EJBCA 7.10.0 Upgrade Notes

Below are important changes and requirements when upgrading from EJBCA 7.9 to EJBCA 7.10.

For upgrade instructions and information on upgrade paths, see Upgrading EJBCA. For details of the new features and improvements in this release, see the EJBCA 7.10 Release Notes.

Post Upgrade

When you upgrade to EJBCA 7.10.0, you must also run the post-upgrade. The post-upgrade is required for ACME pre-authorization: until it has been run, order creation fails for pre-authorized identifiers and the ACME client must request a new authorization. Since ACME pre-authorizations expire after 24 hours, a client that pre-authorized shortly before the upgrade is affected. To avoid failed orders during the window between the upgrade and the post-upgrade, disable the ACME protocol (under EJBCA System Configuration > Protocol Configuration > ACME) before the update and re-enable it after the post-upgrade is complete.

To perform the post-upgrade, click the EJBCA System Upgrade menu option, and then click Start post-upgrade. For more information, see Upgrading EJBCA.

Behavioral Changes

Produce Pre-signed OCSP Responses Only for non-expired Certificates

The OCSP Response Pre-Signer worker now generates pre-signed responses only for certificates that have not expired, and refreshes pre-signed responses whose own validity (nextUpdate) has passed for certificates that are still valid. Expired certificates keep receiving OCSP responses generated online. For more information, see OCSP Response Pre-Signer.
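As an added post-upgrade check (this is example code, not part of these notes or of EJBCA), the script below parses the text that `openssl ocsp ... -resp_text` prints for a response and reports whether the response looks pre-signed (producedAt well before the query time) or generated online (producedAt at query time), and whether it is stale. The two sample outputs and the 60-second "online slack" threshold are constructed assumptions for the example.

```python
"""Classify OCSP responses as pre-signed or generated online (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Time stamps in `openssl ocsp -resp_text` output look like "Oct 18 10:00:00 2022 GMT".
_TS_RE = r"([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4} GMT)"
_FIELDS = {
    "produced_at": re.compile(r"Produced At:\s*" + _TS_RE),
    "this_update": re.compile(r"This Update:\s*" + _TS_RE),
    "next_update": re.compile(r"Next Update:\s*" + _TS_RE),
}
_STATUS_RE = re.compile(r"Cert Status:\s*(\w+)")

# Assumption: an online responder signs within a minute of the request, so a
# producedAt older than this means the response was signed ahead of time.
ONLINE_SLACK = timedelta(seconds=60)


def _parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_resp_text(resp_text: str) -> dict:
    """Extract cert status and the three time stamps from -resp_text output."""
    result = {}
    for name, pattern in _FIELDS.items():
        m = pattern.search(resp_text)
        if m is None:
            if name == "next_update":  # nextUpdate is OPTIONAL in RFC 6960
                result[name] = None
                continue
            raise ValueError(f"missing {name} in OCSP response text")
        result[name] = _parse_ts(m.group(1))
    m = _STATUS_RE.search(resp_text)
    if m is None:
        raise ValueError("missing Cert Status")
    result["status"] = m.group(1)
    return result


def classify(resp_text: str, queried_at: datetime) -> dict:
    """Return the parsed fields plus 'source' (pre-signed/online) and 'stale'."""
    r = parse_resp_text(resp_text)
    age = queried_at - r["produced_at"]
    r["source"] = "pre-signed" if age > ONLINE_SLACK else "online"
    r["stale"] = r["next_update"] is not None and r["next_update"] < queried_at
    return r


# Constructed samples: a cached pre-signed response queried an hour after it
# was produced, and a response signed on request a few seconds before the query.
PRESIGNED = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: Oct 18 10:00:00 2022 GMT
    Responses:
    Cert Status: good
    This Update: Oct 18 10:00:00 2022 GMT
    Next Update: Oct 19 10:00:00 2022 GMT
"""
ONLINE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: Oct 18 11:00:00 2022 GMT
    Responses:
    Cert Status: good
    This Update: Oct 18 11:00:00 2022 GMT
    Next Update: Oct 18 12:00:00 2022 GMT
"""
QUERIED_AT = datetime(2022, 10, 18, 11, 0, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, text in (("presigned", PRESIGNED), ("online", ONLINE)):
        r = classify(text, QUERIED_AT)
        print(f"{label}: status={r['status']} source={r['source']} stale={r['stale']}")
```

To produce real input, query the responder for one non-expired and one expired certificate, e.g. `openssl ocsp -issuer ca.pem -cert leaf.pem -url http://<host>/ejbca/publicweb/status/ocsp -resp_text`, and pass the output to `classify()` with the time you sent the request; after the upgrade the non-expired certificate should come back pre-signed and not stale, the expired one online.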

ConfigDump Import Improvements

The EJBCA ConfigDump tool now only imports or updates a role member if its token is important to the role being updated. A token is important to a role if that role grants the token at least one access right that is not also granted by another role of which the token is a member. For more information, see ConfigDump Tool.
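To make the "important token" rule concrete, here is an added example (not ConfigDump's own code) that applies it to a set of roles. Roles are modelled as a set of member tokens plus a flat set of allowed resources; this is an assumption that ignores EJBCA's recursive rules and DENY states, and the member tokens are plain strings rather than full role-member match criteria. The roles themselves are constructed for the example.

```python
"""Which role members ConfigDump would import under the 'important token' rule (added example)."""
from typing import Dict, Set

# Simplified role model (assumption): {"members": {token, ...}, "rules": {resource, ...}}
Role = Dict[str, Set[str]]


def rights_from_other_roles(roles: Dict[str, Role], role_name: str, token: str) -> Set[str]:
    """Union of resources the token already gets through every other role it belongs to."""
    granted: Set[str] = set()
    for name, role in roles.items():
        if name != role_name and token in role["members"]:
            granted |= role["rules"]
    return granted


def is_token_important(roles: Dict[str, Role], role_name: str, token: str) -> bool:
    """True if this role gives the token at least one right no other role of its gives it."""
    own = roles[role_name]["rules"]
    return not own.issubset(rights_from_other_roles(roles, role_name, token))


def members_to_import(current_roles: Dict[str, Role], dumped_role_name: str, dumped_role: Role) -> Set[str]:
    """Members of the dumped role that would be imported or updated: those important to it."""
    merged = dict(current_roles)
    merged[dumped_role_name] = dumped_role  # evaluate against the role as it will be after import
    return {t for t in dumped_role["members"] if is_token_important(merged, dumped_role_name, t)}


# Constructed sample: an existing role in the CA and a role read from a ConfigDump file.
CURRENT_ROLES: Dict[str, Role] = {
    "RA Administrators": {
        "members": {"CN=alice", "CN=bob"},
        "rules": {"/ra_functionality/view_end_entity", "/ra_functionality/create_end_entity"},
    },
}
DUMPED_AUDITORS: Role = {
    "members": {"CN=alice", "CN=carol"},
    "rules": {"/ra_functionality/view_end_entity"},
}

if __name__ == "__main__":
    # alice already gets view_end_entity via RA Administrators, so only carol is imported.
    print(sorted(members_to_import(CURRENT_ROLES, "Auditors", DUMPED_AUDITORS)))
```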

More Fine-grained Access Rules for RA GUI

The access rules /ca_functionality/use_username and /ca_functionality/use_approval_request_id have been added and correspond to the pages with the same name in the EJBCA RA UI. These access rules are added automatically to all roles with /ca_functionality/create_certificate access. For more information, see Access Rules and RA Administrator Access Rules.

New Extension Added by Default During MS Auto-enrollment

Addressing a recent vulnerability in Microsoft certificate-based authentication (the change described in Microsoft KB5014754, which fixes CVE-2022-26923), EJBCA now supports the szOID_NTDS_CA_SECURITY_EXT extension (OID 1.3.6.1.4.1.311.25.2), which maps a certificate to the SID of an Active Directory user or computer object. The extension is allowed by default in all certificate profiles and is included in certificates enrolled through EJBCA's Microsoft Auto-enrollment integration. Enrollment through other endpoints and protocols is not affected. For more information, see Microsoft ObjectSid Security Extension in Certificate Profile Fields.
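To verify that certificates issued after the upgrade carry the extension with the expected SID, the following added example (not EJBCA's code) encodes and decodes the extension value using a minimal hand-written DER codec, so it runs without third-party libraries. It assumes the layout Microsoft uses for this extension, an OtherName of type szOID_NTDS_OBJECTSID (1.3.6.1.4.1.311.25.2.1) whose value is an OCTET STRING holding the SID as text; the sample SID is constructed.

```python
"""Encode/decode the szOID_NTDS_CA_SECURITY_EXT extension value (added example).

Layout assumed (Microsoft's ObjectSid extension, OID 1.3.6.1.4.1.311.25.2):
    SEQUENCE {
      [0] {                                        -- OtherName
        OBJECT IDENTIFIER 1.3.6.1.4.1.311.25.2.1   -- szOID_NTDS_OBJECTSID
        [0] { OCTET STRING "S-1-5-21-..." }
      }
    }
"""
import re

NTDS_CA_SECURITY_EXT_OID = "1.3.6.1.4.1.311.25.2"
NTDS_OBJECTSID_OID = "1.3.6.1.4.1.311.25.2.1"
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE, TAG_CTX0 = 0x04, 0x06, 0x30, 0xA0


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nbytes)]) + nbytes
    return bytes([tag]) + length + body


def _read_tlv(data: bytes, pos: int):
    """Return (tag, body, position after the element); rejects indefinite/oversized lengths."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        if k == 0 or k > 4:
            raise ValueError("bad DER length")
        n = int.from_bytes(data[pos:pos + k], "big")
        pos += k
    body = data[pos:pos + n]
    if len(body) != n:
        raise ValueError("truncated DER element")
    return tag, body, pos + n


def _encode_oid(dotted: str) -> bytes:
    """Dotted OID string to DER OID contents (base-128 arcs, first two arcs combined)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def encode_sid_extension(sid: str) -> bytes:
    """DER extension value (the bytes inside the extension's extnValue OCTET STRING)."""
    if not _SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    other_name = _tlv(TAG_OID, _encode_oid(NTDS_OBJECTSID_OID)) + _tlv(
        TAG_CTX0, _tlv(TAG_OCTET_STRING, sid.encode("ascii"))
    )
    return _tlv(TAG_SEQUENCE, _tlv(TAG_CTX0, other_name))


def decode_sid_extension(der: bytes) -> str:
    """Parse the extension value and return the SID, checking every layer and the OID."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag, other_name, end = _read_tlv(seq, 0)
    if tag != TAG_CTX0 or end != len(seq):
        raise ValueError("expected [0] OtherName")
    tag, oid, pos = _read_tlv(other_name, 0)
    if tag != TAG_OID or oid != _encode_oid(NTDS_OBJECTSID_OID):
        raise ValueError("OtherName type is not szOID_NTDS_OBJECTSID")
    tag, ctx, end = _read_tlv(other_name, pos)
    if tag != TAG_CTX0 or end != len(other_name):
        raise ValueError("expected [0] value")
    tag, sid_bytes, end = _read_tlv(ctx, 0)
    if tag != TAG_OCTET_STRING or end != len(ctx):
        raise ValueError("expected OCTET STRING")
    sid = sid_bytes.decode("ascii")
    if not _SID_RE.match(sid):
        raise ValueError(f"OCTET STRING is not a SID: {sid!r}")
    return sid


SAMPLE_SID = "S-1-5-21-1234567890-1234567890-1234567890-1105"  # constructed

if __name__ == "__main__":
    der = encode_sid_extension(SAMPLE_SID)
    print(der.hex(), "->", decode_sid_extension(der))
```

To inspect an issued certificate, obtain the raw value with a library that exposes unknown extensions, for example `cert.extensions.get_extension_for_oid(x509.ObjectIdentifier("1.3.6.1.4.1.311.25.2")).value.value` with the `cryptography` package, and pass those bytes to `decode_sid_extension()`; the SID returned should be the objectSid of the enrolled user or computer.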

Deprecations

Script-based Auto-enrollment

The legacy script-based auto-enrollment (relevant before Microsoft Auto-enrollment was integrated into EJBCA proper) has been removed. For more information on auto-enrollment in EJBCA, see Microsoft Auto-enrollment Overview.

Validation CLI Tool

The legacy Validation CLI has not been supported for several years and is being sunset in this release; it will be removed in the next major/feature release.