CA Manager
Release notes
December 17, 2024
DigiCert® ONE version: 1.8893.10 | CA Manager: 1.790.0
New
ECDSAwithSHA3 support for private certificates
Issuance and escrow are now supported for ECDSA keys and SHA3.
Fixes
[On-premises clients only] Basic Constraints for Qualified certificates
BasicConstraints have been added back to Qualified end-entity templates.
December 13, 2024
DigiCert® ONE version: 1.8893.7 | CA Manager: 1.787.0
Enhancements
HSM Proxy Options Update
Multiple options are now available for downloading the HSM Remote Proxy bundle, and support has been added for Thales G5 USB HSMs.
December 11, 2024
DigiCert® ONE version: 1.8893.5 | CA Manager: 1.786.0
New
CA hierarchy visualization
We added a new graphical view of a selected root CA’s family tree to make navigating the hierarchy easier.
Enhancements
Increased field lengths for Subject Surname and GivenName
The Subject Surname and GivenName fields now accept up to 64 characters.
Fixes
Minor logging performance fixes
December 4, 2024
DigiCert® ONE version: 1.8893.1 | CA Manager: 1.782.0
Enhancements
Enhancements supporting Crypto4A HSMs and post-quantum algorithms
Made various tweaks to the processes underpinning management of the HSM functionalities.
November 20, 2024
DigiCert® ONE version: 1.8663.5 | CA Manager: 1.777.0
Fixes
Activate / Deactivate AIAs
Fixed the ability to activate and deactivate AIAs.
November 6, 2024
DigiCert® ONE version: 1.8663.1 | CA Manager: 1.770.0
Fixes
Minor SQL fixes for memory improvement
October 30, 2024
DigiCert® ONE version: 1.8480.12 | CA Manager: 1.769.0
Fixes
Expired certificates causing table displays to hang
We corrected an issue where displaying expired certificates caused the table to hang while loading.
Only one AIA URL being inserted into certificate despite multiple being created
Multiple AIAs will now be included in the certificate when created.
Minor usability and accessibility fixes
October 16, 2024
DigiCert® ONE version: 1.8480.4 | CA Manager: 1.760.0
New
Support for third-party intermediate CA certificates
Third-party functionality is no longer restricted to just root CA certificates.
Enhancements
Ed448 verification using the signature OID
Verification first interrogates the signature OID to see whether PureEd448 or PreHashedED448 is used and then uses the correct function.
Fixes
Improved Intermediate CA display table logic for better efficiency
We corrected some backend logic to simplify and reduce overhead to the display table logic.
Other minor efficiency fixes behind the scenes
October 3, 2024
DigiCert® ONE version: 1.8480.1 | CA Manager: 1.756.0
Enhancements
Improvements to logging for HSM changes
Expanded the events captured in logging.
Email checking logic improvements
Made logic consistent across different email validation points.
September 18, 2024
DigiCert® ONE version: 1.8279.3 | CA Manager: 1.750.0
Enhancements
Minor accessibility improvements
Tweaked and improved accessibility in various areas.
September 11, 2024
DigiCert® ONE version: 1.8279.2 | CA Manager: 1.747.0
Enhancements
Minor accessibility improvements
Tweaked and improved accessibility in various areas.
September 4, 2024
DigiCert® ONE version: 1.8279.1 | CA Manager: 1.746.0
Enhancements
Minor interface and accessibility improvements
We tweaked and improved accessibility and interface usability in various spots.
August 29, 2024
DigiCert® ONE version: 1.8094.7 | CA Manager: 1.742.0
Enhancements
Security updates
Made some security improvements.
August 28, 2024
DigiCert® ONE version: 1.8094.6 | CA Manager: 1.740.0
New
Managers can submit end-entities with past-dated notBefore validity
To address quirks with time zones and SCEP enrollments, managers may submit end-entities with notBefore validities in the past.
August 21, 2024
DigiCert® ONE version: 1.8094.5 | CA Manager: 1.738.0
Enhancements
Accessibility and UX improvements
We made various changes to improve accessibility and the user experience.
Known issues
Post-quantum algorithms are for test only
NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms - Dilithium (ML-DSA), SPHINCS+ (SLH-DSA), and Falcon (FN-DSA) - are for testing purposes only, subject to backward-incompatible updates, and features are still rough around the edges.
Additionally, to ensure performance, PQC support is only provided via the SoftHSM. Hardware HSMs (Safenet) will be delivered once the vendor provides native PQC support.
August 14, 2024
DigiCert® ONE version: 1.8094.4 | CA Manager: 1.736.0
Enhancements
Updated Common UI to version 8.27.1
The updates to Common UI address failure to display flag icons in the phone and localization options.
Changed PathLen enforcement in validation of Ceremony Manager templates
The changed PathLen enforcement provides Operations members more flexibility in creating offline requests.
Display account-friendly identifiers in tables and dropdowns
Account-friendly identifiers provide for better identification of similarly named accounts.
Fixes
Fix date setting for evergreen CAs
We corrected an issue where a CA being signed by another CA enabled to issue evergreen certificates could not set a longer validity period.
Known issues
Post-quantum algorithms are for test only
NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms - Dilithium (ML-DSA), SPHINCS+ (SLH-DSA), and Falcon (FN-DSA) - are for testing purposes only, subject to backward-incompatible updates, and features are still rough around the edges.
Additionally, to ensure performance, PQC support is only provided via the SoftHSM. Hardware HSMs (Safenet) will be delivered once the vendor provides native PQC support.
August 7, 2024
DigiCert® ONE version: 1.8094.1 | CA Manager: 1.730.0
Enhancements
DPoD HSM region setting
Thales DPoD region codes are now required when registering the HSMs to ensure compatibility with DigiCert ONE platforms in the EU and North America.
Localized emails
We refactored the email functionality to allow for email localization. Once translations are complete, recipients can select the language of their choice.
Fixes
Addressed various issues uncovered during regular vulnerability scans
We regularly scan our codebase for newly discovered issues and vulnerabilities to fix, ensuring security is up to date.
Prevented CAs from accidentally being flagged as exportable.
We corrected an issue where creating a CA via an external CSR defaulted the CA as exportable. Flagging a CA as exportable is now an opt-in selection.
Known issues
Post-quantum algorithms are for test only
NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms - Dilithium (ML-DSA), SPHINCS+ (SLH-DSA), and Falcon (FN-DSA) - are for testing purposes only, subject to backward-incompatible updates, and features are still rough around the edges.
Additionally, to ensure performance, PQC support is only provided via the SoftHSM. Hardware HSMs (Safenet) will be delivered once the vendor provides native PQC support.
July 23, 2024
DigiCert® ONE version: 1.7827.4 | CA Manager: 1.726.0
New
Support for RSA-PSS with SHA256 code signing
We also include support for the MGF parameter and salt lengths of 2048, 3072, 4096, and 8192.
Offline file paths as CRL distribution points and support for web directory URLs
CRL distribution point creation now supports file directory paths as a schema. Additionally, CA services now provide the option to support web URLs below the top-level domain, such as "somedomain.com/subdir1/subdir2/".
We also tweaked the CRL creation form to support the updated creation process flow better.
Enhancements
Subject Key Identifier and/or Authority Key Identifier optional in end entities
DigiCert ONE managers may omit the SKI or AKI extensions included by default in an end-entity certificate.
Minor updates to Post Quantum Composite certificate functionality
We made a few behind-the-scenes tweaks.
Removal of “all accounts” option under partition assignments
The “all accounts” option was confusing. Now, the choices are between specific accounts and "none," which allows any user, irrespective of account, including system-scope users who have no accounts, to access an HSM partition.
Fixes
Fixed a bug where generating a CSR for offline signing and having any algorithm selected as an “Allowed signature algorithm” would lead to an error
This is corrected and now behaves as expected.
Private OCSP responder able to have a validity greater than its parent CA
OCSP responder validity is now limited to no later than the parent CA's valid to date.
Various vulnerabilities discovered by our regular scans have been addressed
Known issues
Post-quantum algorithms are for test only
NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms - Dilithium (ML-DSA), SPHINCS+ (SLH-DSA), and Falcon (FN-DSA) - are for testing purposes only, subject to backward-incompatible updates, and features are still rough around the edges.
Additionally, to ensure performance, PQC support is only provided via the SoftHSM. Hardware HSMs (Safenet) will be delivered once the vendor provides native PQC support.
July 10, 2024
DigiCert® ONE version: 1.7827.2 | CA Manager: 1.718.0
Enhancements
Updated icons on the Accounts table
The lack of context for the icons shown next to Root and ICA info was confusing. Once accounts have consumed the amount of Roots or ICAs purchased, a green checkmark is now shown. Additionally, tooltips that provide context now display on rollover.
Fixes
Path Length in offline requests
Corrected a bug preventing offline requests from modifying the PathLen.
Table filtering not hiding revoked certificates
Corrected an issue where revoked certificates were included in lists that had the filter “Disabled.”
Import CA without a common name
Resolved an issue preventing CAs without a Subject Common Name from being imported.
Resolved nil pointer issues
A minor nil pointer problem was nullified.
June 20, 2024
DigiCert® ONE version: 1.7645.3 | CA Manager: 1.711.0
Enhancements
Updates to account name handling
The service now supports account names that are not unique.
Support for externally-hosted cross signed root offline requests
The internal ceremony tool now supports cross-signing for roots hosted outside of DigiCert.
Fixes
Incorrect response to GET HSM Keypair API
A 400 “not found” error will now be returned when a keypair has been deleted or is not present.
Form not accepting path length changes for internal offline CA requests
An error has been corrected to allow modification of PathLen for offline CA requests.
Known issues
Post-quantum algorithms are for test only
NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms - Dilithium (ML-DSA), SPHINCS+ (SLH-DSA), and Falcon (FN-DSA) - are for testing purposes only, subject to backward-incompatible updates, and features are still rough around the edges.
Additionally, to ensure performance, PQC support is only provided via the SoftHSM. Hardware HSMs (Safenet) will be delivered once the vendor provides native PQC support.
June 12, 2024
DigiCert® ONE version: 1.7645.1 | CA Manager: 1.707.0
Enhancements
Minor user interface improvements
Minor user interface updates to improve consistency.
Fixes
Improved error messaging when attempting to disable offline roots
Attempting to disable offline roots now returns a clearer error message letting you know this is not permitted.
Minor bug fixes
Miscellaneous behind-the-scenes bug fixes.
Known issues
Post-quantum algorithms are for test only
NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms - Dilithium (ML-DSA), SPHINCS+ (SLH-DSA), and Falcon (FN-DSA) - are for testing purposes only, subject to backward-incompatible updates, and features are still rough around the edges.
Additionally, to ensure performance, PQC support is only provided via the SoftHSM. Hardware HSMs (Safenet) will be delivered once the vendor provides native PQC support.
May 22, 2024
DigiCert® ONE version: 1.7460.3 | CA Manager: 1.702.0
New
SoftHSM support for Post-Quantum Algorithms
The softHSM option now supports the most recent versions of Dilithium (ML-DSA), SPHINCS+ (SLH-DSA), and Falcon (FN-DSA).
PQC no longer supports hardware HSMs because of performance and version support issues. CA services will provide support for hardware HSMs later in 2024, after NIST finalization and once native support is provided.
Fixes
Confusing path length info when creating a CA
We corrected an issue in which the number entry field displayed an incorrect default value of -1 when selecting the "Define a path length over 0" option.
Known issues
Post-quantum algorithms are for test only
NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms - Dilithium (ML-DSA), SPHINCS+ (SLH-DSA), and Falcon (FN-DSA) - are for testing purposes only, subject to backward-incompatible updates, and features are still rough around the edges.
May 15, 2024
DigiCert® ONE version: 1.7460.2 | CA Manager: 1.698.0
Enhancements
Create CA form data retention
When a person creating a Root or CA is on a later page in the form, returning to a prior page will now retain and display the previously entered data, no longer requiring reentry.
Feature flagging functionality
We deployed a service that allows features to be deployed and then remotely enabled and disabled. This will allow less disruptive deployments or rollbacks, as well as simplified testing. It will be transparent to customers but should improve the overall experience.
Multiple search filters available in ICA and Root tables
Table filtering on the ICA and Root CA records table now supports filtering by multiple options.
Fixes
Dutch and Portuguese localization fix
We corrected an issue preventing Dutch and Portuguese languages from displaying when selected from the preferred language dropdown.
Third-party roots auto-disabling
We corrected a bug where the application was automatically and silently disabling imported third-party roots.
April 3, 2024
DigiCert® ONE version: 1.7277.0 | CA Manager: 1.686.0
Enhancements
Updated translations
International users should see improved coverage for language localization. We are having an issue with Portuguese refusing to apply properly and are working to fix it.
Fixes
Changing account filters while creating CAs caused account field to empty
This has been corrected so that the newly selected account is autofilled.
Known issues
Post-quantum algorithms are for test only
Implementations are subject to change.
NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms (Dilithium, SPHINCS+, Falcon) are for testing purposes only, and features are still rough around the edges.
March 27, 2024
DigiCert® ONE version: 1.7083.5 | CA Manager: 1.681.0
Fixes
Account list page not updating when new account filtered
When the account filter is set, the table now updates and displays correctly.
URL duplication check for proxy apps
CA Manager now checks to ensure an entered URL for an HSM Remote Proxy application does not already exist.
March 20, 2024
DigiCert® ONE version: 1.7083.4 | CA Manager: 1.677.0
New
PQC - Issue Dilithium (MLDSA) certificates from the softHSM
Dilithium (MLDSA)-based End-entities can be issued from softHSM now.
PQC - Sign digest with SPHINCS+ (SLHDSA) and escrow client key on HSM
Digest signing with the SPHINCS+ (SLHDSA) post-quantum algorithm is now available.
PQC - Create SPHINCS+ (SLHDSA) escrow client key on HSM and SoftHSM
SPHINCS+-based escrow client key creation is enabled on both SoftHSM and hardware HSMs that are PQC enabled.
Fixes
Imported Third-party roots made offline
Corrected an issue where imported third-party roots were turned offline. They now remain online.
API response only returned a subset of the Subject DN submitted
The response to a submission containing a set of Subject fields displayed only a subset of those fields, despite processing the full set. The response now matches the submission for improved clarity.
HSM URLs not validated for duplicates
When adding or editing an HSM URL, CA Services now verifies that no duplicate exists before accepting.
Known issues
Post-quantum algorithms are for test only
Implementations are subject to change.
NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms (Dilithium, SPHINCS+, Falcon) are for testing purposes only, and features are still rough around the edges.
March 13, 2024
DigiCert® ONE version: 1.7083.2 | CA Manager: 1.675.0
Enhancements
Support single or multiple values in Subject Alternative Name: Registered ID
Managers are now able to submit single or multiple values for Registered ID.
Fixes
Pagination fixed on Remote proxy list page
Additional pages are no longer indicated when the list is less than 2 pages.
Various minor usability fixes and improvements
Known issues
Post-quantum algorithms are for test only
Implementations are subject to change.
NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms (Dilithium, SPHINCS+, Falcon) are for testing purposes only, and features are still rough around the edges.
March 6, 2024
DigiCert® ONE version: 1.7083.0 | CA Manager: 1.672.0
New
SPHINCS+ post-quantum algorithm support
Roots and CAs may now be generated using the SPHINCS+ algorithms - on the PQC-enabled hardware HSM partitions. SoftHSM will be supported in a future release.
Known issues: Given the size of the keys, timeouts may be experienced during creation. Check back after 10-15 minutes to verify the CA has been added to the root or ICA listings (SLDHSA-SHA2-128f, SLDHSA-SHA2-128fs, and SLDHSA-SHA2-192f are generally the fastest). We will be adding asynchronous support in future releases.
Falcon post-quantum algorithm support
Roots, ICAs, and End-entity certificates may now be generated on the PQC-enabled hardware HSM partition. SoftHSM will be supported in a future release.
Enhancements
Root and CA list pages
These pages now share consistent layouts, filtering, and options to improve usability.
Known issues
Post-quantum algorithms are for test only
Implementations are subject to change.
NIST has not codified final versions yet, nor have PKI standards bodies defined standards. The use of PQC algorithms (Dilithium, SPHINCS+, Falcon) is for testing purposes only, and features are still rough around the edges.
February 28, 2024
DigiCert® ONE version: 1.6887.4 | CA Manager: 1.670.0
Enhancements
Qualified Natural Person templates support two additional fields.
Qualified Natural Persons templates now support Organizational Unit and Organization ID fields in the Subject.
Fixes
Minor user interface (UI) and bug fixes.
February 21, 2024
DigiCert® ONE version: 1.6887.3 | CA Manager: 1.667.0
Enhancements
Domain used for CRLs of issued certificates may not have the CRL usage removed
To prevent breaking CRLDPs, a domain with the usage “CRL” may not have that usage removed if certificates have been issued using that domain.
NIST acronyms now used for Post-Quantum Cryptography (PQC) algorithms
Dilithium is now referred to as MLDSA.
Minor user experience (UX) enhancements
Fixes
Unable to create wildcard certificates
Wildcard certificates can be created once again.
Minor bug fixes
February 14, 2024
DigiCert® ONE version: 1.6887.2 | CA Manager: 1.663.0
New
Issue Dilithium PQC Roots and ICAs from SoftHSM
The SoftHSM can now be used to issue test PQC certificates.
Fixes
Minor Bugfixes
Corrections to non-user-facing issues.
February 7, 2024
DigiCert® ONE version: 1.6887.0 | CA Manager: 1.661.0
New
Qualified Certificates do not require an EKU
To conform with ETSI specs, qualified end-entities no longer require an EKU.
Enhancements
Domains cannot be edited if they are assigned
To prevent the breaking of CRLs and OCSPs, a domain that has been assigned to certificates may not be edited. A new version must be created, or the domain must be unassigned from each certificate.
Fixes
Discovered a possible SQL injection vulnerability when getting all partitions
This vulnerability has been corrected.
Uploading Root CAs via the “Import intermediate CA” feature
Clients could mistakenly upload a root. The feature now blocks upload and returns an error.
February 1, 2024
DigiCert® ONE version: 1.6665.7 | CA Manager: 1.660.0
Fixes
ICAs created with default settings cannot issue end-entities
These settings have been corrected, and issuing end-entities is again enabled by default.
CRL Scope not enforced via API
The API now enforces the same requirements and capabilities as the user interface (UI).
January 10, 2024
DigiCert® ONE version: 1.6665.2 | CA Services: 1.650.0
New
Initial PQC support
For CA and end-entity issuance only, CRYSTALS-Dilithium algorithm use is now offered for testing. OCSP and CRL creation are not yet supported (errors will be returned on creation attempts).
Note
Only a PQC-enabled HSM may be used for signing; otherwise, an error will be returned. SoftHSM will be supported in February.
Enhancements
Updated logging
Improved logging to include CA disable/enable events, end-entity signing, and other activities.
Fixes
API not enforcing CRL scope
Corrected an issue where the CRL scope set via API was not being honored.
Known issues
PQC “invalid key type” errors
These errors are displayed if 1) a non-PQC-capable HSM is selected to use Dilithium keys and 2) creation of a CRL or OCSP is attempted for certificates using Dilithium keys.
January 3, 2024
DigiCert® ONE version: 1.6665.1 | CA Services: 1.646.0
Enhancements
Qualified certificate end-entity templates key usages
Removed restrictions on grouping of required Key Usages to allow clients more flexibility.