Trust Lifecycle Manager

Certificate profiles for private issuing CAs in DigiCert ONE now offer a checkbox under expiration options to set the certificate start and end times to full UTC days (that is, from 00:00:00 UTC to 23:59:59 UTC) instead of using the actual issue time. This feature benefits customers with services across different time zones and those using Intune services.

The User identifier field is now included in the Subject DN for the Generic Device Certificate template.

Resolved issue about a JSON-based internal service error message that appears when the user's SAML identity provider (IdP) delivers a failed authorization assertion to the DigiCert SAML service provider (SP). The authorization failure response now displays a more user-friendly error message on the authenticated self-service portal.

Authorized users can now quickly edit the agent, sensor, and network scan names from their respective list and details pages.

ServiceNow app version 1.5.0 released for Trust Lifecycle Manager, which adds support for issuance of private certificates from a Microsoft CA using certificate profiles created from one of the following base templates and configured for one of the supported enrollment/authentication method combinations:

With this release, the following base templates now also support the CSR enrollment method with Manual Approval authentication for use with the ServiceNow app:

For more information, see the ServiceNow integration guide.

For CertCentral certificate profiles configured with the CSR, REST API, or SCEP enrollment method, you can now select one or multiple key sizes to allow when requesting a certificate.

Resolved issue with SANs been ignored in the final certificate when entered as comma-separated values using the Admin web request enrollment method.

Resolved issue with ACME-based issuance failing due to thumbprint conflict when certificate is present from a different source.

Resolved issue with not being able to submit and store internal notes on the enrollment details page, for certificate profiles configured with the SAML IdP authentication method that have the "Enforce manual approval flow" checkbox enabled.

Resolved the following known issues reported in the previous release:

From this release, authorized administrators can configure allowed self-service operations per certificate profile instead of being account-wide operations for all profiles with the self-service portal option enabled. Available operations:

In addition, as part of the announced initiative in the previous release to improve the navigation and usability of the product, the Self-service portal menu option has been moved under the Account > Settings page.

You can now configure profiles from the Microsoft CA User Certificate base template using the REST API enrollment method and associated 3rd Party app authentication method to issue user certificates from your Microsoft CA. You can also invoke certificate management operations such as revocation.

The CertCentral Public Server Certificate template has now been qualified to support the SCEP enrollment method, allowing servers to enroll and renew public TLS server certificates using SCEP (Simple Certificate Enrollment Protocol).

New optional customer-defined field allows administrators to add a user-friendly profile description (maximum 256 characters) when creating or editing a certificate profile. The profile description is displayed as an optional column on the Inventory page, and is also visible to end users from the self-service portal.

Resolved issue with certificate profiles configured with optional Subject DN attributes using values sourced from a SAML assertion, where the enrollment process failed due to an error stating a required value was not present.

The discovery service does not find post-quantum cryptography (PQC) certificates on RHEL 7.x systems. As a workaround, upgrade to RHEL 8.x on these systems.

Added support for delivering certificates to servers with the DigiCert ACME agent. This feature extends the Admin web request enrollment method, available for Azure KeyVault and AWS ACM, supporting certificate formats: x.509, p7b, PKCS12, and Java Keystore (JKS). Access this feature via the updated Admin web request flow on the Enrollments page.

Extended network discovery capabilities to include PQC certificates. New and existing scans can now identify PQC certificates on the network, viewable on the Inventory page.

Enabled DigiCert One Login for CertCentral connector, allowing users to add new connectors using One Login authentication. Existing authentication methods remain available for users not on One Login.

Added support for integrating Trust Lifecycle Manager with Puppet environments. Documentation and sample scripts for using Trust Lifecycle Manager certificates in Puppet are available under the Integrations > Connectors > Add connector.

This update includes a streamlined navigation interface, intuitive menu structure, and enhanced accessibility, making it easier than ever to find what you need.

Newly redesigned Settings page, crafted to enhance usability and provide a more intuitive user experience.

Enhanced the profile wizard to allow configuring a fixed prefix for OU fields. This feature is available for all three Generic templates. By selectin the Entered by user with prefix source field, the prefix is added to dynamically created OU values with a dash.

For example, a profile with a prefix “Department” and an API-submitted OU value “Sales” will issue a certificate with “Department - Sales” in the OU field.

Extended quick edit feature to allow authorized users to edit Seat names using the Seat List and Seat Details pages.

Extended support for selecting data types (BitString or PrintableString) for the Unique Identifier SDN field in Generic Device Certificate and Generic User Certificate templates. Existing profiles continue as-is, with new options available by reconfiguring the field.

Fixed issue where certificates weren’t issued when SAN attributes like RFC822name or DNS name were selected for Seat ID mapping with SCEP or EST enrollment methods.

Resolved issue where custom email templates weren’t retained when editing profiles.

Support for issuance of Adobe RSA or ECDSA certificates for individuals and organizations that chain up to root CAs recognized by the Adobe Approved Trust List (AATL) and used to digitally sign documents that are trusted by Adobe products (for example, PDF documents). The certificates get issued from your CertCentral account via a CertCentral CA connector configured in Trust Lifecycle Manager.

The following table shows the new base templates used to create certificate profiles for issuing the two types of Adobe AATL certificates, along with the supported enrollment and authentication methods for each template, the corresponding certificate product that must be enabled in your CertCentral account, and the root/intermediate CAs for each CertCentral region.

Support for issuance of Public S/MIME sponsor-validated non-escrow RSA certificates from CertCentral using SCEP as the provisioning protocol using certificate profiles created from the following base template.

Introduced a quick edit feature that allows authorized users to easily change the names of Business units and Connectors directly from their respective List and Details pages. To edit Business units, go to Manage > Business units. For Connectors, go to Integrations > Connectors.

Resolved issue with approval emails being sent out to all users in an account instead of only those users bound to the business unit linked to the certificate profile configured for manual approval.

Resolved an issue where Discovery and Imported certificates not bound to a profile were failing to push to ServiceNow CMDB.

Resolved issue where Microsoft CA discovery import failed when the CA name (CN of the Microsoft CA) had space characters.

Resolved an issue with the CertCentral Public Server Certificate profile when using a 4096 key size. The REST API enrollment failed a policy check because the profile's default private key size was set to 2048, causing a mismatch with the 4096 key size specified in the CSR.

Fixed agent-based certificate automation issue with install validation failing for the IIS web server on SNI sites.

Support for issuance and lifecycle operations (revoke, suspend/resume, or recover) of post-quantum cryptography (PQC) Falcon certificates with the below key sizes and signing algorithms, using certificate profiles created from any of the three "Generic" base templates or the Private S/MIME Secure Email template:

Issuance supports the following enrollment methods and associated authentication methods, depending on the base template used to create the certificate profile:

For more information and CSRs/keys for testing, see Issue PQC Falcon certificates.

With this release, Trust Lifecycle Manager introduces the ability to find certificates and cryptographic keys on host systems running the DigiCert agent.

Administrators can use system scans to search for:

When configuring system scans, administrators have the flexibility to:

Certificates discovered through system scans are available from the "All certificates" and "Discovery" views on the Inventory page. Keys are surfaced in the new "Keys" view.

For more information, see System scans.

Introducing the new AWS unified connector with this release. This new connector type allows users to:

AWS unified connectors can also be configured with account scope, to import and deliver certificates to a specific AWS account.

For more information, see Connect to a network appliance or cloud service.

The External Private CA template now supports the issuance and renewal of private CA certificates via the SCEP provisioning protocol for TLS inspection appliances that support SCEP.

For DigiCert ONE platform owners with the HTTP proxy functionality enabled, the ServiceNow connector in Trust Lifecycle Manager now routes outgoing traffic to ServiceNow via the configured HTTP proxy settings in the "global" section of the DigiCert ONE values file.

Profiles with the "Allow duplicate certificates" option enabled now support a maximum of 250 duplicate certificates. Existing profiles inherit this change without the need to create a new profile.

With this release, we are enhancing the existing Microsoft CA connector to remove the need for installing the MCARS software on the Microsoft CA server. The new connector design allows the DigiCert sensor to interact directly with the Microsoft CA server for discovery and management operations.

The new Microsoft CA connector requires a Windows-based DigiCert sensor. It cannot be configured using the Linux or Docker versions of the sensor.

For more information, see the Microsoft CA connector guide.

New DigiCert agent release adds support for:

Resolved issue with the Download AE config file button being disabled on the Profiles page when there are existing profiles with the Microsoft Autoenrollment enrollment method enabled.

Resolved issue with the Let's Encrypt CA connector not being able to issue certificates using the Cloudflare DNS service for domain validation.

With this release, Trust Lifecycle Manager is adding a new connector type to import certificates issued by the Entrust CA. The new Entrust discovery connector allows administrators to:

For more information, see Entrust discovery.

For customers who need to issue public client authentication certificates from CertCentral, you can now select a new "Authentication Only - Non-Repudiation" option in the certificate type dropdown list when creating a certificate profile from the Public Client Authentication (via CertCentral) base template.

Support for issuance and lifecycle operations (revoke, suspend/resume, or recover) of post-quantum cryptography (PQC) SPHINCS+ certificates with the below key sizes and signing algorithms, using certificate profiles created from any of the three "Generic" base templates or the Private S/MIME Secure Email template:

Issuance supports the following enrollment methods and associated authentication methods, depending on the base template used to create the certificate profile:

For more information and CSRs/keys for testing, see Issue PQC SPHINCS+ certificates.

The ServiceNow app for Trust Lifecycle Manager now supports issuance of public S/SMIME and client authentication certificates from Trust Lifecycle Manager certificate profiles created from the following base templates:

Issuing these certificate types requires minimum ServiceNow app version 1.4.0 released on June 26, 2024.

For more information, see the ServiceNow integration guide.

Updated the Device Authentication for Microsoft Intune (SCEP) template to support issuance of duplicate certificates (same Subject DN, but different keys and serial number) up to a maximum of 10 valid duplicate certificates.

New DigiCert sensor release with bug fixes to remove SOAP dependencies.

Private trust certificate profiles now allow for configuration of an Enhanced Key Usage (EKU) extension with custom OID values that will be added at the time of certificate signing by the DigiCert® CA Manager application.

This feature is only supported for private certificates. The custom EKU OID values cannot match any standard EKU OID value that is not allowed by the base certificate template.

Chef is a configuration management and IT automation tool.

With this release, we are providing guidance and documentation for how to use certificates from Trust Lifecycle Manager as part of a Chef recipe. Sample scripts and procedures for ACME and API-based integration are available from the Integrations > Connectors > Add connector page under the Infrastructure automation category.

For more information, see the Chef connector guide.

Added support for requesting Microsoft CA certificates via the Trust Lifecycle Manager REST API, using certificate profiles created from the Microsoft CA Private Server Certificate base template and configured with the REST API enrollment method.

The certificate details page now shows revocation data (date/time and revocation reason) for certificates that have been revoked.

New DigiCert agent release with the following updates:

When adding a new connector, the F5 BIG-IP LTM connector type now supports the ability to:

From this release, all audit log events inside the Audit logs page show a new Check data integrity action that will check the integrity of the log entry. Manually triggering the action will deliver three possible responses:

Updated the CertCentral Public Server Certificate template to support a web-based CSR enrollment method that can be authenticated using the below authentication methods:

For certificate profiles created from the Public S/MIME Secure Email (via CertCentral) template and configured with the non-escrow option, you can now get the issued certificates in either X.509 or PKCS#7 format by selecting it in the Certificate delivery format section of the profile wizard.

New API unauthenticated endpoint (GET /mpki/api/v1/version) to retrieve the Trust Lifecycle Manager application version. The current application version is also displayed at the top of the API documentation.

Enhanced the certificate import API endpoint (POST /mpki/api/v1/certificate-import) to support multiple tags. The previous implementation only supported a single tag for each imported certificate. From this release, tags can be assigned as a single string value (for backward compatibility) or an array of string values.

Added contextual help for add and edit connector flows to guide users about prerequisites, installation, and configuration steps.

Extended the following DNS integrations to support automated domain control validation for Let's Encrypt CA connectors:

New DigiCert sensor release with enhancements and fixes to support new sensor-based integrations.

New DigiCert agent release with fixes and SNI script support.

Resolved issue with User seats being created with an appended timestamp for public S/MIME certificates issued from profiles based on the Public S/MIME Secure Email using CMP (via CertCentral) certificate template.

Resolved issue with incorrect validity period when renewing a certificate via REST API, provided the validity period in the profile was modified before submitting the renewal request.

Resolved issue with the expiration graph in the Dashboard page not showing data for Discovery certificates not yet bound to a business unit.

Resolved issue with duplicate certificates not being issued via the SCEP enrollment flow.

Resolved public S/MIME synchronization issue with PKI Platform 8. Resolved issue with using Seat GUID instead of Seat ID.

Resolved issue with not being able to suspend certificates that were bound to an Imported seat type.

With this release, the Azure Key Vault connector type allows users to configure how certificates should be delivered to the vault using the following options:

For users enrolling for certificates via the iOS-iPadOS enrollment method, an error message will now be displayed on the Apple device if using a non-Safari web browser.

Updated the API documentation for the POST profile API endpoint to include the IDs for the three supported "Generic" certificate templates that can be used to create profiles with this API endpoint.

Resolved issue with not being able to revoke a public S/MIME certificate issued from CertCentral.

Resolved issue with not being able to issue duplicate device certificates via the SCEP protocol. A new certificate was being issued instead.

Support for issuance and lifecycle operations (revoke, suspend/resume, or recover) of post-quantum cryptography (PQC) Dilithium certificates with the below key sizes and signing algorithms, using certificate profiles created from any of the three "Generic" base templates or the Private S/MIME Secure Email template:

Issuance supports the following enrollment methods and associated authentication methods, depending on the base template used to create the certificate profile:

For more information and CSRs/keys for testing, see Issue PQC Dilithium certificates.

New iOS enrollment method to support a web-based solution for direct provisioning of certificates to Apple iOS/iPadOS devices without the need to deploy a full-scale MDM/UEM solution.

For the initial release, administrators can specify the Web Authentication use case, which triggers the installation of a digitally signed .mobileConfig file on the target Apple device. Subsequent releases will support additional use cases including VPN, WiFi, and ActiveSync.

For more information, see Configure iOS/iPadOS enrollment via SCEP.

New integration supports pushing and synchronizing certificates to the ServiceNow configuration management database (CMDB) via two different methods that can be enabled by account administrators:

The CMDB integration features require minimum version 1.3.0 of the ServiceNow app for Trust Lifecycle Manager.

For more information, see the ServiceNow integration guide.

The self-service portal now allows users to perform lifecycle management actions on certificates they own after authenticating against their SAML identity provider (IdP). Authentication relies on a unique email address being sent by the SAML IdP to DigiCert’s SAML service provider and used to search for certificates that contain that email address in the SDN:email or SAN:rfc822Name fields.

Account administrators can configure the lifecycle actions that end users are allowed to perform on their certificates. Depending on the type of certificate, available actions may include:

To be visible, certificates must be issued from a profile with the self-service portal option enabled and one of the following enrollment methods:

In addition, authenticated users can enroll their own certificates and pick up an approved certificate from the self-service portal for web-based profiles that have the self-service portal feature enabled and one of the following authentication methods:

Authorized administrators with the SSP manager role can configure the self-service portal from the Trust Lifecycle Manager Settings menu, where they can enable/disable either the open or authenticated self-service portal, manage the allowed actions for the authenticated portal, and get the portal URLs and QR codes to share with end users.

New POST profile REST API endpoint allows for creation of certificate profiles from the "Generic" base templates and configured for the REST API enrollment method and 3rd Party app authentication method.

For details, see the API endpoint documentation.

DigiCert Trust Assistant v1.1.5 has been formally qualified with both macOS Ventura and Sonoma releases.

SaltStalk is a configuration management and orchestration tool. With this release, we are providing guidance and documentation for how to use certificates from Trust Lifecycle Manager as part of a Salt automation script. Sample scripts for ACME and API-based integration are available from the Integrations > Connectors > Add connector page under the Infrastructure automation category.

For more information, see the SaltStack connector guide.

Ansible is a suite of software tools that enables infrastructure as code. It is open-source and includes software provisioning, configuration management, and application deployment functionalities.

With this release, we are providing guidance and documentation for how to use certificates from Trust Lifecycle Manager as part of an Ansible playbook. A sample playbook and instructions for including it in your Ansible projects are available from the Integrations > Connectors > Add connector page under the Infrastructure automation category.

For more information, see the Ansible connector guide.

DevOps administrators can now integrate their Kubernetes workloads to be configured with mTLS for certificates for pod-to-pod communication using Istio and cert-manager. Trust Lifecycle Manager integrates with cert-manager over ACME to issue private certificates from DigiCert® CA Manager for automated service mesh configuration via Istio.

To support this integration, administrators can create a certificate profile from the new CA Manager Private mTLS Certificate base template. A sample configuration file and instructions for enabling the integration are available from the Integrations > Connectors > Add connector page under the Infrastructure automation category.

For more information, see the Istio connector guide.

As part of this release, we introduced the ability for administrators to define notification policies for discovered certificates. Any newly discovered certificates matching the user-defined criteria will trigger a notification. To select certificates to notify about, administrators can apply boolean operators against a list of options including the:

Administrators can clone the default discovery notification template to define specific criteria, recipients, and email content. They also have an option to combine multiple events in one email. This allows users to configure multiple polices to identify exceptions. The above criteria are also extended to existing expiry notices for discovered certificates from the following notification templates:

Certificate profiles created from the Public S/MIME Secure Email (via CertCentral) base template now allow configuration of the “Allow duplicate certificates” option. Previously, the option was set to “Yes” and could not be disabled.

From this release, we extend support for the Issuer Alternative Name (IAN) extension to the following web-based enrollment flows:

From this release, we support the following SAML service provider (SP) enhancements for profiles configured with the SAML IdP authentication method and the new SAML-authenticated self-service portal.

Signing options

Two new SAML service provider signing options are displayed for profiles configured with the SAML IdP authentication method:

The default configuration has both options checked, but they can be unchecked. However, not every SAML IdP vendor supports receiving unsigned SAML assertions and responses from service providers. If in doubt, check with your SAML IdP vendor before configuring these options.

Generate new SAML Service Provider certificate

A new Generate new SAML SP certificate button is displayed on the profile details SAML configuration options section. This button can be used at any time to generate a new DigiCert SAML service provider (SP) certificate and view its expiration period. When selected, a warning message prompts the user for confirmation before revoking the current SP certificate and issuing a new one.

For profiles configured with the SAML IdP authentication methods, the profile will go into Action needed state when the SAML SP certificate expires. To restore the profile to active status, use the new Generate new SAML SP certificate function to get a new certificate.

Enhanced the custom certificate CSV reports with three new fields, under two of the sections:

Other extensions

Subject Alternative Name (SAN) extension

Enhanced the Custom extensions section in the profile wizard (used by the "Generic" templates) to deliver a better user experience and only show the details of the custom extension section if a user selects the new Add custom extensions button.

Resolved an issue with encrypted emails not being able to be decrypted via the DigiCert Trust Assistant client, for which version 1.1.6 is required.

Resolved regression bug with incorrectly showing an authentication method that is not supported by the Public S/MIME Secure Email using CMP (via CertCentral) limited template.

Resolved an issue with not being able to create new profiles based on the Public Client Authentication (via CertCentral) template.

Resolved an issue with showing stale data in the seat and certificate usage graphs on the Dashboard page.

New Uploaded certificates expiration email notification template that can be used to send renewal email reminders for certificates uploaded into Trust Lifecycle Manager from an external system using the REST API or DigiCert Certificate Import Tool (available upon request). The renewal reminder gets triggered at configurable notice windows based on "tags" applied to the uploaded certificates.

This new notification replaces the functionality previously available from the Settings > Uploaded certificates expiration page for customers with Imported or Discovery seats.

For more information, see Configure custom email notifications for certificate expiration.

Added SHA3 support for the following certificate templates and enrollment methods:

New options to enable key vault discovery when adding or editing an Azure Key Vault connector in Trust Lifecycle Manager. This feature allows users to discover certificates in one or more key vaults associated with the connector. When enabled, users can:

New option in the Inventory view to remove certificate from a key vault. Administrators can access this option from the actions (three dots) menu for certificates present in a key vault.

Administrators can now revoke certificates issued via Let's Encrypt CA connectors. Certificates can be revoked via:

Ability to preview the content of a certificate as you work though the profile wizard steps, including the entire CA hierarchy that will be used to sign the certificate, for certificate profiles that use issuing CAs hosted in the DigiCert® CA Manager application.

New EST authentication options available for all three "Generic" certificate templates (Generic Device, Generic Private Server, and Generic User):

Resolved issue with not being able to create certificate profiles from the Public S/MIME templates.

Addressed a problem where users were unable to add a new CertCentral connector using username and password credentials. This update restores the functionality, allowing for seamless CertCentral connector configurations.

Resolved certificate lifecycle automation issue with Apache Tomcat on Windows.

New DigiCert sensor release with the following updates:

Optimized certificate lifecycle workflow actions on the Inventory page:

Streamlined the SAML-based web enrollment flows to bypass the “Create enrollment” step if no user input is required and the “Cloud Key Escrow” option is disabled in the profile. This streamlined SAML enrollment flow only presents a single page ("Install certificate").

If the “Cloud Key Escrow” option is enabled in the profile (e.g. for S/MIME use-cases) we will continue to show an intermediate page with a warning to the user alerting about the private key being escrowed in the cloud, hence not bypassing this page. We renamed this page from "Create enrollment" to "Enrollment request" and the button from "Create" to "Submit".

Profiles configured with the Enrollment code authentication method now have access to an additional email template that can be enabled in the Email configuration and notifications section of the profile to notify end users when their enrollment status changes from "created" to "rejected", "expired", or "redeemed". We renamed this notification type from "Enrollment status is either rejected or expired" to Enrollment status change (rejected, expired, redeemed).

Resolved issue with the Inventory page not loading properly when encountering certificate profiles that had been deleted.

Resolved issue with incorrect certificate delivery format for profiles configured from the Public S/MIME Secure Email (via CertCentral) template using the "REST API" enrollment method and with the “Cloud Key Escrow” option disabled (i.e. non-escrow).

Resolved issue with the SCEP service no longer accepting SCEP requests containing a “/” character at the end of the "pkiclient.exe" resource inside the URL (e.g. "https://one.digicert.com/mpki/api/v1/scep/<profile-guid>/cgi-bin/pkiclient.exe/?operation=GetCACert").

Resolved issue with sensor list not getting updated to agents when a sensor is added or removed. This fix ensures that proxied agents have the latest sensor list available for failover scenarios.

Resolved issue with being unable to edit a "start now" network scan to use the "schedule for later" option instead.

Added support for more than one CertCentral CA connector:

For more information, see DigiCert CertCentral.

Resolved issue with issuing duplicate certificates for public products when passing the orderid in the request URL.

Resolved issue with not being able to create profiles from the "Generic" and "Private S/MIME" certificate templates due to the enrollment method dropdown being disabled.

New public-facing web portal allows end users to search for and download certificates associated with profiles for which the Self-service portal option has been enabled by an authorized administrator.

Profiles configured with the following web-based enrollment methods support this new self-service option:

Authorized administrators can use the Account > Self-service portal menu function to enable or disable access to the self-service portal and get the portal URL or QR code to share with end users.

The self-service portal can also inherit custom branding configured via the Account > Settings > Branding menu function.

For more information, see Self-service portal.

New DigiCert sensor release with the following updates:

Updated the DigiCert Autoenrollment Server to version 2.24.2.0 with the following enhancements:

For more information, see the DigiCert Autoenrollment Server guide.DigiCert Autoenrollment Server

Enhanced the REST API certificate-import endpoint and the DigiCert Import Tool (available from your DigiCert representative upon request) to support uploading end-entity escrowed certificates (PKCS#12 files with their passwords) into a specified business unit, with or without their issuing CA being previously loaded and configured into your account.

Uploaded certificates get automatically bound to one of the below seat types based on whether the issuing CA is available in your account or not:

For more information, see Import externally issued certificates using the API.

Added support for the Organization Identifier and Organization Unit Subject Distinguished Name (DN) fields to the following two eIDAS Natural Person certificate templates:

For profiles configured to use a self-signed issuing CA, we enhanced the Additional options: Certificate delivery format step in the profile configuration wizard to dynamically hide the Include CA chain with Root CA and Include CA chain without Root CA PKCS#7 options.

Enhanced error messaging to show errors and recommended solutions to help users quickly remediate and retry issues with certificate lifecycle automations managed via DigiCert agents.

Added support for issuing duplicate certificates from CertCentral during automation events, by selecting the new "get duplicate certificate" option when scheduling the automation. If selected, the request is passed on to CertCentral and the CA there will issue a duplicate if a matching certificate is found. If no match is found, a new order gets created instead.

This feature must be enabled on a per-account basis and is available for certificate profiles configured with the following enrollment methods:

Resolved issue with SCEP-based cloned profiles not retaining all the SCEP configuration.

Resolved the issue with not being able to generate scheduled certificate reports.

Resolved an issue with signing certificates with an empty value inside the Issuer Alternative Name (IAN) extension, for certificate profiles configured from templates that support this extension.

Released ServiceNow Trust Lifecycle Manager app version 1.2.1 to support Washington version.

This release also resolves the issue with DigiCert email notifications getting sent out when creating approvals for any source table.

For more details, check the app listing in the ServiceNow Store.

Enhanced the Public Client Authentication (via CertCentral) template to support a new CertCentral product type called Client Authentication Email Subject:

This release also resolves the known issue raised in the previous release related to the SAN:rfc822Name value not being included within the signed certificate.

Enhanced the Audit logs to support certificate lifecycle operations carried over from the CMP protocol using existing audit log resources and event types from the Public S/MIME Secure Email using CMP (via CertCentral) template ("Limited" scope).

Resolved regression issue that prevented the renewal of certificates that contained a State field within the Subject Distinguished Name (DN).

Resolved issue with not being able to include the Issuer Alternative Name (IAN) extension in signed certificates.

Added support for issuance of public TLS certificates from the Let's Encrypt CA using the following enrollment methods:

Added a new certificate template (Let's Encrypt Public Server Certificate), a new Let's Encrypt connector, and a new Sensor release (v3.8.65) to support automation flows for Let's Encrypt certificates.

To learn more, see Let's Encrypt.

Extended our branding capabilities, allowing further customization of public-facing enrollment pages with different color themes based on the following configurable items:

An enhanced preview functionality is also available to show the look and feel after applying the theme configuration.

Configure this new feature from the Settings > Branding > Theme selection page.

Resolved an issue with certificates not being issued when using the Public S/MIME Secure Email using CMP (via CertCentral) template.

Resolved an issue that prevented certificate issuance when the REST API-based certificate profiles were set with a mix of fixed and dynamic Subject DN fields.

Resolved an issue with CertCentral CA connectors impacting sensor-based automation flows.

New set of certificate templates available to support integration with Citrix Federated Authentication Service (FAS) for issuance of private authentication certificates onto virtual machines via the DigiCert Autoenrollment Server (version 2.24.1.0 required).

The integration requires three certificate profiles in Trust Lifecycle Manager, one each created from the three new templates:

For details about how to set up the integration, see Citrix FAS.

Support for cloud key escrow and recovery of end-user public S/MIME sponsor-validated certificates issued from CertCentral using the existing Public S/MIME Secure Email (via CertCentral) template, for these enrollment methods:

Key recovery can be initiated by authorized administrators or API users with the Trust Lifecycle Manager "Recovery manager" role enabled. Certificate profiles can be configured to force a dual-admin recovery flow, where two account administrators (or API users) are required to complete the recovery of an end-user escrowed certificate.

Support for issuance of public client authentication certificates issued from a CertCentral-shared issuing CA that chains up to a trusted root CA, using the new Public Client Authentication (via CertCentral) template in Trust Lifecycle Manager. This template consumes CertCentral certificate units from the "Authentication Plus" product type and supports the following enrollment methods and their associated authentication methods:

Enhanced the list of unique fields supported by the Seat ID Mapping dropdown in the profile creation wizard. The two new fields are:

Resolved issue that prevented the successful signing of duplicate certificates with profiles configured with Subject Distinguished Name (SDN) optional fields set as 'multi-value' when the certificate request did not contain the matching 'multi-value' fields in the SDN.

Resolved issue that prevented the renewal of certificates that contained a State (ST) field within the Subject Distinguished Name (SDN).

Updated the default certificate import frequency for CertCentral connectors to 24 hours (from 15 minutes previously). You can still change it to any desired value, as before.

DigiCert agent-based automation flows now support adding the first SAN as the CN in certificates issued via Microsoft CA.

To enable this, use the Windows Server certutil command to update the Microsoft CA configuration to allow override of the CN in certificates, as follows:

certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT

Restart the Microsoft CA service after making this command for changes to take effect.

Resolved issue where the Next button was disabled when configuring custom extensions in a certificate profile.

Resolved some issues with not being able to renew certificates.

Updated the Inventory controller certificate-import REST API endpoint to support the equal (=) symbol as part of the Subject DN Common Name (CN) field.

Added a new "overconsumption" feature that allows for the overconsumption of seats and certificate issuance from business units in Trust Lifecycle Manager. DigiCert ONE system administrators can enable this feature from the Account Manager application.

New DigiCert sensor release with the following updates:

Enhanced the LDAP service to support searching certificates (via an LDAP client) using email addresses contained within the SAN:rfc822Name extension.

Added support for custom labels when configuring a certificate profile with a field (for example, OU) that has a multiple checkbox set. This allows each individual field to show a different custom label in public-facing pages, in multiple languages if required.

Added support for the “Non repudiation” key usage and SAN:userPrincipalName (UPN) extensions to the Generic Device Certificate template.

Updated the eIDAS Natural and Legal Person templates to support a wider set of key usage combinations, following ETSI guidelines.

Extended the ability to allowlist domains and IP addresses for the 3rd-party ACME client enrollment method from the CA Manager Private Server Certificate template.

Added lifecycle actions for certificates originally enrolled through the admin web request workflow. This allows administrators to renew or reissue these certificates from their Inventory views.

Resolved issue with not being able to create certificate profiles from the Public S/MIME Secure Email (via CertCentral) template, for DigiCert ONE in Netherlands and Switzerland using the European CertCentral platform.