
Trust Lifecycle Manager

May 24, 2023

DigiCert® version: 1.5118.8 | Trust Lifecycle Manager: 1.1597.0

Enhancements

Windows and Linux sensor auto-upgrade

From this release, Trust Lifecycle Manager will support automatic sensor updates for Windows and Linux sensors.

Users will have the option to set upgrades to manual for one or more sensors. They will be prompted to update whenever an upgrade is available.

Email confirmation template

Introduced a new email confirmation template. This email template can be enabled and customized when configuring a profile with the “Manual approval” authentication method, so that users can optionally receive an email confirmation after successfully submitting a certificate enrollment request.

Bulk enrollments

Bulk enrollment actions for the Enrollments page are now inside the table instead of at the bottom of the page.

Log events based on resource type

Dynamically show the correct log events based on the resource type.

Fixes

Unnecessary alert state

Fixed an issue where CertCentral profiles were set to “Action Needed” even though there was no configuration problem.

May 17, 2023

DigiCert® version: 1.5118.6 | Trust Lifecycle Manager: 1.1557.0

New

Seat naming changes

  • Renamed Unmanaged seat type to Discovery.

  • Renamed Automation seat type to Certificate management. When deleting a Certificate management seat, you will have the option to revoke certificates associated with the seat.

Show TLM features in Account Manager

The Account Manager application will expose a set of features for the Trust Lifecycle Manager application and can be enabled/disabled per account, enforced by Trust Lifecycle Manager. This is particularly meant to help DigiCert ONE on-premises customers. Features include:

  • Enrollment methods: REST API, Browser PKCS12, CSR, SCEP, EST, Microsoft Autoenrollment, ACME/Agent/Sensor (enabled/disabled via the Automation feature)

  • Custom reports

  • Reporting (email)

Seat creation logic

Updated seat creation logic for automation methods (ACME, sensor, agent) to create seats per website (i.e., combination of unique CN+IP+Port) for both server and certificate management seats.

Enhancements

YubiKey slot selection in DigiCert Trust Assistant

DigiCert Trust Assistant now supports selecting the YubiKey slot where keys are to be created when configuring a profile with the YubiKey hardware token.

SCEP support for SHA-384

The SCEP GetCACaps response now supports the SHA-384 hashing algorithm. Use this URL to check the response: https://one.digicert.com/mpki/api/v1/scep/cgi-bin/pkiclient.exe?operation=GetCACaps

REST API update

New REST API PUT status endpoint to change the status of enrollment requests from pending to either approve or reject, for enrollments linked to profiles configured with the "Manual approval" authentication flow. See Trust Lifecycle Manager REST API reference.

Connectors support

Connectors are now a separate feature in Account Manager (separated from automation) and can be enabled or disabled for a given account.

Environment support for agents

Downloaded agents are now preconfigured with the correct environment information (US vs NL, etc.) so that installation can proceed without configuration changes.

Fixes

MSCA issued certificates

Fixed an issue where users were unable to revoke an MSCA issued certificate from the UI.

Sensor version issue

Fixed an issue where sensor versions were not resolving in Windows and Linux sensors.

Sensor update issue

Fixed an issue where users were unable to update the heartbeat of an active sensor if the sensor was not assigned to a business unit.

Refresh configuration

Fixed an issue that was preventing refresh configuration for sensor connections.

May 3, 2023

DigiCert® version: 1.5118.1 | Trust Lifecycle Manager: 1.1518.0

New

Provide customizable user instructions for download

For profiles configured with the Manual approval authentication method, you can upload a file with specific instructions that a user can follow when installing a certificate. Examples are: configuring a WiFi or VPN client, configuring Outlook, or accessing a certificate-protected web resource.

  • Supported file formats: .txt, .ppt, .pptx, .doc, .docx, .pdf

  • Supported maximum file size: 10 MB

Users can download the file from the certificate confirmation and installation web pages.

Added connector column to certificate view

Added a column to certificate views to filter data by connector name.

Enhancements

Additional fields and enhancements for custom certificate reports

Split the first section of fields (certificate, automation, and other fields) into three sections:

  • Automation details

  • Profile details

  • Other details

Support for new fields to be added as part of the custom certificate report wizard:

  • Requestor email

  • Trust type

  • Seat ID mapping

Note

As mentioned in a previous release note, we removed the Certificate report link in the Reporting and auditing menu. We now support a more powerful reporting solution when creating offline custom reports from the certificates page.

Seat email address for server and device seats

Support for an optional seat email address when creating or editing server or device seats via the UI.

Chunking for large uploads

For large data coming in from Microsoft CA and other plugins, the sensor now supports breaking the upload into smaller chunks so that it can be uploaded via customer proxies. You can configure the chunk size on the sensor.

New Sensor version 3.8.57 released with multiple enhancements and fixes:

  • Microsoft CA and Qualys connector support on Windows and Linux sensors.

  • Update for chunking logic (all sensor types).

Note

Docker sensors need to be updated to the latest version for Microsoft CA and Qualys integrations to continue working.

Support for 1-day certificates for CA Manager Private Server Certificate profile templates

Users now have the option to choose 1-day validity for certificates issued from CA Manager for the following enrollment methods:

  • Agent

  • Sensor

  • ACME

Updates to certificate view column selector

The column selector on certificate views now shows available options in one or more columns to improve usability.

Fixes

Reintroduced Source column in certificate views

Fixed performance issues with the Source column. This column is now reintroduced to all certificate views.

April 19, 2023

DigiCert® version: 1.4957.3 | Trust Lifecycle Manager: 1.1487.0

New

DigiCert Trust Assistant support for new Software KeyStore (Windows only)

Added support for a new token type, DigiCert Software KeyStore, when configuring a profile with the DigiCert Trust Assistant enrollment method. This allows keys and certificates to be protected on the user’s machine within a proprietary software keystore with a user personal identification number (PIN).

A user must initialize DigiCert Software KeyStore after installing the DigiCert Key Store Provider (KSP) using elevated user permissions, e.g. local administrator Windows account.

Note

This new feature is only available for the Windows version of the DigiCert Trust Assistant, for which you need to download/install v1.1.0. (The Mac client continues to run on v1.0.0.) Support for Mac is planned for a future release.

For more details, see the following guides:

Delete business units

Added an action to the business unit (BU) list page that allows a BU to be deleted after all profiles and seats bound to that BU are deleted.

Agent DV automation

Administrators can now automate domain validated (DV) certificate lifecycle operations using the Trust Lifecycle Manager agent.

Enhancements

DigiCert Trust Assistant enhancements

Note

These enhancements are only available for the DigiCert Trust Assistant Windows release. We will update the Mac client in a future release.

  • Removed the default YubiKey attestation certificate from the list of certificates displayed for YubiKey tokens.

  • User experience (UX) changes to the import certificate process (e.g. importing a glck or pkcs12 file). Once the password is verified, the “Verify” button will change to “Import.”

  • UI changes to PIN verification and any errors displayed due to incorrect PINs. The error message is now displayed inline within the same PIN pop-up window, instead of a separate error notification.

Client tools - DigiCert Autoenrollment Server doc update

Replaced a link in the “Overview” section of the Client tools - DigiCert Autoenrollment Server page with a link to DigiCert documentation: https://docs.digicert.com/en/digicert-one/trust-lifecycle-manager/autoenrollment-server.html

Validation enhancements

  • Profile wizard - certificate policy validation: Added extra validation checks to the profile wizard when adding one or more certificate policy extensions to a profile.

  • Enrollment pages - dnsName validation: Added inline validation for dnsName values entered by users on the public-facing enrollment page before submitting.

Fixes

Dual admin approvals

Resolved an issue where users were unable to approve certificate requests bound to profiles configured with “Manual approval” authentication method and dual-admin approval flow.

Slow certificate enrollments for data-rich accounts

Resolved an issue with slow certificate enrollments for accounts with large amounts of data, which was caused by a reliant database table being locked for writing.

April 12, 2023

DigiCert® version: 1.4957.2 | Trust Lifecycle Manager: 1.1458.0

New

Agent settings page

This page allows users to set account level options for the following:

  • Manual vs. automatic agent approval

  • Blocked ports

Sensor details

Added sensor details page that will allow users to:

  • View sensor hostname, IP, and version information

  • Update debug settings

  • Change proxy port to be used by the agent when using sensor as a proxy

Agent notifications

Added agent lifecycle notifications for:

  • Agent activated

  • Agent error

  • Agent approval pending

  • Agent approved

  • Agent rejected

Application detection

With this release, agents have been enhanced to detect the application version during the initial discovery task. This application type and version will automatically be configured in the UI. Users will have an option to change these settings from the agent details page if needed.

Enhancements

Dashboard

  • Updated integrations graph to show agent status.

  • Added Agent error alert for automation.

ACME failures audit logs

Some third-party ACME clients have an issue where not all error messages are shown on the client CLI. As a workaround for this limitation, TLM has started logging ACME errors in audit logs.

Known issues

Connectors on Windows and Linux sensors

Connectors are currently not supported on Windows and Linux sensors. To use MS CA and Qualys connectors, use the latest Docker sensor.

April 5, 2023

DigiCert® version: 1.4957.1 | Trust Lifecycle Manager: 1.1432.0

New

Microsoft CA integration for server certificate

Trust Lifecycle Manager now supports issuing certificates from the customer's Microsoft CA.

To enable Microsoft CA support, users must install DigiCert Microsoft CA remoting service and DigiCert Sensor. Once configured, to import and issue certificates in Trust Lifecycle Manager, add one Microsoft CA connection for each internally hosted Microsoft CA.

Added a new Microsoft CA private server certificate profile template to create profiles with these enrollment methods: 

  • Sensor automation

  • Third-party ACME integrations

  • Agent automation

Learn more about Microsoft CA integration.

Qualys CertView integration

Added support for a new Qualys connector to import certificate data discovered using Qualys scans. Imported data is available on the Trust Lifecycle Manager certificates page in line with data from other sources. This data can be used to manage notification and alerting, automated lifecycle management, and perform other tasks.

Learn more about Qualys integration.

Web server automation using agent

Trust Lifecycle Manager now supports automation of the following web servers:

  • Internet Information Server (IIS)

  • Apache Tomcat

  • Apache web server

  • Nginx web server

  • IBM HTTP server

Administrators can install an agent on the target server to facilitate automation flows, similar to that for sensors. Existing profiles have been updated to add a new "agent" enrollment method. You can download agents from the TLM resource page. After installation, agents are managed from the new Agent section in Trust Lifecycle Manager.

Learn more about agent-based automation.

Advanced reporting for certificates

A new custom report generation feature allows account owners with appropriate reporting permission to create up to 10 reports to be generated offline/asynchronously and be available for 30 days after creation.

Users can select the Create custom report button, available on the Certificates page under the Create report icon above the table. The reporting wizard appears to guide you through report creation.

When a report is generated, an email is sent to the user who created the report.

All created/custom reports are available from the new Report library page inside the Report & Auditing menu option, where you can:

  • View the status of reports.

  • Download completed reports.

  • Re-run a saved report against the latest available data. The new report will be available for another 30 days.

Learn more about custom report generation.

Note

The Certificate report link under the Reporting & auditing menu option will be removed in the next monthly release.

Enhancements

Audit log enhancements

  • Displays an info banner to the user when more than 5,000 audit events are encountered. The banner shows how many audit log events match the search criteria and advises the user to use filtering options to narrow the search result.

  • A new audit log resource type, Email, stores audit log events related to email sending operations and will simplify troubleshooting email-related issues.

Number of authentication attempts

Enhanced public-facing pages for enrollments making use of enrollment codes for authentication. These pages now show the number of failed authentication attempts as well as the maximum number of attempts allowed by the profile before locking the enrollment.

Additional certificate status values for automation flows

Added two new options to the certificate status field:

  • Replaced represents certificates that are replaced on a server using automation.

  • Replaced External represents automated certificates that are found to be replaced outside Trust Lifecycle Manager during a discovery task.

New permissions for connector pages

Added separate view, create, and manage permissions for connector pages.

Native Windows and Linux sensors

Trust Lifecycle Manager administrators can now install the DigiCert Sensor on Windows or Linux machines.

Fixes

Missing email templates

Resolved issue with some email templates not being displayed for profiles configured with the SAML IdP authentication method with the Enforce manual approval checkbox enabled.

Incorrect certificate status when suspending imported seat

Resolved issue when uploading certificates from an external system bound to an imported seat type. After suspending the certificate via the UI, the certificate status in Trust Lifecycle Manager was correct (showing a status of Suspended), but the revocation request to CA Manager was not submitted, causing the status to be shown as Valid and validation services not reflecting the correct status.

March 23, 2023

DigiCert® version: 1.4803.6 | Trust Lifecycle Manager: 1.1380.0

Enhancements

Enrollment code enhancements

Added new actions available from the enrollments page, for enrollments linked to a profile configured with an enrollment code authentication method. This allows an authorized administrator to:

  • Unlock a locked enrollment code via the UI after the maximum number of attempts has been reached.

  • Reactivate an expired enrollment code.

  • View an enrollment code and URL for enrollments associated with private CAs. This action is hidden for enrollments associated with public CAs.

Also added a configuration option for profiles configured with the enrollment code authentication method, to set the maximum number of incorrect enrollment code authentication attempts before locking.

Auto-copy a SAN:dnsName field with the SubjectDN:commonName value

For profiles configured from the “Generic Private Server” template, added an Auto-copy from SAN: dnsName checkbox for the Subject DN - Common Name field. This automatically copies the value into the dnsName field, regardless of whether this field is configured in the profile or not.

If a profile is configured with a dnsName field and a certificate request already contains one or multiple dnsName values, the Common Name value will appear automatically at the top of the list.

March 15, 2023

DigiCert® version: 1.4803.2 | Trust Lifecycle Manager: 1.1356.0

Enhancements

Certificate expiration email template

Customers with unmanaged or imported seat licenses can configure a certificate expiration email to be sent before the uploaded certificate expires. This configuration page is now available under the Settings - Uploaded certificates expiration menu, and will be visible only when an account has been allocated with Unmanaged and/or Imported seats/licenses.

Additional option for ACME enrollment

For third-party ACME client-based flows, we added a new parameter option for the client to explicitly ask Trust Lifecycle Manager to issue a new certificate from CertCentral irrespective of the status of the previous certificate. This allows users to enforce a re-enrollment in addition to the already available options to renew, reissue, or get a duplicate certificate.

Sample ACME URL: https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=enroll

Fixes

Renewal reminder timeout for unmanaged/imported seats

Resolved an issue with renewal emails not being sent to end users. We have introduced a 30-second timeout period for the hourly job that takes care of sending renewal email reminders, when not receiving a response from the SMTP server responsible for sending the email.

Note

We will not make a second attempt to send the same failed email at the next hourly run, because failed emails could pile up and leave no room for new emails to be sent. However, emails will be sent every [90, 60, 30, 15, 10, 7, 5, 3, 2, 1] days depending on profile configuration. Therefore, if an email fails to be sent at 90 days before expiration, the next attempt will be made at 60 days, etc.

Lowercase country values for unmanaged and imported seats

Resolved issue with not being able to upload unmanaged and imported certificates using a two-digit Subject DN country value in lowercase. We now support the upload of country values as case-insensitive values.

March 9, 2023

DigiCert® version: 1.4803.0 | Trust Lifecycle Manager: 1.1349.0

New

New extensions

Support for three new X.509 certificate extensions, which users can configure in the profile wizard:

  • Subject Alternative Name (SAN) Directory Name extension, supported by the Generic User Certificate template.

  • Certificate Policies extension, supported by all the standard templates, with the exception of the Public S/MIME (via PKI Platform 8) and CertCentral templates. You can configure a Certificate Policy extension with just a private OID, or include User Notice and/or CPS URL fields.

  • Issuer Alternative Name extension, supported by the Generic User Certificate template, when configuring a profile with the REST API enrollment method.

New manual-enrollment REST API

For profiles configured with the “Manual approval” authentication method, you can use the new manual-enrollment API endpoint to submit a certificate request via API and drop it into the queues for authorized administrators to review and manually approve it or reject it.

Once a request has been manually approved, the user will receive an email with instructions on how to download the certificate via the currently supported web-based enrollment methods: CSR, Browser PKCS12, and DigiCert Trust Assistant.

Tip

Use the existing enrollment-details API endpoint to retrieve the status of a specific enrollment by submitting the enrollment Id.

SAML single logout

Enables a profile, with the SAML IdP authentication method, to be configured with a SAML single logout URL. This allows an end user to click on a Single Logout link displayed on the public-facing enrollment pages, which forces the logout of all connected SAML sessions on both the Service Provider and the Identity Provider.

Enhancements

DigiCert Trust Assistant for public S/MIME

DigiCert Trust Assistant support for the issuance of public S/MIME certificates (escrowed or non-escrowed, depending on the profile configuration) from PKI Platform 8 accounts, using the following authentication methods:

  • Manual approval

  • Enrollment code

  • SAML IdP

Updated menu items and other styling changes

  • Updated the left navigational menu items to use "sentence case" and follow DigiCert style guidelines. For example, “Business Unit” menu item becomes “Business unit”, “Reporting & Auditing” becomes “Reporting & auditing”, etc.

  • For public-facing enrollment pages:

    • Removed the colon after SDN and SAN section titles.

    • Updated the color, padding, margins, and font sizes of fixed field labels to meet DigiCert style guidelines.

  • Redesign of the audit logs details page to adhere to DigiCert design guidelines.

Seat object enhancements

  • Updated the GET Seat API endpoint to extend the response to include a seat_creation_date parameter showing the seat creation date.

  • Updated the Seat List web page to show an optional Created date column.

Profile wizard enhancements

  • Now allows for a maximum custom renewal window of up to 90 days.

  • Updated the renewal email template to also support sending renewal notifications up to 90 days in advance.

  • Variables inside the email templates are now alphabetically ordered.

Profile List page enhancement

Added a Seat type filter to the Profile List page to allow profiles to be filtered by a seat type.

Additional options in “Valid to” filter

Enhanced the “Valid to” filter inside the Certificates list page to support three new filters, in addition to searching between a date range:

  • By days, for example, certificates expiring in the next 7 days.

  • From a specific date, for example, certificates expiring after 1st March 2023.

  • Until a specific date, for example, certificates expiring before 15th March 2023.

Enhancements to the Generic Private Server Certificate template

Enabled the Browser PKCS12 enrollment method and associated authentication methods, which are Manual approval, Enrollment code, and SAML IdP.

Fixes

Create custom report button in various places

Resolved a known issue that incorrectly showed the “Create custom report” button on the Certificates, Enrollments, and Seats List pages.

Certificate and Seat consumption charts errors

Resolved an issue with Certificate and Seat consumption chart widgets within the Dashboard not displaying the correct data.

Error notifications on Certificates and Enrollment pages

Resolved issues with errors being displayed on the Certificates and Enrollments pages after the Issuing CA had been unassigned from an account. When the issue occurs on the Certificates page, a Not resolved label now appears in the Issuing CA column.

February 15, 2023

New

New organization identifier field

Added new subject DN field, Organization identifier (OID - 2.5.4.97), to the Generic User Certificate template.

Fixes

API error in distinguished name parsing

Fixed an error that occurred when using the API to import a certificate.

Instant reporting error

Fixed an error where the instant reporting button failed to download data.

Known issues

Custom report button appears but does not work

On the Certificates page, the "Create report" dropdown menu shows an option to "Create custom report," but nothing happens when this is selected. This feature will be implemented in a future release; the button was displayed erroneously.

February 9, 2023

Enhancements

Translations

Translations added for all languages.

Fixes

Edit connector details page not loading

Fixed an issue where users were not able to see the page for editing connector details.

CA Manager private profile creation with enrollment method as ACME shows blank page

Fixed an issue where users were not able to create a CA Manager profile.

February 8, 2023

New

DigiCert Trust Assistant

Cross-browser and cross-platform client for certificate provisioning and management on software keystores and hardware tokens. This initial release delivers:

  • Provisioning of RSA and ECDSA certificates to software keystores on Windows and macOS operating systems.

  • Provisioning of RSA and ECDSA certificates to hardware tokens such as Gemalto and YubiKey—see the Support Matrix page within the Client Tools page for details.

  • PIN management functionality for hardware tokens.

  • Generation of CSRs using a private key on a selected keystore or hardware token.

    Note

    Key size restrictions apply per token vendor.

  • Import and export of certificates. Supported formats: X509, PKCS#7, PKCS#12 and GLCK (a proprietary format consumed by the legacy PKI Client software used by PKI Platform 8 customers).

  • Manual and auto-update of the client.

The client is available as a new Enrollment Method for the Generic User Certificate template, and supports the following Authentication methods:

  • Manual approval

  • Enrollment code

  • SAML IdP

Check the Administration and User guides for more information:

Certificate tags

  • Ability to assign and manage tags for one or more certificates.

  • Allows users to assign tags of their choice which can later be used to filter data in views.

  • Available for all certificates issued or discovered by Trust Lifecycle Manager.

New Source column in views

A new Source column and filter have been added to views. Source is defined by how the certificate was discovered (API Discovery, CA connector, etc.).

Global Enrollment Code

Ability to configure a SCEP-enabled profile with a global enrollment code that will be used to automatically issue certificates via SCEP to unregistered devices, without the need to previously create a Seat or an Enrollment.

New User ID field and new data type for the UniqueIdentifier field

For the UniqueIdentifier field:

  • New Subject DN User ID field (OID - 0.9.2342.19200300.100.1.1) is supported by the Generic User Certificate template

  • For the existing Unique Identifier Subject DN field, the default encoding for the field is BitString. However, from this release onwards, an additional data type (PrintableString) can be selected when configuring this field inside the profile wizard to format the Unique Identifier value in either BitString or PrintableString. Supported by the Generic Private Server template.

Enhancements

MariaDB upgrade

The internal MariaDB version was upgraded and qualified to use 10.6.11. This is of particular interest to DigiCert ONE on-premises customers.

Support for IP Address in ACME and Sensor Automation flows

Use IP address in place of domain names for private certificate issuance.

Updated application logo and email templates

  • Updated the application logo displayed within the administrator pages to not include the word “Manager”.

  • Updated email templates to be consistent across all application flows, including the same footer making use of the Admin contact detail variables that need to be set in order to be displayed within the email notifications.

  • Email subject lines displayed within the profile wizard are used as email subject values when sending email notifications.

  • The “Your certificate is ready” email template supports a new variable called Cert Common name. Account administrators can optionally add the new variable to this email template.

Profile wizard enhancements

Added the template use cases and description to the initial page when creating or editing a profile.

Breadcrumb changes

Updated the breadcrumbs for all the pages under the “Manage” menu item to reflect the correct navigational structure. Approval/rejection emails sent to administrators for profiles configured with the “Manual approval” flow now contain a URL with the word “manage” in the path.

Note

URLs within emails that were already sent redirect to the new URL.

DigiCert Autoenrollment Server enhancements

Updated the DigiCert Autoenrollment Server to version 2.23.1.0 with the below enhancements:

  • Updated references from Enterprise PKI Manager to Trust Lifecycle Manager.

  • Partially masked the API KEY value within the Autoenrollment Server logs—only the first four characters are displayed in the log.

Friendly country list

Enhancement to only display the allowed country list with their 2-letter ISO country codes as part of dropdown lists within various application locations:

  • Admin-based enrollment pages

  • Profile wizard, when selecting a fixed Country value

  • Public-facing enrollment pages for end-users to select when enrolling for a certificate

Show "-" if there is no data in the table

For all data tables including certificate views, if there is no data for a given row, a hyphen is shown to represent “no data”.

Add validation in create automation flows for wildcard and SAN use cases

Add validation based on CertCentral product settings for wildcard products and products when they support SANs.

Sensor v3.8.54 release

The sensor copyright version changed to 2023.

Fixes

Auto-refresh for views

Removed auto-refresh for all views except Managed Automation view. Streamlined refresh to be inline for the grid alone instead of refreshing the whole page. Auto-refresh preserves user state and ongoing actions.

Intune Device template

Resolved a misconfiguration issue with the Device Authentication for Microsoft Intune (SCEP) template auto-copying the Common Name value to the DNS Server field and causing errors with CA Manager.

DigiCert Autoenrollment Server

Resolved a connection issue against the Hello API endpoint that was introduced after last month's rebranding.

Revocation of imported certificates

Resolved issue with not being able to revoke certificates associated with the Imported seat type, which were uploaded to an account via their certificate-import API endpoint.

Known issues

DigiCert Trust Assistant—ECDSA p-521 error

Key pair generations using ECDSA NIST p-521 curves on Windows and macOS keystores fail with a csr_signature_failed error. Smaller curve sizes work successfully (p-256 and p-384).

January 11, 2023

New

Application rebranding

Updated all references to Enterprise PKI Manager to reflect the product’s new name: Trust Lifecycle Manager.

Rebranded the Enterprise PKI Manager application to Trust Lifecycle Manager. Assets that have been rebranded include:

  • Product/administration portals

  • DigiCert documentation and API websites

  • Email templates

  • Knowledgebase articles

Additionally, the “EPKI” certificate view has been removed from the default system views. Customers can make use of the “All Certificate” system view to filter the same certificate data and create their own custom views.

Issuance of Public S/MIME certificates via DigiCert PKI Platform 8

The new Public S/MIME Secure Email (via PKI Platform 8) certificate profile template leverages DigiCert PKI Platform 8 to issue public S/MIME RSA email signing and encryption certificates linked to a user seat.

Certificate requests can be enrolled and authenticated by these methods:

Enrollment method

Authentication method

  • Browser PKCS12

  • DigiCert Trust Assistant

  • Manual approval

  • Enrollment code

  • SAML IdP

  • REST API

  • Third-party application

  • Enrollment code

To learn more about this feature, see Public S/MIME Secure Email (via PKI Platform 8) template.

Note

  • Existing PKI Platform 8 customers can simply share the API key with their DigiCert ONE Trust Lifecycle Manager account, where a new profile will be created to issue the Public S/MIME certificates. A matching profile will be automatically created within the PKI Platform 8 account.

  • Certificate lifecycle operations for Public S/MIME certificates issued via a DigiCert ONE Trust Lifecycle Manager account must be carried out within that account.

Managed automation - sensor DV

Issue DV certificates on sensor connections managed using certificate lifecycle automation. Create DNS integrations that allow sensors to fulfill DCV challenges to issue DV certificates to appliances and cloud providers.

Bulk actions on certificate lifecycle

In case of compromise or account consolidation, select more than one certificate to renew or reissue certificates in bulk.

  • Admin can select more than one certificate from Certificate section and trigger automation.

  • Admin can use APIs to bulk reissue certificates.

CertCentral Connector

With this release we are introducing the TLM connectors framework. This framework will help drive integrations in the future.

A new CertCentral connector is being added to:

  1. Issue private and public certificates. (Existing functionality will now use the connector instead of the CertCentral linking page.)

  2. Discover certificates. We can now pull certificate data from a linked CertCentral account into TLM.

    1. Users can define what data should be imported (valid certificates, certificates expired in last x days, revoked certificates).

    2. This data can be assigned to a BU at import and also tagged with user-defined labels. These labels will be available for search in the certificate views in a future release.

With the introduction of connectors, the “Link to CertCentral” feature is rolled into the CertCentral Connector.

Note

The “Link to CertCentral” page is no longer available.

Domain control validation for OV/EV using ACME

Customers can now perform domain control validation (DCV) for pre-validated OV/EV organization Public TLS certificates from CertCentral using ACME.

With this release, clients can demonstrate domain control using either DNS (ACME DNS.01) or HTTP (ACME HTTP.01) methods for their OV/EV requests. This option is only available when other organization and extended validations are already completed.

Enhancements

ACME - Skip validation for prevalidated domains

The TLM ACME server no longer creates challenge requests for prevalidated domains during ACME flows.

This will simplify client-side workflows where a dummy validation needs to be hosted by the client. This in turn means that:

  1. Cert-manager: client can bypass challenge creation and validation step.

  2. Certbot: hosting of dummy challenge on port 80 (with requirement that port 80 not be used by any other service) is no longer needed.

CA Manager - Private certificate automation on appliances

Most appliances such as F5 and Citrix ADC require that an organization be specified when creating a CSR during automation. CA Manager - Private Server has been enhanced to accept an organization that can be used for such automation workflows.

Patch

Automation certificate profiles

Fixed an issue with the creation of automation certificate profiles.