[Important Notice] OCSP Compliance issue in EJBCA version 8.2.0


An OCSP compliance issue was identified with the “Pre-produce OCSP response upon issuance/revocation” feature in EJBCA version 8.2.0.

Keyfactor has released EJBCA 8.2.0.3 to resolve this matter. 

Issue Summary:

Due to a software issue in EJBCA version 8.2.0, the system may generate incorrect OCSP responses. Incorrect responses are generated only when the new EJBCA 8.2.0 option “Pre-produce OCSP response upon issuance/revocation” is enabled. With this option enabled, the system generates responses that ignore the configured nextUpdate parameter. This may result in a nextUpdate more than 10 days after the thisUpdate, which violates section 4.9.10 of the CA/Browser Forum TLS Baseline Requirements and possibly other schemes.

CRL generation is not impacted.
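To confirm whether a responder is affected, a short check of the thisUpdate/nextUpdate window in a captured response is enough. The following is an added example, not Keyfactor or EJBCA code: it parses the text that `openssl ocsp -respin <file> -text -noverify` prints and flags any response whose validity window exceeds the 10-day limit from BR section 4.9.10. The two embedded responses are constructed samples; the helper name `check_response_file` is an assumption of this example.

```python
"""Flag OCSP responses whose nextUpdate - thisUpdate exceeds the BR 4.9.10 limit.

Added example (not EJBCA code). Input is the text printed by
`openssl ocsp -respin <file> -text -noverify`; the samples below are constructed.
"""
import subprocess
from datetime import datetime, timedelta

MAX_VALIDITY = timedelta(days=10)   # upper bound from CA/B Forum TLS BR 4.9.10
_TIME_FMT = "%b %d %H:%M:%S %Y"     # openssl prints e.g. "Feb  5 12:00:00 2024 GMT"


def _parse_time(value: str) -> datetime:
    # Collapse openssl's space-padded day ("Feb  5") and drop the "GMT" suffix.
    value = " ".join(value.replace("GMT", "").split())
    return datetime.strptime(value, _TIME_FMT)


def check_ocsp_text(text: str, max_validity: timedelta = MAX_VALIDITY):
    """Return (validity_window, compliant) for one SingleResponse in the text."""
    this_update = next_update = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("This Update:"):
            this_update = _parse_time(line.split(":", 1)[1])
        elif line.startswith("Next Update:"):
            next_update = _parse_time(line.split(":", 1)[1])
    if this_update is None or next_update is None:
        raise ValueError("response lacks thisUpdate/nextUpdate")
    validity = next_update - this_update
    return validity, validity <= max_validity


def check_response_file(path: str):
    """Run openssl on a DER-encoded response file and apply the same check."""
    out = subprocess.run(
        ["openssl", "ocsp", "-respin", path, "-text", "-noverify"],
        capture_output=True, text=True, check=True,
    ).stdout
    return check_ocsp_text(out)


# Constructed samples: a 7-day window (compliant) and a 30-day window (not).
SAMPLE_OK = """    Cert Status: good
    This Update: Feb  5 12:00:00 2024 GMT
    Next Update: Feb 12 12:00:00 2024 GMT
"""
SAMPLE_BAD = """    Cert Status: good
    This Update: Feb  5 12:00:00 2024 GMT
    Next Update: Mar  6 12:00:00 2024 GMT
"""

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        window, compliant = check_ocsp_text(sample)
        print(f"{name}: window={window.days}d compliant={compliant}")
```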

Impacted Customers:

Customers that have upgraded to EJBCA 8.2.0 and enabled the new option “Pre-produce OCSP response upon issuance/revocation” are impacted. Customers using previous EJBCA versions or who have not enabled the option are not impacted.

Mitigation:

Keyfactor has released EJBCA 8.2.0.3; please see details here.

Our recommendation is for customers that are using EJBCA 8.2.0 to upgrade to EJBCA 8.2.0.3.

Thank you for your continued support.