An OCSP compliance issue has been identified with the “Pre-produce OCSP response upon issuance/revocation” feature in EJBCA version 8.2.0. Our team is actively working to resolve this matter promptly.
Due to a software issue in EJBCA version 8.2.0, the system may generate incorrect OCSP responses. Incorrect responses are generated only if the new EJBCA 8.2.0 option “Pre-produce OCSP response upon issuance/revocation” is enabled. With this option enabled, the system produces responses that ignore the configured nextUpdate parameter. This may result in a nextUpdate more than 10 days after the thisUpdate, which violates section 4.9.10 of the CA/Browser Forum TLS Baseline Requirements, and possibly the rules of other schemes.
CRL generation is not impacted.
Customers that have upgraded to EJBCA 8.2.0 and enabled the new option “Pre-produce OCSP response upon issuance/revocation” are impacted. Customers using previous EJBCA versions or who have not enabled the option are not impacted.
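A check an operator or relying party can run over individual OCSP responses to find exactly this defect, added here as an example (it is not Keyfactor or EJBCA code): it parses the RFC 6960 SingleResponse structure with a minimal DER reader, extracts thisUpdate and nextUpdate, and flags any window longer than the 10-day limit of BR section 4.9.10. The sample responses are constructed inline with placeholder CertID values, and the window lengths used in the test are illustrative, not the values EJBCA 8.2.0 produced.

```python
from datetime import datetime, timedelta, timezone

MAX_WINDOW = timedelta(days=10)  # CA/B Forum TLS BR 4.9.10 bound on nextUpdate - thisUpdate

def der_tlv(tag: int, payload: bytes) -> bytes:
    """Minimal DER encoder (tag, length, value); used only to build the constructed samples."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nbytes)]) + nbytes + payload

def read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos; return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_generalized_time(value: bytes) -> datetime:
    """GeneralizedTime in the DER form RFC 5280 requires: YYYYMMDDHHMMSSZ."""
    return datetime.strptime(value.decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def single_response_window(der: bytes) -> timedelta:
    """nextUpdate - thisUpdate of a DER-encoded SingleResponse (RFC 6960 section 4.2.1)."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SingleResponse must be a SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        fields.append((tag, value))
    # Field order: certID, certStatus, thisUpdate, [0] EXPLICIT nextUpdate (optional), [1] extensions
    if len(fields) < 4 or fields[3][0] != 0xA0:
        raise ValueError("nextUpdate absent: response lifetime is unbounded")
    this_update = parse_generalized_time(fields[2][1])
    next_update = parse_generalized_time(read_tlv(fields[3][1], 0)[1])
    return next_update - this_update

def is_br_compliant(der: bytes) -> bool:
    """True when the response's validity window is within the BR 4.9.10 maximum."""
    return single_response_window(der) <= MAX_WINDOW

def build_sample(this_update: str, next_update: str) -> bytes:
    """Constructed SingleResponse: placeholder SHA-1 CertID, status 'good', given times."""
    sha1 = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2B0E03021A")) + der_tlv(0x05, b""))
    cert_id = der_tlv(0x30, sha1 + der_tlv(0x04, b"\0" * 20) + der_tlv(0x04, b"\0" * 20) + der_tlv(0x02, b"\x01"))
    times = der_tlv(0x18, this_update.encode()) + der_tlv(0xA0, der_tlv(0x18, next_update.encode()))
    return der_tlv(0x30, cert_id + der_tlv(0x80, b"") + times)  # [0] IMPLICIT NULL = good
```

To audit a live responder, feed the SingleResponse elements found inside BasicOCSPResponse.tbsResponseData.responses to single_response_window; a pre-produced response that ignored the configured nextUpdate shows up as a window above MAX_WINDOW.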
Keyfactor is preparing an error correction release, EJBCA 220.127.116.11. Customers running EJBCA 8.2.0 must not enable the option “Pre-produce OCSP response upon issuance/revocation” until the error correction release is available and their systems have been upgraded to it.
Customers running EJBCA 8.2.0 who have already enabled the option “Pre-produce OCSP response upon issuance/revocation” should disable it and contact Keyfactor for assistance with handling the affected OCSP responses.
We sincerely apologize for any inconvenience this may have caused and appreciate your understanding as we work to resolve this matter. Your trust is of utmost importance to us, and we are committed to maintaining the highest standards in product quality and customer service.
Thank you for your continued support.