IoT Trust Manager

Release notes

May 29, 2024

DigiCert® ONE version: 1.7460.4 | IoT Trust Manager: 1.623.0

New

Registered value conditions

Introduced an advanced feature allowing solution operators to set specific conditions for certificate fields within enrollment profiles. This ensures certificate requests meet predefined criteria and provides detailed logs for rejected requests.

  • Customizable validation conditions: You are now able to define conditions for certificate fields (for example, common name) with criteria such as character limits and required prefixes. You can also set different allowed values for various enrollment profiles to cater to different product lines and groups.

  • Support for regular expressions: You can now use regular expressions for precise and complex validation rules.

  • Certificate request validation: Certificate requests are now automatically verified against defined conditions and non-compliant requests will be rejected.

  • Detailed rejection logging: Comprehensive logs of rejected requests for troubleshooting and rule refinement are now available.
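An added example (not DigiCert code) of the checks described above: length limit, required prefix, regular expression and allowed values per enrollment profile, with a log line for each rejection. The profile names, field names and patterns are constructed, and anchoring patterns to the whole value is this example's choice, since the release note does not say how patterns are applied.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Condition:
    """One rule for one certificate field (hypothetical schema for this example)."""
    field: str
    max_length: Optional[int] = None
    required_prefix: Optional[str] = None
    pattern: Optional[str] = None
    allowed_values: Optional[FrozenSet[str]] = None

    def violations(self, value: Optional[str]) -> List[str]:
        if value is None:
            return [f"{self.field} is missing"]
        # repr() escapes control characters, so a value cannot forge log lines.
        shown = f"{self.field}={value!r}"
        found = []
        if self.max_length is not None and len(value) > self.max_length:
            found.append(f"{shown} is longer than {self.max_length} characters")
        if self.required_prefix is not None and not value.startswith(self.required_prefix):
            found.append(f"{shown} lacks required prefix {self.required_prefix!r}")
        # fullmatch() anchors both ends. search() accepts any value that merely
        # contains a match, and "^...$" with match() still allows a trailing newline.
        if self.pattern is not None and re.fullmatch(self.pattern, value) is None:
            found.append(f"{shown} does not match pattern {self.pattern!r}")
        if self.allowed_values is not None and value not in self.allowed_values:
            found.append(f"{shown} is not an allowed value")
        return found


# Constructed profiles: different rules for different product lines.
PROFILES = {
    "thermostat-line": [
        Condition("common_name", max_length=24, required_prefix="thermo-",
                  pattern=r"thermo-[0-9a-f]{12}"),
        Condition("organizational_unit", allowed_values=frozenset({"HVAC"})),
    ],
    "camera-line": [
        Condition("common_name", max_length=32, pattern=r"cam-[A-Z]{2}-[0-9]{6}"),
    ],
}


def evaluate(profile: str, request: dict) -> Tuple[bool, List[str]]:
    """Return (accepted, rejection_log). Unknown profiles fail closed."""
    if profile not in PROFILES:
        return False, [f"REJECTED profile={profile!r} reason=unknown profile"]
    reasons: List[str] = []
    for condition in PROFILES[profile]:
        reasons.extend(condition.violations(request.get(condition.field)))
    log = [f"REJECTED profile={profile} reason={reason}" for reason in reasons]
    return not reasons, log


if __name__ == "__main__":
    requests = [  # constructed certificate requests
        ("thermostat-line", {"common_name": "thermo-0123456789ab",
                             "organizational_unit": "HVAC"}),
        ("thermostat-line", {"common_name": "thermo-0123456789ab.example",
                             "organizational_unit": "HVAC"}),
        ("camera-line", {"common_name": "cam-EU-000042\n"}),
    ]
    for profile, request in requests:
        accepted, log = evaluate(profile, request)
        print("ACCEPTED" if accepted else "\n".join(log))
```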

Enhancements

Batch report and output file naming

Improved clarity and organization of batch reports and output files by including the batch job name and its UUID in their names.

  • Batch report naming: Updated batch report names to include the batch job name followed by its UUID.

  • Batch output file naming: Updated batch output file names (ZIP and JSON formats) to include the batch job name and its UUID.

Additional field for CMS encryption

Introduced the ASN1_Algorithm field in the certificate issuance API, allowing users to specify the ASN.1 algorithm directly.

  • New field: ASN1_Algorithm: Added the ASN1_Algorithm field to the certificate issuance API for direct specification of the ASN.1 algorithm.

  • Behavior change for RSA_OAEP: Changed CMS encryption method from CMSAlgorithm.AES256_CBC to CMSAlgorithm.RSA_OAEP when ASN1_Algorithm is set to RSA_OAEP.

Fixes

License count issue

Enhanced system defenses to ensure accurate license counts, especially during device and certificate failures.

April 3, 2024

DigiCert® ONE version: 1.7277.0 | IoT Trust Manager: 1.616.0

Fixes

User permission fixes

Users with the appropriate permissions now have the ability not only to create and edit, but also to disable and delete custom certificate templates directly from their account.

Enhanced logging for CMPv2

Upgraded CMPv2 with additional logging capabilities to provide more in-depth insights into its operations and interactions.

March 27, 2024

DigiCert® ONE version: 1.7083.5 | IoT Trust Manager: 1.614.0

Fixes

Dilithium key support

Implemented code changes in IoT Trust Manager to unify the naming conventions for Post Quantum Crypto Dilithium across CA Manager and the server-side key generation for Dilithium keys. This adjustment ensures IoT Trust Manager continues to support certificate requests for Dilithium type keys and algorithms, alongside introducing server-side Dilithium key generation capabilities.

Authentication certificate signature algorithm mismatch

Addressed an issue where mismatches between the signature algorithms of authentication certificates and their issuing CA, designated as the “authentication CA” in IoT Trust Manager, led to authentication failures. This correction prevents failed certificate requests stemming from the rejection of authentication certificates due to algorithm mismatches.

March 20, 2024

DigiCert® ONE version: 1.7083.4 | IoT Trust Manager: 1.610.0

New

Disassociation of registered values and enrollment profiles

Users now have the ability to easily remove the association between a registered values object and an enrollment profile, offering greater flexibility in managing the configuration and lifecycle of enrollment profiles.

Enhancements

Registered values enrollment profile management improvements

  • Assignment limitation: Updated to restrict the assignment to only one registered values object per enrollment profile, streamlining the setup process.

  • Assignment flexibility: Enhanced to allow a registered values object to be linked with multiple enrollment profiles, offering more versatility in configurations.

  • List view enhancement: Introduced a new column in the Enrollment Profile List page that shows the registered values object associated with each profile, improving oversight.

  • Filtering update: Launched advanced filtering options on the Enrollment Profiles List page, enabling users to filter profiles based on the registered values object assigned, facilitating easier management.

Fixes

CSV template download correction in registered values

Addressed a bug in the CSV template download functionality within the Registered values details page. The fix ensures that the downloaded CSV template accurately mirrors the certificate values specific to the dataset being managed, fixing an issue where a generic template was received, leading to inconsistencies.

Service user identification in batch download notifications

Resolved an issue where email notifications for batch downloads incorrectly displayed 'null null' for the Service User. Notifications now include the Service User's email (friendly name), providing clear identification.

Batch job report accuracy

Fixed a problem where batch job reports erroneously indicated no successful records, even when jobs were completed successfully. Reports now accurately reflect the success of job executions and document any issues or errors, enhancing trust in the system's reporting capabilities.

Corrected status display for rejected batches

Implemented a correction for a misrepresentation issue where batch enrollments marked as 'Rejected' inaccurately showed records as having been processed successfully. The system now correctly reflects the actual status of each record in rejected batches.

March 13, 2024

DigiCert® ONE version: 1.7083.2 | IoT Trust Manager: 1.606.0

New

Enhanced scalability and reliability with pre-termination hook

In this update, we're introducing a significant enhancement to our container management system: the pre-termination hook. This new feature is designed to give you more control and predictability over how your containers shut down—ensuring a smoother, more reliable system operation.

Key features

  • Enhanced control: The pre-termination hook triggers right before a container shutdown, ensuring essential tasks are neatly wrapped up. This timely intervention allows for a smoother transition and a more graceful system behavior.

  • Predictability across operations: Regardless of what initiates a container's termination—be it API requests, management events, or other system conditions—the pre-termination hook provides a reliable and predictable way to manage the shutdown process, enhancing system stability.

  • Seamless system integration: The pre-termination hook does not delay the container termination process. The termination grace period begins prior to the hook's activation, guaranteeing that containers will terminate within their allotted time, regardless of the hook's actions.

March 6, 2024

DigiCert® ONE version: 1.7083.0 | IoT Trust Manager: 1.603.0

New

Registered values

Implemented registered values in IoT Trust Manager to enhance certificate issuance control. Registered values ensure that certificate request values adhere to predefined criteria, including lists of allowed values and conditions. This enhancement enables stricter validation of certificate fields according to specific requirements.

Registered values can also be managed and viewed by all divisions within an account or restricted to specific divisions only. This allows for the assignment of a registered values container to specific divisions.

To start using registered values, sign in to your DigiCert ONE IoT Trust Manager account and go to Certificates > Registered values.

Enhancements

IP address range blocking

Adding the entire IP range, specifically from 0.0.0.0 to 255.255.255.255, to the list of allowed IP addresses is no longer possible. This change addresses potential security risks by preventing these broad ranges from being used.

Toggle switch for IP limitations

A new toggle switch feature allows you to easily control the limitations on IP address entries. This provides flexibility between restricted and unrestricted IP address entries.

Fixes

Batch email sending issue

Resolved a bug that prevented sending batch external emails via API.

February 14, 2024

DigiCert® ONE version: 1.6887.2 | IoT Trust Manager: 1.593.0

Fixes

Zipped file uploads

Resolved an issue that prevented zipped files from uploading correctly, allowing users to upload zipped trust bundles without errors.

P7B file support

Fixed an issue to enable successful uploading of P7B files.

Certificate profile creation

Addressed an issue that caused files with whitespaces in their names to fail during upload.

Certificate profile creation

Fixed an issue where the signature algorithm was not correctly applied when creating a certificate profile for CMPv2.

February 7, 2024

DigiCert® ONE version: 1.6887.0 | IoT Trust Manager: 1.587.0

New

Trust bundle division access feature

Introduced trust bundle division access feature to enhance security and access control, allowing trust bundles to be limited by divisions for granular access control.

Added PQC support

Initiated integration of Post-Quantum Cryptography (PQC) support with the incorporation of the Dilithium algorithm, marking a step towards enhanced security.

Important

Because the standard for Dilithium has not been finalized, this should not be used in production environments.

Enhancements

Gateway installation download flexibility

Enhanced gateway installation process to allow for unlimited downloads and introduced a predefined expiration period of 3 days (72 hours) for the download link.

Validity and signature algorithm in CMPv2 requests

Introduced enhancements to CMPv2 functionality, enabling users to specify certificate validity duration and signature algorithm selection directly in CMPv2 requests.

MAC address verification for DigiCert Gateway

Added a configuration option to enable or disable MAC address verification for DigiCert Gateway, catering to deployments in environments with dynamic MAC addresses, like Kubernetes containers.

January 10, 2024

DigiCert® ONE version: 1.6665.2 | IoT Trust Manager: 1.578.0

New

Trust bundle management

A trust bundle is an essential collection of certificates used to establish trust within digital environments. A trust bundle can include various types of certificates such as root CAs, intermediate CAs, code signing certificates, and others required for distribution into trust stores. Our system supports adding up to 100 certificates in a single trust bundle.

You can easily manage these trust bundles in the IoT Trust Manager console, where you can perform the actions listed below. These actions enhance your ability to manage trust bundles effectively, ensuring that you can maintain the necessary digital trust and security for your operations. For detailed instructions or additional support, please refer to our documentation or contact our support team.

  • Download trust bundle

  • Copy trust bundle download link

  • Delete trust bundle

  • Disable trust bundle

  • Enable trust bundle

Enhancements

CMPv2 alternative (shorter) URL

These CMPv2 updates address the CMPv2 directory value limitation and enhance the enrollment profile interface for EST/SCEP/CMPv2 methods.

  • CMPv2 directory value issue

    Resolves the issue for clients where the CMPv2 URL value is limited to 32 characters by adding alternative enroll/reenroll URLs for EST/SCEP/CMPv2 enrollment methods in the enrollment profile details. View alternative URLs under the enrollment profile details.

  • Reference ID for passcodes

    Introduces a Reference ID field on the passcodes details page for CMPv2 enrollment method passcodes. Reference IDs are available on the passcode's details page for CMPv2 enrollments.

Certificate template creation with RSA 1024-bit

  • Certificate template creation with RSA 1024-bit

    Users can now create certificate templates that include RSA 1024-bit in the list of allowed key types.

    This enhancement allows for greater flexibility and customization in certificate management and caters to specific security requirements and compliance standards.

  • Server-side key generation support for RSA 1024-bit

    Our platform now supports server-side generation of RSA 1024-bit keys. This update ensures stronger security protocols and aligns with the latest industry practices in key generation.

    This update works for the following:

    • Batch Request Processing

    • Single Certificate Requests

    • API integration

Support for PQC Dilithium keys

We now support Post-Quantum Cryptography (PQC) Dilithium keys as a part of our commitment to providing advanced security features and keeping up with evolving industry standards.

By integrating PQC Dilithium keys, we are enhancing our platform's security and preparing for the quantum-resistant future of cybersecurity. This update empowers our users to adopt stronger cryptographic standards, ensuring the longevity and integrity of their security measures.

New features

  • Certificate template creation with PQC Dilithium keys

    Users can now create certificate templates with PQC Dilithium keys as one of the allowed key types. This enhances flexibility and customization in certificate management and allows users to stay ahead in the security landscape.

    This update caters to advanced security requirements and compliance with future-proofing standards.

  • Server-side key generation support for PQC Dilithium keys

    We updated our platform to support the server-side generation of PQC Dilithium keys. This addition fortifies our security protocols and ensures alignment with cutting-edge key generation practices.

    The support for PQC Dilithium keys extends across various functionalities, including:

    • Batch Request Processing

    • Single Certificate Requests

    • API integrations

Enhanced exception handling for batch generation

Customers have expressed the need for clearer visibility into potential exceptions that may occur during the batch generation processes. The lack of detailed feedback when batch generation fails leaves customers uncertain about the nature and stage of the failure.

Therefore, we enhanced our exception-handling protocols to provide more informative and specific error feedback during batch-generation failures. Customers will now receive detailed error messages indicating the stage at which the batch process failed.

Examples of updated messages:

  • "Batch failed. Key generation failed."

  • "Batch failed. Unable to store parts."

Possible error codes

To further assist in troubleshooting, the following error codes will be provided, detailing the nature of the exception:

  • INVALID_REQUEST - "Invalid request"

  • CERTIFICATE_CREATION_ERROR - "Certificate creation error"

  • CERTIFICATE_AUTHORITY_ERROR - "Certificate authority error"

  • DATABASE_ERROR - "Database error"

  • ENCRYPTION_ERROR - "Encryption error"

  • ENTITY_NOT_FOUND_ERROR - "Entity not found error"

  • INPUT_FILE_READ_ERROR - "Input file read error"

  • INTERNAL_SERVER_ERROR - "Internal server error"

Fixes

Update batch certificate CSV template

Issue: CSV template missing the CSR column

The downloaded CSV template does not include a CSR column.

  1. Select I have the keypairs and will provide the CSRs or public keys in the request.

  2. Select I will upload CSV with request info.

  3. Select Download template.

Fix: Updated the logic in the create batch page to handle the template request correctly

Now, when the client-side key generation is selected and the user requests a template download, the system will send the option “client_side” in the request. In all other cases, the system will default to the “server_side” option.

This change ensures the correct template, including the CSR column, is provided, aligning with the user's selection.

December 19, 2023

DigiCert® ONE version: 1.6573.3 | IoT Trust Manager: 1.570.0

Fixes

Mandatory field update

Issue details:
  • Problem: In an earlier update to the IoT Trust Manager REST API, the v1/certificate POST request was mistakenly updated to require the response_with_certificate_only parameter in the request body. The response_with_certificate_only field should be optional.

Resolution:
  • Update: This issue has been fixed. Now, on the v1/certificate POST request, the response_with_certificate_only field is correctly set as an optional request parameter.

December 7, 2023

DigiCert® ONE version: 1.6392.5 | IoT Trust Manager: 1.567.0

Enhancements

ACME Credentials Interface enhancement

  • Replaced old eye symbol with a modern icon, enhancing the ACME credentials interface on the Enrollment Profile Details page.

  • Added a sidebar link for quick access to ACME details, improving usability and security.

Certificate Profile UI simplification

  • Removed the "Required" toggle for non-modifiable settings on the Certificate Profile page. Affected settings include:

    • Certificate Signing Request, Certificate Value Field, Force Uniqueness, Key Type, Signature Algorithm, Validity Duration, and Renewal Settings

Enhanced Batch Reporting capabilities

  • New feature allows downloading detailed reports for all jobs, including completed and failed, from the Batch Details page.

  • Reports now provide insights into job outcomes, aiding in troubleshooting and decision-making.

Improved guidance for Enrollment Profile IP restrictions

  • Added informative helper text in the 'Limit by IP Address' section on the Create/Edit Enrollment Profile pages.

  • Text guides users on using IP ranges and wildcard entries, enhancing understanding of new capabilities.

November 8, 2023

DigiCert® ONE version: 1.6392.3 | IoT Trust Manager: 1.553.0

New

Simplified DigiCert Gateway Access Control for Solution Operators

A new feature has been released that enhances the administration of DigiCert Gateway access. Solution Operators can now extend DigiCert Gateway installation privileges to Server Administrators without requiring the latter to log into the DigiCert ONE portal or the Solution Operator to know the installation location in advance.

Feature highlights:

  • Invitation-based installation: Solution Operators can generate an invitation for Server Admins directly from the DigiCert ONE portal. This process involves providing a friendly name for the DigiCert Gateway and the Server Admin’s email address. An optional passcode can be added for added security.

  • Secure tokenized link: An email with a secure, tokenized link is sent to the Server Admin, allowing them to download the necessary encrypted invite file without direct portal access.

  • Complete oversight: Solution Operators are the boss. They can track whether the tokenized link has been used, view the history of invite emails, and resend invitations if necessary. Each new invitation revokes and invalidates the previous token and encrypted file for security purposes.

  • Flexible administration: Change the Server Admin email address at any time, which then triggers a new invitation. You can also delete a DigiCert Gateway record, which invalidates any outstanding invitations, and marks the Gateway as deleted.

  • Recovery options: In the event of a deletion, Solution Operators have the ability to undelete and resend invitations to Server Admins.

Cloning of enrollment profiles

In our latest product update, we have introduced new functionality that significantly streamlines the management of enrollment profiles. You can now effortlessly clone an existing enrollment profile directly from the enrollment list page.

What's new?

With a simple click, you can duplicate any enrollment profile. This feature is particularly useful for creating profiles with similar settings or for testing purposes. This enhancement not only saves time but also reduces the potential for errors that can occur when manually creating multiple profiles with similar configurations. We continue to refine our platform to ensure it meets the evolving needs of our users, making certificate management more efficient than ever.

Enhanced certificate renewal endpoints

In our latest enhancement to the IoT API, we've made the certificate renewal process even more accommodating by allowing the certificate ID to be optional during renewal requests.

Renewal using the certificate’s body:
  • Endpoint for IoT Trust Manager REST API: https://one.digicert.com/iot/api-docs/index.html#/Certificates/renewBySerial

  • Feature: You can now renew a certificate by submitting the certificate_to_renew parameter in the request body. This parameter is mandatory and should contain the full certificate body of the certificate you want to renew.

Renewal using the certificate’s serial number:

  • Endpoint for IoT Trust Manager REST API: https://one.digicert.com/iot/api-docs/index.html#/Certificates/renewBySerial

  • Feature: This method allows for renewal of a certificate by its unique serial number. The process is streamlined as all parameters in the request body are optional, making it a quick and straightforward option for certificate renewal.

These updates are part of our commitment to provide a more versatile and user-friendly API experience. We understand the importance of flexibility in managing IoT certificates and strive to accommodate your varying preferences.

Certificate revocation using device ID

In our latest enhancement to the IoT API, we've made the certificate revocation process even more accommodating by allowing the certificate ID to be optional during revocation requests.

  • Endpoint for IoT Trust Manager REST API: https://one.digicert.com/iot/api-docs/index.html#/Devices%20(v2)/revokeDeviceCertificate_v2

  • Feature: This new endpoint empowers users to securely revoke the certificate associated with a specific device using its unique device ID.

Enhancements

Support for SMPB format for batch certificate generation

The batch certificate generation now includes support for the SMPB certificate format. This enhancement is part of our ongoing effort to expand the capabilities of our certificate management offerings to accommodate a wider range of industry standards.

APIs affected:
What's new?
  • SMPB format option: Users can now specify smpb as an option for the certificate_format parameter when requesting certificates. This addition caters to systems requiring this specific format.

  • Output format adaptation: In alignment with the new format support, our output has been adapted to produce a zip archive with an .smpb extension when the SMPB format is requested.

Output archive contents:
  1. {job-id}.p7m—An encrypted zip containing certificates, private keys, and a summary file.

  2. {job-id}.pem—The certificate utilized for the encryption process.

  3. {job-id}.txt—A version file for reference.

Benefits
  • Extended compatibility: With the inclusion of SMPB format, you benefit from a broader range of certificate output options, ensuring compatibility with multi-platform environments and MPKI8 format requirements.

  • Secure packaging: The .smpb zip archive offers a secure method for the delivery of sensitive key material and associated files, ensuring integrity and confidentiality.

  • Streamlined process: This update provides a seamless and integrated experience for users who require the SMPB format, reducing the need for additional conversion tools or manual processes.

Fixes

Scrolling Issue on enrollment profile details page in Safari

We have addressed and resolved a scrolling issue on the Enrollment Profile Details Page when accessed via the Safari browser.

Issue details:
  • Problem: Users experienced an unintended return to a previously opened section after attempting to scroll up or down on the Enrollment Profile Details page.

  • Browser: This issue was specific to the Safari browser.

Resolution:
  • Update: With the latest fix, you can now smoothly scroll to the bottom of the Enrollment Profile Details page or navigate through different sections without the page snapping back to a previously viewed section.

November 1, 2023

New

Two-factor authentication (2FA) requirement

Starting November 1, 2023, at 18:00 MDT (November 2, 2023, at 00:00 UTC), we will require all DigiCert ONE accounts to use two-factor authentication (2FA).

You will use both your credentials and a one-time password to access your account. When you log in to your DigiCert ONE account on November 1, you will be prompted to set up two-factor authentication. If you have already enabled two-factor authentication in Account Manager before this date, no further action is necessary.

How to enable two-factor authentication in Account Manager.

Note

If you use single sign-on (SSO) to access your DigiCert ONE account, the new two-factor authentication requirement does not affect you. However, the requirement will activate if you modify your SSO settings.

October 12, 2023

DigiCert® ONE version: 1.6201.2 | IoT Manager: 1.531.0

Fixes

Handling of batch files for duplicate name

In prior versions, a bug was identified that impeded the retry mechanism when storing a portion of a batch file. This bug resulted in an exception being triggered, leading to the incomplete saving of certificates. This exception went unnoticed by users, who would only become aware of the issue when attempting to download the batch results. This issue has been successfully resolved in this release.

Handling of batch files for duplicate name

In the previous version, a bug was identified in which an additional carriage return was automatically inserted at the end of the string representing the PEM certificate. This anomaly occurred infrequently and was specific to certain scenarios, primarily contingent on the size of the PEM file. To be precise, it occurred only when the number of characters was exactly divisible by 64.

This issue has been rectified in the latest release, ensuring the accurate representation of PEM certificates without the extraneous carriage return.
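An added example (not DigiCert code) of how a hand-rolled 64-column wrapper produces this boundary case, with a check for the stray line break and a comparison that ignores it. The defective wrapper is a reconstruction of the general bug class, the input bytes are a constructed stand-in for a DER certificate, and "\n" is used as the line break.

```python
import base64
import hashlib
from typing import List

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"
WIDTH = 64  # PEM body line width


def pem_with_boundary_defect(der: bytes) -> str:
    """Break after every 64th character, then add another break before the footer.

    When the base64 length is an exact multiple of 64 the two breaks meet and
    an empty line appears before the footer.
    """
    b64 = base64.b64encode(der).decode("ascii")
    body = ""
    for count, char in enumerate(b64, start=1):
        body += char
        if count % WIDTH == 0:
            body += "\n"
    return f"{HEADER}\n{body}\n{FOOTER}\n"


def pem_wrapped(der: bytes) -> str:
    """Slice into lines first and join them, so no boundary case exists."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + WIDTH] for i in range(0, len(b64), WIDTH)]
    return "\n".join([HEADER, *lines, FOOTER]) + "\n"


def has_stray_line_break(pem: str) -> bool:
    """True if the PEM text contains an empty line or more than one trailing break."""
    text = pem.replace("\r\n", "\n").replace("\r", "\n")
    if text.endswith("\n"):
        text = text[:-1]  # one terminating line break is expected
    return "" in text.split("\n")


def der_sha256(pem: str) -> str:
    """Fingerprint of the decoded certificate bytes, independent of line breaks."""
    lines = [line.strip() for line in pem.splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()


def affected_der_sizes(limit: int) -> List[int]:
    """DER sizes (in bytes) up to limit whose base64 length is a multiple of 64."""
    return [n for n in range(1, limit + 1) if (4 * -(-n // 3)) % WIDTH == 0]


if __name__ == "__main__":
    for size in (48, 49):
        der = bytes(range(size))  # constructed stand-in, not a real certificate
        bad, good = pem_with_boundary_defect(der), pem_wrapped(der)
        print(size, "stray break:", has_stray_line_break(bad),
              "| text equal:", bad == good,
              "| DER equal:", der_sha256(bad) == der_sha256(good))
    print("affected sizes up to 100 bytes:", affected_der_sizes(100))
```

Comparing or de-duplicating stored certificates by `der_sha256` rather than by the PEM string keeps records written before and after such a fix from looking like different certificates.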

October 4, 2023

DigiCert® ONE version: 1.6201.1 | IoT Trust Manager: 1.528.0

New

Improved batch flow

A new and improved batch workflow has been introduced, offering enhanced flexibility and efficiency for you. Here's what's new:

Opt-in banner

You now have the option to opt in to the new and improved batch workflow. This option will be presented to you in two sections:

  1. Editing an existing enrollment profile

    When editing an existing enrollment profile, you will encounter a banner inviting you to opt into the new batch workflow. By choosing to opt in, you can take advantage of the improved features.

  2. Requesting a new batch certificate via the portal

    When you request a new batch certificate through the portal, a similar banner appears, allowing you to opt into the new workflow.

New API endpoint

A new API endpoint has been exposed to enable users to switch this opt-in flag on programmatically.

Opt-out option

Users who prefer not to opt in to the new workflow continue to use the existing workflow. However, please note that all new enrollment profiles created will automatically be opted in for the new batch workflow.

New features

The new and improved workflow offers several benefits:

  • Batch approvals: Users can opt in for batch approvals by using the certificate approvals feature in the enrollment profile section. Conversely, clients may opt out by unselecting the certificate approval checkbox.

  • Approver email: Clients can now enter the email addresses of approvers for batch certificates within the certificate approvals section. Approvers will receive email notifications when a batch certificate request requires their approval.

  • No approval mechanism: For situations where no approval mechanism is needed for batch certificates, users have the option of not selecting the certificate approval checkbox.

These enhancements streamline your workflow and improve your experience with the platform.

In the previous workflow, users were able to preview batch workflow results before obtaining approval. However, with this update, batch results will now be accessible exclusively after the batch has been generated and approved. This adjustment means that you no longer have the option to view batch results before the final approval process. Instead, batch results become available once the batch has been successfully generated and has received the necessary approval.

Note

We strongly recommend that all users migrate to the new workflow, as the existing workflow will be deprecated in the December release.

API Request builder—Divisions

With this update, we have added a dedicated section that helps you effortlessly replicate API calls related to device management. Click an existing division entry to navigate to the section to view the details and edit the page.

  1. Create division

  2. Update division

  3. Enable division

  4. Disable division

  5. Delete division

  6. Undelete division

In this integrated section, you will find all the information you need to perform these API functions. This includes clear documentation on the required payloads and endpoints, ensuring that you can quickly and confidently execute these actions via our APIs.

We believe that this enhancement will greatly expedite your workflow, providing a convenient reference point for managing devices programmatically.

API Request builder—Certificate profile

With this update, we have added a dedicated section that empowers you to effortlessly replicate API calls related to certificate profile creation and updates. Click existing certificate profile entries to navigate to this section to view the details or edit the page. You can then navigate to it using the jump bar on the right.

  1. Create certificate profile

  2. Update certificate profile

  3. Disable certificate profile

  4. Enable certificate profile

  5. Delete certificate profile

  6. Undelete certificate profile

  7. Assign divisions to certificate profile

  8. Remove divisions from certificate profile

In this integrated section, you will find all the information you need to perform these API functions. This includes clear documentation on the required payloads and endpoints, to make sure that you can quickly and confidently execute these actions via our APIs.

We believe that this enhancement will greatly expedite your workflow, providing a convenient reference point for managing devices programmatically.

Batch results log file now available in JSON format

In previous versions, the batch results could only be downloaded in a CSV format. The result log file provides information about success and failure of the issuance of certificates requested in the batch. To increase interoperability we now allow for the batch response to be returned in a JSON format. This assists users who invoke the batch results programmatically.

Enhancements

Ability to filter ACME credentials by enrollment profile

In prior versions of the IoT Trust Portal, users did not have the capability to filter credentials by enrollment profile. With this update, this functionality has been integrated into the system.

Now, within the ACME credentials section, you can easily filter credentials based on specific enrollment profiles. This improvement simplifies the management and retrieval of credentials associated with particular enrollment profiles, enhancing your overall experience and efficiency within the portal.

Digital signing now available for EJBCA and CertCentral Connectors

Previously, the digital signing of batch certificates was limited to enrollment profiles using the DigiCert CA Connector exclusively. This has been expanded to include both the EJBCA and CertCentral connectors.

With this update, users leveraging the EJBCA and CertCentral connectors now have the capability to digitally sign their batch certificates. This added flexibility allows you to align your digital signing preferences with your choice of CA Connector, providing greater versatility and control over your certificate management processes.

Enrollment Profile validation now allows for IP Address ranges

Previously, IoT allowed users to add individual IP addresses for validation in enrollment profiles. To provide more robust functionality, we have optimized this feature to now support the addition of IP address ranges. Importantly, individual IP address validation is still fully supported.

With this update, you now have the flexibility to specify IP address ranges, offering greater convenience and efficiency in IP address management within your enrollment profiles. This enhancement not only streamlines the process but also accommodates a wider range of network configurations.

To illustrate, here are examples of supported IP address ranges:

  • 190-200.160-170.50-100.100-200

  • 192...

  • 192.168.2*., 192.168.40-60.10-100, 192.1.55.100-200

Endpoints affected:

  • https://one.digicert.com/iot/api-docs/index.html#/Enrollment%20profiles/createEnrollmentProfile

  • https://one.digicert.com/iot/api-docs/index.html#/Enrollment%20profiles/updateEnrollmentProfile
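Because a range entry is an allowlist, it is worth checking how many addresses each entry admits before saving it to an enrollment profile. The following is an added example, not DigiCert code: it reads each octet as a single value or an inclusive `low-high` range (an assumption drawn from the numeric examples above), does not cover the wildcard entries, and the function names and the 65,536-address threshold are hypothetical.

```python
"""Added example: evaluate per-octet IPv4 range patterns such as 192.168.40-60.10-100."""
import ipaddress


def parse_pattern(pattern):
    """Return four (low, high) octet bounds; raise ValueError if malformed."""
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets, got {len(parts)}: {pattern!r}")
    bounds = []
    for part in parts:
        low_text, dash, high_text = part.partition("-")
        if not dash:                       # single value, e.g. "192"
            high_text = low_text
        for text in (low_text, high_text):
            if not (text.isascii() and text.isdigit()):
                raise ValueError(f"bad octet {part!r} in {pattern!r}")
        low, high = int(low_text), int(high_text)
        if low > high or high > 255:
            raise ValueError(f"octet range {part!r} out of order or above 255")
        bounds.append((low, high))
    return bounds


def matches(ip, pattern):
    """True if the dotted-quad address falls inside every octet range."""
    octets = ipaddress.IPv4Address(ip).packed   # strict parse, raises on bad input
    bounds = parse_pattern(pattern)
    return all(low <= octet <= high for octet, (low, high) in zip(octets, bounds))


def address_count(pattern):
    """Number of distinct addresses the pattern admits."""
    total = 1
    for low, high in parse_pattern(pattern):
        total *= high - low + 1
    return total


def audit(patterns, max_addresses):
    """Return {pattern: count} for entries admitting more than max_addresses."""
    return {p: address_count(p) for p in patterns if address_count(p) > max_addresses}


# Numeric range patterns quoted in the release note.
PAGE_PATTERNS = [
    "190-200.160-170.50-100.100-200",
    "192.168.40-60.10-100",
    "192.1.55.100-200",
]

if __name__ == "__main__":
    for pattern in PAGE_PATTERNS:
        print(f"{pattern:35} admits {address_count(pattern):>7} addresses")
    # Constructed review threshold: flag anything wider than a /16.
    print("too broad:", audit(PAGE_PATTERNS, 65536))
```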

Approve and Reject buttons on Request detail page updated

In the previous design, the "approve" and "reject" actions were represented by checkmark and cross symbols. While these icons are commonly used for approval and rejection, we recognized that they could be unclear to some users.

To address this, we have replaced the icons with explicit wording. Now, you will see "Approve" and "Reject" buttons instead of symbols, ensuring greater clarity and leaving no room for confusion during the approval process.

This change simplifies the user interface and aligns with best practices for usability and accessibility.

September 20, 2023

DigiCert® ONE version: 1.6074.7 | IoT Trust Manager: 1.515.0

Fixes

Server side key generation using MAC addresses

In a previous release, a bug was identified in the enrollment profile selection process when utilizing server-side key generation. Specifically, when users attempted to generate a batch using MAC address generation in conjunction with certain enrollment profiles, an error occurred, preventing the intended operation from being completed successfully.

This bug has been resolved in the current release. Users can now select enrollment profiles with server-side key generation and proceed with MAC address generation without encountering this error.

September 13, 2023

DigiCert® ONE version: 1.6074.4 | IoT Trust Manager: 1.514.0

Fixes

Subject directory extraction

Fixed an issue where the subject directory was not being correctly extracted from CSR submissions, potentially leading to an incomplete certificate generated. This now functions as expected.

September 6, 2023

DigiCert® ONE version: 1.6074.1 | IoT Trust Manager: 1.513.0

New

Improved batch workflow

A new batch workflow offers enhanced flexibility and efficiency for our users. Here's what's new:

Opt-In banner

Users now have the option to opt in to the new batch workflow. This option will be presented to users in two sections:

  1. When editing an existing enrollment profile, users will encounter a banner inviting them to opt into the new batch workflow.

  2. Users requesting a new batch certificate through the portal will see a similar banner, allowing them to opt into the new workflow.

New API endpoint

A new API endpoint has been exposed to enable users to switch this opt-in flag on programmatically.

Opt-out option

Users who prefer not to opt in to the new workflow will continue to use the existing workflow. However, all new enrollment profiles will automatically be opted in for the new batch workflow.

New features

The improved workflow offers several benefits:

  • Batch approvals: Users can opt in for batch approvals by selecting the 'certificate approvals' feature in the enrollment profile section. Clients may opt out by unselecting the 'certificate approval' checkbox.

  • Approver email: Clients can now enter the email addresses of approvers for batch certificates within the certificate approvals section. Approvers will receive email notifications when a batch certificate request requires their approval.

  • No approval mechanism: For situations where no approval mechanism is needed for batch certificates, users have the option of not selecting the certificate approval checkbox.

These enhancements will streamline workflows and improve user experience with the platform.

Note

DigiCert recommends that all users migrate to the new workflow, as the existing workflow will be deprecated in the December release.

API request builder - devices

A button at the top right corner of the Devices table will generate the API request to replicate the table's current view, including all applied filters, date settings, column headers, and data sorting.

This integration empowers users to seamlessly extract data from the table and integrate it into their workflows or applications using the provided API request.

API Request builder - divisions

A button at the top right corner of the Divisions table will generate the API request to replicate the table's current view, including all applied filters, date settings, column headers, and data sorting.

This integration empowers users to seamlessly extract data from the table and integrate it into their workflows or applications using the provided API request.

Enhancements

SEC1 Private key for batch requests

Support has now been added for the SEC1 private key format via the batch API. This includes updates to the following APIs (see links for details):

Added an additional parameter private_key_syntax with the following options:

  • SEC1_OR_PKCS1 - used when clients would like to return the private key with SEC1 encoding as in OpenSSL. PKCS1 is primarily applicable to RSA keys, while SEC1 could be used for both RSA and ECC keys.

  • PKCS8 - returns encoded private key wrapped with PKCS8.

Also added this option to the private_key_option parameter:

  • DER - the binary encoding methods for data (excludes the header and footers).

End entity certificates and Intermediate CA merged into a single page

We have integrated the End Entity Certificates and Intermediate CA pages into a single, unified view. Here's what's new:

  1. Streamlined navigation: Previously, you had to navigate between two separate pages to manage end entity certificates and intermediate CAs. With this update, all certificate management tasks can be performed from a single page.

  2. Enhanced usability: The unified page offers an improved user interface, making it easier to view and manage both end entity certificates and intermediate CAs. You'll find a more intuitive layout and streamlined controls for a smoother user experience.

  3. Single point of access: Users no longer need to switch between different sections to perform actions on end entity certificates or intermediate CAs. All functionalities are now available from one central location.

This consolidation simplifies certificate management, reduces the time spent navigating between pages, and provides a more cohesive user experience.

Batch requests now allow unzipped CSV uploads

Starting with this release, users can now upload both zipped and unzipped CSV files for batch requests.

ACME credentials page update

We have updated the user interface for the ACME credentials page. Here's what's new:

  1. Unified view: The page has undergone a complete makeover, offering a more intuitive and streamlined user experience.

  2. Details page enhancements: This page now has two sections:

    • Key details: This section provides a quick overview of essential ACME credential information.

    • Enrollment profiles: Manage enrollment profiles associated with the ACME credential.

  3. Copy ID functionality: On the Enrollment Profile Details page, we've added a 'Copy ID' feature, allowing you to copy the ID for your use.

  4. Action buttons and jump navigation: Action buttons have been strategically placed on the right side of the Details page, along with jump navigation for easy access to various actions.

  5. Enhanced management capabilities: With this update, you can now:

    • Allocate an ACME credential to one or more enrollment profiles.

    • Specify usage limitations to ensure your ACME credential is used as intended.

    • Add start and end dates to control the validity period of your credential.

    • Define registered values as needed.

Fixes

Aligned endpoints with Swagger documentation

This fix applies to endpoints for unassigning divisions and retrieving batch jobs.

Authentication certificates table

This page is now able to load more than 100 certificates.

August 16, 2023

DigiCert® ONE version: 1.5874.6 | IoT Trust Manager: 1.504.0

Enhancements

Support plans

On August 15, 2023, DigiCert upgraded our support plans to provide a better, more customizable experience. These improved plans are scalable and backed by our technical experts to ensure your success.

New plans:

  • Standard support (free)

  • Business support (mid-level)

  • Premium support (highest-level)

For more details about what these plans include, see the DigiCert Support Plans and DigiCert Support: Enabling Your Success.

How does this affect me?

To show our appreciation, DigiCert has upgraded all existing customers to either Business or Premium support plans for a limited time at no additional charge. See our August 15 change log entry.

How the limited-time upgrade works:

  • Platinum support plans are upgraded to Premium support for the duration of the contract.

  • Gold or Platinum-Lite support plans will be upgraded to Premium support for the duration of your contract.

  • Included (non-paid) DigiCert support will be upgraded to Business support for up to one year.

August 2, 2023

DigiCert® ONE version: 1.5874.1 | IoT Trust Manager: 1.503.0

New

Digital signing of batch certificate requests

Users now have the option to digitally sign both batch ZIP files (PEM and DER) as well as JSON files. Users may select/unselect this option upon enrollment profile creation or edit. If a user opts in to digital signing, a dropdown offers a list of DigiCert ONE CAs associated with the account from which the digital signing certificate would be issued. DigiCert creates and manages the digital signing certificate created; however, users are given the option to regenerate a digital signing certificate.

Enhancements

Batch Job ID column now added to end-entity certificates table

The certificate table now contains an additional column, Batch Job ID. Users may filter the certificates by the batch job ID. The value will not be populated unless the certificate was generated via batch. Reports pertaining to certificates will now also include the Batch Job ID, if selected.

End-entity and Intermediate certificates tabs combined

The End Entity Certificates tab and Intermediate CAs tab will be combined into a single tab labeled Certificates. A filter on the field certificate type may be used to distinguish between the Intermediate or end-entity certificates.

Enrollment profile tables updated to new design

The Authentication CA Templates, Authentication certificates, Source fields and Manage Passcodes sections displayed in the enrollment profile details page now reflect an updated table design. The file uploader of the Source fields section has also been updated to a new, friendlier option.

Certificate type added to batch job details

The API endpoint to get certificate import details (get_import_job_details) now includes the certificate type field. The value of certificate_type would contain either:

  • End entity

  • Intermediate

JSON support added to certificate profile and certificate request

Upon performing the following actions on the certificate profile:

  • Create

  • Edit

  • Clone

When a certificate profile field is of type JSON, a JSON editor will now be rendered, allowing users to easily edit values. Similarly, for JSON fields on the Request details page, a JSON editor will now be used to display the values.

July 24, 2023

DigiCert® ONE version: 1.5658.3 | IoT Trust Manager: 1.498.0

New

SEC1/SECG DER encoding of the private key

Customers are now able to encode their private key in SEC1 format, in alignment with encoding done by OpenSSL, which generates a shorter length key.

An update to the following APIs (see links for details):

Added an additional parameter private_key_syntax with the following options:

  • SEC1_OR_PKCS1 - used when clients would like to return the private key with SEC1 encoding as in OpenSSL. PKCS1 is primarily applicable to RSA keys, while SEC1 could be used for both RSA and ECC keys.

  • PKCS8 - returns encoded private key wrapped with PKCS8.

An additional option has been added to the private_key_option parameter:

  • DER - the binary encoding methods for data (excludes the header and footers)
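With the DER option there is no PEM header to show which `private_key_syntax` a returned key uses, so a consumer has to read it from the ASN.1 structure. The following added example (not DigiCert code) serves both this entry and the later "SEC1 Private key for batch requests" entry: it classifies a DER private key as SEC1 (RFC 5915), PKCS#1 (RFC 8017) or PKCS#8 (RFC 5208) from its first two fields. The function names are hypothetical and the sample keys are constructed placeholders.

```python
"""Added example: tell SEC1, PKCS#1 and PKCS#8 private keys apart from raw DER."""

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04


def read_tlv(data, offset=0):
    """Decode one DER element; return (tag, value, offset_after_element)."""
    if offset + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, first = data[offset], data[offset + 1]
    offset += 2
    if first < 0x80:                      # short form: length fits in one byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or offset + n > len(data):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    end = offset + length
    if end > len(data):
        raise ValueError("DER value runs past end of input")
    return tag, data[offset:end], end


def classify_private_key_der(der):
    """Return 'SEC1', 'PKCS1' or 'PKCS8' from the outer structure alone."""
    tag, body, end = read_tlv(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, version, pos = read_tlv(body)
    if tag != INTEGER:
        raise ValueError("first field is not an INTEGER version")
    second_tag, _, _ = read_tlv(body, pos)
    ver = int.from_bytes(version, "big")
    if second_tag == SEQUENCE and ver in (0, 1):
        return "PKCS8"    # PrivateKeyInfo: version, AlgorithmIdentifier, OCTET STRING
    if second_tag == OCTET_STRING and ver == 1:
        return "SEC1"     # ECPrivateKey: version 1, OCTET STRING privateKey
    if second_tag == INTEGER and ver in (0, 1):
        return "PKCS1"    # RSAPrivateKey: version, modulus, publicExponent, ...
    raise ValueError("unrecognised private key structure")


def unwrap_pkcs8(der):
    """Return the inner key bytes carried in a PKCS#8 PrivateKeyInfo."""
    if classify_private_key_der(der) != "PKCS8":
        raise ValueError("input is not PKCS#8")
    _, body, _ = read_tlv(der)
    _, _, pos = read_tlv(body)            # skip version
    _, _, pos = read_tlv(body, pos)       # skip AlgorithmIdentifier
    tag, inner, _ = read_tlv(body, pos)
    if tag != OCTET_STRING:
        raise ValueError("privateKey field is not an OCTET STRING")
    return inner


def tlv(tag, value):
    """Encode one DER element (used only to build the samples below)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value


# Constructed samples: correct structure, placeholder key bytes (not usable keys).
OID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")
OID_PRIME256V1 = bytes.fromhex("06082a8648ce3d030107")
SAMPLE_SEC1 = tlv(SEQUENCE, tlv(INTEGER, b"\x01") + tlv(OCTET_STRING, bytes(32))
                  + tlv(0xA0, OID_PRIME256V1))
SAMPLE_PKCS8 = tlv(SEQUENCE, tlv(INTEGER, b"\x00")
                   + tlv(SEQUENCE, OID_EC_PUBLIC_KEY + OID_PRIME256V1)
                   + tlv(OCTET_STRING, SAMPLE_SEC1))
SAMPLE_PKCS1 = tlv(SEQUENCE, tlv(INTEGER, b"\x00")
                   + tlv(INTEGER, b"\x00\xc3" + bytes(127))
                   + tlv(INTEGER, b"\x01\x00\x01"))

if __name__ == "__main__":
    for der in (SAMPLE_SEC1, SAMPLE_PKCS8, SAMPLE_PKCS1):
        print(len(der), "bytes ->", classify_private_key_der(der))
```

Running the check on every key in a batch output before import catches a mismatch between the `private_key_syntax` that was requested and what the consuming tool expects.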

July 12, 2023

DigiCert® ONE version: 1.5658.1 | IoT Trust Manager: 1.497.0

Enhancements

Ability to parse certificate policy data from a CSR

Customers can now read and extract the certificate policy from the CSR. When creating a certificate template, a user should include Request as a source in their certificate policy JSON configuration. When this is included, a new checkbox will appear under the Certificate template card, allowing users to obtain the certificate policy value from the CSR.

Fixes

Authentication certificate section within enrollment profile

Fixed an issue where sorting and filtering of authentication certificates (under the enrollment profile details page) were not working. Also, the new authentication certificates section now includes a link to a details page, allowing customers to manage their authentication certificates directly (not via enrollment profile details page).

July 5, 2023

DigiCert® ONE version: 1.5658.0 | IoT Trust Manager: 1.494.0

New

API request builder - Issuing CAs

A new button on the Issuing CA table lets customers execute an API call which leads to the same output as shown on the table. A new button is available in the top right corner of the table. Selecting this button allows users to apply filters, dates, and headers, as well as sort data.

API request builder - Audit logs

A new button on the audit log table lets customers execute an API call which leads to the same output as shown on the table. Selecting this button allows users to apply filters, dates, and headers as well as sort data.

API request builder - Enrollment passcodes

A new button on the enrollment passcode table lets customers execute an API call which leads to the same output as shown on the table. Selecting this button allows users to apply filters, dates, and headers, as well as sort data.

Enhancements

Batch performance improvements

Customers will see an improvement in batch performance. The improvements will be more evident in batch sizes of more than 20,000 records. These improvements lead to more linear growth in time as batch size increases.

JSON type support added to certificate profile

The certificate profile creator now includes a JSON editor for fields of type JSON. Customers are now able to edit their JSON data.

June 21, 2023

DigiCert® ONE version: 1.5428.7 | IoT Trust Manager: 1.485.0

Fixes

Download button greyed out after clicking

Previously, when downloading a batch file, the download button was not greyed out, causing users to click on this button multiple times. The button is now greyed out and the user sees a visual reminder that the download is in progress.

June 7, 2023

DigiCert® ONE version: 1.5428.1 | IoT Trust Manager: 1.477.0

New

EJBCA Connector

DigiCert® IoT Trust Manager has now integrated the EJBCA APIs. This allows users of IoT Trust Manager to enjoy the same ease when using the IoT Trust Manager APIs to manage other CAs. IoT Trust Manager offers both single certificate issuance as well as batch from both API and platform.

Enhancements

Batch JSON format

For batch certificate enrollment jobs using server-side key generation, you have an additional download format: JSON. When your job completes, you can download a JSON formatted file that contains a list of certificates and their encrypted private keys. This option is available from both API and platform.

Batch using cached, symmetric key

From enrollment profile configuration, you can use the same AES key for a period of time to encrypt PKCS7 certificates. This option currently only applies to the JSON format batch download. It is available from both API and platform.

Fixes

Renewed or revoked certificates removed from alerting reports

Certificates that have been renewed and revoked no longer show on alert reports for expiration.

May 3, 2023

DigiCert® ONE version: 1.5118.1 | IoT Trust Manager: 1.436.0

New

Support for any certificate extension

DigiCert® IoT Trust Manager now supports a new set of rules in a format that describes attributes of a certificate template. This defines the policies and rules that a CA uses when a request for a certificate is received. These may not necessarily be in the traditional X509 format, but do give you flexibility in the format of certificates that you receive from the DigiCert Certificate Authority.

Option to require both a valid passcode and a valid authentication certificate

You have access to an additional authentication mechanism, which allows the option of using both a passcode and an authentication certificate. This offers an additional layer of security for those who require it.

Enhancements

Batch CSV support for client-side key generation

When generating client-side key generation batch requests, you can submit a zipped CSV file with a specified template. The template will be available for download from both API and the platform.

Fixes

Remove possibility to create new or delete or disable existing divisions for users limited by division

For users limited by divisions, we now prohibit the following functionality:

  • the ability to create new divisions

  • the ability to change status of division

April 5, 2023

DigiCert® ONE version: 1.4957.1 | IoT Trust Manager: 1.426.0

New

Symmetrical AES encryption

You now have the option to use the same symmetric AES key when decrypting (PKCS7) certificate responses, which is available from both API and the platform. This feature enables clients to operate more efficiently by being less reliant on an HSM for decryption: you only have to decrypt one key on an HSM. Afterwards, you can work in a higher-performance and more cost-efficient manner, while maintaining strong end-to-end data encryption.

Support revocation for GlobalPlatform certificates

You can now revoke GlobalPlatform certificates via API or the platform. This allows customers to now follow a similar workflow as is currently available for X509 certificates.

Enhancements

Certificate approval workflow

You now have the option to create an enrollment profile with an additional option, which allows the issuance of a certificate only with approval from a specified user. The user or list of users who can approve the issuing of this certificate are defined in the enrollment profile. By default, the enrollment profile does not require approval, unless specified.

In the case where approval is not required, certificates will automatically move to an Auto approved state. If approval is required, the certificate request will be in Pending approval status, until approved by an entrusted approver. A user can go to the request tab to view a table of certificate requests. These will include those that have been auto-approved and those that are pending approval.

This option is available via both API and the platform.

API request builder for certificate requests

You may now easily view the correct way to structure and execute API calls. The portal offers a friendly user interface that maps out the blueprint for APIs. The structure is comprehensible for both developers and non-developers. The API request builder generates interactive and easily testable calls.

March 9, 2023

DigiCert® version: 1.4803.0 | IoT Trust Manager: 1.415.0

Enhancements

Batch requests using API now support .csv file containing CSRs

With this improvement an API user can start a batch certificate request using a comma-separated values file (.csv) containing Certificate Signing Requests (CSRs).

API endpoint to search for enrollment passwords and enrollment authentication certificates

Added external API endpoints to search for enrollment passwords and enrollment authentication certificates.

Added certificate policy filter to the end entity certificates table

Users can now apply a filter on the end entity certificates table for certificate policy.

External APIs to manage OCSP groups

Online Certificate Status Protocol (OCSP) groups can be added, edited, and deleted through API endpoints. There is also an API endpoint for searching through OCSP groups.

Fixes

Applied filters with long column names are truncated

Fixed an issue that truncated column names when a filter is applied. The full filter is now visible.

Report status not updated after a report is run

Fixed an issue where report status was not updating after a report was run. It now displays as expected.

Disabled/deleted authentication CA templates should not be allowed for authentication

Fixed an issue that allowed enrollment with an authentication certificate even after the corresponding authentication CA template was disabled or deleted in the enrollment profile. Now deleting or disabling the authentication CA template in an enrollment profile will also prevent the authentication certificates from being used for certificate enrollment.

Report creation for the certificates table fails when a filter on enrollment profile is applied to the table

Fixed an issue that blocked report generation when a user applied a filter to the enrollment profile table. Report generation now runs as expected.

March 8, 2023

DigiCert® ONE version: 1.4803.0 | IoT Trust Manager: 1.415.0

New

DigiCert Gateway

Enterprise customers who have devices (such as routers, switches, etc.) that require certificates to be issued from a DigiCert ONE platform account, but do not have internet connectivity, can now use the DigiCert Gateway to do so. These devices and clients use SCEP/EST/CMPv2 protocols for requesting certificates. The gateway is a standalone application deployed as a JAR.

Gateway offers:

  • Supported protocols

    • CMPv2 (first priority)

    • EST (first priority)

    • SCEP

    • ACME

  • Gateway to DC1 connection supported credentials

    • API token

    • Client authentication certificate

    • Enrollment profile credentials (passcode and client authentication certificate)

February 23, 2023

DigiCert® version: 1.4672.6 | IoT Trust Manager: 1.407.0

Fixes

Error uploading authentication CA

In Enrollment profiles under Authentication credentials, there was an issue that prevented CA certificates with the certificate policy extension from being uploaded to authentication CA templates.

Error Message: "Authentication CA(s) parsing was failed."

We now support CA certificates that contain the certificate policy extension.

February 8, 2023

New

DigiCert Gateway

The DigiCert Gateway helps in use cases where devices behind a firewall are not allowed direct outbound access to IoT Trust Manager in the cloud. Using the DigiCert Gateway, devices can make certificate requests using the protocols EST, SCEP, and CMPv2, and REST APIs. In this way, the device only needs to be granted access to make certificate requests to the DigiCert Gateway service running within the network; the DigiCert Gateway handles passing the certificate request outside the network.

This release includes a DigiCert Gateway on-prem standalone service which can be run in a Java runtime environment or a Docker container. A DigiCert Gateway configuration/registration step must take place within IoT Trust Manager before an instance of the DigiCert Gateway can be started and allowed to connect to IoT Trust Manager.

Two new user permissions have been added to IoT Trust Manager: Manager DigiCert Gateway and View DigiCert Gateway.

IoT Device Manager is changing its name to IoT Trust Manager

IoT Device Manager has been renamed to IoT Trust Manager. This name change did not create any changes to processes, workflows or features and none of the APIs or page URLs were changed due to this name change.

Enhancements

Create Device and Edit Device pages—Updated the design

Updated the create device page and the edit device page to a new look. There were not any functional changes to the pages.

End Entity Certificates Page—Added the Enrollment Profile column

Added Enrollment Profile to the list of additional columns to select from on the end entity certificates page.

Fixes

Enrollment Profiles table is empty on Authentication CA details page

Fixed an issue where enrollment profiles using an authentication CA were not showing in the enrollment profiles table on the authentication CA details page.