCA 7.10.0.1, this issue will be reported as a CVE.

XSS Vulnerability in RA Web

During internal testing, a stored XSS vulnerability was discovered in the RA Web end entity and certificate search pages, caused by subject fields not being escaped properly. This affects installations that allow subject fields to be specified by untrusted clients, for example, via protocols configured in RA mode, and profiles configured to allow subject DN override by CSR. Two weeks after the release of EJBCA 7.10.0.1, this issue will be reported as a CVE.

Upgrade Information

Review the EJBCA 7.10.0.1 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 7.10.0.1 is included in EJBCA Hardware Appliance 3.9.7, EJBCA Software Appliance 2.2.2 and EJBCA Cloud 2.11.0.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 7.10.0. and EJBCA 7.10.0.1, refer to our Jira issue tracker.

Issues Resolved in 7.10.0.1

Released September 2022

    Improvements

    ECA-10950 - ConfigurationHolder cannot expect that all external config files exists

    Bug Fixes

    ECA-10951 - Missing dependecy at p11ng-cli for common-collection4

    ECA-10955 - External web.properties override end up in (cesecore) ConfigurationHolder

    ECA-10957 - Warning from CLI commands "Error when creating PropertyDescriptor"


    Issues Resolved in 7.10.0

    Internal Release September 2022

      New Features

      ECA-9266 - Create a REST call for retrieving an SSH CA's public key

      ECA-9561 - ACME IP Identifier Validation http-01 Challenge

      ECA-9998 - REST endentity/search call with pagination

      ECA-10222 - Produce Pre-signed OCSP Responses Only for non-expired Certificates

      ECA-10392 - Add REST end point to /ca to import a CRL

      ECA-10574 - Allow v1/certificate REST module to be released with the next CE edition

      ECA-10640 - Add HSM/PKCS11 support for CITS

      ECA-10667 - CA type and CA Implementation for ProxyCA

      ECA-10693 - Periodically update public keys on Azure OAuth Alias

      ECA-10705 - Add 'Renew' to the menu and Implement the renew page UI

      ECA-10706 - Implement the Renew Current Client Certificate section

      ECA-10723 - Allow REST to use CSR + keep end entity email address

      ECA-10742 - Sort and pagination on End Entity Search v2

      ECA-10743 - REST Endpoint for CRL Creation

      ECA-10765 - Add support for ssh-ed25519-cert-v01 for SSH keys/certificates

      ECA-10795 - Make P11NG work with GCP KMS PKCS#11 library

      ECA-10828 - Key encryption/archival using ECCDH

      ECA-10868 - Remove default public access role after initial installation

      ECA-10869 - REST Endpoint to get end entity profiles

      ECA-10870 - REST Endpoint to get certificate profiles

      ECA-10871 - REST Endpoint to get end entity profile content

      ECA-10917 - Cert Safe Publisher in Community Edition

      Improvements

      ECA-10005 - App version, host and used auth is not shown when init wizard is

      ECA-10009 - Remove old script based autoenrollment

      ECA-10060 - Improve AcmeAuthorizationData data structure for read operations

      ECA-10298 - Editing Certificate Extension Data in RA web

      ECA-10386 - Keep Subject DN order in EE profiles with configdump export

      ECA-10402 - Remove ejbca-setup.sh and modify documentation

      ECA-10443 - ACME performance - Make challenge types configurable per ACME alias

      ECA-10451 - Catch NPE for subject key ID in SearchCertificatesRestResponseConverterV2 REST API

      ECA-10481 - Add protocol configuration to configdump

      ECA-10519 - Add proper Git readme and license files in root directory

      ECA-10562 - Add support for EE email in REST /v1/certificate/pkcs10enroll POST

      ECA-10563 - Upgrade dnsjava to 3.5.0

      ECA-10645 - Merge P11NG change to close sessions with unfinished operation

      ECA-10649 - Upgrade json-smart to version 2.4.8 or later

      ECA-10663 - Add Email notification support to /v1/endentity REST

      ECA-10672 - Add internal "setupgradeversion" command

      ECA-10677 - Create new access rule for restricted public access in RA UI

      ECA-10679 - Migrate P11NG into its own module

      ECA-10684 - Upgrade commons-codec to 1.15 or later

      ECA-10687 - Upgrade commons-fileupload to 1.4 or later

      ECA-10690 - Upgrade commons-text to 1.9

      ECA-10697 - Upgrade Nimbus JOSE+JWT to nimbus-jose-jwt-9.21.jar

      ECA-10700 - Upgrade csrfguard to 4.0.0 or later

      ECA-10714 - Remove ROOT access requirement for EMPTY EEP when enrolling via Use Username

      ECA-10720 - EJBCA REST API Update Time field doesn't work for query criteria with cert v2 api

      ECA-10726 - Change ACME system test methods to challenge type to DNS to fix test failures in Jenkins

      ECA-10727 - Replace cli-util with keyfactor-commons-cli

      ECA-10733 - Remove references to ocsp.defaultresponder in ocsp.properties.sample

      ECA-10739 - Allow renewal when certificate is about to expire

      ECA-10741 - Implement EST enrolment (RE) for Proxy CA

      ECA-10744 - Add keyAlg parameter to Finalize endpoint in certificate REST API

      ECA-10746 - Improve ACME DNS challenge error handling and logging

      ECA-10747 - In the renewal page, use client certificate from the request

      ECA-10753 - Add index recommendation that plays nice with Keyfactor Gateway Connector

      ECA-10762 - upgrade jakarta.activation to 2.1.0 or later

      ECA-10773 - ConfigDump support for ProxyCA

      ECA-10776 - Investigate and improve high db usage

      ECA-10786 - Editing Certificate Other Data in RA web

      ECA-10804 - Upgrade Extent libs

      ECA-10805 - Upgrade csrfguard to 4.1.4 or later

      ECA-10810 - Remove URLEncoder.encode-warnings from CaRestResourceSystemTest

      ECA-10812 - Upgrade Apache Commons Configuration from 1.6 to 2.7

      ECA-10815 - Remove src/pkg subdirectory

      ECA-10817 - Include Domain FQDN for Kerberos / DC templates

      ECA-10819 - Merge P11NG changes from SignServer

      ECA-10821 - Documentation improvement for REST API

      ECA-10842 - Wildfly 26 officially supported/recommended

      ECA-10843 - clientToolBox: EjbcaWsRaCli stress: allow to specify the number of tests to run

      ECA-10844 - clientToolBox: add a bit of tooling to help handling of the result.ser Serialized Java Object File

      ECA-10909 - RA Web Self-Renewal improvements

      ECA-10921 - Update Documentation on CA Fields with PrintableString encoding in DN

      ECA-10932 - Improve post upgrade UI logging

      Bug Fixes

      ECA-2140 - Multichoice for SubjectDN fields generates Exception

      ECA-4383 - Add input validation and remove case sensitivity from keybind modify command.

      ECA-8929 - configdump can not import Super Administrator Role

      ECA-9094 - Regression - Exception occurs in RA Web preferences on changing language

      ECA-9169 - Issue in configdump import for CP with extended key usages.

      ECA-10131 - Duplicate certificates when database.crlgenfetchordered is used

      ECA-10300 - MSAE alias "Test connection" clears user input

      ECA-10371 - Configdump does not differentiate between spaces and underscore and can miss items

      ECA-10381 - Null Pointer Exception in eedetails.xhtml

      ECA-10502 - Adding role member through RA web assert tokenIssuerId=0

      ECA-10545 - RA Web Make New Request does not correctly parse CSR

      ECA-10588 - Support OCSP Pre-Signer service in Configdump

      ECA-10623 - Default CRL Distribution Point is not a valid URI when ( " ) is used

      ECA-10639 - Duplicate OCSPKeyBinding Entry

      ECA-10646 - CertificateCrlReader fails if full CA chain is not present on VA.

      ECA-10660 - REST /v1/endentity/{user}/setstatus doesn't allow PEM token

      ECA-10665 - IllegalStateException in End Entity view for superadmin

      ECA-10675 - RA Request preview shows EKU even if cleared from Cert Profile

      ECA-10692 - Intune revocation poller fails if CA uses ldap order

      ECA-10703 - Improving the log entry when publishing CRL but not storing them in db

      ECA-10707 - Improve EJBCA's behavior with trailing spaces

      ECA-10711 - Email not displaying in waiting for approval status

      ECA-10712 - Post Upgrade Failing

      ECA-10713 - MSAE cannot be used if AD template has "Subject name format: None"

      ECA-10715 - CAs list not correct in edit EE page in Ra

      ECA-10725 - CSR parsing with -----BEGIN NEW CERTIFICATE REQUEST----- is missing

      ECA-10730 - EJBCA ACME MOD_MD ISSUES (SSL.Com)

      ECA-10731 - ACME email notifications - how to make it work

      ECA-10734 - ADConnectionSingletonBean - could not obtain lock within 5000MILLISECONDS

      ECA-10736 - No options for "Issuer" When Editing End Entity in RA Web if Available CAs is Set to “Any CA"

      ECA-10745 - MSAE "RelatesTo" Id can get overwritten during parallel requests

      ECA-10750 - MSAE does not work when EJBCA is running on Windows

      ECA-10758 - Sun PKCS11 not working on RedHat OpenJDK 11.0.15

      ECA-10763 - Name constraints throwing NPE after 7.6.0

      ECA-10775 - getAvailableCAsInProfile(int entityProfileId) in Web Services does not return CAs in case Any CA

      ECA-10779 - Community Edition build failures

      ECA-10792 - Missing descriptions in swagger.json

      ECA-10793 - Unable to enroll superadmin due to missing transactional support

      ECA-10796 - fix clientToolBox help/documentation

      ECA-10798 - REST protocols can't be enabled in CE

      ECA-10801 - Unexpected Exception when creating new OcspKeyBinding (when not selecting Key Pair Alias)

      ECA-10811 - CertificateCrlReader can't update certificate if type changes from standard to limited

      ECA-10822 - JsfDynamicUiPsmFactory ArrayIndexOutOfBoundsException

      ECA-10826 - Configdump EST configuration can not update

      ECA-10827 - EST configuration in UI does not show most recent state

      ECA-10830 - REST SSH resource improvements

      ECA-10839 - RA web enroll make new request page does not properly handle required fields

      ECA-10849 - SSH Rest access token and response content to UTF

      ECA-10850 - Correct test failure Jenkins related to ticket eca 10775

      ECA-10851 - Intune revocation only working with a proxy

      ECA-10853 - Library load/activation failure of auto-activated PKCS#11 NG token causes partial lock-out from GUI

      ECA-10856 - Address duplicate entries in NoconflictCertificateData table

      ECA-10857 - AuthToken 250 character limit preventing certificate issuance

      ECA-10860 - End entity DN merge does not work on fields with DN as attribute value

      ECA-10864 - Issue on importing validators via configdump

      ECA-10865 - Regression: Access rule with non-existent CA causes NPE on RA certificate search

      ECA-10872 - Update ejbcaClientToolbox with log4j compatability flag

      ECA-10875 - Regression: Upgrade to Commons Configuration 2 breaks database protection using HSMs

      ECA-10876 - Error obfuscating non-ASCII passwords

      ECA-10881 - Upgrade to Commons Configuration 2 reloads config every minute instead of at file change

      ECA-10886 - Marker from REST resource is never removed

      ECA-10890 - User needs to re-select algorithm after the certificate has been approved in RAWeb

      ECA-10891 - Publish Queue Process Service does not handle missing certificate correctly

      ECA-10894 - Configure Certificate Hash OCSP extension to always return if configured

      ECA-10896 - Add CRL generation upon revocation is not working

      ECA-10904 - Security Issue

      ECA-10905 - Security Issue

      ECA-10908 - Upgrade page in CA UI always show "Failed"

      ECA-10920 - OCSP transaction and audit logging could not be modified in UI

      ECA-10922 - Allow soft (default) key generation to support EdDSA

      ECA-10923 - Missing libraries on p11ng-cli classpath causes NoClassDefFoundError for StringLookupFactory

      ECA-10926 - Security Issue

      ECA-10927 - NoClassDefFoundError for ejbcawsracli