Trust Lifecycle Manager

Added a new DigiCert Trust Assistant post-processing script enabling the automated publication of a user's X.509 certificate to the userCertificate attribute within the Active Directory.

You can enable the post-processing script for S/MIME certificate templates:

In this release, we expose the internal validation checks required for the Outlook post-processing script to successfully configure Outlook with the installed certificate.

Internal validation checks:

Resolved the Certificate Policy OID validation issue with the five eIDAS templates.

Removed the list of renewal checkboxes within the revocation email template configured within a profile.

Removed the internal profile fields appearing on public-facing pages (for example, we removed the key usage field).

In the latest sensor release, v3.8.63, we fixed the bug in sensor version v3.8.62, restricting agents from using the sensor as a proxy.

When deleting the Azure Key vault connector (and other connectors), the CC connector is no longer marked as Action needed.

Added support for the Ansible ACME Client in the TLM-ACME server.

New feature that allows authorized profile administrators to configure a list of FQDN and IP addresses that are allowed to be included within private server certificate requests and checked against a profile-based ‘allowed list’ before issuance. Certificate request fields that will be checked are:

The list of FQDNs/IPs within the profile can be modified at any time.

Supported template for this feature: Generic Private Server Certificate.

New powerful feature that allows authorized administrators to configure private certificates with custom extensions, defined as a JSON structure inside the Advanced profile wizard step for the three ‘generic’ certificate templates:

Values for the private custom extension can be sourced from all the standard application sources based on the profile’s enrollment method, with the exception of “Microsoft Autoenrollment”, which will be supported in a future release.

For details see: Issue private certificates with custom extensions

Enhanced workflows that allow administrators to customize automation using hooks at various steps of the automation flow.

For more details see: Agent scripts

Profile enhancement that allows an authorized administrator to set multiple key sizes using checkboxes in a single profile, without the need to create separate profiles per key size. This feature is supported for profiles configured with any of the below enrollment methods for most templates, where a user (or a client) can now submit a CSR using any of the allowed key sizes set within the profile:

Extended the "Action needed" functionality to show a profile in this state when the enrollment method associated with the profile is no longer enabled on the account.

Support for a new action for certificates inside a renewal window, allowing an authorized administrator to manually send the renewal email by clicking on the "Resend renewal email" action available from the Inventory page

Support for the Microsoft Autoenrollment enrollment method using the DigiCert AutoEnrollment Server to silently issue Public S/MIME sponsor-validated certificates using a profile created from the Public S/MIME Secure Email (via CertCentral) template.

Support for the Security Identifier (SID) extension (OID - 1.3.6.1.4.1.311.25.2), which Windows uses for authentication (e.g. Windows Logon). Users can manually enter the SID in the user interface or read automatically from an Active Directory attribute using the new DigiCert Autoenrollment Server release (v2.23.2.0), available for download from Resources > Client tools.

The following templates support the SID extension for all enrollment methods:

Trust Lifecycle Manager now automates the certificate request workflow for administrators allowing them to request certificates to be delivered to one or more Azure Key Vaults from within their Trust Lifecycle Manager account.

Enhancements to the “Private S/MIME Secure Email” template to support:

Enhancement to only allow Dual Admin Approvals and Dual Admin Key Recovery options to be enabled in the profile wizard if at least 2 authorized administrators exist in the account.

Extending the support of the post-processing script for Outlook (Windows only) when using a SafeNet eToken (5100, 5110), in addition to previously supported key stores (OS keystore and the DigiCert Software Keystore). This feature continues to be available for the below templates:

Fixed a typo in the Country label for Kuwait, shown on web pages that require a Country field to be selected by an end-user.

Support discovery of certificates from Tenable. We’ve introduced:

TLM Plugin Manager framework

Starting November 1, 2023, at 18:00 MDT (November 2, 2023, at 00:00 UTC), we will require all DigiCert ONE accounts to use two-factor authentication (2FA).

You will use both your credentials and a one-time password to access your account. When you log in to your DigiCert ONE account on November 1, you will be prompted to set up two-factor authentication. If you have already enabled two-factor authentication in Account Manager before this date, no further action is necessary.

How to enable two-factor authentication in Account Manager.

New Grace period option for the “Renewal options” section that allows the addition of the days before expiration to the renewed certificates. If not selected, the renewed certificate takes a strict validity period based on the “Certificate expired in” value.

For example, for a profile configured with the grace period, if renewing a 365-day certificate 20 days before its expiration, the renewed certificate will have a validity period of 385 days. If the option was disabled, the renewed certificate only has a validity period of 365 days.

Ability to create a deployable package with an encrypted API-KEY that can then be distributed using any available tools like GPO push, Ansible, PS Exec, etc. and triggered such that the agent provisions to the account and is ready for automation.

Enhanced the CA vendor dashboard widget to support clicking on the “Others” sector of the graph to redirect to the Inventory page with a filter of all other CA vendor values.

This new certificate template named Public S/MIME Secure Email using CMP (via CertCentral) allows issuance of Public S/MIME sponsor-validated certificates via CertCentral using the Certificate Management Protocol (CMP), is mainly consumed by our Email Gateway service providers.

The template is tagged as “limited”, meaning that a is not available for all accounts. If required, contact an administrator with appropriate access to assign templates to accounts.

Updated the Public S/MIME Secure Email (via CertCentral) template to support:

Added two new variables to the Certificate Renewal Reminder email template:

Fixed an issue with profiles configured with the “Browser PKCS12” enrollment method and using a self-signed Issuing/Root CA, with the include Root CA in the delivery format option, not including the Root CA in the PKCS12 response file.

Resolved an issued with GET profile API response not delivering the profiles bound to the account.

New PQC vulnerable certificate filter that shows whether a certificate within the Inventory (“All certificates” system view) is vulnerable to post-quantum cryptography attacks.

This new seat API endpoint (GET /mpki/api/v1/seat) that allows the retrieval of paginated list of seats based on multiple filtering parameters:

Resolved issue with showing the new onboarding/overview page when visiting the Mange > Profiles page even though there are profiles available on the account. The issue was related to retrieving the first profile in the account as “Inactive”, hence the page thinking there are no profiles available on the account and showing the new onboarding page.

A new set of overview pages, which are displayed when no data is available on a page, provides users:

This is particularly important for users who are onboarding onto the platform for the first time.

A new icon is also displayed next to the page’s title. This icon provides access to the same overview page anytime after the product has been used and data has already been created.

Pages that implement the new overview functionality are:

Support for a new Extension called Legal Entity Identification (LEI), defined in ISO 17442, for the “Generic User Certificate” template.

Discover certificates using the AWS private CA connectors configured in TLM. Admins can either enable discovery when adding a new connector or updating existing ones for discovery. Once enabled, the connector discovers and imports certificates across all the roots configured in the target AWS account.

Enable cipher discovery when setting up a network scan. This allows you to find all the ciphers configured on the system in addition to the handshake cipher information collected.

When enabled, view this cipher information under the certificate details section categorized by protocol and flagged when found to be weak.

Add tags when creating a new profile. Manage tags for a profile. Any certificate issued from that profile inherits the tags assigned to the profile.

Upload roots or ICAs to TLM discovery Trust store such that:

Set of enhancements to the Dashboard:

With CertCentral implementing 2-factor authentication, we are limiting the options for linking TLM to CertCentral such that:

Updated the X509 and PKCS7 download button labels in public-facing web pages to show more user-friendly labels:

Renamed the Certificates page to the Inventory page since DigiCert​​®​​ Trust Lifecycle Manager manages more than just certificates. It is a single ‘book of record’ / inventory page from where you can view and manage all its assets, for example unsecured IPs and ports.

The new Inventory page includes an enhanced views dropdown list and a new collapsible Quick Taskbar, available from the right side of the Inventory page with quick access icons to:

Support for RSASSA-PSS certificate renewals via DigiCert Trust Assistant.

Extended support for additional fields/aliases within the SAN:directoryName and IAN:directoryName extensions:

Fixed issue with not being able to download a user certificate for profiles configured with Browser PKCS12/Enrollment Code methods, which occurs under some specific ‘caching’ circumstances.

Support for issuance of Public S/MIME Legacy sponsor-validated certificate types conformant with the new S/MIME Baseline Requirements making use of the new template called Public S/MIME Secure Email (via CertCentral).

The supported enrollment method for this initial release is: REST API. Web-based enrollment methods will be supported in a future release.

European Trusted Service Providers who are compliant with eIDAS can now issue EU Qualified Certificates to natural and legal persons for the purposes of supporting digital signatures, peer entity authentication, data authentication, and data confidentiality, in accordance with EU Regulation No. 910/2014 [i.9], and ETSI EN 319 412-5 [i.7] for requirements relating to QCStatements.

Two new templates (eIDAS Electronic Signature and Electronic Seal) have been created to support these use cases. The templates are bound to the user seat type and tagged as Limited, meaning that only system administrators with appropriate permissions can explicitly assign them to accounts that require these types of certificates:

DigiCert Trust Assistant now supports the new RSASSA-PSS signing algorithm.

Relaxed the SubjectDN Country field validation rules. Certificates imported into the Trust Lifecycle Manager application via the “certificate-import” API now allow any 2-letter country code.

Issuance of new certificates will continue to be restricted to ISO-compliant country codes.

A new system view available from the Certificates page shows which certificates will be expiring in the next 30 days, and shows the remaining days until expiration in a new table field called “Expiring in (days)”. Users can filter the data further to show expiring certificates by seat type.

Updated the template to set the “Server authentication” Extended Key Usage (EKU) as default.

Updated all email templates to use the Seat ID value instead of User Full Name.

Moved the Link PKI Platform 8 functionality from Settings to Integrations → Connectors to locate it alongside other CA connectors.

For accounts that have no configured connectors, the Add connector page will show when the user selects the Connectors link under Integrations in the left navigation bar.

For certificates discovered or issued using Certificate Lifecycle workflows:

Resolved issue with Seat Usage widget in the dashboard, which was only showing data against all business units and not respecting the business unit selector at the top of the page. Customers using only one business unit would not have noticed the issue.

Updated the Public S/MIME Secure Email (via PKI Platform 8) profile wizard to support the new Legacy generation Sponsor-validated certificate type, as defined in the new CAB Forum S/MIME Baseline Requirements standard.

You need a PKI Platform 8 account and validated email domains to issue Sponsor-validated certificates.

For details about the changes, refer to the Trust Lifecycle Manager section in this knowledgebase article.

Added REST API endpoints to:

Resolved an issue with web-based enrollments associated to a Private S/MIME profile present under very narrow conditions.

For CertCentral orders using third-party ACME methods, when the order goes into reissue pending state for any reason, subsequent requests were returning a “Bad Request” error. This has been updated to return an ACME compliant error.

Removed additional parameter options from Microsoft CA connector as they are not used for connector configurations.

On August 15, 2023, DigiCert upgraded our support plans to provide a better, more customizable experience. These improved plans are scalable and backed by our technical experts to ensure your success.

New plans:

For more details about what these plans include, see the DigiCert Support Plans and DigiCert Support: Enabling Your Success.

How does this affect me?

To show our appreciation, DigiCert has upgraded all existing customers to either Business or Premium support plans for a limited time at no additional charge. See our August 15 change log entry.

How the limited-time upgrade works:

Resolved issue with the certificate renewal job not getting completed in a timely fashion.

Resolved issue with blank page appearing when creating a profile from the “Public S/MIME Secure Email (via PKI Platform 8)” template.

Resolved an issue where not all seat types were being automatically allocated to the Default Business Unit.

Added support for choosing a different business unit or issuing CA when cloning a profile. Previously, both fields were locked and could not be modified when cloning a profile. Now, if you have access to additional business units and issuing CAs, you will be able to select them before saving the newly cloned profile.

Intune revocation scheduler job will now run hourly instead of every 3 hours.

Starting from this release, if a template supports the Subject DN Common name field, it will be automatically added to the profile wizard’s second step by default.

The previous Private S/MIME Secure Email template implementation blocked users from modifying the Key Usages extension. Now, both the Digital signature and Key encipherment fields are optional, and account administrators can configure signing-only and/or encryption-only certificates.

Fixed an error where the Refresh configuration action was sending a notification stating that the F5 server cannot be reached. This notification will no longer be triggered.

Fixed an issue that was preventing admins from automating virtual IPs that had no profile. Admins can now automate these IPs.

With this release, administrators can configure and run one or more network scans in Trust Lifecycle Manager:

Allows users to get a new certificate from a different profile when their default automation action is set to reissue or renew.

Allows users to select one or more profiles to check their status and refresh the profile from profile list page.

Relaxed the validation rules for the Tenant Name field in profiles created from Intune templates to allow domain values that are different to just using the default onmicrosoft.com domains.

Removed the Enrollment code report link under the main Reporting and auditing menu option.

Resolved issue with Intune certificate enrollments failing. They now proceed as expected.

Resolved issue with CertCentral profiles showing an “Action needed” status. This now only displays when expected.

Authorized account administrators can now schedule custom Certificate and Enrollment reports to be generated at different intervals:

When creating or editing a profile, users can specify replacements for the default Subject DN and SAN labels with custom labels in multiple languages. Example: The “Common name” field could be customized to show: “Please enter your full name:” (for English), and similar text in other supported languages if set within the profile.

Updated the "Private S/MIME Secure Email" template to support RSA 3072-bit key sizes.

Updated the SAN Directory Name extension functionality, available when creating a profile from a Generic User Certificate template, to support:

Here is a sample SAN Directory Name value using all currently supported tags:

C=US,O=DigiCert,OU=myOU-1,OU=myOU-2,ST=Utha,L=Lehi,GIVENNAME=John M,SURNAME=Doe,TITLE=Product Manager,SERIALNUMBER=00001,ORGID=123456,DESC=my description 1,DESC=my description 2,DC=DigiCert,DC=com

Enhanced the certificate recovery flow for profiles configured with the Cloud Key Escrow option, to include 3 new email templates that can be customized:

When approving/rejecting a second admin recovery operation, the administrator can optionally send a message to the user with the reason for the rejection, or extra information when approving the recovery. The message will also be saved as an internal note for auditing purposes.

Enhanced the profile wizard logic for the first step (“Primary option”) to show warning messages when required enrollment methods are not available on the account. To show these, contact your administrator to ensure your account has the required feature enabled.

Removed the bulk action button placed outside the table in favor of functionality inside the table, to make it consistent with the Certificates List page.

Updated the default Trust Lifecycle Logo included in all email templates.

Fixed issue where SeatID and SeatName variables were omitted from the Certificate Enrollment Status Change email template.

Fixed error displayed in the Enrollments List page caused by enrollments associated with a deleted profile.

Discovery and synchronization actions using CertCentral accounts do not go through the proxy right now, although certificate issuance does.

New suspend and resume email templates have been added. Authorized administrators can configure them when creating/editing a profile from any of the three Generic templates (User/Device/Server).

For profiles configured with the Manual approval authentication method, we now capture the name of the administrator who approves or rejects a certificate request within the internal notes displayed on the enrollment details page.

Fixed a code issue affecting multiple customers where CertCentral CA public server profiles were incorrectly labeled Action needed.

Added support for issuance of user certificates using a Microsoft CA as the issuer with Microsoft certificate templates, which are selected when creating a profile from the new Microsoft CA User Certificate template and will prepopulate most of the profile wizard settings based on the Microsoft template configuration. Customers will still be able to control the SubjectDN and SAN fields to be used when signing the certificate, which will be added to the CSR that is sent to Microsoft CA for signing via the DigiCert MSCA Connector.

Prerequisites: Similar to the already available Microsoft CA support for private certificates, this solution also requires the configuration of a sensor and a Microsoft CA Connector, available under the Integrations menu option.

The Microsoft CA User Certificate template supports the below user enrollment/authentication methods (flows):

Also added support for these certificate lifecycle operations using a Microsoft CA as the signer/issuer:

For more details, see instructions.

On-premises DigiCert ONE customers can now configure their platform with proxy settings to send all outgoing traffic from the Trust Lifecycle Manager application. Both anonymous and authenticated proxy servers are supported. Check documentation for details on how to configure your DigiCert ONE cluster.

This release introduces AWS Private CA as a supported CA to issue and manage certificates using the following enrollment methods:

A new AWS Private CA connector is available to be configured with the user's AWS account. A new AWS CA Private Server Certificate can be configured to issue certificates from one of the AWS private CA roots.

Added ability for users to choose between US and EU CertCentral environments when configuring CertCentral connector.

Added the ability to synchronize revocation status for certificates revoked directly from Microsoft CA outside of Trust Lifecycle Manager.

A new column Enrollment method is added to all certificate views as an additional column.

A new REST API method is available in CertCentral profiles to use with the /mpki/api/v1/certificate API endpoint.

Extended the management of seats in bulk via the upload of a CSV file, supporting bulk update and deletion of Import seat types.

Enhancements to the Extensive Health Check API endpoint (GET {{host}}/mpki/api/v1/health/extensive) to report back on the status of more services and all scheduled jobs for the Trust Lifecycle Manager application.

With this release, we are consolidating sensor connections and connectors in Trust Lifecycle Manager.

All existing sensor connections will show in connectors list page (ensure you have the connectors feature turned on for your account). New connections can be added using the Add Connector flow. All existing references to "sensor connections" will be updated to "connectors" in dashboard, notifications, lifecycle workflow, etc.

Linux sensor installation will now not default to CertCentral but instead prompt the user to check if it should be provisioned to Trust Lifecycle Manager.

Users can now use local names and IP addresses with ACME clients and agents when supported by the client.

Discovery and synchronization actions using CertCentral accounts do not go through the proxy right now, although certificate issuance does.

Improved performance on audit logs page:

Added support for single-host values for the DNS server field (e.g. localhost, my-server) in public-facing and admin enrollment pages.

This fix removes dependency of "CA manager private server certificate" on CertCentral connector, allowing users to use this profile even if CertCentral connector is not present.

Slow audit logs when filtering via Seat ID or Seat GUID for accounts with a very large number of audit log records.

The custom report generation feature has been extended to support the generation of CSV custom reports from the Enrollments page.

Account owners with appropriate reporting permission can create up to 10 Enrollment CSV-based reports to be generated offline/asynchronously and be available for 30 days after creation.

Users can select the Create custom report button, available on the Enrollments page under the Create report icon above the table. The reporting wizard appears to guide you through report creation.

When a report is ready, the user who created it will receive an email.

All created/custom reports are available from the new Report library page inside the Report & Auditing menu option, where you can:

For more details visit Report library (advanced custom reporting).

For the three Generic templates (User/Device/Server), you now have the ability to select Edwards hashedEd25519 curves (key types) for enrollment methods that support such key type:

The seat creation page and API now allow for the creation of “Certificate management” seats individually or in bulk, via the upload of a CSV file. Note that you must have the automation feature enabled on your account.

Migrated the deprecated Intune Azure AD Graph API to use the supported Microsoft Graph API.

Enhancements to the Certificate List page to improve the performance of initial page loading, as well as the searching/filtering responses for the various filters on the table. In order to achieve the performance improvements, we will:

Enhanced the certificate-search API endpoint to support an extra query parameter called enrollment_id, which allows a certificate to be retrieved based on its unique Enrollment ID.

The format of the certificate will depend on the Certificate Delivery format the profile is configured with. Also, the enrollment_id value is returned from the manual-enrollment API response, against profiles configured with the “Manual approval” authentication method.

Fixed an issue where the business unit filter was not working for the unassigned filter value

Fixed an issue where add/edit tags for certificates were not working in All certificate and managed automation views.

Fixed an issue where certificate renewals failed when configuring a profile with 1 year instead of 365 days.

Fixed an issue where he subject title for custom email templates under the “Email and notifications” configuration section in the profile wizard is not showing the dynamic email template variables.

Fixed issue causing IIS automation to fail.

Fixed issue causing a new installation of Sensor v3.8.59 to downgrade current installation and corrupt additional Sensor installation attempts.

Fixed an issue causing enrollment approval to fail when a profile was configured with the manual approval authentication method and fixed fields set in the Subject DN field.

The DigiCert Trust Assistant license file has been removed from within the application and added to the overall platform license. No changes for DigiCert-hosted platforms.

Updates to the Japanese certificate installation instructions web page to make them more accurate and user-friendly.

From this release, Trust Lifecycle Manager will support automatic sensor updates for Windows and Linux sensors.

Users will have the option to set upgrades to manual for one or more sensors. They will be prompted to update whenever an upgrade is available.

Introduced a new email confirmation template. This email template can be enabled and customized when configuring a profile with the “Manual approval” authentication method, where users can option all receive an email confirmation after successfully submitting a certificate enrollment request.

Bulk enrollments action for Enrollments page are now inside the table instead of at the bottom of the page.

Dynamically show the correct log events based on the resource type.

Fixed an issue where CertCentral profiles were set to “Action Needed” even though there was no configuration problem.

The Account Manager application will expose a set of features for the Trust Lifecycle Manager application and can be enabled/disabled per account, enforced by Trust Lifecycle Manager. This is particularly meant to help DigiCert ONE on-premises customers. Features include:

Updated seat creation logic for automation methods (ACME, sensor, agent) to create seats per website (i.e., combination of unique CN+IP+Port) for both server and certificate management seats.

DigiCert Trust Assistant now supports selecting the YubiKey slot where keys are to be created when configuring a profile with the YubiKey hardware token.

The SCEP GetCACaps response now supports the SHA-384 hashing algorithm. Use this URL to check the response: https://one.digicert.com/mpki/api/v1/scep/cgi-bin/pkiclient.exe?operation=GetCACaps

New REST API PUT status endpoint to change the status of enrollment requests from pending to either approve or reject, for enrollments linked to profiles configured with the "Manual approval" authentication flow. See Trust Lifecycle Manager REST API reference.

Connectors are now a separate feature in Account Manager (separated from automation) and can be enabled or disabled for a given account.

Downloaded agents are now preconfigured with the correct environment information (US vs NL, etc.) so that installation can proceed without configuration changes.

Fixed an issue where users were unable to revoke an MSCA issued certificate from the UI.

Fixed an issue where sensor versions were not resolving in Windows and Linux sensors.

Fixed an issue where users were unable to update the heartbeat of an active sensor if the sensor was not assigned to a business unit.

Fixed an issue that was preventing refresh configuration for sensor connections.

For profiles configured with the Manual approval authentication method, you can upload a file with specific instructions that a user can follow when installing a certificate. Examples are: configuring a WiFi or VPN client, configuring Outlook, or accessing a certificate-protected web resource.

Users can download the file from the certificate confirmation and installation web pages.

Added a column to certificate views to filter data by connector name.

Split the first section of fields (certificate, automation, and other fields) into three sections:

Support for new fields to be added as part of the custom certificate report wizard:

Support for an optional seat email address when creating or editing server or device seats via the UI interface.

For large data coming in from Microsoft CA and other plugins, the sensor now supports breaking the upload into smaller chunks so that it can be uploaded via customer proxies. You can configure the chunk size on the sensor.

New Sensor version 3.8.57 released with multiple enhancements and fixes:

Users now have the option to choose 1-day validity for certificates issued from CA Manager for the following enrollment methods:

The column selector on certificate views now shows available options in one or more columns to improve usability.

Fixed performance issues with the Source column. This column is now reintroduced to all certificate views.

Added support for a new token type, DigiCert Software KeyStore, when configuring a profile with the DigiCert Trust Assistant enrollment method. This allows keys and certificates to be protected on the user’s machine within a proprietary software keystore with a user personal identification number (PIN).

A user must initialize DigiCert Software KeyStore after installing the DigiCert Key Store Provider (KSP) using elevated user permissions, e.g. local administrator Windows account.

Added an action to the business unit (BU) list page that allows a BU to be deleted after all profiles and seats bound to that BU are deleted.

Administrators can now automate domain validated (DV) certificate lifecycle operations using the Trust Lifecycle Manager agent.

Replaced a link in the “Overview” section of the Client tools - DigiCert Autoenrollment Server page with a link to DigiCert documentation: https://docs.digicert.com/en/digicert-one/trust-lifecycle-manager/autoenrollment-server.html

Resolved an issue where users were unable to approve certificate requests bound to profiles configured with “Manual approval” authentication method and dual-admin approval flow.

Resolved an issue with slow certificate enrollments for accounts with large amounts of data, which was caused by a reliant database table being locked for writing.

This page allows users to set account level options for the following:

Added sensor details page that will allow users to:

Added agent lifecycle notifications for:

With this release, agents have been enhanced to detect the application version during the initial discovery task. This application type and version will automatically be configured in the UI. Users will have an option to change these settings from the agent details page if needed.

Some third-party ACME clients have an issue where not all error messages are shown on the client CLI. As a workaround for this limitation, TLM has started logging ACME errors in audit logs.

Connectors are currently not supported on Windows and Linux sensors. To use MS CA and Qualys connectors, use the latest Docker sensor.

Trust Lifecycle Manager now supports issuing certificates from the customer's Microsoft CA.

To enable Microsoft CA support, users must install DigiCert Microsoft CA remoting service and DigiCert Sensor. Once configured, to import and issue certificates in Trust Lifecycle Manager, add one Microsoft CA connection for each internally hosted Microsoft CA.

Added a new Microsoft CA private server certificate profile template to create profiles with these enrollment methods: 

Learn more about Microsoft CA integration.Link to Microsoft

Added support for a new Qualys connector to import certificate data discovered using Qualys scans. Imported data is available on the Trust Lifecycle Manager certificates page in line with data from other sources. This data can be used to manage notification and alerting, automated lifecycle management, and perform other tasks.

Learn more about Qualys integration.

Trust Lifecycle Manager now supports automation of the following web servers:

Administrators can install an agent on the target server to facilitate automation flows, similar to that for sensors. Existing profiles have been updated to add a new "agent" enrollment method. You can download agents from the TLM resource page. After installation, agents are managed from the new Agent section in Trust Lifecycle Manager.

Learn more about agent-based automation.

A new custom report generation feature allows account owners with appropriate reporting permission to create up to 10 reports to be generated offline/asynchronously and be available for 30 days after creation.

Users can select the Create custom report button, available on the Certificates page under the Create report icon above the table. The reporting wizard appears to guide you through report creation.

When a report is generated, an email is sent to the user who created the report.

All created/custom reports are available from the new Report library page inside the Report & Auditing menu option, where you can:

Learn more about custom report generation.

Enhanced public-facing pages for enrollments making use of enrollment codes for authentication. These pages now show the number of failed authentication attempts as well as the maximum number of attempts allowed by the profile before locking the enrollment.

Added two new options to the certificate status field:

Added separate view, create, and manage permissions for connector pages.

Trust Lifecycle Manager administrators can now install the DigiCert Sensor on Windows or Linux machines.

Resolved issue with some email templates not being displayed for profiles configured with the SAML IdP authentication method with the Enforce manual approval checkbox enabled.

Resolved issue when uploading certificates from an external system bound to an imported seat type. After suspending the certificate via the UI, the certificate status in Trust Lifecycle Manager was correct (showing a status of Suspended), but the revocation request to CA Manager was not submitted, causing the status to be shown as Valid and validation services not reflecting the correct status.

Added new actions available from the enrollments page, for enrollments linked to a profile configured with an enrollment code authentication method. This allows an authorized administrator to:

Also added a configuration option for profiles configured with the enrollment code authentication method, to set the maximum number of incorrect enrollment code authentication attempts before locking.

For profiles configured from the “Generic Private Server” template, added an Auto-copy from SAN: dnsName checkbox for the Subject DN - Common Name field. This automatically copies the value into the dnsName field, regardless of whether this field is configured in the profile or not.

If a profile is configured with a dnsName field and a certificate request already contains one or multiple dnsName values, the Common Name value will appear automatically at the top of the list.

Customers with unmanaged or imported seat licenses can configure a certificate expiration email to be sent before the uploaded certificate expires. This configuration page is now available under the Settings - Uploaded certificates expiration menu, and will be visible only when an account has been allocated with Unmanaged and/or Imported seats/licenses.

For third-party ACME client-based flows, we added a new parameter option for the client to explicitly ask Trust Lifecycle Manager to issue a new certificate from CertCentral irrespective of the status of the previous certificate. This allows users to enforce a re-enrollment in addition to the already available options to renew, reissue, or get a duplicate certificate.

Sample ACME URL: https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=enroll

Resolved an issue with renewal emails not being sent to end users. We have introduced a 30-second timeout period for the hourly job that takes care of sending renewal email reminders, when not receiving a response from the SMTP server responsible for sending the email.

Resolved issue with not being able to upload unmanaged and imported certificates using a two-digit Subject DN country value in lowercase. We now support the upload of country values as case-insensitive values.

Support for three new X.509 certificate extensions, which users can configure in the profile wizard:

For profiles configured with the “Manual approval” authentication method, you can use the new manual-enrollment API endpoint to submit a certificate request via API and drop it into the queues for authorized administrators to review and manually approve it or reject it.

Once a request has been manually approved, the user will receive an email with instructions on how to download the certificate via the currently supported web-based enrollment methods: CSR, Browser PKCS12, and DigiCert Trust Assistant.

Enables a profile, with the SAML IdP authentication method, to be configured with a SAML single logout URL. This allows an end user to click on a Single Logout link displayed on the public-facing enrollment pages, which forces the logout of all connected SAML sessions on both the Service Provider and the Identity Provider.

DigiCert Trust Assistant support for the issuance of public S/MIME certificates (escrowed or non-escrowed, depending on the profile configuration) from PKI Platform 8 accounts, using the following authentication methods:

Added a Seat type filter to the Profile List page to allow profiles to be filtered by a seat type.

Enhanced the “Valid to” filter inside the Certificates list page to support three new filters, in addition to searching between a date range:

Enabled the Browser PKCS12 enrollment method and associated authentication methods, which are Manual approval, Enrollment code, and SAML IdP.

Resolved a known issue that incorrectly showed the “Create custom report” button on the Certificates, Enrollments, and Seats List pages

Resolved an issue with Certificate and Seat consumption chart widgets within the Dashboard not displaying the correct data.

Resolved issues with errors being displayed on the Certificates and Enrollments pages after the Issuing CA had been unassigned from an account. When the issue occurs on the Certificates page, a Not resolved label now appears in the Issuing CA column.

Added new subject DN field, Organization identifier (OID - 2.5.4.97), to the Generic User Certificate template.

Fixed an error that occurred when using the API to import a certificate.

Fixed an error where the instant reporting button failed to download data.

On the Certificates page, the "Create report" dropdown menu shows an option to "Create custom report," but nothing happens when this is selected. This feature will be implemented in a future release; the button was displayed erroneously.

Translations added for all languages.

Fixed an issue where users were not able to see the page for editing connector details.

Fixed an issue where users were not able to create a CA Manager profile.

Cross-browser and cross-platform client for certificate provisioning and management on software keystores and hardware tokens. This initial release delivers:

The client is available as a new Enrollment Method for the Generic User Certificate template, and supports the following Authentication methods:

Check the Administration and User guides for more information:

A new source column and filter are added to views. Source is defined by how the certificate was discovered (API Discovery, CA connector etc).

Ability to configure a SCEP-enabled profile with a global enrollment code that will be used to automatically issue certificates via SCEP to unregistered devices, without the need to previously create a Seat or an Enrollment.

For the UniqueIdentifier field:

The internal MariaDB version was upgraded and qualified to use 10.6.11. This is of particular interest to DigiCert ONE on-premises customers.

Use IP address in place of domain names for private certificate issuance.

Added the template use cases and description to the initial page when creating or editing a profile.

Updated the breadcrumbs for all the pages under the “Manage” menu item to reflect the correct navigational structure. Approval/rejection emails sent to administrators for profiles configured with the “Manual approval” flow now contain a URL with the word “manage” in the patch.

Updated the DigiCert Autoenrollment Server to version 2.23.1.0 with the below enhancements:

Enhancement to only display the allowed country list with their 2-letter ISO country codes as part of dropdown lists within various application locations:

For all data tables including certificate views, if there is no data for a given row, a hyphen is shown to represent “no data”.

Add validation based on CertCentral product settings for wildcard products and products when they support SANs.

The sensor copyright version changed to 2023.

Removed auto-refresh for all views except Managed Automation view. Streamlined refresh to be inline for the grid alone instead of refreshing the whole page. Auto-refresh preserves user state and ongoing actions.

Fixed deep links from the dashboard graphs to sensor, sensor connections, managed automation, and other pages to filter and align to the data shown in the graphs.

Resolved a miss-configuration issue with the Device Authentication for Microsoft Intune (SCEP) template auto-copying the Common Name value to the DNS Server field and causing errors with CA Manager.

Resolved a connection issue against the Hello API endpoint that was introduced after last month's rebranding.

Resolved issue with not being able to revoke certificates associated with the Imported seat type, which were uploaded to an account via their certificate-import API endpoint.

Key pair generations using ECDSA NIST p-521 curves on Windows and macOS keystores fail with a csr_signature_failed error. Smaller curve sizes work successfully (p-256 and p-384).

Updated all references to Enterprise PKI Manager to reflect the product’s new name: Trust Lifecycle Manager.

Rebranded the Enterprise PKI Manager application to Trust Lifecycle Manager. Assets that have been rebranded include:

Additionally, the “EPKI” certificate view has been removed from the default system views. Customers can make use of the “All Certificate” system view to filter the same certificate data and create their own custom views.

The new Public S/MIME Secure Email (via PKI Platform 8) certificate profile template leverages DigiCert PKI Platform 8 to issue public S/MIME RSA email signing and encryption certificates linked to a user seat.

Certificate requests can be enrolled and authenticated by these methods:

To learn more about this feature, see Public S/MIME Secure Email (via PKI Platform 8) template.

Issue DV certificates on sensor connections managed using certificate lifecycle automation. Create DNS integrations that allow sensors to fulfill DCV challenges to issue DV certificates to appliances and cloud providers.

In case of compromise or account consolidation, select more than one certificate to renew or reissue certificates in bulk.

With this release we are introducing the TLM connectors framework. This framework will help drive integrations in the future.

A new CertCentral connector is being added to:

With introduction of connectors the “Link to CertCentral” feature is rolled into the CertCentral Connector.

Customers can now perform domain control validation (DCV) for pre-validated OV/EV organization Public TLS certificates from CertCentral using ACME.

With this release, clients can demonstrate domain control using either DNS (ACME DNS.01) or HTTP (ACME HTTP.01) methods for their OV/EV requests. This option is only available when other organization and extended validations are already completed.

TLM ACME server is no longer creating challenge requests for prevalidated domains during ACME flows.

This will simplify client-side workflows where a dummy validation needs to be hosted by the client. This in turn means that:

Most appliances such as F5 and Citrix ADC require that an organization be specified when creating a CSR during automation. CA Manager - Private Server has been enhanced to accept an organization that can be used for such automation workflows.

Fixed an issue with the creation of automation certificate profiles.