Issue summary
An issue related to the EJBCA MPIC implementation has been discovered which can, depending on deployment and/or configuration, cause a breach to Section 3.2.2.9 of the CA/B Forum Baseline Requirements (BR) when validating certificate requests over ACME.
The requirement states that ACME Domain Control Validation (DCV) is performed from the primary network perspective and corroborated over multiple, additional, network perspective.
When EJBCA is configured to use ACME with MPIC, DCV checks will only be performed using MPIC Network Perspectives that might all be considered as Remote Network Perspectives. Even though the quorum is still maintained, the absence of the DCV being performed from the primary network perspective is considered as a breach of the Baseline Requirements.
What is the impact?
This would have constituted misissuance of certificates issued using ACME with EJBCA’s MPIC implementation.
Who is affected?
EJBCA customers belonging to one or more of the TLS Root Programs with mandatory compliance to CA/B Forum Baseline Requirements, using EJBCA’s ACME implementation with an MPIC server that is not configured within the primary network.
Mitigation
Prior to upgrading, the following mitigation can be applied: add an additional MPIC server locally to act as the Primary Network Perspective and set the quorum to ensure that the local perspective is always included.
This issue is resolved in the upcoming EJBCA 9.6 release, scheduled for May 2026.
Articles in this section
- EJBCA compliance issue: Potential CA/B Forum compliance issue for customers using EJBCA ACME and MPIC functionality
- SignServer CVE-2025-47222: Class name enumeration
- SignServer CVE-2025-47221: Arbitrary file write
- SignServer CVE-2025-47220: Local file enumeration
- SignServer security advisory: Container vulnerability CVE-2025-26787 fixed in version 7.2
- EJBCA security advisory: EJBCA standalone CMP CLI client
- Security Advisory: EJBCA - Partial denial of service attack on certificate distribution servlet /ejbca/ra/cert
- Security Advisory: SignServer - Cross-site scripting issue in Admin Web
Add comment
Article is closed for comments.