Tl;dr
EJBCA 9.4 marks a major step forward in bringing quantum-safe security, planet-scale automation, and modernized deployment flexibility to the world’s most trusted PKI.
With expanded hardware security module (HSM) integrations, FIPS 140-3 compliant SCEP support, new 3rd party vulnerability management policies, and major updates to both Hardware and Software Appliances, this release extends EJBCA’s reach across every environment.
Read the release notes here, or continue below for a deeper dive into what’s new.
1. Quantum-Safe PKI: Expanded HSM Power and PQC Coverage
As organizations build long-lived cryptographic systems—especially those securing IoT devices, critical infrastructure, and regulated environments—post-quantum protection has become non-negotiable.
EJBCA 9.4 expands support for quantum-safe cryptography with broader ML-DSA key support across the industry’s leading HSMs, including:
- Thales Luna 7
- Utimaco u.trust Anchor
- Entrust nShield Connect
- AWS KMS
- Fortanix DSM
- Securosys Primus
These integrations allow organizations to place PQC keys inside FIPS-validated, hardware-backed environments—critical for long-term confidentiality and compliance.
Why it matters:
Customers can future-proof their PKI using the hardware vendors they already trust, without redesigning their infrastructure. Quantum-safe keys can now be generated, stored, and managed in enterprise-grade HSMs, ensuring modern security without operational disruption.
2. Planet-Scale PKI: Automation, Publishing, and High Availability
Managing PKI across globally distributed architectures often becomes a bottleneck. With 9.4, EJBCA introduces new automation capabilities designed for scale.
Key enhancements include:
- ConfigDump improvements for simpler, YAML-based configuration export/import
- SCP publishing across all deployment types
- New SFTP support for secure, key-based automated publishing workflows
These updates streamline PKI lifecycle operations, reduce human error, and make it easier to replicate or distribute CA services across cloud regions, data centers, or containerized environments.
Why it matters:
Whether issuing thousands of certificates or billions, EJBCA needs to function as a foundational service. With stronger automation and more flexible publishing, organizations can operate PKI at true “planet scale.”
3. Compliance & Protocol Advancements: ACME, FIPS, and Transparency
Cybersecurity regulations increasingly require transparency into vulnerabilities, component libraries, and cryptographic processes. EJBCA 9.4 delivers on this with several compliance-driven enhancements.
ACME Renewal Information (ARI)
Support for ARI (RFC 9773) allows EJBCA to proactively communicate certificate renewal timing to clients, reducing the risk of mass certificate expirations.
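To make the ARI mechanism concrete, here is an added client-side sketch (not EJBCA code and not from the release notes) of the two things an ACME client does with ARI under RFC 9773: build the certID that names its certificate at the server's renewalInfo endpoint, and turn the server's suggestedWindow into a renew-now decision that spreads renewals across the window instead of clustering them. The directory URL, AKI bytes, serial and window values are constructed sample data.

```python
import base64
import random
from datetime import datetime, timedelta, timezone

def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """certID per RFC 9773: base64url(AKI keyIdentifier) '.' base64url(serial).
    The serial is the content bytes of its DER INTEGER (minimal two's complement),
    so a positive serial whose top bit is set gets a leading 0x00 byte."""
    length = (serial.bit_length() + 8) // 8
    serial_bytes = serial.to_bytes(length, "big", signed=True)
    return f"{b64url(aki_key_identifier)}.{b64url(serial_bytes)}"

def renewal_info_url(directory: dict, cert_id: str) -> str:
    """The directory's 'renewalInfo' endpoint plus the certID path segment."""
    return f"{directory['renewalInfo']}/{cert_id}"

def parse_rfc3339(s: str) -> datetime:
    """Parse the RFC 3339 timestamps used in suggestedWindow (handles trailing Z)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def choose_renewal_time(renewal_info: dict, rng=None) -> datetime:
    """Pick a uniformly random instant inside suggestedWindow, as RFC 9773 asks,
    so a fleet of clients does not all renew in the same second."""
    rng = rng or random.SystemRandom()
    win = renewal_info["suggestedWindow"]
    start, end = parse_rfc3339(win["start"]), parse_rfc3339(win["end"])
    if end <= start:
        raise ValueError("suggestedWindow end must be after start")
    return start + (end - start) * rng.random()

def should_renew_now(renewal_info: dict, now: datetime, next_check: datetime, rng=None) -> bool:
    """Renew immediately if the chosen time is already past, or would fall
    before this client's next scheduled ARI poll."""
    chosen = choose_renewal_time(renewal_info, rng)
    return chosen <= now or chosen < next_check

# Constructed sample data (not from EJBCA): a directory entry and one ARI response.
SAMPLE_DIRECTORY = {"renewalInfo": "https://ca.example.test/acme/renewal-info"}
SAMPLE_RESPONSE = {
    "suggestedWindow": {"start": "2026-01-01T00:00:00Z", "end": "2026-01-03T00:00:00Z"},
    "explanationURL": "https://ca.example.test/notices/renewal",
}

if __name__ == "__main__":
    print(renewal_info_url(SAMPLE_DIRECTORY, ari_cert_id(b"\x01\x02\x03", 0x80)))
    now = datetime(2026, 1, 2, tzinfo=timezone.utc)
    print(should_renew_now(SAMPLE_RESPONSE, now, now + timedelta(days=1)))
```

A real client would also honour the Retry-After header on the renewalInfo response to decide when to poll again.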
Official Vulnerability Management Policy
EJBCA now provides:
- Automated CVE scanning,
- Analysis of third-party components, and
- An SBOM for every release.
This helps organizations meet evolving supply chain security requirements.
FIPS 140-3 Compliant SCEP Enhancements

Earlier versions of SCEP used a single key pair both to sign and to decrypt CMS payloads. Under FIPS 140-3 this is no longer permissible, especially when the keys are generated in a compliant HSM.
EJBCA 9.4 introduces separate signing and encryption key pairs, ensuring full adherence to FIPS requirements.
Why it matters:
Compliance isn’t just a checkbox—it’s operational safety. These updates help ensure EJBCA fits seamlessly into regulated environments where transparency and correctness are mandatory.
4. Platform Modernization: A Stronger, Faster Foundation
EJBCA 9.4 brings significant under-the-hood upgrades to improve performance, security, and long-term maintainability.
Key technology updates include:
- Java 21 as the recommended runtime
- WildFly 38 application server support
- Bouncy Castle 1.82 for enhanced PQC and cryptographic capabilities
- Dynamic OAuth hostname support for multi-hostname environments
Why it matters:
These updates ensure EJBCA continues to meet enterprise-grade performance needs while enabling easier upgrades, stronger cryptographic support, and cleaner deployments.
5. Admin Experience Enhancements: Simplified, Streamlined Workflows
Usability upgrades in 9.4 help PKI administrators work more quickly and safely.
Highlights include:
- Streamlined CA, profile, and crypto token creation flows
- Inline editing for names (no more separate rename actions)
- New dedicated Delete and Clone pages
- Tabbed interfaces for CA Management and OCSP Responder configuration
Why it matters:
Even highly technical teams benefit from cleaner UX. These improvements reduce error rates, speed up configuration, and make the daily operations of running PKI more intuitive.
6. Appliance Upgrades: Hardware 5.2 and Software 2.9
Hardware Appliance 5.2: The Next-Generation “PKI in a Box”

New capabilities include:
- Quantum-safe support for the built-in Thales Luna and Utimaco PCI HSMs via simple WebUI-driven firmware updates
- Support for network-attached HSMs, including Entrust nShield, Thales Luna Network, Securosys Primus, and Utimaco LAN devices
- Support for external databases (MariaDB, Oracle, PostgreSQL, SQL Server), all configurable through the WebUI
Software Appliance 2.9: PKI on Your Hypervisor—Simplified
Major improvements:
- One-click backup and restore, eliminating the need for hypervisor-level tooling
- PQC support for network-attached HSMs (Entrust nShield, Thales Luna)
- USB HSM support, beginning with Thales Luna USB modules—ideal for secure offline root CA deployments
Why it matters:
Both appliances reduce operational complexity by centralizing management in the WebUI and removing dependency on deep PKI expertise or specialized infrastructure teams.
A New Era for EJBCA
EJBCA 9.4 represents more than a feature update—it’s a turning point. With a stronger cryptographic foundation, deeper automation, enhanced compliance posture, and more flexible deployment capabilities, this release positions EJBCA for the next decade of digital trust.
Whether you’re building for the post-quantum transition, scaling certificate issuance into the billions, or modernizing PKI infrastructure in appliances or containers, EJBCA 9.4 helps ensure your organization is ready for whatever comes next.