Trust Lifecycle Manager
Release notes
November 13, 2024
DigiCert® ONE version: 1.8663.4 | Trust Lifecycle Manager: 1.3579.0
New
Public S/MIME - Mailbox-validated certificate types
We currently support the issuance of Legacy-generation/Sponsor-validated certificates from CertCentral using various enrollment methods (REST API, Browser PKCS12, DigiCert Trust Assistant, CSR, or Microsoft Autoenrollment) after DigiCert validates the organization and email domains.
From this release, we also support Legacy-generation/Mailbox-validated certificate types, allowing issuance of Public S/MIME certificates for non-validated email domains, if the user proves ownership of the email address or mailbox. The email challenge originates from CertCentral, not DigiCert ONE, because CertCentral secures the public issuing CAs for issuing S/MIME certificates.
The issued certificate carries the Certificate Policy OID 2.23.140.1.5.1.1 (Mailbox-validated, Legacy generation), as defined in the CA/Browser Forum S/MIME Baseline Requirements for publicly trusted certificates.
The profiles must be linked to the CertCentral Secure Email for Individual product type, which supports the following web-based enrollment and authentication methods, and optionally, the Cloud Key Escrow feature:
Enrollment method | Authentication method |
---|---|
Note
Renewal of Mailbox-validated certificates will be supported in a future release.
Enhancements
Revocation reasons for Delete Seat API requests
The Delete Seat API endpoint now supports specifying a revocation reason, rather than defaulting to "Cessation of operation." If no reason code is provided, "Cessation of operation" will continue to be used. For details, see the API endpoint documentation.
Supported reason codes that apply to both private and public certificates:
key_compromise
affiliation_changed
superseded
cessation_of_operation
CSR support for CertCentral Server Certificate and Microsoft CA Private Server Certificate templates
The Private CertCentral Server Certificate and Microsoft CA Private Server Certificate templates now support the CSR enrollment method in web-based enrollment flows, with all of the associated authentication methods:
Manual approval
Enrollment code
SAML IdP
The Authentication enrollment fields section is now enabled, allowing profile administrators to set custom optional or required fields on enrollment pages. Users can fill out these fields, and the submitted data will be visible to administrators on the enrollment details page, helping them decide whether to approve or reject the enrollments.
Authenticated self-service portal enhancements
The authenticated self-service portal (Inventory tab) now displays not only user-owned certificates but also retrieves the server and device certificates linked to the SAML-authenticated user. This is done by matching the logged-in user’s email address with the email address in the certificate.
Note
In a future release, the portal will display certificates issued to the user who submitted the request, based on portal authentication, without requiring an email match in the certificate.
Fixes
API returned the incorrect key size
Resolved an issue where the API response returned an incorrect key size for the certificate profile.
Broken link for DER certificate downloads
Resolved the issue of broken links when trying to download a certificate in DER format. This occurred for certificates issued from profiles using the CertCentral Public Server Certificate template.
Duplicate CertCentral certificates
Resolved an issue that caused duplicate certificate entries in CertCentral when users reopened the same pickup URL and attempted to regenerate a previously issued certificate.
CSR with "BEGIN NEW CERTIFICATE REQUEST" header
Resolved an issue where web enrollment pages rejected CSRs whose PEM header is -----BEGIN NEW CERTIFICATE REQUEST----- and accepted only -----BEGIN CERTIFICATE REQUEST----- (without "NEW"). Both headers are now accepted, and validation checks and error messages have been improved for clarity.
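The two PEM labels wrap the same DER structure, so an enrollment form only needs to normalize the label and check the body before handing the request on. The following is an added example (not DigiCert code) of such a pre-check in Python using only the standard library: it accepts either label, rejects anything that is not a certificate request (a certificate pasted by mistake, mismatched BEGIN/END labels, bad base64, a truncated body whose DER length does not match), and returns the CSR re-armored with the RFC 7468 label. The sample CSR body is a constructed DER SEQUENCE, not a real PKCS#10 request.

```python
import base64
import binascii
import re

# PEM labels that may wrap a PKCS#10 request. RFC 7468 specifies
# "CERTIFICATE REQUEST"; OpenSSL and several Windows tools also emit the
# older "NEW CERTIFICATE REQUEST" label for the same DER structure.
ACCEPTED_LABELS = ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST")
CANONICAL_LABEL = "CERTIFICATE REQUEST"

_PEM_RE = re.compile(
    r"-----BEGIN (?P<begin>[A-Z ]+?)-----(?P<body>.*?)-----END (?P<end>[A-Z ]+?)-----",
    re.DOTALL,
)


def _der_outer_length(der: bytes) -> int:
    """Total length of the outermost DER element (tag + length + content).

    A PKCS#10 request is a SEQUENCE (tag 0x30). Parsing only the tag and
    length octets is enough to reject truncated, padded or non-CSR blobs.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("CSR body is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def normalize_csr_pem(text: str) -> str:
    """Accept a PEM CSR with either label and return it with the canonical label.

    Raises ValueError with a specific message for: missing PEM armor, a label
    that is not a CSR label, mismatched BEGIN/END labels, bad base64, and a
    DER body whose declared length does not match its size.
    """
    m = _PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM-armored block found")
    begin, end = m.group("begin"), m.group("end")
    if begin not in ACCEPTED_LABELS:
        raise ValueError(f"unsupported PEM label {begin!r}; expected a certificate request")
    if begin != end:
        raise ValueError(f"BEGIN label {begin!r} does not match END label {end!r}")
    body = "".join(m.group("body").split())
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("CSR body is not valid base64") from exc
    if _der_outer_length(der) != len(der):
        raise ValueError("DER length does not match the decoded body (truncated or padded CSR)")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {CANONICAL_LABEL}-----", *lines,
                      f"-----END {CANONICAL_LABEL}-----"]) + "\n"


def validate_csr_pem(text: str) -> tuple:
    """Web-form style wrapper: (True, canonical PEM) or (False, error message)."""
    try:
        return True, normalize_csr_pem(text)
    except ValueError as exc:
        return False, str(exc)


# Constructed sample, not a real CSR: the DER SEQUENCE { INTEGER 0 }, which is
# enough to exercise the label and length checks offline.
SAMPLE_NEW_LABEL = (
    "-----BEGIN NEW CERTIFICATE REQUEST-----\n"
    "MAMCAQA=\n"
    "-----END NEW CERTIFICATE REQUEST-----\n"
)

if __name__ == "__main__":
    ok, result = validate_csr_pem(SAMPLE_NEW_LABEL)
    print(ok)
    print(result, end="")
```

The length check matters in practice: a CSR pasted from a terminal is often missing its last base64 line, which decodes cleanly but is rejected by any real parser with an unhelpful error; catching it here lets the form say exactly what is wrong.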
November 6, 2024
DigiCert® ONE version: 1.8663.1 | Trust Lifecycle Manager: 1.3538.0
New
View CSR in the enrollment details page
For profiles using the CSR enrollment method and Manual approval authentication method, administrators can now see a View CSR link on the enrollment details page. This link provides access to the:
CSR
Public key algorithm
Public key size
Subject DN and SAN fields and their values as used by the profile
Bulk automation workflows
To simplify certificate management and enhance agility during revocation or distrust events, Trust Lifecycle Manager now offers improved bulk automation workflows to:
Reissue or renew multiple certificates from the same CA.
Switch multiple certificates to a different CA supported by Trust Lifecycle Manager.
With the new bulk automation workflows, administrators can:
Reissue or switch multiple certificates set for auto-renewal without canceling or adjusting the auto-renew schedules.
Edit the selection of certificates before submitting the job.
Assign a preferred certificate profile or CA for the job.
View any issues with automation triggers in advance.
Monitor job progress in the inventory by filtering with the job name.
For more information, see Bulk manage multiple certificate deployments.
HashiCorp Vault integration with DigiCert
The DigiCert HashiCorp Vault integration offers a streamlined solution for enrolling, collecting, and revoking TLS/SSL certificates through Trust Lifecycle Manager. This integration is provided as a custom DigiCert Vault PKI plugin, allowing Vault to continue as a centralized distribution and access point while leveraging Vault’s automation capabilities for DevOps.
The DigiCert Vault PKI plugin acts as a bridge between Vault and your certificate authorities (CAs). Rather than using Vault’s native PKI secrets engine, the plugin is configured in the Vault plugin directory to route certificate requests to Trust Lifecycle Manager, returning signed certificates to Vault. Key features of the plugin include:
Generate and sign certificate signing requests (CSRs).
Store and track certificates issued by Trust Lifecycle Manager within Vault.
The integration supports both generating and storing new TLS/SSL certificates in Vault. It allows for requesting different types of certificates by providing relevant configuration options. Built using Vault’s plugin architecture, the DigiCert Vault PKI Plugin provides security and development teams with:
Connectivity between Vault and any public or private CAs supported by Trust Lifecycle Manager.
Assurance that all certificates meet company policy and audit requirements.
The ability to issue certificates from any supported CA using native Vault workflows.
For more information, see the HashiCorp Vault connector guide.
Enhancements
CertCentral connector deletion enhancements
Enhanced the user experience when deleting a CertCentral connector to prevent unnecessary operational errors. Key updates include:
New confirmation message: When you delete a CertCentral connector, a new confirmation message displays, outlining the impact of the deletion. This message includes a list of affected certificate profiles, allowing you to confirm or cancel the deletion.
Post-deletion actions: If you proceed with the deletion, the following changes will occur:
Affected profiles will have their status set to “Action needed,” and a message on the profile page will prompt you to select a new CertCentral connector from the dropdown list. If no other connector is available, you will be advised to create a new one.
An alert email will be sent to all administrators on the account.
Fixes
Custom certificate report
Resolved an issue where custom certificate reports failed intermittently.
Network scan "run now" button not working
Resolved issue with the network scan "run now" action not working, as accessed via the "play" button on the scan details page.
Known issues
Bulk automation on Azure Key Vault
Azure Key Vault bulk flows may not work under the following conditions:
Common name versioning is enabled on the connector.
A vault contains two certificates with the same name.
Issue: If both certificates are automated simultaneously, Azure Key Vault will fail one of the requests because it does not support multiple pending requests for the same certificate.
Solution: Automate each certificate version one at a time.
October 28, 2024
DigiCert® ONE version: 1.8480.10 | Trust Lifecycle Manager: 1.3519.0
Fixes
Scan name filter in the Unique certificates view on the Inventory page
Resolved an issue where the Scan name filter did not work correctly and occasionally displayed duplicate records.
Network scan not displaying all results in certain configurations
Resolved an issue where network scans were missing some FQDNs in SNI-related discovery flows, ensuring all results are now shown in the inventory.
October 23, 2024
DigiCert® ONE version: 1.8480.8 | Trust Lifecycle Manager: 1.3510.0
New
Delete discovery data from inventory
With this release, administrators can delete certificates discovered by Trust Lifecycle Manager. There are three options available to delete discovered certificates from your inventory:
Delete all discovery data (available from Account > Settings).
Delete an individual certificate (available from the Inventory page).
Select and delete multiple certificates (available from the Inventory page).
For more information, see Manage inventory.
Enhancements
Additional certificate download format in the authenticated self-service portal
The SAML-authenticated self-service portal now supports an option to download the certificate in X.509 format, in addition to the existing PKCS#7 format.
New fields for custom reports
Added support for the following new fields within the certificate custom reports:
Server management details section: Application and Instances
Other details section: DigiCert ONE user
Subject Alternative Name (SAN) details section: SANs
Fixes
Duplicate certificates not working for public S/MIME
Resolved an issue where the duplicate certificate profile option was not applied for profiles created using the Public S/MIME Secure Email (via CertCentral) template.
Approval email notifications
Resolved an issue where approval emails were sent to all users in the account.
CertCentral Public Server Certificate - DNS name
Resolved an issue with CertCentral Public Server Certificate profiles using the CSR enrollment method, where the public enrollment page ignored the optional status of the SAN: DNS name field.
ACME-based issuance not working for CertCentral certificates
Resolved an issue that prevented automated issuance of certificates from CertCentral profiles using the DigiCert agent or 3rd-party ACME client enrollment methods. Note: This fix was released in Trust Lifecycle Manager patch version 1.3511.0.
October 21, 2024
DigiCert® ONE version: 1.8480.7 | Trust Lifecycle Manager: 1.3495.0
Enhancements
Authenticated self-service portal enhancement
The SAML-authenticated self-service portal now supports a Common name field that is displayed under the Certificate pickup URLs tab.
October 17, 2024
DigiCert® ONE version: 1.8480.5 | Trust Lifecycle Manager: 1.3490.0
New
Microsoft Intune connector
You can now centrally configure a new Microsoft Intune connector with your Intune tenant credential details, and use it to:
Configure S/MIME certificate profiles to push escrowed certificates to Intune for distribution to registered user devices.
Configure Intune SCEP-based certificate profiles with the applicable Intune tenant credentials for the issuance of private authentication certificates.
The Microsoft Intune connector is available under the Unified endpoint management category on the Integrations > Connectors > Add connector page.
Certificate recovery and push to Intune
The new Microsoft Intune connector enables S/MIME certificates to be pushed into a customer Intune tenant via an asynchronous job for distribution to user devices by the Intune unified endpoint management (UEM) platform.
This feature is available for S/MIME certificate profiles configured with the DigiCert Cloud Key Escrow option. You select the Microsoft Intune connector from a dropdown list, which allows Intune to deliver the same escrowed S/MIME certificate to multiple devices so the user can decrypt emails on any of them. Use the following base templates to create your S/MIME certificate profiles and select one of the supported enrollment methods of Browser PKCS12, DigiCert Trust Assistant, or REST API.
Template name | Seat type |
---|---|
Note
This solution requires deploying Microsoft's PFX Connector application on a supported Windows domain-joined server, which is a necessary Microsoft dependency. However, no DigiCert on-premises component is needed because we provide a cloud-to-cloud solution.
Certificate issuance via SCEP
You can use the same Microsoft Intune connector to configure profiles for issuance of private authentication certificates from the two Intune templates:
Template name | Seat type |
---|---|
Note
If you already have an Intune certificate profile in your account, a default Intune connector named Microsoft Intune is automatically created for you using the Intune credentials from that profile.
For more information about how to set up and use the new connector type, see the Microsoft Intune connector guide.
Unique certificates view in inventory
A new Unique certificates system view on the Inventory page lists unique certificates keyed by their SHA256 thumbprint. With the new view, administrators can:
View a list of unique certificates.
Filter the certificates by available columns and filters.
Drill down to one or more instances where the certificate is found.
Enhancements
Simplified UI for the branding settings page
You can now use the simplified branding settings page (Account > Settings > Branding) to choose between a custom logo (or the DigiCert default) or an organization name. These will appear on public enrollment pages and emails.
CSR viewer for enrollment requests
You can now view the CSR content for profiles using the CSR enrollment method. Select the Show details link under the CSR text area before submitting the request. This feature helps prevent errors with incorrect CSRs. You can also select Hide details to collapse the section.
The Show details section displays the following information from the CSR:
Public key algorithm
Key size
All Subject DN and SAN fields configured in the profile with a From CSR source. Fields that are not configured in the profile are ignored and not shown under Show details.
Authentication enrollment fields for CertCentral Public Server Certificate template
The CertCentral Public Server Certificate
template now supports the Authentication enrollment fields section in the profile. This allows administrators to set custom optional or required fields that users must complete on the enrollment pages. The submitted data will be visible to administrators on the enrollment details page for enrollment approval or rejection.
Azure Key Vault rollback for common name versioning
The Admin web request enrollment method now supports automatic cleanup of partial records in Azure Key Vault during automation failures. If a failure occurs and the user cancels the request, the system automatically removes the partial record from the key vault.
DigiCert Trust Assistant support for BitLocker
DigiCert Trust Assistant now supports the Windows BitLocker Data Recovery Agent template for the following authentication methods:
Manual approval
Enrollment code
SAML IdP
Note
The DigiCert ONE Login authentication method is not yet supported.
Fixes
Edit network scan failing due to duplicate name error
Resolved an issue where administrators could not edit and save a scan because of a duplicate name error.
AWS unified connector unable to retrieve more than 20 accounts
Resolved an issue with the AWS unified connector so that it now retrieves all accounts within an organization.
Azure Key Vault enrollment failing for ECDSA
Resolved an issue with ECDSA keys in Azure Key Vault for the Admin web request enrollment method.
Blank SAML error page
Resolved an issue where the browser displayed a blank page when a SAML identity provider (IdP) returned an access denied error.
Blocked profile creation for accounts with over-consumption enabled
Resolved an issue where profiles could not be created or saved for accounts with the over-consumption feature enabled.
Recovery of imported certificates through self-service portal
Resolved an issue that prevented authenticated users from recovering imported certificates (in PKCS12 format) through the self-service portal, even when the recovery option was enabled by the administrator.
DigiCert Certificate Import Tool fails to support multiple tags
Resolved an issue with the DigiCert Certificate Import Tool that prevented support for multiple tags on the same uploaded certificate, whether bound to a Discovery or Imported seat.
Email templates
Resolved the following issues:
The {{#commentsToUser}} variable was missing from the Enrollment status change email template.
The {{#certResumptionDate}} value was missing from customized emails sent to users.
The blue "Action Required" header was incorrectly displayed in emails using the Your certificate is revoked template. It has been removed, as no user action is needed; the email is informational only.
October 3, 2024
DigiCert® ONE version: 1.8480.1 | Trust Lifecycle Manager: 1.3446.0
New
SAML authorization
For profiles using SAML identity provider (IdP) authentication, we now support authorizing SAML assertions by reading pre-configured SAML attributes and values in a new side panel. This lets you control which user groups are eligible to receive a certificate: after the user authenticates, the assertion's attributes are checked against the authorization parameters configured in the profile.
Captcha support for revocation requests on the self-service portal
A new captcha feature has been added to user-initiated revocation requests on the open self-service portal to prevent bulk requests from bots.
Note
An administrator must enable the revocation feature within the open self-service portal settings.
Fixes
Inconsistent Intune revocation processing
The Intune revocation job logic has been updated to include retries when DigiCert's certificates in the Microsoft Intune queue are not revoked successfully.
September 25, 2024
DigiCert® ONE version: 1.8279.6 | Trust Lifecycle Manager: 1.3421.0
Enhancements
Enrollment API response - support for enrollment URL
The POST /mpki/api/v1/enrollment API endpoint response now includes the enrollment URL for private certificates issued using DigiCert® CA Manager. This enhancement applies to profiles configured using the Enrollment Code authentication method. For details, see the API endpoint documentation.
User-friendly error message based on SAML callback errors
The new Trust Lifecycle Manager-branded web page now displays a user-friendly error message based on SAML callback errors from assertions sent by a SAML identity provider (IdP).
Fixes
Incorrect protocol displayed in profile warning message
Fixed the issue where the warning message incorrectly showed SCEP for profiles using EST with the global enrollment code. The message now correctly displays EST for EST enrollments.
September 18, 2024
DigiCert® ONE version: 1.8279.3 | Trust Lifecycle Manager: 1.3395.0
Enhancements
Branding settings - logo size
The maximum file size for uploaded images has been increased from 40 KB to 100 KB to allow for better-quality logos.
Fixes
Complete certificate chain in CertCentral REST API enrollment method
The REST API enrollment method now returns the complete certificate chain in its response for both CertCentral public and private certificate enrollments.
Azure Key Vault automation issue
Resolved an issue where the Admin web request enrollment method failed when the connector uses versioning and the original certificate has been deleted. The cause is now displayed, and users must either restore the certificate in Azure Key Vault or use a unique name for the connector.
No actions displayed for empty seat names
Resolved an issue on the Seats list page where seats with empty names were missing the actions (three dots) menu and quick edit option. Empty seat names now display a dash (—) and names consisting only of spaces are not accepted. Seat names must have at least one non-space character.
September 11, 2024
DigiCert® ONE version: 1.8279.2 | Trust Lifecycle Manager: 1.3374.0
New
DigiCert Trust Assistant release v1.2.0
Starting with DigiCert® Trust Assistant v1.2.0, customers can configure profiles for autoenrollment and autorenewal of certificates. After creating and authenticating a user in Account Manager using SAML or OpenID Connect (OIDC), which is a one-time process, a device certificate is automatically issued. This allows DigiCert® Trust Assistant (DTA) to seamlessly retrieve profiles and handle certificate autoenrollment and autorenewal without user intervention (zero-touch).
The DTA client shows the following new menu options after users successfully join their IdP account with DigiCert ONE:
Certificate profiles page: Displays the profiles that the user is eligible to enroll in, either manually or automatically, if an administrator has configured them using the new autoenrollment feature.
Device page: Located under the Advanced mode, it displays device certificate information needed for the new autoenrollment and autorenewal features.
Prerequisites
Configure profiles with the DigiCert ONE Login authentication method to start using profiles.
Configure Single sign-on (SSO) settings for your account using SAML or OIDC.
Ensure that the required attributes are included in the ID token claims (for OIDC) or the assertion (for SAML) so that a user can be created in DigiCert ONE. The required user attributes (case insensitive) are:
Email: email
First name: any of given_name, first_name, firstname, or givenname
Last name: any of last_name, lastname, familyname, family_name, or surname
Some identity providers may provide these attributes by default, but ensure that they are included in the authentication response.
Request your DigiCert or Platform representative to configure the following, which requires System Administrator credentials.
Enable the DigiCert Trust Assistant for your account.
Add your company's email domains to the Allow user creation via SSO option in your account. Your organization must own the domains. You can configure this setting only after SSO sign-in is set up with SAML or OIDC, so ensure SSO is configured first.
Note
Customers using a local Active Directory (AD) for user storage must configure AD Federation Services (FS) as their SAML IdP provider. See Setting Up Active Directory Federation Services.
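The attribute handling described in these prerequisites, and the profile-level SAML authorization introduced in the October 3 release, reduce to three checks on the assertion: map the case-insensitive name aliases to a user record, confirm the email domain is one allowed for SSO user creation, and confirm the user carries an authorized attribute value. The Python below is an added example written for this page, not DigiCert's implementation. It assumes the attribute statement (or OIDC claims) has already been parsed into a dict of name to list of values, and it assumes the profile's authorization rule is expressed as attribute name to set of acceptable values; the sample assertion is constructed, not captured from a real IdP.

```python
# Attribute aliases listed in the release notes (matched case-insensitively).
EMAIL_KEYS = ("email",)
FIRST_NAME_KEYS = ("given_name", "first_name", "firstname", "givenname")
LAST_NAME_KEYS = ("last_name", "lastname", "familyname", "family_name", "surname")


def _lower_keys(attrs: dict) -> dict:
    """Normalise an attribute statement to lower-case keys and list-of-str values."""
    out = {}
    for key, value in attrs.items():
        values = list(value) if isinstance(value, (list, tuple)) else [value]
        out.setdefault(key.lower(), []).extend(v for v in values if isinstance(v, str))
    return out


def _first(lowered: dict, candidates):
    """First non-blank value found under any of the candidate (lower-case) keys."""
    for key in candidates:
        for v in lowered.get(key, []):
            if v.strip():
                return v.strip()
    return None


def map_user_attributes(attrs: dict) -> dict:
    """Extract email, first name and last name, or raise naming what is missing."""
    lowered = _lower_keys(attrs)
    user = {
        "email": _first(lowered, EMAIL_KEYS),
        "first_name": _first(lowered, FIRST_NAME_KEYS),
        "last_name": _first(lowered, LAST_NAME_KEYS),
    }
    missing = [k for k, v in user.items() if v is None]
    if missing:
        raise ValueError("assertion is missing required attribute(s): " + ", ".join(missing))
    return user


def is_authorized(attrs: dict, required: dict) -> bool:
    """True if, for every required attribute, at least one asserted value is allowed.

    `required` models the profile's authorization rule (assumed shape:
    attribute name -> set of acceptable values). An attribute that is absent
    from the assertion fails closed.
    """
    lowered = _lower_keys(attrs)
    for name, allowed in required.items():
        if not any(v in allowed for v in lowered.get(name.lower(), [])):
            return False
    return True


def evaluate_sso_login(attrs: dict, required: dict, allowed_domains: set) -> dict:
    """Run the three checks in order and return a user-facing decision.

    Returns {"ok": bool, "reason": str, "user": dict or None}; the reason is
    meant for the error page rather than a raw internal error.
    """
    try:
        user = map_user_attributes(attrs)
    except ValueError as exc:
        return {"ok": False, "reason": str(exc), "user": None}
    domain = user["email"].rpartition("@")[2].lower()
    if domain not in {d.lower() for d in allowed_domains}:
        return {"ok": False, "reason": f"email domain {domain!r} is not allowed for SSO user creation", "user": None}
    if not is_authorized(attrs, required):
        return {"ok": False, "reason": "user is not in an authorized group for this profile", "user": None}
    return {"ok": True, "reason": "", "user": user}


# Constructed sample assertion attributes (not captured from a real IdP).
SAMPLE_ATTRS = {
    "Email": ["ada@example.com"],
    "GivenName": ["Ada"],
    "SurName": ["Lovelace"],
    "memberOf": ["staff", "pki-users"],
}
SAMPLE_RULES = {"memberOf": {"pki-users"}}
SAMPLE_DOMAINS = {"example.com"}

if __name__ == "__main__":
    print(evaluate_sso_login(SAMPLE_ATTRS, SAMPLE_RULES, SAMPLE_DOMAINS))
```

Two design points carry over to any real deployment: the checks run only after the assertion's signature and audience have been verified by the SAML library (this code never sees an unverified assertion), and the authorization check fails closed when the attribute is missing, so an IdP that stops sending group membership cannot silently make every user eligible.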
Additional enhancements
Notifications : Use the bell icon located at the top of the dashboard to view the following notifications:
Information: When DTA completes an action.
Example: When a certificate is issued or renewed successfully as a background process.
Action required: When DTA detects an action required by a user. The assistant displays an "action" link that you can click to trigger the required action.
Example: If there is a newer version of the DTA provider, a notification is shown with an Upgrade required action link to initiate the upgrade process.
Error: When an error is detected, DTA sends a notification with details of the issue, including which process was responsible for the error and possible causes—for example, network or connectivity issues.
Diagnostics file: A user-generated, password-protected ZIP file containing logs and configuration files for troubleshooting and sharing with your Support team.
SHA3 algorithms: Support for SHA3 signing algorithms for both the DigiCert Software Keystore and compatible hardware tokens.
Session validity for PIN-protected keystores: A new feature for supported keystores, such as hardware tokens and the DigiCert Software Keystore, allowing users to enter their PIN once per session (default is 5 minutes). The DigiCert Trust Assistant configuration file (config.json) now includes a parameter (loginSessionValidity) to control session duration. Each token-based action resets the session to the configured time.
Unregister and upgrade DigiCert provider and token: Users can now quickly unregister and upgrade the DigiCert Software Keystore crypto provider.
DigiCert Software Keystore Provider v1.0.4:
Removed the dependency for the Visual C++ Redistributable to be installed as a prerequisite. It is now included in this new provider version.
Updated the license to use the DigiCert Master Services Agreement (MSA).
Changed installation from per-user to per-machine. You must completely remove the previous installation before installing the latest one, which is automatically handled by the new Upgrade provider functionality in DTA.
Token v1.0.1: Updated the license to use the DigiCert Master Services Agreement (MSA).
For more information, see the DigiCert Trust Assistant guide.
Issuance of PQC composite certificates
Support is now available for issuance and lifecycle operations (revoke, suspend/resume, or recover) of Post Quantum Cryptography (PQC) "composite" certificates, which combine PQC with traditional RSA/ECDSA algorithms. This ensures compatibility with both PQC-enabled systems and those still using traditional encryption methods.
In this initial release, PQC composite certificates support the following key types, sizes, and signing algorithms:
Key type | Key size | Signing algorithm |
---|---|---|
Issuance is supported for profiles configured from the following templates and enrollment methods:
Templates | Enrollment methods |
---|---|
For more information and CSRs/keys for testing, see Issue PQC composite certificates.
BitLocker Data Recovery Agent template
The new Windows BitLocker Data Recovery Agent
template is now available, supporting the issuance of private certificates that meet Windows requirements of BitLocker Data Recovery Agent
certificates. This template allows the encryption and recovery of data within a Windows workstation.
The user template supports the following enrollment and authentication methods:
Enrollment method | Authentication method |
---|---|
The template also supports the following extensions:
Microsoft Application Certificate Policies extension, containing the following policy identifiers (available only for the Microsoft Autoenrollment enrollment method):
Key Recovery Agent
BitLocker Drive Encryption
BitLocker Data Recovery Agent
S/MIME Capabilities extension, listing the following algorithm identifiers (shown with their Windows CertEnroll constant names and OIDs):
XCN_OID_RSA_DES_EDE3_CBC => 1.2.840.113549.3.7
XCN_OID_RSA_SMIMEalgCMS3DESwrap => 1.2.840.113549.1.9.16.3.6
XCN_OID_NIST_AES128_CBC => 2.16.840.1.101.3.4.1.2
XCN_OID_NIST_AES192_CBC => 2.16.840.1.101.3.4.1.22
XCN_OID_NIST_AES256_CBC => 2.16.840.1.101.3.4.1.42
XCN_OID_NIST_AES128_WRAP => 2.16.840.1.101.3.4.1.5
XCN_OID_NIST_AES192_WRAP => 2.16.840.1.101.3.4.1.25
XCN_OID_NIST_AES256_WRAP => 2.16.840.1.101.3.4.1.45
Extended Key Usage (EKU) extensions set as default:
Key Recovery Agent
BitLocker Drive Encryption
BitLocker Data Recovery Agent
Certificate Template Information extension with the following preset values:
Template = 1.3.6.1.4.1.311.21.8.5794885.9824176.5194890.16550107.10406594.143.6622342.10289763
Major Version Number = 100
Minor Version Number = 4
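The two extensions above have small, fixed DER structures, and being able to produce or check them byte-for-byte is useful when verifying that an issued certificate matches the template. The following is an added example written for this page, not DigiCert or Microsoft code. It implements a minimal DER encoder (OID, INTEGER, SEQUENCE) and uses it to build the SMIMECapabilities value (a SEQUENCE OF SEQUENCE { capabilityID OID }, with no parameters, as the S/MIME specifications require for the Triple-DES and AES identifiers) and the Microsoft Certificate Template Information value (SEQUENCE { templateID OID, templateMajorVersion INTEGER, templateMinorVersion INTEGER OPTIONAL }, carried in extension OID 1.3.6.1.4.1.311.21.7). The OIDs and version numbers are the ones listed on this page; a matching OID decoder is included so the long template OID can be round-tripped.

```python
def _base128(n: int) -> bytes:
    """Encode a non-negative integer as a base-128 sub-identifier (high bit = more)."""
    out = bytearray([n & 0x7F])
    n >>= 7
    while n:
        out.insert(0, (n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out)


def _length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER; the first two arcs share one sub-identifier (40*a0 + a1)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return _tlv(0x06, body)


def decode_oid(der: bytes) -> str:
    """Inverse of encode_oid, for checking round trips of long Microsoft template OIDs."""
    if len(der) < 3 or der[0] != 0x06:
        raise ValueError("not a DER OID")
    if der[1] < 0x80:
        start, end = 2, 2 + der[1]
    else:
        n = der[1] & 0x7F
        start = 2 + n
        end = start + int.from_bytes(der[2:start], "big")
    if end != len(der):
        raise ValueError("OID length mismatch")
    subids, value = [], 0
    for b in der[start:end]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    if value or not subids:
        raise ValueError("truncated OID sub-identifier")
    first = subids[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in arcs + subids[1:])


def encode_integer(n: int) -> bytes:
    """DER INTEGER for non-negative values (adds a leading 0x00 when the high bit is set)."""
    if n < 0:
        raise ValueError("only non-negative integers are needed here")
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_sequence(*items: bytes) -> bytes:
    return _tlv(0x30, b"".join(items))


# Algorithm identifiers listed for the BitLocker template, in the page's order.
SMIME_CAPABILITY_OIDS = [
    "1.2.840.113549.3.7",          # XCN_OID_RSA_DES_EDE3_CBC
    "1.2.840.113549.1.9.16.3.6",   # XCN_OID_RSA_SMIMEalgCMS3DESwrap
    "2.16.840.1.101.3.4.1.2",      # XCN_OID_NIST_AES128_CBC
    "2.16.840.1.101.3.4.1.22",     # XCN_OID_NIST_AES192_CBC
    "2.16.840.1.101.3.4.1.42",     # XCN_OID_NIST_AES256_CBC
    "2.16.840.1.101.3.4.1.5",      # XCN_OID_NIST_AES128_WRAP
    "2.16.840.1.101.3.4.1.25",     # XCN_OID_NIST_AES192_WRAP
    "2.16.840.1.101.3.4.1.45",     # XCN_OID_NIST_AES256_WRAP
]


def smime_capabilities(oids=SMIME_CAPABILITY_OIDS) -> bytes:
    """SMIMECapabilities extension value: SEQUENCE OF SEQUENCE { capabilityID OID }."""
    return encode_sequence(*(encode_sequence(encode_oid(o)) for o in oids))


# Template identifier and version numbers listed on the page.
TEMPLATE_OID = ("1.3.6.1.4.1.311.21.8.5794885.9824176.5194890.16550107"
                ".10406594.143.6622342.10289763")


def certificate_template(template_oid=TEMPLATE_OID, major=100, minor=4) -> bytes:
    """Certificate Template Information extension value (extension OID 1.3.6.1.4.1.311.21.7)."""
    items = [encode_oid(template_oid), encode_integer(major)]
    if minor is not None:
        items.append(encode_integer(minor))
    return encode_sequence(*items)


if __name__ == "__main__":
    print(smime_capabilities().hex())
    print(certificate_template().hex())
```

To compare against a real certificate, dump the extension with `openssl asn1parse -in cert.pem -strparse <offset>` and check that the bytes match; a Windows CA silently substitutes its own SMIMECapabilities list if the request's extension is malformed, so a byte-level check is more reliable than eyeballing the GUI.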
Enhancements
Mapping of SAML assertion attributes to authentication fields
For profiles using SAML identity provider (IdP) authentication with manual approval enabled, you can now map custom authentication enrollment fields to SAML attributes. These values appear on the Enrollment Details page, allowing the administrator to approve or reject the enrollment request.
Optional removal of SKI/AKI extensions
You can now optionally remove either the Subject Key Identifier (SKI) or the Authority Key Identifier (AKI), or both extensions from the profile wizard of all the three Generic templates:
Generic User Certificate
Generic Device Certificate
Generic Server Certificate
Existing profiles will automatically show the SKI/AKI extensions by default.
Warning
Do not remove these extensions unless absolutely necessary.
Certificate preview for external CAs
Account administrators with profile creation or editing permissions can now preview certificate details in the profile wizard when configuring profiles with external issuing CAs, such as CertCentral, Microsoft, and AWS.
Fixes
Limit the SAML Enrollment page to the same browser session
Resolved an issue where the authenticated SAML enrollment page could be loaded in a different browser session. You must now reauthenticate if you open the enrollment link in another browser, or in the same browser in Incognito (private) mode.
September 4, 2024
DigiCert® ONE version: 1.8279.1 | Trust Lifecycle Manager: 1.3342.0
Enhancements
Rounding certificate valid-from and valid-to dates
Certificate profiles for private issuing CAs in DigiCert ONE now offer a checkbox under expiration options to set the certificate start and end times to full UTC days (that is, from 00:00:00 UTC to 23:59:59 UTC) instead of using the actual issue time. This feature benefits customers with services across different time zones and those using Intune services.
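Rounding to full UTC days changes both ends of the validity window and makes the result depend on the UTC date of issuance rather than the local one, which is the case that trips up teams spread across time zones. The Python below is an added example, not DigiCert code, that computes notBefore/notAfter both ways and formats them as X.509 Time strings (RFC 5280: UTCTime through 2049, GeneralizedTime from 2050). It assumes, since the page does not say, that the rounded window keeps the same number of whole days as the unrounded one rather than being extended; the issue time is a constructed sample.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def validity_window(issue_time: datetime, validity_days: int, round_to_utc_days: bool):
    """Return (not_before, not_after) as aware UTC datetimes.

    Without rounding, the window starts at the actual issue instant and ends
    exactly validity_days later. With rounding, it covers validity_days whole
    UTC days: 00:00:00 UTC on the issue day through 23:59:59 UTC on the last
    day (assumption: same day count, not an extension).
    """
    if issue_time.tzinfo is None:
        raise ValueError("issue_time must be timezone-aware to avoid local-time ambiguity")
    if validity_days < 1:
        raise ValueError("validity_days must be at least 1")
    issue_utc = issue_time.astimezone(UTC)
    if not round_to_utc_days:
        return issue_utc, issue_utc + timedelta(days=validity_days)
    not_before = issue_utc.replace(hour=0, minute=0, second=0, microsecond=0)
    not_after = not_before + timedelta(days=validity_days) - timedelta(seconds=1)
    return not_before, not_after


def x509_time(dt: datetime) -> str:
    """Format as the X.509 Time string: UTCTime (YYMMDDHHMMSSZ) before 2050, else GeneralizedTime."""
    dt = dt.astimezone(UTC)
    fmt = "%y%m%d%H%M%SZ" if dt.year < 2050 else "%Y%m%d%H%M%SZ"
    return dt.strftime(fmt)


def is_valid_at(window, when: datetime) -> bool:
    """Inclusive check, matching RFC 5280 validity semantics."""
    not_before, not_after = window
    return not_before <= when.astimezone(UTC) <= not_after


# Constructed sample: a request approved at 19:30 local time in UTC-8 falls on
# the *next* UTC day, so rounding snaps it to 00:00:00 UTC of that day, and the
# certificate is already valid at a point where the unrounded one is not yet.
PACIFIC = timezone(timedelta(hours=-8))
SAMPLE_ISSUE = datetime(2024, 9, 4, 19, 30, tzinfo=PACIFIC)

if __name__ == "__main__":
    for rounded in (False, True):
        nb, na = validity_window(SAMPLE_ISSUE, 30, rounded)
        print(f"rounded={rounded}: {x509_time(nb)} .. {x509_time(na)}")
```

The practical consequence for Intune-style device fleets is visible in the sample: with rounding, a device whose clock is slightly ahead of the issuing server no longer sees a "not yet valid" certificate at 03:29 UTC, because the window already opened at midnight.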
User ID support for "Generic Device Certificate" template
The User identifier field is now included in the Subject DN for the Generic Device Certificate template.
Fixes
SAML authorization error
Resolved an issue where a raw JSON internal service error was shown when the user's SAML identity provider (IdP) delivered a failed authorization assertion to the DigiCert SAML service provider (SP). The authorization failure now displays a more user-friendly error message on the authenticated self-service portal.
August 28, 2024
DigiCert® ONE version: 1.8094.6 | Trust Lifecycle Manager: 1.3321.0
Enhancements
Quick edit of agent, sensor, and network scan names
Authorized users can now quickly edit the agent, sensor, and network scan names from their respective list and details pages.
August 21, 2024
DigiCert® ONE version: 1.8094.5 | Trust Lifecycle Manager: 1.3299.0
New
ServiceNow app v1.5.0
ServiceNow app version 1.5.0 released for Trust Lifecycle Manager, which adds support for issuance of private certificates from a Microsoft CA using certificate profiles created from one of the following base templates and configured for one of the supported enrollment/authentication method combinations:
Template name | Seat type | Enrollment / Authentication methods |
---|---|---|
With this release, the following base templates now also support the CSR enrollment method with Manual Approval authentication for use with the ServiceNow app:
Generic Private Server Certificate
Generic User Certificate
CertCentral Public Server Certificate
Public Client Authentication (via CertCentral)
Public S/MIME Secure Email (via CertCentral)
Important
Moving forward, use the CSR enrollment method with Manual Approval authentication in all your manual approval flow certificate profiles for ServiceNow, as we plan to deprecate support for the REST API enrollment method in these profiles.
For more information, see the ServiceNow integration guide.
Enhancements
Multiple key sizes for CertCentral profiles
For CertCentral certificate profiles configured with the CSR, REST API, or SCEP enrollment method, you can now select one or multiple key sizes to allow when requesting a certificate.
Fixes
Comma-separated SANs not being honored in Admin web request
Resolved an issue where SANs entered as comma-separated values with the Admin web request enrollment method were ignored in the final certificate.
Issuance failing when certificate already exists in database
Resolved an issue where ACME-based issuance failed because of a thumbprint conflict when the same certificate was already present in the database from a different source.
Internal notes for SAML IdP manual approval flow
Resolved issue with not being able to submit and store internal notes on the enrollment details page, for certificate profiles configured with the SAML IdP authentication method that have the "Enforce manual approval flow" checkbox enabled.
Authenticated self-service portal - issues with allowed actions
Resolved the following known issues reported in the previous release:
Recovery action did not appear on the authenticated user portal when the operation was enabled by an authorized self-service portal administrator.
Enroll action appeared on the authenticated user portal regardless of whether the operation had been enabled by an authorized self-service portal administrator or not.
August 14, 2024
DigiCert® ONE version: 1.8094.4 | Trust Lifecycle Manager: 1.3282.0
New
Self-service portal operations per profile and UI enhancements
From this release, authorized administrators can configure allowed self-service operations per certificate profile instead of being account-wide operations for all profiles with the self-service portal option enabled. Available operations:
From the open portal:
Revoke: Allows users to request revocation of their certificates, which triggers an email challenge to prove ownership of the email address before confirming the revocation operation. Note: Enable this feature with caution, understanding the risk of being able to revoke someone else’s certificate if you have access to their email account.
From the authenticated portal, after users authenticate against your SAML identity provider:
Recover: Recover certificates for profiles configured with the "Cloud Key Escrow" option.
Renew: Renew certificates issued from DigiCert that are bound to a certificate profile and within the renewal window configured in the profile.
Revoke: Revoke certificates and specify a revocation reason as part of the revocation operation.
Suspend/Resume: Suspend or resume private certificates only.
In addition, as part of the announced initiative in the previous release to improve the navigation and usability of the product, the Self-service portal
menu option has been moved under the Account > Settings page.
Enhancements
REST API support for "Microsoft CA User Certificate" template
You can now configure profiles from the Microsoft CA User Certificate base template using the REST API enrollment method and associated 3rd Party app authentication method to issue user certificates from your Microsoft CA. You can also invoke certificate management operations such as revocation.
SCEP support for "CertCentral Public Server Certificate" template
The CertCentral Public Server Certificate template has now been qualified to support the SCEP enrollment method, allowing servers to enroll and renew public TLS server certificates using SCEP (Simple Certificate Enrollment Protocol).
Certificate profile descriptions
New optional customer-defined field allows administrators to add a user-friendly profile description (maximum 256 characters) when creating or editing a certificate profile. The profile description is displayed as an optional column on the Inventory page, and is also visible to end users from the self-service portal.
Fixes
Optional fields from SAML assertion
Resolved issue with certificate profiles configured with optional Subject DN attributes using values sourced from a SAML assertion, where the enrollment process failed due to an error stating a required value was not present.
Known issues
Authenticated self-service portal - issues with allowed actions
Recovery action does not appear on the authenticated user portal when the operation is enabled by an authorized self-service portal administrator.
Enroll action appears on the authenticated user portal regardless of whether the operation has been enabled by an authorized self-service portal administrator or not.
PQC discovery not working on RHEL 7.x
The discovery service does not find post-quantum cryptography (PQC) certificates on RHEL 7.x systems. As a workaround, upgrade to RHEL 8.x on these systems.
August 7, 2024
DigiCert® ONE version: 1.8094.1 | Trust Lifecycle Manager: 1.3255.0
New
Certificate delivery to DigiCert ACME agent
Added support for delivering certificates to servers with the DigiCert ACME agent. This feature extends the Admin web request enrollment method, available for Azure KeyVault and AWS ACM, supporting certificate formats: x.509, p7b, PKCS12, and Java Keystore (JKS). Access this feature via the updated Admin web request flow on the Enrollments page.
Discovery support for post-quantum cryptography (PQC) certificates
Extended network discovery capabilities to include PQC certificates. New and existing scans can now identify PQC certificates on the network, viewable on the Inventory page.
DigiCert One Login for CertCentral connector
Enabled DigiCert One Login for CertCentral connector, allowing users to add new connectors using One Login authentication. Existing authentication methods remain available for users not on One Login.
Puppet integration
Added support for integrating Trust Lifecycle Manager with Puppet environments. Documentation and sample scripts for using Trust Lifecycle Manager certificates in Puppet are available under the Integrations > Connectors > Add connector.
Enhancements
Main navigation update
This update includes a streamlined navigation interface, intuitive menu structure, and enhanced accessibility, making it easier than ever to find what you need.
Streamlined interface and intuitive menu structure for easier access.
Reduced clicks to reach pages, improving workflow efficiency.
Simplified structure for new users.
Descriptive labels clarify menu items.
Settings page update
Newly redesigned Settings page, crafted to enhance usability and provide a more intuitive user experience.
Clear, concise labels and descriptions.
Logically grouped settings on a single page for easy navigation.
Consolidated related settings to match user workflows.
“Self-service portal” menu option to be moved inside the new Settings page in a future release.
Fixed prefix for OU fields
Enhanced the profile wizard to allow configuring a fixed prefix for OU fields. This feature is available for all three Generic templates. By selecting the Entered by user with prefix source field, the prefix is added to dynamically created OU values with a dash.
For example, a profile with a prefix “Department” and an API-submitted OU value “Sales” will issue a certificate with “Department - Sales” in the OU field.
Quick edit feature for Seats
Extended quick edit feature to allow authorized users to edit Seat names using the Seat List and Seat Details pages.
Multiple data formats for Unique Identifier field
Extended support for selecting data types (BitString or PrintableString) for the Unique Identifier SDN field in Generic Device Certificate and Generic User Certificate templates. Existing profiles continue as-is, with new options available by reconfiguring the field.
Fixes
Seat ID mapping issue with SCEP/EST profiles
Fixed issue where certificates weren’t issued when SAN attributes like RFC822name or DNS name were selected for Seat ID mapping with SCEP or EST enrollment methods.
Custom email templates
Resolved issue where custom email templates weren’t retained when editing profiles.
July 31, 2024
DigiCert® ONE version: 1.7827.6 | Trust Lifecycle Manager: 1.3215.0
New
Adobe AATL certificates for individuals and organizations
Support for issuance of Adobe RSA or ECDSA certificates for individuals and organizations that chain up to root CAs recognized by the Adobe Approved Trust List (AATL) and used to digitally sign documents that are trusted by Adobe products (for example, PDF documents). The certificates get issued from your CertCentral account via a CertCentral CA connector configured in Trust Lifecycle Manager.
Adobe Individual in Organization (via CertCentral): Linked to User seats, this template enables end-users to digitally sign Adobe PDFs locally. Profiles created from this template will be automatically configured to use the DigiCert Trust Assistant enrollment method, which will enforce the use of a hardware token for the creation and storage of keys. Compliance with the DigiCert Master Services Agreement and Adobe’s requirements is the customer’s responsibility.
Adobe Organization (via CertCentral): Linked to Organization seats, this template allows an organization to sign PDFs with a branded certificate. The private key must be securely hosted on a hardware security module (HSM) and used for all document signing.
The following table shows the new base templates used to create certificate profiles for issuing the two types of Adobe AATL certificates, along with the supported enrollment and authentication methods for each template, the corresponding certificate product that must be enabled in your CertCentral account, and the root/intermediate CAs for each CertCentral region.
Template | Seat type | Enrollment method | Authentication methods | CertCentral product type | Trust anchors
---|---|---|---|---|---
Adobe Individual in Organization (via CertCentral) | User | DigiCert Trust Assistant | | Document Signing for Business - Employee | CertCentral Europe Root CA: CertCentral USA Root CA: Intermediate CA:
Adobe Organization (via CertCentral) | Organization | CSR, REST API | | Document Signing for Business - Group | 
Important
Both Adobe certificate templates are "limited" and must be explicitly assigned to your Trust Lifecycle Manager account. If you do not see the templates listed on the Policies > Base templates page, contact your DigiCert account representative or system administrator to assign them and inform you of your Adobe obligations. These obligations include verifying the identity of end-users using a face-to-face process, and keeping evidence of that process, before allowing them to enroll for an Adobe certificate. See Section 27 of DigiCert Certificate Terms of Use for more details.
To issue Adobe certificates, your CertCentral account must be enabled with the corresponding product type (as shown in the above table) and certificate units.
Public S/MIME certificates via SCEP protocol
Support for issuance of Public S/MIME sponsor-validated non-escrow RSA certificates from CertCentral using SCEP as the provisioning protocol, with certificate profiles created from the following base template.
Existing template Public S/MIME Secure Email (via CertCentral) now supports the SCEP enrollment method with the Enrollment Code authentication method for issuance of non-escrowed certificates.
Important
On-premises DigiCert ONE users must create a private CA with common name DCONE-TLM-PUBLIC-SMIME-SCEP-DECRYPT-CA to use this feature.
Enhancements
Quick edit feature
Introduced a quick edit feature that allows authorized users to easily change the names of Business units and Connectors directly from their respective List and Details pages. To edit Business units, go to Manage > Business units. For Connectors, go to Integrations > Connectors.
Fixes
Approval emails
Resolved issue with approval emails being sent out to all users in an account instead of only those users bound to the business unit linked to the certificate profile configured for manual approval.
ServiceNow CMDB import issue
Resolved an issue where Discovery and Imported certificates not bound to a profile were failing to push to ServiceNow CMDB.
CA Discovery import fails with spaces in name
Resolved issue where Microsoft CA discovery import failed when the CA name (CN of the Microsoft CA) had space characters.
CertCentral profile key size mismatch
Resolved an issue with the CertCentral Public Server Certificate profile when using a 4096 key size. The REST API enrollment failed a policy check because the profile's default private key size was set to 2048, causing a mismatch with the 4096 key size specified in the CSR.
July 24, 2024
DigiCert® ONE version: 1.7827.5 | Trust Lifecycle Manager: 1.3166.0
Fixes
Install validation failure for IIS SNI configuration
Fixed agent-based certificate automation issue with install validation failing for the IIS web server on SNI sites.
July 18, 2024
DigiCert® ONE version: 1.7827.3 | Trust Lifecycle Manager: 1.3140.0
New
Issuance of PQC Falcon certificates
Support for issuance and lifecycle operations (revoke, suspend/resume, or recover) of post-quantum cryptography (PQC) Falcon certificates with the below key sizes and signing algorithms, using certificate profiles created from any of the three "Generic" base templates or the Private S/MIME Secure Email template:
Key type | Key sizes / Signing algorithms
---|---
FNDSA | 
Issuance supports the following enrollment methods and associated authentication methods, depending on the base template used to create the certificate profile:
Templates | Enrollment methods
---|---
For more information and CSRs/keys for testing, see Issue PQC Falcon certificates.
System scans
With this release, Trust Lifecycle Manager introduces the ability to find certificates and cryptographic keys on host systems running the DigiCert agent.
Administrators can use system scans to search for:
Certificates in the file system, operating system store, archive files, and keystores.
Keys in the file system. A hash of the key is returned to Trust Lifecycle Manager along with information about whether the key is password protected or not.
When configuring system scans, administrators have the flexibility to:
Create agent groups to manage scans for multiple agents at once.
Run a one-time scan or schedule it to repeat at regular intervals.
Control what to scan for by:
Selecting which types of items to retrieve for a specific scan.
Configuring a global blocklist with drives, folders, and files to skip for all scans.
Certificates discovered through system scans are available from the "All certificates" and "Discovery" views on the Inventory page. Keys are surfaced in the new "Keys" view.
For more information, see System scans.
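As an added illustration of what such a scan has to do (example code written for these notes, not the DigiCert agent's), the Go program below walks a file tree, classifies PEM certificates and keys, reports whether a key is password protected, and hashes each key's SubjectPublicKeyInfo so it can be tied back to the certificate that uses it. The in-memory file tree, the blocklist and the hashing scheme are constructed assumptions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"io/fs"
	"math/big"
	"testing/fstest"
	"time"
)

type Finding struct { // one item the scan reports back to the inventory
	Path      string
	Kind      string // "certificate" or "key"
	Hash      string // SHA-256 hex of the certificate DER, or of the key's SubjectPublicKeyInfo
	Protected bool   // key is password protected; Hash is then of the ciphertext only
}
func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// classifyBlock turns one PEM block into a Finding, or nil when it is neither a certificate nor a key.
func classifyBlock(path string, b *pem.Block) *Finding {
	switch b.Type {
	case "CERTIFICATE":
		if _, err := x509.ParseCertificate(b.Bytes); err == nil {
			return &Finding{Path: path, Kind: "certificate", Hash: sha256Hex(b.Bytes)}
		}
	case "ENCRYPTED PRIVATE KEY": // PKCS#8 encrypted envelope: unusable without the passphrase
		return &Finding{Path: path, Kind: "key", Hash: sha256Hex(b.Bytes), Protected: true}
	case "PRIVATE KEY": // unencrypted PKCS#8; hashing its SubjectPublicKeyInfo (an assumed scheme,
		// not the product's) lets the key be matched to any certificate with the same public key
		if k, err := x509.ParsePKCS8PrivateKey(b.Bytes); err == nil {
			pub := k.(interface{ Public() crypto.PublicKey }).Public()
			if spki, err := x509.MarshalPKIXPublicKey(pub); err == nil {
				return &Finding{Path: path, Kind: "key", Hash: sha256Hex(spki)}
			}
		}
	}
	return nil
}

// ScanFS walks fsys (os.DirFS of a drive on a live host) for PEM certificates and keys,
// skipping every directory whose name is on the blocklist.
func ScanFS(fsys fs.FS, blocklist []string) ([]Finding, error) {
	var out []Finding
	err := fs.WalkDir(fsys, ".", func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			for _, name := range blocklist {
				if path != "." && d.Name() == name {
					return fs.SkipDir
				}
			}
			return nil
		}
		data, err := fs.ReadFile(fsys, path)
		if err != nil {
			return nil // unreadable file: skip it rather than abort the whole scan
		}
		for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
			if f := classifyBlock(path, b); f != nil {
				out = append(out, *f)
			}
		}
		return nil
	})
	return out, err
}

// SampleFS builds a constructed in-memory file tree and returns it with the SPKI hash of the
// key it generates, so a caller can check that the scan links the key file to its certificate.
func SampleFS() (fstest.MapFS, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(key)
	spki, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "scan-test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, "", err
	}
	plain := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return fstest.MapFS{ // the encrypted body is a constructed placeholder: only its envelope type matters
		"etc/ssl/server.pem":   {Data: append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}), plain...)},
		"home/user/backup.key": {Data: pem.EncodeToMemory(&pem.Block{Type: "ENCRYPTED PRIVATE KEY", Bytes: []byte("constructed")})},
		"tmp/leftover.key":     {Data: plain}, // lives in a folder the blocklist skips
	}, sha256Hex(spki), nil
}
```

Calling `ScanFS(fsys, []string{"tmp"})` on the sample tree yields one certificate and two keys, of which one is protected and one carries the same SPKI hash as the certificate's key.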
AWS unified connector
Introducing the new AWS unified connector with this release. This new connector type allows users to:
Connect to an AWS organization and traverse the organization hierarchy from Trust Lifecycle Manager.
Discover certificates in AWS Certificate Manager (ACM) for all AWS accounts in a connected organization.
Enroll new certificates in Trust Lifecycle Manager with automated delivery to ACM in one or more AWS accounts.
AWS unified connectors can also be configured with account scope, to import and deliver certificates to a specific AWS account.
For more information, see Connect to a network appliance or cloud service.
SCEP support for the "External Private CA" template
The External Private CA template now supports the issuance and renewal of private CA certificates via the SCEP provisioning protocol for TLS inspection appliances that support SCEP.
HTTP proxy support for outgoing traffic to ServiceNow CMDB
For DigiCert ONE platform owners with the HTTP proxy functionality enabled, the ServiceNow connector in Trust Lifecycle Manager now routes outgoing traffic to ServiceNow via the configured HTTP proxy settings in the "global" section of the DigiCert ONE values file.
Enhancements
Support for up to 250 duplicate certificates
Profiles with the "Allow duplicate certificates" option enabled now support a maximum of 250 duplicate certificates. Existing profiles inherit this change without the need to create a new profile.
New Microsoft CA connector
With this release, we are enhancing the existing Microsoft CA connector to remove the need for installing the MCARS software on the Microsoft CA server. The new connector design allows the DigiCert sensor to interact directly with the Microsoft CA server for discovery and management operations.
The new Microsoft CA connector requires a Windows-based DigiCert sensor. It cannot be configured using the Linux or Docker versions of the sensor.
Warning
Users can no longer add MCARS-based connectors after this release. Users with existing MCARS-based connectors can continue to use them, however DigiCert recommends replacing your legacy MCARS-based connectors at your convenience with the new Microsoft CA connectors.
For more information, see the Microsoft CA connector guide.
Agent release 3.0.13
New DigiCert agent release adds support for:
System scans.
Plugin manager log rotation.
Fixes
"Download AE config file" button is disabled
Resolved issue with the Download AE config file button being disabled on the Profiles page when there are existing profiles with the Microsoft Autoenrollment enrollment method enabled.
Let's Encrypt integration not working with Cloudflare DNS
Resolved issue with the Let's Encrypt CA connector not being able to issue certificates using the Cloudflare DNS service for domain validation.
July 10, 2024
DigiCert® ONE version: 1.7827.2 | Trust Lifecycle Manager: 1.3103.0
New
Entrust discovery connector
With this release, Trust Lifecycle Manager is adding a new connector type to import certificates issued by the Entrust CA. The new Entrust discovery connector allows administrators to:
Import certificates from an Entrust account into Trust Lifecycle Manager inventory.
Select whether to import expired or revoked certificates in addition to active/valid ones.
Schedule ongoing incremental certificate imports from the Entrust account.
For more information, see Entrust discovery.
Enhancements
Non-repudiation KU for Public Client Authentication (via CertCentral) template
For customers who need to issue public client authentication certificates from CertCentral, you can now select a new "Authentication Only - Non-Repudiation" option in the certificate type dropdown list when creating a certificate profile from the Public Client Authentication (via CertCentral) base template.
July 3, 2024
DigiCert® ONE version: 1.7827.1 | Trust Lifecycle Manager: 1.3090.0
New
Issuance of PQC SPHINCS+ certificates
Support for issuance and lifecycle operations (revoke, suspend/resume, or recover) of post-quantum cryptography (PQC) SPHINCS+ certificates with the below key sizes and signing algorithms, using certificate profiles created from any of the three "Generic" base templates or the Private S/MIME Secure Email template:
Key type | Key sizes / Signing algorithms
---|---
SLHDSA | 
Issuance supports the following enrollment methods and associated authentication methods, depending on the base template used to create the certificate profile:
Templates | Enrollment methods
---|---
For more information and CSRs/keys for testing, see Issue PQC SPHINCS+ certificates.
ServiceNow app support for new certificate types
The ServiceNow app for Trust Lifecycle Manager now supports issuance of public S/MIME and client authentication certificates from Trust Lifecycle Manager certificate profiles created from the following base templates:
Template name | Issuing CA | Enrollment / Authentication methods
---|---|---
 | CertCentral | 
 | CertCentral | 
Issuing these certificate types requires minimum ServiceNow app version 1.4.0 released on June 26, 2024.
For more information, see the ServiceNow integration guide.
Enhancements
Intune template - support for duplicate certificates
Updated the Device Authentication for Microsoft Intune (SCEP) template to support issuance of duplicate certificates (same Subject DN, but different keys and serial number) up to a maximum of 10 valid duplicate certificates.
Discovery and reporting analytics updates
Trust Lifecycle Manager now collects cipher information from F5 network appliances during configuration updates.
Analytics data for certificates found via automation connectors now includes CA vendor, chaining, and security rating information.
Sensor release 3.9.2
New DigiCert sensor release with bug fixes to remove SOAP dependencies.
June 19, 2024
DigiCert® ONE version: 1.7645.2 | Trust Lifecycle Manager: 1.3030.0
New
Custom Enhanced Key Usage (EKU) extensions for private certificates
Private trust certificate profiles now allow for configuration of an Enhanced Key Usage (EKU) extension with custom OID values that will be added at the time of certificate signing by the DigiCert® CA Manager application.
This feature is only supported for private certificates. A custom EKU OID value must not match any standard EKU OID that the base certificate template does not allow.
Chef integration
Chef is a configuration management and IT automation tool.
With this release, we are providing guidance and documentation for how to use certificates from Trust Lifecycle Manager as part of a Chef recipe. Sample scripts and procedures for ACME and API-based integration are available from the Integrations > Connectors > Add connector page under the Infrastructure automation category.
For more information, see the Chef connector guide.
Microsoft CA certificates via API
Added support for requesting Microsoft CA certificates via the Trust Lifecycle Manager REST API, using certificate profiles created from the Microsoft CA Private Server Certificate base template and configured with the REST API enrollment method.
Enhancements
Revocation data in certificate details
The certificate details page now shows revocation data (date/time and revocation reason) for certificates that have been revoked.
Agent release 3.0.11
New DigiCert agent release with the following updates:
Fixed issue with custom script paths. All custom scripts should now be placed in the user-scripts folder in the agent install directory.
Plugin manager ports are now configurable for the agent. Defaults: StompPort = 61613 and ControlPort = 58080.
Important
These ports are used for inter-process communication on the local system only. They do not need to be opened on the external firewall.
June 12, 2024
DigiCert® ONE version: 1.7645.1 | Trust Lifecycle Manager: 1.2994.0
Enhancements
Profiles management
Profile rename options
From this release, profiles can be quickly renamed using the "pencil" icon inside the Profiles list and details pages without going through all the profile wizard steps.
LDAP toggle from list
New option to enable/disable the LDAP feature directly from the Profiles list page without going through all the profile wizard steps.
Self-service portal enhancements
Discovery/Imported certificates option
Added a new configuration option to the Settings page for the self-service portal to allow users to search and download Discovery/Imported certificates from both the open and authenticated portals. To enable this feature, select the Allow management of discovered or imported certificates checkbox under the portal settings.
Revocation operation for open portal
Added a new configuration option to the Settings page for the self-service portal to allow users to request revocation of their certificates from the open portal. If enabled, open portal users can submit a certificate revocation request and DigiCert will send an email challenge to the email address listed within the certificate being revoked. The end user (owning the email account for the email address) must click on the link in the email and then enter a revocation reason and confirm the revocation.
Warning
Enable this feature with caution, understanding the risk of being able to revoke someone else’s certificate if you have access to their email account.
F5 BIG-IP LTM connector updates
When adding a new connector, the F5 BIG-IP LTM connector type now supports the ability to:
Change the private key storage location.
Use the existing client profiles in the Local Traffic Manager (LTM) appliance instead of creating new ones.
Create unique ICA files for each automation.
Modify the filename format used to create the LTM certificate profile and private key.
June 5, 2024
DigiCert® ONE version: 1.7645.0 | Trust Lifecycle Manager: 1.2971.0
New
Audit log manual integrity check
From this release, all audit log events inside the Audit logs page show a new Check data integrity action that checks the integrity of the log entry. Manually triggering the action returns one of three possible responses:
Success: The audit log passed the data integrity check.
Failure: The audit log failed the data integrity check.
Not available: The audit log data integrity check is not available for this record. This is returned for log entries that were generated prior to this release.
Enhancements
Public TLS Server (from CC) support for CSR web-based flow
Updated the CertCentral Public Server Certificate template to support a web-based CSR enrollment method that can be authenticated using the below authentication methods:
Enrollment Code
Manual Approval
SAML IdP
Public S/MIME certificate delivery options
For certificate profiles created from the Public S/MIME Secure Email (via CertCentral) template and configured with the non-escrow option, you can now get the issued certificates in either X.509 or PKCS#7 format by selecting it in the Certificate delivery format section of the profile wizard.
Application version via API
New unauthenticated API endpoint (GET /mpki/api/v1/version) to retrieve the Trust Lifecycle Manager application version. The current application version is also displayed at the top of the API documentation.
Certificate import API enhancement to support multiple tags
Enhanced the certificate import API endpoint (POST /mpki/api/v1/certificate-import) to support multiple tags. The previous implementation only supported a single tag for each imported certificate. From this release, tags can be assigned as a single string value (for backward compatibility) or an array of string values.
Inline help for connector configuration
Added contextual help for add and edit connector flows to guide users about prerequisites, installation, and configuration steps.
Additional DNS integrations for Let's Encrypt CA connector
Extended the following DNS integrations to support automated domain control validation for Let's Encrypt CA connectors:
Digital Ocean
Google DNS
Sensor release 3.9.1
New DigiCert sensor release with enhancements and fixes to support new sensor-based integrations.
Agent release 3.0.10
New DigiCert agent release with fixes and SNI script support.
Fixes
User seats with added timestamp for CMP flow
Resolved issue with User seats being created with an appended timestamp for public S/MIME certificates issued from profiles based on the Public S/MIME Secure Email using CMP (via CertCentral) certificate template.
Incorrect validity period when renewing certificate via API
Resolved issue with an incorrect validity period when renewing a certificate via the REST API after the validity period in the profile had been modified before the renewal request was submitted.
Expiration graph issue
Resolved issue with the expiration graph in the Dashboard page not showing data for Discovery certificates not yet bound to a business unit.
Duplicate certificate issue via SCEP flow
Resolved issue with duplicate certificates not being issued via the SCEP enrollment flow.
PKI Platform 8 integration issues
Resolved public S/MIME synchronization issue with PKI Platform 8. Resolved issue with using Seat GUID instead of Seat ID.
Imported certificates suspension issue
Resolved issue with not being able to suspend certificates that were bound to an Imported seat type.
May 22, 2024
DigiCert® ONE version: 1.7460.3 | Trust Lifecycle Manager: 1.2904.0
Enhancements
Azure Key Vault versioning support
With this release, the Azure Key Vault connector type allows users to configure how certificates should be delivered to the vault using the following options:
Unique names: Use a unique identifier for each certificate delivered.
Common names: Use common names to group certificates issued over time.
iOS-iPadOS enrollment flow for Safari only
For users enrolling for certificates via the iOS-iPadOS enrollment method, an error message will now be displayed on the Apple device if using a non-Safari web browser.
Profile API endpoint documentation update
Updated the API documentation for the POST profile API endpoint to include the IDs for the three supported "Generic" certificate templates that can be used to create profiles with this API endpoint.
Fixes
Public S/MIME revocation issue
Resolved issue with not being able to revoke a public S/MIME certificate issued from CertCentral.
Duplicate device certificates via SCEP
Resolved issue with not being able to issue duplicate device certificates via the SCEP protocol. A new certificate was being issued instead.
May 8, 2024
DigiCert® ONE version: 1.7460.1 | Trust Lifecycle Manager: 1.2855.0
New
Issuance of PQC Dilithium certificates
Support for issuance and lifecycle operations (revoke, suspend/resume, or recover) of post-quantum cryptography (PQC) Dilithium certificates with the below key sizes and signing algorithms, using certificate profiles created from any of the three "Generic" base templates or the Private S/MIME Secure Email template:
Key type | Key sizes / Signing algorithms
---|---
MLDSA | 
Issuance supports the following enrollment methods and associated authentication methods, depending on the base template used to create the certificate profile:
Templates | Enrollment methods
---|---
For more information and CSRs/keys for testing, see Issue PQC Dilithium certificates.
iOS enrollment method for web authentication
New iOS enrollment method to support a web-based solution for direct provisioning of certificates to Apple iOS/iPadOS devices without the need to deploy a full-scale MDM/UEM solution.
For the initial release, administrators can specify the Web Authentication use case, which triggers the installation of a digitally signed .mobileConfig file on the target Apple device. Subsequent releases will support additional use cases including VPN, WiFi, and ActiveSync.
For more information, see Configure iOS/iPadOS enrollment via SCEP.
ServiceNow CMDB integration
New integration supports pushing and synchronizing certificates to the ServiceNow configuration management database (CMDB) via two different methods that can be enabled by account administrators:
Copy certificates to the CMDB table when requested and approved through the ServiceNow app.
Copy certificates from the Trust Lifecycle Manager inventory to the ServiceNow CMDB table.
The CMDB integration features require minimum version 1.3.0 of the ServiceNow app for Trust Lifecycle Manager.
For more information, see the ServiceNow integration guide.
Self-service portal (SAML-authenticated)
The self-service portal now allows users to perform lifecycle management actions on certificates they own after authenticating against their SAML identity provider (IdP). Authentication relies on a unique email address being sent by the SAML IdP to DigiCert’s SAML service provider and used to search for certificates that contain that email address in the SDN:email or SAN:rfc822Name fields.
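To illustrate the binding the authenticated portal relies on (an added example, not DigiCert's code), the Go program below extracts the e-mail addresses from a certificate's Subject DN emailAddress attribute and SAN rfc822Name entries and matches them against the address asserted by the IdP. The test certificates, addresses and the case-insensitive comparison are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// oidEmailAddress is the PKCS#9 emailAddress attribute, i.e. the SDN:email field.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// CertEmails collects every address bound to the certificate: Subject DN emailAddress
// attributes and SAN rfc822Name entries, lower-cased so they compare consistently.
func CertEmails(cert *x509.Certificate) []string {
	var out []string
	for _, atv := range cert.Subject.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidEmailAddress) {
			out = append(out, strings.ToLower(s))
		}
	}
	for _, e := range cert.EmailAddresses {
		out = append(out, strings.ToLower(e))
	}
	return out
}

// MatchesAssertedEmail reports whether the address the SAML IdP asserted is bound to the
// certificate. The comparison is exact after trimming and case-folding (case-insensitive
// mailbox names are an assumption); prefix or substring matches are rejected so that a
// look-alike address cannot claim another user's certificate.
func MatchesAssertedEmail(cert *x509.Certificate, asserted string) bool {
	asserted = strings.ToLower(strings.TrimSpace(asserted))
	if asserted == "" {
		return false // an assertion without an address owns nothing
	}
	for _, e := range CertEmails(cert) {
		if e == asserted {
			return true
		}
	}
	return false
}

// OwnedBy filters an inventory down to the certificates the authenticated user may act on.
func OwnedBy(certs []*x509.Certificate, asserted string) []*x509.Certificate {
	var out []*x509.Certificate
	for _, c := range certs {
		if MatchesAssertedEmail(c, asserted) {
			out = append(out, c)
		}
	}
	return out
}

// NewTestCert builds a constructed self-signed certificate carrying an optional Subject DN
// emailAddress and an optional SAN rfc822Name; pass "" to omit either.
func NewTestCert(subjectEmail, sanEmail string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Test User"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if subjectEmail != "" {
		// RFC 5280 types emailAddress as IA5String, so hand the encoder a typed raw value.
		tmpl.Subject.ExtraNames = []pkix.AttributeTypeAndValue{{
			Type:  oidEmailAddress,
			Value: asn1.RawValue{Tag: asn1.TagIA5String, Bytes: []byte(subjectEmail)},
		}}
	}
	if sanEmail != "" {
		tmpl.EmailAddresses = []string{sanEmail}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	alice, _ := NewTestCert("Alice@Example.com", "")
	bob, _ := NewTestCert("", "bob@example.com")
	unbound, _ := NewTestCert("", "")
	inventory := []*x509.Certificate{alice, bob, unbound}
	for _, asserted := range []string{"alice@example.com", "BOB@example.com", "mallory@example.com"} {
		fmt.Printf("%-20s may act on %d certificate(s)\n", asserted, len(OwnedBy(inventory, asserted)))
	}
}
```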
Account administrators can configure the lifecycle actions that end users are allowed to perform on their certificates. Depending on the type of certificate, available actions may include:
Revoke
Suspend/Resume
Recover
To be visible, certificates must be issued from a profile with the self-service portal option enabled and one of the following enrollment methods:
Browser PKCS12
CMP
CSR
DigiCert Trust Assistant
EST
Microsoft Autoenrollment
REST API
SCEP
In addition, authenticated users can enroll their own certificates and pick up an approved certificate from the self-service portal for web-based profiles that have the self-service portal feature enabled and one of the following authentication methods:
Enrollment code
Manual approval
SAML IdP
Authorized administrators with the SSP manager role can configure the self-service portal from the Trust Lifecycle Manager Settings menu, where they can enable/disable either the open or authenticated self-service portal, manage the allowed actions for the authenticated portal, and get the portal URLs and QR codes to share with end users.
Note
A future release will include a "Renewal" action and the ability to manage Discovery/Imported certificates from the self-service portal.
API endpoint for profile creation
New POST profile REST API endpoint allows for creation of certificate profiles from the "Generic" base templates and configured for the REST API enrollment method and 3rd Party app authentication method.
For details, see the API endpoint documentation.
DigiCert Trust Assistant qualification for macOS Ventura and Sonoma
DigiCert Trust Assistant v1.1.5 has been formally qualified with both macOS Ventura and Sonoma releases.
SaltStack support
SaltStack is a configuration management and orchestration tool. With this release, we are providing guidance and documentation for how to use certificates from Trust Lifecycle Manager as part of a Salt automation script. Sample scripts for ACME and API-based integration are available from the Integrations > Connectors > Add connector page under the Infrastructure automation category.
For more information, see the SaltStack connector guide.
Ansible integration
Ansible is a suite of software tools that enables infrastructure as code. It is open-source and includes software provisioning, configuration management, and application deployment functionalities.
With this release, we are providing guidance and documentation for how to use certificates from Trust Lifecycle Manager as part of an Ansible playbook. A sample playbook and instructions for including it in your Ansible projects are available from the Integrations > Connectors > Add connector page under the Infrastructure automation category.
For more information, see the Ansible connector guide.
mTLS integration with Istio using cert-manager
DevOps administrators can now integrate their Kubernetes workloads to be configured with mTLS for certificates for pod-to-pod communication using Istio and cert-manager. Trust Lifecycle Manager integrates with cert-manager over ACME to issue private certificates from DigiCert® CA Manager for automated service mesh configuration via Istio.
To support this integration, administrators can create a certificate profile from the new CA Manager Private mTLS Certificate base template. A sample configuration file and instructions for enabling the integration are available from the Integrations > Connectors > Add connector page under the Infrastructure automation category.
For more information, see the Istio connector guide.
Policy notifications for discovered certificates
As part of this release, we introduced the ability for administrators to define notification policies for discovered certificates. Any newly discovered certificates matching the user-defined criteria will trigger a notification. To select certificates to notify about, administrators can apply boolean operators against a list of options including:
Subject DN
Common name/SAN
CA vendor
Security rating
Signature algorithm (e.g., SHA256WITHRSA)
Key size
Cipher
Tags
Issuing CA
Administrators can clone the default discovery notification template to define specific criteria, recipients, and email content. They also have an option to combine multiple events in one email. This allows users to configure multiple policies to identify exceptions. The above criteria are also extended to existing expiry notices for discovered certificates from the following notification templates:
Discovered certificate
Discovered certificate expiring (new)
Discovered certificate expired
Enhancements
Duplicate certificates option for Public S/MIME Secure Email (via CertCentral) template
Certificate profiles created from the Public S/MIME Secure Email (via CertCentral) base template now allow configuration of the “Allow duplicate certificates” option. Previously, the option was set to “Yes” and could not be disabled.
IAN extension for web-based enrollment flows
From this release, we extend support for the Issuer Alternative Name (IAN) extension to the following web-based enrollment flows:
Browser PKCS12
CSR
DigiCert Trust Assistant
Note
The IAN extension is only supported by the Generic User Certificate base template. Previously, it was only enabled when using the REST API enrollment method with 3rd Party app authentication.
Self-service portal enhancements
Added the ability to enable or disable the self-service portal (SSP) option from the main Profiles table, instead of having to edit each profile individually.
Added the ability to view/copy the self-service portal URL from the profile details page (Advanced settings > Self-service portal section) when the feature is enabled.
Added more detailed instructions to the self-service portal page to help end users search for and download their certificates.
SAML service provider enhancements
From this release, we support the following SAML service provider (SP) enhancements for profiles configured with the SAML IdP authentication method and the new SAML-authenticated self-service portal.
Signing options
Two new SAML service provider signing options are displayed for profiles configured with the SAML IdP authentication method:
Sign SAML assertion
Sign SAML response
The default configuration has both options checked, but they can be unchecked. However, not every SAML IdP vendor supports receiving unsigned SAML assertions and responses from service providers. If in doubt, check with your SAML IdP vendor before configuring these options.
Generate new SAML Service Provider certificate
A new Generate new SAML SP certificate button is displayed on the profile details SAML configuration options section. This button can be used at any time to generate a new DigiCert SAML service provider (SP) certificate and view its expiration period. When selected, a warning message prompts the user for confirmation before revoking the current SP certificate and issuing a new one.
For profiles configured with the SAML IdP authentication method, the profile will go into the Action needed state when the SAML SP certificate expires. To restore the profile to active status, use the new Generate new SAML SP certificate function to get a new certificate.
Warning
After generating a new SAML SP certificate, the profile will stop authenticating requests against your SAML identity provider (IdP) until you reconfigure your IdP settings with the new SAML SP certificate. It will also stop working if the SAML SP certificate expires unnoticed.
Custom certificate report enhancements
Enhanced the custom certificate CSV reports with three new fields, under two of the sections:
Other extensions:
Security Identifier
Issuer Alternative Name (containing a directory name value)
Subject Alternative Name (SAN) extension:
Directory name
Profile wizard - custom extensions
Enhanced the Custom extensions section in the profile wizard (used by the "Generic" templates) to deliver a better user experience and only show the details of the custom extension section if a user selects the new Add custom extensions button.
Fixes
DigiCert Trust Assistant - S/MIME decryption failures
Resolved an issue where encrypted emails could not be decrypted via the DigiCert Trust Assistant client; version 1.1.6 is required for this fix.
Incorrect authentication method for CMP template
Resolved a regression bug that incorrectly showed an authentication method not supported by the Public S/MIME Secure Email using CMP (via CertCentral) limited template.
Profile creation issue with Public Client Authentication template
Resolved an issue with not being able to create new profiles based on the Public Client Authentication (via CertCentral) template.
Stale data in seat and certificate graphs
Resolved an issue with showing stale data in the seat and certificate usage graphs on the Dashboard page.
April 3, 2024
DigiCert® ONE version: 1.7277.0 | Trust Lifecycle Manager: 1.2722.0
New
"Uploaded certificates expiration" email notification
New Uploaded certificates expiration email notification template that can be used to send renewal email reminders for certificates uploaded into Trust Lifecycle Manager from an external system using the REST API or DigiCert Certificate Import Tool (available upon request). The renewal reminder gets triggered at configurable notice windows based on "tags" applied to the uploaded certificates.
This new notification replaces the functionality previously available from the Settings > Uploaded certificates expiration page for customers with Imported or Discovery seats.
For more information, see Configure custom email notifications for certificate expiration.
SHA3 signing algorithms
Added SHA3 support for the following certificate templates and enrollment methods:
Templates | Enrollment methods | SHA3 signing algorithms |
---|---|---|
Azure Key Vault - discovery
New options to enable key vault discovery when adding or editing an Azure Key Vault connector in Trust Lifecycle Manager. This feature allows users to discover certificates in one or more key vaults associated with the connector. When enabled, users can:
Discover all valid and expired certificates in key vaults.
Update status of deleted and recovered certificates.
Azure Key Vault - remove
New option in the Inventory view to remove certificate from a key vault. Administrators can access this option from the actions (three dots) menu for certificates present in a key vault.
Let's Encrypt - revoke certificate
Administrators can now revoke certificates issued via Let's Encrypt CA connectors. Certificates can be revoked via:
The Trust Lifecycle Manager Inventory view.
A third-party ACME client.
Enhancements
Profile wizard - certificate preview
Ability to preview the content of a certificate as you work through the profile wizard steps, including the entire CA hierarchy that will be used to sign the certificate, for certificate profiles that use issuing CAs hosted in the DigiCert® CA Manager application.
EST authentication
New EST authentication options available for all three "Generic" certificate templates (Generic Device, Generic Private Server, and Generic User):
Global enrollment code
Extended the enrollment code authentication method to optionally allow the configuration of a global enrollment code that can be used to authenticate all incoming EST client requests.
Certificate-based authentication
Added support for certificate-based client authentication via a new authentication method called TLS Certificate Auth. This option requires that you first upload the certificates of CAs trusted to issue client authentication certificates, via the Account > Root CAs page. To authenticate, EST clients must present a certificate signed by one of these trusted CAs.
For more information, see Configure and test EST.
DigiCert Trust Assistant release v1.1.5
New DigiCert Trust Assistant release with the following updates.
Client enhancements:
Import/Export of PKCS#12 / PKCS#7 / GLCK certificate with CA(s) on Windows CAPI will import CA chain certificates to respective trusted root and intermediate CA stores in CAPI with various configurable options (Windows only).
Functionality to rerun the post-processing scripts associated with a certificate/profile in case the scripts fail to execute at the time of certificate enrollment/renewal.
Added new system-level notifications (via a notification message within the client) to inform users about failed post-processing scripts, with enhanced error messaging about the script failures in the DigiCert Trust Assistant user interface and logs.
Enhanced software auto update flow to reduce the number of alerts in case of network communication failures.
Outlook post-processing script — multiple accounts:
Enhanced the Outlook system post-processing script to support Outlook instances with more than one configured email account, based on email matching from the certificate SubjectDN:email and/or SAN rfc822Name fields.
Mixed key types for CA and end-entity certificates:
DigiCert Trust Assistant can now handle certificate issuance/renewal flows with the below CA/end-entity key type combinations, for DigiCert Trust Assistant profiles configured with an:
RSA CA and end-entity certificates with key types of RSA, RSAPSS or ECDSA.
ECDSA CA and end-entity certificates with key types of RSA or ECDSA.
Non-supported browsers:
If a DigiCert Trust Assistant-based enrollment or renewal is attempted on a browser that is not officially supported by DigiCert, a warning message will be shown on the enrollment/renewal page. The flow is not blocked; only the warning is shown.
Certificate delivery format:
When configuring a DigiCert Trust Assistant non-escrow profile from any of the Public S/MIME templates, the default certificate delivery format will now be PKCS#7.
For profiles configured with delivery of the certificate with the CA chain, DigiCert Trust Assistant will automatically install the root/intermediate CA certificates into the respective Windows stores in CAPI.
Fixes
Public S/MIME profile creation
Resolved issue with not being able to create certificate profiles from the Public S/MIME templates.
CertCentral connector
Addressed a problem where users were unable to add a new CertCentral connector using username and password credentials. This update restores the functionality, allowing for seamless CertCentral connector configurations.
Tomcat automation failing
Resolved certificate lifecycle automation issue with Apache Tomcat on Windows.
March 20, 2024
DigiCert® ONE version: 1.7083.4 | Trust Lifecycle Manager: 1.2674.0
New
Sensor release v3.9.0
New DigiCert sensor release with the following updates:
Refactored sensor-to-Trust Lifecycle Manager communication from SOAP to REST.
Stability fixes.
Enhancements
Enhanced automation actions
Optimized certificate lifecycle workflow actions on the Inventory page:
Switch action allows switching a deployed certificate to any supported CA (previously "Switch to DigiCert").
Request a certificate action allows users to issue a new certificate from the same CA.
Renew/Reissue actions remain unchanged for CAs that support them.
Streamlined SAML web enrollment flow
Streamlined the SAML-based web enrollment flows to bypass the “Create enrollment” step if no user input is required and the “Cloud Key Escrow” option is disabled in the profile. This streamlined SAML enrollment flow only presents a single page ("Install certificate").
If the “Cloud Key Escrow” option is enabled in the profile (e.g. for S/MIME use-cases) we will continue to show an intermediate page with a warning to the user alerting about the private key being escrowed in the cloud, hence not bypassing this page. We renamed this page from "Create enrollment" to "Enrollment request" and the button from "Create" to "Submit".
"Enrollment status change" email template for enrollment code flows
Profiles configured with the Enrollment code authentication method now have access to an additional email template that can be enabled in the Email configuration and notifications section of the profile to notify end users when their enrollment status changes from "created" to "rejected", "expired", or "redeemed". We renamed this notification type from "Enrollment status is either rejected or expired" to Enrollment status change (rejected, expired, redeemed).
Fixes
Inventory page issue due to deleted profiles
Resolved issue with the Inventory page not loading properly when encountering certificate profiles that had been deleted.
Certificate delivery format for Public S/MIME (via CertCentral) API requests
Resolved issue with incorrect certificate delivery format for profiles configured from the Public S/MIME Secure Email (via CertCentral) template using the "REST API" enrollment method and with the “Cloud Key Escrow” option disabled (i.e. non-escrow).
SCEP URL with additional "/" character
Resolved issue with the SCEP service no longer accepting SCEP requests containing a “/” character at the end of the "pkiclient.exe" resource inside the URL (e.g. "https://one.digicert.com/mpki/api/v1/scep/<profile-guid>/cgi-bin/pkiclient.exe/?operation=GetCACert").
Sensor list not being sent to agent
Resolved issue with sensor list not getting updated to agents when a sensor is added or removed. This fix ensures that proxied agents have the latest sensor list available for failover scenarios.
Unable to change "start now" scan to scheduled
Resolved issue with being unable to edit a "start now" network scan to use the "schedule for later" option instead.
March 13, 2024
DigiCert® ONE version: 1.7083.2 | Trust Lifecycle Manager: 1.2639.0
Enhancements
Multiple CertCentral connectors
Added support for more than one CertCentral CA connector:
Connect to multiple CertCentral accounts across US and EU regions.
For each connector, map the CertCentral divisions for imported certificates to respective business units in Trust Lifecycle Manager.
When creating certificate profiles from a CertCentral CA connector, set the CertCentral division to use to issue new certificates from each profile.
For more information, see DigiCert CertCentral.
Fixes
Duplicate certificate issue
Resolved issue with issuing duplicate certificates for public products when passing the orderid in the request URL.
March 7, 2024
DigiCert® ONE version: 1.7083.1 | Trust Lifecycle Manager: 1.2616.0
Fixes
Disabled enrollment methods
Resolved issue with not being able to create profiles from the "Generic" and "Private S/MIME" certificate templates due to the enrollment method dropdown being disabled.
March 6, 2024
DigiCert® ONE version: 1.7083.0 | Trust Lifecycle Manager: 1.2609.0
New
Self-service portal
New public-facing web portal allows end users to search for and download certificates associated with profiles for which the Self-service portal option has been enabled by an authorized administrator.
Profiles configured with the following web-based enrollment methods support this new self-service option:
Browser PKCS12
CSR
DigiCert Trust Assistant
EST
Microsoft Autoenrollment
REST API
SCEP
Authorized administrators can use the Account > Settings > Self-service portal menu function to enable or disable access to the self-service portal and get the portal URL or QR code to share with end users.
The self-service portal can also inherit custom branding configured via the Account > Settings > Branding menu function.
Note
The Self-service portal feature must be enabled on your account.
Currently, the self-service portal is only available in English. Support for additional languages will be added soon.
For more information, see Self-service portal.
Sensor release v3.8.66
New DigiCert sensor release with the following updates:
Bug and stability fixes for F5 BIG-IP network appliances.
Enhancements
DigiCert Autoenrollment Server enhancements
Updated the DigiCert Autoenrollment Server to version 2.24.2.0 with the following enhancements:
Custom private extensions that can be used to dynamically retrieve values from Active Directory based on the profile configuration.
New Subject Distinguished Name (DN) fields:
Title
Given name
Surname
DN qualifier
For more information, see the DigiCert Autoenrollment Server guide.
Upload PKCS12 certificates
Enhanced the REST API certificate-import endpoint and the DigiCert Import Tool (available from your DigiCert representative upon request) to support uploading end-entity escrowed certificates (PKCS#12 files with their passwords) into a specified business unit, with or without their issuing CA being previously loaded and configured into your account.
Uploaded certificates get automatically bound to one of the below seat types based on whether the issuing CA is available in your account or not:
Imported seats: For certificates (whether escrowed or not) with their associated issuing CAs available in your account. Authorized administrators can manage lifecycle operations for these certificates in Trust Lifecycle Manager (for example, revoke, suspend/resume, or recover). Available management actions depend on the type of certificate uploaded.
Discovery seats: For certificates without their associated issuing CAs available in your account. Authorized administrators with the appropriate Key Recovery role can download and recover this type of certificate in Trust Lifecycle Manager.
For more information, see Import externally issued certificates using the API.
eIDAS Natural Person - additional Subject DN fields
Added support for the Organization Identifier and Organization Unit Subject Distinguished Name (DN) fields to the following two eIDAS Natural Person certificate templates:
eIDAS Electronic Signature Certificate (Natural Person with QSCD)
eIDAS Electronic Signature Certificate (Natural Person)
Note
Contact your administrator if these certificate templates are not available in your account and you need access to them.
Certificate delivery format profile enhancement
For profiles configured to use a self-signed issuing CA, we enhanced the Additional options: Certificate delivery format step in the profile configuration wizard to dynamically hide the Include CA chain with Root CA and Include CA chain without Root CA PKCS#7 options.
Cause and solution for agent automation errors
Enhanced error messaging to show errors and recommended solutions to help users quickly remediate and retry issues with certificate lifecycle automations managed via DigiCert agents.
Support for CertCentral duplicate certificates
Added support for issuing duplicate certificates from CertCentral during automation events, by selecting the new "get duplicate certificate" option when scheduling the automation. If selected, the request is passed on to CertCentral and the CA there will issue a duplicate if a matching certificate is found. If no match is found, a new order gets created instead.
This feature must be enabled on a per-account basis and is available for certificate profiles configured with the following enrollment methods:
Admin web request
DigiCert agent
DigiCert sensor
3rd-party ACME client
Note
To issue a duplicate certificate from an existing CertCentral order, make sure all these conditions are met:
Order is active, already had a certificate issued, and has enough remaining validity to fulfill the request.
Selected certificate profile is for the same product and organization, and organization is currently validated.
Requested common name matches the order, and any requested SANs match or are a subset of the order.
None of the requested domains include wildcards.
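As an added example (not DigiCert's or CertCentral's code), the Go function below encodes the conditions listed above as a pre-flight check an automation operator could run before scheduling a "get duplicate certificate" request. The Order and Request types, their field names, and the sample values are constructed for this example and are not the CertCentral API schema.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Order is a simplified view of an existing CertCentral order. The field names are
// assumptions made for this example, not the CertCentral API schema.
type Order struct {
	Active       bool
	Issued       bool      // the order already had a certificate issued
	ValidUntil   time.Time // end of the order's validity period
	Product      string
	Organization string
	OrgValidated bool
	CommonName   string
	SANs         []string
}

// Request is what the scheduled automation event asks for.
type Request struct {
	Product      string
	Organization string
	CommonName   string
	SANs         []string
	NotAfter     time.Time // validity the new certificate needs
}

func norm(s string) string { return strings.ToLower(strings.TrimSpace(s)) }

// duplicateEligible checks a request against the conditions listed above and
// returns the first condition that fails, or "" when a duplicate can be requested.
func duplicateEligible(o Order, r Request, now time.Time) string {
	switch {
	case !o.Active:
		return "order is not active"
	case !o.Issued:
		return "order has no issued certificate yet"
	case !r.NotAfter.After(now) || r.NotAfter.After(o.ValidUntil):
		return "order does not have enough remaining validity"
	case norm(o.Product) != norm(r.Product):
		return "profile product differs from the order"
	case norm(o.Organization) != norm(r.Organization):
		return "profile organization differs from the order"
	case !o.OrgValidated:
		return "organization is not currently validated"
	case norm(o.CommonName) != norm(r.CommonName):
		return "requested common name does not match the order"
	}
	// Wildcards are rejected before the subset check, so "*.example.com" cannot
	// slip through even if the order itself happened to contain it.
	for _, name := range append([]string{r.CommonName}, r.SANs...) {
		if strings.Contains(name, "*") {
			return "requested domains must not include wildcards"
		}
	}
	// The order's own common name is treated as covered alongside its SANs (an
	// assumption made here: orders normally list the CN among the SANs).
	covered := map[string]bool{norm(o.CommonName): true}
	for _, s := range o.SANs {
		covered[norm(s)] = true
	}
	for _, s := range r.SANs {
		if !covered[norm(s)] {
			return "requested SAN " + s + " is not part of the order"
		}
	}
	return ""
}

func main() {
	now := time.Date(2024, 3, 6, 0, 0, 0, 0, time.UTC) // constructed date
	order := Order{Active: true, Issued: true, ValidUntil: now.AddDate(1, 0, 0),
		Product: "Secure Site OV", Organization: "Example Corp", OrgValidated: true,
		CommonName: "www.example.com", SANs: []string{"www.example.com", "example.com"}}
	req := Request{Product: "Secure Site OV", Organization: "Example Corp",
		CommonName: "www.example.com", SANs: []string{"example.com"}, NotAfter: now.AddDate(0, 3, 0)}
	if reason := duplicateEligible(order, req, now); reason == "" {
		fmt.Println("duplicate can be requested from the existing order")
	} else {
		fmt.Println("a new order would be created instead:", reason)
	}
}
```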
Fixes
Profile cloning issue with SCEP
Resolved issue with SCEP-based cloned profiles not retaining all the SCEP configuration.
February 21, 2024
DigiCert® ONE version: 1.6887.3 | Trust Lifecycle Manager: 1.2554.0
Fixes
Scheduled report issue
Resolved the issue with not being able to generate scheduled certificate reports.
Issuer Alternative Name (IAN) issue
Resolved an issue with signing certificates with an empty value inside the Issuer Alternative Name (IAN) extension, for certificate profiles configured from templates that support this extension.
ServiceNow app
Version 1.2.1
Released ServiceNow Trust Lifecycle Manager app version 1.2.1 to support Washington version.
This release also resolves the issue with DigiCert email notifications getting sent out when creating approvals for any source table.
For more details, check the app listing in the ServiceNow Store.
February 14, 2024
DigiCert® ONE version: 1.6887.2 | Trust Lifecycle Manager: 1.2527.0
Enhancements
Public Client Authentication (via CertCentral) template
Enhanced the Public Client Authentication (via CertCentral) template to support a new CertCentral product type called Client Authentication Email Subject:
Added support for additional Subject Distinguished Name (DN) fields:
Email
Organization unit (multiple)
Added support for the CSR enrollment method.
Checked and disabled the Key usage and Extended key usage fields, since they will always be included by the new CertCentral product type.
Warning
Important Notes
In order to support these new fields, you must enable the new CertCentral Client Authentication Email Subject product type and have enough certificate units assigned to it, matching the required User seats in Trust Lifecycle Manager.
Existing certificate profiles in Trust Lifecycle Manager will continue to work, but we strongly recommend that you contact your DigiCert representative to reassign your CertCentral certificate units to the new product type and benefit from the new features.
This release also resolves the known issue raised in the previous release related to the SAN:rfc822Name value not being included within the signed certificate.
Audit logs for CMP protocol
Enhanced the Audit logs to support certificate lifecycle operations carried over from the CMP protocol using existing audit log resources and event types from the Public S/MIME Secure Email using CMP (via CertCentral) template ("Limited" scope).
Fixes
Certificate renewal issue
Resolved regression issue that prevented the renewal of certificates that contained a State field within the Subject Distinguished Name (DN).
Issuer Alternative Name (IAN) issue
Resolved issue with not being able to include the Issuer Alternative Name (IAN) extension in signed certificates.
February 7, 2024
DigiCert® ONE version: 1.6887.0 | Trust Lifecycle Manager: 1.2499.0
New
New CA support - Let's Encrypt
Added support for issuance of public TLS certificates from the Let's Encrypt CA using the following enrollment methods:
DigiCert agent (all supported applications)
DigiCert sensor (support for F5 BigIP LTM, AWS ELB, and AWS CloudFront)
3rd-party ACME client
Added a new certificate template (Let's Encrypt Public Server Certificate), a new Let's Encrypt connector, and a new Sensor release (v3.8.65) to support automation flows for Let's Encrypt certificates.
To learn more, see Let's Encrypt.
Warning
Known limitation: Sensor-based automation using Let’s Encrypt is not supported for A10 or Citrix ADC network appliances.
Branding - themes
Extended our branding capabilities, allowing further customization of public-facing enrollment pages with different color themes based on the following configurable items:
Font family
Base font size
Info/helper text color
Link color
Footer text color
An enhanced preview functionality is also available to show the look and feel after applying the theme configuration.
Configure this new feature from the Settings > Branding > Theme selection page.
Fixes
Public S/MIME using CMP issue
Resolved an issue with certificates not being issued when using the Public S/MIME Secure Email using CMP (via CertCentral) template.
REST API certificate issuance issue
Resolved an issue that prevented certificate issuance when the REST API-based certificate profiles were set with a mix of fixed and dynamic Subject DN fields.
February 2, 2024
DigiCert® ONE version: 1.6665.8 | Trust Lifecycle Manager: 1.2472.0
Fixes
Sensor-based automation of CertCentral certificates
Resolved an issue with CertCentral CA connectors impacting sensor-based automation flows.
February 1, 2024
DigiCert® ONE version: 1.6665.7 | Trust Lifecycle Manager: 1.2469.0
New
Citrix Federated Authentication Service (FAS) integration
New set of certificate templates available to support integration with Citrix Federated Authentication Service (FAS) for issuance of private authentication certificates onto virtual machines via the DigiCert Autoenrollment Server (version 2.24.1.0 required).
The integration requires three certificate profiles in Trust Lifecycle Manager, one each created from the three new templates:
Citrix FAS Registration Authority Manual Authorization (Server seat type): Enables Citrix Federated Authentication Service to issue “Citrix FAS Registration Authority” certificates. This template is not used during the integration but is required to proceed.
Citrix FAS Registration Authority (Server seat type): Enables Citrix Federated Authentication Service to issue certificates on behalf of Citrix users in your Active Directory domain.
Citrix FAS Smartcard Logon (User seat type): Enables Citrix Federated Authentication Service to issue certificates to Citrix users in your Active Directory domain.
For details about how to set up the integration, see Citrix FAS.
Cloud key escrow and recovery for “Public S/MIME Secure Email (via CertCentral)” template
Support for cloud key escrow and recovery of end-user public S/MIME sponsor-validated certificates issued from CertCentral using the existing Public S/MIME Secure Email (via CertCentral) template, for these enrollment methods:
Browser PKCS12
DigiCert Trust Assistant
REST API
Key recovery can be initiated by authorized administrators or API users with the Trust Lifecycle Manager "Recovery manager" role enabled. Certificate profiles can be configured to force a dual-admin recovery flow, where two account administrators (or API users) are required to complete the recovery of an end-user escrowed certificate.
Public client authentication
Support for issuance of public client authentication certificates issued from a CertCentral-shared issuing CA that chains up to a trusted root CA, using the new Public Client Authentication (via CertCentral) template in Trust Lifecycle Manager. This template consumes CertCentral certificate units from the "Authentication Plus" product type and supports the following enrollment methods and their associated authentication methods:
Browser PKCS12
DigiCert Trust Assistant
Microsoft Autoenrollment
REST API
Note
When using the Public Client Authentication (via CertCentral) template, the location-based Subject DN fields get automatically retrieved from your CertCentral account's validated organization details and added to the issued certificates.
Warning
Known limitation: This template only supports one Subject Distinguished Name field: the Common Name. Support for multiple OU fields will be included in a subsequent release.
Known issue: The SAN:rfc822name field is mandatory and an email value must be provided by end users or API, however it is not currently being included within the signed certificate.
Enhancements
Seat ID mappings
Enhanced the list of unique fields supported by the Seat ID Mapping dropdown in the profile creation wizard. The two new fields are:
User identifier
Pseudonym
Fixes
Duplicate certificate issue
Resolved issue that prevented the successful signing of duplicate certificates with profiles configured with Subject Distinguished Name (SDN) optional fields set as 'multi-value' when the certificate request did not contain the matching 'multi-value' fields in the SDN.
Renewal issue
Resolved issue that prevented the renewal of certificates that contained a State (ST) field within the Subject Distinguished Name (SDN).
January 24, 2024
DigiCert® ONE version: 1.6665.5 | Trust Lifecycle Manager: 1.2446.0
Enhancements
CertCentral connectors: default import frequency updated to 24 hours
Updated the default certificate import frequency for CertCentral connectors to 24 hours (from 15 minutes previously). You can still change it to any desired value, as before.
Managed automation for Microsoft CA can now add first SAN as the CN in certificates
DigiCert agent-based automation flows now support adding the first SAN as the CN in certificates issued via Microsoft CA.
To enable this, use the Windows Server certutil command to update the Microsoft CA configuration to allow override of the CN in certificates, as follows:
certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT
Restart the Microsoft CA service after running this command for the change to take effect.
January 18, 2024
DigiCert® ONE version: 1.6665.4 | Trust Lifecycle Manager: 1.2428.0
Fixes
Issue with "Next" button when configuring custom extensions
Resolved issue where the Next button was disabled when configuring custom extensions in a certificate profile.
Renewal issues
Resolved some issues with not being able to renew certificates.
January 17, 2024
DigiCert® ONE version: 1.6665.3 | Trust Lifecycle Manager: 1.2424.0
Enhancements
Certificate import REST API
Updated the Inventory controller certificate-import REST API endpoint to support the equal (=) symbol as part of the Subject DN Common Name (CN) field.
January 10, 2024
DigiCert® ONE version: 1.6665.2 | Trust Lifecycle Manager: 1.2402.0
New
Optional overconsumption of seats/certificates
Added a new "overconsumption" feature that allows for the overconsumption of seats and certificate issuance from business units in Trust Lifecycle Manager. DigiCert ONE system administrators can enable this feature from the Account Manager application.
Sensor release v3.8.64
New DigiCert sensor release with the following updates:
Stability enhancements.
Bug fixes for A10 load balancer.
Enhancements
LDAP searches by email address
Enhanced the LDAP service to support searching certificates (via an LDAP client) using email addresses contained within the SAN:rfc822Name extension.
Custom labels for multiple fields
Added support for custom labels when configuring a certificate profile with a field (for example, OU) that has the multiple checkbox set. This allows each individual field to show a different custom label in public-facing pages, in multiple languages if required.
Updates to "Generic Device Certificate" template
Added support for the "Non repudiation" key usage and SAN:userPrincipalName (UPN) extensions to the Generic Device Certificate template.
eIDAS templates
Updated the eIDAS Natural and Legal Person templates to support a wider set of key usage combinations, following ETSI guidelines.
Honor CA Manager allowlist settings for 3rd-party ACME enrollment
Extended the ability to allowlist domains and IP addresses to the 3rd-party ACME client enrollment method from the CA Manager Private Server Certificate template.
Lifecycle actions for certificates enrolled via "Admin web request"
Added lifecycle actions for certificates originally enrolled through the admin web request workflow. This allows administrators to renew or reissue these certificates from their Inventory views.
Fixes
Public S/MIME profile issue when using CertCentral in Europe
Resolved an issue that prevented creating certificate profiles from the Public S/MIME Secure Email (via CertCentral) template for DigiCert ONE deployments in the Netherlands and Switzerland that use the European CertCentral platform.
