Enterprise PKI Manager
New and enhancements
Microsoft Autoenrollment - New major feature that facilitates automatic certificate deployment and renewal to network computers and end users connected to a Windows domain, via the DigiCert Autoenrollment Server (an on-premise application). Enrollments are authenticated via Active Directory, and certificate requests to DigiCert ONE Enterprise PKI Manager are performed silently by the Windows autoenrollment client when domain users log onto the network. This solution can also be used to automate the provisioning of server certificates to domain-connected servers such as IIS Web Servers.
Supported certificate templates:
Generic User Certificate
Generic Device Certificate
Generic Private Server Certificate
You can download the DigiCert Autoenrollment Server from the Resources > Client Tools page within the Enterprise PKI Manager application. The DigiCert Autoenrollment Server integration guide (PDF) is available from the below Knowledge Base (KB) page - this URL is also available on the Microsoft Autoenrollment client tools page:
This initial Microsoft Autoenrollment solution does not support:
ECDSA certificates - only RSA
Setting Fixed Values when creating the certificate profile - values can only be read from Active Directory attributes
Certificate-based authentication - only API KEY authentication
Domain Controller certificates - a new template will be delivered with a future release
Private S/MIME Secure Email
New template that allows issuance of Private certificates that can be used for S/MIME (signing/encrypting emails), offering two key escrow options:
DigiCert cloud key escrow
- DigiCert creates and securely escrows/backs up your certificate private key, which can then be recovered by an authorized administrator or service user API key with the appropriate permissions (RECOVER_EM_CERTIFICATE
)No escrow
- Your certificate private key is not escrowed/backed up
The template supports the following authentication methods:
Manual Approval
Enrollment Code
SAML IdP
When enabling the DigiCert cloud key escrow option, a further option will be available to
Enable dual admin recovery
flow.Two new table columns are available on the Certificates page to help search for and visualize which certificates are escrowed and their corresponding dual recovery status:
Escrowed
: shows what certificates are escrowedDual recovery status
: shows the status of the escrow process (N/A
,Not initiated
,Pending 2nd approver
,Recovery approved
)注記
Once a certificate has been recovered, its status will go back to the initial state >
Not initiated
, requiring 2 approvers before being recovered again.
API Enhancements
Approve/Recover endpoints - New approve and recover API endpoints to allow for the approval and recovery of escrowed certificates, for profiles configured with the "DigiCert cloud Key Escrow" option, using API keys with the appropriate
RECOVER_EM_CERTIFICATE
permission:/mpki/api/v1/certificate/escrow/approve/{serialNumber}
: to approve a recovery request, for profiles configured with the Dual admin recovery option./mpki/api/v1/certificate/escrow/recover/{serialNumber}
: to recover the escrowed certificate (in PKCS12 format, with password). If the profile is configured with the "Dual admin recovery" option, the approve endpoint needs to receive 2 approval requests, from 2 different API keys.
Certificate-import endpoint - Enhancements to the certificate-import API endpoint to support special characters (e.g. commas, full stops) within the Common Name.
API documentation updates - Added detailed enhancements to the API documentation on our Swagger UI pages (Resources -> API Reference) to ease API integration.
DigiCert Desktop Client Enhancements
Windows 11 - Qualified support for Windows 11
Certificate delivery format - Added support for choosing the delivery format of the certificate for both software keystores and hardware tokens. This is configured as part of the Certificate options > Certificate delivery format section of the certificate profile wizard.
Security Enhancements
Profile access from another account - Restrict access to profile View and Edit pages from different accounts when manually modifying a profile link. Note that all related profile resources (e.g. CA, BU) were already unavailable in this scenario, but this enhancement blocks access to the page completely.
Restricted HTTP headers - Configured the application to have 'X-Frame-Options' and 'Content-Type-Options' HTTP headers set to deny.
Other Enhancements
Days to expiration - Added a new Days to expiration column to the Certificate Report page to help identify what valid certificates are due to expire.
Fixes
[DOEPM-2541] Fixed issue when using Azure AD as a SAML IdP provider and the SAML IdP-initiated flow.
[DOEPM-3064] Improved the performance of the Enrollment Code report page.
[DOEPM-3088] For profiles configured with the SCEP enrollment method, we now check profile validity period settings when redeeming a SCEP enrollment instead of the validity period stored for the enrollment in the database. This is to accommodate for the validity period being updated within the profile whilst the enrollment has not yet been redeemed by a SCEP client. Also, removed the "Override validity" option in the profile wizard since this setting does not apply for SCEP enrollments.
[DOEPM-3177] Fixed issue which hid the last column filter within tables when too many columns were selected.