Skip to main content

CA Manager

Release notes

May 22, 2024

DigiCert® ONE version: 1.7460.3 | CA Manager: 1.702.0


SoftHSM support for Post-Quantum Algorithms

The softHSM option now supports the most recent versions of Dilithium (ML-DSA), SPHINCS+ (SLH-DSA), and Falcon (FN-DSA).

PQC no longer supports hardware HSMs because of performance and version support issues.  CA services will provide support for hardware HSMs later in 2024, after NIST finalization and once native support is provided.


Confusing path length info when creating a CA

We corrected an issue in which the number entry field displayed an incorrect default value of -1 when selecting the "Define a path length over 0" option.

Known issues

Post-quantum algorithms are for test only

NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms - Dilithium (ML-DSA), SPHINCS+ (SLH-DSA), and Falcon (FN-DSA) - are for testing purposes only, subject to backward-incompatible updates, and features are still rough around the edges.

May 15, 2024

DigiCert® ONE version: 1.7460.2 | CA Manager: 1.698.0


Create CA form data retention

When a person creating a Root or CA is on a later page in the form, returning to a prior page will now retain and display the previously entered data, no longer requiring reentry.

Feature flagging functionality

We deployed a service that allows features to be deployed and then remotely enabled and disabled. This will allow less disruptive deployments or rollbacks, as well as simplified testing. It will be transparent to customers but should improve the overall experience.

Multiple search filters available in ICA and Root tables

Table filtering on the ICA and Root CA records table now supports filtering by multiple options.


Dutch and Portuguese localization fix

We corrected an issue preventing Dutch and Portuguese languages from displaying when selected from the preferred language dropdown

Third-party roots auto-disabling

We corrected a bug where the application was automatically and silently disabling imported third-party roots.

April 3, 2024

DigiCert® ONE version: 1.7277.0 | CA Manager: 1.686.0


Updated translations

International users should see improved coverage for language localization. We are having an issue with Portuguese refusing to apply properly and are working to fix.

Action menu now available on HSM partition table records

To simplify selecting partitions for registration, an action menu is now available on HSM partition table records.


Changing account filters while creating CAs caused account field to empty

This has been corrected so that the newly selected account is autofilled.

Known issues

Post-quantum algorithms are for test only

Implementations are subject to change.

NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms (Dilithium, SPHINCS+, Falcon) are for testing purposes only, and features are still rough around the edges.

March 27, 2024

DigiCert® ONE version: 1.7083.5 | CA Manager: 1.681.0


Account list page not updating when new account filtered

When the account filter is set, the table now updates and displays correctly.

URL duplication check for proxy apps

CA Manager now checks to ensure an entered URL for an HSM Remote Proxy application does not already exist.

March 20, 2024

DigiCert® ONE version: 1.7083.4 | CA Manager: 1.677.0


PQC - Issue Dilithium (MLDSA) certificates from the softHSM

Dilithium (MLDSA)-based End-entities can be issued from softHSM now.

PQC - Sign digest with SPHINCS+ (SLHDSA) and escrow client key on HSM

Digest signing with SPHINCS+ (SLHDSA) post-quantum algorithm is now avaialble.

PCQ - Create SPHINCS+ (SLHDSA) escrow client key on HSM and SoftHSM

SPHINCS+-based escrow client key creation is enabled on both softhsm and hardware HSMs that are PQC enabled.


Action Menu added to HSM partition list

Table record display now conforms to our common user interface.


Imported Third-party roots made offline

Corrected an issue where imported third-party roots were turned offline. They now remain online.

API response only returned a subset of the Subject DN submitted

The response to a submission containing a set of Subject fields, only displayed a subset of those fields in response, despite processing the full set. The response now matches the submission for improved clarity.

HSM URLs not validated for duplicates

When adding or editing a HSM URL, CA Services now verifies that no duplicate exists before accepting.

Known issues

Post-quantum algorithms are for test only

Implementations are subject to change.

NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms (Dilithium, SPHINCS+, Falcon) are for testing purposes only, and features are still rough around the edges.

March 13, 2024

DigiCert® ONE version: 1.7083.2 | CA Manager: 1.675.0


Support single or multiple values in Subject Alternative Name: Registered ID

Managers are now able to submit single or multiple values for Registered ID.


Pagination fixed on Remote proxy list page

Additional pages are no longer indicated when the list is less than 2 pages.

Various minor usabilty fixes and improvements

Known issues

Post-quantum algorithms are for test only

Implementations are subject to change.

NIST has not yet codified the final versions of the PQC algorithms, nor have PKI standards bodies defined standards. PQC algorithms (Dilithium, SPHINCS+, Falcon) are for testing purposes only, and features are still rough around the edges.

March 6, 2024

DigiCert® ONE version: 1.7083.0 | CA Manager: 1.672.0


SPHINCS+ post-quantum algorithm support

Roots and CAs may now be generated using the SPHINCS+ algorithms - on the PQC-enabled hardware HSM partitions. SoftHSM will be supported in a future release.

Known issues: Given the size of the keys, timeouts may be experienced during creation. Check back after 10-15 minutes to verify the CA has been added to the root or ICA listings (SLDHSA-SHA2-128f, SLDHSA-SHA2-128fs, and SLDHSA-SHA2-192f are generally the fastest). We will be adding asynchronous support in future releases.

Falcon post-quantum algorithm support

Roots, ICAs, and End-entity certificates may now be generated on the PQC-enabled hardware HSM partition. SoftHSM will be supported in a future release.


Root and CA list pages

These pages now share consistent layouts, filtering, and options to improve usability.

Known issues

Post-quantum algorithms are for test only

Implementations are subject to change.

NIST has not codified final versions yet, nor have PKI standards bodies defined standards. The use of PQC algorithms (Dilithium, SPHINCS+, Falcon) is for testing purposes only, and features are still rough around the edges.

February 28, 2024

DigiCert® ONE version: 1.6887.4 | CA Manager: 1.670.0


Qualified Natural Person templates support two additional fields.

Qualified Natural Persons templates now support Organizational Unit and Organization ID fields in the Subject.


Minor user interface (UI) and bug fixes.

February 21, 2024

DigiCert® ONE version: 1.6887.3 | CA Manager: 1.667.0


Domain used for CRLs of issued certificates may not have the CRL usage removed

To prevent breaking CRLDPs, a domain with the usage “CRL” may not have that usage removed if certificates have been issued using that domain.

NIST acronyms now used for Post-Quantum Cryptography (PQC) algorithms

Dilithium is now referred to as MLDSA.

Minor user experience (UX) enhancements


Unable to create wildcard certificates

Wildcard certificates can be created once again.

Minor bug fixes

February 14, 2024

DigiCert® ONE version: 1.6887.2 | CA Manager: 1.663.0


Issue Dilithium PQC Roots and ICAs from SoftHSM

The SoftHSM can now be used to issue test PQC certificates.


Minor Bugfixes

Corrections to non-user-facing issues.

February 7, 2024

DigiCert® ONE version: 1.6887.0 | CA Manager: 1.661.0


Qualified Certificates do not require an EKU

To conform with ETSI specs, qualified end-entities no longer require an EKU.


Domains cannot be edited if they are assigned

To prevent the breaking of CRLs and OCSPs, if a domain has been assigned to certificates, then it may not be edited. A new version must be created, or the domain unassigned to each certificate.


Discovered a possible SQL injection vulnerability when getting all partitions

This vulnerability has been corrected.

Uploading Root CAs via the “Import intermediate CA” feature

Clients could mistakenly upload a root. The feature now blocks upload and returns an error.

February 1, 2024

DigiCert® ONE version: 1.6665.7 | CA Manager: 1.660.0


ICAs created with default settings cannot issue end-entities

These settings have been corrected, and issue end-entities is again enabled by default.

CRL Scope not enforced via API

The API now enforces the same requirements and capabilities as the user interface (UI).

January 10, 2024

DigiCert® ONE version: 1.6665.2 | CA Services: 1.650.0


Initial PQC support

For CA and end-entity issuance only, CRYSTALS-Dilithium algorithm use is now offered for testing. OCSP and CRL creation are not yet supported (errors will be returned on creation attempts).


Only a PQC-enabled HSM may be used for signing; otherwise, an error will be returned. SoftHSM will be supported in February.


Updated logging

Improved logging to include CA disable/enable events, end-entity signing, and other activities.


API not enforcing CRL scope

Corrected an issue where the CRL scope set via API was not being honored.

Known issues

PQC “invalid key type” errors

Will be displayed if 1) a non PQC-Capable HSM is selected to use Dilithium keys and 2) CRL or OCSP are attempted to be created for certificates using Dilithium keys.

January 3, 2024

DigiCert® ONE version: 1.6665.1 | CA Services: 1.646.0


Qualified certificate end-entity templates key usages

Removed restrictions on grouping of required Key Usages to allow clients more flexibility.

November 29, 2023

DigiCert® ONE version: 1.6392.5 | CA Services: 1.630.0


Client escrow keys expiration now editable via API

This functionality now mirrors the UI.


Provide metadata with escrow keys

DigiCert ONE managers now get additional information about an escrow key when using the GET /hsm/partition API endpoint.


Made consistent the various partition statuses displays

‘Enabled’ is now the common term for active registered partitions, and status boxes all render the same.

Inability to change which partition performs Default escrow options

A bug had blocked changing default partitions, this is now fixed.

Default escrow partition may be reassigned

The partition designated as the default escrow partition is always available to all users.

Additional minor UI and functional fixes

November 15, 2023

DigiCert® ONE version: 1.6392.4 | CA Services: 1.622.0


Disable and Reenable

Roots and ICAs now may be “Disabled” - which suspends any issuance, signing or CRLs and OCSP Responses or other use of the certificate until and unless it is reenabled. Disabled CA certificates show “Disabled” status in the Root or ICA table, and do not appear in dropdown menus.

To disable or reenable a CA, select the option from the 3 dot button on that certificate’s detail page.

Revoke CA

ICAs now may be “Revoked”—this option is selected from the 3 dot button on that certificate's details page.

Revoking is a two-person effort, one admin requests the revocation, supplies the appropriate reason code and any details, and selects an approver. The approver will receive an email with the revocation request and a link. They then can approve or deny the request.

Only private trust CAs revoked with the reason “On Hold” can later be un-revoked. Otherwise the revoke is permanent.


To prevent the system from signing OCSP, CRL or using the revoked CA, the CA will also be disabled as part of the process.

Qualified statement support for private certificates

CA services now supports the full range of qualified statements for use in end-entity certificates

ETSI-compliant Qualified statement support

[On-premises only] Additionally, end-entity templates, following ETSI requirements, exist to support issuance of Qualified Natural Persons and Qualified Legal Persons certificates. OCSP utilizes ArchiveCutoff (with the date set to the parent CA’s notBefore date), and CRLs are full-and-complete. The ExpiredCertsOnCRL extension options (see below) is also an option.

CA revocation results in all child certificates, subordinate CA and End-entities, to be revoked; after which a final CRL is published and then the CA is revoked. As noted above revoking a CA is a request and approval process.


These templates follow ETSI guidelines, but are only Qualified-compliant subject to the on-premises customer passing ETSI audit to function as a QTSP.


CRL extension: ExpiredCertOnCRL

[On-premises only] Private and Qualified trust certificate CRLs now may optionally use the CRL extension ExpiredCertonCRL, that retains the status of certificates for selected durations after they expire. Both Partition scope CRLS and full-and-complete CRLs support this extension. In this first release, the option must be selected during CA creation, from the CRL settings by selecting the checkbox “Include revoked certificates in this CA's CRL even after they expire”


Use of this extension may result in very large CRLs and impact performance.

Known issues

Remote Proxy menu item

This item is displayed due to initial development, but is not in general release yet. Updates to come when we deliver the general release.

November 1, 2023

DigiCert® ONE version: 1.6392.1 | CA Manager: 1.617.0


Two-factor authentication (2FA) requirement

Starting November 1, 2023, at 18:00 MDT (November 2, 2023, at 00:00 UTC), we will require all DigiCert ONE accounts to use two-factor authentication (2FA).

You will use both your credentials and a one-time password to access your account. When you log in to your DigiCert ONE account on November 1, you will be prompted to set up two-factor authentication. If you have already enabled two-factor authentication in Account Manager before this date, no further action is necessary.

How to enable two-factor authentication in Account Manager.


If you use single sign-on (SSO) to access your DigiCert ONE account, the new two-factor authentication requirement does not affect you. However, the requirement will activate if you modify your SSO settings.


  • Partition detail page now includes the ability to adjust the security level setting, providing more direct access for editing these configurations.


  • After updating the AIA using a .P7C file, the audit log will now correctly display the associated filename.

  • UI has been corrected to remove the option to disable an already disabled master escrow key, eliminating the previous redundancy.

Known issues

  • The HSM section currently shows the Remote Proxy menu due to ongoing development. It is not intended for general use at this stage. Expect further updates for its full integration.

October 18, 2023

DigiCert® ONE version: 1.6201.3 | CA Manager: 1.613.0


Multi-partition escrow support and other escrow enhancements

CA services now allows multiple HSM partitions to provide key escrow services—though you should designate one as a fallback/default. Additional improvements have been made to facilitate key escrow activities and information

Partition security level indicator for escrow

HSM partitions designated for escrow also should indicate their level of relative security so that escrow requests from managers can ensure the right HSM is used for escrow needs.

The security levels run from 1 to 3, from lowest to the highest at 3.

  • 1 indicates low security (for example SoftHSM) and 3 (for FIPS-certified HSMs; though not necessarily enabled, such as Luna 7 HSMs).

  • 2 indicates somewhere in between, and would be decided by the customer for their dedicated or on-premises HSMs. All DigiCert attached Lunas are set to 3.

Escrow key and partition information endpoint

Managers may call CA services to obtain information about an escrow key—such as it’s expiry and the security level of the partition that houses it.

Escrow key expiry and deletion

When creating escrow keys, an expiry date may be set so that they are deleted to clear room.

Manager now may delete unused escrow keys directly.

October 12, 2023

DigiCert® ONE version: 1.6201.2 | CA Manager: 1.609.0


CRLs for qualified certificates must be full and complete

Pre-work to support qualified trust certificate issuance by on-premises QTSPs, ensures CRLs created for such certificates be full and complete.


Updated and created dates matching in offline requests

Corrected a problem where updating a request also set that date as the created date. The created date is now preserved.

September 28, 2023

DigiCert ONE version: 1.6074.9 | DigiCert® CA Manager 1.600.0


LEI Extension setting

Corrected an issue where the LEI certificate extension could not be set to “Optional”.

Prevent the revoking of an already revoked certificate

Corrected an error in the API that allowed a revoked cert to have it’s revocation date moved forward. Now only backdating is allowed for public certificates.

Other minor backend bugfixes

October 4, 2023

DigiCert® ONE version: 1.6201.1 | CA Manager: 1.606.0


Reject or Delete an offline request for ceremony

You can now reject or delete offline requests, which returns any allocated keypair to the public pool.

September 20, 2023

DigiCert® ONE version: 1.6074.7 | CA Manager: 1.600.0


Qualified statement support

End-entity certificates may now be issued containing Qualified statements. Additional backend work has been prepared to allow issuance of ETSI-compliant certificates and lifecycle management to come in future releases.

September 13, 2023

DigiCert® ONE version: 1.6074.4 | CA Manager: 1.596.0


User interface updates

Updated user experience to improve accessibility.


HSM connectivity

Fixed bugs that were affecting HSM connectivity.

June 28, 2023

DigiCert® ONE version: 1.5428.8 | CA Manager: 1.573.0


Custom extensions support

DigiCert ONE managers, such as Trust Lifecycle Manager and IOT Trust Manager, now support custom certificate extensions using JSON-based ASN.1 templating. This removes additional steps for certain workflows.

GlobalPlatform certificate revocation

Revocation is enabled for GlobalPlatform certificates through IOT Trust Manager.


Creating a CA with pathLen configured

Fixed an issued where creating a CA with pathLen configured resulted in error.

Data Protection on Demand (DPoD) partitions list

Fixed an issue where no partitions showed as available after a DPoD had been initialized.

Events in logs all action options

The list of the actions available to filter is now shows all actions, instead of a random subset of all actions.

CA services application version in the help menu

Fixed an issue where the application version in the help menu showed a mismatched application version. The help menu now shows the actual version of the application.

Responder generation settings

Fixed an issue where, when editing the responder generation settings if Auto-generate OCSP responder certificates was deselected, the other elements remained modifiable. Those options are no longer modifiable when Auto-generate OCSP responder certificates is deselected.

May 17, 2023

DigiCert® version: 1.5118.6 | CA Manager: 1.555.1


HTTPS OCSP domains

OCSP (Online Certificate Status Protocol) domains now can be registered as HTTPS. Such domains will display with “(HTTPs)” suffixes from the dropdown menu. Domains still must be unique, so HTTP and HTTPS versions cannot both exist. At this time, only OCSP supports HTTPs.

Offline request details include Extended Key Usages

When reviewing offline requests for ceremony, included EKUs from the selected template are now displayed below the Policy Extension OIDs (Object Identifiers).


Long CRL paths overlapping other page data

If an active CRL (Certificate Revocation List) with a long file path was displayed, it would overflow to page details. Now it will indicate truncation and can be viewed in full on mouseover.

April 19, 2023

DigiCert® version: 1.4957.3 | CA Manager: 1.526.0


Incorrect preview of setting in CA details page

The read-view of the CRLDP settings now reflects the updated setting.

Log records for HSM partitions were not helpful

The logs for Hardware Security Module (HSM) partitions are now in common language.

Unable to assign another admin to export certificates

Corrected issue with the API that prevented the display of a list of available admins from the assignment list.

Error on Offline Request form

Date picker no longer overlaps icon.

April 5, 2023

DigiCert® version: 1.4957.1 | CA Manager: 1.526.0


Table configuration menu now auto-hides

Fixed an issue where the table configuration menu did not hide and overlapped a record after changing the configuration.

March 22, 2023

DigiCert® version: 1.4083.6 | CA Manager: 1.522.0


Ceremony Manager for CA renewals

Added Renew option to upload the original certificate for recertification when creating an offline request.


Prevent CRL scope changes from breaking the CRL

Fixed a bug that caused errors when a CRL was changed from full and complete to a "lesser" scope. The interface now does not allow changes that will break the CRL and provides information alerting the requestor.


Breadcrumb placement

Breadcrumbs have been moved below the header.

Error returned when creating duplicate key for escrow wasn’t helpful

A more useful error is returned when a user tries to create an identical escrowed key.

March 9, 2023

DigiCert® version: 1.4803.0 | CA Services: 1.516.0


Subject Alternative Name: dnsName character limit corrected

SAN dnsName now supports up to 255 characters/octets.

Subject Alternative Name incorrectly requires country code

The country code is now optional within private SANs.

IssuerAlternativeName not included without SAN: DirectoryName

Including the IssuerAtlernativeName is no longer dependent on the SAN extension having a DirectoryName.

HSM Register partition dropdown menu shows 10 items max

The dropdown should now show all available partitions no matter the quantity.

Various minor accessibility improvements

Various different minor accessibility improvements were added.

February 8, 2023



Updated icons and names to reflect current branding for DigiCert ONE® services.

Import .p12-formatted responders

CA Manager now allows importing OCSP responders in p12 format.


Hidden CRLs

Corrected an issue where the list of Certificate Revocation Lists (CRLs) assigned to an account would not appear if the view had access to more than one DigiCert ONE account. They should now be visible.