Enterprise PKI Manager
New and enhancements
Microsoft Intune integration via SCEP - Support for issuance of private authentication certificates via the Microsoft Intune service via two new certificate templates that make use of the SCEP enrollment method and a new authentication method called Azure Auth
:
User Client Authentication for Microsoft Intune (SCEP)
Device Client Authentication for Microsoft Intune (SCEP)
When configuring a profile from the above templates, you will require to enter your Intune tenant/account details under the “Authentication method” section:
Application ID
Client Secret
Tenant Name
Support for certificate revocation: when retiring or deleting a device from the Azure Portal, a revocation request is sent to the CA, which is picked up asynchronously on an hourly basis, and the Serial Number for the revoked certificate will be included within the next generation of the Certificate Revocation List (CRL), typically published every 24 hours. If the associated Intune profile is configured to enable email revocation notifications, the end-user will receive an email stating his certificate has been revoked.
참고
Refer to this Knowledge Base article to access the Intune integration guide
Windows Hello for Business - Hybrid Certificate Trust model - Support for Windows Hello for Business (WHfB) Hybrid Certificate Trust model using the DigiCert Autoenrollment Server running on a domain-joined Windows Server 2022 to deliver a 'passwordless' solution that doesn't require end-users to remember their Active Directory credential (username/password) every time they authenticate to the network from their workstation.
The WHfB solution supports the below new certificate templates:
Windows Hello for Business Authentication
: to automate the issuance of user certificates that can be used to strongly authenticate a user’s device to a Domain Controller (1st factor) by unlocking access to the private key associated with such user authentication certificate with a gesture (a 2nd factor), e.g. a PIN, a biometric (fingerprint or face)Microsoft® Enrollment Agent
: to automate the issuance of Microsoft® Enrollment Agent certificates that allow for certificate enrollments on behalf of another entity in your Active Directory domains.주의
For Windows Hello for Business user authentication, the Service User must be bound to a certificate in Account Manager. The DigiCert Autoenrollment Server uses such certificate (also referred to as a Registration Authority certificate) for client authentication.
참고
Refer to this Knowledge Base article to access the WHfB integration guide
DigiCert Autoenrollment server enhancements - New DigiCert Autoenrollment Server binary available for download from the Resources → Client Tools page, version 2.22.2.0
The new binary includes support for:
“Fixed value” field source for profiles configured with the “Microsoft Autoenrollment” enrollment method.
Certificate-based authentication using a software keystore (a PKCS12 file) that is downloaded from Account Manager for a given Service User, which is required for the Windows Hello for Business use-case.
참고
Refer to this Knowledge Base article to access the WHfB integration guide
Seat licensing consumption changes - Changed the Seat/licensing consumption logic from creating Seats (current implementation) to only consuming a Seat if there is at least 1 valid certificate issued against the Seat. Additionally:
Introduced a new "Created" label for every seat type in the Dashboard, showing the number of created seats. Note: The Allocated Seats amount is not a hard limit for the Business Unit. Unique Seat IDs can be created beyond the allocated amount for the Business Unit.
Added helper text to the “Seat management” component within the Dashboard to explain the meaning of Consumed/Allocated/Created seats.
Consumption warning icon updates:
The Consumed value will turn amber and will display a warning icon when it exceeds 75% of the allocated licenses for a given Business Unit.
The Consumed value will turn red and will display an error icon when it exceeds 90% of the allocated licenses for a given Business Unit, or reaches the maximum allocated licenses.
Important notes seat licensing
You can create as many Seats against a given Seat Type within a Business Unit in your account. But, will only be counted as ‘consumed’ when at least one certificate is successfully issued against it, and is in Valid status.
For on-prem DigiCert ONE customers, you will not be able to issue unique certificates if the maximum number of allocated Seats to a Business Unit has been consumed. You MUST contact your System Administrator to increase the license on your account. The sum of allocated Seats for every account can not exceed the platform-wide license limits. Contact DigiCert to update your platform-wide license.
New Domain Controller certificate template - The new Domain Controller template allows for profiles to be configured for the issuance of Windows Domain Controller certificates via the following enrollment methods:
REST API
CSR
Microsoft Autoenrollment
When using the "Microsoft Autoenrollment" method you can auto-enroll and auto-renew the certificate required for your Domain Controller server using the DigiCert Autoenrollment Server, and either an API Key or a software certificate for authentication.
Other enhancements
Certificate Report page changes - Modified the Certificate Report page logic to show up to the last 5000 audit report records, and set a default cert event from date filter of the last 30 days. Added a warning message to the page stating: "This table can retrieve and display a maximum of 5000 records. Use filters to decrease search results and speed up data retrieval."
Enrollments page enhancements - Enhancement applied to table displayed within the Enrollments page, where if an enrollment code is set to not expire we will show No expiration for the "Expiration date" cell, and for enrollments not configured with an enrollment code authentication method (e.g. Manual Approval or SAML IdP), we will show N/A in the cell.
Subject DN ordering - Added support to order the Subject DN fields when creating or editing a profile.
Deletion of pending enrollments when deleting a profile - Added a warning to the profile deletion pop-up window to state that all pending enrollments will be automatically rejected when deleting a profile. This applies to enrollments in both 'Pending' and 'Pending 2nd approval' statuses.
CSV upload support for BOM characters - Allow CSV file uploads containing BOM (Byte Order Mark) hidden characters.
Internal enhancements
Updated the application to make use of Java 17.