
Trust Lifecycle Manager

Release notes

December 17, 2024

DigiCert® ONE version: 1.8893.10 | Trust Lifecycle Manager: 1.3717.0

New

Custom reports - user permissions

The custom report wizard now includes a new Permissions section, giving report administrators control over who can access a generated custom report:

  • Only me: Restricts access to the user creating the report (current behavior).

  • Only specified users: Grants access to selected users within the DigiCert ONE account.

Enhancements

Masking global enrollment code

For profiles using a "global enrollment code," the code will now appear partially masked in the profile details and edit pages, displaying only the last three characters.

When updating the code, administrators will see a warning pop-up highlighting the risk of failure for existing or non-redeemed enrollments due to an incorrect global enrollment code. Administrators must confirm the update to proceed.

Given Name and Surname maximum sizes

Increased the maximum allowed size for the Subject DN Given Name and Surname fields to 64 characters.

Note

For Public S/MIME certificates issued from CertCentral, the concatenated Given Name and Surname values in the Common Name field cannot exceed 64 characters. If this limit is exceeded, the certificate request will fail with an error and will not be signed.

Fixes

Authorization error in profile details page

  • Resolved an “Authorization error” on the Profile details page for profiles created using the Public S/MIME Secure Email (via PKI Platform 8) template when users with only the "View only" role accessed the page.

  • Resolved an “Authorization error” on the Profile details page for profiles with the self-service portal feature disabled when users without the SSP manager role attempted to access the page.

Renewal options text

Updated the text in the Renewal options section of the profile wizard to remove any references to renewing a certificate after it has expired.

Inventory pagination issue

Resolved an issue where the pagination on the Inventory page was unresponsive.

Admin web request flow - AWS ACM regions

Resolved an issue where AWS Certificate Manager (ACM) regions were not displayed in the Admin web request flow in certain cases.

Issuing CA visibility for CertCentral profiles

Resolved an issue where the CertCentral issuing CA was not displayed when creating or editing a profile from a CertCentral-based template if no private root CAs were available in CA Manager for the account. This dependency has been removed.

December 11, 2024

DigiCert® ONE version: 1.8893.5 | Trust Lifecycle Manager: 1.3696.0

New

Support for TDS protocol in network scans

Network scans now support the Tabular Data Stream (TDS) protocol used by database servers, such as Microsoft SQL Server. Administrators can enable this for new or existing scans using the default port or custom ports.

Note

TDS protocol scanning requires sensor version 3.9.5 or later.

Enhancements

Certificate renewal logic

This enhancement prevents renewal errors caused by changes to a profile’s Subject DN configuration.

For certificates within the renewal window and associated with User, Device, Server, or Organization seat types, the renewal process will now replicate the Subject DN fields of the original certificate, without referencing the profile configuration.

If the profile is modified with new Subject DN fields, a new certificate must be issued. Renewed certificates after the profile change will retain the original Subject DN fields, not the updated ones.

Sensor release 3.9.5

New DigiCert sensor release with the following updates:

  • Enable TDS protocol scanning for database servers.

  • Prepare for upcoming enhancements, including support for Server-Sent Events (to be enabled in the future on Trust Lifecycle Manager).

Additional certificate delivery formats

In the previous release, additional certificate delivery formats were supported for profiles created from the CertCentral Public or Private Server Certificate templates. Support for additional certificate delivery formats is now extended to profiles configured using the CSR enrollment method and any supported authentication method from the following templates:

  • Generic User Certificate

  • Generic Device Certificate

  • Generic Private Server Certificate

  • Private S/MIME Secure Email

  • Windows BitLocker Data Recovery Agent

  • All GSMA templates (only supported by DigiCert-hosted platforms)

Self-service portal enhancements

The following improvements are now introduced to the SAML-authenticated user self-service portal:

  • Updated tab labels:

    • Enrollment URLs is now labeled Certificate requests for better clarity.

    • Certificate pickup URLs is now labeled Manage requests.

  • Enhanced the Manage requests tab:

    • A new Status column displays the status of each request, such as Pending, Approved, Rejected, or Pending second approval.

    • Users can take actions based on the request status, such as canceling an approved certificate request.

Self-service portal administrators can now configure whether to display the Certificate requests and/or Manage requests tabs on the user self-service portal.

DigiCert cloud key escrow support for Generic User Certificate template

The Generic User Certificate template now includes support for cloud key escrow and recovery flows. Administrators can configure the DigiCert Cloud Key Escrow option when creating a profile from this template, similar to the functionality available in the Public and Private S/MIME templates.

DigiCert ONE Login authentication for Adobe and BitLocker templates

The Adobe Individual Organization (via CertCentral) template and the BitLocker Data Recovery Agent template now support the DigiCert ONE Login authentication method.

Fixes

Self-service portal - Public Server Certificate download in p7b format

Resolved an issue where Public Server TLS certificates downloaded from the user self-service portal did not include the CA chain.

December 4, 2024

DigiCert® ONE version: 1.8893.1 | Trust Lifecycle Manager: 1.3656.0

New

Custom certificate report data

When creating custom certificate reports, users can now select a date range to limit the data included in the report. For recurring reports, users can choose from predefined date ranges up to one year before report generation. For one-time reports, users have the additional option to specify a custom date range. The following table lists all the available date ranges by report type.

Report type: Run once

Custom report data:

  • Specific date

  • Last 7 days from generation date

  • Last 14 days from generation date

  • Last 30 days from generation date

  • Last 60 days from generation date

  • Last one year from generation date

  • Custom dates (from-to) from generation date

Report type: Weekly or Monthly

Custom report data:

  • Last 7 days from generation date

  • Last 14 days from generation date

  • Last 30 days from generation date

  • Last 60 days from generation date

  • Last one year from generation date

New data type for custom extension

Support has been added for a new DER ENCODED data type in the JSON-based configuration for custom extensions within the profile wizard.

Enhancements

Option to recover an existing certificate

For certificate profiles configured with Cloud Key Escrow and the Allow duplicate certificates setting enabled, a new default option allows recovering the same issued certificate instead of creating a new duplicate. For new profiles, this option is enabled by default. For existing profiles, it remains disabled to preserve the current behavior of issuing new duplicates.

Note

This feature is available for certificate profiles configured with the following enrollment methods:

  • Browser PKCS12

  • REST API

Support for UTF8String in Subject DN User ID

The Subject DN User ID field now uses UTF8String instead of PrintableString.
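To make the PrintableString versus UTF8String distinction concrete, here is an added example (not DigiCert's code) that DER-encodes a Subject DN with the string type chosen per attribute, and also applies the 64-character Given Name and Surname limit and the Public S/MIME Common Name concatenation limit described in the December 17 notes. The attribute OIDs and ASN.1 tags are standard X.520/X.680 values; the assumption that the Common Name is formed as "Given Name Surname" with a single space is mine, not stated on this page.

```python
import re

# Standard ASN.1 DER tags and X.520 attribute OIDs (not DigiCert-specific values)
TAG_UTF8STRING = 0x0C
TAG_PRINTABLESTRING = 0x13
OID_CN = "2.5.4.3"
OID_SURNAME = "2.5.4.4"
OID_GIVEN_NAME = "2.5.4.42"
OID_USER_ID = "0.9.2342.19200300.100.1.1"  # userId (RFC 4519)

# PrintableString alphabet (X.680): letters, digits, space and ' ( ) + , - . / : = ?
# '_' and '@', both common in user IDs, are NOT in this set.
PRINTABLE_RE = re.compile(r"^[A-Za-z0-9 '()+,\-./:=?]*$")


def is_printable(value: str) -> bool:
    """True if value can be carried in a PrintableString without data loss."""
    return bool(PRINTABLE_RE.match(value))


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(oid: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # last octet has the continuation bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def encode_string(value: str, tag: int) -> bytes:
    """Encode a directory string; refuse PrintableString for out-of-alphabet text."""
    if tag == TAG_PRINTABLESTRING and not is_printable(value):
        raise ValueError(f"{value!r} cannot be encoded as PrintableString; use UTF8String")
    return der_tlv(tag, value.encode("utf-8"))


def encode_rdn(oid: str, value: str, tag: int) -> bytes:
    """RelativeDistinguishedName ::= SET OF AttributeTypeAndValue (one attribute here)."""
    atv = der_tlv(0x30, encode_oid(oid) + encode_string(value, tag))
    return der_tlv(0x31, atv)


def check_name_limits(given_name: str, surname: str, public_smime: bool) -> list:
    """Return the field-size rule violations from the release notes (empty list if none)."""
    problems = []
    if len(given_name) > 64:
        problems.append("Given Name exceeds 64 characters")
    if len(surname) > 64:
        problems.append("Surname exceeds 64 characters")
    # Assumption: CN is built as "<Given Name> <Surname>"; the 64-character CN
    # limit applies to Public S/MIME certificates issued from CertCentral.
    if public_smime and len(f"{given_name} {surname}") > 64:
        problems.append("Common Name (Given Name + Surname) exceeds 64 characters")
    return problems


def build_subject_dn(given_name: str, surname: str, user_id: str,
                     uid_tag: int = TAG_UTF8STRING, public_smime: bool = False) -> bytes:
    """DER Name ::= SEQUENCE OF RelativeDistinguishedName; UID is UTF8String by default."""
    problems = check_name_limits(given_name, surname, public_smime)
    if problems:
        raise ValueError("; ".join(problems))
    rdns = (
        encode_rdn(OID_GIVEN_NAME, given_name, TAG_UTF8STRING)
        + encode_rdn(OID_SURNAME, surname, TAG_UTF8STRING)
        + encode_rdn(OID_CN, f"{given_name} {surname}", TAG_UTF8STRING)
        + encode_rdn(OID_USER_ID, user_id, uid_tag)
    )
    return der_tlv(0x30, rdns)


if __name__ == "__main__":
    # Constructed sample: a user ID containing an underscore, which PrintableString cannot carry
    dn = build_subject_dn("Ada", "Lovelace", "ada_l")
    print(dn.hex())
    print("UID 'ada_l' representable as PrintableString?", is_printable("ada_l"))
```

Switching the UID attribute to UTF8String matters because `is_printable("ada_l")` is false: a profile that emitted the UID as PrintableString would either reject such values or silently produce a malformed encoding, whereas the UTF8String tag (0x0C) carries any Unicode text.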

System administrators can manage business units

System administrator accounts now include the Manage business units permission by default, so DigiCert system administrators can edit business units and adjust seat allocations or removals across multiple units.

Delete discovered certificates configured for automation

Trust Lifecycle Manager now supports deleting discovered certificates that are configured for automation, along with any associated endpoint data for the discovered certificates.

Unique certificates view default in inventory

The Unique certificates view is now the default view in Trust Lifecycle Manager inventory.

  • This view shows up to 50,000 unique certificates as compared to 1,000 certificate instances shown in other views.

  • Dashboard shortcuts in the Certificates expired or expiring and Certificates by CA vendor widgets now launch the Unique certificates view, pre-filtered to the applicable certificate records.

Note

This change applies to all Trust Lifecycle Manager customers unless a custom default view has already been set.

Extend "Replaced external" status to network discovery

Network discovery now marks certificates identified as replaced during subsequent scans with the Replaced external status.

Filters retained in Inventory navigation

Filters applied in the Inventory view are now retained when navigating between different pages.

Scan name added to certificate details

The scan name is now displayed as a field under the Additional details tab on the certificate details page.

Retrieve hostname during network scans

Network scans now perform a reverse lookup to retrieve the DNS hostname of the scanned target. A new Host name column and associated filters have been added to the All certificates and Discovery views.

Note

To retrieve hostnames for previously discovered deployments, run the network scan again.

Fixes

Duplicate certificates with country code

Resolved an issue where duplicate certificates were issued for profiles configured to disallow them, specifically when the Country field was included in the Subject DN.

Dashboard certificate usage graph

Resolved an issue where the certificate usage graph on the dashboard displayed inaccurate data.

Enrollment details permission issue

Resolved an authorization permission issue on the enrollment details page by adding the View profile permission to the User and certificate manager user role.

November 20, 2024

DigiCert® ONE version: 1.8663.5 | Trust Lifecycle Manager: 1.3603.0

New

DigiCert Trust Assistant release v1.2.1

The DigiCert® Trust Assistant v1.2.1 is now fully compatible with macOS Sequoia. Administrators can download the new client from the Discovery & automation tools > Client tools menu option, while end users can access it during the enrollment process. This release includes security updates and the following enhancements:

  • Renamed option: Download is now Export in certificate management.

  • Configurable timeout duration: Added a new configuration parameter setting.dcTlsClient.timeoutSec to configure the timeout duration for DigiCert ONE Login access. Refer to Configuration parameters for all the available configuration parameters.

  • Hardware token synchronization: Added a message prompting users to remove and reinsert hardware tokens to synchronize certificates with macOS.

  • Automatic YubiKey synchronization: Certificates on YubiKey tokens now synchronize automatically with Windows.

  • OS-level notifications:

    1. Added more notifications for actions such as:

      1. Renewal reminders

      2. Silent issuance of new or renewed certificates

      3. Assignment of new profiles for manual enrollment

      4. Availability of new client version

      5. Unread notifications detected

    2. Action buttons in OS notifications now work like notifications inside the application, allowing users to perform actions directly. Refer to Notifications for more information.

For more information about the enhancements, see the DigiCert Trust Assistant guide.

Additional certificate delivery options

For profiles using CertCentral as the issuing CA and configured with the CSR enrollment method and Manual approval authentication, administrators can now enable the Enable additional delivery formats checkbox in the profile wizard. When enabled, this option allows end users to download the certificate in multiple formats by selecting More options... from the dropdown list on the Download certificate page.

Admin renewal comments for "resend renewal email" action

When resending a renewal email for certificates within the renewal window, administrators can add a comment. This comment will be included in the renewal email sent to the end user.

Support for Step CA

With this release, Trust Lifecycle Manager introduces support for Step CA as a new certificate authority (CA) for certificate issuance and automated lifecycle management, using the following enrollment methods:

  • Admin web request

  • DigiCert sensor

  • REST API

Administrators can set up their step-ca server and integrate it with Trust Lifecycle Manager using the new Step CA connector type. After adding the connector, administrators can use the Step CA private server certificate base template to create certificate profiles for issuing and automating certificates from the connected Step CA.

Notice

To set up this integration, the Step CA feature must be enabled for your account. Contact your DigiCert account representative to verify or enable this feature.

Enhancements

Self-service portal enhancements

The user self-service portal has been updated with the following enhancements:

  • Inventory tab renamed: The Inventory tab is now labeled Certificates for improved usability.

  • Enhanced certificate visibility for SAML users: In the SAML-authenticated self-service portal, the Certificates tab now displays all certificate requests submitted by the logged-in user based on their SAML NameID attribute. This removes the previous dependency on the user’s email address being included in the certificate.

Certificate details page - SHA1 thumbprint

The certificate details page now displays the SHA1 thumbprint (hash) alongside the existing SHA256 thumbprint for enhanced visibility.

Custom extensions on the profile details page

The profile details page now displays custom extensions and Enhanced Key Usage (EKU) extensions for supported profiles. This includes the custom extensions' JSON configuration and the configured EKU OIDs.

Non-addressable virtual IP addresses for NetScaler

Trust Lifecycle Manager now supports automation for non-addressable virtual IP addresses (0.0.0.0:0) on NetScaler.

Fixes

DigiCert Trust Assistant v1.2.1 fixes

  • Unauthenticated HTTP proxy: Resolved an issue where the DigiCert® Trust Assistant could not handle unauthenticated HTTP proxies.

    Note

    For authenticated HTTP proxies, you can configure your proxy to bypass authentication for specific DigiCert FQDNs until full support is added.

  • Software KeyStore issue: Resolved an issue with DigiCert Software KeyStore not loading properly.

November 13, 2024

DigiCert® ONE version: 1.8663.4 | Trust Lifecycle Manager: 1.3579.0

New

Public S/MIME - Mailbox-validated certificate types

We currently support the issuance of Legacy-generation/Sponsor-validated certificates from CertCentral using various enrollment methods (REST API, Browser PKCS12, DigiCert Trust Assistant, CSR, or Microsoft Autoenrollment) after DigiCert validates the organization and email domains.

From this release, we also support Legacy-generation/Mailbox-validated certificate types, allowing issuance of Public S/MIME certificates for non-validated email domains, if the user proves ownership of the email address or mailbox. The email challenge originates from CertCentral, not DigiCert ONE, because CertCentral secures the public issuing CAs for issuing S/MIME certificates.

The issued certificate is tagged with Certificate Policy OID: 2.23.140.1.5.1.1, as per the S/MIME Baseline Requirements standard for publicly trusted certificates.

The profiles must be linked to the CertCentral Secure Email for Individual product type, which supports the following web-based enrollment and authentication methods, and optionally, the Cloud Key Escrow feature:

Enrollment method:

  • Browser PKCS12

  • CSR

  • DigiCert Trust Assistant

Authentication method:

  • Enrollment code

  • Manual approval

  • SAML IdP

Note

Renewal of Mailbox-validated certificates will be supported in a future release.

Enhancements

Revocation reasons for Delete Seat API requests

The Delete Seat API endpoint now supports specifying a revocation reason, rather than defaulting to "Cessation of operation." If no reason code is provided, "Cessation of operation" will continue to be used. For details, see the API endpoint documentation.

Supported reason codes that apply to both private and public certificates:

  • key_compromise

  • affiliation_changed

  • superseded

  • cessation_of_operation

CSR support for CertCentral Server Certificate and Microsoft CA Private Server Certificate templates

The Private CertCentral Server Certificate and the Microsoft CA Private Server Certificate templates now support the CSR enrollment method for web-based enrollment flows, along with all associated authentication methods:

  • Manual approval

  • Enrollment code

  • SAML IdP

The Authentication enrollment fields section is now enabled, allowing profile administrators to set custom optional or required fields on enrollment pages. Users can fill out these fields, and the submitted data will be visible to administrators on the enrollment details page, helping them decide whether to approve or reject the enrollments.

Authenticated self-service portal enhancements

The authenticated self-service portal (Inventory tab) now displays not only user-owned certificates but also retrieves the server and device certificates linked to the SAML-authenticated user. This is done by matching the logged-in user’s email address with the email address in the certificate.

Note

In a future release, the portal will display certificates issued to the user who submitted the request, based on portal authentication, without requiring an email match in the certificate.

Fixes

API returns the incorrect key size

Resolved issue with the API response returning the incorrect key size in the certificate profile.

Duplicate CertCentral certificates

Resolved an issue that caused duplicate certificate entries in CertCentral when users reopened the same pickup URL and attempted to regenerate a previously issued certificate.

CSR with "BEGIN NEW CERTIFICATE" tag

Resolved an issue where web enrollment pages did not accept CSRs with the ---BEGIN NEW CERTIFICATE REQUEST--- tag, only accepting ---BEGIN CERTIFICATE REQUEST--- (without “NEW”). Validation checks and error messages have been improved for clarity.
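The fix above comes down to accepting both PEM labels while still validating the request body. The following is an added example (not DigiCert's code) of how an enrollment endpoint can do that: it recognises both the RFC 7468 label "CERTIFICATE REQUEST" and the legacy "NEW CERTIFICATE REQUEST" label with the standard five-hyphen armor, checks that the BEGIN and END labels match, validates the base64 body, and confirms the decoded bytes start as a DER SEQUENCE before handing them on. The sample input is a constructed placeholder body (a tiny DER SEQUENCE), not a real CSR.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# RFC 7468 registers "CERTIFICATE REQUEST"; "NEW CERTIFICATE REQUEST" is the legacy
# label that some older tooling still emits. Both are accepted here.
CSR_LABELS = ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST")

# Standard PEM armor: five hyphens, label, five hyphens.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END ([A-Z ]+)-----", re.S
)

# Constructed sample with the legacy label; the body is a placeholder DER SEQUENCE
# (30 03 02 01 01), not a real PKCS#10 request.
SAMPLE_LEGACY_LABEL = (
    "-----BEGIN NEW CERTIFICATE REQUEST-----\n"
    "MAMCAQE=\n"
    "-----END NEW CERTIFICATE REQUEST-----\n"
)


def parse_csr_pem(text: str) -> Tuple[Optional[bytes], Optional[str]]:
    """Return (der_bytes, None) on success or (None, error_message) on failure.

    Error messages are specific on purpose, so an enrollment page can tell the
    user what is wrong instead of a generic "invalid CSR".
    """
    match = PEM_RE.search(text.strip())
    if not match:
        return None, "Input is not PEM: missing BEGIN/END lines"
    begin, body, end = match.groups()
    if begin != end:
        return None, f"Mismatched labels: BEGIN {begin} / END {end}"
    if begin not in CSR_LABELS:
        return None, f"Unsupported PEM label {begin!r}; expected one of {CSR_LABELS}"
    try:
        # validate=True rejects characters outside the base64 alphabet instead of skipping them
        der = base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return None, "Body is not valid base64"
    if not der or der[0] != 0x30:
        return None, "Decoded body is not a DER SEQUENCE (expected PKCS#10 CertificationRequest)"
    return der, None


if __name__ == "__main__":
    for label, sample in (("legacy", SAMPLE_LEGACY_LABEL),
                          ("standard", SAMPLE_LEGACY_LABEL.replace("NEW ", ""))):
        der, err = parse_csr_pem(sample)
        print(label, "->", der.hex() if der else err)
```

After the DER bytes are accepted, a real endpoint would parse the PKCS#10 structure and verify its self-signature; the point here is only that the label check and the body validation are separate steps, so accepting a second label does not weaken the validation of the content.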

November 6, 2024

DigiCert® ONE version: 1.8663.1 | Trust Lifecycle Manager: 1.3538.0

New

View CSR in the enrollment details page

For profiles using the CSR enrollment method and Manual approval authentication method, administrators can now see a View CSR link on the enrollment details page. This link provides access to the:

  • CSR

  • Public key algorithm

  • Public key size

  • Subject DN and SAN fields and their values as used by the profile

Bulk automation workflows

To simplify certificate management and enhance agility during revocation or distrust events, Trust Lifecycle Manager now offers improved bulk automation workflows to:

  • Reissue or renew multiple certificates from the same CA.

  • Switch multiple certificates to a different CA supported by Trust Lifecycle Manager.

With the new bulk automation workflows, administrators can:

  • Reissue or switch multiple certificates set for auto-renewal without canceling or adjusting the auto-renew schedules.

  • Edit the selection of certificates before submitting the job.

  • Assign a preferred certificate profile or CA for the job.

  • View any issues with automation triggers in advance.

  • Monitor job progress in the inventory by filtering with the job name.

For more information, see Bulk manage multiple certificate deployments.

HashiCorp Vault integration with DigiCert

The DigiCert HashiCorp Vault integration offers a streamlined solution for enrolling, collecting, and revoking TLS/SSL certificates through Trust Lifecycle Manager. This integration is provided as a custom DigiCert Vault PKI plugin, allowing Vault to continue as a centralized distribution and access point while leveraging Vault’s automation capabilities for DevOps.

The DigiCert Vault PKI plugin acts as a bridge between Vault and your certificate authorities (CAs). Rather than using Vault’s native PKI secrets engine, the plugin is configured in the Vault plugin directory to route certificate requests to Trust Lifecycle Manager, returning signed certificates to Vault. Key features of the plugin include:

  • Generate and sign certificate signing requests (CSRs).

  • Store and track certificates issued by Trust Lifecycle Manager within Vault.

The integration supports both generating and storing new TLS/SSL certificates in Vault. It allows for requesting different types of certificates by providing relevant configuration options. Built using Vault’s plugin architecture, the DigiCert Vault PKI Plugin provides security and development teams with:

  • Connectivity between Vault and any public or private CAs supported by Trust Lifecycle Manager.

  • Assurance that all certificates meet company policy and audit requirements.

  • The ability to issue certificates from any supported CA using native Vault workflows.

For more information, see the HashiCorp Vault connector guide.

Enhancements

CertCentral connector deletion enhancements

Enhanced the user experience when deleting a CertCentral connector to prevent unnecessary operational errors. Key updates include:

  • New confirmation message: When you delete a CertCentral connector, a new confirmation message displays, outlining the impact of the deletion. This message includes a list of affected certificate profiles, allowing you to confirm or cancel the deletion.

  • Post-deletion actions: If you proceed with the deletion, the following changes will occur:

    • Affected profiles will have their status set to “Action needed,” and a message on the profile page will prompt you to select a new CertCentral connector from the dropdown list. If no other connector is available, you will be advised to create a new one.

    • An alert email will be sent to all administrators on the account.

Fixes

Custom certificate report

Resolved issue with custom certificate reports failing intermittently.

Network scan "run now" button not working

Resolved issue with the network scan "run now" action not working, as accessed via the "play" button on the scan details page.

Known issues

Bulk automation on Azure Key Vault

Azure Key Vault bulk flows may not work under the following conditions:

  • Common name versioning is enabled on the connector.

  • A vault contains two certificates with the same name.

Issue: If both certificates are automated simultaneously, Azure Key Vault will fail one of the requests because it does not support multiple pending requests for the same certificate.

Solution: Automate each certificate version one at a time.

October 28, 2024

DigiCert® ONE version: 1.8480.10 | Trust Lifecycle Manager: 1.3519.0

Fixes

Verify "Scan name" filter functionality in the Unique Certificates view on the Inventory page

Resolved an issue where the Scan name filter was not working correctly, occasionally displaying duplicate records.

Network scan not displaying all results in certain configurations

Resolved an issue where network scans were missing some FQDNs in SNI-related discovery flows, ensuring all results are now shown in the inventory.

October 23, 2024

DigiCert® ONE version: 1.8480.8 | Trust Lifecycle Manager: 1.3510.0

New

Delete discovery data from inventory

With this release, administrators can delete certificates discovered by Trust Lifecycle Manager. There are three options available to delete discovered certificates from your inventory:

  • Delete all discovery data (available from Account > Settings).

  • Delete an individual certificate (available from the Inventory page).

  • Select and delete multiple certificates (available from the Inventory page).

For more information, see Manage inventory.

Enhancements

Additional certificate download format in the authenticated self-service portal

The SAML-authenticated self-service portal now supports an option to download the certificate in X.509 format, in addition to the existing PKCS#7 format.

New fields for custom reports

Added support for the following new fields within the certificate custom reports:

  • Server management details section: Application and Instances

  • Other details section: DigiCert ONE user

  • Subject Alternative Name (SAN) details section: SANs

Fixes

Duplicate certificates not working for public S/MIME

Resolved an issue where the duplicate certificate profile option was not applied for profiles created using the Public S/MIME Secure Email (via CertCentral) template.

Approval email notifications

Resolved an issue where approval emails were sent to all users in the account.

CertCentral Public Server Certificate - DNS name

Resolved an issue with CertCentral Public Server Certificate profiles using the CSR enrollment method, where the public enrollment page ignored the optional status of the SAN: DNS name field.

ACME-based issuance not working for CertCentral certificates

Resolved an issue that prevented automated issuance of certificates from CertCentral profiles using the DigiCert agent or 3rd-party ACME client enrollment methods. Note: This fix was released in Trust Lifecycle Manager patch version 1.3511.0.

October 21, 2024

DigiCert® ONE version: 1.8480.7 | Trust Lifecycle Manager: 1.3495.0

Enhancements

Authenticated self-service portal enhancement

The SAML-authenticated self-service portal now supports a Common name field that is displayed under the Certificate pickup URLs tab.

October 17, 2024

DigiCert® ONE version: 1.8480.5 | Trust Lifecycle Manager: 1.3490.0

New

Microsoft Intune connector

You can now centrally configure a new Microsoft Intune connector with your Intune tenant credential details, and use it to:

  • Configure S/MIME certificate profiles to push escrowed certificates to Intune for distribution to registered user devices.

  • Configure Intune SCEP-based certificate profiles with the applicable Intune tenant credentials for the issuance of private authentication certificates.

The Microsoft Intune connector is available under the Unified endpoint management category on the Integrations > Connectors > Add connector page.

Certificate recovery and push to Intune

The new Microsoft Intune connector enables S/MIME certificates to be pushed into a customer Intune tenant via an asynchronous job for distribution to user devices by the Intune unified endpoint management (UEM) platform.

This feature is available for S/MIME certificate profiles configured with the DigiCert Cloud Key Escrow option. You select the Microsoft Intune connector from a dropdown list, which allows Intune to deliver the same escrowed S/MIME certificate to multiple devices so the user can decrypt emails on any of them. Use the following base templates to create your S/MIME certificate profiles and select one of the supported enrollment methods of Browser PKCS12, DigiCert Trust Assistant, or REST API.

Template name | Seat type

Private S/MIME Secure Email | User

Public S/MIME Secure Email (via CertCentral) | User

Note

This solution requires deploying Microsoft's PFX Connector application on a supported Windows domain-joined server, which is a necessary Microsoft dependency. However, no DigiCert on-premises component is needed because we provide a cloud-to-cloud solution.

Certificate issuance via SCEP

You can use the same Microsoft Intune connector to configure profiles for issuance of private authentication certificates from the two Intune templates:

Template name | Seat type

Device Authentication for Microsoft Intune (SCEP) | Device

User Client Authentication for Microsoft Intune (SCEP) | User

Note

If you already have an Intune certificate profile in your account, a default Intune connector named Microsoft Intune is automatically created for you using the Intune credentials from that profile.

For more information about how to set up and use the new connector type, see the Microsoft Intune connector guide.

Unique certificates view in inventory

A new Unique certificates system view on the Inventory page shows a list of unique certificates by the certificate Thumbprint (SHA256). With the new view, administrators can:

  • View a list of unique certificates.

  • Filter the certificates by available columns and filters.

  • Drill down to one or more instances where the certificate is found.

Enhancements

Simplified UI for the branding settings page

You can now use the simplified branding settings page (Account > Settings > Branding) to choose between a custom logo (or the DigiCert default) or an organization name. These will appear on public enrollment pages and emails.

CSR viewer for enrollment requests

You can now view the CSR content for profiles using the CSR enrollment method. Select the Show details link under the CSR text area before submitting the request. This feature helps prevent errors with incorrect CSRs. You can also select Hide details to collapse the section.

The Show details section displays the following information from the CSR:

  • Public key algorithm

  • Key size

  • All Subject DN and SAN fields configured in the profile with a From CSR source. If the fields are not configured in the profile, the CSR details are ignored and not shown under Show details.

Authentication enrollment fields for CertCentral Public Server Certificate template

The CertCentral Public Server Certificate template now supports the Authentication enrollment fields section in the profile. This allows administrators to set custom optional or required fields that users must complete on the enrollment pages. The submitted data will be visible to administrators on the enrollment details page for enrollment approval or rejection.

Azure Key Vault rollback for common name versioning

The Admin web request enrollment method now supports automatic cleanup of partial records in Azure Key Vault during automation failures. If a failure occurs and the user cancels the request, the system automatically removes the partial record from the key vault.

DigiCert Trust Assistant support for BitLocker

DigiCert Trust Assistant now supports the Windows BitLocker Data Recovery Agent template for the following authentication methods:

  • Manual approval

  • Enrollment code

  • SAML IdP

Note

The DigiCert ONE Login authentication method is not yet supported.

Fixes

Edit network scan failing due to duplicate name error

Resolved issue where administrators could not edit and save a scan due to a duplicate name error.

AWS unified connector unable to retrieve more than 20 accounts

Resolved issue with the AWS unified connector, enabling it to retrieve all accounts within an organization.

Azure Key Vault enrollment failing for ECDSA

Resolved an issue with ECDSA key support in Azure Key Vault for the Admin web request enrollment method.

Blank SAML error page

Resolved issue where the browser displayed a blank page when a SAML identity provider (IdP) displayed an access denied error.

Blocked profile creation for accounts with over-consumption enabled

Resolved issue where profiles could not be created or saved for accounts with the over-consumption feature enabled.

Recovery of imported certificates through self-service portal

Resolved issue that prevented authenticated users from recovering imported certificates (in PKCS12 format) through the self-service portal, even when the recovery option was enabled by the administrator.

DigiCert Certificate Import Tool fails to support multiple tags

Resolved an issue with the DigiCert Certificate Import Tool that prevented support for multiple tags on the same uploaded certificate, whether bound to a Discovery or Imported seat.

Email templates

Resolved the following issues:

  • The {{#commentsToUser}} variable was missing from the Enrollment status change email template.

  • The {{#certResumptionDate}} value was missing from customized emails sent to users.

  • The blue "Action Required" header was incorrectly displayed in emails using the Your certificate is revoked template. It has been removed, as no user action is needed—only information is provided.

October 3, 2024

DigiCert® ONE version: 1.8480.1 | Trust Lifecycle Manager: 1.3446.0

New

SAML authorization

For profiles using SAML identity provider (IdP) authentication, we now support authorizing SAML assertions by reading pre-configured SAML attributes and values in a new side panel. This allows you to control which user groups are eligible to receive a certificate after authentication and verifying authorization parameters within the profile.

Captcha support for revocation requests on the self-service portal

A new captcha feature has been added to user-initiated revocation requests on the open self-service portal to prevent bulk requests from bots.

Note

An administrator must enable the revocation feature within the open self-service portal settings.

Fixes

Inconsistent Intune revocation processing

The Intune revocation job logic has been updated to include retries when DigiCert's certificates in the Microsoft Intune queue are not revoked successfully.

September 25, 2024

DigiCert® ONE version: 1.8279.6 | Trust Lifecycle Manager: 1.3421.0

Enhancements

Enrollment API response - support for enrollment URL

The POST /mpki/api/v1/enrollment API endpoint response now includes the enrollment URL for private certificates issued using DigiCert® CA Manager. This enhancement applies to profiles configured using the Enrollment Code authentication method.

For details, see the API endpoint documentation.

User-friendly error message based on SAML callback errors

The new Trust Lifecycle Manager-branded web page now displays a user-friendly error message based on SAML callback errors from assertions sent by a SAML identity provider (IdP).

Fixes

Incorrect protocol displayed in profile warning message

Fixed the issue where the warning message incorrectly showed SCEP for profiles using EST with the global enrollment code. The message now correctly displays EST for EST enrollments.

September 18, 2024

DigiCert® ONE version: 1.8279.3 | Trust Lifecycle Manager: 1.3395.0

Enhancements

Branding settings - logo size

The maximum file size for uploaded images has been increased from 40 KB to 100 KB to allow for better-quality logos.

Fixes

Complete certificate chain in CertCentral REST API enrollment method

The REST API enrollment method now returns the complete certificate chain in its response for both CertCentral public and private certificate enrollments.

Azure Key Vault automation issue

Resolved the issue of Admin web request enrollment method failing when the connector uses versioning and the original certificate is deleted. The cause is now displayed, and users must either restore the certificate in Azure Key Vault or use a unique name for the connector.

No actions displayed for empty seat names

Resolved issue on the Seats list page where seats with empty names were missing the actions (three dots) menu and quick edit option. Empty seat names now display a dash (—) and names with only spaces are not accepted. Seat names must have at least one non-space character.

September 11, 2024

DigiCert® ONE version: 1.8279.2 | Trust Lifecycle Manager: 1.3374.0

New

DigiCert Trust Assistant release v1.2.0

Starting with DigiCert® Trust Assistant v1.2.0, customers can configure profiles for autoenrollment and autorenewal of certificates. After creating and authenticating a user in Account Manager using SAML or OpenID Connect (OIDC), which is a one-time process, a device certificate is automatically issued. This allows DigiCert® Trust Assistant (DTA) to seamlessly retrieve profiles and handle certificate autoenrollment and autorenewal without user intervention (zero-touch).

The DTA client shows the following new menu options after users successfully join their IdP account with DigiCert ONE:

  • Certificate profiles page: Displays the profiles that the user is eligible to enroll in, either manually or automatically, if an administrator has configured them using the new autoenrollment feature.

  • Device page: Located under the Advanced mode, it displays device certificate information needed for the new autoenrollment and autorenewal features.

Prerequisites
  1. To use this feature, configure profiles with the DigiCert ONE Login authentication method.

    • Configure Single sign-on (SSO) settings for your account using SAML or OIDC.

    • Ensure that the required attributes are included as part of the Claims ID (for OIDC) and Assertion (for SAML) responses to create a user in DigiCert ONE. The required user attributes (case insensitive) are the following:

      • Email: email

      • First name: Use any of these values—given_name, first_name, firstname, or givenname

      • Last name: Use any of these values—last_name, lastname, familyname, family_name, or surname

      Some identity providers may provide these attributes by default, but ensure that they are included in the authentication response.

  2. Request your DigiCert or Platform representative to configure the following, which requires System Administrator credentials.

    • Enable the DigiCert Trust Assistant for your account.

    • Add your company's email domains to the Allow user creation via SSO option in your account. Your organization must own the domains. You can configure this setting only after SSO sign-in is set up with SAML or OIDC, so ensure SSO is configured first.

Note

Customers using a local Active Directory (AD) for user storage must configure AD Federation Services (FS) as their SAML IdP provider. See Setting Up Active Directory Federation Services.
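The attribute check described in the prerequisites above, as an added example (not DigiCert code): it maps OIDC claims or a SAML attribute statement, given as a Python dict, to the three required user fields using the accepted names listed above, matched case-insensitively, and reports which fields are missing. The sample claims and attributes are constructed for this example.

```python
"""Check an IdP response for the user attributes DigiCert ONE needs to create a
user via SSO. Added example, not DigiCert code. The accepted attribute names are
those listed in the release note and are matched case-insensitively."""
import json

# Accepted names per required field (matched case-insensitively).
REQUIRED_ATTRIBUTES = {
    "email": ("email",),
    "first_name": ("given_name", "first_name", "firstname", "givenname"),
    "last_name": ("last_name", "lastname", "familyname", "family_name", "surname"),
}


def _first_value(value):
    """SAML attributes are often multi-valued; take the first non-empty string."""
    if isinstance(value, (list, tuple)):
        for item in value:
            if isinstance(item, str) and item.strip():
                return item.strip()
        return None
    if isinstance(value, str) and value.strip():
        return value.strip()
    return None


def extract_user_attributes(attributes):
    """Map an IdP attribute dict (OIDC claims or a SAML AttributeStatement) to the
    fields DigiCert ONE requires. Returns (found, missing)."""
    lowered = {name.lower(): value for name, value in attributes.items()}
    found, missing = {}, []
    for field, aliases in REQUIRED_ATTRIBUTES.items():
        value = None
        for alias in aliases:
            value = _first_value(lowered.get(alias))
            if value is not None:
                break
        if value is None:
            missing.append(field)
        else:
            found[field] = value
    return found, missing


def check_sso_response(attributes):
    """True when every required user attribute is present in the response."""
    return not extract_user_attributes(attributes)[1]


# Constructed OIDC ID-token claims; note the differently cased claim name.
SAMPLE_OIDC_CLAIMS = json.loads("""{
  "sub": "12345",
  "Email": "alice@example.com",
  "given_name": "Alice",
  "family_name": "Example"
}""")

# Constructed SAML attribute statement: values are lists because SAML attributes
# may carry several values. The last name is omitted on purpose, so this
# response must be rejected.
SAMPLE_SAML_ATTRIBUTES = {
    "email": ["alice@example.com"],
    "FirstName": ["Alice"],
}

if __name__ == "__main__":
    for label, attrs in (("OIDC", SAMPLE_OIDC_CLAIMS), ("SAML", SAMPLE_SAML_ATTRIBUTES)):
        found, missing = extract_user_attributes(attrs)
        print(f"{label}: found={found} missing={missing}")
```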

Additional enhancements
  • Notifications: Use the bell icon located at the top of the dashboard to view the following notifications:

    • Information: When DTA completes an action.

      Example: When a certificate is issued or renewed successfully as a background process.

    • Action required: When DTA detects an action required by a user. The assistant displays an "action" link that you can click to trigger the required action.

      Example: If there is a newer version of the DTA provider, a notification is shown with an Upgrade required action link to initiate the upgrade process.

    • Error: When an error is detected, DTA sends a notification with details of the issue, including which process was responsible for the error and possible causes—for example, network or connectivity issues.

  • Diagnostics file: A user-generated, password-protected ZIP file containing logs and configuration files for troubleshooting and sharing with your Support team.

  • SHA3 algorithms: Support for SHA3 signing algorithms for both the DigiCert Software Keystore and compatible hardware tokens.

  • Session validity for PIN-protected keystores: A new feature for supported keystores, such as hardware tokens and the DigiCert Software Keystore, allowing users to enter their PIN once per session (default is 5 minutes). The DigiCert Trust Assistant configuration file (config.json) now includes a parameter (loginSessionValidity) to control session duration. Each token-based action resets the session to the configured time.

  • Unregister and upgrade DigiCert provider and token: Users can now quickly unregister and upgrade the DigiCert Software Keystore crypto provider.

  • DigiCert Software Keystore Provider v1.0.4:

    • Removed the dependency for the Visual C++ Redistributable to be installed as a prerequisite. It is now included in this new provider version.

    • Updated the license to use the DigiCert Master Services Agreement (MSA).

    • Changed installation from per-user to per-machine. You must completely remove the previous installation before installing the latest one, which is automatically handled by the new Upgrade provider functionality in DTA.

  • Token v1.0.1: Updated the license to use the DigiCert Master Services Agreement (MSA).

For more information, see the DigiCert Trust Assistant guide.

Issuance of PQC composite certificates

Support is now available for issuance and lifecycle operations (revoke, suspend/resume, or recover) of Post Quantum Cryptography (PQC) "composite" certificates, which combine PQC with traditional RSA/ECDSA algorithms. This ensures compatibility with both PQC-enabled systems and those still using traditional encryption methods.

In this initial release, PQC composite certificates support the following key types, sizes, and signing algorithms:

Key type | Key size | Signing algorithm
id-MLDSA44-RSA2048-PSS-SHA256 | MLDSA-44, RSAPSS-2048 | id-MLDSA44-RSA2048-PSS-SHA256
id-MLDSA44-RSA2048-PKCS15-SHA256 | MLDSA-44, RSA-2048 | id-MLDSA44-RSA2048-PKCS15-SHA256
id-MLDSA44-ECDSA-P256-SHA256 | MLDSA-44, ECDSA-256 | id-MLDSA44-ECDSA-P256-SHA256
id-MLDSA65-RSA3072-PKCS15-SHA512 | MLDSA-65, RSA-3072 | id-MLDSA65-RSA3072-PKCS15-SHA512
id-MLDSA65-ECDSA-P256-SHA512 | MLDSA-65, ECDSA-256 | id-MLDSA65-ECDSA-P256-SHA512
id-MLDSA87-ECDSA-P384-SHA512 | MLDSA-87, ECDSA-384 | id-MLDSA87-ECDSA-P384-SHA512

Issuance is supported for profiles configured from the following templates and enrollment methods:

Templates | Enrollment methods
Generic Device Certificate, Generic Private Server Certificate, Generic User Certificate | CSR, EST, REST API
Private S/MIME Secure Email | CSR, REST API

For more information and CSRs/keys for testing, see Issue PQC composite certificates.

BitLocker Data Recovery Agent template

The new Windows BitLocker Data Recovery Agent template is now available, supporting the issuance of private certificates that meet Windows requirements of BitLocker Data Recovery Agent certificates. This template allows the encryption and recovery of data within a Windows workstation.

The user template supports the following enrollment and authentication methods:

Enrollment method | Authentication method
Browser PKCS12, CSR | Manual Approval (single or dual), Enrollment Code, SAML IdP
REST API | Third-party application, Enrollment Code
Microsoft Autoenrollment | Active Directory

The template also supports the following extensions:

  1. Microsoft Application Certificate Policies extension, containing the following policy identifiers, but available only for the "Microsoft Autoenrollment" enrollment method:

    1. Key Recovery Agent

    2. BitLocker Drive Encryption

    3. BitLocker Data Recovery Agent

  2. S/MIME Capability extension, containing the following Policy Identifier values:

    1. XCN_OID_RSA_DES_EDE3_CBC => 1.2.840.113549.3.7

    2. XCN_OID_RSA_SMIMEalgCMS3DESwrap => 1.2.840.113549.1.9.16.3.6

    3. XCN_OID_NIST_AES128_CBC => 2.16.840.1.101.3.4.1.2

    4. XCN_OID_NIST_AES192_CBC => 2.16.840.1.101.3.4.1.22

    5. XCN_OID_NIST_AES256_CBC => 2.16.840.1.101.3.4.1.42

    6. XCN_OID_NIST_AES128_WRAP => 2.16.840.1.101.3.4.1.5

    7. XCN_OID_NIST_AES192_WRAP => 2.16.840.1.101.3.4.1.25

    8. XCN_OID_NIST_AES256_WRAP => 2.16.840.1.101.3.4.1.45

  3. Extended Key Usage (EKU) extensions set as default:

    1. Key Recovery Agent

    2. BitLocker Drive Encryption

    3. BitLocker Data Recovery Agent

  4. Certificate Template Information extension with the following preset values:

    1. Template = 1.3.6.1.4.1.311.21.8.5794885.9824176.5194890.16550107.10406594.143.6622342.10289763

    2. Major Version Number = 100

    3. Minor Version Number = 4
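To see what the S/MIME Capability and Certificate Template Information presets above look like on the wire, the following added example (not DigiCert code) DER-encodes both extension values with a small standard-library encoder and parses them back, so an issued certificate's extensions can be compared against the template. The ASN.1 layouts (SMIMECapabilities as a SEQUENCE OF SEQUENCE { capabilityID OID }, CertificateTemplate as SEQUENCE { templateID OID, major INTEGER, minor INTEGER }) come from RFC 8551 and Microsoft's template extension definition, not from this page; the OIDs and version numbers are the ones listed above.

```python
"""DER-encode and decode two extension values preset by the BitLocker Data Recovery
Agent template: SMIMECapabilities and Microsoft Certificate Template Information.
Added example, not DigiCert code; standard library only."""

# S/MIME capabilities from the template (name -> dotted OID).
SMIME_CAPABILITIES = {
    "XCN_OID_RSA_DES_EDE3_CBC": "1.2.840.113549.3.7",
    "XCN_OID_RSA_SMIMEalgCMS3DESwrap": "1.2.840.113549.1.9.16.3.6",
    "XCN_OID_NIST_AES128_CBC": "2.16.840.1.101.3.4.1.2",
    "XCN_OID_NIST_AES192_CBC": "2.16.840.1.101.3.4.1.22",
    "XCN_OID_NIST_AES256_CBC": "2.16.840.1.101.3.4.1.42",
    "XCN_OID_NIST_AES128_WRAP": "2.16.840.1.101.3.4.1.5",
    "XCN_OID_NIST_AES192_WRAP": "2.16.840.1.101.3.4.1.25",
    "XCN_OID_NIST_AES256_WRAP": "2.16.840.1.101.3.4.1.45",
}
# Certificate Template Information presets from the template.
TEMPLATE_OID = ("1.3.6.1.4.1.311.21.8.5794885.9824176.5194890.16550107"
                ".10406594.143.6622342.10289763")
TEMPLATE_MAJOR, TEMPLATE_MINOR = 100, 4


def _der_length(n):
    """Short form below 128, long form (0x8N + N length bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content


def _base128(n):
    """OID arc as base-128 groups, high bit set on all but the last group."""
    out = [n & 0x7F]
    while n >> 7:
        n >>= 7
        out.append(0x80 | (n & 0x7F))
    return bytes(reversed(out))


def der_oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06): the first two arcs share one number."""
    arcs = [int(a) for a in dotted.split(".")]
    return _tlv(0x06, b"".join(_base128(a) for a in [arcs[0] * 40 + arcs[1]] + arcs[2:]))


def der_integer(n):
    """Non-negative INTEGER (tag 0x02); a leading 0x00 is added when the top bit is set."""
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_sequence(*items):
    return _tlv(0x30, b"".join(items))


def smime_capabilities_value():
    """SMIMECapabilities ::= SEQUENCE OF SEQUENCE { capabilityID OID } (no parameters)."""
    return der_sequence(*(der_sequence(der_oid(o)) for o in SMIME_CAPABILITIES.values()))


def certificate_template_value():
    """CertificateTemplate ::= SEQUENCE { templateID OID, major INTEGER, minor INTEGER }."""
    return der_sequence(der_oid(TEMPLATE_OID), der_integer(TEMPLATE_MAJOR),
                        der_integer(TEMPLATE_MINOR))


def _read_tlv(buf, pos):
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Inverse of der_oid for the content octets of an OBJECT IDENTIFIER."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    lead = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in lead + arcs[1:])


def decode_certificate_template(der):
    """Parse a Certificate Template Information value back to (oid, major, minor)."""
    _, seq, _ = _read_tlv(der, 0)
    pos, fields = 0, []
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        fields.append(decode_oid(content) if tag == 0x06 else int.from_bytes(content, "big"))
    return tuple(fields)


def decode_smime_capabilities(der):
    """Parse an SMIMECapabilities value back to its list of dotted capability OIDs."""
    _, seq, _ = _read_tlv(der, 0)
    pos, oids = 0, []
    while pos < len(seq):
        _, cap, pos = _read_tlv(seq, pos)
        oids.append(decode_oid(_read_tlv(cap, 0)[1]))
    return oids
```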

Enhancements

Mapping of SAML assertion attributes to authentication fields

For profiles using SAML identity provider (IdP) authentication with manual approval enabled, you can now map custom authentication enrollment fields to SAML attributes. These values appear on the Enrollment Details page, allowing the administrator to approve or reject the enrollment request.

Optional removal of SKI/AKI extensions

You can now optionally remove the Subject Key Identifier (SKI) extension, the Authority Key Identifier (AKI) extension, or both from the profile wizard of all three Generic templates:

  • Generic User Certificate

  • Generic Device Certificate

  • Generic Server Certificate

Existing profiles will automatically show the SKI/AKI extensions by default.

Warning

Do not remove these extensions unless absolutely necessary.

Certificate preview for external CAs

Account administrators with profile creation or editing permissions can now preview certificate details in the profile wizard when configuring profiles with external issuing CAs, such as CertCentral, Microsoft, and AWS.

Fixes

Limit the SAML Enrollment page to the same browser session

Resolved an issue where the authenticated SAML enrollment page could be loaded across browser sessions. You must now reauthenticate if you open the enrollment link in a different browser, or in the same browser in Incognito mode.

September 4, 2024

DigiCert® ONE version: 1.8279.1 | Trust Lifecycle Manager: 1.3342.0

Enhancements

Rounding certificate valid-from and valid-to dates

Certificate profiles for private issuing CAs in DigiCert ONE now offer a checkbox under expiration options to set the certificate start and end times to full UTC days (that is, from 00:00:00 UTC to 23:59:59 UTC) instead of using the actual issue time. This feature benefits customers with services across different time zones and those using Intune services.

User ID support for "Generic Device Certificate" template

The User identifier field is now included in the Subject DN for the Generic Device Certificate template.

Fixes

SAML authorization error

Resolved an issue where a JSON-formatted internal service error message appeared when the user's SAML identity provider (IdP) delivered a failed authorization assertion to the DigiCert SAML service provider (SP). The authorization failure now displays a more user-friendly error message on the authenticated self-service portal.

August 28, 2024

DigiCert® ONE version: 1.8094.6 | Trust Lifecycle Manager: 1.3321.0

Enhancements

Quick edit of agent, sensor, and network scan names

Authorized users can now quickly edit the agent, sensor, and network scan names from their respective list and details pages.

August 21, 2024

DigiCert® ONE version: 1.8094.5 | Trust Lifecycle Manager: 1.3299.0

New

ServiceNow app v1.5.0

ServiceNow app version 1.5.0 has been released for Trust Lifecycle Manager. It adds support for issuance of private certificates from a Microsoft CA using certificate profiles created from one of the following base templates and configured for one of the supported enrollment/authentication method combinations:

Template name | Seat type | Enrollment / Authentication methods
Microsoft CA Private Server Certificate | Certificate management | REST API / 3rd Party app
Microsoft CA User Certificate | Certificate management | Browser PKCS12 / Manual Approval; CSR / Manual Approval; DigiCert Trust Assistant / Manual Approval

With this release, the following base templates now also support the CSR enrollment method with Manual Approval authentication for use with the ServiceNow app:

  • Generic Private Server Certificate

  • Generic User Certificate

  • CertCentral Public Server Certificate

  • Public Client Authentication (via CertCentral)

  • Public S/MIME Secure Email (via CertCentral)

Important

Moving forward, use the CSR enrollment method with Manual Approval authentication in all your manual approval flow certificate profiles for ServiceNow, as we plan to deprecate support for the REST API enrollment method in these profiles.

For more information, see the ServiceNow integration guide.

Enhancements

Multiple key sizes for CertCentral profiles

For CertCentral certificate profiles configured with the CSR, REST API, or SCEP enrollment method, you can now select one or multiple key sizes to allow when requesting a certificate.

Fixes

Comma-separated SANs not being honored in Admin web request

Resolved an issue where SANs entered as comma-separated values with the Admin web request enrollment method were ignored in the issued certificate.

Issuance failing when certificate already exists in database

Resolved an issue where ACME-based issuance failed with a thumbprint conflict when a certificate with the same thumbprint was already present from a different source.

Internal notes for SAML IdP manual approval flow

Resolved issue with not being able to submit and store internal notes on the enrollment details page, for certificate profiles configured with the SAML IdP authentication method that have the "Enforce manual approval flow" checkbox enabled.

Authenticated self-service portal - issues with allowed actions

Resolved the following known issues reported in the previous release:

  • Recovery action did not appear on the authenticated user portal when the operation was enabled by an authorized self-service portal administrator.

  • Enroll action appeared on the authenticated user portal regardless of whether the operation had been enabled by an authorized self-service portal administrator or not.

August 14, 2024

DigiCert® ONE version: 1.8094.4 | Trust Lifecycle Manager: 1.3282.0

New

Self-service portal operations per profile and UI enhancements

From this release, authorized administrators can configure allowed self-service operations per certificate profile instead of being account-wide operations for all profiles with the self-service portal option enabled. Available operations:

  • From the open portal:

    • Revoke: Allows users to request revocation of their certificates, which triggers an email challenge to prove ownership of the email address before confirming the revocation operation. Note: Enable this feature with caution: anyone with access to a user's email account can pass the challenge and revoke that user's certificate.

  • From the authenticated portal, after users authenticate against your SAML identity provider:

    • Recover: Recover certificates for profiles configured with the "Cloud Key Escrow" option.

    • Renew: Renew certificates issued from DigiCert that are bound to a certificate profile and within the renewal window configured in the profile.

    • Revoke: Revoke certificates and specify a revocation reason as part of the revocation operation.

    • Suspend/Resume: Suspend or resume private certificates only.

In addition, as part of the announced initiative in the previous release to improve the navigation and usability of the product, the Self-service portal menu option has been moved under the Account > Settings page.

Enhancements

REST API support for "Microsoft CA User Certificate" template

You can now configure profiles from the Microsoft CA User Certificate base template using the REST API enrollment method and associated 3rd Party app authentication method to issue user certificates from your Microsoft CA. You can also invoke certificate management operations such as revocation.

SCEP support for "CertCentral Public Server Certificate" template

The CertCentral Public Server Certificate template has now been qualified to support the SCEP enrollment method, allowing servers to enroll and renew public TLS server certificates using SCEP (Simple Certificate Enrollment Protocol).

Certificate profile descriptions

A new optional customer-defined field allows administrators to add a user-friendly profile description (maximum 256 characters) when creating or editing a certificate profile. The profile description is displayed as an optional column on the Inventory page, and is also visible to end users from the self-service portal.

Fixes

Optional fields from SAML assertion

Resolved issue with certificate profiles configured with optional Subject DN attributes using values sourced from a SAML assertion, where the enrollment process failed due to an error stating a required value was not present.

Known issues

Authenticated self-service portal - issues with allowed actions

  • Recovery action does not appear on the authenticated user portal when the operation is enabled by an authorized self-service portal administrator.

  • Enroll action appears on the authenticated user portal regardless of whether the operation has been enabled by an authorized self-service portal administrator or not.

PQC discovery not working on RHEL 7.x

The discovery service does not find post-quantum cryptography (PQC) certificates on RHEL 7.x systems. As a workaround, upgrade to RHEL 8.x on these systems.

August 7, 2024

DigiCert® ONE version: 1.8094.1 | Trust Lifecycle Manager: 1.3255.0

New

Certificate delivery to DigiCert ACME agent

Added support for delivering certificates to servers with the DigiCert ACME agent. This feature extends the Admin web request enrollment method, available for Azure KeyVault and AWS ACM, supporting certificate formats: x.509, p7b, PKCS12, and Java Keystore (JKS). Access this feature via the updated Admin web request flow on the Enrollments page.

Discovery support for post-quantum cryptography (PQC) certificates

Extended network discovery capabilities to include PQC certificates. New and existing scans can now identify PQC certificates on the network, viewable on the Inventory page.

DigiCert One Login for CertCentral connector

Enabled DigiCert One Login for CertCentral connector, allowing users to add new connectors using One Login authentication. Existing authentication methods remain available for users not on One Login.

Puppet integration

Added support for integrating Trust Lifecycle Manager with Puppet environments. Documentation and sample scripts for using Trust Lifecycle Manager certificates in Puppet are available under Integrations > Connectors > Add connector.

Enhancements

Main navigation update

This update includes a streamlined navigation interface, intuitive menu structure, and enhanced accessibility, making it easier than ever to find what you need.

  • Streamlined interface and intuitive menu structure for easier access.

  • Reduced clicks to reach pages, improving workflow efficiency.

  • Simplified structure for new users.

  • Descriptive labels clarify menu items.

Settings page update

Newly redesigned Settings page, crafted to enhance usability and provide a more intuitive user experience.

  • Clear, concise labels and descriptions.

  • Logically grouped settings on a single page for easy navigation.

  • Consolidated related settings to match user workflows.

  • Self-service portal menu option to be moved inside the new Settings page in a future release.

Fixed prefix for OU fields

Enhanced the profile wizard to allow configuring a fixed prefix for OU fields. This feature is available for all three Generic templates. When the OU source field is set to Entered by user with prefix, the prefix is prepended to the dynamically submitted OU value, separated by a dash.

For example, a profile with a prefix Department and an API-submitted OU value Sales will issue a certificate with Department - Sales in the OU field.

Quick edit feature for Seats

Extended quick edit feature to allow authorized users to edit Seat names using the Seat List and Seat Details pages.

Multiple data formats for Unique Identifier field

Extended support for selecting data types (BitString or PrintableString) for the Unique Identifier SDN field in Generic Device Certificate and Generic User Certificate templates. Existing profiles continue as-is, with new options available by reconfiguring the field.

Fixes

Seat ID mapping issue with SCEP/EST profiles

Fixed issue where certificates weren’t issued when SAN attributes like RFC822name or DNS name were selected for Seat ID mapping with SCEP or EST enrollment methods.

Custom email templates

Resolved issue where custom email templates weren’t retained when editing profiles.

July 31, 2024

DigiCert® ONE version: 1.7827.6 | Trust Lifecycle Manager: 1.3215.0

New

Adobe AATL certificates for individuals and organizations

Support for issuance of Adobe RSA or ECDSA certificates for individuals and organizations that chain up to root CAs recognized by the Adobe Approved Trust List (AATL) and used to digitally sign documents that are trusted by Adobe products (for example, PDF documents). The certificates get issued from your CertCentral account via a CertCentral CA connector configured in Trust Lifecycle Manager.

  • Adobe Individual in Organization (via CertCentral): Linked to User seats, this template enables end-users to digitally sign Adobe PDFs locally. Profiles created from this template will be automatically configured to use the DigiCert Trust Assistant enrollment method, which will enforce the use of a hardware token for the creation and storage of keys. Compliance with the DigiCert Master Services Agreement and Adobe’s requirements is the customer’s responsibility.

  • Adobe Organization (via CertCentral): Linked to Organization seats, this template allows an organization to sign PDFs with a branded certificate. The private key must be securely hosted on a hardware security module (HSM) and used for all document signing.

The following table shows the new base templates used to create certificate profiles for issuing the two types of Adobe AATL certificates, along with the supported enrollment and authentication methods for each template, the corresponding certificate product that must be enabled in your CertCentral account, and the root/intermediate CAs for each CertCentral region.

Adobe Individual in Organization (via CertCentral)

  • Seat type: User

  • Enrollment method: DigiCert Trust Assistant

  • Authentication methods: Manual Approval, Enrollment Code, SAML IdP

  • CertCentral product type: Document Signing for Business - Employee

Adobe Organization (via CertCentral)

  • Seat type: Organization

  • Enrollment and authentication methods:

    • CSR: Manual Approval, Enrollment Code, SAML IdP

    • REST API: 3rd Party app, Enrollment Code

  • CertCentral product type: Document Signing for Business - Group

Trust anchors (root/intermediate CAs for each CertCentral region):

  • CertCentral Europe: Root CA: DigiCert Assured G2 Multi Doc Sign EUR RSA4096 SHA384 2023 CA1

  • CertCentral USA: Root CA: DigiCert Assured ID G2 Multi Doc Signing RSA4096 SHA384 2023; Intermediate CA: DigiCert Test SHA2 Intermediate CA-1

Important

Both Adobe certificate templates are "limited" and must be explicitly assigned to your Trust Lifecycle Manager account. If you do not see the templates listed on the Policies > Base templates page, contact your DigiCert account representative or system administrator to assign them and inform you of your Adobe obligations. These obligations include verifying the identity of end-users using a face-to-face process, and keeping evidence of that process, before allowing them to enroll for an Adobe certificate. See Section 27 of DigiCert Certificate Terms of Use for more details.

To issue Adobe certificates, your CertCentral account must be enabled with the corresponding product type (as shown in the above table) and certificate units.

Public S/MIME certificates via SCEP protocol

Support for issuance of Public S/MIME sponsor-validated non-escrow RSA certificates from CertCentral, using SCEP as the provisioning protocol, with certificate profiles created from the following base template.

  • Existing template Public S/MIME Secure Email (via CertCentral) now supports enrollment method SCEP with authentication method Enrollment Code for issuance of non-escrowed certificates.

Important

On-premises DigiCert ONE users must create a private CA with common name DCONE-TLM-PUBLIC-SMIME-SCEP-DECRYPT-CA to use this feature.

Enhancements

Quick edit feature

Introduced a quick edit feature that allows authorized users to easily change the names of Business units and Connectors directly from their respective List and Details pages. To edit Business units, go to Manage > Business units. For Connectors, go to Integrations > Connectors.

Fixes

Approval emails

Resolved issue with approval emails being sent out to all users in an account instead of only those users bound to the business unit linked to the certificate profile configured for manual approval.

ServiceNow CMDB import issue

Resolved an issue where Discovery and Imported certificates not bound to a profile were failing to push to ServiceNow CMDB.

CA Discovery import fails with spaces in name

Resolved issue where Microsoft CA discovery import failed when the CA name (CN of the Microsoft CA) had space characters.

CertCentral profile key size mismatch

Resolved an issue with the CertCentral Public Server Certificate profile when using a 4096 key size. The REST API enrollment failed a policy check because the profile's default private key size was set to 2048, causing a mismatch with the 4096 key size specified in the CSR.

July 24, 2024

DigiCert® ONE version: 1.7827.5 | Trust Lifecycle Manager: 1.3166.0

Fixes

Install validation failure for IIS SNI configuration

Fixed agent-based certificate automation issue with install validation failing for the IIS web server on SNI sites.

July 18, 2024

DigiCert® ONE version: 1.7827.3 | Trust Lifecycle Manager: 1.3140.0

New

Issuance of PQC Falcon certificates

Support for issuance and lifecycle operations (revoke, suspend/resume, or recover) of post-quantum cryptography (PQC) Falcon certificates with the below key sizes and signing algorithms, using certificate profiles created from any of the three "Generic" base templates or the Private S/MIME Secure Email template:

Key type | Key sizes / Signing algorithms
FNDSA | FNDSA-512, FNDSA-1024

Issuance supports the following enrollment methods and associated authentication methods, depending on the base template used to create the certificate profile:

Templates | Enrollment methods
Generic Device Certificate, Generic Private Server Certificate, Generic User Certificate | CSR, EST, REST API
Private S/MIME Secure Email | CSR, REST API

For more information and CSRs/keys for testing, see Issue PQC Falcon certificates.

System scans

With this release, Trust Lifecycle Manager introduces the ability to find certificates and cryptographic keys on host systems running the DigiCert agent.

Administrators can use system scans to search for:

  • Certificates in the file system, operating system store, archive files, and keystores.

  • Keys in the file system. A hash of the key is returned to Trust Lifecycle Manager along with information about whether the key is password protected or not.

When configuring system scans, administrators have the flexibility to:

  • Create agent groups to manage scans for multiple agents at once.

  • Run a one-time scan or schedule it to repeat at regular intervals.

  • Control what to scan for by:

    • Selecting which types of items to retrieve for a specific scan.

    • Configuring a global blocklist with drives, folders, and files to skip for all scans.

Certificates discovered through system scans are available from the "All certificates" and "Discovery" views on the Inventory page. Keys are surfaced in the new "Keys" view.

For more information, see System scans.

AWS unified connector

Introducing the new AWS unified connector with this release. This new connector type allows users to:

  • Connect to an AWS organization and traverse the organization hierarchy from Trust Lifecycle Manager.

  • Discover certificates in AWS Certificate Manager (ACM) for all AWS accounts in a connected organization.

  • Enroll new certificates in Trust Lifecycle Manager with automated delivery to ACM in one or more AWS accounts.

AWS unified connectors can also be configured with account scope, to import and deliver certificates to a specific AWS account.

For more information, see Connect to a network appliance or cloud service.

SCEP support for the "External Private CA" template

The External Private CA template now supports the issuance and renewal of private CA certificates via the SCEP provisioning protocol for TLS inspection appliances that support SCEP.

HTTP proxy support for outgoing traffic to ServiceNow CMDB

For DigiCert ONE platform owners with the HTTP proxy functionality enabled, the ServiceNow connector in Trust Lifecycle Manager now routes outgoing traffic to ServiceNow via the configured HTTP proxy settings in the "global" section of the DigiCert ONE values file.

Enhancements

Support for up to 250 duplicate certificates

Profiles with the "Allow duplicate certificates" option enabled now support a maximum of 250 duplicate certificates. Existing profiles inherit this change without the need to create a new profile.

New Microsoft CA connector

With this release, we are enhancing the existing Microsoft CA connector to remove the need for installing the MCARS software on the Microsoft CA server. The new connector design allows the DigiCert sensor to interact directly with the Microsoft CA server for discovery and management operations.

The new Microsoft CA connector requires a Windows-based DigiCert sensor. It cannot be configured using the Linux or Docker versions of the sensor.

Warning

Users can no longer add MCARS-based connectors after this release. Users with existing MCARS-based connectors can continue to use them; however, DigiCert recommends replacing your legacy MCARS-based connectors at your convenience with the new Microsoft CA connectors.

For more information, see the Microsoft CA connector guide.

Agent release 3.0.13

New DigiCert agent release adds support for:

  • System scans.

  • Plugin manager log rotation.

Fixes

"Download AE config file" button is disabled

Resolved issue with the Download AE config file button being disabled on the Profiles page when there are existing profiles with the Microsoft Autoenrollment enrollment method enabled.

Let's Encrypt integration not working with Cloudflare DNS

Resolved issue with the Let's Encrypt CA connector not being able to issue certificates using the Cloudflare DNS service for domain validation.

July 10, 2024

DigiCert® ONE version: 1.7827.2 | Trust Lifecycle Manager: 1.3103.0

New

Entrust discovery connector

With this release, Trust Lifecycle Manager is adding a new connector type to import certificates issued by the Entrust CA. The new Entrust discovery connector allows administrators to:

  • Import certificates from an Entrust account into Trust Lifecycle Manager inventory.

  • Select whether to import expired or revoked certificates in addition to active/valid ones.

  • Schedule ongoing incremental certificate imports from the Entrust account.

For more information, see Entrust discovery.

Enhancements

Non-repudiation KU for Public Client Authentication (via CertCentral) template

For customers who need to issue public client authentication certificates from CertCentral, you can now select a new "Authentication Only - Non-Repudiation" option in the certificate type dropdown list when creating a certificate profile from the Public Client Authentication (via CertCentral) base template.

July 3, 2024

DigiCert® ONE version: 1.7827.1 | Trust Lifecycle Manager: 1.3090.0

New

Issuance of PQC SPHINCS+ certificates

Support for issuance and lifecycle operations (revoke, suspend/resume, or recover) of post-quantum cryptography (PQC) SPHINCS+ certificates with the below key sizes and signing algorithms, using certificate profiles created from any of the three "Generic" base templates or the Private S/MIME Secure Email template:

Key type: SLHDSA

Key sizes / Signing algorithms:

  • SLHDSA SHA2-128f

  • SLHDSA SHA2-128s

  • SLHDSA SHA2-192f

  • SLHDSA SHA2-192s

  • SLHDSA SHA2-256f

  • SLHDSA SHA2-256s

  • SLHDSA SHAKE-128f

  • SLHDSA SHAKE-128s

  • SLHDSA SHAKE-192f

  • SLHDSA SHAKE-192s

  • SLHDSA SHAKE-256f

  • SLHDSA SHAKE-256s

Issuance supports the following enrollment methods and associated authentication methods, depending on the base template used to create the certificate profile:

Templates and enrollment methods:

  • Generic Device Certificate, Generic Private Server Certificate, Generic User Certificate:

    • CSR

    • EST

    • REST API

  • Private S/MIME Secure Email:

    • CSR

    • REST API

For more information and CSRs/keys for testing, see Issue PQC SPHINCS+ certificates.

ServiceNow app support for new certificate types

The ServiceNow app for Trust Lifecycle Manager now supports issuance of public S/MIME and client authentication certificates from Trust Lifecycle Manager certificate profiles created from the following base templates:

Template name (issuing CA) and enrollment / authentication methods:

  • Public Client Authentication (via CertCentral), issued by CertCentral:

    • REST API / 3rd Party app

    • DigiCert Trust Assistant / Manual Approval

  • Public S/MIME Secure Email (via CertCentral), issued by CertCentral:

    • REST API / 3rd Party app

    • DigiCert Trust Assistant / Manual Approval

Issuing these certificate types requires minimum ServiceNow app version 1.4.0 released on June 26, 2024.

For more information, see the ServiceNow integration guide.

Enhancements

Intune template - support for duplicate certificates

Updated the Device Authentication for Microsoft Intune (SCEP) template to support issuance of duplicate certificates (same Subject DN, but different keys and serial number) up to a maximum of 10 valid duplicate certificates.

Discovery and reporting analytics updates

  • Trust Lifecycle Manager now collects cipher information from F5 network appliances during configuration updates.

  • Analytics data for certificates found via automation connectors now includes CA vendor, chaining, and security rating information.

Sensor release 3.9.2

New DigiCert sensor release with bug fixes to remove SOAP dependencies.

June 19, 2024

DigiCert® ONE version: 1.7645.2 | Trust Lifecycle Manager: 1.3030.0

New

Custom Enhanced Key Usage (EKU) extensions for private certificates

Private trust certificate profiles now allow for configuration of an Enhanced Key Usage (EKU) extension with custom OID values that will be added at the time of certificate signing by the DigiCert® CA Manager application.

This feature is only supported for private certificates. The custom EKU OID values cannot match any standard EKU OID value that is not allowed by the base certificate template.

Chef integration

Chef is a configuration management and IT automation tool.

With this release, we are providing guidance and documentation for how to use certificates from Trust Lifecycle Manager as part of a Chef recipe. Sample scripts and procedures for ACME and API-based integration are available from the Integrations > Connectors > Add connector page under the Infrastructure automation category.

For more information, see the Chef connector guide.

Microsoft CA certificates via API

Added support for requesting Microsoft CA certificates via the Trust Lifecycle Manager REST API, using certificate profiles created from the Microsoft CA Private Server Certificate base template and configured with the REST API enrollment method.

Enhancements

Revocation data in certificate details

The certificate details page now shows revocation data (date/time and revocation reason) for certificates that have been revoked.

Agent release 3.0.11

New DigiCert agent release with the following updates:

  • Fixed issue with custom script paths. All custom scripts should now be placed in the user-scripts folder in the agent install directory.

  • Plugin manager ports are now configurable for the agent. Defaults: StompPort = 61613 and ControlPort = 58080.

    Important

    These ports are used for inter-process communication on the local system only. They do not need to be opened on the external firewall.

June 12, 2024

DigiCert® ONE version: 1.7645.1 | Trust Lifecycle Manager: 1.2994.0

Enhancements

Profiles management

Profile rename options

From this release, profiles can be quickly renamed using the "pencil" icon inside the Profiles list and details pages without going through all the profile wizard steps.

LDAP toggle from list

New option to enable/disable the LDAP feature directly from the Profiles list page without going through all the profile wizard steps.

Self-service portal enhancements

Discovery/Imported certificates option

Added a new configuration option to the Settings page for the self-service portal to allow users to search and download Discovery/Imported certificates from both the open and authenticated portals. To enable this feature, select the Allow management of discovered or imported certificates checkbox under the portal settings.

Revocation operation for open portal

Added a new configuration option to the Settings page for the self-service portal to allow users to request revocation of their certificates from the open portal. If enabled, open portal users can submit a certificate revocation request and DigiCert will send an email challenge to the email address listed within the certificate being revoked. The end user (owning the email account for the email address) must click on the link in the email and then enter a revocation reason and confirm the revocation.

Warning

Enable this feature with caution, understanding the risk of being able to revoke someone else’s certificate if you have access to their email account.

F5 BIG-IP LTM connector updates

When adding a new connector, the F5 BIG-IP LTM connector type now supports the ability to:

  • Change the private key storage location.

  • Use the existing client profiles in the Local Traffic Manager (LTM) appliance instead of creating new ones.

  • Create unique ICA files for each automation.

  • Modify the filename format used to create the LTM certificate profile and private key.

June 5, 2024

DigiCert® ONE version: 1.7645.0 | Trust Lifecycle Manager: 1.2971.0

New

Audit log manual integrity check

From this release, all audit log events inside the Audit logs page show a new Check data integrity action that will check the integrity of the log entry. Manually triggering the action will deliver three possible responses:

  • Success: The audit log passed the data integrity check.

  • Failure: The audit log failed to pass the data integrity check.

  • Not available: The audit log data integrity check is not available for this record. This will be delivered for log entries that were generated prior to this release.
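The release note does not describe how the integrity check is implemented, so the following Go program is an added illustration of the three outcomes, not DigiCert's code: each audit event is sealed with an HMAC-SHA256 over its canonical fields under a server-side key, and a later check reports Success, Failure (the record was altered or the key differs) or Not available (the record predates sealing and carries no MAC). The record fields, the key and the HMAC mechanism itself are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// IntegrityResult mirrors the three outcomes the Check data integrity action reports.
type IntegrityResult string

const (
	ResultSuccess      IntegrityResult = "Success"
	ResultFailure      IntegrityResult = "Failure"
	ResultNotAvailable IntegrityResult = "Not available"
)

// AuditEvent is a constructed record shape (assumption, not the product's schema).
// Mac is empty for entries written before integrity protection existed.
type AuditEvent struct {
	ID        int
	Timestamp string
	Actor     string
	Action    string
	Mac       string // hex HMAC-SHA256 over the canonical fields, "" if absent
}

// canonical serializes the protected fields in a fixed order with a separator that
// cannot appear in them, so the MAC does not depend on storage or display formatting.
func canonical(e AuditEvent) []byte {
	return []byte(fmt.Sprintf("%d\x1f%s\x1f%s\x1f%s", e.ID, e.Timestamp, e.Actor, e.Action))
}

// Seal computes the MAC for a new event with the server-side secret key.
func Seal(key []byte, e AuditEvent) AuditEvent {
	m := hmac.New(sha256.New, key)
	m.Write(canonical(e))
	e.Mac = hex.EncodeToString(m.Sum(nil))
	return e
}

// CheckIntegrity recomputes the MAC and compares it in constant time.
func CheckIntegrity(key []byte, e AuditEvent) IntegrityResult {
	if e.Mac == "" {
		return ResultNotAvailable // legacy record: nothing to verify against
	}
	stored, err := hex.DecodeString(e.Mac)
	if err != nil {
		return ResultFailure // a corrupted MAC field is treated as a failed check
	}
	m := hmac.New(sha256.New, key)
	m.Write(canonical(e))
	if hmac.Equal(stored, m.Sum(nil)) {
		return ResultSuccess
	}
	return ResultFailure
}

func main() {
	key := []byte("constructed-demo-key-do-not-use") // assumption: a server-side secret
	ok := Seal(key, AuditEvent{ID: 101, Timestamp: "2024-06-05T10:00:00Z", Actor: "admin@example.test", Action: "profile.create"})
	tampered := ok
	tampered.Actor = "someone-else@example.test" // altered after sealing
	legacy := AuditEvent{ID: 7, Timestamp: "2024-01-02T00:00:00Z", Actor: "admin@example.test", Action: "login"}
	fmt.Println(CheckIntegrity(key, ok), "/", CheckIntegrity(key, tampered), "/", CheckIntegrity(key, legacy))
}
```

The constant-time comparison (hmac.Equal) and the unambiguous canonical encoding are the two details that matter when building a check like this; a plain string comparison or a concatenation without separators would weaken it.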

Enhancements

Public TLS Server (from CC) support for CSR web-based flow

Updated the CertCentral Public Server Certificate template to support a web-based CSR enrollment method that can be authenticated using the below authentication methods:

  • Enrollment Code

  • Manual Approval

  • SAML IdP

Public S/MIME certificate delivery options

For certificate profiles created from the Public S/MIME Secure Email (via CertCentral) template and configured with the non-escrow option, you can now get the issued certificates in either X.509 or PKCS#7 format by selecting it in the Certificate delivery format section of the profile wizard.

Application version via API

New unauthenticated API endpoint (GET /mpki/api/v1/version) to retrieve the Trust Lifecycle Manager application version. The current application version is also displayed at the top of the API documentation.

Certificate import API enhancement to support multiple tags

Enhanced the certificate import API endpoint (POST /mpki/api/v1/certificate-import) to support multiple tags. The previous implementation only supported a single tag for each imported certificate. From this release, tags can be assigned as a single string value (for backward compatibility) or an array of string values.
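The string-or-array shape described above is a common source of client bugs, so here is an added Go example (not DigiCert's code or the documented request schema) showing how a request body with that "tags" field can be decoded and normalized on either side of the API. Only the "tags" behaviour comes from the release note; the "certificate" field name and the normalization rules (trim, drop empties, de-duplicate) are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Tags accepts either a single JSON string ("prod") or an array of strings
// (["prod", "edge"]), the two shapes the release note says the endpoint takes.
type Tags []string

// UnmarshalJSON implements the string-or-array union; null means "no tags".
func (t *Tags) UnmarshalJSON(data []byte) error {
	if string(data) == "null" {
		*t = nil
		return nil
	}
	var single string
	if err := json.Unmarshal(data, &single); err == nil {
		*t = Tags{single} // legacy single-string form
		return nil
	}
	var many []string
	if err := json.Unmarshal(data, &many); err != nil {
		return errors.New("tags must be a string or an array of strings")
	}
	*t = Tags(many)
	return nil
}

// ImportRequest is a hypothetical body for POST /mpki/api/v1/certificate-import:
// only "tags" is described by the release note; the "certificate" field name is
// an assumption for this example, not the documented schema.
type ImportRequest struct {
	Certificate string `json:"certificate"`
	Tags        Tags   `json:"tags"`
}

// ParseImportRequest decodes the body and normalizes tags: trims whitespace,
// drops empty entries and duplicates, and rejects a body with no certificate.
func ParseImportRequest(body []byte) (ImportRequest, error) {
	var req ImportRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return ImportRequest{}, err
	}
	if strings.TrimSpace(req.Certificate) == "" {
		return ImportRequest{}, errors.New("certificate is required")
	}
	seen := make(map[string]bool)
	clean := Tags{}
	for _, tag := range req.Tags {
		tag = strings.TrimSpace(tag)
		if tag == "" || seen[tag] {
			continue
		}
		seen[tag] = true
		clean = append(clean, tag)
	}
	req.Tags = clean
	return req, nil
}

func main() {
	// Constructed sample bodies: the legacy single-string form, the array form, and an invalid one.
	for _, body := range []string{
		`{"certificate":"-----BEGIN CERTIFICATE-----...","tags":"prod"}`,
		`{"certificate":"-----BEGIN CERTIFICATE-----...","tags":["prod"," edge ","prod",""]}`,
		`{"certificate":"-----BEGIN CERTIFICATE-----...","tags":42}`,
	} {
		req, err := ParseImportRequest([]byte(body))
		fmt.Printf("tags=%v err=%v\n", req.Tags, err)
	}
}
```

Implementing the union as a custom UnmarshalJSON keeps the backward-compatible handling in one place, so every handler that reads the request sees a plain slice regardless of which form the client sent.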

Inline help for connector configuration

Added contextual help for add and edit connector flows to guide users about prerequisites, installation, and configuration steps.

Additional DNS integrations for Let's Encrypt CA connector

Extended the following DNS integrations to support automated domain control validation for Let's Encrypt CA connectors:

  • Digital Ocean

  • Google DNS

Sensor release 3.9.1

New DigiCert sensor release with enhancements and fixes to support new sensor-based integrations.

Agent release 3.0.10

New DigiCert agent release with fixes and SNI script support.

Fixes

User seats with added timestamp for CMP flow

Resolved issue with User seats being created with an appended timestamp for public S/MIME certificates issued from profiles based on the Public S/MIME Secure Email using CMP (via CertCentral) certificate template.

Incorrect validity period when renewing certificate via API

Resolved issue with an incorrect validity period when renewing a certificate via the REST API after the validity period in the profile had been modified before the renewal request was submitted.

Expiration graph issue

Resolved issue with the expiration graph in the Dashboard page not showing data for Discovery certificates not yet bound to a business unit.

Duplicate certificate issue via SCEP flow

Resolved issue with duplicate certificates not being issued via the SCEP enrollment flow.

PKI Platform 8 integration issues

Resolved public S/MIME synchronization issue with PKI Platform 8. Resolved issue with using Seat GUID instead of Seat ID.

Imported certificates suspension issue

Resolved issue with not being able to suspend certificates that were bound to an Imported seat type.

May 22, 2024

DigiCert® ONE version: 1.7460.3 | Trust Lifecycle Manager: 1.2904.0

Enhancements

Azure Key Vault versioning support

With this release, the Azure Key Vault connector type allows users to configure how certificates should be delivered to the vault using the following options:

  • Unique names: Use a unique identifier for each certificate delivered.

  • Common names: Use common names to group certificates issued over time.

iOS-iPadOS enrollment flow for Safari only

For users enrolling for certificates via the iOS-iPadOS enrollment method, an error message will now be displayed on the Apple device if using a non-Safari web browser.

Profile API endpoint documentation update

Updated the API documentation for the POST profile API endpoint to include the IDs for the three supported "Generic" certificate templates that can be used to create profiles with this API endpoint.

Fixes

Public S/MIME revocation issue

Resolved issue with not being able to revoke a public S/MIME certificate issued from CertCentral.

Duplicate device certificates via SCEP

Resolved issue with not being able to issue duplicate device certificates via the SCEP protocol. A new certificate was being issued instead.

May 8, 2024

DigiCert® ONE version: 1.7460.1 | Trust Lifecycle Manager: 1.2855.0

New

Issuance of PQC Dilithium certificates

Support for issuance and lifecycle operations (revoke, suspend/resume, or recover) of post-quantum cryptography (PQC) Dilithium certificates with the below key sizes and signing algorithms, using certificate profiles created from any of the three "Generic" base templates or the Private S/MIME Secure Email template:

Key type: MLDSA

Key sizes / Signing algorithms:

  • MLDSA-44

  • MLDSA-65

  • MLDSA-87

Issuance supports the following enrollment methods and associated authentication methods, depending on the base template used to create the certificate profile:

Templates and enrollment methods:

  • Generic Device Certificate, Generic Private Server Certificate, Generic User Certificate:

    • CSR

    • EST

    • REST API

  • Private S/MIME Secure Email:

    • CSR

    • REST API

For more information and CSRs/keys for testing, see Issue PQC Dilithium certificates.

iOS enrollment method for web authentication

New iOS enrollment method to support a web-based solution for direct provisioning of certificates to Apple iOS/iPadOS devices without the need to deploy a full-scale MDM/UEM solution.

For the initial release, administrators can specify the Web Authentication use case, which triggers the installation of a digitally signed .mobileConfig file on the target Apple device. Subsequent releases will support additional use cases including VPN, WiFi, and ActiveSync.

For more information, see Configure iOS/iPadOS enrollment via SCEP.

ServiceNow CMDB integration

New integration supports pushing and synchronizing certificates to the ServiceNow configuration management database (CMDB) via two different methods that can be enabled by account administrators:

  • Copy certificates to the CMDB table when requested and approved through the ServiceNow app.

  • Copy certificates from the Trust Lifecycle Manager inventory to the ServiceNow CMDB table.

The CMDB integration features require minimum version 1.3.0 of the ServiceNow app for Trust Lifecycle Manager.

For more information, see the ServiceNow integration guide.

Self-service portal (SAML-authenticated)

The self-service portal now allows users to perform lifecycle management actions on certificates they own after authenticating against their SAML identity provider (IdP). Authentication relies on a unique email address being sent by the SAML IdP to DigiCert’s SAML service provider and used to search for certificates that contain that email address in the SDN:email or SAN:rfc822Name fields.

Account administrators can configure the lifecycle actions that end users are allowed to perform on their certificates. Depending on the type of certificate, available actions may include:

  • Revoke

  • Suspend/Resume

  • Recover

To be visible, certificates must be issued from a profile with the self-service portal option enabled and one of the following enrollment methods:

  • Browser PKCS12

  • CMP

  • CSR

  • DigiCert Trust Assistant

  • EST

  • Microsoft Autoenrollment

  • REST API

  • SCEP

In addition, authenticated users can enroll their own certificates and pick up an approved certificate from the self-service portal for web-based profiles that have the self-service portal feature enabled and one of the following authentication methods:

  • Enrollment code

  • Manual approval

  • SAML IdP

Authorized administrators with the SSP manager role can configure the self-service portal from the Trust Lifecycle Manager Settings menu, where they can enable/disable either the open or authenticated self-service portal, manage the allowed actions for the authenticated portal, and get the portal URLs and QR codes to share with end users.

Note

A future release will include a "Renewal" action and the ability to manage Discovery/Imported certificates from the self-service portal.

API endpoint for profile creation

New POST profile REST API endpoint allows for creation of certificate profiles from the "Generic" base templates and configured for the REST API enrollment method and 3rd Party app authentication method.

For details, see the API endpoint documentation.

DigiCert Trust Assistant qualification for macOS Ventura and Sonoma

DigiCert Trust Assistant v1.1.5 has been formally qualified with both macOS Ventura and Sonoma releases.

SaltStack support

SaltStack is a configuration management and orchestration tool. With this release, we are providing guidance and documentation for how to use certificates from Trust Lifecycle Manager as part of a Salt automation script. Sample scripts for ACME and API-based integration are available from the Integrations > Connectors > Add connector page under the Infrastructure automation category.

For more information, see the SaltStack connector guide.

Ansible integration

Ansible is a suite of software tools that enables infrastructure as code. It is open-source and includes software provisioning, configuration management, and application deployment functionalities.

With this release, we are providing guidance and documentation for how to use certificates from Trust Lifecycle Manager as part of an Ansible playbook. A sample playbook and instructions for including it in your Ansible projects are available from the Integrations > Connectors > Add connector page under the Infrastructure automation category.

For more information, see the Ansible connector guide.

mTLS integration with Istio using cert-manager

DevOps administrators can now configure mTLS for pod-to-pod communication between their Kubernetes workloads using Istio and cert-manager. Trust Lifecycle Manager integrates with cert-manager over ACME to issue private certificates from DigiCert® CA Manager for automated service mesh configuration via Istio.

To support this integration, administrators can create a certificate profile from the new CA Manager Private mTLS Certificate base template. A sample configuration file and instructions for enabling the integration are available from the Integrations > Connectors > Add connector page under the Infrastructure automation category.

For more information, see the Istio connector guide.

Policy notifications for discovered certificates

As part of this release, we introduced the ability for administrators to define notification policies for discovered certificates. Any newly discovered certificates matching the user-defined criteria will trigger a notification. To select certificates to notify about, administrators can apply boolean operators against a list of options including the:

  • Subject DN

  • Common name/SAN

  • CA vendor

  • Security rating

  • Signature algorithm (e.g. SHA256WITHRSA)

  • Key size

  • Cipher

  • Tags

  • Issuing CA

Administrators can clone the default discovery notification template to define specific criteria, recipients, and email content. They also have an option to combine multiple events in one email. This allows users to configure multiple policies to identify exceptions. The above criteria are also extended to existing expiry notices for discovered certificates from the following notification templates:

  • Discovered certificate (New)

  • Discovered certificate expiring

  • Discovered certificate expired
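To make the boolean-criteria idea concrete, the following Go program is an added example (not DigiCert's implementation) of a small policy evaluator: individual criteria over a subset of the fields listed above (signature algorithm, key size, CA vendor, tags) are combined with And/Or/Not and run over a constructed set of newly discovered certificates to decide which ones would trigger a notification. The record shape, the policy names and the sample certificates are all constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// DiscoveredCert is a constructed record carrying some of the fields the
// release note lists as policy criteria.
type DiscoveredCert struct {
	CommonName string
	CAVendor   string
	SigAlg     string
	KeySize    int
	Tags       []string
}

// Criterion is one boolean test over a discovered certificate.
type Criterion func(c DiscoveredCert) bool

func SigAlgIs(alg string) Criterion { return func(c DiscoveredCert) bool { return strings.EqualFold(c.SigAlg, alg) } }

func KeySizeBelow(bits int) Criterion { return func(c DiscoveredCert) bool { return c.KeySize < bits } }

func CAVendorIs(v string) Criterion { return func(c DiscoveredCert) bool { return strings.EqualFold(c.CAVendor, v) } }

func HasTag(tag string) Criterion {
	return func(c DiscoveredCert) bool {
		for _, t := range c.Tags {
			if strings.EqualFold(t, tag) {
				return true
			}
		}
		return false
	}
}

// And, Or and Not combine criteria the way the policy editor's boolean operators do.
func And(cs ...Criterion) Criterion {
	return func(c DiscoveredCert) bool {
		for _, f := range cs {
			if !f(c) {
				return false
			}
		}
		return true
	}
}

func Or(cs ...Criterion) Criterion {
	return func(c DiscoveredCert) bool {
		for _, f := range cs {
			if f(c) {
				return true
			}
		}
		return false
	}
}

func Not(f Criterion) Criterion { return func(c DiscoveredCert) bool { return !f(c) } }

// Policy names a criterion and the recipients to notify when it matches.
type Policy struct {
	Name       string
	Match      Criterion
	Recipients []string
}

// Evaluate returns, per policy name, the common names of newly discovered
// certificates that would trigger that policy's notification.
func Evaluate(policies []Policy, discovered []DiscoveredCert) map[string][]string {
	hits := make(map[string][]string)
	for _, p := range policies {
		for _, c := range discovered {
			if p.Match(c) {
				hits[p.Name] = append(hits[p.Name], c.CommonName)
			}
		}
	}
	return hits
}

// SamplePolicies and SampleDiscovered are constructed inputs for the demo.
func SamplePolicies() []Policy {
	return []Policy{
		{Name: "weak-crypto", Match: Or(SigAlgIs("SHA1WITHRSA"), KeySizeBelow(2048)), Recipients: []string{"pki-team@example.test"}},
		{Name: "untracked-prod", Match: And(HasTag("prod"), Not(CAVendorIs("DigiCert"))), Recipients: []string{"secops@example.test"}},
	}
}

func SampleDiscovered() []DiscoveredCert {
	return []DiscoveredCert{
		{CommonName: "legacy.example.test", CAVendor: "Internal CA", SigAlg: "SHA1WITHRSA", KeySize: 2048, Tags: []string{"legacy"}},
		{CommonName: "api.example.test", CAVendor: "DigiCert", SigAlg: "SHA256WITHRSA", KeySize: 4096, Tags: []string{"prod"}},
		{CommonName: "iot.example.test", CAVendor: "Unknown", SigAlg: "SHA256WITHRSA", KeySize: 1024, Tags: []string{"prod"}},
	}
}

func main() {
	for name, cns := range Evaluate(SamplePolicies(), SampleDiscovered()) {
		fmt.Printf("%s -> %v\n", name, cns)
	}
}
```

Expressing each criterion as a predicate makes a policy a small composable expression, which is also what makes it easy to unit-test a rule before pointing real notifications at it.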

Enhancements

Duplicate certificates option for Public S/MIME Secure Email (via CertCentral) template

Certificate profiles created from the Public S/MIME Secure Email (via CertCentral) base template now allow configuration of the “Allow duplicate certificates” option. Previously, the option was set to “Yes” and could not be disabled.

IAN extension for web-based enrollment flows

From this release, we extend support for the Issuer Alternative Name (IAN) extension to the following web-based enrollment flows:

  • Browser PKCS12

  • CSR

  • DigiCert Trust Assistant

Note

The IAN extension is only supported by the Generic User Certificate base template. Previously, it was only enabled when using the REST API enrollment method with 3rd Party app authentication.

Self-service portal enhancements

  • Added the ability to enable or disable the self-service portal (SSP) option from the main Profiles table, instead of having to edit each profile individually.

  • Added the ability to view/copy the self-service portal URL from the profile details page (Advanced settings > Self-service portal section) when the feature is enabled.

  • Added more detailed instructions to the self-service portal page to help end users search for and download their certificates.

SAML service provider enhancements

From this release, we support the following SAML service provider (SP) enhancements for profiles configured with the SAML IdP authentication method and the new SAML-authenticated self-service portal.

Signing options

Two new SAML service provider signing options are displayed for profiles configured with the SAML IdP authentication method:

  • Sign SAML assertion

  • Sign SAML response

The default configuration has both options checked, but they can be unchecked. However, not every SAML IdP vendor supports receiving unsigned SAML assertions and responses from service providers. If in doubt, check with your SAML IdP vendor before configuring these options.

Generate new SAML Service Provider certificate

A new Generate new SAML SP certificate button is displayed on the profile details SAML configuration options section. This button can be used at any time to generate a new DigiCert SAML service provider (SP) certificate and view its expiration period. When selected, a warning message prompts the user for confirmation before revoking the current SP certificate and issuing a new one.

For profiles configured with the SAML IdP authentication methods, the profile will go into Action needed state when the SAML SP certificate expires. To restore the profile to active status, use the new Generate new SAML SP certificate function to get a new certificate.

Warning

After generating a new SAML SP certificate, the profile will stop authenticating requests against your SAML identity provider (IdP) until you reconfigure your IdP settings with the new SAML SP certificate. It will also stop working if the SAML SP certificate is allowed to expire.

Custom certificate report enhancements

Enhanced the custom certificate CSV reports with three new fields, under two of the sections:

Other extensions

  • Security Identifier

  • Issuer Alternative Name (containing a directory name value)

Subject Alternative Name (SAN) extension

  • Directory name

Profile wizard - custom extensions

Enhanced the Custom extensions section in the profile wizard (used by the "Generic" templates) to deliver a better user experience and only show the details of the custom extension section if a user selects the new Add custom extensions button.

Fixes

DigiCert Trust Assistant - S/MIME decryption failures

Resolved an issue where encrypted emails could not be decrypted via the DigiCert Trust Assistant client; version 1.1.6 of the client is required for the fix.

Incorrect authentication method for CMP template

Resolved regression bug with incorrectly showing an authentication method that is not supported by the Public S/MIME Secure Email using CMP (via CertCentral) limited template.

Profile creation issue with Public Client Authentication template

Resolved an issue with not being able to create new profiles based on the Public Client Authentication (via CertCentral) template.

Stale data in seat and certificate graphs

Resolved an issue with showing stale data in the seat and certificate usage graphs on the Dashboard page.

April 3, 2024

DigiCert® ONE version: 1.7277.0 | Trust Lifecycle Manager: 1.2722.0

New

"Uploaded certificates expiration" email notification

New Uploaded certificates expiration email notification template that can be used to send renewal email reminders for certificates uploaded into Trust Lifecycle Manager from an external system using the REST API or DigiCert Certificate Import Tool (available upon request). The renewal reminder gets triggered at configurable notice windows based on "tags" applied to the uploaded certificates.

This new notification replaces the functionality previously available from the Settings > Uploaded certificates expiration page for customers with Imported or Discovery seats.

For more information, see Configure custom email notifications for certificate expiration.

SHA3 signing algorithms

Added SHA3 support for the following certificate templates and enrollment methods:

Templates:

  • Generic Device Certificate

  • Generic Private Server Certificate

  • Generic User Certificate

Enrollment methods:

  • CSR

  • EST

  • REST API

  • SCEP

SHA3 signing algorithms:

  • SHA3_256withRSA

  • SHA3_384withRSA

  • SHA3_512withRSA

Azure Key Vault - discovery

New options to enable key vault discovery when adding or editing an Azure Key Vault connector in Trust Lifecycle Manager. This feature allows users to discover certificates in one or more key vaults associated with the connector. When enabled, users can:

  • Discover all valid and expired certificates in key vaults.

  • Update status of deleted and recovered certificates.

Azure Key Vault - remove

New option in the Inventory view to remove a certificate from a key vault. Administrators can access this option from the actions (three dots) menu for certificates present in a key vault.

Let's Encrypt - revoke certificate

Administrators can now revoke certificates issued via Let's Encrypt CA connectors. Certificates can be revoked via:

  • The Trust Lifecycle Manager Inventory view.

  • A third-party ACME client.

Enhancements

Profile wizard - certificate preview

Ability to preview the content of a certificate as you work through the profile wizard steps, including the entire CA hierarchy that will be used to sign the certificate, for certificate profiles that use issuing CAs hosted in the DigiCert® CA Manager application.

EST authentication

New EST authentication options available for all three "Generic" certificate templates (Generic Device, Generic Private Server, and Generic User):

Global enrollment code

Extended the enrollment code authentication method to optionally allow the configuration of a global enrollment code that can be used to authenticate all incoming EST client requests.

Certificate-based authentication

Added support for certificate-based client authentication via a new authentication method called TLS Certificate Auth. This option requires that you first upload the certificates of CAs trusted to issue client authentication certificates, via the Account > Root CAs page. To authenticate, EST clients must present a certificate signed by one of these trusted CAs.

For more information, see Configure and test EST.
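What "EST clients must present a certificate signed by one of these trusted CAs" means at the TLS layer is shown by the following added Go example, which is not DigiCert's EST implementation: an in-process TLS server requires and verifies a client certificate against a pool holding one trusted CA (standing in for the CA uploaded under Account > Root CAs), then a client certificate issued by that CA is accepted while one with the identical subject issued by a different ("rogue") CA is refused. The CA names, client names and the use of the same CA for the demo server's own certificate are assumptions for the example; it needs loopback networking to run.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate with a fresh P-256 key; parent == nil produces a self-signed CA.
func newCert(cn string, parent *tls.Certificate, eku x509.ExtKeyUsage) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // assumption: unique enough for a demo
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     []string{"localhost"}, // lets the demo server pass hostname verification
	}
	signerCert, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// handshake runs one TLS connection over loopback. The server stands in for an EST endpoint with
// TLS Certificate Auth: it requires a client certificate and verifies it only against trustedCA.
func handshake(trustedCA, server, client tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the TLS Certificate Auth requirement
		ClientCAs:    pool,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var cn string
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			if err = conn.(*tls.Conn).Handshake(); err == nil { // "unknown authority" for a rogue-issued client
				cn = conn.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		done <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ // server cert is from trustedCA too
		RootCAs: pool, ServerName: "localhost", Certificates: []tls.Certificate{client},
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if err := <-done; err != nil {
		return "", err
	}
	return cn, nil
}

func must(c tls.Certificate, err error) tls.Certificate {
	if err != nil {
		panic(err)
	}
	return c
}

func main() {
	ca := must(newCert("Corp Device CA", nil, 0))
	rogue := must(newCert("Rogue CA", nil, 0))
	server := must(newCert("est.example.test", &ca, x509.ExtKeyUsageServerAuth))
	good := must(newCert("est-client-01", &ca, x509.ExtKeyUsageClientAuth))
	bad := must(newCert("est-client-01", &rogue, x509.ExtKeyUsageClientAuth)) // same CN, rogue issuer
	fmt.Println(handshake(ca, server, good)) // est-client-01 <nil>
	fmt.Println(handshake(ca, server, bad))  // "" and a verification error
}
```

The point the second handshake makes is that the subject name alone proves nothing; only the issuer chain back to a CA you uploaded does, which is why the Root CAs list should contain exactly the CAs you intend to accept client certificates from.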

DigiCert Trust Assistant release v1.1.5

New DigiCert Trust Assistant release with the following updates.

Client enhancements:

  • Importing/exporting a PKCS#12 / PKCS#7 / GLCK certificate with its CA(s) on Windows CAPI now imports the CA chain certificates into the respective trusted root and intermediate CA stores in CAPI, with various configurable options (Windows only).

  • Functionality to rerun the post-processing scripts associated with a certificate/profile in case the scripts fail to execute at the time of certificate enrollment/renewal.

  • Added new system-level notifications (via a notification message within the client) to inform users about failed post-processing scripts, with enhanced error messaging about the script failures in the DigiCert Trust Assistant user interface and logs.

  • Enhanced software auto update flow to reduce the number of alerts in case of network communication failures.

Outlook post-processing script — multiple accounts:

  • Enhanced the Outlook system post-processing script to support Outlook instances with more than one configured email account, based on email matching from the certificate SubjectDN:email and/or SAN rfc822Name fields.

Mixed key types for CA and end-entity certificates:

  • DigiCert Trust Assistant can now handle certificate issuance/renewal flows with the following CA/end-entity key type combinations, for DigiCert Trust Assistant profiles configured with:

    • An RSA CA and end-entity certificates with key types of RSA, RSAPSS or ECDSA.

    • An ECDSA CA and end-entity certificates with key types of RSA or ECDSA.

Non-supported browsers:

  • If a DigiCert Trust Assistant-based enrollment or renewal is attempted on a browser that is not officially supported by DigiCert, a warning message will be shown on the enrollment/renewal page. The flow is not blocked; only the warning message is shown.

Certificate delivery format:

  • When configuring a DigiCert Trust Assistant non-escrow profile from any of the Public S/MIME templates, the default certificate delivery format will now be PKCS#7.

  • For profiles configured with delivery of the certificate with the CA chain, DigiCert Trust Assistant will automatically install the root/intermediate CA certificates into the respective Windows stores in CAPI.

Fixes

Public S/MIME profile creation

Resolved issue with not being able to create certificate profiles from the Public S/MIME templates.

CertCentral connector

Addressed a problem where users were unable to add a new CertCentral connector using username and password credentials. This update restores the functionality, allowing for seamless CertCentral connector configurations.

Tomcat automation failing

Resolved certificate lifecycle automation issue with Apache Tomcat on Windows.

March 20, 2024

DigiCert® ONE version: 1.7083.4 | Trust Lifecycle Manager: 1.2674.0

New

Sensor release v3.9.0

New DigiCert sensor release with the following updates:

  • Refactored sensor-to-Trust Lifecycle Manager communication from SOAP to REST.

  • Stability fixes.

Enhancements

Enhanced automation actions

Optimized certificate lifecycle workflow actions on the Inventory page:

  • Switch action allows switching a deployed certificate to any supported CA (previously "Switch to DigiCert").

  • Request a certificate action allows users to issue a new certificate from the same CA.

  • Renew/Reissue actions remain unchanged for CAs that support them.

Streamlined SAML web enrollment flow

Streamlined the SAML-based web enrollment flows to bypass the “Create enrollment” step if no user input is required and the “Cloud Key Escrow” option is disabled in the profile. This streamlined SAML enrollment flow only presents a single page ("Install certificate").

If the “Cloud Key Escrow” option is enabled in the profile (e.g. for S/MIME use cases), the intermediate page is still shown, with a warning alerting the user that the private key will be escrowed in the cloud. We renamed this page from "Create enrollment" to "Enrollment request" and its button from "Create" to "Submit".

"Enrollment status change" email template for enrollment code flows

Profiles configured with the Enrollment code authentication method now have access to an additional email template that can be enabled in the Email configuration and notifications section of the profile to notify end users when their enrollment status changes from "created" to "rejected", "expired", or "redeemed". We renamed this notification type from "Enrollment status is either rejected or expired" to Enrollment status change (rejected, expired, redeemed).

Fixes

Inventory page issue due to deleted profiles

Resolved issue with the Inventory page not loading properly when encountering certificate profiles that had been deleted.

Certificate delivery format for Public S/MIME (via CertCentral) API requests

Resolved issue with incorrect certificate delivery format for profiles configured from the Public S/MIME Secure Email (via CertCentral) template using the "REST API" enrollment method and with the “Cloud Key Escrow” option disabled (i.e. non-escrow).

SCEP URL with additional "/" character

Resolved issue with the SCEP service no longer accepting SCEP requests containing a “/” character at the end of the "pkiclient.exe" resource inside the URL (e.g. "https://one.digicert.com/mpki/api/v1/scep/<profile-guid>/cgi-bin/pkiclient.exe/?operation=GetCACert").

Sensor list not being sent to agent

Resolved issue with the sensor list not being pushed to agents when a sensor is added or removed. This fix ensures that proxied agents have the latest sensor list available for failover scenarios.

Unable to change "start now" scan to scheduled

Resolved issue with being unable to edit a "start now" network scan to use the "schedule for later" option instead.

March 13, 2024

DigiCert® ONE version: 1.7083.2 | Trust Lifecycle Manager: 1.2639.0

Enhancements

Multiple CertCentral connectors

Added support for more than one CertCentral CA connector:

  • Connect to multiple CertCentral accounts across US and EU regions.

  • For each connector, map the CertCentral divisions for imported certificates to respective business units in Trust Lifecycle Manager.

  • When creating certificate profiles from a CertCentral CA connector, set the CertCentral division to use to issue new certificates from each profile.

For more information, see DigiCert CertCentral.

Fixes

Duplicate certificate issue

Resolved issue with issuing duplicate certificates for public products when passing the orderid in the request URL.

March 7, 2024

DigiCert® ONE version: 1.7083.1 | Trust Lifecycle Manager: 1.2616.0

Fixes

Disabled enrollment methods

Resolved issue with not being able to create profiles from the "Generic" and "Private S/MIME" certificate templates due to the enrollment method dropdown being disabled.

March 6, 2024

DigiCert® ONE version: 1.7083.0 | Trust Lifecycle Manager: 1.2609.0

New

Self-service portal

New public-facing web portal allows end users to search for and download certificates associated with profiles for which the Self-service portal option has been enabled by an authorized administrator.

Profiles configured with the following web-based enrollment methods support this new self-service option:

  • Browser PKCS12

  • CSR

  • DigiCert Trust Assistant

  • EST

  • Microsoft Autoenrollment

  • REST API

  • SCEP

Authorized administrators can use the Account > Settings > Self-service portal menu function to enable or disable access to the self-service portal and get the portal URL or QR code to share with end users.

The self-service portal can also inherit custom branding configured via the Account > Settings > Branding menu function.

Notice

The Self-service portal feature must be enabled on your account.

Currently, the self-service portal is only available in English. Support for additional languages will be added soon.

For more information, see Self-service portal.

Sensor release v3.8.66

New DigiCert sensor release with the following updates:

  • Bug and stability fixes for F5 BIG-IP network appliances.

Enhancements

DigiCert Autoenrollment Server enhancements

Updated the DigiCert Autoenrollment Server to version 2.24.2.0 with the following enhancements:

  • Custom private extensions that can be used to dynamically retrieve values from Active Directory based on the profile configuration.

  • New Subject Distinguished Name (DN) fields:

    • Title

    • Given name

    • Surname

    • DN qualifier

For more information, see the DigiCert Autoenrollment Server guide.

Upload PKCS12 certificates

Enhanced the REST API certificate-import endpoint and the DigiCert Import Tool (available from your DigiCert representative upon request) to support uploading end-entity escrowed certificates (PKCS#12 files with their passwords) into a specified business unit, with or without their issuing CA being previously loaded and configured into your account.

Uploaded certificates get automatically bound to one of the below seat types based on whether the issuing CA is available in your account or not:

  • Imported seats: For certificates (whether escrowed or not) with their associated issuing CAs available in your account. Authorized administrators can manage lifecycle operations for these certificates in Trust Lifecycle Manager (for example, revoke, suspend/resume, or recover). Available management actions depend on the type of certificate uploaded.

  • Discovery seats: For certificates without their associated issuing CAs available in your account. Authorized administrators with the appropriate Key Recovery role can download and recover this type of certificate in Trust Lifecycle Manager.

For more information, see Import externally issued certificates using the API.

eIDAS Natural Person - additional Subject DN fields

Added support for the Organization Identifier and Organization Unit Subject Distinguished Name (DN) fields to the following two eIDAS Natural Person certificate templates:

  • eIDAS Electronic Signature Certificate (Natural Person with QSCD)

  • eIDAS Electronic Signature Certificate (Natural Person)

Notice

Contact your administrator if these certificate templates are not available in your account and you need access to them.

Certificate delivery format profile enhancement

For profiles configured to use a self-signed issuing CA, we enhanced the Additional options: Certificate delivery format step in the profile configuration wizard to dynamically hide the Include CA chain with Root CA and Include CA chain without Root CA PKCS#7 options.

Cause and solution for agent automation errors

Enhanced error messaging to show errors and recommended solutions to help users quickly remediate and retry issues with certificate lifecycle automations managed via DigiCert agents.

Support for CertCentral duplicate certificates

Added support for issuing duplicate certificates from CertCentral during automation events, by selecting the new "get duplicate certificate" option when scheduling the automation. If selected, the request is passed on to CertCentral and the CA there will issue a duplicate if a matching certificate is found. If no match is found, a new order gets created instead.

This feature must be enabled on a per-account basis and is available for certificate profiles configured with the following enrollment methods:

  • Admin web request

  • DigiCert agent

  • DigiCert sensor

  • 3rd-party ACME client

Notice

To issue a duplicate certificate from an existing CertCentral order, make sure all these conditions are met:

  • Order is active, already had a certificate issued, and has enough remaining validity to fulfill the request.

  • Selected certificate profile is for the same product and organization, and organization is currently validated.

  • Requested common name matches the order, and any requested SANs match or are a subset of the order.

  • None of the requested domains include wildcards.

Fixes

Profile cloning issue with SCEP

Resolved issue with SCEP-based cloned profiles not retaining all the SCEP configuration.

February 21, 2024

DigiCert® ONE version: 1.6887.3 | Trust Lifecycle Manager: 1.2554.0

Fixes

Scheduled report issue

Resolved the issue with not being able to generate scheduled certificate reports.

Issuer Alternative Name (IAN) issue

Resolved an issue with signing certificates with an empty value inside the Issuer Alternative Name (IAN) extension, for certificate profiles configured from templates that support this extension.

ServiceNow app

Version 1.2.1

Released ServiceNow Trust Lifecycle Manager app version 1.2.1 to support the ServiceNow Washington release.

This release also resolves the issue with DigiCert email notifications getting sent out when creating approvals for any source table.

For more details, check the app listing in the ServiceNow Store.

February 14, 2024

DigiCert® ONE version: 1.6887.2 | Trust Lifecycle Manager: 1.2527.0

Enhancements

Public Client Authentication (via CertCentral) template

Enhanced the Public Client Authentication (via CertCentral) template to support a new CertCentral product type called Client Authentication Email Subject:

  1. Added support for additional Subject Distinguished Name (DN) fields:

    • Email

    • Organization unit (multiple)

  2. Added support for the CSR enrollment method.

  3. The Key usage and Extended key usage fields are now pre-selected and disabled, since the new CertCentral product type always includes them.

Warning

Important Notes

  • In order to support these new fields, you must enable the new CertCentral Client Authentication Email Subject product type and have enough certificate units assigned to it, matching the required User seats in Trust Lifecycle Manager.

  • Existing certificate profiles in Trust Lifecycle Manager will continue to work, but we strongly recommend that you contact your DigiCert representative to reassign your CertCentral certificate units to the new product type and benefit from the new features.

This release also resolves the known issue raised in the previous release related to the SAN:rfc822Name value not being included within the signed certificate.

Audit logs for CMP protocol

Enhanced the Audit logs to cover certificate lifecycle operations performed via the CMP protocol, using the existing audit log resources and event types, for the Public S/MIME Secure Email using CMP (via CertCentral) template ("Limited" scope).

Fixes

Certificate renewal issue

Resolved regression issue that prevented the renewal of certificates that contained a State field within the Subject Distinguished Name (DN).

Issuer Alternative Name (IAN) issue

Resolved issue with not being able to include the Issuer Alternative Name (IAN) extension in signed certificates.

February 7, 2024

DigiCert® ONE version: 1.6887.0 | Trust Lifecycle Manager: 1.2499.0

New

New CA support - Let's Encrypt

Added support for issuance of public TLS certificates from the Let's Encrypt CA using the following enrollment methods:

  • DigiCert agent (all supported applications)

  • DigiCert sensor (support for F5 BIG-IP LTM, AWS ELB, and AWS CloudFront)

  • 3rd-party ACME client

Added a new certificate template (Let's Encrypt Public Server Certificate), a new Let's Encrypt connector, and a new Sensor release (v3.8.65) to support automation flows for Let's Encrypt certificates.

To learn more, see Let's Encrypt.

Warning

Known limitation: Sensor-based automation using Let’s Encrypt is not supported for A10 or Citrix ADC network appliances.

Branding - themes

Extended our branding capabilities, allowing further customization of public-facing enrollment pages with different color themes based on the following configurable items:

  • Font family

  • Base font size

  • Info/helper text color

  • Link color

  • Footer text color

An enhanced preview functionality is also available to show the look and feel after applying the theme configuration.

Configure this new feature from the Settings > Branding > Theme selection page.

Fixes

Public S/MIME using CMP issue

Resolved an issue with certificates not being issued when using the Public S/MIME Secure Email using CMP (via CertCentral) template.

REST API certificate issuance issue

Resolved an issue that prevented certificate issuance when the REST API-based certificate profiles were set with a mix of fixed and dynamic Subject DN fields.

February 2, 2024

DigiCert® ONE version: 1.6665.8 | Trust Lifecycle Manager: 1.2472.0

Fixes

Sensor-based automation of CertCentral certificates

Resolved an issue with CertCentral CA connectors impacting sensor-based automation flows.

February 1, 2024

DigiCert® ONE version: 1.6665.7 | Trust Lifecycle Manager: 1.2469.0

New

Citrix Federated Authentication Service (FAS) integration

New set of certificate templates available to support integration with Citrix Federated Authentication Service (FAS) for issuance of private authentication certificates onto virtual machines via the DigiCert Autoenrollment Server (version 2.24.1.0 required).

The integration requires three certificate profiles in Trust Lifecycle Manager, one each created from the three new templates:

  • Citrix FAS Registration Authority Manual Authorization (Server seat type): Enables Citrix Federated Authentication Service to issue “Citrix FAS Registration Authority” certificates. This template is not used during the integration but is required to proceed.

  • Citrix FAS Registration Authority (Server seat type): Enables Citrix Federated Authentication Service to issue certificates on behalf of Citrix users in your Active Directory domain.

  • Citrix FAS Smartcard Logon (User seat type): Enables Citrix Federated Authentication Service to issue certificates to Citrix users in your Active Directory domain.

For details about how to set up the integration, see Citrix FAS.

Cloud key escrow and recovery for “Public S/MIME Secure Email (via CertCentral)” template

Added support for cloud key escrow and recovery of end-user public S/MIME sponsor-validated certificates issued from CertCentral using the existing Public S/MIME Secure Email (via CertCentral) template, for these enrollment methods:

  • Browser PKCS12

  • DigiCert Trust Assistant

  • REST API

Key recovery can be initiated by authorized administrators or API users with the Trust Lifecycle Manager "Recovery manager" role enabled. Certificate profiles can be configured to force a dual-admin recovery flow, where two account administrators (or API users) are required to complete the recovery of an end-user escrowed certificate.

Public client authentication

Added support for issuance of public client authentication certificates from a CertCentral-shared issuing CA that chains up to a trusted root CA, using the new Public Client Authentication (via CertCentral) template in Trust Lifecycle Manager. This template consumes CertCentral certificate units from the "Authentication Plus" product type and supports the following enrollment methods and their associated authentication methods:

  • Browser PKCS12

  • DigiCert Trust Assistant

  • Microsoft Autoenrollment

  • REST API

Notice

When using the Public Client Authentication (via CertCentral) template, the location-based Subject DN fields get automatically retrieved from your CertCentral account's validated organization details and added to the issued certificates.

Warning

Known limitation: This template only supports one Subject Distinguished Name field: the Common Name. Support for multiple OU fields will be included in a subsequent release.

Known issue: The SAN:rfc822name field is mandatory and an email value must be provided by end users or via the API; however, it is not currently included within the signed certificate.

Enhancements

Seat ID mappings

Enhanced the list of unique fields supported by the Seat ID Mapping dropdown in the profile creation wizard. The two new fields are:

  • User identifier

  • Pseudonym

Fixes

Duplicate certificate issue

Resolved issue that prevented the successful signing of duplicate certificates with profiles configured with Subject Distinguished Name (SDN) optional fields set as 'multi-value' when the certificate request did not contain the matching 'multi-value' fields in the SDN.

Renewal issue

Resolved issue that prevented the renewal of certificates that contained a State (ST) field within the Subject Distinguished Name (SDN).

January 24, 2024

DigiCert® ONE version: 1.6665.5 | Trust Lifecycle Manager: 1.2446.0

Enhancements

CertCentral connectors: default import frequency updated to 24 hours

Updated the default certificate import frequency for CertCentral connectors to 24 hours (from 15 minutes previously). You can still change it to any desired value, as before.

Managed automation for Microsoft CA can now add first SAN as the CN in certificates

DigiCert agent-based automation flows now support adding the first SAN as the CN in certificates issued via Microsoft CA.

To enable this, use the Windows Server certutil command to update the Microsoft CA configuration to allow override of the CN in certificates, as follows:

certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT

Restart the Microsoft CA service after running this command for the change to take effect.

January 18, 2024

DigiCert® ONE version: 1.6665.4 | Trust Lifecycle Manager: 1.2428.0

Fixes

Issue with "Next" button when configuring custom extensions

Resolved issue where the Next button was disabled when configuring custom extensions in a certificate profile.

Renewal issues

Resolved some issues with not being able to renew certificates.

January 17, 2024

DigiCert® ONE version: 1.6665.3 | Trust Lifecycle Manager: 1.2424.0

Enhancements

Certificate import REST API

Updated the Inventory controller certificate-import REST API endpoint to support the equal (=) symbol as part of the Subject DN Common Name (CN) field.

January 10, 2024

DigiCert® ONE version: 1.6665.2 | Trust Lifecycle Manager: 1.2402.0

New

Optional overconsumption of seats/certificates

Added a new "overconsumption" feature that allows for the overconsumption of seats and certificate issuance from business units in Trust Lifecycle Manager. DigiCert ONE system administrators can enable this feature from the Account Manager application.

Sensor release v3.8.64

New DigiCert sensor release with the following updates:

  • Stability enhancements.

  • Bug fixes for A10 load balancer.

Enhancements

LDAP searches by email address

Enhanced the LDAP service to support searching certificates (via an LDAP client) using email addresses contained within the SAN:rfc822Name extension.

Custom labels for multiple fields

Added support for custom labels when configuring a certificate profile with a field (for example, OU) that has the Multiple checkbox selected. This allows each individual instance of the field to show a different custom label in public-facing pages, in multiple languages if required.

Updates to "Generic Device Certificate" template

Added support for the “Non repudiation” key usage and SAN:userPrincipalName (UPN) extensions to the Generic Device Certificate template.

eIDAS templates

Updated the eIDAS Natural and Legal Person templates to support a wider set of key usage combinations, following ETSI guidelines.

Honor CA Manager allowlist settings for 3rd-party ACME enrollment

Profiles created from the CA Manager Private Server Certificate template now apply the CA Manager domain and IP address allowlist to the 3rd-party ACME client enrollment method as well.

Lifecycle actions for certificates enrolled via "Admin web request"

Added lifecycle actions for certificates originally enrolled through the admin web request workflow. This allows administrators to renew or reissue these certificates from their Inventory views.

Fixes

Public S/MIME profile issue when using CertCentral in Europe

Resolved issue with not being able to create certificate profiles from the Public S/MIME Secure Email (via CertCentral) template on DigiCert ONE instances hosted in the Netherlands and Switzerland that use the European CertCentral platform.