Skip to main content

CA Manager

Release notes RSS

December 17, 2024

DigiCert® ONE version: 1.8893.10 | CA Manager: 1.790.0

New

ECDSAwithSHA3 support for private certicates

Issuance and escrow is now supported for ECDSA keys and SHA3.

Fixes

[On-premises clients only] Basic Constraints for Qualified certificates

BasicConstraints have been added back to Qualified end-entity templates.

December 13, 2024

DigiCert® ONE version: 1.8893.7 | CA Manager: 1.787.0

Enhancements

HSM Proxy Options Update

Allow multiple options for downloading the HSM Remote Proxy bundle and support has been added for Thales G5 USB HSM’s.

December 11, 2024

DigiCert® ONE version: 1.8893.5 | CA Manager: 1.786.0

New

CA hierarchy visualization

We added a new graphical view of a selected root CA’s family tree to make navigating the hierarchy easier.

Enhancements

Increased field lenghts for Subject Surname and GivenName

The Subject Surname and GivenName fields now accept up to 64 characters.

Fixes

Minor logging performance fixes

December 4, 2024

DigiCert® ONE version: 1.8893.1 | CA Manager: 1.782.0

Enhancements

Enhancements supporting Crypto4A HSMs and post-quantum algorithms

Made various tweaks to the processes underpinning management of the HSM functionalities.

November 20, 2024

DigiCert® ONE version: 1.8663.5 | CA Manager: 1.777.0

Fixes

Activate / Deactivate AIAs

Fixed the ability to activate and deactivate AIAs.

November 6, 2024

DigiCert® ONE version: 1.8663.1 | CA Manager: 1.770.0

Fixes

Minor SQL fixes for memory improvement

October 30, 2024

DigiCert® ONE version: 1.8480.12 | CA Manager: 1.769.0

Fixes

Expired certificates causing table displays to hang

We corrected an issue where displaying expired certificates cased the table to hang while loading.

Only one AIA URL being inserted into certificate despite multiple being created

Multiple AIAs will now be included in the certificate when created.

Minor usability and accessibility fixes

October 16, 2024

DigiCert® ONE version: 1.8480.4 | CA Manager: 1.760.0

New

Support for third-party intermediate CA certificates

Third-party functionality is no longer restricted to just root CA certificates.

Enhancements

Ed448 verification using the signature OID

Verification first interrogates the signature OID to see if PureEd448 or PreHashedED448 are used and then uses the correct function.

Fixes

Improved Intermediate CA table display table logic for better efficiency

We corrected some backend logic to simplify and reduce overhead to the display table logic.

Other minor efficiency fixes behind the scenes

October 3, 2024

DigiCert® ONE version: 1.8480.1 | CA Manager: 1.756.0

Enhancements

Improvements to logging for HSM changes

Expanded the events captured in logging.

Email checking logic improvements

Made logic consistent across different email validation points.

September 18, 2024

DigiCert® ONE version: 1.8279.3 | CA Manager: 1.750.0

Enhancements

Minor accessibility improvements

Tweaked and improved accessibility in various areas.

September 11, 2024

DigiCert® ONE version: 1.8279.2 | CA Manager: 1.747.0

Enhancements

Minor accesibility improvements

Tweaked and improved accessibility in various areas.

September 4, 2024

DigiCert® ONE version: 1.8279.1 | CA Manager: 1.746.0

Enhancements

Minor interface and accessibility improvements

We tweaked and improved accessibility and interface usability in various spots.

August 29, 2024

DigiCert® ONE version: 1.8094.7 | CA Manager: 1.742.0

Enhancements

Security updates

Mades some security improvements.

August 28, 2024

DigiCert® ONE version: 1.8094.6 | CA Manager: 1.740.0

New

Managers can submit end-entities with past-dated notBefore validity

To address quirks with time zones and SCEP enrollments, managers may submit end-entities with notBefore validities in the past.

August 21, 2024

DigiCert® ONE version: 1.8094.5 | CA Manager: 1.738.0

Enhancements

DPoD HSM region code selector now a menu

To make selecting the appropriate region for a DPoD more sensible, regions can now be selected from the menu.

Accessibility and UX improvements

We made various improvements to improve accessibility and the user experience.

Known issues

Post-quantum algorithms are for test only

NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms - Dilithium (ML-DSA), SPHINCS+ (SLH-DSA), and Falcon (FN-DSA) - are for testing purposes only, subject to backward-incompatible updates, and features are still rough around the edges.

Additionally, to ensure performance, PQC support is only provided via the SoftHSM. Hardware HSMs (Safenet) will be delivered once the vendor provides native PQC support.

August 14, 2024

DigiCert® ONE version: 1.8094.4 | CA Manager: 1.736.0

Enhancements

Updated Common UI to version 8.27.1

The updates to Common UI address failure to display flag icons in the phone and localization options.

Changed PathLen enforcement in validation of Ceremony Manager templates

The changed PathLen enforcement provides Operations members more flexibility in creating offline requests.

Display account-friendly identifiers in tables and dropdowns

Account-friendly identifiers provide for better identification of similarly named accounts.

Fixes

Fix date setting for evergreen CAs

We corrected an issue where a CA being signed by another enabled to issue evergreen certificates could not set a longer validity period.

Known issues

Post-quantum algorithms are for test only

NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms - Dilithium (ML-DSA), SPHINCS+ (SLH-DSA), and Falcon (FN-DSA) - are for testing purposes only, subject to backward-incompatible updates, and features are still rough around the edges.

Additionally, to ensure performance, PQC support is only provided via the SoftHSM. Hardware HSMs (Safenet) will be delivered once the vendor provides native PQC support.

August 7, 2024

DigiCert® ONE version: 1.8094.1 | CA Manager: 1.730.0

Enhancements

DPoD HSM region setting

Thales DPoD region codes are now required when registering the HSMs to ensure compatibility with DigiCert ONE platforms in the EU and North America.

Localized emails

We refactored the email functionality to allow for email localization. Once translations are complete, recipients can select the language of their choice.

Fixes

Addressed various issues uncovered during regular vulnerability scans

We regularly scan our codebase for newly discovered issues and vulnerabilities to fix, ensuring security is up to date.

Prevented CAs from accidentally being flagged as exportable.

We corrected an issue where creating a CA via an external CSR defaulted the CA as exportable. Flagging a CA as exportable is now an opt-in selection.

Known issues

Post-quantum algorithms are for test only

NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms - Dilithium (ML-DSA), SPHINCS+ (SLH-DSA), and Falcon (FN-DSA) - are for testing purposes only, subject to backward-incompatible updates, and features are still rough around the edges.

Additionally, to ensure performance, PQC support is only provided via the SoftHSM. Hardware HSMs (Safenet) will be delivered once the vendor provides native PQC support.

July 23, 2024

DigiCert® ONE version: 1.7827.4 | CA Manager: 1.726.0

New

Support for RSA-PSS with SHA256 code signing

We also include support for the MGF parameter and salt lengths of 2048, 3072, 4096, and 8192.

Offline file paths as CRL distribution points and support for web directory URLs

CRL distribution point creation now supports file directory paths as a schema. Additionally, CA services now provide the option to support web URLs below the top-level domain, such as "somedomain.com/subdir1/subdir2/".

We also tweaked the CRL creation form to support the updated creation process flow better.

Enhancements

Subject Key Identifier and/or Authority Key Identifier optional in end entities

DigiCert ONE managers may omit the SKI or AKI extensions included by default in an end-entity certificate.ement copy

Minor updates to Post Quantum Composite certificate functionality

We made a few behind-the-scenes tweaks.

Removal of “all accounts” option under partition assignments

The remove all accounts option was confusing. Now, the choices are between specific accounts and "none," which allows any user, irrespective of account, including system-scope users who have no accounts, to access an HSM partition.

Fixes

Fixed a bug where generating a CSR for offline signing and having any algorithm selected as an “Allowed signature algorithm” would lead to an error

This is corrected and now behaves as expected.

Private OCSP responder able to have a validity greater than it’s parent CA

OCSP responder validity is now limited to no later than the parent CA's valid to date.

Various vulnerabilities discovered by our regular scans have been address

Known issues

Post-quantum algorithms are for test only

NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms - Dilithium (ML-DSA), SPHINCS+ (SLH-DSA), and Falcon (FN-DSA) - are for testing purposes only, subject to backward-incompatible updates, and features are still rough around the edges.

Additionally, to ensure performance, PQC support is only provided via the SoftHSM. Hardware HSMs (Safenet) will be delivered once the vendor provides native PQC support.

July 10, 2024

DigiCert® ONE version: 1.7827.2 | CA Manager: 1.718.0

Enhancements

Updated icons on the Accounts table

The lack of context for the icons shown next to Root and ICA info was confusing. Once accounts have consumed the amount of Roots or ICAs purchased, a green checkmark is now shown. Additionally, tooltips that provide context now display on rollover.

Fixes

Path Length in offline requests

Corrected a bug preventing offline requests from modifying the PathLen.

Table filtering not hiding revoked certificates

Corrected an issue where revoked certificates were included in lists that had the filter “Disabled.”

Import CA without a common name

Resolved an issue preventing CAs without a Subject Common Name from being imported.

Resolved nil pointer issues

A minor nil pointer problem was nullified.

June 20, 2024

DigiCert® ONE version: 1.7645.3 | CA Manager: 1.711.0

Enhancements

Updates to account name handling

The service now supports account names that are not unique.

Support for externally-hosted cross signed root offline requests

The internal ceremony tool now supports cross-signing for roots hosted outside of DigiCert.

Fixes

Incorrect response to GET HSM Keypair API

A 400 “not found” error will now be returned when a keypair has been deleted or not present.

Form not accepting path length changes for internal offline CA requests

An error has been corrected to allow modification of PathLen for offline CA requests.

Known issues

Post-quantum algorithms are for test only

NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms - Dilithium (ML-DSA), SPHINCS+ (SLH-DSA), and Falcon (FN-DSA) - are for testing purposes only, subject to backward-incompatible updates, and features are still rough around the edges.

Additionally, to ensure performance, PQC support is only provided via the SoftHSM. Hardware HSMs (Safenet) will be delivered once the vendor provides native PQC support.

June 12, 2024

DigiCert® ONE version: 1.7645.1 | CA Manager: 1.707.0

Enhancements

Minor user interface improvements

Minor user interface updates to improve consistency.

Fixes

Improved error messaging when attempting to disable offline roots

Attempting to disable offline roots now returns a clearer error message letting you know this is not permitted.

Minor bug fixes

Miscellaneous behind-the-scenes bug fixes.

Known issues

Post-quantum algorithms are for test only

NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms - Dilithium (ML-DSA), SPHINCS+ (SLH-DSA), and Falcon (FN-DSA) - are for testing purposes only, subject to backward-incompatible updates, and features are still rough around the edges.

Additionally, to ensure performance, PQC support is only provided via the SoftHSM. Hardware HSMs (Safenet) will be delivered once the vendor provides native PQC support.

May 22, 2024

DigiCert® ONE version: 1.7460.3 | CA Manager: 1.702.0

New

SoftHSM support for Post-Quantum Algorithms

The softHSM option now supports the most recent versions of Dilithium (ML-DSA), SPHINCS+ (SLH-DSA), and Falcon (FN-DSA).

PQC no longer supports hardware HSMs because of performance and version support issues.  CA services will provide support for hardware HSMs later in 2024, after NIST finalization and once native support is provided.

Fixes

Confusing path length info when creating a CA

We corrected an issue in which the number entry field displayed an incorrect default value of -1 when selecting the "Define a path length over 0" option.

Known issues

Post-quantum algorithms are for test only

NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms - Dilithium (ML-DSA), SPHINCS+ (SLH-DSA), and Falcon (FN-DSA) - are for testing purposes only, subject to backward-incompatible updates, and features are still rough around the edges.

May 15, 2024

DigiCert® ONE version: 1.7460.2 | CA Manager: 1.698.0

Enhancements

Create CA form data retention

When a person creating a Root or CA is on a later page in the form, returning to a prior page will now retain and display the previously entered data, no longer requiring reentry.

Feature flagging functionality

We deployed a service that allows features to be deployed and then remotely enabled and disabled. This will allow less disruptive deployments or rollbacks, as well as simplified testing. It will be transparent to customers but should improve the overall experience.

Multiple search filters available in ICA and Root tables

Table filtering on the ICA and Root CA records table now supports filtering by multiple options.

Fixes

Dutch and Portuguese localization fix

We corrected an issue preventing Dutch and Portuguese languages from displaying when selected from the preferred language dropdown

Third-party roots auto-disabling

We corrected a bug where the application was automatically and silently disabling imported third-party roots.

April 3, 2024

DigiCert® ONE version: 1.7277.0 | CA Manager: 1.686.0

Enhancements

Updated translations

International users should see improved coverage for language localization. We are having an issue with Portuguese refusing to apply properly and are working to fix.

Action menu now available on HSM partition table records

To simplify selecting partitions for registration, an action menu is now available on HSM partition table records.

Fixes

Changing account filters while creating CAs caused account field to empty

This has been corrected so that the newly selected account is autofilled.

Known issues

Post-quantum algorithms are for test only

Implementations are subject to change.

NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms (Dilithium, SPHINCS+, Falcon) are for testing purposes only, and features are still rough around the edges.

March 27, 2024

DigiCert® ONE version: 1.7083.5 | CA Manager: 1.681.0

Fixes

Account list page not updating when new account filtered

When the account filter is set, the table now updates and displays correctly.

URL duplication check for proxy apps

CA Manager now checks to ensure an entered URL for an HSM Remote Proxy application does not already exist.

March 20, 2024

DigiCert® ONE version: 1.7083.4 | CA Manager: 1.677.0

New

PQC - Issue Dilithium (MLDSA) certificates from the softHSM

Dilithium (MLDSA)-based End-entities can be issued from softHSM now.

PQC - Sign digest with SPHINCS+ (SLHDSA) and escrow client key on HSM

Digest signing with SPHINCS+ (SLHDSA) post-quantum algorithm is now avaialble.

PCQ - Create SPHINCS+ (SLHDSA) escrow client key on HSM and SoftHSM

SPHINCS+-based escrow client key creation is enabled on both softhsm and hardware HSMs that are PQC enabled.

Enhancements

Action Menu added to HSM partition list

Table record display now conforms to our common user interface.

Fixes

Imported Third-party roots made offline

Corrected an issue where imported third-party roots were turned offline. They now remain online.

API response only returned a subset of the Subject DN submitted

The response to a submission containing a set of Subject fields, only displayed a subset of those fields in response, despite processing the full set. The response now matches the submission for improved clarity.

HSM URLs not validated for duplicates

When adding or editing a HSM URL, CA Services now verifies that no duplicate exists before accepting.

Known issues

Post-quantum algorithms are for test only

Implementations are subject to change.

NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms (Dilithium, SPHINCS+, Falcon) are for testing purposes only, and features are still rough around the edges.

March 13, 2024

DigiCert® ONE version: 1.7083.2 | CA Manager: 1.675.0

Enhancements

Support single or multiple values in Subject Alternative Name: Registered ID

Managers are now able to submit single or multiple values for Registered ID.

Fixes

Pagination fixed on Remote proxy list page

Additional pages are no longer indicated when the list is less than 2 pages.

Various minor usabilty fixes and improvements

Known issues

Post-quantum algorithms are for test only

Implementations are subject to change.

NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms (Dilithium, SPHINCS+, Falcon) are for testing purposes only, and features are still rough around the edges.

March 6, 2024

DigiCert® ONE version: 1.7083.0 | CA Manager: 1.672.0

New

SPHINCS+ post-quantum algorithm support

Roots and CAs may now be generated using the SPHINCS+ algorithms - on the PQC-enabled hardware HSM partitions. SoftHSM will be supported in a future release.

Known issues: Given the size of the keys, timeouts may be experienced during creation. Check back after 10-15 minutes to verify the CA has been added to the root or ICA listings (SLDHSA-SHA2-128f, SLDHSA-SHA2-128fs, and SLDHSA-SHA2-192f are generally the fastest). We will be adding asynchronous support in future releases.

Falcon post-quantum algorithm support

Roots, ICAs, and End-entity certificates may now be generated on the PQC-enabled hardware HSM partition. SoftHSM will be supported in a future release.

Enhancements

Root and CA list pages

These pages now share consistent layouts, filtering, and options to improve usability.

Known issues

Post-quantum algorithms are for test only

Implementations are subject to change.

NIST has not codified final versions yet, nor have PKI standards bodies defined standards. The use of PQC algorithms (Dilithium, SPHINCS+, Falcon) is for testing purposes only, and features are still rough around the edges.

February 28, 2024

DigiCert® ONE version: 1.6887.4 | CA Manager: 1.670.0

Enhancements

Qualified Natural Person templates support two additional fields.

Qualified Natural Persons templates now support Organizational Unit and Organization ID fields in the Subject.

Fixes

Minor user interface (UI) and bug fixes.

February 21, 2024

DigiCert® ONE version: 1.6887.3 | CA Manager: 1.667.0

Enhancements

Domain used for CRLs of issued certificates may not have the CRL usage removed

To prevent breaking CRLDPs, a domain with the usage “CRL” may not have that usage removed if certificates have been issued using that domain.

NIST acronyms now used for Post-Quantum Cryptography (PQC) algorithms

Dilithium is now referred to as MLDSA.

Minor user experience (UX) enhancements

Fixes

Unable to create wildcard certificates

Wildcard certificates can be created once again.

Minor bug fixes

February 14, 2024

DigiCert® ONE version: 1.6887.2 | CA Manager: 1.663.0

New

Issue Dilithium PQC Roots and ICAs from SoftHSM

The SoftHSM can now be used to issue test PQC certificates.

Fixes

Minor Bugfixes

Corrections to non-user-facing issues.

February 7, 2024

DigiCert® ONE version: 1.6887.0 | CA Manager: 1.661.0

New

Qualified Certificates do not require an EKU

To conform with ETSI specs, qualified end-entities no longer require an EKU.

Enhancements

Domains cannot be edited if they are assigned

To prevent the breaking of CRLs and OCSPs, if a domain has been assigned to certificates, then it may not be edited. A new version must be created, or the domain unassigned to each certificate.

Fixes

Discovered a possible SQL injection vulnerability when getting all partitions

This vulnerability has been corrected.

Uploading Root CAs via the “Import intermediate CA” feature

Clients could mistakenly upload a root. The feature now blocks upload and returns an error.

February 1, 2024

DigiCert® ONE version: 1.6665.7 | CA Manager: 1.660.0

Fixes

ICAs created with default settings cannot issue end-entities

These settings have been corrected, and issue end-entities is again enabled by default.

CRL Scope not enforced via API

The API now enforces the same requirements and capabilities as the user interface (UI).

January 10, 2024

DigiCert® ONE version: 1.6665.2 | CA Services: 1.650.0

New

Initial PQC support

For CA and end-entity issuance only, CRYSTALS-Dilithium algorithm use is now offered for testing. OCSP and CRL creation are not yet supported (errors will be returned on creation attempts).

Note

Only a PQC-enabled HSM may be used for signing; otherwise, an error will be returned. SoftHSM will be supported in February.

Enhancements

Updated logging

Improved logging to include CA disable/enable events, end-entity signing, and other activities.

Fixes

API not enforcing CRL scope

Corrected an issue where the CRL scope set via API was not being honored.

Known issues

PQC “invalid key type” errors

Will be displayed if 1) a non PQC-Capable HSM is selected to use Dilithium keys and 2) CRL or OCSP are attempted to be created for certificates using Dilithium keys.

January 3, 2024

DigiCert® ONE version: 1.6665.1 | CA Services: 1.646.0

Enhancements

Qualified certificate end-entity templates key usages

Removed restrictions on grouping of required Key Usages to allow clients more flexibility.