Skip to main content

Trust Lifecycle Manager

Release notes

March 20, 2024

DigiCert® ONE version: 1.7083.4 | Trust Lifecycle Manager: 1.2674.0

New

Sensor release v3.9.0

New DigiCert sensor release with the following updates:

  • Refactored sensor-to-Trust Lifecycle Manager communication from SOAP to REST.

  • Stability fixes.

Enhancements

Enhanced automation actions

Optimized certificate lifecycle workflow actions on the Inventory page:

  • Switch action allows switching a deployed certificate to any supported CA (previously "Switch to DigiCert").

  • Request a certificate action allows users to issue a new certificate from the same CA.

  • Renew/Reissue actions remain unchanged for CAs that support them.

Streamlined SAML web enrollment flow

Streamlined the SAML-based web enrollment flows to bypass the “Create enrollment” step if no user input is required and the “Cloud Key Escrow” option is disabled in the profile. This streamlined SAML enrollment flow only presents a single page ("Install certificate").

If the “Cloud Key Escrow” option is enabled in the profile (e.g. for S/MIME use-cases) we will continue to show an intermediate page with a warning to the user alerting about the private key being escrowed in the cloud, hence not bypassing this page. We renamed this page from "Create enrollment" to "Enrollment request" and the button from "Create" to "Submit".

"Enrollment status change" email template for enrollment code flows

Profiles configured with the Enrollment code authentication method now have access to an additional email template that can be enabled in the Email configuration and notifications section of the profile to notify end users when their enrollment status changes from "created" to "rejected", "expired", or "redeemed". We renamed this notification type from "Enrollment status is either rejected or expired" to Enrollment status change (rejected, expired, redeemed).

Fixes

Inventory page issue due to deleted profiles

Resolved issue with the Inventory page not loading properly when encountering certificate profiles that had been deleted.

Certificate delivery format for Public S/MIME (via CertCentral) API requests

Resolved issue with incorrect certificate delivery format for profiles configured from the Public S/MIME Secure Email (via CertCentral) template using the "REST API" enrollment method and with the “Cloud Key Escrow” option disabled (i.e. non-escrow).

SCEP URL with additional "/" character

Resolved issue with the SCEP service no longer accepting SCEP requests containing a “/” character at the end of the "pkiclient.exe" resource inside the URL (e.g. "https://one.digicert.com/mpki/api/v1/scep/<profile-guid>/cgi-bin/pkiclient.exe/?operation=GetCACert").

Sensor list not being sent to agent

Resolved issue with sensor list not getting updated to agents when a sensor is added or removed. This fix ensures that proxied agents have the latest sensor list available for failover scenarios.

Unable to change "start now" scan to scheduled

Resolved issue with being unable to edit a "start now" network scan to use the "schedule for later" option instead.

March 13, 2024

DigiCert® ONE version: 1.7083.2 | Trust Lifecycle Manager: 1.2639.0

Enhancements

Multiple CertCentral connectors

Added support for more than one CertCentral CA connector:

  • Connect to multiple CertCentral accounts across US and EU regions.

  • For each connector, map the CertCentral divisions for imported certificates to respective business units in Trust Lifecycle Manager.

  • When creating certificate profiles from a CertCentral CA connector, set the CertCentral division to use to issue new certificates from each profile.

For more information, see Link to DigiCert CertCentral.

Fixes

Duplicate certificate issue

Resolved issue with issuing duplicate certificates for public products when passing the orderid in the request URL.

March 7, 2024

DigiCert® ONE version: 1.7083.1 | Trust Lifecycle Manager: 1.2616.0

Fixes

Disabled enrollment methods

Resolved issue with not being able to create profiles from the "Generic" and "Private S/MIME" certificate templates due to the enrollment method dropdown being disabled.

March 6, 2024

DigiCert® ONE version: 1.7083.0 | Trust Lifecycle Manager: 1.2609.0

New

Self-service portal

New public-facing web portal allows end users to search for and download certificates associated with profiles for which the Self-service portal option has been enabled by an authorized administrator.

Profiles configured with the following web-based enrollment methods support this new self-service option:

  • Browser PKCS12

  • CSR

  • DigiCert Trust Assistant

  • EST

  • Microsoft Autoenrollment

  • REST API

  • SCEP

Authorized administrators can use the Settings > Self-service portal menu function to enable or disable access to the self-service portal and get the portal URL or QR code to share with end users.

The self-service portal can also inherit custom branding configured via the Settings > Branding menu function.

Aviso

The Self-service portal feature must be enabled on your account.

Currently, the self-service portal is only available in English. Support for additional languages will be added soon.

For more information, see Self-service portal.

Sensor release v3.8.66

New DigiCert sensor release with the following updates:

  • Bug and stability fixes for F5 BIG-IP network appliances.

Enhancements

DigiCert Autoenrollment Server enhancements

Updated the DigiCert Autoenrollment Server to version 2.24.2.0 with the following enhancements:

  • Custom private extensions that can be used to dynamically retrieve values from Active Directory based on the profile configuration.

  • New Subject Distinguished Name (DN) fields:

    • Title

    • Given name

    • Surname

    • DN qualifier

For more information, see the DigiCert Autoenrollment Server guide.

Upload PKCS12 certificates

Enhanced the REST API certificate-import endpoint and the DigiCert Import Tool (available from your DigiCert representative upon request) to support uploading end-entity escrowed certificates (PKCS#12 files with their passwords) into a specified business unit, with or without their issuing CA being previously loaded and configured into your account.

Uploaded certificates get automatically bound to one of the below seat types based on whether the issuing CA is available in your account or not:

  • Imported seats: For certificates (whether escrowed or not) with their associated issuing CAs available in your account. Authorized administrators can manage lifecycle operations for these certificates in Trust Lifecycle Manager (for example, revoke, suspend/resume, or recover). Available management actions depend on the type of certificate uploaded.

  • Discovery seats: For certificates without their associated issuing CAs available in you account. Authorized administrators with the appropriate Key Recovery role can download and recover this type of certificate in Trust Lifecycle Manager.

For more information, see Import externally issued certificates using the API.

eIDAS Natural Person - additional Subject DN fields

Added support for the Organization Identifier and Organization Unit Subject Distinguished Name (DN) fields to the following two eIDAS Natural Person certificate templates:

  • eIDAS Electronic Signature Certificate (Natural Person with QSCD)

  • eIDAS Electronic Signature Certificate (Natural Person)

Aviso

Contact your administrator if these certificate templates are not available in your account and you need access to them.

Certificate delivery format profile enhancement

For profiles configured to use a self-signed issuing CA, we enhanced the Additional options: Certificate delivery format step in the profile configuration wizard to dynamically hide the Include CA chain with Root CA and Include CA chain without Root CA PKCS#7 options.

Cause and solution for agent automation errors

Enhanced error messaging to show errors and recommended solutions to help users quickly remediate and retry issues with certificate lifecycle automations managed via DigiCert agents.

Support for CertCentral duplicate certificates

Added support for issuing duplicate certificates from CertCentral during automation events, by selecting the new "get duplicate certificate" option when scheduling the automation. If selected, the request is passed on to CertCentral and the CA there will issue a duplicate if a matching certificate is found. If no match is found, a new order gets created instead.

This feature must be enabled on a per-account basis and is available for certificate profiles configured with the following enrollment methods:

  • Admin web request

  • DigiCert agent

  • DigiCert sensor

  • 3rd-party ACME client

Aviso

To issue a duplicate certificate from an existing CertCentral order, make sure all these conditions are met:

  • Order is active, already had a certificate issued, and has enough remaining validity to fulfill the request.

  • Selected certificate profile is for the same product and organization, and organization is currently validated.

  • Requested common name matches the order, and any requested SANs match or are a subset of the order.

  • None of the requested domains include wildcards.

Fixes

Profile cloning issue with SCEP

Resolved issue with SCEP-based cloned profiles not retaining all the SCEP configuration.

February 21, 2024

DigiCert® ONE version: 1.6887.3 | Trust Lifecycle Manager: 1.2554.0

Fixes

Scheduled report issue

Resolved the issue with not being able to generate scheduled certificate reports.

Issuer Alternative Name (IAN) issue

Resolved an issue with signing certificates with an empty value inside the Issuer Alternative Name (IAN) extension, for certificate profiles configured from templates that support this extension.

ServiceNow app

Version 1.2.1

Released ServiceNow Trust Lifecycle Manager app version 1.2.1 to support Washington version.

This release also resolves the issue with DigiCert email notifications getting sent out when creating approvals for any source table.

For more details, check the app listing in the ServiceNow Store.

February 14, 2024

DigiCert® ONE version: 1.6887.2 | Trust Lifecycle Manager: 1.2527.0

Enhancements

Public Client Authentication (via CertCentral) template

Enhanced the Public Client Authentication (via CertCentral) template to support a new CertCentral product type called Client Authentication Email Subject:

  1. Added support for additional Subject Distinguished Name (DN) fields:

    • Email

    • Organization unit (multiple)

  2. Added support for the CSR enrollment method.

  3. Checked and disabled the Key usage and Extended key usage fields, since they will always be included by the new CertCentral product type.

Atenção

Important Notes

  • In order to support these new fields, you must enable the new CertCentral Client Authentication Email Subject product type and have enough certificate units assigned to it, matching the required User seats in Trust Lifecycle Manager.

  • Existing certificate profiles in Trust Lifecycle Manager will continue to work, but we strongly recommend that you contact your DigiCert representative to reassign your CertCentral certificate units to the new product type and benefit from the new features.

This release also resolves the known issue raised in the previous release related to the SAN:rfc822Name value not being included within the signed certificate.

Audit logs for CMP protocol

Enhanced the Audit logs to support certificate lifecycle operations carried over from the CMP protocol using existing audit log resources and event types from the Public S/MIME Secure Email using CMP (via CertCentral) template ("Limited" scope).

Fixes

Certificate renewal issue

Resolved regression issue that prevented the renewal of certificates that contained a State field within the Subject Distinguished Name (DN).

Issuer Alternative Name (IAN) issue

Resolved issue with not being able to include the Issuer Alternative Name (IAN) extension in signed certificates.

February 7, 2024

DigiCert® ONE version: 1.6887.0 | Trust Lifecycle Manager: 1.2499.0

New

New CA support - Let's Encrypt

Added support for issuance of public TLS certificates from the Let's Encrypt CA using the following enrollment methods:

  • DigiCert agent (all supported applications)

  • DigiCert sensor (support for F5 BigIP LTM, AWS ELB, and AWS Cloudfront)

  • 3rd-party ACME client

Added a new certificate template (Let's Encrypt Public Server Certificate), a new Let's Encrypt connector, and a new Sensor release (v3.8.65) to support automation flows for Let's Encrypt certificates.

To learn more, see Link to Let's Encrypt.

Atenção

Known limitation: Sensor-based automation using Let’s Encrypt is not supported for A10 or Citrix ADC network appliances.

Branding - themes

Extended our branding capabilities, allowing further customization of public-facing enrollment pages with different color themes based on the following configurable items:

  • Font family

  • Base font size

  • Info/helper text color

  • Link color

  • Footer text color

An enhanced preview functionality is also available to show the look and feel after applying the theme configuration.

Configure this new feature from the Settings > Branding > Theme selection page.

Fixes

Public S/MIME using CMP issue

Resolved an issue with certificates not being issued when using the Public S/MIME Secure Email using CMP (via CertCentral) template.

REST API certificate issuance issue

Resolved an issue that prevented certificate issuance when the REST API-based certificate profiles were set with a mix of fixed and dynamic Subject DN fields.

February 2, 2024

DigiCert® ONE version: 1.6665.8 | Trust Lifecycle Manager: 1.2472.0

Fixes

Sensor-based automation of CertCentral certificates

Resolved an issue with CertCentral CA connectors impacting sensor-based automation flows.

February 1, 2024

DigiCert® ONE version: 1.6665.7 | Trust Lifecycle Manager: 1.2469.0

New

Citrix Federated Authentication Service (FAS) integration

New set of certificate templates available to support integration with Citrix Federated Authentication Service (FAS) for issuance of private authentication certificates onto virtual machines via the DigiCert Autoenrollment Server (version 2.24.1.0 required).

The integration requires three certificate profiles in Trust Lifecycle Manager, one each created from the three new templates:

  • Citrix FAS Registration Authority Manual Authorization (Server seat type): Enables Citrix Federated Authentication Service to issue “Citrix FAS Registration Authority” certificates. This template is not used during the integration but is required to proceed.

  • Citrix FAS Registration Authority (Server seat type): Enables Citrix Federated Authentication Service to issue certificates on behalf of Citrix users in your Active Directory domain.

  • Citrix FAS Smartcard Logon (User seat type): Enables Citrix Federated Authentication Service to issue certificates to Citrix users in your Active Directory domain.

For details about how to set up the integration, see Citrix FAS.

Cloud key escrow and recovery for “Public S/MIME Secure Email (via CertCentral)” template

Support for cloud key escrow and recovery of end-user public S/MIME sponsor-validated certificates issued from CertCentral using the existing Public S/MIME Secure Email (via CertCentral) template, for these enrollment methods:

  • Browser PKCS12

  • DigiCert Trust Assistant

  • REST API

Key recovery can be initiated by authorized administrators or API users with the Trust Lifecycle Manager "Recovery manager" role enabled. Certificate profiles can be configured to force a dual-admin recovery flow, where two account administrators (or API users) are required to complete the recovery of an end-user escrowed certificate.

Public client authentication

Support for issuance of public client authentication certificates issued from a CertCentral-shared issuing CA that chains up to a trusted root CA, using the new Public Client Authentication (via CertCentral) template in Trust Lifecycle Manager. This template consumes CertCentral certificate units from the "Authentication Plus" product type and supports the following enrollment methods and their associated authentication methods:

  • Browser PKCS12

  • DigiCert Trust Assistant

  • Microsoft Autoenrollment

  • REST API

Aviso

When using the Public Client Authentication (via CertCentral) template, the location-based Subject DN fields get automatically retrieved from your CertCentral account's validated organization details and added to the issued certificates.

Atenção

Known limitation: This template only supports one Subject Distinguished Name field: the Common Name. Support for multiple OU fields will be included in a subsequent release.

Known issue: The SAN:rfc822name field is mandatory and an email value must be provided by end users or API, however it is not currently being included within the signed certificate.

Enhancements

Seat ID mappings

Enhanced the list of unique fields supported by the Seat ID Mapping dropdown in the profile creation wizard. The two new fields are:

  • User identifier

  • Pseudonym

Fixes

Duplicate certificate issue

Resolved issue that prevented the successful signing of duplicate certificates with profiles configured with Subject Distinguished Name (SDN) optional fields set as 'multi-value' when the certificate request did not contain the matching 'multi-value' fields in the SDN.

Renewal issue

Resolved issue that prevented the renewal of certificates that contained a State (ST) field within the Subject Distinguished Name (SDN).

January 24, 2024

DigiCert® ONE version: 1.6665.5 | Trust Lifecycle Manager: 1.2446.0

Enhancements

CertCentral connectors: default import frequency updated to 24 hours

Updated the default certificate import frequency for CertCentral connectors to 24 hours (from 15 minutes previously). You can still change it to any desired value, as before.

Managed automation for Microsoft CA can now add first SAN as the CN in certificates

DigiCert agent-based automation flows now support adding the first SAN as the CN in certificates issued via Microsoft CA.

To enable this, use the Windows Server certutil command to update the Microsoft CA configuration to allow override of the CN in certificates, as follows:

certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT

Restart the Microsoft CA service after making this command for changes to take effect.

January 18, 2024

DigiCert® ONE version: 1.6665.4 | Trust Lifecycle Manager: 1.2428.0

Fixes

Issue with "Next" button when configuring custom extensions

Resolved issue where the Next button was disabled when configuring custom extensions in a certificate profile.

Renewal issues

Resolved some issues with not being able to renew certificates.

January 17, 2024

DigiCert® ONE version: 1.6665.3 | Trust Lifecycle Manager: 1.2424.0

Enhancements

Certificate import REST API

Updated the Inventory controller certificate-import REST API endpoint to support the equal (=) symbol as part of the Subject DN Common Name (CN) field.

January 10, 2024

DigiCert® ONE version: 1.6665.2 | Trust Lifecycle Manager: 1.2402.0

New

Optional overconsumption of seats/certificates

Added a new "overconsumption" feature that allows for the overconsumption of seats and certificate issuance from business units in Trust Lifecycle Manager. DigiCert ONE system administrators can enable this feature from the Account Manager application.

Sensor release v3.8.64

New DigiCert sensor release with the following updates:

  • Stability enhancements.

  • Bug fixes for A10 load balancer.

Enhancements

LDAP searches by email address

Enhanced the LDAP service to support searching certificates (via an LDAP client) using email addresses contained within the SAN:rfc822Name extension.

Custom labels for multiple fields

Added support for custom labels when configuring a certificate profile with a field (for example, OU) that has a multiple checkbox set. This allows each individual field to show a different custom label in public-facing pages, in multiple languages if required.

Updates to "Generic Device Certificate" template

Added support for the “Non repudiation” key usage and SAN:userPrincipalName (UPN) extensions to the Generic Device Certificate template.

eIDAS templates

Updated the eIDAS Natural and Legal Person templates to support a wider set of key usage combinations, following ETSI guidelines.

Honor CA Manager allowlist settings for 3rd-party ACME enrollment

Extended the ability to allowlist domains and IP addresses for the 3rd-party ACME client enrollment method from the CA Manager Private Server Certificate template.

Lifecycle actions for certificates enrolled via "Admin web request"

Added lifecycle actions for certificates originally enrolled through the admin web request workflow. This allows administrators to renew or reissue these certificates from their Inventory views.

Fixes

Public S/MIME profile issue when using CertCentral in Europe

Resolved issue with not being able to create certificate profiles from the Public S/MIME Secure Email (via CertCentral) template, for DigiCert ONE in Netherlands and Switzerland using the European CertCentral platform.

December 13, 2023

DigiCert® ONE version: 1.6573.2 | Trust Lifecycle Manager: 1.2366.0

New

DigiCert Trust Assistant - post-processing scripts for Windows (AD Publish)

Added a new DigiCert Trust Assistant post-processing script enabling the automated publication of a user's X.509 certificate to the userCertificate attribute within the Active Directory.

You can enable the post-processing script for S/MIME certificate templates:

  • Public S/MIME Secure Email (via CertCentral)

  • Private S/MIME Secure Email

Enhancements

DigiCert Trust Assistant - post-processing script for Outlook

In this release, we expose the internal validation checks required for the Outlook post-processing script to successfully configure Outlook with the installed certificate.

Internal validation checks:

  • Access to CRL and OCSP services via the URLs inside the CRL Distribution Point (CDP) and Authority Information Access (AIA) extensions

  • CA chain validation (including the Root CA)

Fixes

Certificate Policy validation for eIDAS templates

Resolved the Certificate Policy OID validation issue with the five eIDAS templates.

Importante

Customers using these templates must mark the CAs created or uploaded onto the DigiCert® CA Manager application as “Qualified.” Otherwise, the Issuing CAs will not be shown when creating a profile from the eIDAS templates.

To mark the CAs as "Qualified, in the Create ICA flow, use the “Get a CSR from DigiCert ONE and sign with your own CA” option, and then select the “Qualified” option.

Renewal options in the revocation email template

Removed the list of renewal checkboxes within the revocation email template configured within a profile.

Unwanted certificate fields in the public-facing pages

Removed the internal profile fields appearing on public-facing pages (for example, we removed the key usage field).

Latest sensor not working when set up as a proxy

In the latest sensor release, v3.8.63, we fixed the bug in sensor version v3.8.62, restricting agents from using the sensor as a proxy.

Deleting the Azure Key vault connector marks the CC connector as "Action needed"

When deleting the Azure Key vault connector (and other connectors), the CC connector is no longer marked as Action needed.

Support TLM-ACME server with Ansible

Added support for the Ansible ACME Client in the TLM-ACME server.

December 7, 2023

DigiCert® ONE version: 1.6392.5 | Trust Lifecycle Manager: 1.2350.0

New

Nota

Removed the DigiCert Desktop Client enrollment method from the Generic User Certificate template, which is no longer supported. If you are making use of the DigiCert Desktop Client in a profile, use the DigiCert Trust Assistant client instead by cloning your profile and selecting it as the new enrollment method. For new profiles, simply select the DigiCert Trust Assistant enrollment method. See the online documentation for details of its functionality.

FQDN and IP addresses allowed list for server requests

New feature that allows authorized profile administrators to configure a list of FQDN and IP addresses that are allowed to be included within private server certificate requests and checked against a profile-based ‘allowed list’ before issuance. Certificate request fields that will be checked are:

  • SAN:dnsName

  • SAN:ipAddress

The list of FQDNs/IPs within the profile can be modified at any time.

Supported template for this feature: Generic Private Server Certificate.

Custom extensions

New powerful feature that allows authorized administrators to configure private certificates with custom extensions, defined as a JSON structure inside the Advanced profile wizard step for the three ‘generic’ certificate templates:

  • Generic Device Certificate

  • Generic Private Server Certificate

  • Generic User Certificate

Values for the private custom extension can be sourced from all the standard application sources based on the profile’s enrollment method, with the exception of “Microsoft Autoenrollment”, which will be supported in a future release.

For details see: Issue private certificates with custom extensions

Workflow customization for agent-based automation

Enhanced workflows that allow administrators to customize automation using hooks at various steps of the automation flow.

  • Pre-scripts before automation starts, and post-scripts after the certificate is installed:

    • Assign pre and post-scripts for the core automation workflow based on application type for one or more agents.

    • Configure script at application or request level.

For more details see: Agent scripts

Nota

Minimum agent version: 3.0.8.

Sensor Update v.3.8.62

New sensor release with the following updates:

  • JDK updated to v17

  • Updated open-source packages to the latest version to remove vulnerabilities.

Agent Update v.3.0.8

New agent release to support workflow extensibility.

New eIDAS Qualified Certificates templates

New set of eIDAS Qualified Certificate ‘limited’ templates that replace the 3 released earlier this year, which have been removed, and extend the use-cases to support issuance of qualified certificates that meet the requirements of the Payment Services Directive 2 (PSD2). The new templates (linked to User Seat type for Natural persons, and Organization Seat types for Legal Persons/eSeals) will also make use of an OCSP service that is ETSI compliant.

Natural person templates
  • eIDAS Electronic Signature Certificate (Natural Person): It allows Qualified Trust Service Providers, who are audited and compliant with eIDAS, to issue EU Qualified Certificates to natural persons  (QCP-n). This certificate will result in an Advanced Electronic Signature under eIDAS [SD1] (EU Regulation No 910/2014).

  • eIDAS Electronic Signature Certificate (Natural Person with QSCD): It allows Qualified Trust Service Providers, who are audited and compliant with eIDAS, to issue EU Qualified Certificates to natural persons where the private key and the related certificate reside on a QSCD (QCP-n-qscd). This certificate will result in a Qualified Electronic Signature under eIDAS (EU Regulation No 910/2014).

Enhancements

Multiple key sizes per profile

Profile enhancement that allows an authorized administrator to set multiple key sizes using checkboxes in a single profile, without the need to create separate profiles per key size. This feature is supported for profiles configured with any of the below enrollment methods for most templates, where a user (or a client) can now submit a CSR using any of the allowed key sizes set within the profile:

  • CSR

  • EST

  • REST API

  • SCEP

Nota

This enhancement is applied to all supported key types: RSA, ECDSA, EdDSA

This enhancement is not supported by the below templates:

  • Public S/MIME Secure Email (via PKI Platform 8)

  • Public S/MIME Secure Email (via CertCentral)

User experience enhancements

  • Warning message in Reports side-rail when a user exceeds the maximum amount of 10 custom reports.

  • Support for a confirmation pop-up and optional message to all users for bulk approval/rejection of enrollments.

  • Redesign of the Reports functionality for the Enrollments page, to be consistent with the reports icon within the Inventory page, which shows a side-rail with options to generate an instant or custom report.

Extended use of Action Needed

Extended the "Action needed" functionality to show a profile in this state when the enrollment method associated with the profile is no longer enabled on the account.

Resend renewal email action

Support for a new action for certificates inside a renewal window, allowing an authorized administrator to manually send the renewal email by clicking on the "Resend renewal email" action available from the Inventory page

MS Autoenrollment support for ”Public S/MIME Secure Email (via CertCentral)” template

Support for the Microsoft Autoenrollment enrollment method using the DigiCert AutoEnrollment Server to silently issue Public S/MIME sponsor-validated certificates using a profile created from the Public S/MIME Secure Email (via CertCentral) template.

November 15, 2023

DigiCert® ONE version: 1.6392.4 | Trust Lifecycle Manager: 1.2287.0

New

New Security Identifier (SID) extension

Support for the Security Identifier (SID) extension (OID - 1.3.6.1.4.1.311.25.2), which Windows uses for authentication (e.g. Windows Logon). Users can manually enter the SID in the user interface or read automatically from an Active Directory attribute using the new DigiCert Autoenrollment Server release (v2.23.2.0), available for download from Resources > Client tools.

The following templates support the SID extension for all enrollment methods:

  • Domain Controller

  • Generic User Certificate

  • Generic Device Certificate

  • Generic Server Certificate

  • Microsoft® Enrollment Agent

  • Windows Hello for Business Authentication

Nota

Note: when configuring a profile with the Microsoft Autoenrollment enrollment method, the DigiCert Autoenrolment Server v2.23.2.0 must be deployed to support the new SID extension, which has been qualified for the following templates with some restrictions based on whether the profile is configured to issue RSA or ECDSA certificates:

  • Domain Controller (for RSA and ECDSA key types)

    • Generic User Certificate (for RSA and ECDSA key types)

    • Generic Device Certificate (for RSA and ECDSA key types)

    • Generic Server Certificate (for RSA and ECDSA key types)

    • Microsoft® Enrollment Agent (for RSA key types only)

    • Windows Hello for Business Authentication (for RSA key types only)

Azure Key Vault connector and enrollment flow

Trust Lifecycle Manager now automates the certificate request workflow for administrators allowing them to request certificates to be delivered to one or more Azure Key Vaults from within their Trust Lifecycle Manager account.

  • Support for adding one or more Azure Key Vault connectors

  • New Admin web request enrollment method that the following templates support:

    • AWS CA Private Server Certificate

    • CA Manager Private Server Certificate

    • CertCentral Private Server Certificate

    • CertCentral Public Server Certificate

    • Microsoft CA Private Server Certificate

  • New Request certificate option on Enrollments page

Enhancements

Private S/MIME Secure Email template enhancements

Enhancements to the “Private S/MIME Secure Email” template to support:

  • The Non repudiation Key Usage for all key types: RSA, ECDSA, EdDSA

  • The Key agreement, Encipher only, and Decipher only Key Usages for ECDSA key types

Dual Admin Approvals and Dual Admin Key Recovery enhancement

Enhancement to only allow Dual Admin Approvals and Dual Admin Key Recovery options to be enabled in the profile wizard if at least 2 authorized administrators exist in the account.

DigiCert Trust Assistant - Outlook post-processing script support for SafeNet eTokens

Extending the support of the post-processing script for Outlook (Windows only) when using a SafeNet eToken (5100, 5110), in addition to previously supported key stores (OS keystore and the DigiCert Software Keystore). This feature continues to be available for the below templates:

  • Private S/MIME Secure Email

  • Public S/MIME Secure Email (via PKI Platform 8)

Dica

You require DigiCert Trust Assistant 1.1.4 to make use of the post-processing feature.

Customer fixes

Fixed a typo in the Country label for Kuwait, shown on web pages that require a Country field to be selected by an end-user.

November 8, 2023

DigiCert® ONE version: 1.6392.3 | Trust Lifecycle Manager: 1.2263.0

New

New Tenable connector

Support discovery of certificates from Tenable. We’ve introduced:

  • A new connector that allows you to connect to your Tenable.io account.

  • Support for importing certificate data to Trust Lifecycle Manager Inventory.

  • Support for adding tags and assigning business units as you import your data.

  • Support for setting schedules to pull new certificates and change information to keep inventory up to date.

Enhancements

Enhance connector tags to add auto suggest

  • Show suggestions when adding tags to choose from a list of existing tags.

  • Improves usability when adding a new tag.

Sensor update v3.8.61 available

TLM Plugin Manager framework

November 1, 2023

DigiCert® ONE version 1.6392.1 | Trust Lifecycle Manager: 1.2172.0

New

Two-factor authentication (2FA) requirement

Starting November 1, 2023, at 18:00 MDT (November 2, 2023, at 00:00 UTC), we will require all DigiCert ONE accounts to use two-factor authentication (2FA).

You will use both your credentials and a one-time password to access your account. When you log in to your DigiCert ONE account on November 1, you will be prompted to set up two-factor authentication. If you have already enabled two-factor authentication in Account Manager before this date, no further action is necessary.

How to enable two-factor authentication in Account Manager.

Nota

If you use single sign-on (SSO) to access your DigiCert ONE account, the new two-factor authentication requirement does not affect you. However, the requirement will activate if you modify your SSO settings.

Enhancements

  • DigiCert Trust Assistant 1.1.4 introduces post-processing scripts for S/MIME configuration in Microsoft Outlook (Windows only), simplifying certificate configuration post-enrollment and renewal.

  • Improved CSR generation flow within the application to enhance User Experience with more key type/size options.

  • New enrollment methods and signature algorithms have been added for the “Public S/MIME Secure Email (via CertCentral)” template, including Browser PKCS12, CSR, and DigiCert Trust Assistant.

  • Added support for RSASSA-PSS signing algorithms:

    • sha256WithRSAPSS

    • sha384WithRSAPSS

    • sha512WithRSAPSS

  • Bulk management of Discovery seats is now possible through CSV upload, enabling creation, update, and deletion in bulk.

  • Updated Seat usage widget now displays links for created and consumed seats, with a new "Consumed" column and refined counters with rounding and detailed hover information.

October 25, 2023

DigiCert® ONE version: 1.6201.5 | Trust Lifecycle Manager: 1.2224.0

New

Optional grace period for certificate renewal

New Grace period option for the “Renewal options” section that allows the addition of the days before expiration to the renewed certificates. If not selected, the renewed certificate takes a strict validity period based on the “Certificate expired in” value.

For example, for a profile configured with the grace period, if renewing a 365-day certificate 20 days before its expiration, the renewed certificate will have a validity period of 385 days. If the option was disabled, the renewed certificate only has a validity period of 365 days.

Nota

This feature is enabled for profiles making use of Issuing CAs hosted by DigiCert® CA Manager, not external CAs such Microsoft CA, CertCentral or AWS CA.

Bulk deployment for agents

Ability to create a deployable package with an encrypted API-KEY that can then be distributed using any available tools like GPO push, Ansible, PS Exec, etc. and triggered such that the agent provisions to the account and is ready for automation.

Enhancements

CA vendor widget enhancement

Enhanced the CA vendor dashboard widget to support clicking on the “Others” sector of the graph to redirect to the Inventory page with a filter of all other CA vendor values.

October 18, 2023

DigiCert® ONE version: 1.6201.3 | Trust Lifecycle Manager: 1.2203.0

New

Public S/MIME template for Email Gateway providers using CMP

This new certificate template named Public S/MIME Secure Email using CMP (via CertCentral) allows issuance of Public S/MIME sponsor-validated certificates via CertCentral using the Certificate Management Protocol (CMP), is mainly consumed by our Email Gateway service providers.

The template is tagged as “limited”, meaning that a is not available for all accounts. If required, contact an administrator with appropriate access to assign templates to accounts.

Enhancements

CertCentral Public S/MIME template enhancements

Updated the Public S/MIME Secure Email (via CertCentral) template to support:

  • Multiple email addresses within the SAN:rfc822Name extension.

  • LDAP search feature, where profiles with this option enabled allows certificates issued from the profile to be searched using an LDAP client. See Access certificates with LDAP (digicert.com) for more info.

Nota

  1. Searches based on a “mail” value (an email address) are currently done against the Subject DN Email field, not the SAN:rfc822Name extension.

  2. For CertCentral issued certificates, the LDAP service does not search against CA certificates, nor CRLs, only end-user Public S/MIME certificates for profiles with the LDAP option enabled.

Certificate Renewal Reminder email template enhancements

Added two new variables to the Certificate Renewal Reminder email template:

  • cert_serial_number: will show a “Certificate Serial Number” label in the renewal email with the associated certificate serial number of the certificate being renewed.

  • cert_subject_dn: will show a “Subject Distinguished Name (SDN)” label in the renewal email with the entire SDN value of the certificate being renewed.

New DigiCert Agent v3.0.7

With this new version of the agent, the following updates are performed:

  • IIS moved from win-acme to Certbot as the client library

  • OpenSSL has upgraded to v3.0.9

  • RHEL 9.2 support added

Fixes

Browser PKCS12 certificate delivery issue

Fixed an issue with profiles configured with the “Browser PKCS12” enrollment method and using a self-signed Issuing/Root CA, with the include Root CA in the delivery format option, not including the Root CA in the PKCS12 response file.

Get profile API response issue

Resolved an issued with GET profile API response not delivering the profiles bound to the account.

October 12, 2023

DigiCert® ONE version 1.6201.2 | Trust Lifecycle Manager: 1.2172.0

New

Post-Quantum Cryptography (PQC) vulnerable certificate filter

New PQC vulnerable certificate filter that shows whether a certificate within the Inventory (“All certificates” system view) is vulnerable to post-quantum cryptography attacks.

New Seat API endpoint

This new seat API endpoint (GET /mpki/api/v1/seat) that allows the retrieval of paginated list of seats based on multiple filtering parameters:

  • account_id

  • business_unit_id

  • seat_type

  • active

Enhancements

Dashboard enhancements

  • Auto-layout of the dashboard when removing or adding widgets to find the best position for every widget automatically

  • New Certificates by CA vendor widget showing certificates issued grouped by the Subject DN - Organization value of the Issuing CA, including:

    • Up to 10 sectors in the pie chart, one for each different vendor.

    • An Others sector in the pie, for certificates that are not identified/trusted within the Settings > My root certificates list.

    • An Unknown category, for certificates without a Subject DN - Organization value in the Issuing CA certificate.

  • New Overview icon available next to the page title

  • Redesign of the Automation Alerts widget to show the alerts by categories using a vertical and scrollable graph instead of a horizontal carrousel.

  • Redesign of the Integrations widget to become the new Connectors widget.

  • Redesign of the Certificates Expired or Expiring widget.

Support Tags for Certificates API endpoint

Enhanced the certificate API endpoint to support a new ‘tag’ request parameter that is bound to the certificate object and can later be filtered within the Inventory web page to find certificates associated with a specific tag.

Custom certificate report enhancements
  • Added a new Pseudonym field to the "Subject Distinguished Name (SDN) details" section when creating a custom certificate report.

  • Added a new PQC vulnerable field to the “Public key detail” section when creating a custom certificate report, showing what certificates are vulnerable to Post Quantum Cryptography attacks with a yes / no value.

Server Authentication EKU update for CA manager certificates via ACME

Make Server authentication EKU optional for ACME enrollment method in CA Manager Private Server Certificate profile.

Fixes

Profiles list page

Resolved issue with showing the new onboarding/overview page when visiting the Mange > Profiles page even though there are profiles available on the account. The issue was related to retrieving the first profile in the account as “Inactive”, hence the page thinking there are no profiles available on the account and showing the new onboarding page.

October 4, 2023

DigiCert® ONE version: 1.6201.1 | Trust Lifecycle Manager: 1.2128.0

New

Overview pages

A new set of overview pages, which are displayed when no data is available on a page, provides users:

  • With an overview of the page, and

  • Guidance on how to see data populated for one of these overview pages.

This is particularly important for users who are onboarding onto the platform for the first time.

A new icon is also displayed next to the page’s title. This icon provides access to the same overview page anytime after the product has been used and data has already been created.

Pages that implement the new overview functionality are:

  • Inventory

  • Manage > Enrollments, Profiles, Seats, Network scans

  • Reporting & auditing > Audit logs, Report library

  • Integrations > Agents, Sensors

  • Settings > Notifications

AWS private CA discovery

Discover certificates using the AWS private CA connectors configured in TLM. Admins can either enable discovery when adding a new connector or updating existing ones for discovery. Once enabled, the connector discovers and imports certificates across all the roots configured in the target AWS account.

Network scan enhancement to support more detailed cipher discovery

Enable cipher discovery when setting up a network scan. This allows you to find all the ciphers configured on the system in addition to the handshake cipher information collected.

When enabled, view this cipher information under the certificate details section categorized by protocol and flagged when found to be weak.

Inherit certificate tags from profile

Add tags when creating a new profile. Manage tags for a profile. Any certificate issued from that profile inherits the tags assigned to the profile.

New Sensor release v3.8.60

  • Enhanced security by using client based authentication for all communication.

  • Updated to installer to fork installation experience for TLM vs CertCentral.

  • Enhanced sensor provisioning to support private trust for TLM on-premise deployments.

  • A few functional bug fixes.

Allow users to upload roots to TLM discovery Trust Store

Upload roots or ICAs to TLM discovery Trust store such that:

  • Private roots and ICAs when uploaded are available at account scope.

  • Public roots and ICAs if uploaded undergo an approval step and apply to all accounts once approved.

Enhancements

Dashboard enhancements

Set of enhancements to the Dashboard:

  • New widget management feature, where graphs and widgets in the Dashboard can be added/removed and refreshed by users from a menu option located on the top-right of the Dashboard.

  • Every widget now shows a “Last updated” date upon which it was last refreshed, and can be removed from the Dashboard. Note that some widgets can be refreshed in real-time and others via a scheduled job (asynchronous).

  • The Seat Usage widget has been split into two separate graphs.

  • The Pending Enrollments and Pending Recovery widgets have been merged into a single graph.

Update to CertCentral connector

With CertCentral implementing 2-factor authentication, we are limiting the options for linking TLM to CertCentral such that:

  • All DigiCert hosted instances continue to have the option to use the CertCentral username/password to authenticate and link to CertCentral.

  • Any on-premises or non DigiCert deployment only shows the API-KEY option to link to CertCentral.

X509 and PKCS7 Certificate Download Label

Updated the X509 and PKCS7 download button labels in public-facing web pages to show more user-friendly labels:

  • For X509:

    • Download certificate in PEM format (.pem)

    • Download certificate in DER format (.der)

  • For PKCS7:

    • Download certificate in PEM format (.p7b)

    • Download certificate in DER format (.p7b)

September 28, 2023

DigiCert® ONE version: 1.6074.9 | Trust Lifecycle Manager: 1.2103.0

New

Inventory page

Renamed the Certificates page to the Inventory page since DigiCert​​®​​ Trust Lifecycle Manager manages more than just certificates. It is a single ‘book of record’ / inventory page from where you can view and manage all its assets, for example unsecured IPs and ports.

The new Inventory page includes an enhanced views dropdown list and a new collapsible Quick Taskbar, available from the right side of the Inventory page with quick access icons to:

  • “Add connectors”, which redirects the user to the Manage > Connectors page.

  • “Manage views”, from where default views can be managed and custom views can be created.

  • “Reports”, to create instant reports (for less than 5000 records), and access the Custom Reports wizard.

  • “Notifications”, which redirects the user to the Manage > Notifications page to manage or create new custom notifications.

Enhancements

DigiCert Trust Assistant - RSASSA-PSS renewals

Support for RSASSA-PSS certificate renewals via DigiCert Trust Assistant.

DirectoryName enhancements

Extended support for additional fields/aliases within the SAN:directoryName and IAN:directoryName extensions:

  • USER_IDENTFIER using various aliases: USERID, USERIDENTIFIER, and UID.

  • Extend the STATE field to support the S alias.

Fixes

Fixed an issue that prevented downloading user certificates

Fixed issue with not being able to download a user certificate for profiles configured with Browser PKCS12/Enrollment Code methods, which occurs under some specific ‘caching’ circumstances.

September 20, 2023

DigiCert® ONE version: 1.6074.7 | Trust Lifecycle Manager: 1.2085.0

New

Integration with CertCentral CA for public S/MIME

Support for issuance of Public S/MIME Legacy sponsor-validated certificate types conformant with the new S/MIME Baseline Requirements making use of the new template called Public S/MIME Secure Email (via CertCentral).

The supported enrollment method for this initial release is: REST API. Web-based enrollment methods will be supported in a future release.

Nota

Before you can create a profile from this new template, make sure you have linked your Trust Lifecycle Manager account with your CertCentral account by setting up the CertCentral CA connector under Integrations → Connectors → Add connector → CertCentral. You also need to have the Automation feature enabled on your account.

September 14, 2023

DigiCert® ONE version: 1.6074.5 | Trust Lifecycle Manager: 1.2065.0

New

eIDAS Qualified Certificates

European Trusted Service Providers who are compliant with eIDAS can now issue EU Qualified Certificates to natural and legal persons for the purposes of supporting digital signatures, peer entity authentication, data authentication, and data confidentiality, in accordance with EU Regulation No. 910/2014 [i.9], and ETSI EN 319 412-5 [i.7] for requirements relating to QCStatements.

Two new templates (eIDAS Electronic Signature and Electronic Seal) have been created to support these use cases. The templates are bound to the user seat type and tagged as Limited, meaning that only system administrators with appropriate permissions can explicitly assign them to accounts that require these types of certificates:

  • eIDAS Electronic Signature Certificate

  • eIDAS Electronic Seal Certificate

Importante

Trusted Service Providers are fully responsible for the issuance of Qualified Certificates that are conformant with the eIDAS standard and also responsible for meeting all of the regulations and requirements set within it.

Enhancements

DigiCert Trust Assistant enhancements

DigiCert Trust Assistant now supports the new RSASSA-PSS signing algorithm.

Nota

Using this algorithm requires DigiCert Trust Assistant v1.1.3, available for both Windows and Mac platforms from the client tools page.

Relaxing rules for country codes

Relaxed the SubjectDN Country field validation rules. Certificates imported into the Trust Lifecycle Manager application via the “certificate-import” API now allow any 2-letter country code.

Issuance of new certificates will continue to be restricted to ISO-compliant country codes.

September 6, 2023

DigiCert® ONE version: 1.6074.1 | Trust Lifecycle Manager: 1.2036.0

New

New certificate system view

A new system view available from the Certificates page shows which certificates will be expiring in the next 30 days, and shows the remaining days until expiration in a new table field called “Expiring in (days)”. Users can filter the data further to show expiring certificates by seat type.

Enhancements

Generic Private Server template update

Updated the template to set the “Server authentication” Extended Key Usage (EKU) as default.

Email templates enhancement

Updated all email templates to use the Seat ID value instead of User Full Name.

Show Add Connector page when none is available in the account

For accounts that have no configured connectors, the Add connector page will show when the user selects the Connectors link under Integrations in the left navigation bar.

Enhancements to Issuing CA field

For certificates discovered or issued using Certificate Lifecycle workflows:

  • The Issuing CA column will now show the issuer common name, in line with existing behavior for CA manager certificates.

  • A new column called CA vendor shows the name of the CA (e.g. DigiCert).

Fixes

Seat usage data in dashboard

Resolved issue with Seat Usage widget in the dashboard, which was only showing data against all business units and not respecting the business unit selector at the top of the page. Customers using only one business unit would not have noticed the issue.

August 29, 2023

DigiCert® ONE version: 1.5874.11 | Trust Lifecycle Manager: 1.2005.0

New

S/MIME Secure Email compliance with new CA/B Forum S/MIME Baseline Requirements

Updated the Public S/MIME Secure Email (via PKI Platform 8) profile wizard to support the new Legacy generation Sponsor-validated certificate type, as defined in the new CAB Forum S/MIME Baseline Requirements standard.

You need a PKI Platform 8 account and validated email domains to issue Sponsor-validated certificates.

For details about the changes, refer to the Trust Lifecycle Manager section in this knowledgebase article.

Nota

The PKI Platform 8 issuing CA has been updated accordingly to enforce the new Public S/MIME Secure Email industry requirements.

August 23, 2023

DigiCert® ONE version: 1.5874.8 | Trust Lifecycle Manager: 1.1996.0

Enhancements

REST API for business units

Added REST API endpoints to:

  • Create business units

  • List business units

  • Assign seats/licenses to a business unit

Fixes

Private S/MIME error

Resolved an issue with web-based enrollments associated to a Private S/MIME profile present under very narrow conditions.

ACME: Remediated wrong message when order is in reissue pending state

For CertCentral orders using third-party ACME methods, when the order goes into reissue pending state for any reason, subsequent requests were returning a “Bad Request” error. This has been updated to return an ACME compliant error.

Hide additional parameters option on Microsoft CA connector

Removed additional parameter options from Microsoft CA connector as they are not used for connector configurations.

August 16, 2023

DigiCert® ONE version: 1.5874.6 | Trust Lifecycle Manager: 1.1967.0

Enhancements

Support plans

On August 15, 2023, DigiCert upgraded our support plans to provide a better, more customizable experience. These improved plans are scalable and backed by our technical experts to ensure your success.

New plans:

  • Standard support (free)

  • Business support (mid-level)

  • Premium support (highest-level)

For more details about what these plans include, see the DigiCert Support Plans and DigiCert Support: Enabling Your Success.

How does this affect me?

To show our appreciation, DigiCert has upgraded all existing customers to either Business or Premium support plans for a limited time at no additional charge. See our August 15 change log entry.

How the limited-time upgrade works:

  • Platinum support plans are upgraded to Premium support for the duration of the contract.

  • Gold or Platinum-Lite support plans will be upgraded to Premium support for the duration of your contract.

  • Included (non-paid) DigiCert support will be upgraded to Business support for up to one year.

UX enhancements

  • Updated modal pop-up for suspend/resume actions using common UI design component.

  • Added a Select all link for the custom report “Profile authentication fields” section.

  • For profiles that support a Cloud Key Escrow option, added an Information banner to the public-facing web enrollment pages to inform users that their keys are being escrowed.

Fixes

Certificate renewal job

Resolved issue with the certificate renewal job not getting completed in a timely fashion.

Blank page with Public S/MIME profile

Resolved issue with blank page appearing when creating a profile from the “Public S/MIME Secure Email (via PKI Platform 8)” template.

Automatic seat allocation

Resolved an issue where not all seat types were being automatically allocated to the Default Business Unit.

August 9, 2023

DigiCert® ONE version: 1.5874.4 | Trust Lifecycle Manager: 1.1946.0

Enhancements

Profile cloning

Added support for choosing a different business unit or issuing CA when cloning a profile. Previously, both fields were locked and could not be modified when cloning a profile. Now, if you have access to additional business units and issuing CAs, you will be able to select them before saving the newly cloned profile.

Intune enhancement

Intune revocation scheduler job will now run hourly instead of every 3 hours.

Profile enhancement - default common name

Starting from this release, if a template supports the Subject DN Common name field, it will be automatically added to the profile wizard’s second step by default.

Private S/MIME Secure Email enhancement

The previous Private S/MIME Secure Email template implementation blocked users from modifying the Key Usages extension. Now, both the Digital signature and Key encipherment fields are optional, and account administrators can configure signing-only and/or encryption-only certificates.

Fixes

Refresh configuration action notifications

Fixed an error where the Refresh configuration action was sending a notification stating that the F5 server cannot be reached. This notification will no longer be triggered.

Virtual IP with no profile shows as unreachable

Fixed an issue that was preventing admins from automating virtual IPs that had no profile. Admins can now automate these IPs.

August 2, 2023

DigiCert® ONE version: 1.5874.1 | Trust Lifecycle Manager: 1.1913.0

New

Network scanning

With this release, administrators can configure and run one or more network scans in Trust Lifecycle Manager:

  • Added new feature in Account manager for Network Discovery.

  • Added new option to create and manage network scans in Trust Lifecycle Manager when the feature is enabled in Account Manager, with these abilities:

    • Add and manage network scans.

    • Schedule scans and see their progress.

    • See scan results on certificate list page.

  • In addition, added the following functions:

    • Filter by scan name.

    • Calculate a security rating for certificates found in a scan.

    • Capture chain information and analyze of any issues.

    • Capture security headers and handshake information.

  • Added security rating column in certificate list view.

  • Added new notifications for discovered certificates:

    • Default and custom notification options.

    • Allow users to clone email templates.

    • Allow users to configure criteria for emails.

Updated certificate details page

Certificate details page has been restructured to better represent certificate and discovery data.

  • Reformatted with a tab layout for better accessibility.

  • Added new tabs for security details with detailed information on security rating, chaining, headers, and handshake protocols based on how the data was discovered.

Private S/MIME Secure Email template enhancements
Support for DigiCert Trust Assistant

Updated the "Private S/MIME Secure Email" template to support the DigiCert Trust Assistant enrollment method with all corresponding authentication methods:

  • Enrollment code

  • Manual approval

  • SAML IdP

Support for autoenrollment and ECDSA certificates

Added support for the Microsoft Autoenrollment enrollment method to auto-provision private S/MIME (non-escrowed) certificates, both RSA and ECDSA key-based.

Enhancements

Added 'Request a new certificate' as secondary action for automation flows

Allows users to get a new certificate from a different profile when their default automation action is set to reissue or renew.

Added 'Check status' option for certificate management profiles

Allows users to select one or more profiles to check their status and refresh the profile from profile list page.

Intune profile enhancement

Relaxed the validation rules for the Tenant Name field in profiles created from Intune templates to allow domain values that are different to just using the default onmicrosoft.com domains.

July 27, 2023

DigiCert® ONE version: 1.5658.5 | Trust Lifecycle Manager: 1.1875.0

Enhancements

Fixes

Intune certificates

Resolved issue with Intune certificate enrollments failing. They now proceed as expected.

CertCentral profile status

Resolved issue with CertCentral profiles showing an “Action needed” status. This now only displays when expected.

July 26, 2023

DigiCert® ONE version: 1.5658.4 | Trust Lifecycle Manager: 1.1867.0

New

Scheduled reports

Authorized account administrators can now schedule custom Certificate and Enrollment reports to be generated at different intervals:

  • Once: The report will be queued immediately and run as soon as possible.

  • On a specific date: Select a date to run the report.

  • Weekly: The report will run on the selected day(s) of the week, every week until manually stopped.

  • Monthly: The report will run monthly, on a specific day of the month (or last day of the month), with the option to run it every set number of months until manually stopped.

Custom labels for Subject DN and SAN labels in different languages

When creating or editing a profile, users can specify replacements for the default Subject DN and SAN labels with custom labels in multiple languages. Example: The “Common name” field could be customized to show: “Please enter your full name:” (for English), and similar text in other supported languages if set within the profile.

Enhancements

Key size update to the Private S/MIME template

Updated the "Private S/MIME Secure Email" template to support RSA 3072-bit key sizes.

SAN Directory Name extension in Generic User Certificate template

Updated the SAN Directory Name extension functionality, available when creating a profile from a Generic User Certificate template, to support:

  • A single Organization Identifier field, using a tag of ORGANIZATIONIDENTIFIER or ORGID (case insensitive).

  • One or multiple Description fields and values, using a tag of DESCRIPTION or DESC within the overall Directory Name value (case insensitive).

Here is a sample SAN Directory Name value using all currently supported tags:

C=US,O=DigiCert,OU=myOU-1,OU=myOU-2,ST=Utha,L=Lehi,GIVENNAME=John M,SURNAME=Doe,TITLE=Product Manager,SERIALNUMBER=00001,ORGID=123456,DESC=my description 1,DESC=my description 2,DC=DigiCert,DC=com

Certificate recovery enhancements

Enhanced the certificate recovery flow for profiles configured with the Cloud Key Escrow option, to include 3 new email templates that can be customized:

  1. Private key recovery initiation

  2. Private key recovery approved

  3. Private key recovery rejected

When approving/rejecting a second admin recovery operation, the administrator can optionally send a message to the user with the reason for the rejection, or extra information when approving the recovery. The message will also be saved as an internal note for auditing purposes.

Profile wizard enhancements

Enhanced the profile wizard logic for the first step (“Primary option”) to show warning messages when required enrollment methods are not available on the account. To show these, contact your administrator to ensure your account has the required feature enabled.

Profile list page update

Removed the bulk action button placed outside the table in favor of functionality inside the table, to make it consistent with the Certificates List page.

Email logo update

tlmlogo.png

Updated the default Trust Lifecycle Logo included in all email templates.

Fixes

Missing fields in status change email

Fixed issue where SeatID and SeatName variables were omitted from the Certificate Enrollment Status Change email template.

Error on enrollments list page

Fixed error displayed in the Enrollments List page caused by enrollments associated with a deleted profile.

Known issues

Proxy issues for some CertCentral flows

Discovery and synchronization actions using CertCentral accounts do not go through the proxy right now, although certificate issuance does.

July 12, 2023

DigiCert® ONE version: 1.5658.1 | Trust Lifecycle Manager: 1.1810.0

New

Suspend and resume email templates

New suspend and resume email templates have been added. Authorized administrators can configure them when creating/editing a profile from any of the three Generic templates (User/Device/Server).

Enhancements

Internal audit enhancement

For profiles configured with the Manual approval authentication method, we now capture the name of the administrator who approves or rejects a certificate request within the internal notes displayed on the enrollment details page.

Fixes

TLM CertCentral CA public server profiles “Action needed” state issue

Fixed a code issue affecting multiple customers where CertCentral CA public server profiles were incorrectly labeled Action needed.

July 5, 2023

DigiCert® ONE version: 1.5658.0 | Trust Lifecycle Manager: 1.1784.0

New

Microsoft CA support for issuance of user certificates via web-based flows

Added support for issuance of user certificates using a Microsoft CA as the issuer with Microsoft certificate templates, which are selected when creating a profile from the new Microsoft CA User Certificate template and will prepopulate most of the profile wizard settings based on the Microsoft template configuration. Customers will still be able to control the SubjectDN and SAN fields to be used when signing the certificate, which will be added to the CSR that is sent to Microsoft CA for signing via the DigiCert MSCA Connector.

Prerequisites: Similar to the already available Microsoft CA support for private certificates, this solution also requires the configuration of a sensor and a Microsoft CA Connector, available under the Integrations menu option.

The Microsoft CA User Certificate template supports the below user enrollment/authentication methods (flows):

Enrollment method

Authentication method

  • Browser PKCS12

  • CSR

  • DigiCert Trust Assistant

    (minimum version 1.1.2)

  • Manual approval

  • Enrollment code

  • SAML IdP

Also added support for these certificate lifecycle operations using a Microsoft CA as the signer/issuer:

  • revocation, where the Microsoft CA solution will be responsible for providing any certificate validation services (CRL / OCSP).

  • renewal, where the appropriate renewal flow will be enforced based on the profile configuration using the renewal thresholds set within the Microsoft template and intersecting with the allowed renewal window values set within the profile wizard.

For more details, see instructions.

Platform proxy support

On-premises DigiCert ONE customers can now configure their platform with proxy settings to send all outgoing traffic from the Trust Lifecycle Manager application. Both anonymous and authenticated proxy servers are supported. Check documentation for details on how to configure your DigiCert ONE cluster.

AWS Private CA management

This release introduces AWS Private CA as a supported CA to issue and manage certificates using the following enrollment methods:

  • ACME

  • Agent

  • Sensor

A new AWS Private CA connector is available to be configured with the user's AWS account. A new AWS CA Private Server Certificate can be configured to issue certificates from one of the AWS private CA roots.

Option to connect to CertCentral Europe

Added ability for users to choose between US and EU CertCentral environments when configuring CertCentral connector.

Synchronize revocation status for Microsoft CA

Added the ability to synchronize revocation status for certificates revoked directly from Microsoft CA outside of Trust Lifecycle Manager.

New enrollment method column

A new column Enrollment method is added to all certificate views as an additional column.

New REST API enrollment method for CertCentral profiles

A new REST API method is available in CertCentral profiles to use with the /mpki/api/v1/certificate API endpoint.

Enhancements

Bulk management of imported seat types

Extended the management of seats in bulk via the upload of a CSV file, supporting bulk update and deletion of Import seat types.

Extensive Health Check enhancements

Enhancements to the Extensive Health Check API endpoint (GET {{host}}/mpki/api/v1/health/extensive) to report back on the status of more services and all scheduled jobs for the Trust Lifecycle Manager application.

Consolidate sensor connections and connectors

With this release, we are consolidating sensor connections and connectors in Trust Lifecycle Manager.

All existing sensor connections will show in connectors list page (ensure you have the connectors feature turned on for your account). New connections can be added using the Add Connector flow. All existing references to "sensor connections" will be updated to "connectors" in dashboard, notifications, lifecycle workflow, etc.

Updates to Linux sensor installation flow

Linux sensor installation will now not default to CertCentral but instead prompt the user to check if it should be provisioned to Trust Lifecycle Manager.

Fixes

Support local hostnames for Win-ACME

Users can now use local names and IP addresses with ACME clients and agents when supported by the client.

Known issues

Proxy issues for some CertCentral flows

Discovery and synchronization actions using CertCentral accounts do not go through the proxy right now, although certificate issuance does.

June 28, 2023

DigiCert® ONE version: 1.5428.8 | Trust Lifecycle Manager: 1.1759.0

Enhancements

Performance enhancements

Improved performance on audit logs page:

  • Improved speed by limiting audit events in search results to 1,000 (same as the Certificates page).

  • Removed display of total number of matched audit log records. This feature will be reintroduced in a future release as an asynchronous internal request.

  • Improved initial page loading.

  • Improved speed of traversing through audit log results using pagination.

  • Limited the Resource name filter to searches using the prefix or exact value.

UI support for single hosts in DNS server field

Added support for single-host values for the DNS server field (e.g. localhost, my-server) in public-facing and admin enrollment pages.

Fixes

Remove dependency for 'CA manager private server certificate' profile

This fix removes dependency of "CA manager private server certificate" on CertCentral connector, allowing users to use this profile even if CertCentral connector is not present.

Known issues

Audit log performance

Slow audit logs when filtering via Seat ID or Seat GUID for accounts with a very large number of audit log records.

June 21, 2023

DigiCert® ONE version: 1.5428.7 | Trust Lifecycle Manager: 1.1732.0

New

Custom enrollments report

The custom report generation feature has been extended to support the generation of CSV custom reports from the Enrollments page.

Account owners with appropriate reporting permission can create up to 10 Enrollment CSV-based reports to be generated offline/asynchronously and be available for 30 days after creation.

Users can select the Create custom report button, available on the Enrollments page under the Create report icon above the table. The reporting wizard appears to guide you through report creation.

When a report is ready, the user who created it will receive an email.

All created/custom reports are available from the new Report library page inside the Report & Auditing menu option, where you can:

  • View the status of reports.

  • Download completed reports.

  • Re-run a saved report against the latest available data. The new report will be available for another 30 days.

For more details visit Report library (advanced custom reporting).

Support for Edwards ‘hashedEd25519’ curves

For the three Generic templates (User/Device/Server), you now have the ability to select Edwards hashedEd25519 curves (key types) for enrollment methods that support such key type:

  • CSR

  • REST API

Certificate management seat type creation

The seat creation page and API now allow for the creation of “Certificate management” seats individually or in bulk, via the upload of a CSV file. Note that you must have the automation feature enabled on your account.

Intune API migration

Migrated the deprecated Intune Azure AD Graph API to use the supported Microsoft Graph API.

Enhancements

Performance enhancements

Enhancements to the Certificate List page to improve the performance of initial page loading, as well as the searching/filtering responses for the various filters on the table. In order to achieve the performance improvements, we will:

  • Return up to 1,000 records for any search criteria selected on the page.

  • Remove the capability to perform partial searches for Common name and Seat ID. From this release, only ‘prefix searching' or ‘exact value searching’ will be supported for these table filters.

Certificate search API enhancement

Enhanced the certificate-search API endpoint to support an extra query parameter called enrollment_id, which allows a certificate to be retrieved based on its unique Enrollment ID.

The format of the certificate will depend on the Certificate Delivery format the profile is configured with. Also, the enrollment_id value is returned from the manual-enrollment API response, against profiles configured with the “Manual approval” authentication method.

Fixes

Business unit filter

Fixed an issue where the business unit filter was not working for the unassigned filter value

Add/edit certificates

Fixed an issue where add/edit tags for certificates were not working in All certificate and managed automation views.

1-year configuration

Fixed an issue where certificate renewals failed when configuring a profile with 1 year instead of 365 days.

Email templates

Fixed an issue where he subject title for custom email templates under the “Email and notifications” configuration section in the profile wizard is not showing the dynamic email template variables.

June 14, 2023

DigiCert® ONE version: 1.5428.5 | Trust Lifecycle Manager: 1.1703.0

Fixes

IIS automation failing

Fixed issue causing IIS automation to fail.

Sensor downgrade issue

Fixed issue causing a new installation of Sensor v3.8.59 to downgrade current installation and corrupt additional Sensor installation attempts.

June 8, 2023

DigiCert® ONE version: 1.5428.2 | Trust Lifecycle Manager: 1.1672.0

Fixes

Enrollment approval failure

Fixed an issue causing enrollment approval to fail when a profile was configured with the manual approval authentication method and fixed fields set in the Subject DN field.

June 7, 2023

DigiCert® ONE version: 1.5428.1 | Trust Lifecycle Manager: 1.1668.0

New

DigiCert Trust Assistant v1.1.1

  • DigiCert® Software KeyStore now supports macOS using the CryptoTokenKit framework.

  • Support for renewal of certificates managed by DTA, stored on the operating system, DigiCert Software KeyStore, or hardware tokens, via a proof-of-possession of the private key flow where a renewal request is digitally signed by the to-be-expired private key and validated before issuing the renewed certificate.

  • For macOS, removed default YubiKey attestation certificate from the list of certificates being displayed by the client for YubiKey tokens. (This was supported for Windows in the previous release.)

DigiCert Trust Assistant - licensing

The DigiCert Trust Assistant license file has been removed from within the application and added to the overall platform license. No changes for DigiCert-hosted platforms.

Nota

This is especially important for customers running the DigiCert ONE platform on their premise. Starting this release, if you require access to the DigiCert Trust Assistant client, contact your DigiCert representative and ask them to update your platform license. The updated license whitelists your platform domains so DigiCert Trust Assistant can use it.

Enhancements

Dual recovery and comments

  • Now for private and public S/MIME profiles configured with the dual-admin approval flow, the second admin approver has the ability to cancel the recovery process.

  • Any recovery approval or rejection action (via the UI or API) can now include an internal comment with an internal note when approving or canceling the recovery operation.

Audit log event filtering by resource name

  • New column Resource name added to the Audit log table, allowing you to filter or search for its contents inlog events.

New action for custom reports

  • New View audit event action is available from within the Report library and Report details pages, allowing users to directly visit the Audit logs page and view the events associated with the selected report.

Added columns on Certificates list

  • Added 2 columns for certificate views, SANs and Thumbprint, on the Certificates list page. New columns can be added to all certificate views (except unsecured views).

User instructions

  • Added support for the upload of custom/user instructions for profiles configured with the “SAML IdP” authentication method and the “Enforce manual approval” option enabled.

  • Now show the user instructions on the last Certificate installed page, not on the previous Install certificate page.

Performance improvements

  • Improved response time for certificate revocation via the Certificate List page and REST API.

  • Faster certificate issuance times for all flows (e.g., CSR, Browser PKCS12, and REST API).

  • Retrieval time for certificates listed within the Certificate List page reduced.

Japanese installation instructions page changes

Updates to the Japanese certificate installation instructions web page to make them more accurate and user-friendly.

Remove duplicate bulk actions on Enrollments page

  • Removed the bulk actions and associated button on the Manage > Enrollments page. To use the inline bulk actions functionality, select more than one enrollment on the table.

Custom report create page enhancements

  • Renamed Automation details title to Server management details.

  • Moved the Tags field from the Server management details section to the Other details section.

  • Added support for new “Server management” field named SANs (also available within the Certificates page).

Multiple httpd configuration file support

  • Added support for multiple Apache httpd configuration files configured via different process on the same server.

Sensor installation updates

  • Windows sensor users can choose to automatically provision a sensor to Trust Lifecycle Manger after installation. Users can choose if they want the sensor to be provisioned to Trust Lifecycle Manager and can provide the license.properties file to finish provisioning.

Renamed Citrix Netscaler

  • Renamed Citrix Netscaler to Citrix ADC.

Fixes

Duplicate certificate issue

  • Fixed not being able to issue duplicate certificates for profiles configured with the “Microsoft autoenrollment” enrollment method and the "Allow duplicate certificates" option when using fixed Subject DN fields in the profile.

Business Unit seat consumption and allocation

  • Fixed how Business Unit seat consumption and allocation is calculated.

Enrollments linked to invalid email

  • Enrollment errors due to not being able to send an email (e.g., invalid email or SMTP server issues) can be rejected by an authorized administrator.

DCV for OV/EV using TLM ACME Agent

  • Resolved issue with OV/EV DCV failure for agent flows.

May 24, 2023

DigiCert® version: 1.5118.8 | Trust Lifecycle Manager: 1.1597.0

Enhancements

Windows and Linux sensor auto-upgrade

From this release, Trust Lifecycle Manager will support automatic sensor updates for Windows and Linux sensors.

Users will have the option to set upgrades to manual for one or more sensors. They will be prompted to update whenever an upgrade is available.

Email confirmation template

Introduced a new email confirmation template. This email template can be enabled and customized when configuring a profile with the “Manual approval” authentication method, where users can option all receive an email confirmation after successfully submitting a certificate enrollment request.

Bulk enrollments

Bulk enrollments action for Enrollments page are now inside the table instead of at the bottom of the page.

Log events based on resource type

Dynamically show the correct log events based on the resource type.

Fixes

Unnecessary alert state

Fixed an issue where CertCentral profiles were set to “Action Needed” even though there was no configuration problem.

May 17, 2023

DigiCert® version: 1.5118.6 | Trust Lifecycle Manager: 1.1557.0

New

Seat naming changes

  • Renamed Unmanaged seat type to Discovery.

  • Renamed Automation seat type to Certificate management. When deleting a Certificate management seat, you will have the option to revoke certificates associated with the seat.

Show TLM features in Account Manager

The Account Manager application will expose a set of features for the Trust Lifecycle Manager application and can be enabled/disabled per account, enforced by Trust Lifecycle Manager. This is particularly meant to help DigiCert ONE on-premises customers. Features include:

  • Enrollment methods: REST API, Browser PKCS12, CSR, SCEP, EST, Microsoft Autoenrollment, ACME/Agent/Sensor (enabled/disabled via the Automation feature)

  • Custom reports

  • Reporting (email)

Seat creation logic

Updated seat creation logic for automation methods (ACME, sensor, agent) to create seats per website (i.e., combination of unique CN+IP+Port) for both server and certificate management seats.

Enhancements

YubiKey slot selection in DigiCert Trust Assistant

DigiCert Trust Assistant now supports selecting the YubiKey slot where keys are to be created when configuring a profile with the YubiKey hardware token.

SCEP support for SHA-384

The SCEP GetCACaps response now supports the SHA-384 hashing algorithm. Use this URL to check the response: https://one.digicert.com/mpki/api/v1/scep/cgi-bin/pkiclient.exe?operation=GetCACaps

REST API update

New REST API PUT status endpoint to change the status of enrollment requests from pending to either approve or reject, for enrollments linked to profiles configured with the "Manual approval" authentication flow. See Trust Lifecycle Manager REST API reference.

Connectors support

Connectors are now a separate feature in Account Manager (separated from automation) and can be enabled or disabled for a given account.

Environment support for agents

Downloaded agents are now preconfigured with the correct environment information (US vs NL, etc.) so that installation can proceed without configuration changes.

Fixes

MSCA issued certificates

Fixed an issue where users were unable to revoke an MSCA issued certificate from the UI.

Sensor version issue

Fixed an issue where sensor versions were not resolving in Windows and Linux sensors.

Sensor update issue

Fixed an issue where users were unable to update the heartbeat of an active sensor if the sensor was not assigned to a business unit.

Refresh configuration

Fixed an issue that was preventing refresh configuration for sensor connections.

May 3, 2023

DigiCert® version: 1.5118.1 | Trust Lifecycle Manager: 1.1518.0

New

Provide customizable user instructions for download

For profiles configured with the Manual approval authentication method, you can upload a file with specific instructions that a user can follow when installing a certificate. Examples are: configuring a WiFi or VPN client, configuring Outlook, or accessing a certificate-protected web resource.

  • Supported file formats: .txt, .ppt, .pptx, .doc, .docx, .pdf

  • Supported maximum file size: 10 MB

Users can download the file from the certificate confirmation and installation web pages.

Added connector column to certificate view

Added a column to certificate views to filter data by connector name.

Enhancements

Additional fields and enhancements for custom certificate reports

Split the first section of fields (certificate, automation, and other fields) into three sections:

  • Automation details

  • Profile details

  • Other details

Support for new fields to be added as part of the custom certificate report wizard:

  • Requestor email

  • Trust type

  • Seat ID mapping

Nota

As mentioned in a previous release note, we removed the Certificate report link in the Reporting and auditing menu. We now support a more powerful reporting solution when creating offline custom reports from the certificates page.

Seat email address for server and device seats

Support for an optional seat email address when creating or editing server or device seats via the UI interface.

Chunking for large uploads

For large data coming in from Microsoft CA and other plugins, the sensor now supports breaking the upload into smaller chunks so that it can be uploaded via customer proxies. You can configure the chunk size on the sensor.

New Sensor version 3.8.57 released with multiple enhancements and fixes:

  • Microsoft CA and Qualys connector support on Windows and Linux sensors.

  • Update for chunking logic (all sensor types).

Nota

Docker sensors need to be updated to the latest version for Microsoft CA and Qualys integrations to continue working.

Support for 1-day certificates for CA Manager Private Server Certificate profile templates

Users now have the option to choose 1-day validity for certificates issued from CA Manager for the following enrollment methods:

  • Agent

  • Sensor

  • ACME

Updates to certificate view column selector

The column selector on certificate views now shows available options in one or more columns to improve usability.

Fixes

Reintroduced Source column in certificate views

Fixed performance issues with the Source column. This column is now reintroduced to all certificate views.

April 19, 2023

DigiCert® version: 1.4957.3 | Trust Lifecycle Manager: 1.1487.0

New

DigiCert Trust Assistant support for new Software KeyStore (Windows only)

Added support for a new token type, DigiCert Software KeyStore, when configuring a profile with the DigiCert Trust Assistant enrollment method. This allows keys and certificates to be protected on the user’s machine within a proprietary software keystore with a user personal identification number (PIN).

A user must initialize DigiCert Software KeyStore after installing the DigiCert Key Store Provider (KSP) using elevated user permissions, e.g. local administrator Windows account.

Nota

This new feature is only available for the Windows version of the DigiCert Trust Assistant, for which you need to download/install v1.1.0. (The Mac client continues to run on v1.0.0.) Support for Mac is planned for a future release.

For more details, see the following guides:

Delete business units

Added an action to the business unit (BU) list page that allows a BU to be deleted after all profiles and seats bound to that BU are deleted.

Agent DV automation

Administrators can now automate domain validated (DV) certificate lifecycle operations using the Trust Lifecycle Manager agent.

Enhancements

DigiCert Trust Assistant enhancements

Nota

These enhancements are only available for the DigiCert Trust Assistant Windows release. We will update the Mac client in a future release.

  • Removed the default YubiKey attestation certificate from the list of certificates displayed for YubiKey tokens.

  • User experience (UX) changes to the import certificate process (e.g. importing a glck or pkcs12 file). Once the password is verified, the “Verify” button will change to “Import.”

  • UI changes to PIN verification and any errors displayed due to incorrect PINs. The error message is now displayed inline within the same PIN pop-up window, instead of a separate error notification.

Client tools - DigiCert Autoenrollment Server doc update

Replaced a link in the “Overview” section of the Client tools - DigiCert Autoenrollment Server page with a link to DigiCert documentation: https://docs.digicert.com/en/digicert-one/trust-lifecycle-manager/autoenrollment-server.html

Validation enhancements

  • Profile wizard - certificate policy validation: Added extra validation checks to the profile wizard when adding one or more certificate policy extensions to a profile.

  • Enrollment pages - dnsName validation: Added inline validation for dnsName values entered by users on the public-facing enrollment page before submitting.

Fixes

Dual admin approvals

Resolved an issue where users were unable to approve certificate requests bound to profiles configured with “Manual approval” authentication method and dual-admin approval flow.

Slow certificate enrollments for data-rich accounts

Resolved an issue with slow certificate enrollments for accounts with large amounts of data, which was caused by a reliant database table being locked for writing.

April 12, 2023

DigiCert® version: 1.4957.2 | Trust Lifecycle Manager: 1.1458.0

New

Agent settings page

This page allows users to set account level options for the following:

  • Manual vs. automatic agent approval

  • Blocked ports

Sensor details

Added sensor details page that will allow users to:

  • View sensor hostname, IP, and version information

  • Update debug settings

  • Change proxy port to be used by the agent when using sensor as a proxy

Agent notifications

Added agent lifecycle notifications for:

  • Agent activated

  • Agent error

  • Agent approval pending

  • Agent approved

  • Agent rejected

Application detection

With this release, agents have been enhanced to detect the application version during the initial discovery task. This application type and version will automatically be configured in the UI. Users will have an option to change these settings from the agent details page if needed.

Enhancements

Dashboard

  • Updated integrations graph to show agent status.

  • Added Agent error alert for automation.

ACME failures audit logs

Some third-party ACME clients have an issue where not all error messages are shown on the client CLI. As a workaround for this limitation, TLM has started logging ACME errors in audit logs.

Known issues

Connectors on Windows and Linux sensors

Connectors are currently not supported on Windows and Linux sensors. To use MS CA and Qualys connectors, use the latest Docker sensor.

April 5, 2023

DigiCert® version: 1.4957.1 | Trust Lifecycle Manager: 1.1432.0

New

Microsoft CA integration for server certificate

Trust Lifecycle Manager now supports issuing certificates from the customer's Microsoft CA.

To enable Microsoft CA support, users must install DigiCert Microsoft CA remoting service and DigiCert Sensor. Once configured, to import and issue certificates in Trust Lifecycle Manager, add one Microsoft CA connection for each internally hosted Microsoft CA.

Added a new Microsoft CA private server certificate profile template to create profiles with these enrollment methods: 

  • Sensor automation

  • Third-party ACME integrations

  • Agent automation

Learn more about Microsoft CA integration.

Qualys CertView integration

Added support for a new Qualys connector to import certificate data discovered using Qualys scans. Imported data is available on the Trust Lifecycle Manager certificates page in line with data from other sources. This data can be used to manage notification and alerting, automated lifecycle management, and perform other tasks.

Learn more about Qualys integration.

Web server automation using agent

Trust Lifecycle Manager now supports automation of the following web servers:

  • Internet Information Server (IIS)

  • Apache Tomcat

  • Apache web server

  • Nginx web server

  • IBM HTTP server

Administrators can install an agent on the target server to facilitate automation flows, similar to that for sensors. Existing profiles have been updated to add a new "agent" enrollment method. You can download agents from the TLM resource page. After installation, agents are managed from the new Agent section in Trust Lifecycle Manager.

Learn more about agent-based automation.

Advanced reporting for certificates

A new custom report generation feature allows account owners with appropriate reporting permission to create up to 10 reports to be generated offline/asynchronously and be available for 30 days after creation.

Users can select the Create custom report button, available on the Certificates page under the Create report icon above the table. The reporting wizard appears to guide you through report creation.

When a report is generated, an email is sent to the user who created the report.

All created/custom reports are available from the new Report library page inside the Report & Auditing menu option, where you can:

  • View the status of reports.

  • Download completed reports.

  • Re-run a saved report against the latest available data. The new report will be available for another 30 days.

Learn more about custom report generation.

Nota

The Certificate report link under the Reporting & auditing menu option will be removed in the next monthly release.

Enhancements

Audit log enhancements

  • Displays an info banner to the user when more than 5,000 audit events are encountered. The banner shows how many audit log events match the search criteria and advises the user to use filtering options to narrow the search result.

  • A new audit log resource type, Email, stores audit log events related to email sending operations and will simplify troubleshooting email-related issues.

Number of authentication attempts

Enhanced public-facing pages for enrollments making use of enrollment codes for authentication. These pages now show the number of failed authentication attempts as well as the maximum number of attempts allowed by the profile before locking the enrollment.

Additional certificate status values for automation flows

Added two new options to the certificate status field:

  • Replaced represents certificates that are replaced on a server using automation.

  • Replaced External represents automated certificates that are found to be replaced outside Trust Lifecycle Manager during a discovery task.

New permissions for connector pages

Added separate view, create, and manage permissions for connector pages.

Native Windows and Linux sensors

Trust Lifecycle Manager administrators can now install the DigiCert Sensor on Windows or Linux machines.

Fixes

Missing email templates

Resolved issue with some email templates not being displayed for profiles configured with the SAML IdP authentication method with the Enforce manual approval checkbox enabled.

Incorrect certificate status when suspending imported seat

Resolved issue when uploading certificates from an external system bound to an imported seat type. After suspending the certificate via the UI, the certificate status in Trust Lifecycle Manager was correct (showing a status of Suspended), but the revocation request to CA Manager was not submitted, causing the status to be shown as Valid and validation services not reflecting the correct status.

March 23, 2023

DigiCert® version: 1.4803.6 | Trust Lifecycle Manager: 1.1380.0

Enhancements

Enrollment code enhancements

Added new actions available from the enrollments page, for enrollments linked to a profile configured with an enrollment code authentication method. This allows an authorized administrator to:

  • Unlock a locked enrollment code via the UI after the maximum number of attempts has been reached.

  • Reactivate an expired enrollment code.

  • View an enrollment code and URL for enrollments associated with private CAs. This action is hidden for enrollments associated with public CAs.

Also added a configuration option for profiles configured with the enrollment code authentication method, to set the maximum number of incorrect enrollment code authentication attempts before locking.

Auto-copy a SAN:dnsName field with the SubjectDN:commonName value

For profiles configured from the “Generic Private Server” template, added an Auto-copy from SAN: dnsName checkbox for the Subject DN - Common Name field. This automatically copies the value into the dnsName field, regardless of whether this field is configured in the profile or not.

If a profile is configured with a dnsName field and a certificate request already contains one or multiple dnsName values, the Common Name value will appear automatically at the top of the list.

March 15, 2023

DigiCert® version: 1.4803.2 | Trust Lifecycle Manager: 1.1356.0

Enhancements

Certificate expiration email template

Customers with unmanaged or imported seat licenses can configure a certificate expiration email to be sent before the uploaded certificate expires. This configuration page is now available under the Settings - Uploaded certificates expiration menu, and will be visible only when an account has been allocated with Unmanaged and/or Imported seats/licenses.

Additional option for ACME enrollment

For third-party ACME client-based flows, we added a new parameter option for the client to explicitly ask Trust Lifecycle Manager to issue a new certificate from CertCentral irrespective of the status of the previous certificate. This allows users to enforce a re-enrollment in addition to the already available options to renew, reissue, or get a duplicate certificate.

Sample ACME URL: https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=enroll

Fixes

Renewal reminder timeout for unmanaged/imported seats

Resolved an issue with renewal emails not being sent to end users. We have introduced a 30-second timeout period for the hourly job that takes care of sending renewal email reminders, when not receiving a response from the SMTP server responsible for sending the email.

Nota

We will not make a second attempt to send the same failed email at the next hourly run. Failed emails could pile up and there would be no room left for new emails to be sent. However, emails will be sent every [90, 60, 30, 15, 10, 7, 5, 3, 2, 1] days depending on profile configuration. Therefore, if an email fails to be sent at 90 days before expiration, the next attempt will be made at 60 days, etc.

Lowercase country values for unmanaged and imported seats

Resolved issue with not being able to upload unmanaged and imported certificates using a two-digit Subject DN country value in lowercase. We now support the upload of country values as case-insensitive values.

March 9, 2023

DigiCert® version: 1.4803.0 | Trust Lifecycle Manager: 1.1349.0

New

New extensions

Support for three new X.509 certificate extensions, which users can configure in the profile wizard:

  • Subject Alternative Name (SAN) Directory Name extension, supported by the Generic User Certificate template.

  • Certificate Policies extension, supported by all the standard templates, with the exception of the Public S/MIME (via PKI Platform 8) and CertCentral templates. You can configure a Certificate Policy extension with just a private OID, or include User Notice and/or CPS URL fields.

  • Issuer Alternative Name extension, supported by the Generic User Certificate template, when configuring a profile with the REST API enrollment method and 3rd party app authentication method.

New manual-enrollment REST API

For profiles configured with the “Manual approval” authentication method, you can use the new manual-enrollment API endpoint to submit a certificate request via API and drop it into the queues for authorized administrators to review and manually approve it or reject it.

Once a request has been manually approved, the user will receive an email with instructions on how to download the certificate via the currently supported web-based enrollment methods: CSR, Browser PKCS12, and DigiCert Trust Assistant.

Dica

Use the existing enrollment-details API endpoint to retrieve the status of a specific enrollment by submitting the enrollment Id.

SAML single logout

Enables a profile, with the SAML IdP authentication method, to be configured with a SAML single logout URL. This allows an end user to click on a Single Logout link displayed on the public-facing enrollment pages, which forces the logout of all connected SAML sessions on both the Service Provider and the Identity Provider.

Enhancements

DigiCert Trust Assistant for public S/MIME

DigiCert Trust Assistant support for the issuance of public S/MIME certificates (escrowed or non-escrowed, depending on the profile configuration) from PKI Platform 8 accounts, using the following authentication methods:

  • Manual approval

  • Enrollment code

  • SAML IdP

Updated menu items and other styling changes

  • Updated the left navigational menu items to use "sentence case" and follow DigiCert style guidelines. For example, “Business Unit” menu item becomes “Business unit”, “Reporting & Auditing” becomes “Reporting & auditing”, etc.

  • For public-facing enrollment pages:

    • Removed the colon after SDN and SAN section titles.

    • Updated the color, padding, margins, and font sizes of fixed field labels to meet DigiCert style guidelines.

  • Redesign of the audit logs details page to adhere to DigiCert design guidelines.

Seat object enhancements

  • Updated the GET Seat API endpoint to extend the response to include a seat_creation_date parameter showing the seat creation date.

  • Updated the Seat List web page to show an optional Created date column.

Profile wizard enhancements

  • Now allows for a maximum custom renewal window of up to 90 days.

  • Updated the renewal email template to also support sending renewal notifications up to 90 days in advance.

  • Variables inside the email templates are now alphabetically ordered.

Profile List page enhancement

Added a Seat type filter to the Profile List page to allow profiles to be filtered by a seat type.

Additional options in “Valid to” filter

Enhanced the “Valid to” filter inside the Certificates list page to support three new filters, in addition to searching between a date range:

  • By days, for example for: certificates expiring in the next 7 days.

  • From a specific date, for example for: certificates expiring after 1st March 2023.

  • Until a specific date, for example for: certificates expiring before 15th March 2023.

Enhancements to the Generic Private Server Certificate template

Enabled the Browser PKCS12 enrollment method and associated authentication methods, which are Manual approval, Enrollment code, and SAML IdP.

Fixes

Create custom report button in various places

Resolved a known issue that incorrectly showed the “Create custom report” button on the Certificates, Enrollments, and Seats List pages

Certificate and Seat consumption charts errors

Resolved an issue with Certificate and Seat consumption chart widgets within the Dashboard not displaying the correct data.

Error notifications on Certificates and Enrollment pages

Resolved issues with errors being displayed on the Certificates and Enrollments pages after the Issuing CA had been unassigned from an account. When the issue occurs on the Certificates page, a Not resolved label now appears in the Issuing CA column.

February 15, 2023

New

New organization identifier field

Added new subject DN field, Organization identifier (OID - 2.5.4.97), to the Generic User Certificate template.

Fixes

API error in distinguished name parsing

Fixed an error that occurred when using the API to import a certificate.

Instant reporting error

Fixed an error where the instant reporting button failed to download data.

Known issues

Custom report button appears but does not work

On the Certificates page, the "Create report" dropdown menu shows an option to "Create custom report," but nothing happens when this is selected. This feature will be implemented in a future release; the button was displayed erroneously.

February 9, 2023

Enhancements

Translations

Translations added for all languages.

Fixes

Edit connector details page not loading

Fixed an issue where users were not able to see the page for editing connector details.

CA Manager private profile creation with enrollment method as ACME shows blank page

Fixed an issue where users were not able to create a CA Manager profile.

February 8, 2023

New

DigiCert Trust Assistant

Cross-browser and cross-platform client for certificate provisioning and management on software keystores and hardware tokens. This initial release delivers:

  • Provisioning of RSA and ECDSA certificates to software keystores on Windows and macOS operating systems.

  • Provisioning of RSA and ECDSA certificates to hardware tokens such as Gemalto and YubiKey—see the Support Matrix page within the Client Tools page for details.

  • PIN management functionality for hardware tokens.

  • Generation of CSRs using a private key on a selected keystore or hardware token.

    Nota

    Key size restrictions apply per token vendor.

  • Import and export of certificates. Supported formats: X509, PKCS#7, PKCS#12 and GLCK (a proprietary format consumed by the legacy PKI Client software used by PKI Platform 8 customers).

  • Manual and auto-update of the client.

The client is available as a new Enrollment Method for the Generic User Certificate template, and supports the following Authentication methods:

  • Manual approval

  • Enrollment code

  • SAML IdP

Check the Administration and User guides for more information:

Certificate tags

  • Ability to assign and manage tags for one or more certificates.

  • Allows users to assign tags of their choice which can later be used to filter data in views.

  • Available for all certificates issued or discovered by Trust Lifecycle Manager.

New Source column in views

A new source column and filter are added to views. Source is defined by how the certificate was discovered (API Discovery, CA connector etc).

Global Enrollment Code

Ability to configure a SCEP-enabled profile with a global enrollment code that will be used to automatically issue certificates via SCEP to unregistered devices, without the need to previously create a Seat or an Enrollment.

New User ID field and new data type for the UniqueIdentifier field

For the UniqueIdentifier field:

  • New Subject DN User ID field (OID - 0.9.2342.19200300.100.1.1) is supported by the Generic User Certificate template

  • For the existing Unique Identifier Subject DN field, the default encoding for the field is BitString. However, from this release onwards, an additional data type (PrintableString) can be selected when configuring this field inside the profile wizard to format the Unique Identifier value in either BitString or PritableString. Supported by the Generic Private Server template.

Enhancements

MariaDB upgrade

The internal MariaDB version was upgraded and qualified to use 10.6.11. This is of particular interest to DigiCert ONE on-premises customers.

Support for IP Address in ACME and Sensor Automation flows

Use IP address in place of domain names for private certificate issuance.

Updated application logo and email templates

  • Updated the application logo displayed within the administrator pages to not include the word “Manager”.

  • Updated email templates to be consistent across all application flows, including the same footer making use of the Admin contact detail variables that need to be set in order to be displayed within the email notifications.

  • Email subject lines displayed within the profile wizard are used as email subject values when sending email notifications.

  • The “Your certificate is ready” email template supports a new variable called Cert Common name. Account administrators can optionally add the new variable to this email template.

Profile wizard enhancements

Added the template use cases and description to the initial page when creating or editing a profile.

Breadcrumb changes

Updated the breadcrumbs for all the pages under the “Manage” menu item to reflect the correct navigational structure. Approval/rejection emails sent to administrators for profiles configured with the “Manual approval” flow now contain a URL with the word “manage” in the patch.

Nota

URLs within emails that were already sent redirect to the new URL.

DigiCert Autoenrollment Server enhancements

Updated the DigiCert Autoenrollment Server to version 2.23.1.0 with the below enhancements:

  • Updated references from Enterprise PKI Manager to Trust Lifecycle Manager.

  • Partially masked the API KEY value within the Autoenrollment Server logs—only the first four characters are displayed in the log.

Friendly country list

Enhancement to only display the allowed country list with their 2-letter ISO country codes as part of dropdown lists within various application locations:

  • Admin-based enrollment pages

  • Profile wizard, when selecting a fixed Country value

  • Public-facing enrollment pages for end-users to select when enrolling for a certificate

Show "-" if there is no data in the table

For all data tables including certificate views, if there is no data for a given row, a hyphen is shown to represent “no data”.

Add validation in create automation flows for wildcard and SAN usecases

Add validation based on CertCentral product settings for wildcard products and products when they support SANs.

Sensor v3.8.54 release

The sensor copyright version changed to 2023.

Fixes

Auto-refresh for views

Removed auto-refresh for all views except Managed Automation view. Streamlined refresh to be inline for the grid alone instead of refreshing the whole page. Auto-refresh preserves user state and ongoing actions.

Intune Device template

Resolved a miss-configuration issue with the Device Authentication for Microsoft Intune (SCEP) template auto-copying the Common Name value to the DNS Server field and causing errors with CA Manager.

DigiCert Autoenrollment Server

Resolved a connection issue against the Hello API endpoint that was introduced after last month's rebranding.

Revocation of imported certificates

Resolved issue with not being able to revoke certificates associated with the Imported seat type, which were uploaded to an account via their certificate-import API endpoint.

Known issues

DigiCert Trust Assistant—ECDSA p-521 error

Key pair generations using ECDSA NIST p-521 curves on Windows and macOS keystores fail with a csr_signature_failed error. Smaller curve sizes work successfully (p-256 and p-384).

January 11, 2023

New

Application rebranding

Updated all references to Enterprise PKI Manager to reflect the product’s new name: Trust Lifecycle Manager.

Rebranded the Enterprise PKI Manager application to Trust Lifecycle Manager. Assets that have been rebranded include:

  • Product/administration portals

  • DigiCert documentation and API websites

  • Email templates

  • Knowledgebase articles

Additionally, the “EPKI” certificate view has been removed from the default system views. Customers can make use of the “All Certificate” system view to filter the same certificate data and create their own custom views.

Issuance of Public S/MIME certificates via DigiCert PKI Platform 8

The new Public S/MIME Secure Email (via PKI Platform 8) certificate profile template leverages DigiCert PKI Platform 8 to issue public S/MIME RSA email signing and encryption certificates linked to a user seat.

Certificate requests can be enrolled and authenticated by these methods:

Enrollment method

Authentication method

  • Browser PKCS12

  • DigiCert Trust Assistant

  • Manual approval

  • Enrollment code

  • SAML IdP

  • REST API

  • Third-party application

  • Enrollment code

To learn more about this feature, see Public S/MIME Secure Email (via PKI Platform 8) template.

Nota

  • Existing PKI Platform 8 customers can simply share the API key with their DigiCert ONE Trust Lifecycle Manager account, where a new profile will be created to issue the Public S/MIME certificates. A matching profile will be automatically created within the PKI Platform 8 account.

  • Certificate lifecycle operations for Public S/MIME certificates issued via a DigiCert ONE Trust Lifecycle Manager account must be carried out within that account.

Managed automation - sensor DV

Issue DV certificates on sensor connections managed using certificate lifecycle automation. Create DNS integrations that allow sensors to fulfill DCV challenges to issue DV certificates to appliances and cloud providers.

Bulk actions on certificate lifecycle

In case of compromise or account consolidation, select more than one certificate to renew or reissue certificates in bulk.

  • Admin can select more than one certificate from Certificate section and trigger automation.

  • Admin can use APIs to bulk reissue certificates.

CertCentral Connector

With this release we are introducing the TLM connectors framework. This framework will help drive integrations in the future.

A new CertCentral connector is being added to:

  1. Issue private and public certificates. (Existing functionality will now use the connector instead of the CertCentral linking page.)

  2. Discover certificates. We can now pull certificate data from linked CertCentral account into TLM.

    1. Users can define what data should be imported (valid certificates, certificates expired in last x days, revoked certificates).

    2. This data can be assigned to a BU at import and also tagged with user defined labels. these labels will be available for search in the certificate views in a future release.

With introduction of connectors the “Link to CertCentral” feature is rolled into the CertCentral Connector.

Nota

The “Link to CertCentral” page is no longer available.

Domain control validation for OV/EV using ACME

Customers can now perform domain control validation (DCV) for pre-validated OV/EV organization Public TLS certificates from CertCentral using ACME.

With this release, clients can demonstrate domain control using either DNS (ACME DNS.01) or HTTP (ACME HTTP.01) methods for their OV/EV requests. This option is only available when other organization and extended validations are already completed.

Enhancements

ACME - Skip validation for prevalidated domains

TLM ACME server is no longer creating challenge requests for prevalidated domains during ACME flows.

This will simplify client-side workflows where a dummy validation needs to be hosted by the client. This in turn means that:

  1. Cert-manager: client can bypass challenge creation and validation step.

  2. Certbot: hosting of dummy challenge on port 80 (with requirement that port 80 not be used by any other service) is no longer needed.

CA Manager - Private certificate automation on appliances

Most appliances such as F5 and Citrix ADC require that an organization be specified when creating a CSR during automation. CA Manager - Private Server has been enhanced to accept an organization that can be used for such automation workflows.

Patch

Automation certificate profiles

Fixed an issue with the creation of automation certificate profiles.