Enterprise PKI Manager
Enhancements
SCEP Service - Support for the provisioning of certificates via Simple Certificate Enrollment Protocol (SCEP), authenticated via a unique Enrollment Code that is pre-registered against a Seat ID. The SCEP server accepts both HTTP and HTTPS POST and GET requests for all SCEP operations. A new Enrollment Method called "SCEP" must be selected when creating a profile that is to be used to issue certificates via the SCEP protocol. Operations supported by this initial SCEP release are, based on IETF's 'draft-gutmann-scep-16' specification (https://tools.ietf.org/id/draft-gutmann-scep-16.html):
GetCACaps
- to retrieve the capabilities (operations and algorithms) the SCEP service supports. It supports both a generic URL to retrieve the capabilities without authentication (https://one.digicert.com/mpki/api/v1/scep/cgi-bin/pkiclient.exe?operation=GetCACaps), and a URL based on your certificate profile ID (https://one.digicert.com/mpki/api/v1/scep/PROFILE-GUID/cgi-bin/pkiclient.exe?operation=GetCACaps)GetCACert
- to download the Issuing CA certificate bound to your SCEP-enabled profilePKIOperation-PKCSReq
message - to enroll for a certificate against your SCEP-enabled profile
Audit Log Enhancements - The audit trail logs page has been enhanced to also log failed SCEP transactions and show the corresponding error message, to help customers troubleshoot their SCEP-based integrations.
Profile Certificate Fields Redesign - Redesign and enhancements to the way fields are added and configured to a profile:
Selection of certificate fields is based on a drop-down list, from where you can select multiple fields to be added to your profile in a single step
Each field now has its own individual data source, e.g. Fixed value, Entered manually, SCEP request
Each data source can be configured as Required or Optional
For newly created profiles, you can now add/delete/reconfigure certificate fields once the profile has been saved.
注記
For existing/saved profiles with fields set as Required, you will NOT be able to delete such fields. If required, you must create/clone a new profile.
REST API Enhancements
Enrollment end-point: Ability to set an enrollment code and its expiry date against a Seat ID via the enrollment REST API end-point. Check the updated Swagger API documentation for details.
Certificate authentication: support for certificate-based authentication instead of using an API KEY. You must create/download a Client Authentication certificate (in PKCS12 format) from the Account Manager application, which can then be used to configure your REST Client application to strongly authenticate to your account/profile. Profiles configured with the "REST API" enrollment method have been updated with a section that allows you optionally bind a User on your account against a specific profile. The REST API end-point for certificate-based authentication must be prefixed with 'clientauth', e.g. https://clientauth.one.digicert.com/mpki/api/v1/hello