Release notes

This release adds native support for ACME in DigiCert Private CA, enabling automated certificate enrollment and lifecycle operations for devices and infrastructure systems. ACME supports certificate enrollment, and revocation. The protocol support is built directly into the Private CA stack, ensuring seamless interoperability with existing CA hierarchies, HSMs, and certificate policies. This allows organizations to deploy and automate certificate workflows across diverse enterprise, network, and IoT environments without additional components or configuration overhead.

Revocation capabilities have been enhanced to support the "cACompromise" reason code for end entity (EE) certificates. Previously limited to CA certificates, this revocation reason is now available for EE certificates as well. As part of this update, the applicable EE revocation endpoints have been updated, and the user interface now enables users to revoke EE certificates using the “cACompromise” reason code.

The OCSP responder certificate workflow now lets you specify a custom Common Name (CN) when generating an OCSP responder CSR. Previously, the responder CN was automatically derived from the issuing CA’s CN, which often led to confusion—especially when the CA name was exactly 64 characters and produced identical responder names. This enhancement enables clearer identification and more reliable management of OCSP responder certificates.

DigiCert® Private CA has introduced End-Entity (EE) Certificate Inventory for it On-Prem variant, giving users a centralized, scalable, and intuitive way to manage issued certificates.

DigiCert Private CA now enables administrators to revoke intermediate CA certificates directly through the On-Prem CA user interface. Administrators can initiate revocation by selecting a reason (for example, key compromise, cessation of operation) and completing a dual-admin approval process. The UI clearly displays the CA being revoked along with the effective date. Once revoked, the system automatically updates the revocation status in both the UI and API responses and logs the action for audit purposes, ensuring secure and compliant lifecycle management.

The OCSP certificate generation process has been enhanced by relaxing key size validation for CSRs. This enhancement allows users to create new OCSP requests even when the responder key is larger than the signing CA key, ensuring smoother certificate renewals and better compatibility with legacy Root CAs.

LDAP support for CRLDPs has been enhanced to improve compatibility and reliability. URLs are now properly encoded to handle spaces, commas, and backslashes, and Private CA correctly includes the ;binary suffix where required. These changes align with legacy behavior and ensure consistent operation across older systems.

The profile list page has been updated to improve clarity around template identification. Previously, TemplateIDs were displayed in hexadecimal, which could be confusing for users. Going forward, TemplateIDs are mapped to descriptive, user-friendly names, making it easier to understand and identify profiles at a glance.

Resolved an issue with email notifications in On-Prem Private CA. The expiring certificate email template has been corrected to align with the intended design. Additionally, the system now correctly sends notifications according to all configured frequency settings for End-Entity certificates, ensuring users receive timely alerts for upcoming expirations.

Resolved an issue with end-entity certificate creation where only UTF8String was supported for custom extensions. Private CA now supports BMPString in addition to UTF8String, providing greater flexibility when defining custom certificate fields.

This release introduces enhancements to profile logic to provide a more consistent and secure user experience. These improvements ensure that profile behavior now dynamically adapts based on:

These updates streamline the profile experience, reduce configuration errors, and ensure that users see only the features intended for their role and environment.

Resolved an issue that caused OCSP validation to fail when certificates were imported with improperly formatted serial numbers. Previously, some imported serials included leading zeros, which were stored without trimming. During OCSP validation, the ASN.1 decoder correctly normalized these values, resulting in mismatches and unauthorized responses. The import process has now been updated to properly trim and normalize serial numbers before they are added to the database, ensuring accurate OCSP lookups and consistent validation behavior.

Added support for additional Subject DN attributes and certificate extensions from incoming EST and SCEP requests.

Fixed an issue that caused errors when certificates were issued directly from a root CA during protocol-based enrollment.

This release adds native support for SCEP, EST, and CMPv2 in DigiCert Private CA, enabling automated certificate enrollment and lifecycle operations for devices and infrastructure systems. CMPv2 now fully supports certificate enrollment, renewal, and revocation. EST and SCEP support enrollment and renewal, with revocation available via API or UI. Protocol support is built directly into the Private CA stack, ensuring seamless interoperability with existing CA hierarchies, HSMs, and certificate policies. This allows organizations to deploy and automate certificate workflows across diverse enterprise, network, and IoT environments without additional components or configuration overhead.

For more information, see Enrollment protocols.

This release includes support for LDAP-based CRL Distribution Points (CRLDPs) for private certificates, allowing organizations to reference externally hosted CRLs using LDAP URIs. This enhancement ensures standards-compliant LDAP CRL locations, simplifies entry by automatically handling LDAP URI formatting, and adds LDAP as a selectable scheme specifically for CRL URLs.

Issue

When importing a valid CRL blob, the operation could fail with the following misleading error message, even though the CRL was correctly signed by the issuing CA:

CRL is signed by another CA

Fix

CRL import validation logic in DigiCert Private CA has been updated, and users will no longer encounter this incorrect error message during CRL import.

This update enhances the maximum supported length for the Subject Distinguished Name (SDN) fields: unstructuredName and unstructuredAddress. The limit has been expanded from 40 to 255 characters.

This release includes improvements in user access management, aimed at enhancing control across key CA operations.

This release introduces support for email notifications in the On-Prem Private CA to improve visibility and enable proactive management of critical events. The system now sends alerts for certificate expirations, revocations, and upcoming license expiries, helping administrators and end users take timely action to maintain CA service integrity. Integration logic has also been enhanced to prevent duplicate alerts when the On-Prem Private CA is connected to external tools like DigiCert​​®​​ Trust Lifecycle Manager, ensuring a streamlined and coordinated notification experience.

This update addresses an issue in the Create CRL workflow where a CRL could be unintentionally uploaded after a warning message appeared, even without user confirmation. This behavior resulted in incorrect CRL configurations being stored and blocked subsequent uploads. The fix ensures CRLs are only created or uploaded after explicit user action, preventing unintended uploads and maintaining configuration accuracy.

This update resolves a Swagger schema validation error that occurred when accessing the DC1/CA Manager API documentation. The affected definitions have been corrected, restoring full access to the Swagger UI and ensuring accurate API documentation rendering.

This update fixes an issue that prevented users linked to multiple accounts from viewing OCSP Responder and AIA (Authority Information Access) details on the CA details page. The issue occurred due to incorrect handling of the account context during API calls, which blocked the related CA data from appearing. With this release, users who have access to multiple accounts can now properly view all associated OCSP and AIA information for their assigned accounts.

This update resolves an issue where OCSP responders using externally issued responder certificates returned an Unauthorized (6) error to OCSP clients. The issue was caused by incorrect validation of externally signed responder certificates.

Customers on the new licensing model can now view a detailed breakdown of license usage directly in DigiCert® Private CA. Instead of only seeing a single total on Account > Licenses page, you can now see how Roots, ICAs, and different types of End-Entity (EE) certificates (including PQC) contribute to your overall usage. For each type, Private CA displays both the number of certificates issued and the units consumed, making it easier to understand and reconcile your license usage.

Improved display of Create and Import options in DigiCert Private CA based on user permissions. The Create button now appears when you have the appropriate CA creation permissions, while the Import button appears if you have either CA creation or key-linking permissions. These updates ensure that users only see the options relevant to their permissions, making the experience simpler and more consistent.

When using Safari, clicking Preview while generating a Root or Intermediate CA could mistakenly create a real certificate instead of just showing a preview of the certificate. This has now been fixed, and Safari users will see the correct preview behavior.

Added Microsoft test roots as public trusted roots of DigiCert® Private CA to support workflows for Microsoft Project.

DigiCert® Private CA now supports adding custom OIDs in the Subject Distinguished Name (DN) of EE certificates. Certificate requestors can supply values for these custom OIDs when requesting a certificate.

Key points

Issue

Certificate requests containing long DNS names in the Subject Alternative Name (SAN) field failed with the following error message:

{"status":"invalid_domain_name_underscore"}

While similar certificates had been issued successfully in the past, validation logic incorrectly blocked DNS names longer than 63 characters, despite their being valid under RFC standards.

Fix

DNS name validation in DigiCert Private CA has been updated to comply with RFC requirements. Certificates can now include DNS SANs up to 255 characters in total length, with each label (part) allowed up to 63 characters.

The Accounts column has been hidden from the Custom Templates list view for On-Prem CA. This simplifies the interface by ensuring that only relevant information is shown to On-Prem Private CA users.

Issue

The Private CA previously blocked the use of Zimbabwe’s country code, which prevented customers from issuing certificates with this value.

Fix

Updated the Private CA to allow Zimbabwe’s country code, enabling certificate issuance for entities in this region, subject to legal and compliance approvals.

Issue

In the Provider.loadPartition function, partition loading failed when the API Key name and Actor name did not match due to incorrect logic enforcing a name match.

Fix

The logic has been updated to correctly load partitions regardless of API Key and Actor name alignment, ensuring consistent partition access as supported by Crypto4A HSM.

Issue

When creating an Intermediate CA (ICA) with a PQC CSR (SLH-DSA or ML-DSA) using the Provide a CSR signed by your own CA option, the system previously populated the Allowed signature algorithms field with all available algorithms.

Fix

This has been fixed so that, for PQC ICAs, the Allowed signature algorithms field now contains only the single algorithm that matches the ICA key size, ensuring correct configuration.

This release adds improved scalability for CRL management by allowing automatic generation of sequenced CRL partitions for an Issuing Certificate Authority. New partitions are created based on user-defined thresholds, such as the number of issued certificates or the estimated size of the CRL file.

This release enhances traceability and operational visibility in CA Manager by adding previously missing actions. It closes existing gaps, enabling users to monitor and validate activities more effectively for compliance and audit needs.

This release addresses an issue where, after re-certifying the issuing root of an Intermediate CA (ICA) and subsequently re-certifying the ICA itself, the re-certified ICA incorrectly retained the issuer serial number from the original root certificate. With this fix, the re-certified ICA now correctly reflects the serial number of the updated (re-certified) root, ensuring accurate certificate chaining and improved trust path integrity.

Issue

Following the upgrade to Luna client version 10.9, CRL generation for Ed25519 keys started failing. This was due to a change in the key type identifier—Ed25519 now uses key type value 64 instead of the previous identifier (CKK_EC_EDWARDS).

Fix

Code has been updated to recognize and use key type 64 for Ed25519, restoring CRL generation functionality.

The on-premise DigiCert® Private CA now enforces license limits for the creation of Root and Intermediate CAs (ICAs), aligning with the enforcement model used in DigiCert DC1/CA Manager. License limits are embedded in the license payload and are validated during installation, updates, and CA creation. If a user attempts to create a CA beyond the licensed limit, the system blocks the operation and displays a clear, actionable error message.

The on-premise DigiCert® Private CA now extends HSM support to include:

A new certificate preview feature has been added to allow users to verify certificate content prior to signing. This preview certificate is returned for display, enabling users to review the final output before executing a real signing operation. The same preview capability remains available after signing as well.

With this release, On-Prem Private CA now allows OCSP responses to be served and the latest published CRL to remain accessible even after the license expires, enhancing the reliability of certificate validation. This implementation aligns On-Prem CA functionality with CA Manager, ensuring that validation services continue to operate for already issued certificates.

This implementation aligns On-Prem CA functionality with CA Manager, ensuring that validation services continue to operate for certificates that have already been issued.

The system now enforces automatic revocation of all prior CAs when a renewed (recertified) Private CA is revoked to strengthen certificate lifecycle consistency. This ensures that the entire CA chain is properly invalidated, reducing the risk of trust misconfiguration or misuse of older CA certificates.

This release introduces support for delegated OCSP responders to enhance flexibility in signing OCSP responses, particularly in environments where root and intermediate certificate authorities (ICA) are offline or where key protection requirements mandate delegation.

Resolved an issue that prevented recertification of CAs created using MLDSA and SLHDSA root templates. Users can now successfully recertify root and intermediate CAs based on these Post-Quantum algorithms using the Recertify option on the CA details page.

Resolved an issue where the Number of ICAs column in the Root CA list incorrectly displayed 0 for all Root CAs, despite each having associated Intermediate CAs. The correct ICA count now loads immediately without requiring the user to click into each Root CA.

With this release, the on-premise DigiCert® Private CA now supports Linux operating systems with 64-bit binaries on AMD64 architecture, in addition to traditional Kubernetes-based deployments. This offers greater flexibility for customers standardizing on Linux-based infrastructure. The core features and deployment models remain the same.

When issuing private trust certificates, DigiCert® Private CA now supports Subject Alternative Name (SAN) entries of type dNSName that begin with an underscore (_).

Fixed an issue where the custom template editor failed to load in air-gapped on-premises environments due to external resource dependencies. All required files (for example, Monaco Editor) are now bundled locally, ensuring full offline functionality.

DigiCert Private CA now allows you to issue Elliptical Curve Cryptography (ECC) certificates with the KeyEncipherment and DataEncipherment key usages (KUs), enabling compatibility with third-party tools require the key usages.

"key_usage": {
  "critical": true,
  "skip_validation": true,
  "required_usages": {
    "ECC": [
      "digital_signature",
      "non_repudiation",
      "key_encipherment",
      "data_encipherment"
  }
}

The "signature algorithm" selection for template-based CRL creation under offline root or intermediate certificate authorities (CAs) is now restricted to match the issuer’s key algorithm to ensure cryptographic consistency. This change prevents misconfiguration by disallowing incompatible combinations, such as using a different ML-DSA variant than the CA’s key for CRL signing.

We updated the Multi-use AATL Signing ICA profile in Ceremony Manager to align with the latest specifications effective after May 1, 2025. Key changes include the following:

These updates ensure the profile adheres to revised compliance and usage requirements across AATL, Microsoft, and general signing use cases.

The audit log now captures CRL scope changes by recording both the previous and updated scope values (for example, “Partition” to “Complete”). This enhancement improves traceability and accountability, ensuring that any scope changes impacting certificate revocation visibility can be accurately audited and attributed.

Fixed an issue where the Organization Name field was not populated in the database when generating an Intermediate CA certificate CSR (certificate signing request) for offline signing. This bug caused sorting and display inconsistencies after the signed certificate was imported back. The Organization Name field is now correctly stored during CSR creation, ensuring consistent behavior across offline ICA workflows.

This release introduces support for Crypto4A hardware security modules (HSMs) within DigiCert® Private CA, enabling hardware-backed Post-Quantum Cryptography (PQC) starting with the finalized ML-DSA algorithm. The integration ensures production readiness for PQC use cases while maintaining a path for future algorithm expansion. It also adds certificate revocation list (CRL) support for PQC certificates issued via Crypto4A, reinforcing our commitment to secure, standards-compliant certificate lifecycle management.

Feature highlights:

With this release, we updated the CA Manager user interface (UI) to provide better visibility and management of Certificate Authorities by displaying the organization name derived from the CA certificate subject.

Enhancement features:

CA Manager now supports SubjectDN order configuration for Unmanaged CAs.

Enhancement features:

Why this SubjectDN change matters

Certain industry specifications and protocols require SubjectDN attributes to be encoded in a specific order. This update ensures compliance in such scenarios, reducing the risk of interoperability issues with consuming systems.

CA Manager now supports configurable Authority Key Identifier (AKI) extensions for Root and Intermediate CA (ICA) certificates.

Enhancement features:

With this release, we introduce support for deploying on-premise DigiCert® Private CA in Kubernetes using a Helm chart that includes MariaDB as a managed dependency, enabling streamlined, self-contained deployment without requiring external database configuration, reducing complexity, and improving portability.

Key features:

We resolved a limitation preventing custom Key Usages from being used when issuing Root or Intermediate CA certificates. Previously, certificate templates could not override default Key Usage values, restricting flexibility in configuring CA roles.

Enhancement features:

This release improves validation and error handling for CAs using post-quantum algorithms. The release includes enhanced messaging, better handling of unsupported configurations, and safeguards to prevent invalid setup during CA creation.

DigiCert Private CA now supports custom JSON-based certificate templates, enabling users to define, manage, and reuse certificate policies/configurations for Root, Intermediate CA (ICA), and End Entity certificates.

Custom template features:

In this release, we introduce Recertification for Certificate Authorities (ICAs or Roots), enabling seamless continuation of certificate issuance as CAs approach expiration. With Recertification, also referred to as Renewal in prior versions, we standardized the naming, using "recertify/recertification" across the system.

Recertification features:

Post recertification features:

Limitations:

Certificate Revocation List (CRL) now supports ML-DSA (Multi-Lattice Digital Signature Algorithm) certificates, enabling standards-compliant revocation handling for post-quantum certificates. You can now add ML-DSA certificates to CRLs, which are correctly signed using an approved ML-DSA algorithm and fully comply with RFC 5280, including proper DER encoding and structure. The crlDistributionPoints extension is also correctly populated in all ML-DSA certificates, ensuring compatibility with standard revocation-checking mechanisms.

Ceremony Manager (CM) now supports offline issuance of new End-Entity (EE) certificates specifically for the DigiCert Timestamping service, in compliance with the latest Baseline Requirements (BRS) mandating that the issuer private key be stored offline. Ceremony Manager includes a new EE profile named Timestamp Unit (TSU), enabling the creation of offline EE requests without relying on templates.

Additional enhancement features:

We added a new certificate listing endpoint for DigiCert® Private CA, designed to simplify and automate certificate management through enhanced filtering and scheduling capabilities.

Certificate listing endpoint features:

This update empowers seamless, policy-driven discovery and management through DigiCert ONE Trust Lifecycle Manager for on-premise DigiCert® Private CA environments.

As part of our ongoing commitment to evolving cryptographic standards, we're introducing the following updates related to Post-Quantum Cryptography:

These changes are part of our proactive approach to ensuring secure, standards-aligned cryptographic practices across all DigiCert CA platforms.

With this release, we added license expiry enforcement to the DigiCert Private CA system by validating the end_date specified in the license. Once the license expires, the application will restrict access, automatically shut down, and block any restart attempts. To maintain consistent behavior across time zones, license validation is based on Coordinated Universal Time (UTC). Any attempts to tamper with the license content will cause it to be rejected. This update ensures the system can only be accessed and operated with valid, time-limited licenses.

CA Manager now supports clients who bring their own Hardware Security Modules (HSMs) for dedicated key management. This release enables clients to continue using keys previously managed by other Certificate Authorities—such as for code signing—without rekeying or migration delays.

Key capabilities:

Current restrictions:

The Swagger API documentation is now integrated into the on-premise DigiCert® Private CA, improving visibility, usability, and developer experience.

Key Updates:

We've made several user interface (UI) improvements to streamline the ceremony creation experience, especially for externally hosted ICAs. These changes improve usability and reduce visual clutter in the workflow:

In DigiCert Private CA, when visiting the Root Certificate Authorities and Intermediate Certificate Authorities pages, you can now view the certificates Organization Name (O=) from the Subject Distinguished Name (SubjectDN). Before the update, you had to go to the Root or Intermediate CA certificate's details page to find this information.

We fixed an issue where navigating between related CA instances (for example, from an intermediate certificate authority (ICA) certificate to its parent Root CA or from a Root CA to a child ICA certificate) from the details page did not trigger a fetch request for Online Certificate Status Protocol (OCSP) responders. As a result, the details page incorrectly displayed OCSP responders from a previously opened CA instance.

Now, when opening a different CA instance, the application correctly sends a request to fetch the associated OCSP responders and displays the correct responders for the selected CA, if available.

The Digicert On-Prem CA has been upgraded to utilize the latest Common UI version 9 and ANTD version 5, incorporating breaking changes that required updates across the application.

A default signature algorithm is now pre-selected in the "Signature Algorithm" field across all OCSP responder generation paths.

Changes to note

Issue

After successfully importing an offline Intermediate CA (ICA) with the "Revocation Checking Only" option, the application incorrectly displayed the success message: "Root CA imported” instead of the correct message: "Intermediate CA imported".

Fix

The success message now correctly reflects the imported CA type, ensuring clarity and preventing confusion.

Summary

To improve operational visibility and prevent unexpected outages caused by full HSM partitions, we've added a new partition monitoring feature to the CA Manager GUI.

Enhancement details

To proactively monitor partition usage, the CA Manager GUI now includes a new capability for SafeNet HSMs:

This enhancement helps prevent downtime by enabling early detection of storage issues and allows the PKI OPS team to manage partition capacity more effectively.

Background

Both Chrome and Mozilla now mandate that Certificate Authorities issue publicly trusted TLS certificates from intermediates that are purpose-restricted to Server Authentication only. To support this policy shift, we've made the following adjustments to our default certificate profiles.

Summary

To align with updated root store policies from Chrome and Mozilla, we have updated default TLS certificate profiles to ensure compliance with the new requirement: TLS certificates must chain to a TLS-only hierarchy. These changes take effect for certificates issued starting March 15, 2025.

You can now issue external delegated OCSP responder certificates for use on external systems. These certificates are hosted outside DigiCert ONE, with clients responsible for routing and responding to OCSP requests.

We added user interface (UI) and API support, including a new request form, CSR upload option, and enhanced API documentation.

New Relic metrics in the sandbox environment now include SQL statements and connection types for better observability and performance analysis. The New Relic wrapped database driver is now conditionally loaded only when New Relic is specifically configured, preventing unnecessary dependencies and potential overhead.

Issue: The registeredID Subject Alternative Name (SAN) was encoded incorrectly as an ASCII string by CA Manager instead of a DER-encoded OBJECT IDENTIFIER (OID).

Fix: The encoding logic has been corrected to properly encode registeredID SANs as DER-encoded OIDs, ensuring compliance with RFC 5280 and interoperability with standards-compliant clients and applications.

Previously, when assigning a hardware security module (HSM) partition to a "Selected Account" via the frontend (FE), users were required to select at least one "Allowed Use" (New CA Keys, New OCSP Responder Keys, or Key Escrow). However, this restriction was not enforced when registering or editing a partition via the backend (BE) API.

Change

We aligned the backend behavior with the frontend by enforcing the "Allowed Uses" restriction when assigning an HSM partition to a "Selected Account" via the API. This change ensures consistent validation across both interfaces and prevents misconfigurations.

Impact

Now, API users must specify at least one "Allowed Use" when assigning an HSM partition to a "Selected Account."

The Digicert’s On-Prem CA will be a private Certificate Authority (CA) for secure and automated X.509 certificate management that provides full control over certificate issuance, lifecycle management, and security policies, ensuring compliance with enterprise security requirements.

Underscores are now supported in the SAN:dnsName files for private certificates.

RSA public exponents will support keys for the range 2¹⁶  < e < 2²⁵⁶ for private certificates.

As part of our ongoing security and compliance measures, we are going to push this change blocking OCSP responders that include the OCSP No-Check extension (id-pkix-ocsp-nocheck as defined in RFC 6960, Section 4.2.2.2) when marked as a critical extension. The OCSP No-Checkextension is designed to exempt OCSP responder certificates from revocation checking. While this may be necessary for long-lived OCSP responders, marking this extension as critical enforces the revocation bypass, potentially introducing security risks. Specifically, a compromised responder with this extension marked as critical could remain trusted indefinitely, undermining certificate validation mechanisms.

Impact:

To enhance performance and efficiency, a new caching module has been introduced to reduce database and HSM calls during certificate issuance.

A performance analysis of signing functionality with an escrowed key revealed frequent HSM lookups for the public key, causing inefficiencies. To optimize performance, the public key will now be cached alongside the signing key.

The update job polling cycle is now configurable, improving test automation and allowing users to disable caching if needed.

This release introduces an optimization to prevent the unnecessary generation of OCSP responder certificates when the OCSP responder’s valid_to is within 10 seconds of the CA certificate's valid_to.

Previous behavior

New Behavior

Set the criticality of the ocsp no check extension in the OCSP responder cert to false.

The fix allows users to view and access the Authcode when adding a new proxy app. The Authcode is required to set up a connection between the CA manager and the remote proxy app.

Ability to import RSA, ECC, or EdDSA keypairs from a registered HSM partition into CA Manager keypair records for use in signing processes within Software Trust Manager workflows for LUNA Safenet systems.

Capability to create a pre-certificate for PUBLIC TLS that can be submitted to CT logs for signing, and subsequently retrieve the signed version for issuance.

Minor fixes to PathLen modification flows during certifcate creation.