This section provides information on upgrading from your current version to a later version of EJBCA and the Upgrade Paths table below helps you determine the most efficient upgrade path.
Also see the EJBCA Upgrade Notes for the version you plan to upgrade to (and any version in between).
Upgrade Instructions #
When upgrading or changing a configuration setting in a properties file, it is not required to fully re-install EJBCA or re-configure the application server. Instead, deploy a new EJBCA application (ejbca.ear) to the application server using the
ant deployear command.
Follow the steps below to upgrade from one version of EJBCA to a new version.
conf/*.propertiesfrom the earlier installation.
This step is not required if you are using an ejbca-custom directory (see ejbca-custom below).
- Merge changes (if there are any) from
- Copy the content of the
p12directory from the earlier installation and run the following command with the new version:
$ ant deployearBASH
Note that the command
deployeardeploys a new
ejbca.earto the application server, not performing the same configuration work as the
- If you have switched application server (a new version, or just unpacked a fresh installation of it), you need to run the following additional command to copy the TLS keystores over to the new server:
$ ant deploy-keystoreBASH
- You also need to configure TLS for your application server. See the application server specific instructions for the installation, for example for WildFly on Application Servers.
All database upgrades require CREATE and ALTER TABLE privileges in addition to the usual privileges SELECT, UPDATE, INSERT, and DELETE. The SQL executed by database upgrades code is available in
src/upgrade/<oldversion>_<newversion>/<oldversion>_<newversion>-upgrade-<database>.sql. For example,
src/upgrade/700_710/700_710-upgrade-oracle.sql. For MariaDB, use the
To ease upgrades and allow keeping your personal configurations from a version to another, you can store your personal EJBCA modifications in the
ejbca-custom folder. Your modifications will automatically overwrite any existing files found in the
EJBCA_HOME directory before executing an
ant command. For more information, see Modifying EJBCA.
Upgrade Paths #
Use the table below to determine the most efficient upgrade path from your current version to the later versions of EJBCA and see the Notes section below for details.
Also see thefor the version you plan to upgrade to (and any in between).
Recommended Upgrade Path
|4.0.15 or earlier on JDK6 or earlier||Upgrade to 4.0.16 and then upgrade to 220.127.116.11.||
|4.0.16 to 5.0.11 on JDK6 or earlier||Upgrade to 18.104.22.168 and then upgrade to the latest version of EJBCA.||
|5.0.12 to 6.3.x||Upgrade to the latest version of EJBCA.||
|6.4.0 or later||Upgrade to the latest version of EJBCA.||
Intermediate Release EJBCA 22.214.171.124 #
The intermediate release EJBCA 126.96.36.199, released 1 December 2017, handles intermediate upgrade steps when upgrading a version prior to 5.0.12 to a later EJBCA version.
Up until and including version 188.8.131.52, EJBCA can be run on JBoss 5.1, while higher versions of EJBCA require Java 8 and WildFly.
Approval Request after EJBCA 6 Upgrade #
If you are using approvals and upgrading to EJBCA 6, please be aware of an issue preventing approval requests created in EJBCA 5.x or earlier from being displayed after the upgrade. For details, refer to ECA-8831.
Technology Jumps #
Upgrading past these technology jumps requires not only upgrading EJBCA, but also the underlying software such as the JDK and the application server.
- EJBCA 6.4.0: JDK6 → JDK7: End of support for legacy runtime version JDK6 and moving to JDK7.
- EJBCA 6.4.0: JEE5 → JEE6: With the move to runtime version JDK7, it can no longer be deployed to application servers based on JDK6 such as JBoss versions 4 and 5. The latest version that can still run under JDK6 is the EJBCA 184.108.40.206 intermediate release. Thus, EJBCA 220.127.116.11 and earlier can be run on JBoss 5.1.0.GA server (JEE5), while later versions require an upgrade of the JDK and application server, JDK8 and JBoss EAP 7 or WildFly 10 are recommended.
- EJBCA 7.0.0: JDK7 → JDK8: End of support for legacy runtime version JDK7 and moving to JDK8
- EJBCA 7.0.0: JEE6 → JEE7: With the end of JDK7 support, support of JEE6 reliant application servers ceases as well. Minimum supported version of JBoss is EAP7/Wildfly 10.
Upgrade Process Changes #
- As of EJBCA 4.0, full up-time is supported during upgrades for clustered installations, using the upgrade process steps
upgrade: Performs steps required for upgrading the first node to be able to function once it comes online again.
post-upgrade: Performs remaining upgrade steps (such as clean-up) that can only be performed once all nodes are running the latest code.
- As of EJBCA 6.4.0, the database version is tracked internally, making the upgrade automatically run from the first run running the upgraded code, making the
- As of EJBCA 6.8.0, you can perform post-upgrades from the Admin Web. When a post-upgrade is required, the System Configuration menu option System Upgrade is available.