IoT Trust Manager
Release notes
September 25, 2024
DigiCert® ONE version: 1.8279.6 | IoT Trust Manager: 1.654.0
Enhancements
Improved certificate renewal validation
We have updated the certificate renewal process with stricter rules to ensure the Subject Distinguished Name (DN) remains consistent with the original certificate. Any changes to the Subject DN, such as common name or organizational details, are now rejected to maintain certificate integrity. This change applies to both UI and API certificate renewals.
Extended regular expression support
The character limit for regular expressions in registered value containers has been increased to allow for more complex configurations.
Increased certificate authority return limit
The List assignable ICAs endpoint for returning assignable Certificate Authorities (CAs) now supports more than 1,000 CAs. This provides better management capabilities for customers with large environments.
Fixes
Registered values page load issue
Fixed an issue where the Registered values details page would not load if an associated enrollment profile was disabled. The page now loads correctly regardless of the profile status.
Corrected SAN DNS condition handling
Resolved a problem where certificate requests were rejected if the SAN DNS field met specific "ends with" conditions. Requests now process correctly, ensuring accurate validation.
Trust bundle download issue
Fixed an issue that prevented trust bundle downloads where multiple certificates shared the same common name. Trust bundles can now be downloaded without errors.
Modified access to trust bundle download link
The trust bundle download URL now allows direct access without needing to sign in. This simplifies the download process.
July 31, 2024
DigiCert® ONE version: 1.7827.6 | IoT Trust Manager: 1.639.0
Enhancements
Terminology update in notification banner
The term Certificate policy in the notification banner has been updated to Certificate management policy to align with our adoption of new industry standard terminology.
Support for excluding AKI/SKI extensions
Added the ability to exclude Authority Key Identifier (AKI) and Subject Key Identifier (SKI) extensions in certificates based on template settings. This allows for more precise control over certificate attributes.
Now when you add AKI/SKI extensions to a template with the include parameter set to no, these extensions will be excluded from the generated certificates.
Example
{
  "extensions": {
    "ski_extension": { "include": "no" },
    "aki_extension": { "include": "no" }
  }
}
Improved handling of certificate request values
Blank values: Blank values in a certificate request will override CSR values, allowing for precise control over final certificate attributes.
Subject values: For renewals, the subject values from the original certificate are used. Values in the CSR are ignored. This prevents unintended changes to the certificate’s subject information.
Fixes
Report download issue
Resolved an issue where reports generated successfully but failed to download due to recent memory patch fixes. This fix ensures that reports can now be downloaded successfully.
July 10, 2024
DigiCert® ONE version: 1.7827.2 | IoT Trust Manager: 1.627.0
Enhancements
Enhanced reporting performance
We have improved our reporting functionality to use memory more efficiently, especially for larger reports, ensuring smoother and more reliable performance.
Learn more link added to name changes banner on dashboard
A Learn more link has been added to the name changes banner on the dashboard, providing users with detailed information about upcoming product name changes.
Enhanced Logging for EST Protocol Enrollment Method
Following updates to CMPv2 protocol logging, we have enhanced logging for the EST protocol:
Key changes:
Additional object information:
Enrollment profile information included.
Authentication information section:
For passcode authentication, logs will show the username (if present) and passcode (partially obscured).
For certificate authentication, logs will include details of the authentication certificate.
Request information section:
Subject DN and CSR from the request included.
These enhancements improve transparency and traceability for better auditing and troubleshooting.
Fixes
Incorrect decryption output in batch jobs with PGP encryption
Fixed an issue where decrypted files incorrectly contained the PGP public key instead of the generated private key in batch jobs using server-side key generation and JSON output format.
Certificate request with MLDSA key type failed
Resolved an issue where certificate requests using the MLDSA key type failed with an unsupported_public_key_algorithm error. Certificate requests using MLDSA key type will now be processed successfully.
May 29, 2024
DigiCert® ONE version: 1.7460.4 | IoT Trust Manager: 1.623.0
New
Registered value conditions
Introduced an advanced feature allowing solution operators to set specific conditions for certificate fields within enrollment profiles. This ensures certificate requests meet predefined criteria and provides detailed logs for rejected requests.
Customizable validation conditions: You are now able to define conditions for certificate fields (for example, common name) with criteria such as character limits and required prefixes. You can also set different allowed values for various enrollment profiles to cater to different product lines and groups.
Support for regular expressions: You can now use regular expressions for precise and complex validation rules.
Certificate request validation: Certificate requests are now automatically verified against defined conditions and non-compliant requests will be rejected.
Detailed rejection logging: Comprehensive logs of rejected requests for troubleshooting and rule refinement are now available.
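The behaviour described above, modelled as an added example (not DigiCert's implementation or API): the condition names `max_length`, `starts_with`, `ends_with` and `regex`, the profile names and the sample requests are assumptions constructed for illustration.

```python
import re

# Hypothetical per-profile conditions, constructed for this example
# (not the IoT Trust Manager schema).
PROFILE_CONDITIONS = {
    "sensor-line-a": {
        "common_name": {"max_length": 32, "starts_with": "sns-",
                        "regex": r"sns-[0-9a-f]{12}"},
        # Leading dot matters: without it "xdevices.example.com" would pass.
        "san_dns": {"ends_with": ".devices.example.com"},
    },
    "gateway-line-b": {
        "common_name": {"max_length": 48, "regex": r"gw-[a-z0-9-]+"},
    },
}


def check_field(value, cond):
    """Return the reasons value violates cond (empty list if it passes)."""
    reasons = []
    if "max_length" in cond and len(value) > cond["max_length"]:
        reasons.append(f"longer than {cond['max_length']} characters")
    if "starts_with" in cond and not value.startswith(cond["starts_with"]):
        reasons.append(f"does not start with {cond['starts_with']!r}")
    if "ends_with" in cond and not value.endswith(cond["ends_with"]):
        reasons.append(f"does not end with {cond['ends_with']!r}")
    # fullmatch anchors the pattern at both ends, so a valid prefix followed
    # by extra characters is rejected; re.match would accept it.
    if "regex" in cond and re.fullmatch(cond["regex"], value) is None:
        reasons.append(f"does not match /{cond['regex']}/")
    return reasons


def validate_request(profile, fields):
    """Check request fields against a profile; return (accepted, log)."""
    conditions = PROFILE_CONDITIONS.get(profile)
    if conditions is None:
        return False, [f"{profile}: unknown enrollment profile"]
    log = []
    for name, cond in conditions.items():
        if name not in fields:
            log.append(f"{profile}: {name} is missing from the request")
            continue
        for reason in check_field(fields[name], cond):
            log.append(f"{profile}: {name}={fields[name]!r} {reason}")
    return not log, log


if __name__ == "__main__":
    # Constructed sample requests.
    for req in ({"common_name": "sns-0123456789ab", "san_dns": "n1.devices.example.com"},
                {"common_name": "sns-0123456789ab-x", "san_dns": "n1.devices.example.org"}):
        print(validate_request("sensor-line-a", req))
```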
Enhancements
Batch report and output file naming
Improved clarity and organization of batch reports and output files by including the batch job name and its UUID in their names.
Batch report naming: Updated batch report names to include the batch job name followed by its UUID.
Batch output file naming: Updated batch output file names (ZIP and JSON formats) to include the batch job name and its UUID.
Additional field for CMS encryption
Introduced the ASN1_Algorithm field in the certificate issuance API, allowing users to specify the ASN.1 algorithm directly.
New field: ASN1_Algorithm: Added the ASN1_Algorithm field to the certificate issuance API for direct specification of the ASN.1 algorithm.
Behavior change for RSA_OAEP: Changed CMS encryption method from CMSAlgorithm.AES256_CBC to CMSAlgorithm.RSA_OAEP when ASN1_Algorithm is set to RSA_OAEP.
Fixes
License count issue
Enhanced system defenses to ensure accurate license counts, especially during device and certificate failures.
April 3, 2024
DigiCert® ONE version: 1.7277.0 | IoT Trust Manager: 1.616.0
Fixes
User permission fixes
Users with the appropriate permissions now have the ability not only to create and edit, but also to disable and delete custom certificate templates directly from their account.
Enhanced logging for CMPv2
Upgraded CMPv2 with additional logging capabilities to provide more in-depth insights into its operations and interactions.
March 27, 2024
DigiCert® ONE version: 1.7083.5 | IoT Trust Manager: 1.614.0
Fixes
Dilithium key support
Implemented code changes in IoT Trust Manager to unify the naming conventions for Post Quantum Crypto Dilithium across CA Manager and the server-side key generation for Dilithium keys. This adjustment ensures IoT Trust Manager continues to support certificate requests for Dilithium type keys and algorithms, alongside introducing server-side Dilithium key generation capabilities.
Authentication certificate signature algorithm mismatch
Addressed an issue where mismatches between the signature algorithms of authentication certificates and their issuing CA, designated as the “authentication CA” in IoT Trust Manager, led to authentication failures. This correction prevents failed certificate requests stemming from the rejection of authentication certificates due to algorithm mismatches.
March 20, 2024
DigiCert® ONE version: 1.7083.4 | IoT Trust Manager: 1.610.0
New
Disassociation of registered values and enrollment profiles
Users now have the ability to easily remove the association between a registered values object and an enrollment profile, offering greater flexibility in managing the configuration and lifecycle of enrollment profiles.
Enhancements
Registered values enrollment profile management improvements
Assignment limitation: Updated to restrict the assignment to only one registered values object per enrollment profile, streamlining the setup process.
Assignment flexibility: Enhanced to allow a registered values object to be linked with multiple enrollment profiles, offering more versatility in configurations.
List view enhancement: Introduced a new column in the Enrollment Profile List page that shows the registered values object associated with each profile, improving oversight.
Filtering update: Launched advanced filtering options on the Enrollment Profiles List page, enabling users to filter profiles based on the registered values object assigned, facilitating easier management.
Fixes
CSV template download correction in registered values
Addressed a bug in the CSV template download functionality within the Registered values details page. The fix ensures that the downloaded CSV template accurately mirrors the certificate values specific to the dataset being managed, fixing an issue where a generic template was received, leading to inconsistencies.
Service user identification in batch download notifications
Resolved an issue where email notifications for batch downloads incorrectly displayed 'null null' for the Service User. Notifications now include the Service User's email (friendly name), providing clear identification.
Batch job report accuracy
Fixed a problem where batch job reports erroneously indicated no successful records, even when jobs were completed successfully. Reports now accurately reflect the success of job executions and document any issues or errors, enhancing trust in the system's reporting capabilities.
Corrected status display for rejected batches
Implemented a correction for a misrepresentation issue where batch enrollments marked as 'Rejected' inaccurately showed records as having been processed successfully. The system now correctly reflects the actual status of each record in rejected batches.
March 13, 2024
DigiCert® ONE version: 1.7083.2 | IoT Trust Manager: 1.606.0
New
Enhanced scalability and reliability with pre-termination hook
In this update, we're introducing a significant enhancement to our container management system: the pre-termination hook. This new feature is designed to give you more control and predictability over how your containers shut down—ensuring a smoother, more reliable system operation.
Key features
Enhanced control: Pre-termination hook triggers right before a container shutdown, ensuring essential tasks are neatly wrapped up. This timely intervention allows for a smoother transition and a more graceful system behavior.
Predictability across operations: Regardless of what initiates a container's termination—be it API requests, management events, or other system conditions—the pre-termination hook provides a reliable and predictable way to manage the shutdown process, enhancing system stability.
Seamless system integration: Pre-termination hook does not delay container termination process. The termination grace period begins prior to the hook's activation, guaranteeing that containers will terminate within their allotted time, regardless of the hook's actions.
March 6, 2024
DigiCert® ONE version: 1.7083.0 | IoT Trust Manager: 1.603.0
New
Registered values
Implemented registered values in IoT Trust Manager to enhance certificate issuance control. Registered values ensure that certificate request values adhere to predefined criteria, including lists of allowed values and conditions. This enhancement enables stricter validation of certificate fields according to specific requirements.
Registered values can also be managed and viewed by all divisions within an account or restricted to specific divisions only. This allows for the assignment of a registered values container to specific divisions.
To start using registered values, sign in to your DigiCert ONE IoT Trust Manager account and go to Certificates > Registered values.
Enhancements
IP address range blocking
Adding the entire IP range, specifically from 0.0.0.0 to 255.255.255.255, to the list of allowed IP addresses is no longer possible. This change addresses potential security risks by preventing these broad ranges from being used.
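An added example (not DigiCert code) of auditing an allowlist for entries that amount to "any address". It goes beyond the single 0.0.0.0 to 255.255.255.255 case above by also catching 0.0.0.0/0 and entries that cover the whole IPv4 space only in combination; the entry formats and function names are assumptions.

```python
import ipaddress

FULL_V4 = ipaddress.IPv4Network("0.0.0.0/0")


def to_networks(entry):
    """Parse 'a.b.c.d', 'a.b.c.d/nn' or 'first-last' into IPv4 networks."""
    if "-" in entry:
        first, last = (ipaddress.IPv4Address(p.strip())
                       for p in entry.split("-", 1))
        # Raises ValueError if first > last, which surfaces malformed ranges.
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.IPv4Network(entry.strip(), strict=False)]


def audit_allowlist(entries):
    """Return findings for entries that open the allowlist to all of IPv4."""
    findings = []
    networks = []
    for entry in entries:
        parsed = to_networks(entry)
        if FULL_V4 in parsed:
            findings.append(f"{entry}: covers the entire IPv4 range")
        networks.extend(parsed)
    # Adjacent blocks merge when collapsed, so a full range split into
    # several smaller entries is still detected.
    if not findings and list(ipaddress.collapse_addresses(networks)) == [FULL_V4]:
        findings.append("entries combined cover the entire IPv4 range")
    return findings


if __name__ == "__main__":
    # Constructed sample allowlists.
    samples = (
        ["0.0.0.0-255.255.255.255"],
        ["0.0.0.0/1", "128.0.0.0/1"],
        ["10.0.0.0/8", "192.0.2.10"],
    )
    for sample in samples:
        print(sample, "->", audit_allowlist(sample) or "ok")
```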
Toggle switch for IP limitations
A new toggle switch feature allows you to easily control the limitations on IP address entries. This provides flexibility between restricted and unrestricted IP address entries.
Fixes
Batch email sending issue
Resolved a bug that prevented sending batch external emails via API.
February 14, 2024
DigiCert® ONE version: 1.6887.2 | IoT Trust Manager: 1.593.0
Fixes
Zipped file uploads
Resolved an issue that prevented zipped files from uploading correctly, allowing users to upload zipped trust bundles without errors.
P7B file support
Fixed an issue to enable successful uploading of P7B files.
Certificate profile creation
Addressed an issue that caused files with whitespaces in their names to fail during upload.
Certificate profile creation
Fixed an issue where the signature algorithm was not correctly applied when creating a certificate profile for CMPv2.
February 7, 2024
DigiCert® ONE version: 1.6887.0 | IoT Trust Manager: 1.587.0
New
Trust bundle division access feature
Introduced trust bundle division access feature to enhance security and access control, allowing trust bundles to be limited by divisions for granular access control.
Added PQC support
Initiated integration of Post-Quantum Cryptography (PQC) support with the incorporation of the Dilithium algorithm, marking a step towards enhanced security.
Important
Because the standard for Dilithium has not been finalized, this should not be used in production environments.
Enhancements
Gateway installation download flexibility
Enhanced gateway installation process to allow for unlimited downloads and introduced a predefined expiration period of 3 days (72 hours) for the download link.
Validity and signature algorithm in CMPv2 requests
Introduced enhancements to CMPv2 functionality, enabling users to specify certificate validity duration and signature algorithm selection directly in CMPv2 requests.
MAC address verification for DigiCert Gateway
Added a configuration option to enable or disable MAC address verification for DigiCert Gateway, catering to deployments in environments with dynamic MAC addresses, like Kubernetes containers.
January 10, 2024
DigiCert® ONE version: 1.6665.2 | IoT Trust Manager: 1.578.0
New
Trust bundle management
A trust bundle is an essential collection of certificates used to establish trust within digital environments. A trust bundle can include various types of certificates such as root CAs, intermediate CAs, code signing certificates, and others required for distribution into trust stores. Our system supports adding up to 100 certificates in a single trust bundle.
You can easily manage these trust bundles in the IoT Trust Manager console, where you can perform the actions listed below. These actions enhance your ability to manage trust bundles effectively, ensuring that you can maintain the necessary digital trust and security for your operations. For detailed instructions or additional support, please refer to our documentation or contact our support team.
Download trust bundle
Copy trust bundle download link
Delete trust bundle
Disable trust bundle
Enable trust bundle
Enhancements
CMPv2 alternative (shorter) URL
These CMPv2 updates address the CMPv2 directory value limitation and enhance the enrollment profile interface for EST/SCEP/CMPv2 methods.
CMPv2 directory value issue
Resolves the issue for clients where the CMPv2 URL value is limited to 32 characters by adding alternative enroll/reenroll URLs for EST/SCEP/CMPv2 enrollment methods in the enrollment profile details. View alternative URLs under the enrollment profile details.
Reference ID for passcodes
Introduces a Reference ID field on the passcodes details page for CMPv2 enrollment method passcodes. Reference IDs are available on the passcode's details page for CMPv2 enrollments.
Certificate template creation with RSA 1024-bit
Users can now create certificate templates that include RSA 1024-bit in the list of allowed key types.
This enhancement allows for greater flexibility and customization in certificate management and caters to specific security requirements and compliance standards.
Server-side key generation support for RSA 1024-bit
Our platform now supports server-side generation of RSA 1024-bit keys. This update ensures stronger security protocols and aligns with the latest industry practices in key generation.
This update works for the following:
Batch Request Processing
Single Certificate Requests
API integration
Support for PQC Dilithium keys
We now support Post-Quantum Cryptography (PQC) Dilithium keys as a part of our commitment to providing advanced security features and keeping up with evolving industry standards.
By integrating PQC Dilithium keys, we are enhancing our platform's security and preparing for the quantum-resistant future of cybersecurity. This update empowers our users to adopt stronger cryptographic standards, ensuring the longevity and integrity of their security measures.
New features
Certificate template creation with PQC Dilithium keys
Users can now create certificate templates with PQC Dilithium keys as one of the allowed key types. This enhances flexibility and customization in certificate management and allows users to stay ahead in the security landscape.
This update caters to advanced security requirements and compliance with future-proofing standards.
Server-side key generation support for PQC Dilithium keys
We updated our platform to support the server-side generation of PQC Dilithium keys. This addition fortifies our security protocols and ensures alignment with cutting-edge key generation practices.
The support for PQC Dilithium keys extends across various functionalities, including:
Batch Request Processing
Single Certificate Requests
API integrations
Enhanced exception handling for batch generation
Customers have expressed the need for clearer visibility into potential exceptions that may occur during the batch generation processes. The lack of detailed feedback when batch generation fails leaves customers uncertain about the nature and stage of the failure.
Therefore, we enhanced our exception-handling protocols to provide more informative and specific error feedback during batch-generation failures. Customers will now receive detailed error messages indicating the stage at which the batch process failed.
Examples of updated messages:
"Batch failed. Key generation failed."
"Batch failed. Unable to store parts."
Possible error codes
To further assist in troubleshooting, the following error codes will be provided, detailing the nature of the exception:
INVALID_REQUEST - "Invalid request"
CERTIFICATE_CREATION_ERROR - "Certificate creation error"
CERTIFICATE_AUTHORITY_ERROR - "Certificate authority error"
DATABASE_ERROR - "Database error"
ENCRYPTION_ERROR - "Encryption error"
ENTITY_NOT_FOUND_ERROR - "Entity not found error"
INPUT_FILE_READ_ERROR - "Input file read error"
INTERNAL_SERVER_ERROR - "Internal server error"
Fixes
Update batch certificate CSV template
Issue: CSV template missing the CSR column
The downloaded CSV template does not include a CSR column.
Select I have the keypairs and will provide the CSRs or public keys in the request.
Select I will upload CSV with request info.
Select Download template.
Fix: Updated the logic in the create batch page to handle the template request correctly
Now, when the client-side key generation is selected and the user requests a template download, the system will send the option “client_side” in the request. In all other cases, the system will default to the “server_side” option.
This change ensures the correct template, including the CSR column, is provided, aligning with the user's selection.