Trust Lifecycle Manager

DigiCert​​®​​ Trust Lifecycle Manager now supports CyberArk in the Secrets manager connector category. This integration enables Trust Lifecycle Manager connectors to securely retrieve credentials from CyberArk, which are used during certificate delivery and automation workflows. It eliminates the need for hard-coded or locally stored passwords and ensures authentication leverages centrally managed, rotated secrets. This connector supports integration with CyberArk using the Central Credential Provider (CCP) service and client-based authentication.

This release enables the F5 connector and the AWS unified connector to authenticate using CyberArk-managed credentials for secure, enterprise-grade certificate lifecycle management. For more information, see the CyberArk connector guide.

This agent update introduces the ability for admins to change the proxy configuration for an existing agent.

Resolved an issue where the Total certificates count in Inventory > Certificates tab did not match the maximum number of records shown at the bottom of the data grid.

Resolved an issue with generating custom certificate reports when the Expires in (days) field was selected from the Inventory page.

Resolved an issue where the SAML service provider (SP) metadata could not be downloaded from the Account > Settings > Self-service portal page for the authenticated self-service portal .

Resolved an issue where edited custom certificate reports did not retain the original filter conditions.

Resolved an issue where the Public server trust type was missing from the authenticated self-service portal's Certificate request > Trust type dropdown. Additionally, resolved an issue where only 10 profiles were displayed in the table. The portal now displays up to 5,000 profiles.

Starting with this release, DigiCert​​®​​ Trust Lifecycle Manager introduces enhanced automation to keep renewal schedules aligned with real-world certificate changes. The system now continuously monitors refreshed and newly discovered certificates, automatically adjusting renewal timing whenever changes are detected. This new feature includes the following:

To improve visibility into agent availability, a new Last seen column has been added to the Discovery & automation tools > Agents page. This column displays when an agent was last active and includes advanced filtering options. This allows you to quickly identify agents that have and haven’t been seen within a specified number of days or hours.

With this release, Trust Lifecycle Manager supports the Operating system and Ciphers columns that you can include in your custom reports. Select these columns in the Server management details section of the Create custom report wizard.

With this release, the following improvements are made to the Extensions screen of the Create certificate profile wizard:

Profiles created using the Public S/MIME Secure Email (via CertCentral) base template can now be configured with the Other recipients field. This allows administrators to receive a copy of all certificate lifecycle emails enabled on the profile.

Enhanced the POST /mpki/api/v1/certificate REST API endpoint to support setting the seat email value (seat_email) without having to use a separate seat endpoint request.

This sensor update includes the following:

Resolved an issue where custom reports generated from the default All certificates view show duplicate entries and don’t match the certificate inventory. This issue occurred because the All certificates view displayed a filtered view of certificates while the custom report retrieved certificates irrespective of whether the same certificate was issued, discovered, or imported into the inventory.

With this release, if the selected column matches the All certificates view column set, the system executes the same unique inventory query so that the results match. If additional columns are selected in the custom report, the system falls back to the original reporting query. This query retrieves all certificates matching the filter criteria, regardless of duplicate certificates.

Resolved an issue with not being able to upload a CSV file that contains the security_identifier field.

Resolved an issue where duplicate certificate entries were displayed in the custom reports.

Resolved an issue with not being able to download an AEConfig file for profiles that don't have an Extension key usage (EKU) extension configured.

Resolved an issue where renewals associated with the Citrix FAS Smartcard Logon profiles would fail with a duplicate certificate error. This issue occurred when the renewal window configured was less than 50% of the certificate validity period. Follow the profile configuration changes listed in the Troubleshooting topic to resolve this issue.

Resolved an issue where end-users didn’t receive renewal email notifications for profiles configured with the iOS/iPadOS enrollment method. This issue occurred because the renewal email template was missing from the profile configuration.

Resolved an issue where certificates issued through the Admin web request enrollment method displayed an IP address in the DNS name field, for profiles configured using the CA Manager Private Server Certificate base template.

Resolved an issue where the Tenable connector would remain in the Running state when there is an error.

DigiCert​​®​​ Trust Lifecycle Manager now supports secure credential retrieval from BeyondTrust vaults for authenticating AWS Certificate Manager (ACM) automation flows using the AWS unified connector. This eliminates the need for hard-coded secrets, enabling the use of centrally managed secrets stored in the BeyondTrust privileged access management (PAM) platform.

For more details, see the AWS unified connector guide.

Administrators can now manually trigger automation for sites that already have a scheduled automation flow. This can be done without canceling the existing automation schedule or affecting future auto-renewals. This enhancement also provides greater flexibility to accommodate ad hoc changes while preserving the planned automation lifecycle.

A new Stop refresh action has been introduced this release to help manage agents that remain in the Refreshing configuration state for an extended period. This allows administrators to cancel the existing refresh operation when required.

Resolved an issue where the organizational unit (OU) field was missing from the subject JSON block (subject.organizational_units) in responses from the GET /mpki/api/v1/certificate/{serial} endpoint.

Resolved an issue with certificate profiles configured with the CSR enrollment method and the optional Subject DN Email field, where enrollments failed if the CSR didn't contain a matching Email attribute.

Resolved an issue where automation notifications configured in the certificate profile weren’t being sent to the certificate owner(s) defined in the profile.

Resolved an issue where the Microsoft CA connector went into the Action needed state every few hours due to a synchronization issue with the Trust Lifecycle Manager plugin manager.

Resolved an issue with the Tenable connector was not importing all the certificate data.

In this release, DigiCert​​®​​ Trust Lifecycle Manager introduces the BeyondTrust connector that can be be accessed from the new Secrets manager category on the Integrations > Connectors > Add connector page. This connector allows Trust Lifecycle Manager connectors to securely retrieve and use credentials stored in the BeyondTrust vault during delivery and automation flows. This eliminates the need for hard-coded or locally stored passwords, and ensures endpoint authentication uses centrally managed and rotated secrets from the customer's vault.

This release also includes the ability for the F5 BIG-IP LTM connector to use credentials stored in the BeyondTrust vault. For more information, see the BeyondTrust connector guide.

In this release, the Public Client Authentication (via CertCentral) base template has been updated to support the DigiCert ONE Login authentication method for certificate profiles configured with the DigiCert Trust Assistant enrollment method.

With this release, administrators can define a custom Qualys server URL. This enhancement enables organizations to direct scans and integrations to their own Qualys deployments, in addition to the standard Qualys cloud environments.

This agent update includes the following:

This sensor update includes the following:

Resolved an issue that prevented editing or saving a certificate profile when the Required checkbox was toggled and the source for the field's value was set to Fixed value.

Updated an incorrect Japanese label in the Certificate options > Renewal options section of the certificate profile configuration wizard.

Resolved an issue where the Browser PKCS12 certificate renewal process with the Manual approval authentication method fails when a tag is assigned to the certificate.

Resolved an issue with not being able to filter owners in the Account > Settings > Contacts > Certificate owners page.

Resolved an issue where certificate enrollment would fail if the submitted certificate signing request (CSR) included fields that were not defined in the certificate profile. Starting from this release, additional fields no longer trigger errors, and the request is forwarded to the defined Microsoft CA for issuance. The issued certificate may or may not include the additional fields.

Resolved an issue that prevented external email addresses from appearing in the notification recipients list.

With this release, the DigiCert​​®​​ Trust Assistant Active Directory (AD) Publisher system script has been updated to support the Generic User Certificate base template. This enhancement allows you to push the issued certificate to your AD.

Updated the CT logs monitoring feature to instantly discover certificates when they appear in the Certificate Transparency (CT) logs.

With this release, DigiCert​​®​​ Trust Lifecycle Manager introduces the monitoring of Certificate Transparency (CT) logs for proactive discovery of public certificates issued across your organization's domains. Benefits of CT logs monitoring:

CT logs monitoring gets configured at the account level from your global discovery settings. For more information, see CT logs monitoring.

In addition to the existing System scripts feature, this release introduces a new feature called Custom scripts. This new feature enables profile administrators to upload and manage their own scripts. Each uploaded script is automatically scanned for basic malware and executed after DigiCert​​®​​ Trust Assistant completes certificate enrollment, renewal, or recovery operations.

Custom scripts allow profile administrators to deliver 'last mile integrations' following successful certificate provisioning, such as configuring a Wi-Fi access point or VPN client. This enables a seamless, end-to-end, zero-touch experience for end users while supporting various certificate-based use cases.

With this release, a new account-level setting is added to the Account > Settings > Tool deployment page to enable or disable software auto-updates for agents.

With this release, administrators can filter their inventory using discovered cipher data available in Trust Lifecycle Manager. This enhancement enables the identification of sites using weak ciphers, allowing administrators to manage and strengthen their security posture.

Resolved an issue where certificate requests submitted using REST API failed when a certificate profile's Unique identifier field was configured with a fixed value as it's source.

Resolved an issue where filters on the Inventory page do not change when switching between saved views.

Resolved an issue where the delete profile action would time out. This error was because the system fetched all enrollments associated with the profile, regardless of enrollment status, instead of only retrieving the pending enrollments. Pending enrollments are canceled before the profile deletion process is completed.

Resolved an intermittent issue with the creation of certificate owners through REST API.

Resolved an issue where the automation process failed to copy the virtualhost configuration when switching from port 80 (HTTP) to port 443 (HTTPS).

Resolved an issue where notifications were not being sent to email addresses configured under Account > Settings > Contacts > Admin.

Resolved an issue where Microsoft Outlook post-processing script failed to match emails for DigiCert​​®​​ Trust Assistant when running on a non-English language OS.

The default ACME Renewal Information (ARI) window has been updated to better align with shorter certificate lifecycles.

DigiCert​​®​​ Trust Lifecycle Manager now supports integration with Sectigo Certificate Management (SCM) via a new Sectigo CA connector. This integration enables you to:

The new Sectigo Public CA Server Certificate template in Trust Lifecycle Manager supports the following enrollment and authentication methods:

For more information, see the Sectigo CA connector guide.

With this release, Trust Lifecycle Manager allows self-service portal administrators to configure the Authenticated portal with SAML attributes. This applies to each SSP-enabled certificate profile that uses either the SAML IdP or Manual approval authentication method.

Users accessing the Authenticated portal can be configured in your IdP with attributes that are sent to DigiCert​​®​​ as part of SAML assertion. These attributes can be used to authorize access by displaying the certificate profiles the user is permitted to view and enroll in.

To configure SAML attributes, go to Settings > Self-service portal and select the edit icon in the new Attributes column of the Portal-enabled certificate profiles table. You can then enter one or more attributes that are evaluated as OR conditions. For more information, see Self-service portal.

Starting with this release, the new audit log GET /mpki/api/audit-log/count API endpoint retrieves the total number of events and records for a filtered request. See the API documentation for more information.

With this release, Trust Lifecycle Manager supports linking DigiCert CertCentral® and UltraDNS accounts to enable continuous automated domain validation. For more information, see Link UltraDNS to CertCentral.

When you create a certificate profile, you can now select User Info as a source for the Security Identifier (SID) extension. This allows the SID value to be automatically retrieved from your IdP during certificate issuance.

Updated the Public Client Authentication (via CertCentral) base template to support these additional Subject Distinguished Name (DN) fields:

With this release, a new Order Id column and filter has been added to the Inventory > Certificates page, allowing you to filter CertCentral certificate records by their order id. The order id is displayed on the Certificate details page, and can also be included in custom reports.

New DigiCert sensor release with the following updates:

With this release, the CertCentral integration is enhanced to allow full imports to be triggered at any time. When a full import is triggered, Trust Lifecycle Manager retrieves all certificate data from CertCentral based on configured import settings.

Resolved an issue where custom certificate reports were missing data when using DigiCert Agents operating on restricted ports.

Resolved an issue with certificates not getting installed on iOS devices for profiles configured with iOS/ipadOS enrollment method. This was caused by an internal timeout during the certificate installation process.

Resolved an issue with the A10 integration where intermediate CA certificates appeared in the Trust Lifecycle Manager inventory instead of the end-entity certificates.

Resolved an issue where the discovery count was duplicated when the same certificate was detected from different sources.

Resolved an issue where a random string was incorrectly appended to Azure Key Vault's certificate reference.

Resolved an issue where a CertCentral connector goes into the Action needed state when the user triggers a Run now action and there are no certificates to import.

Updated the Public Client Authentication (via CertCentral) base template to enable a new certificate product type called Client Auth, which supports the following additional Subject Distinguished Name (DN) and Subject Alternative Name (SAN) attributes under Certificate options. If there are multiple issuing CAs in your CertCentral account, you can now select the one that meets your requirements under Primary options.

With this release, the following Adobe base templates now support the Subject DN email attribute, which can be added when creating or editing a profile from either template:

With this release, we are introducing enhanced extensibility capabilities that empower teams beyond engineering to create and manage custom sensor-based integrations. This functionality is available through the Developer role in DigiCert​​®​​ Trust Lifecycle Manager, enabling developers to:

To help you get started we provide an example plugin repository, so you can focus on the unique aspects of your integration rather than the initial project setup.

With this release, you can now customize profiles created from any of the three generic base templates using these two new features:

Updated the following base templates to support the SAML IdP authentication method, allowing you to externalize the authentication of certificate requests to your SAML IdP provider:

Updated the following CertCentral base templates to support the Browser PKCS12 enrollment method, allowing issuance of certificates into a PKCS12 file with its associated password:

New DigiCert sensor release resolves a URL encoding issue when acting as a SCEP proxy.

Resolved an issue where the DigiCert sensor was not proxying SCEP requests correctly due to URL-encoding the target SCEP Server URL. This occurred when using the Certmonger client. This fix is included in sensor version 3.9.11.

Resolved an issue with public-facing enrollment pages not auto-resizing on mobile devices.

Resolved an internal server error when filtering by the Scan status column on the Discovery & automation tools > Agents page.

Resolved an automation issue where certificate installation failed on IIS when a hostname was configured for a site.

Starting on September 23, 2025, users in the United States DigiCert® ONE production instance experienced issues with invalidated DigiCert​​®​​ Trust Assistant login sessions, affecting customers with a certificate profile configured with DigiCert Trust Assistant and the DigiCert ONE Login authentication method.

This issue was resolved with the September 26, 2025, release. All users logged in during the time of the issue must re-login to continue using the auto-enrollment and auto-renewal features for DigiCert Trust Assistant.

A new ACME client is now available for all new and upgraded DigiCert agents.

The agent is also updated to retain proxy configuration if no DigiCert sensor is available.

Resolved an issue where enrollment emails associated with the CertCentral Public Server Certificate and CertCentral Private Server Certificate base templates were not sent to the requester email value, but to the seat email value. With this fix, the enrollment emails are sent to the requester email value.

Resolved an issue where custom certificate reports were not being initiated when filtering by Tags or CA vendor from the Inventory page.

Resolved an issue with not being able to override the validity period for profiles configured from the Microsoft CA Private Server Certificate base template with the Manual Approval authentication method. This is because the DigiCert​​®​​ Trust Lifecycle Manager profiles dynamically read the validity period from the Microsoft CA templates and cannot be changed at the time of admin approval. The option to override the validity period is now removed.

Resolved an issue where large-sized file scans caused delays in DigiCert agent automation operations and uploads. From this release, automation tasks for DigiCert agents can now run concurrently while system scans are in progress, reducing bottlenecks and improving overall agent efficiency.

Enhanced the bindings section under Inventory > Endpoints to show the domain name used to identify the Server Name Indication (SNI) site. This enhancement allows administrators to identify sites more accurately.

Resolved an issue where duplicate certificate requests (outside the renewal window) weren't detected at the time of request submission for profiles configured with the Manual Approval authentication method.

Resolved an issue where non-supported prefix characters in the Security Identifier (SID) extension were included in the CSR generated with Microsoft's certreq tool, which the DigiCert® Private CA platform was trapping and stopping certificate issuance. From this release, DigiCert​​®​​ Trust Lifecycle Manager will trim any leading characters encountered before the SID (S-x-x-...) value.

Reordered the steps to download the PKCS12 certificate. From this release, the Download button is enabled only after you copy the PKCS12 password to the clipboard.

Fixed an issue with the Scan status filter.

Corrected the filter count by including revoked certificates to show the accurate number of total certificates.

Enhanced the PKI Platform 8 CA connector to include a retry process for failed imports of recovery certificates.

Resolved an issue where a data discrepancy was discovered in the PKI Platform CA connector process.

Resolved an issue with certificate issuance using Azure GCC High Intune integration.

Resolved an issue where administrators were unable to use the Admin web request method to enroll a certificate with automated delivery.

Enhanced the On-prem CA connector to support the three generic base templates (Device, Server or User) for issuing non-escrow certificates through the enrollment and authentication methods defined by each template, as listed in the following table:

For more information, see DigiCert On-prem CA connector guide.

The DigiCert​​®​​ Trust Assistant version 1.2.7 release introduces the following new features and fixes:

Enhanced the PKI Platform 8 connector to support three new options for imported/recovered PKCS12 certificates when selecting the recovery option in the connector:

Resolved an issue with the Edit Report functionality where previously configured schedules and permission settings were not retained. All configurations now remain intact when editing existing custom reports.

Resolved an issue where DNS Name values entered with leading or trailing whitespaces caused validation failures during web-based enrollment. The system now trims any whitespace before or after the DNS Name value to prevent such errors.

Resolved an issue where the deep link included in report notification emails failed to download large custom reports with multiple entries in the database.

Resolved an issue with data inconsistencies in custom certificate reports, where only the last partition of the report was streamed back to the UI during download.

Resolved an issue where the steps on the certificate pickup page appeared in the wrong order for non-English languages when using the Browser PKCS12 enrollment method.

Resolved an issue where profiles did not retain the key type and key size(s) values set by a profile administrator upon saving the profile, and instead used the default key type and size(s).

Resolved an issue where the Health Check API intermittently returned 5xx error codes, specifically 503 Service Unavailable, caused by response times exceeding 15 seconds due to downstream service calls.

Resolved an issue where DigiCert agents got stuck in the REFRESHING_CONFIG status during the internal daily batch refresh job.

This release of the DigiCert AutoEnrollment Server supports the following:

In this release, a new GET /custom-attributes/certificate API endpoint is introduced to retrieve the list of custom attributes for a specific certificate ID. For details, see the API endpoint documentation.

Updated DigiCert​​®​​ Trust Lifecycle Manager Inventory views to improve accuracy and clarity. Certificates marked as Replaced or Replaced external no longer appear in the active inventory. Instead, they are moved to the respective endpoint’s history, ensuring that only active certificates are displayed in the Inventory while maintaining full traceability in historical records.

With this release, the CA Manager Private Server Certificate profile is enhanced to support adding a Domain Controller as a Microsoft certificate template name extension while issuing certificates through a third-party ACME flow.

Resolved an issue where the Seat usage by seat type widget in the dashboard displayed an incorrect Discovery seat value.

Resolved an issue where suspended profiles could not be activated.

Resolved an issue where custom seat reports were not being generated successfully.

With this release, Trust Lifecycle Manager introduces streamlined management and secure distribution of agent scripts that significantly reduces manual effort and improves operational efficiency in agent-related workflows. Key features:

For more information, see Agent scripts.

This agent update includes enhancements to support the new script management system with automatic script distribution.

Microsoft Outlook configuration script now supports both the 32-bit and 64-bit versions of the Microsoft Outlook application.

For all Extended Key Usage (EKU) extension values configured within a profile, the OID value is now displayed alongside its friendly name.

Resolved an issue where an administrator-initiated certificate recovery flow generated the same PKCS12 password for different certificates when performed in the same browser tab, instead of creating unique PKCS12 passwords.

Resolved an issue where custom email templates did not include the value for the {{userFullName}} variable in emails delivered to users.

Resolved an issue where an error displayed on the Inventory page when filtering by profiles with duplicate names.

Resolved an issue where the Seat usage by seat type widget displayed an incorrect Discovery seat value in the Dashboard.

With this release, Trust Lifecycle Manager introduces a new cloud-based scanning capability that enables you to discover TLS certificates on your public internet-facing infrastructure without the need to deploy any sensors. This feature leverages DigiCert’s cloud scanning infrastructure to provide you with early visibility into your TLS environments. Key features of the cloud scanner include:

This agent update includes stability enhancements and resolves upgrade issues, including improvements related to ACME client support.

This sensor update includes a fix for a Citrix ADC installation issue that occurs when the sensor does not have access to all nodes in a high availability (HA) configuration.

The SCEP integration for Jamf Pro now supports automatic creation of seats in Trust Lifecycle Manager when Jamf-managed devices enroll certificates. This simplifies the configuration process by eliminating the need to manually create seats in advance.

For details about setting up the Jamf Pro SCEP integration with automatic seat creation, see SCEP integration guide.

Resolved an issue where the button to download the DigiCert Trust Assistant client did not appear on the web page when it was not installed on the user’s computer.

Resolved an issue where the DigiCert Trust Assistant automation script failed to publish to Active Directory when executed on macOS.

Resolved an issue where certificate profiles configured with optional SAN:dnsName and/or SAN:ipAddress fields, along with an allowed/blocked list, triggered validation errors when those fields were missing from the certificate request.

Resolved an issue where the Seat usage by seat type widget displayed inaccurate Discovery seat values in the Dashboard.

Enhanced all public-facing web enrollment pages with a new UI design. This enhancement delivers a new user experience, eliminates white space on the right-hand side of the page, optimizes page components to use a more appealing look and feel, and allows further control over both the branding and content being displayed on the page. Key enhancements include:

With this release, DigiCert​​®​​ Trust Lifecycle Manager automatically synchronizes the revocation status of certificates revoked in CertCentral. The updated status is reflected in the Trust Lifecycle Manager Inventory, ensuring accurate and up-to-date certificate tracking.

The SAN dnsServer field logic has been updated to support the underscore (_) character at the beginning of a hostname for private certificates only.

Resolved an issue where Intune-based profiles did not update to the Action needed status when the Intune secret was invalid. This issue affected test connection functionality and all certificate lifecycle operations, including enroll, import, and revoke.

From this release, when an invalid Intune secret is detected, all associated Intune profiles will be updated to the Action needed status. Profile administrators are notified by email and must update the secret before resuming all Intune operations.

This release includes a fix for an issue where the GCP unified connector could remain stuck in a Running status if a misconfigured load balancer was encountered during discovery. The connector now handles such scenarios and completes the discovery process as expected.

With this release, the Intune base template supports issuing certificates from a Microsoft CA via Intune. To configure this feature, create a profile, select the Azure Auth authentication method, and choose your Intune connector.

With this release, administrators can now configure the AWS unified connector to reuse existing ARNs by reimporting renewed certificates. This eliminates the need to update bindings across AWS resources such as ELBs and EC2 instances. This allows you to:

For Microsoft CA profiles configured with the SCEP enrollment method, a new Re-generate RA Certificate button is now available on the Profile details page. This will help you regenerate the RA certificate used by the solution to decrypt SCEP requests before submitting request to the Microsoft CA for certificate issuance. This enhancement helps you to:

A new option in the profile wizard allows you to select a smaller serial number size (16 to 19 bytes) instead of the default 20 bytes (40 hexadecimal characters) for profiles configured with any of the three generic base templates.

This feature is useful when you want to reduce the size of a certificate, particularly in IoT use cases. However, DigiCert recommends using the default serial number size of 20 bytes, as it offers better security and reduces the possibility of serial number collisions.

Enhanced the DigiCert​​®​​ Trust Assistant's Discovery & Automation tools > Scripts page to support a new Profiles configured with this script action. This action is added for every script and shows all the associated profiles configured with that script.

New Trust Lifecycle Manager sensor release with the following updates:

Resolved an issue that prevented deleting a certificate owner if the contact being deleted had the email address of a previously removed contact.

Resolved UI issue when updating certificate owners via the Inventory > Certificate details page.

Resolved an issue that was preventing bulk revocation of certificates when using Inventory 2.0 from the new certificate list page.

Resolved an issue that prevented bulk revocation of certificates when using the new Inventory UI -certificate list page.

Resolved issue where users were unable to download custom or scheduled certificate reports after they were generated.

Resolved an issue where the duplicate check did not consider seat type or profile, causing issuance to fail for the same DN across different seat types. The logic now includes seat type or profile when performing duplicate checks.

Resolved an issue where CertCentral subdomains were not allowed to be submitted as part of web-based enrollment requests, even though the parent base domain had already been approved in CertCentral. The issue was introduced in the July 16 release, which implemented upfront CertCentral domain validation but considered only base domains.

Resolved an issue where DV flow was failing for the Linux sensor or agent.

With this release, DigiCert​​®​​ Trust Lifecycle Manager introduces the new Inventory page, delivering enhanced functionality and a more intuitive user experience. Access to the Inventory page is available only if the feature is enabled for your account. This includes the following:

For more information, refer to Inventory.

The new table component has also been implemented on most other pages that display lists in table format.

The DigiCert​​®​​ Trust Assistant v1.2.6 release introduces the following new features:

For CertCentral public TLS Server CSR-based certificate requests, the submitted domain(s) are now validated against the list of validated domains in your CertCentral account. If all the domains are found in the validated list, the enrollment process continues. Otherwise, an error is displayed indicating the domain(s) that have not been validated.

Enhanced custom attributes of the Dropdown field type to support setting multiple values via the UI and REST API.

Additionally, REST API-enabled profiles can now be configured with custom attributes of both Text field and Dropdown types. As part of this release, existing API endpoints have been enhanced and new endpoints introduced, as follows:

For more details, refer to API documentation.

Resolved an issue where manual enrollments were not being issued after approval if large internal notes were present. This has been fixed by splitting the Internal notes section under the Certificate details > Additional details tab into two separate sections:

Resolved an issue where PUT requests failed when cookies were not accepted during login to Trust Lifecycle Manager. For example, saving a profile or approving an enrollment request failed.

With this release, Trust Lifecycle Manager introduces new version v3 of the GET profiles API endpoints to address inconsistencies in the Subject DN metadata for profiles based on the Public S/MIME Secure Email via CertCentral base template. With the v3 endpoints, these profiles now return multiple=true for the Subject DN given_name and surname fields, ensuring consistency with all other profile types.

For organizations with profiles based on the Public S/MIME Secure Email via CertCentral base template, DigiCert recommends switching to version v3 of the GET profiles endpoints to ensure consistent results and avoid data conversion issues that may impact certificate issuance workflows.

For more information, refer to the API reference.

DigiCert​​®​​ Trust Lifecycle Manager now supports 150+ new DNS integrations that you can use for domain validation in automation flows for both DigiCert agents and sensors.

These new DNS integrations include Akamai EdgeDNS, Azure DNS, Constellix, Google Cloud, Sonic, and many more.

Updated the three "Generic" base templates to support the following Extended Key Usages (EKUs) for profiles configured with the ECDSA key type:

Enhanced the public-facing and self-service portal pages to display the email addresses of certificate owners.

As an administrator, you can now remove custom identifiers when adding or updating a certificate owner from the Account > Settings > Contacts > Certificate owners page.

Updated the Public S/MIME Secure Email for Intune (via CertCentral) base template to support the Secure Email for Business (sponsor-validated) certificate type for both Multipurpose and Strict generation certificates.

Enhanced the Inventory > Certificate details pages to show internal notes added by administrators for enrollment requests that are manually reviewed and either approved or rejected. These notes are shown in the Additional details > Internal notes section of the certificate details.

Resolved an issue where the unlimited expiration setting for enrollment codes was not applied to enrollments submitted through the CSV upload flow.

Resolved an issue where network scans remained stuck in the In progress status and failed to complete as expected.

Resolved an issue where certificate delivery to AWS Certificate Manager (ACM) failed with error message CSR Generation failed when using the Admin web request enrollment method with the ECDSA key algorithm.

Updated the Public S/MIME Secure Email for Intune (via CertCentral) base template to support Multipurpose generation certificates prior to the deprecation of Legacy generation certificates. Currently, Multipurpose generation only works with the organization-validated CertCentral Secure Email for Organization product type, where the Subject DN common name (CN) field will contain your validated email address.

Updated the CSR parsing logic for profiles configured with the CSR enrollment method and Manual Approval authentication method. The system now performs upfront validation of the following items at the time of request submission, instead of failing at the time of issuance or when downloading the certificate after approval:

Resolved an issue where requests for private server certificates through a Microsoft CA connector failed with the following error message:

Exception occurred while fetching the MS CA certificate, Please try again!

Resolved an issue where the seat creation time sometimes showed a time in the future. Seat creation times are now shown in GMT format.

Resolved an issue where the Intune connector type was not available unless the Automation account feature was enabled for your account. From this release, Intune connectors only require the Connectors account feature.

Resolved an issue with the profile details page not responding due to an incorrect internal permission.

With this release, Trust Lifecycle Manager introduces a new feature under Policies > Rules that allows administrators to configure rules to conditionally assign custom attributes, certificate owners, and tags to discovered or imported certificates.

Each rule defines the following options:

Once the rule is created, all subsequent import or discovery operations on the defined targets will automatically apply the metadata assignments to any certificates that match the conditions.

For more information, see Assignment rules.

DigiCert ONE​​ Clients 1.2.0 is now available for download from the Discovery & Automation Tools > Client Tools page.

For more details, refer to DigiCert ONE Clients release notes.

Automation actions are now enabled for endpoints listed in the Inventory > Unsecured view with an IP Unreachable automation status. This allows users to proceed with automation workflows on such endpoints, even if certificate discovery is unsuccessful.

While automating an unsecured endpoint on a Citrix appliance, the automation flow previously required a Redirect port, as Citrix uses this to convert HTTP to HTTPS (using the redirect URL as a bridge). However, since 443 is the default HTTPS port, users typically do not create HTTP endpoints on port 443. Additionally, in some cases, an HTTPS endpoint might already exist on port 443 without a certificate, requiring a certificate to be installed on the same port.

With this release, the Redirect port field has been removed from the Create automation page for Citrix endpoints using port 443.

Resolved an issue where users were unable to download certificates from the self-service portal when selecting a certificate format under the Show additional download options section.

Resolved an issue where certificate issuance failed for CertCentral Public Server Certificate profiles using the CSR enrollment method if the submitted CSR did not include a SAN:dnsName. The issue was addressed by adding a checkbox in the profile configuration wizard to specify whether the SAN:dnsName field is required or optional (default is required). From this release, the certificate will be issued if the SAN:dnsName field is configured as optional, regardless of the source.

Resolved an issue where users encountered an "Internal server error" when requesting a CertCentral Public Server Certificate for one or more domains in the pending validation state. These requests now display a friendly error to identify the cause of the error and indicate the domains that are pending validation.

From this release, the Intune integration now supports issuance of private server certificates via SCEP. To enable this, you need:

In the Intune portal, you need a SCEP profile that corresponds to the certificate profile in Trust Lifecycle Manager.

For more details, refer to the Microsoft Intune SCEP integration guide.

Announcing the tight API integration of Jamf Pro with Trust Lifecycle Manager, in addition to the existing SCEP integration. Both integrations work to facilitate certificate issuance through your Jamf Pro mobile device management (MDM) environment.

For detailed setup instructions, refer to the Jamf Pro integration guide.

Added a new Comments section to the certificate renewal page for manual approvals. When you receive the Your certificate is about to expire email (sent according to the profile configuration), you can now provide comments directly as part of the renewal process.

Resolved timeout issues when requesting Public S/MIME certificates via instant flows, such as profiles configured with the REST API enrollment method.

Resolved an issue that prevented creating or editing profiles using the EST enrollment method and Enrollment Code authentication method when no IP address was set in the allowed or blocked list.

Resolved an issue where revocation emails were not received by end users when certificates were revoked via API and Seat IDs contained non-email values. The system now checks for valid email addresses in other seat metadata (for example, Seat Email) or certificate fields (for example, SDN:email, SAN:rfc822Name), if available, instead of failing.

Resolved an issue with the SAN:dnsName field being added to signed certificates associated with the CertCentral Public Certificate or CertCentral Private Certificate templates, even when the profile had the field set as optional. To address this issue, the profile configuration has been enhanced with the following functionality:

Resolved an issue where Adobe Individual certificate requests failed when the profile was configured with the Given Name (GN) or Surname (SN) fields set to Multiple (the default configuration), but the request contained a single value.

From this release, the Multiple checkbox for GN and SN fields in Adobe Individual profiles has been removed. These fields now only support single values, as CertCentral supports only one value per field. For API requests that include an array of values, only the first value will be processed and all others will be ignored.

Enhanced the DigiCert® PKI Platform 8 connector to support selecting the PKI Platform 8 system: either Production or Partner Lab. The Partner Lab option is available for customers with access to a test account in the Partner Lab environment.

Added support for IP allowlisting on profiles configured with the EST enrollment method and the Enrollment Code authentication method. Devices submitting certificate requests via the EST protocol and authenticating with an enrollment code (passcode) can now be checked against an allowlist of valid IP addresses before certificate issuance. Configure the allowed devices in the Valid list of IP addresses section of the profile wizard.

Updated the Certificate Signing Request (CSR) details pop-up to include the Public key thumbprint and CSR SHA-256 hash values. This pop-up is accessible from the Enrollment > Enrollment details pages (used by admins to manage enrollment requests) and from the public-facing enrollment pages.

The Inventory > Certificate details pages have also been updated to include a new property field called Thumbprint (SHA-256).

Enhanced the Audit logs > Audit event details pages to reduce the amount of data stored per log event. Certificate-specific details are now available in a new siderail, allowing users to access this information separately. To open this new siderail, select the View certificate details link at the bottom of the event details page for a certificate.

Resolved an issue where certificate requests created using the CertCentral Public Server Certificate base template displayed an incorrect Trust type value under the Certificate requests tab in the authenticated self-service portal.

Announcing the release of the DigiCert Terraform Provider, enabling DevOps and platform engineering teams to seamlessly automate and manage the full lifecycle of DigiCert digital certificates using Infrastructure as Code (IaC) practices with Terraform.

Key features

Use cases

With this release, the CertCentral Public Server Certificate template supports a new flow option to set the Duplicate minimum validity days. This option allows users to specify the minimum number of days a duplicate certificate must be valid when requested from CertCentral.

The following enrollment methods support this new option:

Certificate times in the self-service portal are now displayed in 24-hour format.

Audit logs now include the Seat ID value in failure events related to duplicate seat creation errors during SCEP operations.

Introduced an option to select Not available in the tag filter to display certificates that do not have any tags attached.

Introduced an option to select key type and key size for 3rd-party ACME client flows in profiles created from the CA Manager Private Server Certificate template. This enables users to select additional key usages when available. For example, if the key type is set as RSA, users can select "Key encipherment" as a key usage.

Resolved an issue where users assigned the User and certificate manager role encountered a generic permissions error when attempting to view certificate profiles or approve enrollment requests.

Resolved an issue with adding the common name (CN) as a SAN in Microsoft CA AWR flows.

Resolved an issue where the Certificates by CA vendor dashboard chart was not clickable and did not support drill-down into the Inventory view.

Updated the supported Dilithium ML-DSA OIDs to the final/approved set:

This agent update includes stability fixes and foundational enhancements to support future updates aimed at improving automation capabilities.

Resolved an issue where custom seat reports failed to generate when a Seat type filter was applied from the Seats page.

Resolved an issue where custom certificate reports did not apply the CA vendor filter when selected from the Inventory page.

Resolved an issue where 4096-bit key size enrollment failed for Microsoft CA certificate profiles due to the system incorrectly expecting a 2048-bit key size.

With this release, DigiCert​​®​​ Trust Lifecycle Manager introduces support for DigiCert On-prem CA as a new certificate authority (CA) connector. You can use this connector to issue and revoke certificates from your DigiCert On-premises Private CA, using the following profiles:

The DigiCert On-Prem CA connector also supports certificate discovery from the on-premises CA through:

For profiles created from the Public S/MIME Secure Email (via CertCentral) base template, the profile wizard's clone and edit pages have been enhanced to allow all fields to be edited, including the Generation type. This enhancement allows selection of the Multipurpose or Strict generation types. These replace the soon-to-be-deprecated Legacy generation type.

Enhanced the custom reports for seats to support the Email address and Consumed fields.

Resolved an issue where duplicate records appeared in the inventory when a network scan or agent discovered the same certificate.

Resolved an issue where setting the Basic Constraints extension with a Path length of 0 (indicating the end of the certification chain) was not supported. Additionally, a tooltip has been added to provide information about this value. It indicates that if the Path length value is left empty, the Path length will have a value of none.

Removed support for Composite and Falcon post-quantum cryptography (PQC) certificates, as these algorithms are still under active development and considered experimental. To learn more or test these PQC certificate types, visit the DigiCert LABS website.

Resolved issue with loading the Enrollments page for customers issuing certificates from profiles configured with EST enrollment and the TLS Certificate Auth authentication method.

ServiceNow app version 1.7.0 released for DigiCert​​®​​ Trust Lifecycle Manager with the following new features and enhancements:

This release of the DigiCert AutoEnrollment Server includes:

Enhanced the certificate and recover API endpoints to allow the recovery of escrowed certificates for profiles that do not use the REST API enrollment method but have the DigiCert Cloud Key Escrow feature enabled.

For profiles configured with the below settings, a new option labeled Deliver the escrowed certificate for matching enrollment requests is now available under the Flow Options > Key escrow options > DigiCert Cloud Key Escrow section to allow delivery of the same escrowed certificate to end users for matching enrollment requests:

Enhanced the web-based enrollment flow for public TLS server certificates requested from CertCentral to verify whether the requested domains have been prevalidated. If not, the following error is displayed before submitting the request:

Domains in email addresses must match a prevalidated domain in the CertCentral account. Check the following email address and try again: <email-address>

Enhanced the DigiCert® PKI Platform 8 connector to match the Seat ID values from PKI Platform 8 when importing certificates into Trust Lifecycle Manager. Previously, Trust Lifecycle Manager assigned seat IDs for imported certificates using the common name plus a timestamp.

Resolved issue where common name (CN) and SAN:dnsServer values were truncated on the Enrollment details page for enrollment requests for certificate profiles that use the Manual Approval authentication flow.

This sensor update includes the following fixes:

This agent update resolves an issue where the TPM would enter a panic state in specific conditions.

Resolved issue where users were unable to delete or cancel enrollments when the associated profile had been deleted. Users can now cancel the request.

Resolved issue where the agent failed to process large domain lists returned from custom SNI scripts.

With this release, DigiCert​​®​​ Trust Lifecycle Manager introduces a new feature that allows authorized administrators and users to create and manage certificate owners as additional contacts that can be associated with a certificate. This feature is supported for certificates associated with the following seat types:

The email address of the certificate owner will be used to send certificate lifecycle notifications, such as renewal emails.

Where can I configure contact information for certificate owners?

You configure certificate owners from the Account > Settings > Contacts page, which now includes the following two tabs:

Who can view, create, and manage certificate owners?

The Account > Settings > Contacts > Certificate owners tab is visible only to users with the View certificate owners permission. Only administrators with the Manage certificate owners permission can create, edit, or delete certificate owners.

Trust Lifecycle Manager now includes a new Certificate owners manager user role. This role includes the Manage certificate owners permission and can be assigned to users who need to manage certificate owners.

How can I assign owners to a certificate?

You can assign owners to certificates in the following ways:

What will happen when I renew my certificate?

When you renew a certificate, it inherits certificate owners from the following sources:

For more information, see Certificate owners.

Updated the CertCentral Public Server Certificate base template to support the PKCS#7 certificate delivery option for profiles configured with the REST API enrollment method. This option was previously supported for other web-based enrollment methods.

Enhanced the Qualys connector to import only end-entity certificates into inventory, excluding individual root and intermediate certificates.

Resolved issue where submitting a hello API request to a client-auth-enabled endpoint responded successfully even when no client certificate was included in the HTTP header. The endpoint now returns the error message JWS token is not provided if the certificate is missing.

Resolved issue with the character length limit that previously blocked the issuance of more than 18 DNS SANs. The new limit is now 100 SANs.

Resolved issue where the Admin web request enrollment flow failed to generate a CSR when the Subject DN contained an O field with a "/" character.

Resolved issue where the Security rating was incorrectly evaluated for user, code signing, and user certificates.

Fixed regression issue where the Trust Lifecycle Manager web console did not allow adding new recipients to agent, sensor, scan, and connector notifications.

Resolved issue where automation notifications were not being sent if the "Requester" was removed from the recipient list.

Resolved issue where managed certificates were incorrectly appearing under the "Discovered" category in the connector details page.

From this release, the Google Cloud Platform (GCP) unified connector now supports an additional authentication option to allow users to configure the application default credentials so the sensor can use one of the following sources configured on the sensor host:

This approach enables users to manage credentials locally on the sensor used for integration. When configuring the connector, select Authentication type > Application default credentials.

This enhancement applies only when the Automation feature is enabled for your account.

Added the CertCentral order ID for each certificate issued through the linked CertCentral account. To view the order ID in your Trust Lifecycle Manager inventory, select the certificate > Automation.

Added a new Add button to allow users to explicitly add SAN attributes without using the Enter key. This update applies to both certificate delivery and lifecycle automation flows.

Resolved issue where certificate renewal reminder emails were sent 90 days before expiry, even when the default renewal window in the profile wizard was set to 30 days.

Resolved issue where the Entrust connector would fail if one of the certificates being imported had an issue. The connector has been updated to skip such certificates and proceed with importing the others.

Resolved issue where Microsoft CA issuance was failing for the REST API enrollment method.

Resolved issue with the recovery of public S/MIME escrow certificates that failed due to an internal parsing error in enrollment flows configured with the Digicert cloud key escrow profile option.

Added support for the DigiCert cloud key escrow feature for post-quantum cryptography (PQC) certificates issued through Trust Lifecycle Manager. Supported PQC key types and algorithms include:

To enable the cloud key escrow option for PQC certificates, create certificate profiles from one of the following base templates. Enable escrow in the Flow options section of the profile.

With this release, Trust Lifecycle Manager introduces support for UltraDNS as a DNS integration. The UltraDNS connector can be used to automate domain validation for the same enrollment methods as the other DNS connectors.

The Microsoft CA Private Server Certificate template now supports Email and IP address attributes in the Subject DN and SAN fields.

Resolved issue where DigiCert​​®​​ Trust Assistant scripts were not removable from associated profiles.

Resolved issue where the Manage profile permission was incorrectly required to use the Add connector flow.

Resolved issue with the chaining logic when multiple intermediate CAs (ICAs) are present and signed by the same private CA root.

Resolved issue with CA connectors where the connector remained in the Running status when the certificate Import option was disabled on the configured connector.

As part of the Public S/MIME initiative to remove support for Legacy generation certificates on July 1, 2025 (see Knowledgebase article), the profile creation wizard now displays a warning if you select the Legacy generation option when creating a Public S/MIME certificate profile. The warning reminds users of the sunset date for Legacy certificates and strongly recommends choosing Multipurpose or Strict generation instead.

Resolved issue with accessing the authenticated self-service portal where, after successfully authenticating via single sign-on (SSO) to an identity provider (IdP), the portal was displaying a blank page with an im_auth_error messsage.

Announcing the formal qualification of Omnissa’s WorkSpace ONE integration with DigiCert​​®​​ Trust Lifecycle Manager, supporting a tight API integration for issuance of escrowed certificates.

For more details, see API integration guide.

Updated the Citrix FAS Smartcard Logon based template to support the issuance of certificates including a Security Identifier (SID) extension (OID: 1.3.6.1.4.1.311.25.2).

Enhanced the Microsoft Intune connector to capture error flows that occur after deleting a secret from the Azure portal and attempting to sync devices. From this release, the associated profiles are updated to the Action needed status. Failure audit log events are generated with the following message:

Unexpected error occurred during validation – update connector.

Resolved issue with the Subject DN and SAN fields section not being shown after editing a profile configured with the CSR enrollment method, using the CertCentral Private Server Certificate template.

Resolved an issue where import attributes were not allowed in a new connector if they were set in a previous connector in an inactive state.

Updated the Public S/MIME (Digital Signature only) for Intune (via CertCentral) template and renamed it to Public S/MIME for Intune (via CertCentral). This template now supports issuance of non-escrowed encryption certificates in addition to digital signature certificates. The template scope is now set to Unlimited, making it accessible to all customers.

Removed the Public S/MIME Secure Email (via PKI Platform 8) base template, as PKI Platform 8 no longer supports the issuance of Public S/MIME certificates. From this release, Public S/MIME certificates must be issued using the equivalent base templates available in CertCentral. These templates use trusted public issuing CAs configured on real CertCentral accounts. Ensure your system is connected using a DigiCert CertCentral connector. For setup information, see Link to CertCentral.

Additional validations have been added when setting the certificate validity period in a profile. If the defined validity period is more than the validity allowed by the base template and the expiration date of the associated issuing CA, then the following error message is displayed:

You have exceeded the max validity period for the certificate template or the issuing CA. We will round the value to match the maximum validity period.

You can now add multiple CertCentral connectors for different CertCentral accounts via DigiCert single login. This enhancement allows admins to connect Trust Lifecycle Manager to multiple CertCentral accounts available from their DigiCert single login account.

The Google Cloud Platform (GCP) unified connector now supports automating TLS certificate deployments for HTTP-to-HTTPS redirects for the following GCP load balancer types:

Updated the list of allowed profile fields for creating a Seat to include support for the SAN:URI (Uniform Resource Identifier) extension value.

Resolved issue with the Subject DN and SAN fields section not being shown after editing a profile configured with the CSR enrollment method, using the CertCentral Private Server Certificate template.

GCP Unified Connector now supports certificate delivery to certificate maps configured in GCP Certificate Manager using the Admin web request function. With the enhanced GCP unified connector, user can deliver the certificate using the following options:

You can now use letters (a–z, A–Z), numbers (0–9), number signs (#), spaces, colons (:), periods (.), ampersands (&), and at symbols (@) in addition to the existing characters, when setting tags . This enhancement helps you easily identify and manage certificates issued from specific profiles.

With this release, DigiCert​​®​​ Trust Lifecycle Manager introduces a new option under system Settings to enable and configure account-level system scans. This feature triggers a system scan on any newly provisioned agent. The scan runs only once after provisioning is complete, while subsequent scans can be configured in the same way as before this release.

A user can take ownership of a discovered certificate by assigning it to their business unit. With this update, they can also move discovered certificates out of their business unit by unassigning them in case the assignment was made by mistake.

Qualys connector configuration is enhanced to support additional special characters in the Username field. You can now use the following characters:

The Microsoft Intune Connector now includes enhanced validation logic for the Platform URL field. Administrators are required to enter only the domain, immediately following https://. This will avoid any misconfigurations of the URL upfront.

Resolved issue with adding ADC connector when there is only one sensor in the account.

Resolved issue with the sensor heartbeat interval update, ensuring users are informed when an update is in progress.

Resolved an issue where the agent installed on Ubuntu 22 failed to issue or renew certificates using NGINX due to missing client dependencies required for automation.

Improved Intune service to support GCCH solution. The same Intune templates can be used for both standard Azure and GCCH platforms. However, you must enter the appropriate platform URL when configuring the Intune connector.

Updated the Microsoft CA templates listed below to support the SCEP enrollment method for issuing private certificates from a customer’s Microsoft CA via DigiCert sensor technology:

Prerequisites

Ensure the following requirements are met:

Additional information

Support for the creation of custom reports from the Seats list page

From this release, you can now edit existing custom reports from the reports library page, enabling you to add or remove fields without the need to create a new report.

You can now create custom reports from the Account > Seats page. Use the seat table filters to list the applicable seat records, then select the download icon above the table and select the Create custom report button in the siderail that opens. You can customize which fields to include in the report and whether to run it once or on a recurring schedule.

From this release, you can also edit existing custom reports from the Reporting > Report library page. This allows you to add or remove fields without the need to create a new report.

Enhanced the self-service portal to support a new optional filter, allowing end-users to distinguish between private and public certificates that chain up to a publicly trusted root CA. The new column/filter currently supports these two values:

Resolved an issue preventing the issuance of duplicate certificates across profiles associated with the Public S/MIME Secure Email (via CertCentral) template.

Resolved issue with the Subject DN and SAN fields section not being shown after editing a profile configured with the CSR enrollment method, using the CertCentral Private Server Certificate template.

Resolved an issue causing SAML errors for the authenticated self-service portal users during enrollment.

Resolved issue with creating instant enrollments reports.

Resolved an issue where DigiCert​​®​​ Trust Assistant failed to connect with the backend server during SSO sign-in when multiple proxy URLs were specified in the PAC file.

Resolved an issue with auto-enroll/renew timeouts by implementing an automatic retry mechanism that checks every 5 minutes.

Resolved a timeout issue with the post-processing script by increasing the timeout to 30 seconds.

Resolved an issue where a tmp.node file was being created under the system's temp folder during DigiCert​​®​​ Trust Assistant boot when using AppLocker.

Resolved an issue where the diagnostic zip file could not be saved on non-english Windows operating systems.

Resolved an issue where a TypeError occurred during PowerShell calls invoked from post-processing scripts.

DigiCert​​®​​ Trust Lifecycle Manager now includes a Google Cloud Platform (GCP) connector for certificate discovery and lifecycle management.

With the new GCP unified connector, users can:

Supported load balancers for automation:

The maximum certificate validity period for profiles created from the following templates is now 3 years:

Resolved the login authorization error during certificate renewal for profiles using an outdated SAML authentication configuration.

Resolved the "Certificate template is not registered with the server" issue for clients requesting unregistered templates in the Autoenrollment Server.

Resolved an issue in the self-service portal where the .p7b certificate download did not include the full CA chain for profiles with the “advanced certificate delivery” option enabled.

This release of the DigiCert AutoEnrollment Server includes:

For details, see Autoenrollment Server.

For profiles using SAML IdP authentication, you can now map a SAML attribute (for example, Name ID) to the Seat ID. The system retrieves the attribute's value from the SAML assertion and assigns it as the Seat ID.

Qualified support for Intune services on the Government Community Cloud High (GCCH) platform.

Admins assigned to one or more business units now see dashboard data only for their assigned units. The business unit dropdown at the top of the page will also display only the units they have access.

The SCEP enrollment method is no longer supported by the Public S/MIME Secure Email (via CertCentral) template.

From this release, issuance of Public S/MIME certificates will be supported via the following flows:

Resolved encoding issue with the SAN:registeredID field.

Resolved an issue where the Intune connector remained stuck in the “Action needed” status.

Resolved an issue where the renewal reminder job failed to process deleted non-REST profiles.

CertCentral now supports issuing Public S/MIME sponsor-validated, non-escrowed RSA certificates via Intune SCEP profiles.

A new limited template called Public S/MIME (Digital Signature only) for Intune (via CertCentral) is now available for DigiCert-hosted platforms. Contact your DigiCert representative to assign this template to your account.

To configure Azure authentication, you need a Microsoft Intune connector in Trust Lifecycle Manager. For connector configuration details, see Microsoft Intune connector.

Authorized administrators can now manually override the validity period for Public and Private TLS Server certificate requests in CertCentral that require review and approval.

New REST API endpoints allow you to create, read, and delete custom attributes.

For details, see API endpoint documentation.

The Generic User, Device, and Server certificate templates now support a maximum validity of 20 years, up from the previous 10-year limit.

Updated the Adobe CDS private/limited template to support the SAML IdP authentication method.

Improved audit log failure events for:

Resolved an issue where profile tags were:

Resolved an issue where the Intune certificate import flow stopped working after importing more than 100 users.

Increased the maximum number of custom attributes to be configured per account from 10 to 15.

Resolved an issue where the Cert-Delivery plugin could not download certificate files via proxy when the agent was provisioned through a sensor. A new plugin has been created to resolve this issue.

Resolved an issue where certificate installation failed on A10 load balancers due to a limitation in handling chunked ICA uploads for files larger than 4 KB. The chunk size has been increased to 16 KB, allowing up to six intermediates (each 2.5 KB), ensuring successful ICA binding for larger files.

Resolved an issue where certificate revocation requests failed in the open self-service portal for customers with the revocation feature enabled.

Resolved an issue where the profile response API endpoint did not return the correct values for the following parameters when configured in a profile:

The following Microsoft CA templates now support the EST enrollment method, enabling private certificate issuance from a customer’s Microsoft CA through DigiCert sensor technology:

New REST API endpoints enable administrators to be assigned or removed from a business unit using their GUID. Here are the new endpoints and links to the Swagger API reference documentation for them:

Added new email notification templates to notify customers about profile status changes, including:

These notifications can be enabled or disabled and customized from the Policies > Notifications page in Trust Lifecycle Manager, filtering for Profile management in the Category column.

Enhanced the Adobe Individual in Organization (via CertCentral) template to support the REST API enrollment method and allow API-based integrations for the issuance of private Adobe CDS certificates and lifecycle operations.

The Adobe CDS template now supports the DigiCert ONE Login authentication method. This enables integration with IdP users via SAML or OIDC, linking them to a DigiCert ONE account for advanced DigiCert​​®​​ Trust Assistant auto-enroll and auto-renew features.

Starting with this release, all Enrollment over Secure Transport (EST) enrollment and renewal URLs have been shortened to accommodate devices with size or format restrictions and better comply with RFC standards.

Here are the example URLs illustrating the changes:

For EST enrollment URL:

For EST server renewal URL:

For EST server renewal URL using “clientauth” endpoint:

When importing certificates from a Microsoft CA connector using the option to import from Specific templates on the Microsoft CA, Trust Lifecycle Manager will not import any certificates unless there is at least one matching user-specified template. Previously, all certificates were imported when there was no matching template.

Enhancements to the Admin web request enrollment method:

Added a User ID field to the authenticated self-service portal, which automatically maps to the SAML NameID value from the SAML assertion.

Key details:

This release introduces support for the underscore (_) character in the SAN:dnsName field for certificate profiles using a private issuing CA in DigiCert® Private CA.

Resolved an issue where certificate imports failed for PKI Platform 8 accounts without a sub-account. Previously, customers had to create a placeholder sub-account as a workaround, but this is no longer necessary.

AI Assist is a new AI-powered chatbot designed to help DigiCert​​®​​ Trust Lifecycle Manager administrators. It provides answers to product usage, onboarding, configuration, installation, and API integration queries by sourcing relevant information from our documentation websites: DigiCert product documentation, DigiCert developer portal, and DigiCert ONE.

Features of the AI chatbot:

Where can I find the AI chatbot?

You can access AI Assist by selecting the question mark in the top-right corner of the DigiCert​​®​​ Trust Lifecycle Manager administration screen. The chatbot will open on the same screen.

Who can use the AI chatbot?

AI Assist is available to all Trust Lifecycle Manager users with Account Admin access.

Can I chat with live customer support?

No, AI Assist does not support live chat with customer support. For assistance, contact support via email, phone, or a support ticket.

The new custom attributes feature allows customers to create and manage up to 10 custom attributes per account. These attributes can be linked to profiles or certificates, depending on user permissions.

Access and permissions

Configuration and attribute types

Custom attributes are configured in Account > Settings > General > Custom attributes and can be set as:

Using custom attributes

Once an authorized administrator configures custom attributes, they can be assigned to profiles.

Custom attribute operations

Authorized administrators can manage custom attributes and the following actions are available:

For details, see Custom attributes.

Added support for the new strict and multipurpose generation certificates for the following templates:

The following changes align with the Public S/MIME CAB Forum standard:

The DigiCert​​®​​ Trust Assistant v1.2.2 release includes the following new features and enhancements.

Manual and auto recovery of escrowed certificates

A new feature that allows end users to manually or automatically recover certificates that were issued and escrowed in the DigiCert cloud.

Key recovery prerequisites

The profile must be configured as follows:

For more details, see Manual and auto recovery of escrowed certificates.

Sign-out functionality

Use this feature to sign out of DigiCert​​®​​ Trust Assistant and return to the logged-out state. All the features of DigiCert​​®​​ Trust Assistant described in Signing in with DigiCert ONE will not be available after signing out.

The new Sign-out functionality is available from the DigiCert​​®​​ Trust Assistant context menu (avatar icon at the top-right of the dashboard).

After signing out, you can sign in again as the same user or as a different user. To sign back in, see Signing in with DigiCert ONE .

For more details, see Sign out of DigiCert Trust Assistant.

UI enhancements

Admin web request flows for agent certificate delivery now support a post-script option. Administrators can configure the agent to execute a script after certificate delivery, enabling customization and extending capabilities to bind certificates to unsupported applications and use cases.

Administrators can:

The DigiCert® PKI Platform 8 CA connector now supports the automatic import of:

Administrators can control imports using filters based on account, sub-account, profile, and certificate status.

Key details:

Import functionality for the connector

To enable the import functionality for the connector, contact your platform administrator and enable the PKI8 Connector - import attributes feature in the Account Manager application.

For more details, see DigiCert PKI Platform 8.

Updated the GET business unit API endpoint to include the following data for the responses:

Here's an example response:

{
    "id": "67faf4c0-45a4-42e1-8f8a-b723d0d50262",
    "name": "Default Business Unit",
    "active": true,
    "created_at": "2024-12-17",
    "account": {
        "id": "3392fd77-19b4-43b4-afec-f796c1cc5896",
        "name": "Marseille_Seaport_Account"
    },
    "admins": [
        {
            "id": "28dc6055-e83b-4549-b8c4-f024ce41cbdb",
            "name": "admin001 admin",
            "email": "admin001@yopmail.com"
        },
        {
            "id": "a18cc97a-4b45-4f07-989d-e3448ecfc7b0",
            "name": "Edmond Dantès",
            "email": "edmond.dantes@yopmail.com"
        }
    ],
    "available_seats_stats": [
        {
            "type": "USER_SEAT",
            "display_name": "User seat",
            "licensed_amount": 1000,
            "allocated_amount": 3,
            "created_amount": 4,
            "pending_enrollment": 0,
            "in_progress_enrollment": 0
        },
        {
            "type": "DEVICE_SEAT",
            "display_name": "Device seat",
            "licensed_amount": 1000,
            "allocated_amount": 0,
            "created_amount": 0,
            "pending_enrollment": 0,
            "in_progress_enrollment": 0
        }
  }

DigiCert AutoEnrollment Server qualification of the Luna HSM Client 10.7.2-16 for both SafeNet Network HSM and SafeNet DPoD (Data Protection on Demand) Cloud HSM. For more details, see SafeNet HSM installation and configuration.

Certificate Management seat-type templates now allow selecting multiple key sizes when creating a profile. This enables administrators to issue certificates with different key sizes without cloning the profile.

This option is available for the following enrollment methods:

This option is available for the following CAs:

With sensor version 3.9.5, DigiCert​​®​​ Trust Lifecycle Manager sensors now support server-sent events for near real-time responses to job requests.

This feature can be enabled under Advanced settings on the Sensor details page.

The OpenSSL packages have been updated to v3.0.15, and are now included in the automation package used by the agent.

Resolved issue with revocation operations failing for users via the open self-service portal.

Resolved an issue where renewal email notifications were sent a day earlier than configured. The calculation logic caused the discrepancy, which excluded both the current day and the "valid to" date, leading to incorrect scheduling.

Resolved an issue where MSCA templates appeared as undefined due to misconfiguration on the CA side. Logic has been added to ignore such templates.

Resolved an issue where the installation step in the automation flow failed due to a malformed response for root and intermediate certificates.

Resolved an issue with the serial number column not showing correctly in the report.

Resolved issue by removing the replace external filter status when the user drills down from dashboard.

Resolved an issue where certificates with the replace external status were showing incorrectly. Removed the replace external filter when users drill down from the dashboard.

Resolved an issue with the issuance of duplicate certificates for profiles configured with the SCEP enrollment method.

A new Adobe CDS 'limited' template is now available for issuing private certificates. This template is tied to the User seat type and includes the following two EKUs:

Any private CA can use this template. To enable it for your DigiCert ONE account, contact your account representative.

The self-service portal now supports additional certificate delivery options for all certificate types. Users can access these by selecting the Show additional download options link inside the Download certificate pop-up and switch back to standard options by selecting Show standard download options.

Audit logs now include failure events for cases where no seats are available in the business unit tied to the profile used for certificate issuance.

DigiCert​​®​​ Trust Lifecycle Manager users with Pending status in the Account Manager can now be assigned to or unassigned from business units as needed.

The Pending status users are now displayed in the Manage account users dropdown under Business Unit settings, allowing administrators to manage their assignments.

Resolved an issue where certificate revocation requests sent from Inventory failed when a profile was configured to send a revocation email to the certificate owner, but no email address was found associated with the requester, enrollment, or seat.

From this release, revocations will succeed even if no email address is associated with the requester, and the transaction will not be rolled back.

Resolved an issue where SAML IdP-initiated enrollment and renewal flows failed with a Null error due to a missing URL in the required SAML parameters.

ServiceNow app version 1.6.0 released for DigiCert​​®​​ Trust Lifecycle Manager introducing new features, enhancements, and fixes:

Certificate renewals

Multiple key sizes

Profiles with multiple key sizes now display all supported options during the certificate request process. Requesters can submit CSRs for any supported key size.

DigiCert ONE platform configuration for admins

ServiceNow administrators can configure the DigiCert ONE platform URL the app connects to, regardless of the ServiceNow instance type. Options include selecting a DigiCert ONE instance from a dropdown or selecting the Others option manually to specify a custom DigiCert ONE domain, such as, for locally hosted instances.

Pending certificate request enhancements

The Pending certificate requests page now defaults to displaying requests in the Pending approval state. Status updates are supported post-approval, such as reflecting a Failed status if issues arise.

Improved navigation

Users can now seamlessly navigate from Pending certificate requests > Certificate request # > Certificate information > View certificate for better accessibility.

Certificates as attachments

Certificates issued through REST API enrollment requests are now included as attachments in ServiceNow emails, making them easier for end-users to access.

Fixed value issue for SAN/SDN fields

Resolved issues with fixed values in Subject Alternative Name (SAN) and Subject Distinguished Name (SDN) fields.

Support for additional certificate delivery formats has been extended to the following templates for profiles using the CSR enrollment method with any supported authentication method if the feature is enabled:

The self-service portal now supports additional certificate delivery options for all certificate types downloaded through the portal.

Resolved an issue with CertCentral Domain Validated (DV) product types in the CSR/Manual approval flow. DV products have been removed from the list of selectable options when creating profiles using CertCentral Public or Private Server Certificate templates because they do not support this flow. Use a non-DV CertCentral product type instead.

Renewal emails will now also reach seats with a specified Seat Email value set. This ensures that customers can set a new email address for a Seat object even if the original requester has left the organization.

Resolved an issue in agent details where selecting "Unsecured IP/ports" caused the display to briefly switch to secured ports before returning to "Unsecured IP/ports."

The Delete option is now restricted to the Discovery view, ensuring it applies only to discovered certificates.