Trust Lifecycle Manager

From this release, Trust Lifecycle Manager will support automatic sensor updates for Windows and Linux sensors.

Users will have the option to set upgrades to manual for one or more sensors. They will be prompted to update whenever an upgrade is available.

Introduced a new email confirmation template. This email template can be enabled and customized when configuring a profile with the “Manual approval” authentication method, where users can option all receive an email confirmation after successfully submitting a certificate enrollment request.

Bulk enrollments action for Enrollments page are now inside the table instead of at the bottom of the page.

Dynamically show the correct log events based on the resource type.

Fixed an issue where CertCentral profiles were set to “Action Needed” even though there was no configuration problem.

The Account Manager application will expose a set of features for the Trust Lifecycle Manager application and can be enabled/disabled per account, enforced by Trust Lifecycle Manager. This is particularly meant to help DigiCert ONE on-premises customers. Features include:

Updated seat creation logic for automation methods (ACME, sensor, agent) to create seats per website (i.e., combination of unique CN+IP+Port) for both server and certificate management seats.

DigiCert Trust Assistant now supports selecting the YubiKey slot where keys are to be created when configuring a profile with the YubiKey hardware token.

The SCEP GetCACaps response now supports the SHA-384 hashing algorithm. Use this URL to check the response: https://one.digicert.com/mpki/api/v1/scep/cgi-bin/pkiclient.exe?operation=GetCACaps

New REST API PUT status endpoint to change the status of enrollment requests from pending to either approve or reject, for enrollments linked to profiles configured with the "Manual approval" authentication flow. See Trust Lifecycle Manager REST API reference.

Connectors are now a separate feature in Account Manager (separated from automation) and can be enabled or disabled for a given account.

Downloaded agents are now preconfigured with the correct environment information (US vs NL, etc.) so that installation can proceed without configuration changes.

Fixed an issue where users were unable to revoke an MSCA issued certificate from the UI.

Fixed an issue where sensor versions were not resolving in Windows and Linux sensors.

Fixed an issue where users were unable to update the heartbeat of an active sensor if the sensor was not assigned to a business unit.

Fixed an issue that was preventing refresh configuration for sensor connections.

For profiles configured with the Manual approval authentication method, you can upload a file with specific instructions that a user can follow when installing a certificate. Examples are: configuring a WiFi or VPN client, configuring Outlook, or accessing a certificate-protected web resource.

Users can download the file from the certificate confirmation and installation web pages.

Added a column to certificate views to filter data by connector name.

Split the first section of fields (certificate, automation, and other fields) into three sections:

Support for new fields to be added as part of the custom certificate report wizard:

Support for an optional seat email address when creating or editing server or device seats via the UI interface.

For large data coming in from Microsoft CA and other plugins, the sensor now supports breaking the upload into smaller chunks so that it can be uploaded via customer proxies. You can configure the chunk size on the sensor.

New Sensor version 3.8.57 released with multiple enhancements and fixes:

Users now have the option to choose 1-day validity for certificates issued from CA Manager for the following enrollment methods:

The column selector on certificate views now shows available options in one or more columns to improve usability.

Fixed performance issues with the Source column. This column is now reintroduced to all certificate views.

Added support for a new token type, DigiCert Software KeyStore, when configuring a profile with the DigiCert Trust Assistant enrollment method. This allows keys and certificates to be protected on the user’s machine within a proprietary software keystore with a user personal identification number (PIN).

A user must initialize DigiCert Software KeyStore after installing the DigiCert Key Store Provider (KSP) using elevated user permissions, e.g. local administrator Windows account.

Added an action to the business unit (BU) list page that allows a BU to be deleted after all profiles and seats bound to that BU are deleted.

Administrators can now automate domain validated (DV) certificate lifecycle operations using the Trust Lifecycle Manager agent.

Replaced a link in the “Overview” section of the Client tools - DigiCert Autoenrollment Server page with a link to DigiCert documentation: https://docs.digicert.com/en/digicert-one/trust-lifecycle-manager/autoenrollment-server.html

Resolved an issue where users were unable to approve certificate requests bound to profiles configured with “Manual approval” authentication method and dual-admin approval flow.

Resolved an issue with slow certificate enrollments for accounts with large amounts of data, which was caused by a reliant database table being locked for writing.

This page allows users to set account level options for the following:

Added sensor details page that will allow users to:

Added agent lifecycle notifications for:

With this release, agents have been enhanced to detect the application version during the initial discovery task. This application type and version will automatically be configured in the UI. Users will have an option to change these settings from the agent details page if needed.

Some third-party ACME clients have an issue where not all error messages are shown on the client CLI. As a workaround for this limitation, TLM has started logging ACME errors in audit logs.

Connectors are currently not supported on Windows and Linux sensors. To use MS CA and Qualys connectors, use the latest Docker sensor.

Trust Lifecycle Manager now supports issuing certificates from the customer's Microsoft CA.

To enable Microsoft CA support, users must install DigiCert Microsoft CA remoting service and DigiCert Sensor. Once configured, to import and issue certificates in Trust Lifecycle Manager, add one Microsoft CA connection for each internally hosted Microsoft CA.

Added a new Microsoft CA private server certificate profile template to create profiles with these enrollment methods: 

Learn more about Microsoft CA integration.

Added support for a new Qualys connector to import certificate data discovered using Qualys scans. Imported data is available on the Trust Lifecycle Manager certificates page in line with data from other sources. This data can be used to manage notification and alerting, automated lifecycle management, and perform other tasks.

Learn more about Qualys integration.

Trust Lifecycle Manager now supports automation of the following web servers:

Administrators can install an agent on the target server to facilitate automation flows, similar to that for sensors. Existing profiles have been updated to add a new "agent" enrollment method. You can download agents from the TLM resource page. After installation, agents are managed from the new Agent section in Trust Lifecycle Manager.

Learn more about agent-based automation.

A new custom report generation feature allows account owners with appropriate reporting permission to create up to 10 reports to be generated offline/asynchronously and be available for 30 days after creation.

Users can select the Create custom report button, available on the Certificates page under the Create report icon above the table. The reporting wizard appears to guide you through report creation.

When a report is generated, an email is sent to the user who created the report.

All created/custom reports are available from the new Report library page inside the Report & Auditing menu option, where you can:

Learn more about custom report generation.

Enhanced public-facing pages for enrollments making use of enrollment codes for authentication. These pages now show the number of failed authentication attempts as well as the maximum number of attempts allowed by the profile before locking the enrollment.

Added two new options to the certificate status field:

Added separate view, create, and manage permissions for connector pages.

Trust Lifecycle Manager administrators can now install the DigiCert Sensor on Windows or Linux machines.

Resolved issue with some email templates not being displayed for profiles configured with the SAML IdP authentication method with the Enforce manual approval checkbox enabled.

Resolved issue when uploading certificates from an external system bound to an imported seat type. After suspending the certificate via the UI, the certificate status in Trust Lifecycle Manager was correct (showing a status of Suspended), but the revocation request to CA Manager was not submitted, causing the status to be shown as Valid and validation services not reflecting the correct status.

Added new actions available from the enrollments page, for enrollments linked to a profile configured with an enrollment code authentication method. This allows an authorized administrator to:

Also added a configuration option for profiles configured with the enrollment code authentication method, to set the maximum number of incorrect enrollment code authentication attempts before locking.

For profiles configured from the “Generic Private Server” template, added an Auto-copy from SAN: dnsName checkbox for the Subject DN - Common Name field. This automatically copies the value into the dnsName field, regardless of whether this field is configured in the profile or not.

If a profile is configured with a dnsName field and a certificate request already contains one or multiple dnsName values, the Common Name value will appear automatically at the top of the list.

Customers with unmanaged or imported seat licenses can configure a certificate expiration email to be sent before the uploaded certificate expires. This configuration page is now available under the Settings - Uploaded certificates expiration menu, and will be visible only when an account has been allocated with Unmanaged and/or Imported seats/licenses.

For third-party ACME client-based flows, we added a new parameter option for the client to explicitly ask Trust Lifecycle Manager to issue a new certificate from CertCentral irrespective of the status of the previous certificate. This allows users to enforce a re-enrollment in addition to the already available options to renew, reissue, or get a duplicate certificate.

Sample ACME URL: https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=enroll

Resolved an issue with renewal emails not being sent to end users. We have introduced a 30-second timeout period for the hourly job that takes care of sending renewal email reminders, when not receiving a response from the SMTP server responsible for sending the email.

Resolved issue with not being able to upload unmanaged and imported certificates using a two-digit Subject DN country value in lowercase. We now support the upload of country values as case-insensitive values.

Support for three new X.509 certificate extensions, which users can configure in the profile wizard:

For profiles configured with the “Manual approval” authentication method, you can use the new manual-enrollment API endpoint to submit a certificate request via API and drop it into the queues for authorized administrators to review and manually approve it or reject it.

Once a request has been manually approved, the user will receive an email with instructions on how to download the certificate via the currently supported web-based enrollment methods: CSR, Browser PKCS12, and DigiCert Trust Assistant.

Enables a profile, with the SAML IdP authentication method, to be configured with a SAML single logout URL. This allows an end user to click on a Single Logout link displayed on the public-facing enrollment pages, which forces the logout of all connected SAML sessions on both the Service Provider and the Identity Provider.

DigiCert Trust Assistant support for the issuance of public S/MIME certificates (escrowed or non-escrowed, depending on the profile configuration) from PKI Platform 8 accounts, using the following authentication methods:

Added a Seat type filter to the Profile List page to allow profiles to be filtered by a seat type.

Enhanced the “Valid to” filter inside the Certificates list page to support three new filters, in addition to searching between a date range:

Enabled the Browser PKCS12 enrollment method and associated authentication methods, which are Manual approval, Enrollment code, and SAML IdP.

Resolved a known issue that incorrectly showed the “Create custom report” button on the Certificates, Enrollments, and Seats List pages

Resolved an issue with Certificate and Seat consumption chart widgets within the Dashboard not displaying the correct data.

Resolved issues with errors being displayed on the Certificates and Enrollments pages after the Issuing CA had been unassigned from an account. When the issue occurs on the Certificates page, a Not resolved label now appears in the Issuing CA column.

Added new subject DN field, Organization identifier (OID - 2.5.4.97), to the Generic User Certificate template.

Fixed an error that occurred when using the API to import a certificate.

Fixed an error where the instant reporting button failed to download data.

On the Certificates page, the "Create report" dropdown menu shows an option to "Create custom report," but nothing happens when this is selected. This feature will be implemented in a future release; the button was displayed erroneously.

Translations added for all languages.

Fixed an issue where users were not able to see the page for editing connector details.

Fixed an issue where users were not able to create a CA Manager profile.

Cross-browser and cross-platform client for certificate provisioning and management on software keystores and hardware tokens. This initial release delivers:

The client is available as a new Enrollment Method for the Generic User Certificate template, and supports the following Authentication methods:

Check the Administration and User guides for more information:

A new source column and filter are added to views. Source is defined by how the certificate was discovered (API Discovery, CA connector etc).

Ability to configure a SCEP-enabled profile with a global enrollment code that will be used to automatically issue certificates via SCEP to unregistered devices, without the need to previously create a Seat or an Enrollment.

For the UniqueIdentifier field:

The internal MariaDB version was upgraded and qualified to use 10.6.11. This is of particular interest to DigiCert ONE on-premises customers.

Use IP address in place of domain names for private certificate issuance.

Added the template use cases and description to the initial page when creating or editing a profile.

Updated the breadcrumbs for all the pages under the “Manage” menu item to reflect the correct navigational structure. Approval/rejection emails sent to administrators for profiles configured with the “Manual approval” flow now contain a URL with the word “manage” in the patch.

Updated the DigiCert Autoenrollment Server to version 2.23.1.0 with the below enhancements:

Enhancement to only display the allowed country list with their 2-letter ISO country codes as part of dropdown lists within various application locations:

For all data tables including certificate views, if there is no data for a given row, a hyphen is shown to represent “no data”.

Add validation based on CertCentral product settings for wildcard products and products when they support SANs.

The sensor copyright version changed to 2023.

Removed auto-refresh for all views except Managed Automation view. Streamlined refresh to be inline for the grid alone instead of refreshing the whole page. Auto-refresh preserves user state and ongoing actions.

Fixed deep links from the dashboard graphs to sensor, sensor connections, managed automation, and other pages to filter and align to the data shown in the graphs.

Resolved a miss-configuration issue with the Device Authentication for Microsoft Intune (SCEP) template auto-copying the Common Name value to the DNS Server field and causing errors with CA Manager.

Resolved a connection issue against the Hello API endpoint that was introduced after last month's rebranding.

Resolved issue with not being able to revoke certificates associated with the Imported seat type, which were uploaded to an account via their certificate-import API endpoint.

Key pair generations using ECDSA NIST p-521 curves on Windows and macOS keystores fail with a csr_signature_failed error. Smaller curve sizes work successfully (p-256 and p-384).

Updated all references to Enterprise PKI Manager to reflect the product’s new name: Trust Lifecycle Manager.

Rebranded the Enterprise PKI Manager application to Trust Lifecycle Manager. Assets that have been rebranded include:

Additionally, the “EPKI” certificate view has been removed from the default system views. Customers can make use of the “All Certificate” system view to filter the same certificate data and create their own custom views.

The new Public S/MIME Secure Email (via PKI Platform 8) certificate profile template leverages DigiCert PKI Platform 8 to issue public S/MIME RSA email signing and encryption certificates linked to a user seat.

Certificate requests can be enrolled and authenticated by these methods:

To learn more about this feature, see Public S/MIME Secure Email (via PKI Platform 8) template.

Issue DV certificates on sensor connections managed using certificate lifecycle automation. Create DNS integrations that allow sensors to fulfill DCV challenges to issue DV certificates to appliances and cloud providers.

In case of compromise or account consolidation, select more than one certificate to renew or reissue certificates in bulk.

With this release we are introducing the TLM connectors framework. This framework will help drive integrations in the future.

A new CertCentral connector is being added to:

With introduction of connectors the “Link to CertCentral” feature is rolled into the CertCentral Connector.

Customers can now perform domain control validation (DCV) for pre-validated OV/EV organization Public TLS certificates from CertCentral using ACME.

With this release, clients can demonstrate domain control using either DNS (ACME DNS.01) or HTTP (ACME HTTP.01) methods for their OV/EV requests. This option is only available when other organization and extended validations are already completed.

TLM ACME server is no longer creating challenge requests for prevalidated domains during ACME flows.

This will simplify client-side workflows where a dummy validation needs to be hosted by the client. This in turn means that:

Most appliances such as F5 and Citrix ADC require that an organization be specified when creating a CSR during automation. CA Manager - Private Server has been enhanced to accept an organization that can be used for such automation workflows.

Fixed an issue with the creation of automation certificate profiles.