IoT Trust Manager

Batch jobs now terminate early if inconsistencies are detected between generated amounts and input values.

This prevents partial processing, accelerates error feedback, and safeguards data integrity.

Resolved an issue where, under certain retry conditions, previously issued items in a batch could be retried again, potentially causing duplicate certificates.

Updated Java and Bouncy Castle libraries to the latest versions to address the potential security concerns in previous releases.

Enhanced the batch process robustness by introducing separate queues for in-progress jobs.

Resolved an issue preventing modifications to enrollment profiles.

Added support for configuring encryption algorithms in SCEP enrollment profiles. Supported algorithms include aes128WithCBC, aes256WithCBC, and desEDEWith3CBC.

This setting is stored in the enrollment profile and applies only to profiles using the SCEP method.

Added support for configuring key usage values in the template for unmanaged intermediate CAs.

This provides greater flexibility and alignment with organizational requirements.

Enhanced the certificate search and filtering functionality. With this improvement:

These enhancements improve the ability to locate and analyze certificates using key metadata fields.

Resolved an issue where colons were being removed from MAC addresses in Common Names (CN).

MAC addresses now retain their correct format, for example, AA:BB:CC:DD:EE:FF.

The GetCACert response can now return CA certificates in DER format. This improves compatibility with clients that expect a specific MIME type.

Fixed an issue that stopped the deletion of authentication certificates in the portal.

Fixed an issue with re-downloading certificates using the download API.

Fixed an authentication issue when a passcode is repeated in an enrollment profile.

The Batch Enrollment flow now supports the specification of Product/Organizational Unit (OU) by the enrolling administrator. This functionality was only available in single certificate requests, and is now consistent across both certificate request types - single certificate requests and batch certificate requests.

Added a new Boolean flag for enrollment profiles. This flag allows users to specify whether the CA certificate response for SCEP should be returned in DER format. It can be set during the enrollment profile creation through the wizard, and is visible on both the Details and Edit pages.

Added a PEM file extension support for SMPB delivery method in batch downloads, enhancing certificate handling and compatibility.

Fixed an error in generating digital signing certificates during enrollment profile creation with digital signing enabled. The process now completes successfully.

Resolved SCEP payload parsing issues caused by extra newline characters. These are now automatically removed for proper handling.

IOT Trust Manager now supports the inclusion and processing of the Pseudonym attribute in X.509 certificates, identified by the Object Identifier (OID) 2.5.4.65.

This enhancement enables the representation of a subject’s pseudonym within the Distinguished Name (DN) of the certificate.

Key changes:

Added Post-Quantum Cryptography support with SLH-DSA (SPHINCS+) and FN-DSA (FALCON) keys and algorithms.

Added support for Post-Quantum Cryptography (PQC) with composite MLDSA keys and algorithms.

Added a new REST API endpoint to download certificates by subject common name. If multiple certificates share the same common name, the response will include up to 100 matching certificates.

Added pagination to the list pages for Certificates, Devices, Audit Log, Passcodes, Auth Certificates, and Certificate Requests for improved usability.

A new job has been introduced to populate missing device value fields that were overlooked during migration. Records where the device value identifier is missing have been updated. This ensures clients can reliably filter and search using the device value.

Certificate renewals now correctly retain the Subject Directory Attribute from the original certificate. This fix helps maintain required attributes for compliance and interoperability.

When requesting a certificate with server-side key generation, users are now redirected properly:

Weekly scheduled reports now include all necessary certificate data.

The enrollment process for the ACME Lego client using the EC256 key type has been corrected:

On the Create Enrollment Profile page, the Certificate Profile dropdown now behaves as expected:

A search/filter option has been added to the Enrollment Profile dropdown on the Start batch certificate request form:

The Allow use of pre-generated keys checkbox now accurately reflects its current state during profile editing:

The search functionality for Common Name (CN) has been reverted to its original behavior:

The deployment YAML file has been reverted to its previous configuration to ensure proper functionality when smtpAuth is enabled:

The certificate templates filter has been updated to display only relevant options for for applicable user roles. For most users, only the custom certificate template type is shown. System administrators can still view system certificate template types.

A new certificate template designed specifically for Matter use cases has been introduced. This template enables the issuance of certificates compatible with Matter environments.

A new flag has been introduced, allowing DigiCert​​®​​ to internally disable audit logging on a per-enrollment profile basis. This feature helps prevent excessive logging for clients who repeatedly submit invalid or malformed certificate requests, reducing unnecessary database writes.

Read and write speeds have been optimized, leading to faster certificate issuance rates. These improvements enhance system efficiency and allow for better handling of high-concurrency scenarios. Users will experience reduced latency and increased throughput, particularly during peak loads.

A critical issue that caused the Gateway service to fail during startup due to a decryption error has been resolved. An updated Gateway JAR file is now available for download.