Trust Lifecycle Manager

Release notes

June 19, 2024

DigiCert® ONE version: 1.7645.2 | Trust Lifecycle Manager: 1.3030.0


Custom Enhanced Key Usage (EKU) extensions for private certificates

Private trust certificate profiles now allow for configuration of an Enhanced Key Usage (EKU) extension with custom OID values that will be added at the time of certificate signing by the DigiCert® CA Manager application.

This feature is only supported for private certificates. The custom EKU OID values cannot match any standard EKU OID value that is not allowed by the base certificate template.
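The rule above can be applied as a pre-flight check before custom OIDs are entered into a profile. The following is an added example, not DigiCert code: the function names, the sample OIDs under the constructed arc 1.3.6.1.4.1.99999, and the template allow-list are assumptions, and the product's own validation may differ.

```python
import re

# Well-known EKU OIDs (RFC 5280 section 4.2.1.12 and related), name -> OID.
STANDARD_EKUS = {
    "serverAuth": "1.3.6.1.5.5.7.3.1",
    "clientAuth": "1.3.6.1.5.5.7.3.2",
    "codeSigning": "1.3.6.1.5.5.7.3.3",
    "emailProtection": "1.3.6.1.5.5.7.3.4",
    "timeStamping": "1.3.6.1.5.5.7.3.8",
    "OCSPSigning": "1.3.6.1.5.5.7.3.9",
    "anyExtendedKeyUsage": "2.5.29.37.0",
}

# Dotted decimal, at least two arcs, no leading zeros in any arc.
_OID_RE = re.compile(r"^(0|[1-9]\d*)(\.(0|[1-9]\d*))+$")


def normalize_oid(text):
    """Return the trimmed OID or raise ValueError if it is not well formed."""
    oid = text.strip()
    if not _OID_RE.match(oid):
        raise ValueError("not a dotted-decimal OID")
    arcs = [int(a) for a in oid.split(".")]
    # X.660: first arc is 0, 1 or 2; under 0 and 1 the second arc is 0..39.
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid first or second arc")
    return oid


def check_custom_ekus(custom_oids, template_allowed):
    """Split requested custom EKU OIDs into (accepted, rejected).

    template_allowed: names of standard EKUs the base template permits
    (hypothetical input; the real list comes from the template in use).
    A custom OID is rejected when it equals a standard EKU OID that the
    template does not allow, when it is malformed, or when it repeats.
    """
    allowed = {STANDARD_EKUS[name] for name in template_allowed}
    names = {oid: name for name, oid in STANDARD_EKUS.items()}
    accepted, rejected = [], []
    for raw in custom_oids:
        try:
            oid = normalize_oid(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if oid in accepted:
            rejected.append((raw, "duplicate"))
        elif oid in names and oid not in allowed:
            rejected.append(
                (raw, "standard EKU %s not allowed by template" % names[oid])
            )
        else:
            accepted.append(oid)
    return accepted, rejected


# Constructed sample: a template that permits only clientAuth.
SAMPLE_TEMPLATE_ALLOWED = ["clientAuth"]
SAMPLE_REQUEST = [
    "1.3.6.1.4.1.99999.1.1",   # constructed private OID
    "1.3.6.1.5.5.7.3.1",       # serverAuth, not allowed by this template
    "1.3.6.1.5.5.7.3.2",       # clientAuth, allowed by this template
    "1.3.6.01.4",              # malformed: leading zero in an arc
    "2.5.29.37.0",             # anyExtendedKeyUsage, not allowed
    "1.3.6.1.4.1.99999.1.1",   # repeated entry
]

if __name__ == "__main__":
    ok, bad = check_custom_ekus(SAMPLE_REQUEST, SAMPLE_TEMPLATE_ALLOWED)
    print("accepted:", ok)
    for value, reason in bad:
        print("rejected:", value, "-", reason)
```

Rejecting `anyExtendedKeyUsage` unless the template allows it matters most here, because that single OID removes the usage restriction the other values are meant to impose.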

Chef integration

Chef is a configuration management and IT automation tool.

With this release, we are providing guidance and documentation for how to use certificates from Trust Lifecycle Manager as part of a Chef recipe. Sample scripts and procedures for ACME and API-based integration are available from the Integrations > Connectors > Add connector page under the Infrastructure automation category.

For more information, see the Chef connector guide.

Microsoft CA certificates via API

Added support for requesting Microsoft CA certificates via the Trust Lifecycle Manager REST API, using certificate profiles created from the Microsoft CA Private Server Certificate base template and configured with the REST API enrollment method.


Revocation data in certificate details

The certificate details page now shows revocation data (date/time and revocation reason) for certificates that have been revoked.

Agent release 3.0.11

New DigiCert agent release with the following updates:

  • Fixed issue with custom script paths. All custom scripts should now be placed in the user-scripts folder in the agent install directory.

  • Plugin manager ports are now configurable for the agent. Defaults: StompPort = 61613 and ControlPort = 58080.


    These ports are used for inter-process communication on the local system only. They do not need to be opened on the external firewall.
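    Since the ports are meant for local inter-process communication only, a host check can confirm that nothing is listening on them from a non-loopback address. The following is an added example, not part of the agent: it assumes a Linux host and input in the format of `ss -ltnH`, and the sample lines are constructed.

```python
import ipaddress

# Default plugin manager ports from the release note above.
AGENT_PORTS = {61613: "StompPort", 58080: "ControlPort"}

# Constructed sample in the format of `ss -ltnH` (not captured from a host).
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:61613 0.0.0.0:*
LISTEN 0 128 0.0.0.0:58080 0.0.0.0:*
LISTEN 0 128 [::1]:58080 [::]:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 [::ffff:127.0.0.1]:61613 *:*
"""


def _is_loopback(host):
    """True only when host is a literal loopback address."""
    host = host.strip("[]").split("%", 1)[0]  # drop brackets and %scope
    if host == "*":
        return False  # wildcard bind: reachable on every interface
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # unparseable address: treat as exposed
    # Treat IPv4-mapped IPv6 (::ffff:127.0.0.1) like its IPv4 form.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback


def exposed_agent_listeners(ss_output, ports=AGENT_PORTS):
    """Return (name, port, bind_address) for agent ports not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; the port follows the last colon.
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in ports:
            continue
        if not _is_loopback(host):
            findings.append((ports[int(port)], int(port), host))
    return findings


if __name__ == "__main__":
    for name, port, addr in exposed_agent_listeners(SAMPLE_SS):
        print("%s (%d) is listening on %s" % (name, port, addr))
```

    If the ports were changed from the defaults, pass the configured values in `ports` instead of `AGENT_PORTS`.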

June 12, 2024

DigiCert® ONE version: 1.7645.1 | Trust Lifecycle Manager: 1.2994.0


Profiles management

Profile rename options

From this release, profiles can be quickly renamed using the "pencil" icon inside the Profiles list and details pages without going through all the profile wizard steps.

LDAP toggle from list

New option to enable/disable the LDAP feature directly from the Profiles list page without going through all the profile wizard steps.

Self-service portal enhancements

Discovery/Imported certificates option

Added a new configuration option to the Settings page for the self-service portal to allow users to search and download Discovery/Imported certificates from both the open and authenticated portals. To enable this feature, select the Allow management of discovered or imported certificates checkbox under the portal settings.

Revocation operation for open portal

Added a new configuration option to the Settings page for the self-service portal to allow users to request revocation of their certificates from the open portal. If enabled, open portal users can submit a certificate revocation request and DigiCert will send an email challenge to the email address listed within the certificate being revoked. The end user (owning the email account for the email address) must click on the link in the email and then enter a revocation reason and confirm the revocation.


Enable this feature with caution: anyone who has access to the email account listed in a certificate can revoke that certificate, even if it belongs to someone else.

F5 BIG-IP LTM connector updates

When adding a new connector, the F5 BIG-IP LTM connector type now supports the ability to:

  • Change the private key storage location.

  • Use the existing client profiles in the Local Traffic Manager (LTM) appliance instead of creating new ones.

  • Create unique ICA files for each automation.

  • Modify the filename format used to create the LTM certificate profile and private key.

June 5, 2024

DigiCert® ONE version: 1.7645.0 | Trust Lifecycle Manager: 1.2971.0


Audit log manual integrity check

From this release, all audit log events inside the Audit logs page show a new Check data integrity action that will check the integrity of the log entry. Manually triggering the action will deliver three possible responses:

  • Success: The audit log passed the data integrity check.

  • Failure: The audit log failed to pass the data integrity check.

  • Not available: The audit log data integrity check is not available for this record. This will be delivered for log entries that were generated prior to this release.


Public TLS Server (from CC) support for CSR web-based flow

Updated the CertCentral Public Server Certificate template to support a web-based CSR enrollment method that can be authenticated using the below authentication methods:

  • Enrollment Code

  • Manual Approval

  • SAML IdP

Public S/MIME certificate delivery options

For certificate profiles created from the Public S/MIME Secure Email (via CertCentral) template and configured with the non-escrow option, you can now get the issued certificates in either X.509 or PKCS#7 format by selecting it in the Certificate delivery format section of the profile wizard.

Application version via API

New unauthenticated API endpoint (GET /mpki/api/v1/version) to retrieve the Trust Lifecycle Manager application version. The current application version is also displayed at the top of the API documentation.

Certificate import API enhancement to support multiple tags

Enhanced the certificate import API endpoint (POST /mpki/api/v1/certificate-import) to support multiple tags. The previous implementation only supported a single tag for each imported certificate. From this release, tags can be assigned as a single string value (for backward compatibility) or an array of string values.

Inline help for connector configuration

Added contextual help for add and edit connector flows to guide users about prerequisites, installation, and configuration steps.

Additional DNS integrations for Let's Encrypt CA connector

Extended the following DNS integrations to support automated domain control validation for Let's Encrypt CA connectors:

  • Digital Ocean

  • Google DNS

Sensor release 3.9.1

New DigiCert sensor release with enhancements and fixes to support new sensor-based integrations.

Agent release 3.0.10

New DigiCert agent release with fixes and SNI script support.


User seats with added timestamp for CMP flow

Resolved issue with User seats being created with an appended timestamp for public S/MIME certificates issued from profiles based on the Public S/MIME Secure Email using CMP (via CertCentral) certificate template.

Incorrect validity period when renewing certificate via API

Resolved issue with an incorrect validity period when renewing a certificate via REST API if the validity period in the profile was modified before submitting the renewal request.

Expiration graph issue

Resolved issue with the expiration graph in the Dashboard page not showing data for Discovery certificates not yet bound to a business unit.

Duplicate certificate issue via SCEP flow

Resolved issue with duplicate certificates not being issued via the SCEP enrollment flow.

PKI Platform 8 integration issues

Resolved public S/MIME synchronization issue with PKI Platform 8. Resolved issue with using Seat GUID instead of Seat ID.

Imported certificates suspension issue

Resolved issue with not being able to suspend certificates that were bound to an Imported seat type.

May 22, 2024

DigiCert® ONE version: 1.7460.3 | Trust Lifecycle Manager: 1.2904.0


Azure Key Vault versioning support

With this release, the Azure Key Vault connector type allows users to configure how certificates should be delivered to the vault using the following options:

  • Unique names: Use a unique identifier for each certificate delivered.

  • Common names: Use common names to group certificates issued over time.

iOS-iPadOS enrollment flow for Safari only

For users enrolling for certificates via the iOS-iPadOS enrollment method, an error message will now be displayed on the Apple device if using a non-Safari web browser.

Profile API endpoint documentation update

Updated the API documentation for the POST profile API endpoint to include the IDs for the three supported "Generic" certificate templates that can be used to create profiles with this API endpoint.


Public S/MIME revocation issue

Resolved issue with not being able to revoke a public S/MIME certificate issued from CertCentral.

Duplicate device certificates via SCEP

Resolved issue with not being able to issue duplicate device certificates via the SCEP protocol. A new certificate was being issued instead.

May 8, 2024

DigiCert® ONE version: 1.7460.1 | Trust Lifecycle Manager: 1.2855.0


Issuance of PQC Dilithium certificates

Support for issuance and lifecycle operations (revoke, suspend/resume, or recover) of post-quantum cryptography (PQC) Dilithium certificates with the below key sizes and signing algorithms, based on certificate profiles created from any of the three "Generic" templates or the Private S/MIME Secure Email template:

Key type

Key sizes:

  • MLDSA 10496

  • MLDSA 15616

  • MLDSA 20736

Signing algorithms:

  • MLDSA-44

  • MLDSA-65

  • MLDSA-87

Issuance supports the following enrollment methods (and associated authentication methods), depending on the base template used to create the certificate profile:


Enrollment methods by base template:

  • Generic Device Certificate, Generic Private Server Certificate, Generic User Certificate: CSR, EST

  • Private S/MIME Secure Email: CSR


For more information and CSRs/keys for testing, see Issue PQC Dilithium certificates.

iOS enrollment method for web authentication

New iOS enrollment method to support a web-based solution for direct provisioning of certificates to Apple iOS/iPadOS devices without the need to deploy a full-scale MDM/UEM solution.

For the initial release, administrators can specify the Web Authentication use case, which triggers the installation of a digitally signed .mobileConfig file on the target Apple device. Subsequent releases will support additional use cases including VPN, WiFi, and ActiveSync.

For more information, see Configure iOS/iPadOS enrollment via SCEP.

ServiceNow CMDB integration

New integration supports pushing and synchronizing certificates to the ServiceNow configuration management database (CMDB) via two different methods that can be enabled by account administrators:

  • Copy certificates to the CMDB table when requested and approved through the ServiceNow app.

  • Copy certificates from the Trust Lifecycle Manager inventory to the ServiceNow CMDB table.

The CMDB integration features require minimum version 1.3.0 of the ServiceNow app for Trust Lifecycle Manager.

For more information, see the ServiceNow integration guide.

Self-service portal (SAML-authenticated)

The self-service portal now allows users to perform lifecycle management actions on certificates they own after authenticating against their SAML identity provider (IdP). Authentication relies on a unique email address being sent by the SAML IdP to DigiCert’s SAML service provider and used to search for certificates that contain that email address in the SDN:email or SAN:rfc822Name fields.

Account administrators can configure the lifecycle actions that end users are allowed to perform on their certificates. Depending on the type of certificate, available actions may include:

  • Revoke

  • Suspend/Resume

  • Recover

To be visible, certificates must be issued from a profile with the self-service portal option enabled and one of the following enrollment methods:

  • Browser PKCS12

  • CMP

  • CSR

  • DigiCert Trust Assistant

  • EST

  • Microsoft Autoenrollment


  • SCEP

In addition, authenticated users can enroll their own certificates and pick up an approved certificate from the self-service portal for web-based profiles that have the self-service portal feature enabled and one of the following authentication methods:

  • Enrollment code

  • Manual approval

  • SAML IdP

Authorized administrators with the SSP manager role can configure the self-service portal from the Trust Lifecycle Manager Settings menu, where they can enable/disable either the open or authenticated self-service portal, manage the allowed actions for the authenticated portal, and get the portal URLs and QR codes to share with end users.


A future release will include a "Renewal" action and the ability to manage Discovery/Imported certificates from the self-service portal.

API endpoint for profile creation

New POST profile REST API endpoint allows for creation of certificate profiles from the "Generic" base templates and configured for the REST API enrollment method and 3rd Party app authentication method.

For details, see the API endpoint documentation.

DigiCert Trust Assistant qualification for macOS Ventura and Sonoma

DigiCert Trust Assistant v1.1.5 has been formally qualified with both macOS Ventura and Sonoma releases.

SaltStack support

SaltStack is a configuration management and orchestration tool. With this release, we are providing guidance and documentation for how to use certificates from Trust Lifecycle Manager as part of a Salt automation script. Sample scripts for ACME and API-based integration are available from the Integrations > Connectors > Add connector page under the Infrastructure automation category.

For more information, see the SaltStack connector guide.

Ansible integration

Ansible is a suite of software tools that enables infrastructure as code. It is open-source and includes software provisioning, configuration management, and application deployment functionalities.

With this release, we are providing guidance and documentation for how to use certificates from Trust Lifecycle Manager as part of an Ansible playbook. A sample playbook and instructions for including it in your Ansible projects are available from the Integrations > Connectors > Add connector page under the Infrastructure automation category.

For more information, see the Ansible connector guide.

mTLS integration with Istio using cert-manager

DevOps administrators can now configure their Kubernetes workloads with mTLS certificates for pod-to-pod communication using Istio and cert-manager. Trust Lifecycle Manager integrates with cert-manager over ACME to issue private certificates from DigiCert® CA Manager for automated service mesh configuration via Istio.

To support this integration, administrators can create a certificate profile from the new CA Manager Private mTLS Certificate base template. A sample configuration file and instructions for enabling the integration are available from the Integrations > Connectors > Add connector page under the Infrastructure automation category.

For more information, see the Istio connector guide.

Policy notifications for discovered certificates

As part of this release, we introduced the ability for administrators to define notification policies for discovered certificates. Any newly discovered certificates matching the user-defined criteria will trigger a notification. To select certificates to notify about, administrators can apply boolean operators against a list of options including the:

  • Subject DN

  • Common name/SAN

  • CA vendor

  • Security rating

  • Signature algorithm (e.g. SHA256WITHRSA)

  • Key size

  • Cipher

  • Tags

  • Issuing CA

Administrators can clone the default discovery notification template to define specific criteria, recipients, and email content. They also have an option to combine multiple events in one email. This allows users to configure multiple policies to identify exceptions. The above criteria are also extended to existing expiry notices for discovered certificates from the following notification templates:

  • Discovered certificate (New)

  • Discovered certificate expiring

  • Discovered certificate expired


Duplicate certificates option for Public S/MIME Secure Email (via CertCentral) template

Certificate profiles created from the Public S/MIME Secure Email (via CertCentral) base template now allow configuration of the “Allow duplicate certificates” option. Previously, the option was set to “Yes” and could not be disabled.

IAN extension for web-based enrollment flows

From this release, we extend support for the Issuer Alternative Name (IAN) extension to the following web-based enrollment flows:

  • Browser PKCS12

  • CSR

  • DigiCert Trust Assistant


The IAN extension is only supported by the Generic User Certificate base template. Previously, it was only enabled when using the REST API enrollment method with 3rd Party app authentication.

Self-service portal enhancements

  • Added the ability to enable or disable the self-service portal (SSP) option from the main Profiles table, instead of having to edit each profile individually.

  • Added the ability to view/copy the self-service portal URL from the profile details page (Advanced settings > Self-service portal section) when the feature is enabled.

  • Added more detailed instructions to the self-service portal page to help end users search for and download their certificates.

SAML service provider enhancements

From this release, we support the following SAML service provider (SP) enhancements for profiles configured with the SAML IdP authentication method and the new SAML-authenticated self-service portal.

Signing options

Two new SAML service provider signing options are displayed for profiles configured with the SAML IdP authentication method:

  • Sign SAML assertion

  • Sign SAML response

The default configuration has both options checked, but they can be unchecked. However, not every SAML IdP vendor supports receiving unsigned SAML assertions and responses from service providers. If in doubt, check with your SAML IdP vendor before configuring these options.

Generate new SAML Service Provider certificate

A new Generate new SAML SP certificate button is displayed on the profile details SAML configuration options section. This button can be used at any time to generate a new DigiCert SAML service provider (SP) certificate and view its expiration period. When selected, a warning message prompts the user for confirmation before revoking the current SP certificate and issuing a new one.

For profiles configured with the SAML IdP authentication methods, the profile will go into Action needed state when the SAML SP certificate expires. To restore the profile to active status, use the new Generate new SAML SP certificate function to get a new certificate.


After generating a new SAML SP certificate, the profile will stop authenticating requests against your SAML identity provider (IdP) until you reconfigure your IdP settings with the new SAML SP certificate. It will also stop working if the SAML SP certificate is allowed to expire.

Custom certificate report enhancements

Enhanced the custom certificate CSV reports with three new fields, under two of the sections:

Other extensions

  • Security Identifier

  • Issuer Alternative Name (containing a directory name value)

Subject Alternative Name (SAN) extension

  • Directory name

Profile wizard - custom extensions

Enhanced the Custom extensions section in the profile wizard (used by the "Generic" templates) to deliver a better user experience and only show the details of the custom extension section if a user selects the new Add custom extensions button.


DigiCert Trust Assistant - S/MIME decryption failures

Resolved an issue with encrypted emails not being able to be decrypted via the DigiCert Trust Assistant client, for which version 1.1.6 is required.

Incorrect authentication method for CMP template

Resolved regression bug with incorrectly showing an authentication method that is not supported by the Public S/MIME Secure Email using CMP (via CertCentral) limited template.

Profile creation issue with Public Client Authentication template

Resolved an issue with not being able to create new profiles based on the Public Client Authentication (via CertCentral) template.

Stale data in seat and certificate graphs

Resolved an issue with showing stale data in the seat and certificate usage graphs on the Dashboard page.

April 3, 2024

DigiCert® ONE version: 1.7277.0 | Trust Lifecycle Manager: 1.2722.0


"Uploaded certificates expiration" email notification

New Uploaded certificates expiration email notification template that can be used to send renewal email reminders for certificates uploaded into Trust Lifecycle Manager from an external system using the REST API or DigiCert Certificate Import Tool (available upon request). The renewal reminder gets triggered at configurable notice windows based on "tags" applied to the uploaded certificates.

This new notification replaces the functionality previously available from the Settings > Uploaded certificates expiration page for customers with Imported or Discovery seats.

For more information, see Configure custom email notifications for certificate expiration.

SHA3 signing algorithms

Added SHA3 support for the following certificate templates and enrollment methods:


Certificate templates:

  • Generic Device Certificate

  • Generic Private Server Certificate

  • Generic User Certificate

Enrollment methods:

  • CSR

  • EST

  • SCEP

SHA3 signing algorithms:

  • SHA3_256withRSA

  • SHA3_384withRSA

  • SHA3_512withRSA

Azure Key Vault - discovery

New options to enable key vault discovery when adding or editing an Azure Key Vault connector in Trust Lifecycle Manager. This feature allows users to discover certificates in one or more key vaults associated with the connector. When enabled, users can:

  • Discover all valid and expired certificates in key vaults.

  • Update status of deleted and recovered certificates.

Azure Key Vault - remove

New option in the Inventory view to remove certificate from a key vault. Administrators can access this option from the actions (three dots) menu for certificates present in a key vault.

Let's Encrypt - revoke certificate

Administrators can now revoke certificates issued via Let's Encrypt CA connectors. Certificates can be revoked via:

  • The Trust Lifecycle Manager Inventory view.

  • A third-party ACME client.


Profile wizard - certificate preview

Ability to preview the content of a certificate as you work through the profile wizard steps, including the entire CA hierarchy that will be used to sign the certificate, for certificate profiles that use issuing CAs hosted in the DigiCert® CA Manager application.

EST authentication

New EST authentication options available for all three "Generic" certificate templates (Generic Device, Generic Private Server, and Generic User):

Global enrollment code

Extended the enrollment code authentication method to optionally allow the configuration of a global enrollment code that can be used to authenticate all incoming EST client requests.

Certificate-based authentication

Added support for certificate-based client authentication via a new authentication method called TLS Certificate Auth. This option requires that you first upload the certificates of CAs trusted to issue client authentication certificates, via the Settings > My root certificates page. To authenticate, EST clients must present a certificate signed by one of these trusted CAs.

For more information, see Configure and test EST.

DigiCert Trust Assistant release v1.1.5

New DigiCert Trust Assistant release with the following updates.

Client enhancements:

  • Import/Export of PKCS#12 / PKCS#7 / GLCK certificate with CA(s) on Windows CAPI will import CA chain certificates to respective trusted root and intermediate CA stores in CAPI with various configurable options (Windows only).

  • Functionality to rerun the post-processing scripts associated with a certificate/profile in case the scripts fail to execute at the time of certificate enrollment/renewal.

  • Added new system-level notifications (via a notification message within the client) to inform users about failed post-processing scripts, with enhanced error messaging about the script failures in the DigiCert Trust Assistant user interface and logs.

  • Enhanced software auto update flow to reduce the number of alerts in case of network communication failures.

Outlook post-processing script — multiple accounts:

  • Enhanced the Outlook system post-processing script to support Outlook instances with more than one configured email account, based on email matching from the certificate SubjectDN:email and/or SAN rfc822Name fields.

Mixed key types for CA and end-entity certificates:

  • DigiCert Trust Assistant can now handle certificate issuance/renewal flows with the below CA/end-entity key type combinations, for DigiCert Trust Assistant profiles configured with an:

    • RSA CA and end-entity certificates with key types of RSA, RSAPSS or ECDSA.

    • ECDSA CA and end-entity certificates with key types of RSA or ECDSA.

Non-supported browsers:

  • If a DigiCert Trust Assistant-based enrollment or renewal is attempted on a browser that is not officially supported by DigiCert, a warning message will be shown on the enrollment/renewal page. The flow is not blocked; only the warning is shown.

Certificate delivery format:

  • When configuring a DigiCert Trust Assistant non-escrow profile from any of the Public S/MIME templates, the default certificate delivery format will now be PKCS#7.

  • For profiles configured with delivery of the certificate with the CA chain, DigiCert Trust Assistant will automatically install the root/intermediate CA certificates into the respective Windows stores in CAPI.


Public S/MIME profile creation

Resolved issue with not being able to create certificate profiles from the Public S/MIME templates.

CertCentral connector

Addressed a problem where users were unable to add a new CertCentral connector using username and password credentials. This update restores the functionality, allowing for seamless CertCentral connector configurations.

Tomcat automation failing

Resolved certificate lifecycle automation issue with Apache Tomcat on Windows.

March 20, 2024

DigiCert® ONE version: 1.7083.4 | Trust Lifecycle Manager: 1.2674.0


Sensor release v3.9.0

New DigiCert sensor release with the following updates:

  • Refactored sensor-to-Trust Lifecycle Manager communication from SOAP to REST.

  • Stability fixes.


Enhanced automation actions

Optimized certificate lifecycle workflow actions on the Inventory page:

  • Switch action allows switching a deployed certificate to any supported CA (previously "Switch to DigiCert").

  • Request a certificate action allows users to issue a new certificate from the same CA.

  • Renew/Reissue actions remain unchanged for CAs that support them.

Streamlined SAML web enrollment flow

Streamlined the SAML-based web enrollment flows to bypass the “Create enrollment” step if no user input is required and the “Cloud Key Escrow” option is disabled in the profile. This streamlined SAML enrollment flow only presents a single page ("Install certificate").

If the “Cloud Key Escrow” option is enabled in the profile (e.g. for S/MIME use cases), the intermediate page is not bypassed: it continues to be shown, with a warning alerting the user that the private key is escrowed in the cloud. We renamed this page from "Create enrollment" to "Enrollment request" and the button from "Create" to "Submit".

"Enrollment status change" email template for enrollment code flows

Profiles configured with the Enrollment code authentication method now have access to an additional email template that can be enabled in the Email configuration and notifications section of the profile to notify end users when their enrollment status changes from "created" to "rejected", "expired", or "redeemed". We renamed this notification type from "Enrollment status is either rejected or expired" to Enrollment status change (rejected, expired, redeemed).


Inventory page issue due to deleted profiles

Resolved issue with the Inventory page not loading properly when encountering certificate profiles that had been deleted.

Certificate delivery format for Public S/MIME (via CertCentral) API requests

Resolved issue with incorrect certificate delivery format for profiles configured from the Public S/MIME Secure Email (via CertCentral) template using the "REST API" enrollment method and with the “Cloud Key Escrow” option disabled (i.e. non-escrow).

SCEP URL with additional "/" character

Resolved issue with the SCEP service no longer accepting SCEP requests containing a “/” character at the end of the "pkiclient.exe" resource inside the URL (e.g. "<profile-guid>/cgi-bin/pkiclient.exe/?operation=GetCACert").

Sensor list not being sent to agent

Resolved issue with sensor list not getting updated to agents when a sensor is added or removed. This fix ensures that proxied agents have the latest sensor list available for failover scenarios.

Unable to change "start now" scan to scheduled

Resolved issue with being unable to edit a "start now" network scan to use the "schedule for later" option instead.

March 13, 2024

DigiCert® ONE version: 1.7083.2 | Trust Lifecycle Manager: 1.2639.0


Multiple CertCentral connectors

Added support for more than one CertCentral CA connector:

  • Connect to multiple CertCentral accounts across US and EU regions.

  • For each connector, map the CertCentral divisions for imported certificates to respective business units in Trust Lifecycle Manager.

  • When creating certificate profiles from a CertCentral CA connector, set the CertCentral division to use to issue new certificates from each profile.

For more information, see DigiCert CertCentral.


Duplicate certificate issue

Resolved issue with issuing duplicate certificates for public products when passing the orderid in the request URL.

March 7, 2024

DigiCert® ONE version: 1.7083.1 | Trust Lifecycle Manager: 1.2616.0


Disabled enrollment methods

Resolved issue with not being able to create profiles from the "Generic" and "Private S/MIME" certificate templates due to the enrollment method dropdown being disabled.

March 6, 2024

DigiCert® ONE version: 1.7083.0 | Trust Lifecycle Manager: 1.2609.0


Self-service portal

New public-facing web portal allows end users to search for and download certificates associated with profiles for which the Self-service portal option has been enabled by an authorized administrator.

Profiles configured with the following web-based enrollment methods support this new self-service option:

  • Browser PKCS12

  • CSR

  • DigiCert Trust Assistant

  • EST

  • Microsoft Autoenrollment


  • SCEP

Authorized administrators can use the Settings > Self-service portal menu function to enable or disable access to the self-service portal and get the portal URL or QR code to share with end users.

The self-service portal can also inherit custom branding configured via the Settings > Branding menu function.


The Self-service portal feature must be enabled on your account.

Currently, the self-service portal is only available in English. Support for additional languages will be added soon.

For more information, see Self-service portal.

Sensor release v3.8.66

New DigiCert sensor release with the following updates:

  • Bug and stability fixes for F5 BIG-IP network appliances.


DigiCert Autoenrollment Server enhancements

Updated the DigiCert Autoenrollment Server to version with the following enhancements:

  • Custom private extensions that can be used to dynamically retrieve values from Active Directory based on the profile configuration.

  • New Subject Distinguished Name (DN) fields:

    • Title

    • Given name

    • Surname

    • DN qualifier

For more information, see the DigiCert Autoenrollment Server guide.

Autoenrollment Server-5.1.24

Upload PKCS12 certificates

Enhanced the REST API certificate-import endpoint and the DigiCert Import Tool (available from your DigiCert representative upon request) to support uploading end-entity escrowed certificates (PKCS#12 files with their passwords) into a specified business unit, with or without their issuing CA being previously loaded and configured into your account.

Uploaded certificates get automatically bound to one of the below seat types based on whether the issuing CA is available in your account or not:

  • Imported seats: For certificates (whether escrowed or not) with their associated issuing CAs available in your account. Authorized administrators can manage lifecycle operations for these certificates in Trust Lifecycle Manager (for example, revoke, suspend/resume, or recover). Available management actions depend on the type of certificate uploaded.

  • Discovery seats: For certificates without their associated issuing CAs available in your account. Authorized administrators with the appropriate Key Recovery role can download and recover this type of certificate in Trust Lifecycle Manager.

For more information, see Import externally issued certificates using the API.

eIDAS Natural Person - additional Subject DN fields

Added support for the Organization Identifier and Organization Unit Subject Distinguished Name (DN) fields to the following two eIDAS Natural Person certificate templates:

  • eIDAS Electronic Signature Certificate (Natural Person with QSCD)

  • eIDAS Electronic Signature Certificate (Natural Person)


Contact your administrator if these certificate templates are not available in your account and you need access to them.

Certificate delivery format profile enhancement

For profiles configured to use a self-signed issuing CA, we enhanced the Additional options: Certificate delivery format step in the profile configuration wizard to dynamically hide the Include CA chain with Root CA and Include CA chain without Root CA PKCS#7 options.

Cause and solution for agent automation errors

Enhanced error messaging to show errors and recommended solutions to help users quickly remediate and retry issues with certificate lifecycle automations managed via DigiCert agents.

Support for CertCentral duplicate certificates

Added support for issuing duplicate certificates from CertCentral during automation events, by selecting the new "get duplicate certificate" option when scheduling the automation. If selected, the request is passed on to CertCentral and the CA there will issue a duplicate if a matching certificate is found. If no match is found, a new order gets created instead.

This feature must be enabled on a per-account basis and is available for certificate profiles configured with the following enrollment methods:

  • Admin web request

  • DigiCert agent

  • DigiCert sensor

  • 3rd-party ACME client


To issue a duplicate certificate from an existing CertCentral order, make sure all these conditions are met:

  • Order is active, already had a certificate issued, and has enough remaining validity to fulfill the request.

  • Selected certificate profile is for the same product and organization, and organization is currently validated.

  • Requested common name matches the order, and any requested SANs match or are a subset of the order.

  • None of the requested domains include wildcards.
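
The conditions above, written as a local pre-check that lists why a request would fall through to a new order instead of a duplicate. This is an added example, not DigiCert code: the `Order` and `Request` classes, their field names, and the reading of "enough remaining validity" are assumptions, and the sample orders are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Order:
    """Hypothetical local view of an existing CertCentral order."""
    product: str
    organization: str
    organization_validated: bool
    active: bool
    certificate_issued: bool
    valid_until: date
    common_name: str
    sans: tuple = ()


@dataclass(frozen=True)
class Request:
    """Hypothetical view of what the automation is about to request."""
    product: str
    organization: str
    common_name: str
    sans: tuple = ()
    validity_days: int = 90


def _norm(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.strip().rstrip(".").lower()


def duplicate_blockers(order, request, today):
    """Return the reasons a duplicate cannot be issued (empty list = eligible)."""
    blockers = []
    if not order.active:
        blockers.append("order is not active")
    if not order.certificate_issued:
        blockers.append("order has no issued certificate")
    # Assumption: "enough remaining validity" means the order outlives
    # the lifetime of the requested certificate.
    if order.valid_until < today + timedelta(days=request.validity_days):
        blockers.append("order has too little remaining validity")
    if request.product != order.product:
        blockers.append("profile is for a different product")
    if request.organization != order.organization:
        blockers.append("profile is for a different organization")
    if not order.organization_validated:
        blockers.append("organization is not currently validated")
    if _norm(request.common_name) != _norm(order.common_name):
        blockers.append("common name does not match the order")
    # Requested SANs must match the order's SANs or be a subset of them.
    extra = {_norm(s) for s in request.sans} - {_norm(s) for s in order.sans}
    if extra:
        blockers.append("SANs not on the order: " + ", ".join(sorted(extra)))
    # Wildcards block a duplicate even when the order itself carries them.
    if any("*" in name for name in (request.common_name, *request.sans)):
        blockers.append("request includes a wildcard domain")
    return blockers


def expected_outcome(order, request, today):
    """'duplicate' when every condition holds, otherwise 'new order'."""
    return "new order" if duplicate_blockers(order, request, today) else "duplicate"


# Constructed sample data (not real orders).
SAMPLE_TODAY = date(2024, 3, 6)
SAMPLE_ORDER = Order(
    product="example-tls-product", organization="Example Corp",
    organization_validated=True, active=True, certificate_issued=True,
    valid_until=date(2025, 6, 1), common_name="www.example.com",
    sans=("www.example.com", "api.example.com"),
)
WILDCARD_ORDER = Order(
    product="example-tls-product", organization="Example Corp",
    organization_validated=True, active=True, certificate_issued=True,
    valid_until=date(2025, 6, 1), common_name="www.example.com",
    sans=("www.example.com", "*.example.com"),
)

if __name__ == "__main__":
    req = Request("example-tls-product", "Example Corp", "www.example.com",
                  sans=("admin.example.com",))
    print(expected_outcome(SAMPLE_ORDER, req, SAMPLE_TODAY))
    print(duplicate_blockers(SAMPLE_ORDER, req, SAMPLE_TODAY))
```

Running the check before scheduling an automation shows up front whether the "get duplicate certificate" option is likely to consume a new order.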


Profile cloning issue with SCEP

Resolved issue with SCEP-based cloned profiles not retaining all the SCEP configuration.

February 21, 2024

DigiCert® ONE version: 1.6887.3 | Trust Lifecycle Manager: 1.2554.0


Scheduled report issue

Resolved the issue with not being able to generate scheduled certificate reports.

Issuer Alternative Name (IAN) issue

Resolved an issue with signing certificates with an empty value inside the Issuer Alternative Name (IAN) extension, for certificate profiles configured from templates that support this extension.

ServiceNow app

Version 1.2.1

Released ServiceNow Trust Lifecycle Manager app version 1.2.1 to support the Washington version.

This release also resolves the issue with DigiCert email notifications getting sent out when creating approvals for any source table.

For more details, check the app listing in the ServiceNow Store.

February 14, 2024

DigiCert® ONE version: 1.6887.2 | Trust Lifecycle Manager: 1.2527.0


Public Client Authentication (via CertCentral) template

Enhanced the Public Client Authentication (via CertCentral) template to support a new CertCentral product type called Client Authentication Email Subject:

  1. Added support for additional Subject Distinguished Name (DN) fields:

    • Email

    • Organization unit (multiple)

  2. Added support for the CSR enrollment method.

  3. Checked and disabled the Key usage and Extended key usage fields, since they will always be included by the new CertCentral product type.


Important Notes

  • In order to support these new fields, you must enable the new CertCentral Client Authentication Email Subject product type and have enough certificate units assigned to it, matching the required User seats in Trust Lifecycle Manager.

  • Existing certificate profiles in Trust Lifecycle Manager will continue to work, but we strongly recommend that you contact your DigiCert representative to reassign your CertCentral certificate units to the new product type and benefit from the new features.

This release also resolves the known issue raised in the previous release related to the SAN:rfc822Name value not being included within the signed certificate.

Audit logs for CMP protocol

Enhanced the Audit logs to support certificate lifecycle operations carried over from the CMP protocol using existing audit log resources and event types from the Public S/MIME Secure Email using CMP (via CertCentral) template ("Limited" scope).


Certificate renewal issue

Resolved regression issue that prevented the renewal of certificates that contained a State field within the Subject Distinguished Name (DN).

Issuer Alternative Name (IAN) issue

Resolved issue with not being able to include the Issuer Alternative Name (IAN) extension in signed certificates.

February 7, 2024

DigiCert® ONE version: 1.6887.0 | Trust Lifecycle Manager: 1.2499.0


New CA support - Let's Encrypt

Added support for issuance of public TLS certificates from the Let's Encrypt CA using the following enrollment methods:

  • DigiCert agent (all supported applications)

  • DigiCert sensor (support for F5 BigIP LTM, AWS ELB, and AWS Cloudfront)

  • 3rd-party ACME client

Added a new certificate template (Let's Encrypt Public Server Certificate), a new Let's Encrypt connector, and a new Sensor release (v3.8.65) to support automation flows for Let's Encrypt certificates.

To learn more, see Let's Encrypt.


Known limitation: Sensor-based automation using Let’s Encrypt is not supported for A10 or Citrix ADC network appliances.

Branding - themes

Extended our branding capabilities, allowing further customization of public-facing enrollment pages with different color themes based on the following configurable items:

  • Font family

  • Base font size

  • Info/helper text color

  • Link color

  • Footer text color

An enhanced preview functionality is also available to show the look and feel after applying the theme configuration.

Configure this new feature from the Settings > Branding > Theme selection page.


Public S/MIME using CMP issue

Resolved an issue with certificates not being issued when using the Public S/MIME Secure Email using CMP (via CertCentral) template.

REST API certificate issuance issue

Resolved an issue that prevented certificate issuance when the REST API-based certificate profiles were set with a mix of fixed and dynamic Subject DN fields.

February 2, 2024

DigiCert® ONE version: 1.6665.8 | Trust Lifecycle Manager: 1.2472.0


Sensor-based automation of CertCentral certificates

Resolved an issue with CertCentral CA connectors impacting sensor-based automation flows.

February 1, 2024

DigiCert® ONE version: 1.6665.7 | Trust Lifecycle Manager: 1.2469.0


Citrix Federated Authentication Service (FAS) integration

New set of certificate templates available to support integration with Citrix Federated Authentication Service (FAS) for issuance of private authentication certificates onto virtual machines via the DigiCert Autoenrollment Server (version required).

The integration requires three certificate profiles in Trust Lifecycle Manager, one each created from the three new templates:

  • Citrix FAS Registration Authority Manual Authorization (Server seat type): Enables Citrix Federated Authentication Service to issue “Citrix FAS Registration Authority” certificates. This template is not used during the integration but is required to proceed.

  • Citrix FAS Registration Authority (Server seat type): Enables Citrix Federated Authentication Service to issue certificates on behalf of Citrix users in your Active Directory domain.

  • Citrix FAS Smartcard Logon (User seat type): Enables Citrix Federated Authentication Service to issue certificates to Citrix users in your Active Directory domain.

For details about how to set up the integration, see Citrix FAS.

Cloud key escrow and recovery for “Public S/MIME Secure Email (via CertCentral)” template

Support for cloud key escrow and recovery of end-user public S/MIME sponsor-validated certificates issued from CertCentral using the existing Public S/MIME Secure Email (via CertCentral) template, for these enrollment methods:

  • Browser PKCS12

  • DigiCert Trust Assistant


Key recovery can be initiated by authorized administrators or API users with the Trust Lifecycle Manager "Recovery manager" role enabled. Certificate profiles can be configured to force a dual-admin recovery flow, where two account administrators (or API users) are required to complete the recovery of an end-user escrowed certificate.

Public client authentication

Support for issuance of public client authentication certificates issued from a CertCentral-shared issuing CA that chains up to a trusted root CA, using the new Public Client Authentication (via CertCentral) template in Trust Lifecycle Manager. This template consumes CertCentral certificate units from the "Authentication Plus" product type and supports the following enrollment methods and their associated authentication methods:

  • Browser PKCS12

  • DigiCert Trust Assistant

  • Microsoft Autoenrollment



When using the Public Client Authentication (via CertCentral) template, the location-based Subject DN fields get automatically retrieved from your CertCentral account's validated organization details and added to the issued certificates.


Known limitation: This template only supports one Subject Distinguished Name field: the Common Name. Support for multiple OU fields will be included in a subsequent release.

Known issue: The SAN:rfc822name field is mandatory and an email value must be provided by end users or the API; however, it is not currently being included within the signed certificate.


Seat ID mappings

Enhanced the list of unique fields supported by the Seat ID Mapping dropdown in the profile creation wizard. The two new fields are:

  • User identifier

  • Pseudonym


Duplicate certificate issue

Resolved issue that prevented the successful signing of duplicate certificates with profiles configured with Subject Distinguished Name (SDN) optional fields set as 'multi-value' when the certificate request did not contain the matching 'multi-value' fields in the SDN.

Renewal issue

Resolved issue that prevented the renewal of certificates that contained a State (ST) field within the Subject Distinguished Name (SDN).

January 24, 2024

DigiCert® ONE version: 1.6665.5 | Trust Lifecycle Manager: 1.2446.0


CertCentral connectors: default import frequency updated to 24 hours

Updated the default certificate import frequency for CertCentral connectors to 24 hours (from 15 minutes previously). You can still change it to any desired value, as before.

Managed automation for Microsoft CA can now add first SAN as the CN in certificates

DigiCert agent-based automation flows now support adding the first SAN as the CN in certificates issued via Microsoft CA.

To enable this, use the Windows Server certutil command to update the Microsoft CA configuration to allow override of the CN in certificates, as follows:


Restart the Microsoft CA service after running this command for the changes to take effect.

January 18, 2024

DigiCert® ONE version: 1.6665.4 | Trust Lifecycle Manager: 1.2428.0


Issue with "Next" button when configuring custom extensions

Resolved issue where the Next button was disabled when configuring custom extensions in a certificate profile.

Renewal issues

Resolved some issues with not being able to renew certificates.

January 17, 2024

DigiCert® ONE version: 1.6665.3 | Trust Lifecycle Manager: 1.2424.0


Certificate import REST API

Updated the Inventory controller certificate-import REST API endpoint to support the equal (=) symbol as part of the Subject DN Common Name (CN) field.

January 10, 2024

DigiCert® ONE version: 1.6665.2 | Trust Lifecycle Manager: 1.2402.0


Optional overconsumption of seats/certificates

Added a new "overconsumption" feature that allows for the overconsumption of seats and certificate issuance from business units in Trust Lifecycle Manager. DigiCert ONE system administrators can enable this feature from the Account Manager application.

Sensor release v3.8.64

New DigiCert sensor release with the following updates:

  • Stability enhancements.

  • Bug fixes for A10 load balancer.


LDAP searches by email address

Enhanced the LDAP service to support searching certificates (via an LDAP client) using email addresses contained within the SAN:rfc822Name extension.

Custom labels for multiple fields

Added support for custom labels when configuring a certificate profile with a field (for example, OU) that has a multiple checkbox set. This allows each individual field to show a different custom label in public-facing pages, in multiple languages if required.

Updates to "Generic Device Certificate" template

Added support for the “Non repudiation” key usage and SAN:userPrincipalName (UPN) extensions to the Generic Device Certificate template.

eIDAS templates

Updated the eIDAS Natural and Legal Person templates to support a wider set of key usage combinations, following ETSI guidelines.

Honor CA Manager allowlist settings for 3rd-party ACME enrollment

Extended the ability to allowlist domains and IP addresses for the 3rd-party ACME client enrollment method from the CA Manager Private Server Certificate template.

Lifecycle actions for certificates enrolled via "Admin web request"

Added lifecycle actions for certificates originally enrolled through the admin web request workflow. This allows administrators to renew or reissue these certificates from their Inventory views.


Public S/MIME profile issue when using CertCentral in Europe

Resolved issue with not being able to create certificate profiles from the Public S/MIME Secure Email (via CertCentral) template, for DigiCert ONE in Netherlands and Switzerland using the European CertCentral platform.

December 13, 2023

DigiCert® ONE version: 1.6573.2 | Trust Lifecycle Manager: 1.2366.0


DigiCert Trust Assistant - post-processing scripts for Windows (AD Publish)

Added a new DigiCert Trust Assistant post-processing script enabling the automated publication of a user's X.509 certificate to the userCertificate attribute within the Active Directory.

You can enable the post-processing script for S/MIME certificate templates:

  • Public S/MIME Secure Email (via CertCentral)

  • Private S/MIME Secure Email


DigiCert Trust Assistant - post-processing script for Outlook

In this release, we expose the internal validation checks required for the Outlook post-processing script to successfully configure Outlook with the installed certificate.

Internal validation checks:

  • Access to CRL and OCSP services via the URLs inside the CRL Distribution Point (CDP) and Authority Information Access (AIA) extensions

  • CA chain validation (including the Root CA)


Certificate Policy validation for eIDAS templates

Resolved the Certificate Policy OID validation issue with the five eIDAS templates.


Customers using these templates must mark the CAs created or uploaded onto the DigiCert® CA Manager application as “Qualified.” Otherwise, the Issuing CAs will not be shown when creating a profile from the eIDAS templates.

To mark the CAs as "Qualified", in the Create ICA flow, use the “Get a CSR from DigiCert ONE and sign with your own CA” option, and then select the “Qualified” option.

Renewal options in the revocation email template

Removed the list of renewal checkboxes within the revocation email template configured within a profile.

Unwanted certificate fields in the public-facing pages

Removed the internal profile fields appearing on public-facing pages (for example, we removed the key usage field).

Latest sensor not working when set up as a proxy

In the latest sensor release, v3.8.63, we fixed the bug in sensor version v3.8.62 that prevented agents from using the sensor as a proxy.

Deleting the Azure Key vault connector marks the CC connector as "Action needed"

When deleting the Azure Key vault connector (and other connectors), the CC connector is no longer marked as Action needed.

Support TLM-ACME server with Ansible

Added support for the Ansible ACME Client in the TLM-ACME server.

December 7, 2023

DigiCert® ONE version: 1.6392.5 | Trust Lifecycle Manager: 1.2350.0



Removed the DigiCert Desktop Client enrollment method from the Generic User Certificate template, which is no longer supported. If you are making use of the DigiCert Desktop Client in a profile, use the DigiCert Trust Assistant client instead by cloning your profile and selecting it as the new enrollment method. For new profiles, simply select the DigiCert Trust Assistant enrollment method. See the online documentation for details of its functionality.

FQDN and IP addresses allowed list for server requests

New feature that allows authorized profile administrators to configure a list of FQDN and IP addresses that are allowed to be included within private server certificate requests and checked against a profile-based ‘allowed list’ before issuance. Certificate request fields that will be checked are:

  • SAN:dnsName

  • SAN:ipAddress

The list of FQDNs/IPs within the profile can be modified at any time.

Supported template for this feature: Generic Private Server Certificate.

Custom extensions

New powerful feature that allows authorized administrators to configure private certificates with custom extensions, defined as a JSON structure inside the Advanced profile wizard step for the three ‘generic’ certificate templates:

  • Generic Device Certificate

  • Generic Private Server Certificate

  • Generic User Certificate

Values for the private custom extension can be sourced from all the standard application sources based on the profile’s enrollment method, with the exception of “Microsoft Autoenrollment”, which will be supported in a future release.

For details see: Issue private certificates with custom extensions

Workflow customization for agent-based automation

Enhanced workflows that allow administrators to customize automation using hooks at various steps of the automation flow.

  • Pre-scripts before automation starts, and post-scripts after the certificate is installed:

    • Assign pre and post-scripts for the core automation workflow based on application type for one or more agents.

    • Configure script at application or request level.

For more details see: Agent scripts


Minimum agent version: 3.0.8.

Sensor Update v.3.8.62

New sensor release with the following updates:

  • JDK updated to v17

  • Updated open-source packages to the latest version to remove vulnerabilities.

Agent Update v.3.0.8

New agent release to support workflow extensibility.

New eIDAS Qualified Certificates templates

New set of eIDAS Qualified Certificate ‘limited’ templates that replace the 3 released earlier this year, which have been removed, and extend the use-cases to support issuance of qualified certificates that meet the requirements of the Payment Services Directive 2 (PSD2). The new templates (linked to User Seat type for Natural persons, and Organization Seat types for Legal Persons/eSeals) will also make use of an OCSP service that is ETSI compliant.

Natural person templates
  • eIDAS Electronic Signature Certificate (Natural Person): It allows Qualified Trust Service Providers, who are audited and compliant with eIDAS, to issue EU Qualified Certificates to natural persons (QCP-n). This certificate will result in an Advanced Electronic Signature under eIDAS (EU Regulation No 910/2014).

  • eIDAS Electronic Signature Certificate (Natural Person with QSCD): It allows Qualified Trust Service Providers, who are audited and compliant with eIDAS, to issue EU Qualified Certificates to natural persons where the private key and the related certificate reside on a QSCD (QCP-n-qscd). This certificate will result in a Qualified Electronic Signature under eIDAS (EU Regulation No 910/2014).


Multiple key sizes per profile

Profile enhancement that allows an authorized administrator to set multiple key sizes using checkboxes in a single profile, without the need to create separate profiles per key size. This feature is supported for profiles configured with any of the below enrollment methods for most templates, where a user (or a client) can now submit a CSR using any of the allowed key sizes set within the profile:

  • CSR

  • EST


  • SCEP


This enhancement is applied to all supported key types: RSA, ECDSA, EdDSA

This enhancement is not supported by the below templates:

  • Public S/MIME Secure Email (via PKI Platform 8)

  • Public S/MIME Secure Email (via CertCentral)

User experience enhancements

  • Warning message in Reports side-rail when a user exceeds the maximum amount of 10 custom reports.

  • Support for a confirmation pop-up and optional message to all users for bulk approval/rejection of enrollments.

  • Redesign of the Reports functionality for the Enrollments page, to be consistent with the reports icon within the Inventory page, which shows a side-rail with options to generate an instant or custom report.

Extended use of Action Needed

Extended the "Action needed" functionality to show a profile in this state when the enrollment method associated with the profile is no longer enabled on the account.

Resend renewal email action

Support for a new action for certificates inside a renewal window, allowing an authorized administrator to manually send the renewal email by clicking on the "Resend renewal email" action available from the Inventory page.

MS Autoenrollment support for “Public S/MIME Secure Email (via CertCentral)” template

Support for the Microsoft Autoenrollment enrollment method using the DigiCert AutoEnrollment Server to silently issue Public S/MIME sponsor-validated certificates using a profile created from the Public S/MIME Secure Email (via CertCentral) template.

November 15, 2023

DigiCert® ONE version: 1.6392.4 | Trust Lifecycle Manager: 1.2287.0


New Security Identifier (SID) extension

Support for the Security Identifier (SID) extension (OID -, which Windows uses for authentication (e.g. Windows Logon). Users can manually enter the SID in the user interface or have it read automatically from an Active Directory attribute using the new DigiCert Autoenrollment Server release (v2.23.2.0), available for download from Resources > Client tools.

The following templates support the SID extension for all enrollment methods:

  • Domain Controller

  • Generic User Certificate

  • Generic Device Certificate

  • Generic Server Certificate

  • Microsoft® Enrollment Agent

  • Windows Hello for Business Authentication


Note: When configuring a profile with the Microsoft Autoenrollment enrollment method, the DigiCert Autoenrollment Server v2.23.2.0 must be deployed to support the new SID extension, which has been qualified for the following templates with some restrictions based on whether the profile is configured to issue RSA or ECDSA certificates:

  • Domain Controller (for RSA and ECDSA key types)

  • Generic User Certificate (for RSA and ECDSA key types)

  • Generic Device Certificate (for RSA and ECDSA key types)

  • Generic Server Certificate (for RSA and ECDSA key types)

  • Microsoft® Enrollment Agent (for RSA key types only)

  • Windows Hello for Business Authentication (for RSA key types only)

Azure Key Vault connector and enrollment flow

Trust Lifecycle Manager now automates the certificate request workflow for administrators allowing them to request certificates to be delivered to one or more Azure Key Vaults from within their Trust Lifecycle Manager account.

  • Support for adding one or more Azure Key Vault connectors

  • New Admin web request enrollment method that the following templates support:

    • AWS CA Private Server Certificate

    • CA Manager Private Server Certificate

    • CertCentral Private Server Certificate

    • CertCentral Public Server Certificate

    • Microsoft CA Private Server Certificate

  • New Request certificate option on Enrollments page


Private S/MIME Secure Email template enhancements

Enhancements to the “Private S/MIME Secure Email” template to support:

  • The Non repudiation Key Usage for all key types: RSA, ECDSA, EdDSA

  • The Key agreement, Encipher only, and Decipher only Key Usages for ECDSA key types

Dual Admin Approvals and Dual Admin Key Recovery enhancement

Enhancement to only allow Dual Admin Approvals and Dual Admin Key Recovery options to be enabled in the profile wizard if at least 2 authorized administrators exist in the account.

DigiCert Trust Assistant - Outlook post-processing script support for SafeNet eTokens

Extending the support of the post-processing script for Outlook (Windows only) when using a SafeNet eToken (5100, 5110), in addition to previously supported key stores (OS keystore and the DigiCert Software Keystore). This feature continues to be available for the below templates:

  • Private S/MIME Secure Email

  • Public S/MIME Secure Email (via PKI Platform 8)


You require DigiCert Trust Assistant 1.1.4 to make use of the post-processing feature.

Customer fixes

Fixed a typo in the Country label for Kuwait, shown on web pages that require a Country field to be selected by an end-user.

November 8, 2023

DigiCert® ONE version: 1.6392.3 | Trust Lifecycle Manager: 1.2263.0


New Tenable connector

Support discovery of certificates from Tenable. We’ve introduced:

  • A new connector that allows you to connect to your account.

  • Support for importing certificate data to Trust Lifecycle Manager Inventory.

  • Support for adding tags and assigning business units as you import your data.

  • Support for setting schedules to pull new certificates and change information to keep inventory up to date.


Enhance connector tags to add auto suggest

  • Show suggestions when adding tags to choose from a list of existing tags.

  • Improves usability when adding a new tag.

Sensor update v3.8.61 available

TLM Plugin Manager framework

November 1, 2023

DigiCert® ONE version: 1.6392.1 | Trust Lifecycle Manager: 1.2172.0


Two-factor authentication (2FA) requirement

Starting November 1, 2023, at 18:00 MDT (November 2, 2023, at 00:00 UTC), we will require all DigiCert ONE accounts to use two-factor authentication (2FA).

You will use both your credentials and a one-time password to access your account. When you log in to your DigiCert ONE account on November 1, you will be prompted to set up two-factor authentication. If you have already enabled two-factor authentication in Account Manager before this date, no further action is necessary.

How to enable two-factor authentication in Account Manager.


If you use single sign-on (SSO) to access your DigiCert ONE account, the new two-factor authentication requirement does not affect you. However, the requirement will activate if you modify your SSO settings.


  • DigiCert Trust Assistant 1.1.4 introduces post-processing scripts for S/MIME configuration in Microsoft Outlook (Windows only), simplifying certificate configuration post-enrollment and renewal.

  • Improved CSR generation flow within the application to enhance User Experience with more key type/size options.

  • New enrollment methods and signature algorithms have been added for the “Public S/MIME Secure Email (via CertCentral)” template, including Browser PKCS12, CSR, and DigiCert Trust Assistant.

  • Added support for RSASSA-PSS signing algorithms:

    • sha256WithRSAPSS

    • sha384WithRSAPSS

    • sha512WithRSAPSS

  • Bulk management of Discovery seats is now possible through CSV upload, enabling creation, update, and deletion in bulk.

  • Updated Seat usage widget now displays links for created and consumed seats, with a new "Consumed" column and refined counters with rounding and detailed hover information.

October 25, 2023

DigiCert® ONE version: 1.6201.5 | Trust Lifecycle Manager: 1.2224.0


Optional grace period for certificate renewal

New Grace period option for the “Renewal options” section that adds the days remaining before expiration to the validity period of the renewed certificate. If not selected, the renewed certificate takes a strict validity period based on the “Certificate expired in” value.

For example, for a profile configured with the grace period, if renewing a 365-day certificate 20 days before its expiration, the renewed certificate will have a validity period of 385 days. If the option is disabled, the renewed certificate has a validity period of only 365 days.


This feature is enabled for profiles making use of Issuing CAs hosted by DigiCert® CA Manager, not external CAs such as Microsoft CA, CertCentral or AWS CA.

Bulk deployment for agents

Ability to create a deployable package with an encrypted API-KEY that can then be distributed using any available tools like GPO push, Ansible, PS Exec, etc. and triggered such that the agent provisions to the account and is ready for automation.


CA vendor widget enhancement

Enhanced the CA vendor dashboard widget to support clicking on the “Others” sector of the graph to redirect to the Inventory page with a filter of all other CA vendor values.

October 18, 2023

DigiCert® ONE version: 1.6201.3 | Trust Lifecycle Manager: 1.2203.0


Public S/MIME template for Email Gateway providers using CMP

This new certificate template, named Public S/MIME Secure Email using CMP (via CertCentral), allows issuance of Public S/MIME sponsor-validated certificates via CertCentral using the Certificate Management Protocol (CMP), and is mainly consumed by our Email Gateway service providers.

The template is tagged as “limited”, meaning that it is not available for all accounts. If required, contact an administrator with appropriate access to assign templates to accounts.


CertCentral Public S/MIME template enhancements

Updated the Public S/MIME Secure Email (via CertCentral) template to support:

  • Multiple email addresses within the SAN:rfc822Name extension.

  • LDAP search feature, where profiles with this option enabled allow certificates issued from the profile to be searched using an LDAP client. See Access certificates with LDAP for more info.


  1. Searches based on a “mail” value (an email address) are currently done against the Subject DN Email field, not the SAN:rfc822Name extension.

  2. For CertCentral issued certificates, the LDAP service does not search against CA certificates, nor CRLs, only end-user Public S/MIME certificates for profiles with the LDAP option enabled.

Certificate Renewal Reminder email template enhancements

Added two new variables to the Certificate Renewal Reminder email template:

  • cert_serial_number: will show a “Certificate Serial Number” label in the renewal email with the associated certificate serial number of the certificate being renewed.

  • cert_subject_dn: will show a “Subject Distinguished Name (SDN)” label in the renewal email with the entire SDN value of the certificate being renewed.

New DigiCert Agent v3.0.7

With this new version of the agent, the following updates are performed:

  • IIS moved from win-acme to Certbot as the client library

  • OpenSSL has been upgraded to v3.0.9

  • RHEL 9.2 support added


Browser PKCS12 certificate delivery issue

Fixed an issue where profiles configured with the “Browser PKCS12” enrollment method and a self-signed Issuing/Root CA, with the option to include the Root CA in the delivery format enabled, did not include the Root CA in the PKCS12 response file.

Get profile API response issue

Resolved an issue with the GET profile API response not delivering the profiles bound to the account.

October 12, 2023

DigiCert® ONE version 1.6201.2 | Trust Lifecycle Manager: 1.2172.0


Post-Quantum Cryptography (PQC) vulnerable certificate filter

New PQC vulnerable certificate filter that shows whether a certificate within the Inventory (“All certificates” system view) is vulnerable to post-quantum cryptography attacks.

New Seat API endpoint

This new seat API endpoint (GET /mpki/api/v1/seat) allows the retrieval of a paginated list of seats based on multiple filtering parameters:

  • account_id

  • business_unit_id

  • seat_type

  • active


Dashboard enhancements

  • Auto-layout of the dashboard when removing or adding widgets to find the best position for every widget automatically

  • New Certificates by CA vendor widget showing certificates issued grouped by the Subject DN - Organization value of the Issuing CA, including:

    • Up to 10 sectors in the pie chart, one for each different vendor.

    • An Others sector in the pie, for certificates that are not identified/trusted within the Settings > My root certificates list.

    • An Unknown category, for certificates without a Subject DN - Organization value in the Issuing CA certificate.

  • New Overview icon available next to the page title

  • Redesign of the Automation Alerts widget to show the alerts by categories using a vertical and scrollable graph instead of a horizontal carousel.

  • Redesign of the Integrations widget to become the new Connectors widget.

  • Redesign of the Certificates Expired or Expiring widget.

Support Tags for Certificates API endpoint

Enhanced the certificate API endpoint to support a new ‘tag’ request parameter that is bound to the certificate object and can later be filtered within the Inventory web page to find certificates associated with a specific tag.

Custom certificate report enhancements

  • Added a new Pseudonym field to the "Subject Distinguished Name (SDN) details" section when creating a custom certificate report.

  • Added a new PQC vulnerable field to the “Public key detail” section when creating a custom certificate report, showing what certificates are vulnerable to Post Quantum Cryptography attacks with a yes / no value.

Server Authentication EKU update for CA manager certificates via ACME

Make Server authentication EKU optional for ACME enrollment method in CA Manager Private Server Certificate profile.


Profiles list page

Resolved an issue where the new onboarding/overview page was shown when visiting the Manage > Profiles page even though profiles were available on the account. The issue occurred when the first profile retrieved for the account was “Inactive”, which led the page to conclude that no profiles were available and to show the new onboarding page.

October 4, 2023

DigiCert® ONE version: 1.6201.1 | Trust Lifecycle Manager: 1.2128.0


Overview pages

A new set of overview pages, which are displayed when no data is available on a page, provides users:

  • With an overview of the page, and

  • Guidance on how to see data populated for one of these overview pages.

This is particularly important for users who are onboarding onto the platform for the first time.

A new icon is also displayed next to the page’s title. This icon provides access to the same overview page anytime after the product has been used and data has already been created.

Pages that implement the new overview functionality are:

  • Inventory

  • Manage > Enrollments, Profiles, Seats, Network scans

  • Reporting & auditing > Audit logs, Report library

  • Integrations > Agents, Sensors

  • Settings > Notifications

AWS private CA discovery

Discover certificates using the AWS private CA connectors configured in TLM. Admins can enable discovery either when adding a new connector or by updating existing ones. Once enabled, the connector discovers and imports certificates across all the roots configured in the target AWS account.

Network scan enhancement to support more detailed cipher discovery

Enable cipher discovery when setting up a network scan. This allows you to find all the ciphers configured on the system in addition to the handshake cipher information collected.

When enabled, view this cipher information under the certificate details section categorized by protocol and flagged when found to be weak.

Inherit certificate tags from profile

Add tags when creating a new profile. Manage tags for a profile. Any certificate issued from that profile inherits the tags assigned to the profile.

New Sensor release v3.8.60

  • Enhanced security by using client based authentication for all communication.

  • Updated the installer to fork installation experience for TLM vs CertCentral.

  • Enhanced sensor provisioning to support private trust for TLM on-premise deployments.

  • A few functional bug fixes.

Allow users to upload roots to TLM discovery Trust Store

Upload roots or ICAs to TLM discovery Trust store such that:

  • Private roots and ICAs when uploaded are available at account scope.

  • Public roots and ICAs if uploaded undergo an approval step and apply to all accounts once approved.


Dashboard enhancements

Set of enhancements to the Dashboard:

  • New widget management feature, where graphs and widgets in the Dashboard can be added/removed and refreshed by users from a menu option located on the top-right of the Dashboard.

  • Every widget now shows a “Last updated” date upon which it was last refreshed, and can be removed from the Dashboard. Note that some widgets can be refreshed in real-time and others via a scheduled job (asynchronous).

  • The Seat Usage widget has been split into two separate graphs.

  • The Pending Enrollments and Pending Recovery widgets have been merged into a single graph.

Update to CertCentral connector

With CertCentral implementing 2-factor authentication, we are limiting the options for linking TLM to CertCentral such that:

  • All DigiCert hosted instances continue to have the option to use the CertCentral username/password to authenticate and link to CertCentral.

  • Any on-premises or non DigiCert deployment only shows the API-KEY option to link to CertCentral.

X509 and PKCS7 Certificate Download Label

Updated the X509 and PKCS7 download button labels in public-facing web pages to show more user-friendly labels:

  • For X509:

    • Download certificate in PEM format (.pem)

    • Download certificate in DER format (.der)

  • For PKCS7:

    • Download certificate in PEM format (.p7b)

    • Download certificate in DER format (.p7b)

September 28, 2023

DigiCert® ONE version: 1.6074.9 | Trust Lifecycle Manager: 1.2103.0


Inventory page

Renamed the Certificates page to the Inventory page since DigiCert® Trust Lifecycle Manager manages more than just certificates. It is a single ‘book of record’ / inventory page from where you can view and manage all its assets, for example unsecured IPs and ports.

The new Inventory page includes an enhanced views dropdown list and a new collapsible Quick Taskbar, available from the right side of the Inventory page with quick access icons to:

  • “Add connectors”, which redirects the user to the Manage > Connectors page.

  • “Manage views”, from where default views can be managed and custom views can be created.

  • “Reports”, to create instant reports (for less than 5000 records), and access the Custom Reports wizard.

  • “Notifications”, which redirects the user to the Manage > Notifications page to manage or create new custom notifications.


DigiCert Trust Assistant - RSASSA-PSS renewals

Support for RSASSA-PSS certificate renewals via DigiCert Trust Assistant.

DirectoryName enhancements

Extended support for additional fields/aliases within the SAN:directoryName and IAN:directoryName extensions:

  • USER_IDENTFIER using various aliases: USERID, USERIDENTIFIER, and UID.

  • Extend the STATE field to support the S alias.


Fixed an issue that prevented downloading user certificates

Fixed issue with not being able to download a user certificate for profiles configured with Browser PKCS12/Enrollment Code methods, which occurs under some specific ‘caching’ circumstances.

September 20, 2023

DigiCert® ONE version: 1.6074.7 | Trust Lifecycle Manager: 1.2085.0


Integration with CertCentral CA for public S/MIME

Support for issuance of Public S/MIME Legacy sponsor-validated certificate types conformant with the new S/MIME Baseline Requirements making use of the new template called Public S/MIME Secure Email (via CertCentral).

The supported enrollment method for this initial release is: REST API. Web-based enrollment methods will be supported in a future release.


Before you can create a profile from this new template, make sure you have linked your Trust Lifecycle Manager account with your CertCentral account by setting up the CertCentral CA connector under Integrations → Connectors → Add connector → CertCentral. You also need to have the Automation feature enabled on your account.

September 14, 2023

DigiCert® ONE version: 1.6074.5 | Trust Lifecycle Manager: 1.2065.0


eIDAS Qualified Certificates

European Trusted Service Providers who are compliant with eIDAS can now issue EU Qualified Certificates to natural and legal persons for the purposes of supporting digital signatures, peer entity authentication, data authentication, and data confidentiality, in accordance with EU Regulation No. 910/2014 [i.9], and ETSI EN 319 412-5 [i.7] for requirements relating to QCStatements.

Two new templates (eIDAS Electronic Signature and Electronic Seal) have been created to support these use cases. The templates are bound to the user seat type and tagged as Limited, meaning that only system administrators with appropriate permissions can explicitly assign them to accounts that require these types of certificates:

  • eIDAS Electronic Signature Certificate

  • eIDAS Electronic Seal Certificate


Trusted Service Providers are fully responsible for the issuance of Qualified Certificates that are conformant with the eIDAS standard and also responsible for meeting all of the regulations and requirements set within it.


DigiCert Trust Assistant enhancements

DigiCert Trust Assistant now supports the new RSASSA-PSS signing algorithm.


Using this algorithm requires DigiCert Trust Assistant v1.1.3, available for both Windows and Mac platforms from the client tools page.

Relaxing rules for country codes

Relaxed the SubjectDN Country field validation rules. Certificates imported into the Trust Lifecycle Manager application via the “certificate-import” API now allow any 2-letter country code.

Issuance of new certificates will continue to be restricted to ISO-compliant country codes.

September 6, 2023

DigiCert® ONE version: 1.6074.1 | Trust Lifecycle Manager: 1.2036.0


New certificate system view

A new system view available from the Certificates page shows which certificates will be expiring in the next 30 days, and shows the remaining days until expiration in a new table field called “Expiring in (days)”. Users can filter the data further to show expiring certificates by seat type.


Generic Private Server template update

Updated the template to set the “Server authentication” Extended Key Usage (EKU) as default.

Email templates enhancement

Updated all email templates to use the Seat ID value instead of User Full Name.

Show Add Connector page when none is available in the account

For accounts that have no configured connectors, the Add connector page will show when the user selects the Connectors link under Integrations in the left navigation bar.

Enhancements to Issuing CA field

For certificates discovered or issued using Certificate Lifecycle workflows:

  • The Issuing CA column will now show the issuer common name, in line with existing behavior for CA manager certificates.

  • A new column called CA vendor shows the name of the CA (e.g. DigiCert).


Seat usage data in dashboard

Resolved issue with Seat Usage widget in the dashboard, which was only showing data against all business units and not respecting the business unit selector at the top of the page. Customers using only one business unit would not have noticed the issue.

August 29, 2023

DigiCert® ONE version: 1.5874.11 | Trust Lifecycle Manager: 1.2005.0


S/MIME Secure Email compliance with new CA/B Forum S/MIME Baseline Requirements

Updated the Public S/MIME Secure Email (via PKI Platform 8) profile wizard to support the new Legacy generation Sponsor-validated certificate type, as defined in the new CAB Forum S/MIME Baseline Requirements standard.

You need a PKI Platform 8 account and validated email domains to issue Sponsor-validated certificates.

For details about the changes, refer to the Trust Lifecycle Manager section in this knowledgebase article.


The PKI Platform 8 issuing CA has been updated accordingly to enforce the new Public S/MIME Secure Email industry requirements.

August 23, 2023

DigiCert® ONE version: 1.5874.8 | Trust Lifecycle Manager: 1.1996.0


REST API for business units

Added REST API endpoints to:

  • Create business units

  • List business units

  • Assign seats/licenses to a business unit


Private S/MIME error

Resolved an issue with web-based enrollments associated to a Private S/MIME profile present under very narrow conditions.

ACME: Remediated wrong message when order is in reissue pending state

For CertCentral orders using third-party ACME methods, when the order goes into reissue pending state for any reason, subsequent requests were returning a “Bad Request” error. This has been updated to return an ACME compliant error.

Hide additional parameters option on Microsoft CA connector

Removed additional parameter options from Microsoft CA connector as they are not used for connector configurations.

August 16, 2023

DigiCert® ONE version: 1.5874.6 | Trust Lifecycle Manager: 1.1967.0


Support plans

On August 15, 2023, DigiCert upgraded our support plans to provide a better, more customizable experience. These improved plans are scalable and backed by our technical experts to ensure your success.

New plans:

  • Standard support (free)

  • Business support (mid-level)

  • Premium support (highest-level)

For more details about what these plans include, see the DigiCert Support Plans and DigiCert Support: Enabling Your Success.

How does this affect me?

To show our appreciation, DigiCert has upgraded all existing customers to either Business or Premium support plans for a limited time at no additional charge. See our August 15 change log entry.

How the limited-time upgrade works:

  • Platinum support plans are upgraded to Premium support for the duration of the contract.

  • Gold or Platinum-Lite support plans will be upgraded to Premium support for the duration of your contract.

  • Included (non-paid) DigiCert support will be upgraded to Business support for up to one year.

UX enhancements

  • Updated modal pop-up for suspend/resume actions using common UI design component.

  • Added a Select all link for the custom report “Profile authentication fields” section.

  • For profiles that support a Cloud Key Escrow option, added an Information banner to the public-facing web enrollment pages to inform users that their keys are being escrowed.


Certificate renewal job

Resolved issue with the certificate renewal job not getting completed in a timely fashion.

Blank page with Public S/MIME profile

Resolved issue with blank page appearing when creating a profile from the “Public S/MIME Secure Email (via PKI Platform 8)” template.

Automatic seat allocation

Resolved an issue where not all seat types were being automatically allocated to the Default Business Unit.

August 9, 2023

DigiCert® ONE version: 1.5874.4 | Trust Lifecycle Manager: 1.1946.0


Profile cloning

Added support for choosing a different business unit or issuing CA when cloning a profile. Previously, both fields were locked and could not be modified when cloning a profile. Now, if you have access to additional business units and issuing CAs, you will be able to select them before saving the newly cloned profile.

Intune enhancement

Intune revocation scheduler job will now run hourly instead of every 3 hours.

Profile enhancement - default common name

Starting from this release, if a template supports the Subject DN Common name field, it will be automatically added to the profile wizard’s second step by default.

Private S/MIME Secure Email enhancement

The previous Private S/MIME Secure Email template implementation blocked users from modifying the Key Usages extension. Now, both the Digital signature and Key encipherment fields are optional, and account administrators can configure signing-only and/or encryption-only certificates.


Refresh configuration action notifications

Fixed an error where the Refresh configuration action was sending a notification stating that the F5 server cannot be reached. This notification will no longer be triggered.

Virtual IP with no profile shows as unreachable

Fixed an issue that was preventing admins from automating virtual IPs that had no profile. Admins can now automate these IPs.

August 2, 2023

DigiCert® ONE version: 1.5874.1 | Trust Lifecycle Manager: 1.1913.0


Network scanning

With this release, administrators can configure and run one or more network scans in Trust Lifecycle Manager:

  • Added new feature in Account manager for Network Discovery.

  • Added new option to create and manage network scans in Trust Lifecycle Manager when the feature is enabled in Account Manager, with these abilities:

    • Add and manage network scans.

    • Schedule scans and see their progress.

    • See scan results on certificate list page.

  • In addition, added the following functions:

    • Filter by scan name.

    • Calculate a security rating for certificates found in a scan.

    • Capture chain information and analyze any issues.

    • Capture security headers and handshake information.

  • Added security rating column in certificate list view.

  • Added new notifications for discovered certificates:

    • Default and custom notification options.

    • Allow users to clone email templates.

    • Allow users to configure criteria for emails.

Updated certificate details page

Certificate details page has been restructured to better represent certificate and discovery data.

  • Reformatted with a tab layout for better accessibility.

  • Added new tabs for security details with detailed information on security rating, chaining, headers, and handshake protocols based on how the data was discovered.

Private S/MIME Secure Email template enhancements

Support for DigiCert Trust Assistant

Updated the "Private S/MIME Secure Email" template to support the DigiCert Trust Assistant enrollment method with all corresponding authentication methods:

  • Enrollment code

  • Manual approval

  • SAML IdP

Support for autoenrollment and ECDSA certificates

Added support for the Microsoft Autoenrollment enrollment method to auto-provision private S/MIME (non-escrowed) certificates, both RSA and ECDSA key-based.


Added 'Request a new certificate' as secondary action for automation flows

Allows users to get a new certificate from a different profile when their default automation action is set to reissue or renew.

Added 'Check status' option for certificate management profiles

Allows users to select one or more profiles to check their status and refresh the profile from profile list page.

Intune profile enhancement

Relaxed the validation rules for the Tenant Name field in profiles created from Intune templates to allow domain values other than the default domains.

July 27, 2023

DigiCert® ONE version: 1.5658.5 | Trust Lifecycle Manager: 1.1875.0



Intune certificates

Resolved issue with Intune certificate enrollments failing. They now proceed as expected.

CertCentral profile status

Resolved issue with CertCentral profiles showing an “Action needed” status. This now only displays when expected.

July 26, 2023

DigiCert® ONE version: 1.5658.4 | Trust Lifecycle Manager: 1.1867.0


Scheduled reports

Authorized account administrators can now schedule custom Certificate and Enrollment reports to be generated at different intervals:

  • Once: The report will be queued immediately and run as soon as possible.

  • On a specific date: Select a date to run the report.

  • Weekly: The report will run on the selected day(s) of the week, every week until manually stopped.

  • Monthly: The report will run monthly, on a specific day of the month (or last day of the month), with the option to run it every set number of months until manually stopped.

Custom labels for Subject DN and SAN labels in different languages

When creating or editing a profile, users can specify replacements for the default Subject DN and SAN labels with custom labels in multiple languages. Example: The “Common name” field could be customized to show: “Please enter your full name:” (for English), and similar text in other supported languages if set within the profile.


Key size update to the Private S/MIME template

Updated the "Private S/MIME Secure Email" template to support RSA 3072-bit key sizes.

SAN Directory Name extension in Generic User Certificate template

Updated the SAN Directory Name extension functionality, available when creating a profile from a Generic User Certificate template, to support:

  • A single Organization Identifier field, using a tag of ORGANIZATIONIDENTIFIER or ORGID (case insensitive).

  • One or multiple Description fields and values, using a tag of DESCRIPTION or DESC within the overall Directory Name value (case insensitive).

Here is a sample SAN Directory Name value using all currently supported tags:

C=US,O=DigiCert,OU=myOU-1,OU=myOU-2,ST=Utha,L=Lehi,GIVENNAME=John M,SURNAME=Doe,TITLE=Product Manager,SERIALNUMBER=00001,ORGID=123456,DESC=my description 1,DESC=my description 2,DC=DigiCert,DC=com
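
The tag rules above (case-insensitive tags, a single Organization Identifier, repeatable Description), together with the USERID/USERIDENTIFIER/UID and S aliases listed in the September 28, 2023 notes, can be checked before a value is submitted; normalizing aliases first keeps a duplicate from slipping past a check that compares tag names literally. The following Python is an added example, not DigiCert code: the canonical tag names, the rejection of unknown tags and the backslash-escaped comma handling are assumptions of this example, not documented product behaviour.

```python
"""Pre-submission check for a SAN directoryName string (added example)."""

# Alias -> canonical tag. The aliases come from the release notes; the
# canonical names on the right are this example's own choice (assumption).
ALIASES = {
    "ORGANIZATIONIDENTIFIER": "ORGID", "ORGID": "ORGID",
    "DESCRIPTION": "DESC", "DESC": "DESC",
    "USERID": "UID", "USERIDENTIFIER": "UID", "UID": "UID",
    "STATE": "ST", "S": "ST", "ST": "ST",
}
# Remaining tags that appear in the sample value on the page.
PLAIN_TAGS = {"C", "O", "OU", "L", "GIVENNAME", "SURNAME", "TITLE",
              "SERIALNUMBER", "DC"}
# The notes state that only a single Organization Identifier is supported.
SINGLE_VALUED = {"ORGID"}

# Sample value quoted from the release notes.
SAMPLE = ("C=US,O=DigiCert,OU=myOU-1,OU=myOU-2,ST=Utha,L=Lehi,"
          "GIVENNAME=John M,SURNAME=Doe,TITLE=Product Manager,"
          "SERIALNUMBER=00001,ORGID=123456,DESC=my description 1,"
          "DESC=my description 2,DC=DigiCert,DC=com")


def split_components(value):
    """Split on commas, treating a backslash as an escape for the next char.

    Escape handling is an assumption of this example; the page's sample
    contains no escaped characters.
    """
    parts, buf, escaped = [], [], False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("dangling backslash at end of value")
    parts.append("".join(buf))
    return parts


def parse_directory_name(value):
    """Return ordered (canonical_tag, value) pairs, or raise ValueError."""
    pairs, seen = [], set()
    for part in split_components(value):
        tag, sep, val = part.partition("=")
        tag, val = tag.strip().upper(), val.strip()
        if not sep or not tag or not val:
            raise ValueError(f"malformed component: {part!r}")
        # Tags are case-insensitive: resolve aliases on the upper-cased form.
        canonical = ALIASES.get(tag, tag if tag in PLAIN_TAGS else None)
        if canonical is None:
            raise ValueError(f"unsupported tag: {tag}")
        # ORGID and ORGANIZATIONIDENTIFIER count as the same field here.
        if canonical in SINGLE_VALUED and canonical in seen:
            raise ValueError(f"{canonical} may appear only once")
        seen.add(canonical)
        pairs.append((canonical, val))
    return pairs


if __name__ == "__main__":
    for tag, val in parse_directory_name(SAMPLE):
        print(f"{tag:<13}{val}")
```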

Certificate recovery enhancements

Enhanced the certificate recovery flow for profiles configured with the Cloud Key Escrow option, to include 3 new email templates that can be customized:

  1. Private key recovery initiation

  2. Private key recovery approved

  3. Private key recovery rejected

When approving/rejecting a second admin recovery operation, the administrator can optionally send a message to the user with the reason for the rejection, or extra information when approving the recovery. The message will also be saved as an internal note for auditing purposes.

Profile wizard enhancements

Enhanced the profile wizard logic for the first step (“Primary option”) to show warning messages when required enrollment methods are not available on the account. To show these, contact your administrator to ensure your account has the required feature enabled.

Profile list page update

Removed the bulk action button placed outside the table in favor of functionality inside the table, to make it consistent with the Certificates List page.

Email logo update


Updated the default Trust Lifecycle Logo included in all email templates.


Missing fields in status change email

Fixed issue where SeatID and SeatName variables were omitted from the Certificate Enrollment Status Change email template.

Error on enrollments list page

Fixed error displayed in the Enrollments List page caused by enrollments associated with a deleted profile.

Known issues

Proxy issues for some CertCentral flows

Discovery and synchronization actions using CertCentral accounts do not go through the proxy right now, although certificate issuance does.

July 12, 2023

DigiCert® ONE version: 1.5658.1 | Trust Lifecycle Manager: 1.1810.0


Suspend and resume email templates

New suspend and resume email templates have been added. Authorized administrators can configure them when creating/editing a profile from any of the three Generic templates (User/Device/Server).


Internal audit enhancement

For profiles configured with the Manual approval authentication method, we now capture the name of the administrator who approves or rejects a certificate request within the internal notes displayed on the enrollment details page.


TLM CertCentral CA public server profiles “Action needed” state issue

Fixed a code issue affecting multiple customers where CertCentral CA public server profiles were incorrectly labeled Action needed.

July 5, 2023

DigiCert® ONE version: 1.5658.0 | Trust Lifecycle Manager: 1.1784.0


Microsoft CA support for issuance of user certificates via web-based flows

Added support for issuance of user certificates using a Microsoft CA as the issuer with Microsoft certificate templates, which are selected when creating a profile from the new Microsoft CA User Certificate template and will prepopulate most of the profile wizard settings based on the Microsoft template configuration. Customers will still be able to control the SubjectDN and SAN fields to be used when signing the certificate, which will be added to the CSR that is sent to Microsoft CA for signing via the DigiCert MSCA Connector.

Prerequisites: Similar to the already available Microsoft CA support for private certificates, this solution also requires the configuration of a sensor and a Microsoft CA Connector, available under the Integrations menu option.

The Microsoft CA User Certificate template supports the below user enrollment/authentication methods (flows):

Enrollment method:

  • Browser PKCS12

  • CSR

  • DigiCert Trust Assistant (minimum version 1.1.2)

Authentication method:

  • Manual approval

  • Enrollment code

  • SAML IdP

Also added support for these certificate lifecycle operations using a Microsoft CA as the signer/issuer:

  • revocation, where the Microsoft CA solution will be responsible for providing any certificate validation services (CRL / OCSP).

  • renewal, where the appropriate renewal flow will be enforced based on the profile configuration using the renewal thresholds set within the Microsoft template and intersecting with the allowed renewal window values set within the profile wizard.

For more details, see instructions.

Platform proxy support

On-premises DigiCert ONE customers can now configure their platform with proxy settings to send all outgoing traffic from the Trust Lifecycle Manager application. Both anonymous and authenticated proxy servers are supported. Check documentation for details on how to configure your DigiCert ONE cluster.

AWS Private CA management

This release introduces AWS Private CA as a supported CA to issue and manage certificates using the following enrollment methods:

  • ACME

  • Agent

  • Sensor

A new AWS Private CA connector is available to be configured with the user's AWS account. A new AWS CA Private Server Certificate can be configured to issue certificates from one of the AWS private CA roots.

Option to connect to CertCentral Europe

Added ability for users to choose between US and EU CertCentral environments when configuring CertCentral connector.

Synchronize revocation status for Microsoft CA

Added the ability to synchronize revocation status for certificates revoked directly from Microsoft CA outside of Trust Lifecycle Manager.

New enrollment method column

A new Enrollment method column is added to all certificate views.

New REST API enrollment method for CertCentral profiles

A new REST API method is available in CertCentral profiles to use with the /mpki/api/v1/certificate API endpoint.


Bulk management of imported seat types

Extended the management of seats in bulk via the upload of a CSV file, supporting bulk update and deletion of Import seat types.

Extensive Health Check enhancements

Enhancements to the Extensive Health Check API endpoint (GET {{host}}/mpki/api/v1/health/extensive) to report back on the status of more services and all scheduled jobs for the Trust Lifecycle Manager application.

Consolidate sensor connections and connectors

With this release, we are consolidating sensor connections and connectors in Trust Lifecycle Manager.

All existing sensor connections will show in connectors list page (ensure you have the connectors feature turned on for your account). New connections can be added using the Add Connector flow. All existing references to "sensor connections" will be updated to "connectors" in dashboard, notifications, lifecycle workflow, etc.

Updates to Linux sensor installation flow

Linux sensor installation no longer defaults to CertCentral; instead, it prompts the user to check whether it should be provisioned to Trust Lifecycle Manager.


Support local hostnames for Win-ACME

Users can now use local names and IP addresses with ACME clients and agents when supported by the client.

Known issues

Proxy issues for some CertCentral flows

Discovery and synchronization actions using CertCentral accounts do not go through the proxy right now, although certificate issuance does.

June 28, 2023

DigiCert® ONE version: 1.5428.8 | Trust Lifecycle Manager: 1.1759.0


Performance enhancements

Improved performance on audit logs page:

  • Improved speed by limiting audit events in search results to 1,000 (same as the Certificates page).

  • Removed display of total number of matched audit log records. This feature will be reintroduced in a future release as an asynchronous internal request.

  • Improved initial page loading.

  • Improved speed of traversing through audit log results using pagination.

  • Limited the Resource name filter to searches using the prefix or exact value.

UI support for single hosts in DNS server field

Added support for single-host values for the DNS server field (e.g. localhost, my-server) in public-facing and admin enrollment pages.


Remove dependency for 'CA manager private server certificate' profile

This fix removes dependency of "CA manager private server certificate" on CertCentral connector, allowing users to use this profile even if CertCentral connector is not present.

Known issues

Audit log performance

Slow audit logs when filtering via Seat ID or Seat GUID for accounts with a very large number of audit log records.

June 21, 2023

DigiCert® ONE version: 1.5428.7 | Trust Lifecycle Manager: 1.1732.0


Custom enrollments report

The custom report generation feature has been extended to support the generation of CSV custom reports from the Enrollments page.

Account owners with appropriate reporting permission can create up to 10 Enrollment CSV-based reports to be generated offline/asynchronously and be available for 30 days after creation.

Users can select the Create custom report button, available on the Enrollments page under the Create report icon above the table. The reporting wizard appears to guide you through report creation.

When a report is ready, the user who created it will receive an email.

All created/custom reports are available from the new Report library page inside the Report & Auditing menu option, where you can:

  • View the status of reports.

  • Download completed reports.

  • Re-run a saved report against the latest available data. The new report will be available for another 30 days.

For more details visit Report library (advanced custom reporting).

Support for Edwards ‘hashedEd25519’ curves

For the three Generic templates (User/Device/Server), you can now select Edwards hashedEd25519 curves (key types) for enrollment methods that support this key type:

  • CSR


Certificate management seat type creation

The seat creation page and API now allow for the creation of “Certificate management” seats individually or in bulk, via the upload of a CSV file. Note that you must have the automation feature enabled on your account.

Intune API migration

Migrated the deprecated Intune Azure AD Graph API to use the supported Microsoft Graph API.


Performance enhancements

Enhancements to the Certificate List page to improve the performance of initial page loading, as well as the searching/filtering responses for the various filters on the table. In order to achieve the performance improvements, we will:

  • Return up to 1,000 records for any search criteria selected on the page.

  • Remove the capability to perform partial searches for Common name and Seat ID. From this release, only ‘prefix searching’ or ‘exact value searching’ will be supported for these table filters.

Certificate search API enhancement

Enhanced the certificate-search API endpoint to support an extra query parameter called enrollment_id, which allows a certificate to be retrieved based on its unique Enrollment ID.

The format of the certificate will depend on the Certificate Delivery format the profile is configured with. Also, the enrollment_id value is returned from the manual-enrollment API response, against profiles configured with the “Manual approval” authentication method.


Business unit filter

Fixed an issue where the business unit filter was not working for the unassigned filter value.

Add/edit certificates

Fixed an issue where add/edit tags for certificates were not working in All certificate and managed automation views.

1-year configuration

Fixed an issue where certificate renewals failed when configuring a profile with 1 year instead of 365 days.

Email templates

Fixed an issue where the subject title for custom email templates under the “Email and notifications” configuration section in the profile wizard was not showing the dynamic email template variables.

June 14, 2023

DigiCert® ONE version: 1.5428.5 | Trust Lifecycle Manager: 1.1703.0


IIS automation failing

Fixed issue causing IIS automation to fail.

Sensor downgrade issue

Fixed issue causing a new installation of Sensor v3.8.59 to downgrade current installation and corrupt additional Sensor installation attempts.

June 8, 2023

DigiCert® ONE version: 1.5428.2 | Trust Lifecycle Manager: 1.1672.0


Enrollment approval failure

Fixed an issue causing enrollment approval to fail when a profile was configured with the manual approval authentication method and fixed fields set in the Subject DN field.

June 7, 2023

DigiCert® ONE version: 1.5428.1 | Trust Lifecycle Manager: 1.1668.0


DigiCert Trust Assistant v1.1.1

  • DigiCert® Software KeyStore now supports macOS using the CryptoTokenKit framework.

  • Support for renewal of certificates managed by DTA, stored on the operating system, DigiCert Software KeyStore, or hardware tokens, via a proof-of-possession of the private key flow where a renewal request is digitally signed by the to-be-expired private key and validated before issuing the renewed certificate.

  • For macOS, removed default YubiKey attestation certificate from the list of certificates being displayed by the client for YubiKey tokens. (This was supported for Windows in the previous release.)

DigiCert Trust Assistant - licensing

The DigiCert Trust Assistant license file has been removed from within the application and added to the overall platform license. No changes for DigiCert-hosted platforms.


This is especially important for customers running the DigiCert ONE platform on-premises. Starting with this release, if you require access to the DigiCert Trust Assistant client, contact your DigiCert representative and ask them to update your platform license. The updated license whitelists your platform domains so DigiCert Trust Assistant can use it.


Dual recovery and comments

  • Now for private and public S/MIME profiles configured with the dual-admin approval flow, the second admin approver has the ability to cancel the recovery process.

  • Any recovery approval or rejection action (via the UI or API) can now include an internal comment when approving or canceling the recovery operation.

Audit log event filtering by resource name

  • New column Resource name added to the Audit log table, allowing you to filter or search for its contents in log events.

New action for custom reports

  • New View audit event action is available from within the Report library and Report details pages, allowing users to directly visit the Audit logs page and view the events associated with the selected report.

Added columns on Certificates list

  • Added 2 columns for certificate views, SANs and Thumbprint, on the Certificates list page. New columns can be added to all certificate views (except unsecured views).

User instructions

  • Added support for the upload of custom/user instructions for profiles configured with the “SAML IdP” authentication method and the “Enforce manual approval” option enabled.

  • User instructions are now shown on the final Certificate installed page instead of the preceding Install certificate page.

Performance improvements

  • Improved response time for certificate revocation via the Certificate List page and REST API.

  • Faster certificate issuance times for all flows (e.g., CSR, Browser PKCS12, and REST API).

  • Retrieval time for certificates listed within the Certificate List page reduced.

Japanese installation instructions page changes

Updates to the Japanese certificate installation instructions web page to make them more accurate and user-friendly.

Remove duplicate bulk actions on Enrollments page

  • Removed the bulk actions and associated button on the Manage > Enrollments page. To use the inline bulk actions functionality, select more than one enrollment on the table.

Custom report create page enhancements

  • Renamed Automation details title to Server management details.

  • Moved the Tags field from the Server management details section to the Other details section.

  • Added support for new “Server management” field named SANs (also available within the Certificates page).

Multiple httpd configuration file support

  • Added support for multiple Apache httpd configuration files configured via different processes on the same server.

Sensor installation updates

  • Windows sensor users can choose to automatically provision a sensor to Trust Lifecycle Manager after installation. Users can choose if they want the sensor to be provisioned to Trust Lifecycle Manager and can provide the file to finish provisioning.

Renamed Citrix Netscaler

  • Renamed Citrix Netscaler to Citrix ADC.


Duplicate certificate issue

  • Fixed an issue where duplicate certificates could not be issued for profiles configured with the “Microsoft autoenrollment” enrollment method and the "Allow duplicate certificates" option when using fixed Subject DN fields in the profile.

Business Unit seat consumption and allocation

  • Fixed how Business Unit seat consumption and allocation is calculated.

Enrollments linked to invalid email

  • Enrollment errors due to not being able to send an email (e.g., invalid email or SMTP server issues) can be rejected by an authorized administrator.

DCV for OV/EV using TLM ACME Agent

  • Resolved issue with OV/EV DCV failure for agent flows.

May 24, 2023

DigiCert® version: 1.5118.8 | Trust Lifecycle Manager: 1.1597.0


Windows and Linux sensor auto-upgrade

From this release, Trust Lifecycle Manager will support automatic sensor updates for Windows and Linux sensors.

Users will have the option to set upgrades to manual for one or more sensors. They will be prompted to update whenever an upgrade is available.

Email confirmation template

Introduced a new email confirmation template. This email template can be enabled and customized when configuring a profile with the “Manual approval” authentication method, where users can optionally receive an email confirmation after successfully submitting a certificate enrollment request.

Bulk enrollments

Bulk enrollment actions for the Enrollments page are now inside the table instead of at the bottom of the page.

Log events based on resource type

Dynamically show the correct log events based on the resource type.


Unnecessary alert state

Fixed an issue where CertCentral profiles were set to “Action Needed” even though there was no configuration problem.

May 17, 2023

DigiCert® version: 1.5118.6 | Trust Lifecycle Manager: 1.1557.0


Seat naming changes

  • Renamed Unmanaged seat type to Discovery.

  • Renamed Automation seat type to Certificate management. When deleting a Certificate management seat, you will have the option to revoke certificates associated with the seat.

Show TLM features in Account Manager

The Account Manager application will expose a set of features for the Trust Lifecycle Manager application and can be enabled/disabled per account, enforced by Trust Lifecycle Manager. This is particularly meant to help DigiCert ONE on-premises customers. Features include:

  • Enrollment methods: REST API, Browser PKCS12, CSR, SCEP, EST, Microsoft Autoenrollment, ACME/Agent/Sensor (enabled/disabled via the Automation feature)

  • Custom reports

  • Reporting (email)

Seat creation logic

Updated seat creation logic for automation methods (ACME, sensor, agent) to create seats per website (i.e., combination of unique CN+IP+Port) for both server and certificate management seats.


YubiKey slot selection in DigiCert Trust Assistant

DigiCert Trust Assistant now supports selecting the YubiKey slot where keys are to be created when configuring a profile with the YubiKey hardware token.

SCEP support for SHA-384

The SCEP GetCACaps response now supports the SHA-384 hashing algorithm. Use this URL to check the response:

REST API update

New REST API PUT status endpoint to change the status of enrollment requests from pending to either approve or reject, for enrollments linked to profiles configured with the "Manual approval" authentication flow. See Trust Lifecycle Manager REST API reference.

Connectors support

Connectors are now a separate feature in Account Manager (separated from automation) and can be enabled or disabled for a given account.

Environment support for agents

Downloaded agents are now preconfigured with the correct environment information (US vs NL, etc.) so that installation can proceed without configuration changes.


MSCA issued certificates

Fixed an issue where users were unable to revoke an MSCA issued certificate from the UI.

Sensor version issue

Fixed an issue where sensor versions were not resolving in Windows and Linux sensors.

Sensor update issue

Fixed an issue where users were unable to update the heartbeat of an active sensor if the sensor was not assigned to a business unit.

Refresh configuration

Fixed an issue that was preventing refresh configuration for sensor connections.

May 3, 2023

DigiCert® version: 1.5118.1 | Trust Lifecycle Manager: 1.1518.0


Provide customizable user instructions for download

For profiles configured with the Manual approval authentication method, you can upload a file with specific instructions that a user can follow when installing a certificate. Examples are: configuring a WiFi or VPN client, configuring Outlook, or accessing a certificate-protected web resource.

  • Supported file formats: .txt, .ppt, .pptx, .doc, .docx, .pdf

  • Supported maximum file size: 10 MB

Users can download the file from the certificate confirmation and installation web pages.

Added connector column to certificate view

Added a column to certificate views to filter data by connector name.


Additional fields and enhancements for custom certificate reports

Split the first section of fields (certificate, automation, and other fields) into three sections:

  • Automation details

  • Profile details

  • Other details

Support for new fields to be added as part of the custom certificate report wizard:

  • Requestor email

  • Trust type

  • Seat ID mapping


As mentioned in a previous release note, we removed the Certificate report link in the Reporting and auditing menu. We now support a more powerful reporting solution when creating offline custom reports from the certificates page.

Seat email address for server and device seats

Support for an optional seat email address when creating or editing server or device seats via the UI.

Chunking for large uploads

For large data coming in from Microsoft CA and other plugins, the sensor now supports breaking the upload into smaller chunks so that it can be uploaded via customer proxies. You can configure the chunk size on the sensor.

New Sensor version 3.8.57 released with multiple enhancements and fixes:

  • Microsoft CA and Qualys connector support on Windows and Linux sensors.

  • Update for chunking logic (all sensor types).


Docker sensors need to be updated to the latest version for Microsoft CA and Qualys integrations to continue working.

Support for 1-day certificates for CA Manager Private Server Certificate profile templates

Users now have the option to choose 1-day validity for certificates issued from CA Manager for the following enrollment methods:

  • Agent

  • Sensor

  • ACME

Updates to certificate view column selector

The column selector on certificate views now shows available options in one or more columns to improve usability.


Reintroduced Source column in certificate views

Fixed performance issues with the Source column. This column is now reintroduced to all certificate views.

April 19, 2023

DigiCert® version: 1.4957.3 | Trust Lifecycle Manager: 1.1487.0


DigiCert Trust Assistant support for new Software KeyStore (Windows only)

Added support for a new token type, DigiCert Software KeyStore, when configuring a profile with the DigiCert Trust Assistant enrollment method. This allows keys and certificates to be protected on the user’s machine within a proprietary software keystore with a user personal identification number (PIN).

A user must initialize DigiCert Software KeyStore after installing the DigiCert Key Store Provider (KSP) using elevated user permissions, e.g. local administrator Windows account.


This new feature is only available for the Windows version of the DigiCert Trust Assistant, for which you need to download/install v1.1.0. (The Mac client continues to run on v1.0.0.) Support for Mac is planned for a future release.

For more details, see the following guides:

Delete business units

Added an action to the business unit (BU) list page that allows a BU to be deleted after all profiles and seats bound to that BU are deleted.

Agent DV automation

Administrators can now automate domain validated (DV) certificate lifecycle operations using the Trust Lifecycle Manager agent.


DigiCert Trust Assistant enhancements


These enhancements are only available for the DigiCert Trust Assistant Windows release. We will update the Mac client in a future release.

  • Removed the default YubiKey attestation certificate from the list of certificates displayed for YubiKey tokens.

  • User experience (UX) changes to the import certificate process (e.g. importing a glck or pkcs12 file). Once the password is verified, the “Verify” button will change to “Import.”

  • UI changes to PIN verification and any errors displayed due to incorrect PINs. The error message is now displayed inline within the same PIN pop-up window, instead of a separate error notification.

Client tools - DigiCert Autoenrollment Server doc update

Replaced a link in the “Overview” section of the Client tools - DigiCert Autoenrollment Server page with a link to DigiCert documentation:

Validation enhancements

  • Profile wizard - certificate policy validation: Added extra validation checks to the profile wizard when adding one or more certificate policy extensions to a profile.

  • Enrollment pages - dnsName validation: Added inline validation for dnsName values entered by users on the public-facing enrollment page before submitting.


Dual admin approvals

Resolved an issue where users were unable to approve certificate requests bound to profiles configured with “Manual approval” authentication method and dual-admin approval flow.

Slow certificate enrollments for data-rich accounts

Resolved an issue with slow certificate enrollments for accounts with large amounts of data, which was caused by a reliant database table being locked for writing.

April 12, 2023

DigiCert® version: 1.4957.2 | Trust Lifecycle Manager: 1.1458.0


Agent settings page

This page allows users to set account level options for the following:

  • Manual vs. automatic agent approval

  • Blocked ports

Sensor details

Added sensor details page that will allow users to:

  • View sensor hostname, IP, and version information

  • Update debug settings

  • Change proxy port to be used by the agent when using sensor as a proxy

Agent notifications

Added agent lifecycle notifications for:

  • Agent activated

  • Agent error

  • Agent approval pending

  • Agent approved

  • Agent rejected

Application detection

With this release, agents have been enhanced to detect the application version during the initial discovery task. This application type and version will automatically be configured in the UI. Users will have an option to change these settings from the agent details page if needed.



  • Updated integrations graph to show agent status.

  • Added Agent error alert for automation.

ACME failures audit logs

Some third-party ACME clients have an issue where not all error messages are shown on the client CLI. As a workaround for this limitation, TLM has started logging ACME errors in audit logs.

Known issues

Connectors on Windows and Linux sensors

Connectors are currently not supported on Windows and Linux sensors. To use MS CA and Qualys connectors, use the latest Docker sensor.

April 5, 2023

DigiCert® version: 1.4957.1 | Trust Lifecycle Manager: 1.1432.0


Microsoft CA integration for server certificate

Trust Lifecycle Manager now supports issuing certificates from the customer's Microsoft CA.

To enable Microsoft CA support, users must install DigiCert Microsoft CA remoting service and DigiCert Sensor. Once configured, to import and issue certificates in Trust Lifecycle Manager, add one Microsoft CA connection for each internally hosted Microsoft CA.

Added a new Microsoft CA private server certificate profile template to create profiles with these enrollment methods: 

  • Sensor automation

  • Third-party ACME integrations

  • Agent automation

Learn more about Microsoft CA integration.

Qualys CertView integration

Added support for a new Qualys connector to import certificate data discovered using Qualys scans. Imported data is available on the Trust Lifecycle Manager certificates page in line with data from other sources. This data can be used to manage notification and alerting, automated lifecycle management, and perform other tasks.

Learn more about Qualys integration.

Web server automation using agent

Trust Lifecycle Manager now supports automation of the following web servers:

  • Internet Information Server (IIS)

  • Apache Tomcat

  • Apache web server

  • Nginx web server

  • IBM HTTP server

Administrators can install an agent on the target server to facilitate automation flows, similar to that for sensors. Existing profiles have been updated to add a new "agent" enrollment method. You can download agents from the TLM resource page. After installation, agents are managed from the new Agent section in Trust Lifecycle Manager.

Learn more about agent-based automation.

Advanced reporting for certificates

A new custom report generation feature allows account owners with appropriate reporting permission to create up to 10 reports to be generated offline/asynchronously and be available for 30 days after creation.

Users can select the Create custom report button, available on the Certificates page under the Create report icon above the table. The reporting wizard appears to guide you through report creation.

When a report is generated, an email is sent to the user who created the report.

All created/custom reports are available from the new Report library page inside the Report & Auditing menu option, where you can:

  • View the status of reports.

  • Download completed reports.

  • Re-run a saved report against the latest available data. The new report will be available for another 30 days.

Learn more about custom report generation.


The Certificate report link under the Reporting & auditing menu option will be removed in the next monthly release.


Audit log enhancements

  • Displays an info banner to the user when more than 5,000 audit events are encountered. The banner shows how many audit log events match the search criteria and advises the user to use filtering options to narrow the search result.

  • A new audit log resource type, Email, stores audit log events related to email sending operations and will simplify troubleshooting email-related issues.

Number of authentication attempts

Enhanced public-facing pages for enrollments making use of enrollment codes for authentication. These pages now show the number of failed authentication attempts as well as the maximum number of attempts allowed by the profile before locking the enrollment.

Additional certificate status values for automation flows

Added two new options to the certificate status field:

  • Replaced represents certificates that are replaced on a server using automation.

  • Replaced External represents automated certificates that are found to be replaced outside Trust Lifecycle Manager during a discovery task.

New permissions for connector pages

Added separate view, create, and manage permissions for connector pages.

Native Windows and Linux sensors

Trust Lifecycle Manager administrators can now install the DigiCert Sensor on Windows or Linux machines.


Missing email templates

Resolved issue with some email templates not being displayed for profiles configured with the SAML IdP authentication method with the Enforce manual approval checkbox enabled.

Incorrect certificate status when suspending imported seat

Resolved issue when uploading certificates from an external system bound to an imported seat type. After suspending the certificate via the UI, the certificate status in Trust Lifecycle Manager was correct (showing a status of Suspended), but the revocation request to CA Manager was not submitted, causing the status to be shown as Valid and validation services not reflecting the correct status.

March 23, 2023

DigiCert® version: 1.4803.6 | Trust Lifecycle Manager: 1.1380.0


Enrollment code enhancements

Added new actions available from the enrollments page, for enrollments linked to a profile configured with an enrollment code authentication method. This allows an authorized administrator to:

  • Unlock a locked enrollment code via the UI after the maximum number of attempts has been reached.

  • Reactivate an expired enrollment code.

  • View an enrollment code and URL for enrollments associated with private CAs. This action is hidden for enrollments associated with public CAs.

Also added a configuration option for profiles configured with the enrollment code authentication method, to set the maximum number of incorrect enrollment code authentication attempts before locking.

Auto-copy a SAN:dnsName field with the SubjectDN:commonName value

For profiles configured from the “Generic Private Server” template, added an Auto-copy from SAN: dnsName checkbox for the Subject DN - Common Name field. This automatically copies the value into the dnsName field, regardless of whether this field is configured in the profile or not.

If a profile is configured with a dnsName field and a certificate request already contains one or multiple dnsName values, the Common Name value will appear automatically at the top of the list.

March 15, 2023

DigiCert® version: 1.4803.2 | Trust Lifecycle Manager: 1.1356.0


Certificate expiration email template

Customers with unmanaged or imported seat licenses can configure a certificate expiration email to be sent before the uploaded certificate expires. This configuration page is now available under the Settings - Uploaded certificates expiration menu, and will be visible only when an account has been allocated with Unmanaged and/or Imported seats/licenses.

Additional option for ACME enrollment

For third-party ACME client-based flows, we added a new parameter option for the client to explicitly ask Trust Lifecycle Manager to issue a new certificate from CertCentral irrespective of the status of the previous certificate. This allows users to enforce a re-enrollment in addition to the already available options to renew, reissue, or get a duplicate certificate.

Sample ACME URL:


Renewal reminder timeout for unmanaged/imported seats

Resolved an issue with renewal emails not being sent to end users. We have introduced a 30-second timeout period for the hourly job that takes care of sending renewal email reminders, when not receiving a response from the SMTP server responsible for sending the email.


We will not make a second attempt to send the same failed email at the next hourly run, because failed emails could otherwise pile up and leave no room for new emails to be sent. However, emails will be sent every [90, 60, 30, 15, 10, 7, 5, 3, 2, 1] days depending on profile configuration. Therefore, if an email fails to be sent at 90 days before expiration, the next attempt will be made at 60 days, etc.

Lowercase country values for unmanaged and imported seats

Resolved issue with not being able to upload unmanaged and imported certificates using a two-digit Subject DN country value in lowercase. We now support the upload of country values as case-insensitive values.

March 9, 2023

DigiCert® version: 1.4803.0 | Trust Lifecycle Manager: 1.1349.0


New extensions

Support for three new X.509 certificate extensions, which users can configure in the profile wizard:

  • Subject Alternative Name (SAN) Directory Name extension, supported by the Generic User Certificate template.

  • Certificate Policies extension, supported by all the standard templates, with the exception of the Public S/MIME (via PKI Platform 8) and CertCentral templates. You can configure a Certificate Policy extension with just a private OID, or include User Notice and/or CPS URL fields.

  • Issuer Alternative Name extension, supported by the Generic User Certificate template, when configuring a profile with the REST API enrollment method and 3rd party app authentication method.

New manual-enrollment REST API

For profiles configured with the “Manual approval” authentication method, you can use the new manual-enrollment API endpoint to submit a certificate request via API and drop it into the queues for authorized administrators to review and manually approve it or reject it.

Once a request has been manually approved, the user will receive an email with instructions on how to download the certificate via the currently supported web-based enrollment methods: CSR, Browser PKCS12, and DigiCert Trust Assistant.


Use the existing enrollment-details API endpoint to retrieve the status of a specific enrollment by submitting the enrollment Id.

SAML single logout

Enables a profile, with the SAML IdP authentication method, to be configured with a SAML single logout URL. This allows an end user to click on a Single Logout link displayed on the public-facing enrollment pages, which forces the logout of all connected SAML sessions on both the Service Provider and the Identity Provider.


DigiCert Trust Assistant for public S/MIME

DigiCert Trust Assistant support for the issuance of public S/MIME certificates (escrowed or non-escrowed, depending on the profile configuration) from PKI Platform 8 accounts, using the following authentication methods:

  • Manual approval

  • Enrollment code

  • SAML IdP

Updated menu items and other styling changes

  • Updated the left navigational menu items to use "sentence case" and follow DigiCert style guidelines. For example, “Business Unit” menu item becomes “Business unit”, “Reporting & Auditing” becomes “Reporting & auditing”, etc.

  • For public-facing enrollment pages:

    • Removed the colon after SDN and SAN section titles.

    • Updated the color, padding, margins, and font sizes of fixed field labels to meet DigiCert style guidelines.

  • Redesign of the audit logs details page to adhere to DigiCert design guidelines.

Seat object enhancements

  • Updated the GET Seat API endpoint to extend the response to include a seat_creation_date parameter showing the seat creation date.

  • Updated the Seat List web page to show an optional Created date column.

Profile wizard enhancements

  • Now allows for a maximum custom renewal window of up to 90 days.

  • Updated the renewal email template to also support sending renewal notifications up to 90 days in advance.

  • Variables inside the email templates are now alphabetically ordered.

Profile List page enhancement

Added a Seat type filter to the Profile List page to allow profiles to be filtered by a seat type.

Additional options in “Valid to” filter

Enhanced the “Valid to” filter inside the Certificates list page to support three new filters, in addition to searching between a date range:

  • By days, for example: certificates expiring in the next 7 days.

  • From a specific date, for example: certificates expiring after 1st March 2023.

  • Until a specific date, for example: certificates expiring before 15th March 2023.

Enhancements to the Generic Private Server Certificate template

Enabled the Browser PKCS12 enrollment method and associated authentication methods, which are Manual approval, Enrollment code, and SAML IdP.


Create custom report button in various places

Resolved a known issue that incorrectly showed the “Create custom report” button on the Certificates, Enrollments, and Seats List pages.

Certificate and Seat consumption charts errors

Resolved an issue with Certificate and Seat consumption chart widgets within the Dashboard not displaying the correct data.

Error notifications on Certificates and Enrollment pages

Resolved issues with errors being displayed on the Certificates and Enrollments pages after the Issuing CA had been unassigned from an account. When the issue occurs on the Certificates page, a Not resolved label now appears in the Issuing CA column.

February 15, 2023


New organization identifier field

Added new subject DN field, Organization identifier (OID -, to the Generic User Certificate template.


API error in distinguished name parsing

Fixed an error that occurred when using the API to import a certificate.

Instant reporting error

Fixed an error where the instant reporting button failed to download data.

Known issues

Custom report button appears but does not work

On the Certificates page, the "Create report" dropdown menu shows an option to "Create custom report," but nothing happens when this is selected. This feature will be implemented in a future release; the button was displayed erroneously.

February 9, 2023



Translations added for all languages.


Edit connector details page not loading

Fixed an issue where users were not able to see the page for editing connector details.

CA Manager private profile creation with enrollment method as ACME shows blank page

Fixed an issue where users were not able to create a CA Manager profile.

February 8, 2023


DigiCert Trust Assistant

Cross-browser and cross-platform client for certificate provisioning and management on software keystores and hardware tokens. This initial release delivers:

  • Provisioning of RSA and ECDSA certificates to software keystores on Windows and macOS operating systems.

  • Provisioning of RSA and ECDSA certificates to hardware tokens such as Gemalto and YubiKey—see the Support Matrix page within the Client Tools page for details.

  • PIN management functionality for hardware tokens.

  • Generation of CSRs using a private key on a selected keystore or hardware token.


    Key size restrictions apply per token vendor.

  • Import and export of certificates. Supported formats: X509, PKCS#7, PKCS#12 and GLCK (a proprietary format consumed by the legacy PKI Client software used by PKI Platform 8 customers).

  • Manual and auto-update of the client.

The client is available as a new Enrollment Method for the Generic User Certificate template, and supports the following Authentication methods:

  • Manual approval

  • Enrollment code

  • SAML IdP

Check the Administration and User guides for more information.

Certificate tags

  • Ability to assign and manage tags for one or more certificates.

  • Allows users to assign tags of their choice which can later be used to filter data in views.

  • Available for all certificates issued or discovered by Trust Lifecycle Manager.

New Source column in views

A new Source column and filter have been added to views. Source is defined by how the certificate was discovered (API Discovery, CA connector, etc.).

Global Enrollment Code

Ability to configure a SCEP-enabled profile with a global enrollment code that will be used to automatically issue certificates via SCEP to unregistered devices, without the need to previously create a Seat or an Enrollment.

New User ID field and new data type for the UniqueIdentifier field

For the UniqueIdentifier field:

  • New Subject DN User ID field (OID - 0.9.2342.19200300.100.1.1) is supported by the Generic User Certificate template

  • For the existing Unique Identifier Subject DN field, the default encoding is BitString. From this release onwards, an additional data type (PrintableString) can be selected when configuring this field inside the profile wizard, so the Unique Identifier value can be formatted as either BitString or PrintableString. Supported by the Generic Private Server template.
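The two data types produce different bytes in the certificate's Subject DN, so anything that parses or matches the Unique Identifier has to handle both. The sketch below is an added example, not DigiCert code; the function names, the sample value, and the choice to carry the text's ASCII bytes as the BIT STRING content are assumptions.

```python
# Added illustration (not DigiCert code): DER encoding of one attribute value
# as BIT STRING versus PrintableString, and a type-aware decoder.

# PrintableString alphabet (X.680): letters, digits, space and '()+,-./:=?
PRINTABLE = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)
TAG_BIT_STRING = 0x03
TAG_PRINTABLE_STRING = 0x13


def _tlv(tag: int, content: bytes) -> bytes:
    """Build a DER TLV; short-form length only, enough for short DN values."""
    if len(content) > 127:
        raise ValueError("value too long for this short-form-only example")
    return bytes([tag, len(content)]) + content


def encode_bit_string(value: str) -> bytes:
    # Assumption: the text's ASCII bytes become the bit content.
    # The first content octet counts unused bits in the last octet (0 here).
    return _tlv(TAG_BIT_STRING, b"\x00" + value.encode("ascii"))


def encode_printable_string(value: str) -> bytes:
    illegal = sorted(set(value) - PRINTABLE)
    if illegal:
        raise ValueError(f"not PrintableString characters: {illegal}")
    return _tlv(TAG_PRINTABLE_STRING, value.encode("ascii"))


def decode_unique_identifier(der: bytes) -> tuple[str, str]:
    """Return (asn1_type, text) for either encoding, rejecting anything else."""
    if len(der) < 2 or der[1] > 127 or der[1] != len(der) - 2:
        raise ValueError("malformed or long-form TLV")
    tag, content = der[0], der[2:]
    if tag == TAG_BIT_STRING:
        if not content or content[0] != 0:
            raise ValueError("BIT STRING is not a whole number of octets")
        return "BIT STRING", content[1:].decode("ascii")
    if tag == TAG_PRINTABLE_STRING:
        return "PrintableString", content.decode("ascii")
    raise ValueError(f"unexpected tag 0x{tag:02x}")


SAMPLE = "EMP-1001"  # constructed sample value
```

The same text differs in tag and length between the two forms, so a relying party that compares raw attribute bytes will not match a BitString value against a PrintableString one.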


MariaDB upgrade

The internal MariaDB version was upgraded and qualified to use 10.6.11. This is of particular interest to DigiCert ONE on-premises customers.

Support for IP Address in ACME and Sensor Automation flows

Use IP addresses in place of domain names for private certificate issuance.

Updated application logo and email templates

  • Updated the application logo displayed within the administrator pages to not include the word “Manager”.

  • Updated email templates to be consistent across all application flows, including the same footer making use of the Admin contact detail variables that need to be set in order to be displayed within the email notifications.

  • Email subject lines displayed within the profile wizard are used as email subject values when sending email notifications.

  • The “Your certificate is ready” email template supports a new variable called Cert Common name. Account administrators can optionally add the new variable to this email template.

Profile wizard enhancements

Added the template use cases and description to the initial page when creating or editing a profile.

Breadcrumb changes

Updated the breadcrumbs for all the pages under the “Manage” menu item to reflect the correct navigational structure. Approval/rejection emails sent to administrators for profiles configured with the “Manual approval” flow now contain a URL with the word “manage” in the path.


URLs within emails that were already sent redirect to the new URL.

DigiCert Autoenrollment Server enhancements

Updated the DigiCert Autoenrollment Server to version with the below enhancements:

  • Updated references from Enterprise PKI Manager to Trust Lifecycle Manager.

  • Partially masked the API KEY value within the Autoenrollment Server logs—only the first four characters are displayed in the log.

Friendly country list

Enhancement to only display the allowed country list with their 2-letter ISO country codes as part of dropdown lists within various application locations:

  • Admin-based enrollment pages

  • Profile wizard, when selecting a fixed Country value

  • Public-facing enrollment pages for end-users to select when enrolling for a certificate

Show "-" if there is no data in the table

For all data tables including certificate views, if there is no data for a given row, a hyphen is shown to represent “no data”.

Add validation in create automation flows for wildcard and SAN use cases

Added validation, based on CertCentral product settings, for wildcard products and for products that support SANs.

Sensor v3.8.54 release

The sensor copyright version changed to 2023.


Auto-refresh for views

Removed auto-refresh for all views except the Managed Automation view. Streamlined refresh to be inline for the grid alone instead of refreshing the whole page. Auto-refresh preserves user state and ongoing actions.

Intune Device template

Resolved a misconfiguration issue with the Device Authentication for Microsoft Intune (SCEP) template that auto-copied the Common Name value to the DNS Server field and caused errors with CA Manager.

DigiCert Autoenrollment Server

Resolved a connection issue against the Hello API endpoint that was introduced after last month's rebranding.

Revocation of imported certificates

Resolved an issue that prevented revocation of certificates associated with the Imported seat type, which were uploaded to an account via the certificate-import API endpoint.

Known issues

DigiCert Trust Assistant—ECDSA p-521 error

Key pair generation using ECDSA NIST p-521 curves on Windows and macOS keystores fails with a csr_signature_failed error. Smaller curve sizes (p-256 and p-384) work successfully.

January 11, 2023


Application rebranding

Updated all references to Enterprise PKI Manager to reflect the product’s new name: Trust Lifecycle Manager.

Rebranded the Enterprise PKI Manager application to Trust Lifecycle Manager. Assets that have been rebranded include:

  • Product/administration portals

  • DigiCert documentation and API websites

  • Email templates

  • Knowledgebase articles

Additionally, the “EPKI” certificate view has been removed from the default system views. Customers can make use of the “All Certificate” system view to filter the same certificate data and create their own custom views.

Issuance of Public S/MIME certificates via DigiCert PKI Platform 8

The new Public S/MIME Secure Email (via PKI Platform 8) certificate profile template leverages DigiCert PKI Platform 8 to issue public S/MIME RSA email signing and encryption certificates linked to a user seat.

Certificate requests can be enrolled and authenticated by these methods:

  • Enrollment method: Browser PKCS12 or DigiCert Trust Assistant. Authentication method: Manual approval, Enrollment code, or SAML IdP.

  • Enrollment method: Third-party application. Authentication method: Enrollment code.

To learn more about this feature, see Public S/MIME Secure Email (via PKI Platform 8) template.


  • Existing PKI Platform 8 customers can simply share the API key with their DigiCert ONE Trust Lifecycle Manager account, where a new profile will be created to issue the Public S/MIME certificates. A matching profile will be automatically created within the PKI Platform 8 account.

  • Certificate lifecycle operations for Public S/MIME certificates issued via a DigiCert ONE Trust Lifecycle Manager account must be carried out within that account.

Managed automation - sensor DV

Issue DV certificates on sensor connections managed using certificate lifecycle automation. Create DNS integrations that allow sensors to fulfill DCV challenges to issue DV certificates to appliances and cloud providers.

Bulk actions on certificate lifecycle

In case of compromise or account consolidation, select more than one certificate to renew or reissue certificates in bulk.

  • Admins can select more than one certificate from the Certificate section and trigger automation.

  • Admins can use APIs to bulk reissue certificates.

CertCentral Connector

With this release we are introducing the TLM connectors framework. This framework will help drive integrations in the future.

A new CertCentral connector is being added to:

  1. Issue private and public certificates. (Existing functionality will now use the connector instead of the CertCentral linking page.)

  2. Discover certificates. Certificate data can now be pulled from a linked CertCentral account into TLM.

    1. Users can define what data should be imported (valid certificates, certificates expired in last x days, revoked certificates).

    2. This data can be assigned to a BU at import and also tagged with user-defined labels. These labels will be available for search in the certificate views in a future release.

With the introduction of connectors, the “Link to CertCentral” feature is rolled into the CertCentral Connector.


The “Link to CertCentral” page is no longer available.

Domain control validation for OV/EV using ACME

Customers can now perform domain control validation (DCV) for pre-validated OV/EV organization Public TLS certificates from CertCentral using ACME.

With this release, clients can demonstrate domain control using either DNS (ACME DNS.01) or HTTP (ACME HTTP.01) methods for their OV/EV requests. This option is only available when other organization and extended validations are already completed.


ACME - Skip validation for prevalidated domains

The TLM ACME server no longer creates challenge requests for prevalidated domains during ACME flows.

This simplifies client-side workflows that previously required the client to host a dummy validation. This in turn means that:

  1. Cert-manager: the client can bypass the challenge creation and validation step.

  2. Certbot: hosting a dummy challenge on port 80 (with the requirement that port 80 not be used by any other service) is no longer needed.

CA Manager - Private certificate automation on appliances

Most appliances such as F5 and Citrix ADC require that an organization be specified when creating a CSR during automation. CA Manager - Private Server has been enhanced to accept an organization that can be used for such automation workflows.


Automation certificate profiles

Fixed an issue with the creation of automation certificate profiles.