Introducing the 2024 PKI & Digital Trust Report     | Download the Report

  • Home
  • Blog
  • Tech Updates
  • Updates to SignServer and EJBCA Enhance Deployment Flexibility and Quantum-Readiness

Updates to SignServer and EJBCA Enhance Deployment Flexibility and Quantum-Readiness

Tech Updates

We’re excited to announce the general availability of EJBCA 8.2 and SignServer 6.2, including updates to the software appliance, hardware appliance, and cloud editions. These releases highlight our commitment to moving the industry towards post-quantum readiness as well as providing our customers PKI and signing how and where they need it. 

Here are just a few highlights from the releases:

  • HSM support for post-quantum issuance and signing: Continue issuing certificates and signing artifacts in your test environments, now with Thales Luna 7 or TCT HSM, with more to come.
  • Registration Authority (RA) Chaining: Want an RA inside your network to work with your EJBCA SaaS or PKI as a service deployment? Now you’ve got it. 
  • Automated certificate clean-up: Clear up extra database space by getting rid of expired certificates automatically based on a configurable window.
  • Expanded SignServer REST API: Automate configuration and fully remote control with extended methods and endpoints for SignServer workers. 

Let’s take a closer look at the new enhancements in EJBCA 8.2 and SignServer 6.2.

HSM support for PQC issuance and signing

The requirement for post-quantum certificates and signing is only getting closer. Now is the time to prepare, not panic. The final post-quantum algorithms are still going through their final approvals, making now a perfect time to test them in your lab environments and ensure a smooth transition when deadline requirements hit. 

In EJBCA 8.0 and SignServer 6.0, we introduced support for post-quantum issuance and signing, so our customers can begin testing their lab environment. Now, we’ve taken that a step further, enabling integration with a quantum-capable HSM for key generation. This is yet another step on our roadmap to deliver quantum-ready solutions for a post-quantum world.

This makes now a perfect time for you to get started if you’ve yet to look at testing post-quantum algorithms.  

Enhanced flexibility with RA Chaining

Having a Certificate Authority (CA) or full PKI in the cloud has a ton of great benefits. But sometimes you want that extra layer of security on your enterprise network by only allowing communication to be initiated internally. For our cloud-hosted customers, if you wanted to interact with your Registration Authority (RA), you had to use API calls. Now with EJBCA 8.2 and RA Chaining, you can utilize a full RA from within your network, giving you both more functionality and security when connecting to your external services.

EJBCA RA Chaining

Automated certificate cleanup

With the volume of certificates issued from your PKI, the size of your database can grow quickly. Now, you can purge your database of expired certificates that no longer need to be audited or tracked. Simply turn on clean up, specify the age you want expired certificates to be deleted after, and watch EJBCA free up your space. 

Expanded SignServer REST API

Lastly, we’ve also expanded the REST API for SignServer. Now you have even more granular remote control of your SignServer workers. The new methods can typically be used for automating SignServer setup as part of DevOps processes. 

To learn more about the releases, please refer to the documentation portal.