An OCSP compliance issue was identified with the “Pre-produce OCSP response upon issuance/revocation” feature in EJBCA version 8.2.0.
Keyfactor has released EJBCA 8.2.0.3 to resolve this matter.
Issue Summary:
Due to a software issue in EJBCA version 8.2.0, the system may generate incorrect OCSP responses. The incorrect responses are generated when the new EJBCA 8.2.0 option “Pre-produce OCSP response upon issuance/revocation” is enabled. With this option enabled, the system generates responses that ignore the configured nextUpdate parameter. This may result in a nextUpdate more than 10 days after the thisUpdate, which violates section 4.9.10 of the CA/Browser Forum TLS Baseline Requirements (BRs), and possibly other schemes.
CRL generation is not impacted.
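The following is an added example of the kind of check a CA operator would run over OCSP responses served by an affected responder; it is not part of the Keyfactor advisory or of EJBCA. It uses the third-party `cryptography` library to build a throwaway CA, one leaf certificate and a signed OCSP response with a chosen thisUpdate/nextUpdate (all constructed test data), then inspects the DER-encoded response the same way a monitoring job would inspect a response fetched from a production responder. The 10-day limit is the BR 4.9.10 bound quoted in the advisory; names, keys and dates are assumptions made for the example.

```python
"""Compliance check for the OCSP validity window (CA/B Forum BR 4.9.10).

Added example, not vendor code. Builds a constructed CA/leaf pair and a signed
OCSP response with a configurable nextUpdate, then checks the DER bytes.
"""
from __future__ import annotations

import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

# BR 4.9.10: nextUpdate must be at most ten days after thisUpdate for
# OCSP responses covering subscriber certificates.
MAX_WINDOW = dt.timedelta(days=10)


def _make_ca_and_leaf():
    """Create a throwaway CA and a leaf certificate (constructed test data)."""
    now = dt.datetime.now(dt.timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(ca_name)
        .issuer_name(ca_name)
        .public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - dt.timedelta(days=1))
        .not_valid_after(now + dt.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "leaf.example.test")]))
        .issuer_name(ca_name)
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - dt.timedelta(days=1))
        .not_valid_after(now + dt.timedelta(days=90))
        .sign(ca_key, hashes.SHA256())
    )
    return ca_key, ca_cert, leaf_cert


def build_ocsp_response(window: dt.timedelta) -> bytes:
    """Sign a 'good' OCSP response whose nextUpdate is thisUpdate + window.

    Returns the DER bytes, i.e. what an OCSP client receives over HTTP. A
    window longer than MAX_WINDOW reproduces the non-compliant shape
    described in the advisory.
    """
    ca_key, ca_cert, leaf_cert = _make_ca_and_leaf()
    # GeneralizedTime has whole-second resolution; drop microseconds so the
    # round-tripped thisUpdate equals the value used here.
    this_update = dt.datetime.now(dt.timezone.utc).replace(microsecond=0)
    builder = (
        ocsp.OCSPResponseBuilder()
        .add_response(
            cert=leaf_cert,
            issuer=ca_cert,
            algorithm=hashes.SHA1(),  # CertID hash, the conventional choice
            cert_status=ocsp.OCSPCertStatus.GOOD,
            this_update=this_update,
            next_update=this_update + window,
            revocation_time=None,
            revocation_reason=None,
        )
        .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    )
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def _update_times(resp):
    """Return (thisUpdate, nextUpdate); newer library versions expose *_utc."""
    if hasattr(resp, "this_update_utc"):
        return resp.this_update_utc, resp.next_update_utc
    return resp.this_update, resp.next_update


def check_validity_window(der: bytes) -> list[str]:
    """Return BR 4.9.10 findings for a DER OCSP response (empty list = OK)."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return [f"response status is {resp.response_status.name}, not SUCCESSFUL"]
    this_update, next_update = _update_times(resp)
    if next_update is None:
        return ["nextUpdate is absent"]
    window = next_update - this_update
    findings = []
    if window < dt.timedelta(0):
        findings.append("nextUpdate precedes thisUpdate")
    if window > MAX_WINDOW:
        findings.append(f"nextUpdate is {window} after thisUpdate, limit is {MAX_WINDOW}")
    return findings


if __name__ == "__main__":
    for days in (7, 14):
        print(days, "days:", check_validity_window(build_ocsp_response(dt.timedelta(days=days))))
```

In a monitoring job the `build_ocsp_response` step is replaced by the bytes returned from the responder's HTTP endpoint; `check_validity_window` is the part to keep. Flagging a window over 10 days on responses for subscriber certificates is exactly the condition the advisory describes, so a run against an EJBCA 8.2.0 responder with the pre-produce option enabled would surface the problem before an external auditor does.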
Impacted Customers:
Customers that have upgraded to EJBCA 8.2.0 and enabled the new option “Pre-produce OCSP response upon issuance/revocation” are impacted. Customers using previous EJBCA versions or who have not enabled the option are not impacted.
Mitigation:
Keyfactor has released EJBCA 8.2.0.3; please see the release details here.
We recommend that customers running EJBCA 8.2.0 upgrade to EJBCA 8.2.0.3.
Thank you for your continued support.