EJBCA 6.5 Upgrade Notes


EJBCA 6.4.2 to EJBCA 6.5.3

The following lists important notes on upgrading to EJBCA 6.5.x versions:

For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

For details of the new features and improvements in the releases, see the EJBCA 6 Release Notes.

EJBCA 6.5.1 to EJBCA 6.5.3


6.5.3 involves a minor change to the CLI command "ca editca". The "-listFields" and "-getValue" flags have been removed and replaced with the "ca listcafields" and "ca getcafield" commands.

EJBCA 6.5.0 to EJBCA 6.5.1


EJBCA 6.5.1 involves two minor changes to CMP aliases:

  • Previously, End Entity Profiles (for RA configurations) were referred to by name instead of by ID. Since End Entity Profile names are both volatile and not guaranteed to be unique, renaming a profile could cause a CMP alias to enter an error state. 6.5.1 will automatically convert existing CMP aliases to the new format while preserving the old value for 100% uptime needs. CMP will continue to function, and no configuration changes should be made during the upgrade.

  • As a result of this, EJBCA no longer supports the ra.endentityprofile=KeyId or ra.certificateprofile=KeyId configuration values, which were deprecated in 2013 (ECA-2948).

EJBCA 6.4.2 to EJBCA 6.5.0


Upgrading to 6.5.0 involves the following changes:

Key algorithm constraints in certificate profiles

EJBCA 6.5.0 allows configuration of key algorithm constraints in certificate profiles. By default, any algorithm type compatible with the currently allowed key lengths will be preselected during the upgrade. If you allow 1024 bits, both RSA and DSA will be allowed. Since it is now possible to request tokens using any allowed key algorithm from the public web, requesting a DSA 1024 keystore will be allowed, whereas earlier only RSA was available over this interface.

Configuration changes in CMP Proxy

For those running the CMP Proxy, the following values have changed names in cmpProxy.properties:

From                                   To
cmp.backend.extra.caservicecertpath    cmp.backend.caservicecertpath
cmp.backend.extra.issuerchainpath      cmp.backend.issuerchainpath
cmp.backend.extra.keystorepath         cmp.backend.keystorepath
cmp.backend.extra.keystorepwd          cmp.backend.keystorepwd

The old values will continue to function for the time being, but will get dropped at a future date.
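
As an added example (not part of EJBCA or its documentation), the script below applies the four renames above to the text of cmpProxy.properties and reports what it changed without echoing values such as the keystore password. The sample file contents and paths are constructed, and flagging a file that sets both the old and the new name as a conflict for manual review is an assumption of this example.

```python
import re

# Old -> new names, exactly as listed in the 6.5.0 notes for cmpProxy.properties.
RENAMED = {
    "cmp.backend.extra.caservicecertpath": "cmp.backend.caservicecertpath",
    "cmp.backend.extra.issuerchainpath": "cmp.backend.issuerchainpath",
    "cmp.backend.extra.keystorepath": "cmp.backend.keystorepath",
    "cmp.backend.extra.keystorepwd": "cmp.backend.keystorepwd",
}

# Simplified .properties line: indent, key, separator, value.
# Comment lines (# or !) do not match; backslash continuations are not handled.
LINE_RE = re.compile(r"^(\s*)([^\s=:#!][^\s=:]*)(\s*[=:]\s*|\s+)(.*)$")

# Constructed sample input (not a real configuration).
SAMPLE = """\
# CMP Proxy backend settings
cmp.backend.extra.keystorepath = /opt/cmpproxy/keystore.jks
cmp.backend.extra.keystorepwd=example-secret
cmp.backend.extra.issuerchainpath=/opt/cmpproxy/old-chain.pem
cmp.backend.issuerchainpath=/opt/cmpproxy/chain.pem
"""


def migrate(text):
    """Return (new_text, report); report holds (line_no, old_key, action), never values."""
    lines = text.splitlines()
    keys = {m.group(2) for m in map(LINE_RE.match, lines) if m}
    out, report = [], []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m or m.group(2) not in RENAMED:
            out.append(line)
            continue
        indent, old, sep, value = m.groups()
        if RENAMED[old] in keys:
            # Both names are set: leave the line alone and flag it for review.
            out.append(line)
            report.append((no, old, "conflict"))
        else:
            out.append(indent + RENAMED[old] + sep + value)
            report.append((no, old, "renamed"))
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), report


if __name__ == "__main__":
    new_text, report = migrate(SAMPLE)
    for no, key, action in report:
        print(f"line {no}: {key} -> {action}")
```

Running it on a copy of the file before the old names are dropped shows which lines still need attention; a "conflict" entry means the old and new key are both present and one of them should be removed by hand.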

Database maximum query count

The maximum query count (the maximum number of objects retrieved from the database in a single request), previously several predefined constants, can now be set from the web UI (in the Systems Configuration screen).

CMP error message

A couple of error messages for CMP have been changed.

  • When submitting a request with a URL that does not match an existing CMP alias, an HTTP 404 (not found) is returned instead of a CMP badRequest error message.

  • When trying to revoke a certificate that has already been revoked, a CMP certRevoked error message is returned instead of a CMP badRequest error message.

healthcheck.publisherconnections property

The property healthcheck.publisherconnections was documented as defaulting to false, but actually defaulted to true. This has now been corrected to default to false.