One search. Every source. One search. Every source.

EJBCA compliance issue: Potential CA/B Forum compliance issue for customers using EJBCA ACME and MPIC functionality

Created: Updated:

Issue summary

An issue related to the EJBCA MPIC implementation has been discovered which can, depending on deployment and/or configuration, cause a breach to Section 3.2.2.9 of the CA/B Forum Baseline Requirements (BR) when validating certificate requests over ACME.  

The requirement states that ACME Domain Control Validation (DCV) is performed from the primary network perspective and corroborated over multiple, additional, network perspective.  

When EJBCA is configured to use ACME with MPIC, DCV checks will only be performed using MPIC Network Perspectives that might all be considered as Remote Network Perspectives. Even though the quorum is still maintained, the absence of the DCV being performed from the primary network perspective is considered as a breach of the Baseline Requirements.     

What is the impact?

This would have constituted misissuance of certificates issued using ACME with EJBCA’s MPIC implementation. 

Who is affected?

EJBCA customers belonging to one or more of the TLS Root Programs with mandatory compliance to CA/B Forum Baseline Requirements, using EJBCA’s ACME implementation with an MPIC server that is not configured within the primary network. 

Mitigation

Prior to upgrading, the following mitigation can be applied: add an additional MPIC server locally to act as the Primary Network Perspective and set the quorum to ensure that the local perspective is always included.

This issue is resolved in the upcoming EJBCA 9.6 release, scheduled for May 2026.

Add comment

Article is closed for comments.