CA Manager
2023 releases
November 29, 2023
DigiCert® ONE version: 1.6392.5 | CA Services: 1.630.0
New
Client escrow keys expiration now editable via API
This functionality now mirrors the UI.
Enhancements
Provide metadata with escrow keys
DigiCert ONE managers now get additional information about an escrow key when using the GET /hsm/partition API endpoint.
Fixes
Partition status displays made consistent
‘Enabled’ is now the common term for active registered partitions, and status boxes all render the same.
Keyper HSM host link goes to bad URL
The link now goes to the proper edit page.
Unable to change which partition provides the default escrow options
A bug had blocked changing the default partition; this is now fixed.
Default escrow partition may be reassigned
The partition designated as the default escrow partition is always available to all users.
Additional minor UI and functional fixes
November 15, 2023
DigiCert® ONE version: 1.6392.4 | CA Services: 1.622.0
New
Disable and Reenable
Roots and ICAs now may be “Disabled”, which suspends issuance, signing, CRL and OCSP response generation, and any other use of the certificate until it is reenabled. Disabled CA certificates show “Disabled” status in the Root or ICA table and do not appear in dropdown menus.
To disable or reenable a CA, select the option from the 3 dot button on that certificate’s detail page.
Revoke CA
ICAs now may be “Revoked”—this option is selected from the 3 dot button on that certificate's details page.
Revoking is a two-person effort: one admin requests the revocation, supplies the appropriate reason code and any details, and selects an approver. The approver receives an email with the revocation request and a link, and can then approve or deny the request.
Only private trust CAs revoked with the reason “On Hold” can later be un-revoked. Otherwise the revoke is permanent.
Note
To prevent the system from signing OCSP, CRL or using the revoked CA, the CA will also be disabled as part of the process.
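To make the two-person revocation flow concrete, the following Python is an added model of the rules stated above and is not DigiCert's code: the requester and approver must be different admins, only the designated approver can decide, the CA is disabled as part of revocation, and only a private-trust CA revoked with the reason “On Hold” (certificateHold in RFC 5280) can later be un-revoked. The class and function names (RevocationRequest, can_unrevoke, unrevoke, is_usable), the status strings, and the choice to leave an un-revoked CA in the Disabled state until it is explicitly reenabled are assumptions; the reason codes are the RFC 5280 CRLReason values.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Reason(Enum):
    """CRLReason codes from RFC 5280 section 5.3.1; the UI's "On Hold" is certificateHold."""
    UNSPECIFIED = 0
    KEY_COMPROMISE = 1
    CA_COMPROMISE = 2
    AFFILIATION_CHANGED = 3
    SUPERSEDED = 4
    CESSATION_OF_OPERATION = 5
    CERTIFICATE_HOLD = 6
    PRIVILEGE_WITHDRAWN = 9


@dataclass
class CA:
    name: str
    private_trust: bool                 # public-trust CAs can never be un-revoked
    status: str = "Enabled"             # Enabled | Disabled | Revoked (assumed status strings)
    revocation_reason: Optional[Reason] = None


def is_usable(ca: CA) -> bool:
    """Only an Enabled CA may issue, sign CRLs or sign OCSP responses."""
    return ca.status == "Enabled"


@dataclass
class RevocationRequest:
    ca: CA
    requester: str
    approver: str
    reason: Reason
    details: str = ""
    state: str = "pending"              # pending | approved | denied

    def __post_init__(self) -> None:
        # Separation of duties: the admin who requests may not also approve.
        if self.requester == self.approver:
            raise ValueError("requester and approver must be different admins")
        if self.ca.status == "Revoked":
            raise ValueError(f"{self.ca.name} is already revoked")

    def decide(self, actor: str, approve: bool) -> str:
        """The designated approver approves or denies; anyone else is refused."""
        if actor != self.approver:
            raise PermissionError("only the designated approver may act on this request")
        if self.state != "pending":
            raise ValueError("request has already been decided")
        if not approve:
            self.state = "denied"
            return self.state
        # Revoked implies disabled: is_usable() is false, so the CA signs nothing further.
        self.ca.status = "Revoked"
        self.ca.revocation_reason = self.reason
        self.state = "approved"
        return self.state


def can_unrevoke(ca: CA) -> bool:
    """Only private-trust CAs revoked with certificateHold can be un-revoked."""
    return (ca.status == "Revoked" and ca.private_trust
            and ca.revocation_reason == Reason.CERTIFICATE_HOLD)


def unrevoke(ca: CA) -> None:
    if not can_unrevoke(ca):
        raise ValueError(f"{ca.name}: revocation is permanent")
    # Assumption: the CA stays Disabled until an admin explicitly reenables it.
    ca.status = "Disabled"
    ca.revocation_reason = None
```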
Qualified statement support for private certificates
CA services now supports the full range of qualified statements for use in end-entity certificates.
ETSI-compliant Qualified statement support
[On-premises only] Additionally, end-entity templates that follow ETSI requirements exist to support issuance of Qualified Natural Person and Qualified Legal Person certificates. OCSP uses ArchiveCutoff (with the date set to the parent CA’s notBefore date), and CRLs are full-and-complete. The ExpiredCertsOnCRL extension (see below) is also available.
CA revocation revokes all child certificates (subordinate CAs and end-entity certificates), after which a final CRL is published and the CA itself is revoked. As noted above, revoking a CA is a request-and-approval process.
Note
These templates follow ETSI guidelines, but they are Qualified-compliant only if the on-premises customer passes an ETSI audit to operate as a QTSP.
Enhancements
CRL extension: ExpiredCertsOnCRL
[On-premises only] Private and Qualified trust certificate CRLs now may optionally use the CRL extension ExpiredCertsOnCRL, which retains the status of revoked certificates for a selected duration after they expire. Both partition-scope CRLs and full-and-complete CRLs support this extension. In this first release, the option must be selected during CA creation, from the CRL settings, by selecting the checkbox “Include revoked certificates in this CA's CRL even after they expire”.
Note
Use of this extension may result in very large CRLs and impact performance.
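The ArchiveCutoff setting for OCSP (in the Qualified templates above) and the ExpiredCertsOnCRL extension here both answer the same relying-party question: once a certificate has expired, can a revocation source that normally drops expired entries still be trusted about it? Without either, an expired certificate's absence from the CRL or responder proves nothing; with them, the source remains authoritative for every certificate that expired on or after the stated date, which is why setting ArchiveCutoff to the issuing CA's notBefore covers everything that CA ever issued. The following Python is an added illustration of that decision for both sources, not DigiCert's code; the function names, the 'unknown' outcome and the sample dates and serials are assumptions.

```python
from datetime import datetime, timezone
from typing import Optional, Set


def crl_is_authoritative(cert_not_after: datetime, now: datetime,
                         expired_certs_on_crl: Optional[datetime]) -> bool:
    """Can this CRL speak for the certificate?

    A CRL without expiredCertsOnCRL lists only unexpired certificates, so once
    notAfter has passed, absence from the list proves nothing. With the extension,
    the CRL keeps every revoked certificate that expired on or after the extension's
    date, so the answer is still reliable for those.
    """
    if cert_not_after >= now:
        return True                      # not yet expired: ordinary CRL rules apply
    if expired_certs_on_crl is None:
        return False                     # expired and the CRL has dropped it: unknown
    return cert_not_after >= expired_certs_on_crl


def ocsp_is_authoritative(cert_not_after: datetime, now: datetime,
                          archive_cutoff: Optional[datetime]) -> bool:
    """Same rule for OCSP ArchiveCutoff (RFC 6960 section 4.4.4): the responder retains
    revocation information for certificates that expired on or after the cutoff date."""
    if cert_not_after >= now:
        return True
    if archive_cutoff is None:
        return False
    return cert_not_after >= archive_cutoff


def status_from_crl(serial: int, cert_not_after: datetime, now: datetime,
                    revoked_serials: Set[int],
                    expired_certs_on_crl: Optional[datetime]) -> str:
    """Return 'revoked', 'good', or 'unknown' (the CRL cannot say)."""
    if serial in revoked_serials:
        return "revoked"
    if crl_is_authoritative(cert_not_after, now, expired_certs_on_crl):
        return "good"
    return "unknown"


# Constructed sample: a CA that started in 2020 and a certificate that expired mid-2023.
UTC = timezone.utc
CA_NOT_BEFORE = datetime(2020, 1, 1, tzinfo=UTC)       # used as the OCSP ArchiveCutoff
NOW = datetime(2023, 11, 15, tzinfo=UTC)
CERT_NOT_AFTER = datetime(2023, 6, 1, tzinfo=UTC)
REVOKED = {1, 2}                                        # constructed revoked serials

if __name__ == "__main__":
    print(status_from_crl(4242, CERT_NOT_AFTER, NOW, REVOKED, None))
    print(status_from_crl(4242, CERT_NOT_AFTER, NOW, REVOKED, datetime(2023, 1, 1, tzinfo=UTC)))
    print(ocsp_is_authoritative(CERT_NOT_AFTER, NOW, CA_NOT_BEFORE))
```

The asymmetry matters for the size warning in the note above: every extra day the extension keeps revoked entries alive is a day longer the CRL stays authoritative for expired certificates, and a day more of entries that never leave the list.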
Known issues
November 1, 2023
DigiCert® ONE version: 1.6392.1 | CA Manager: 1.617.0
New
Two-factor authentication (2FA) requirement
Starting November 1, 2023, at 18:00 MDT (November 2, 2023, at 00:00 UTC), we will require all DigiCert ONE accounts to use two-factor authentication (2FA).
You will use both your credentials and a one-time password to access your account. When you log in to your DigiCert ONE account on November 1, you will be prompted to set up two-factor authentication. If you have already enabled two-factor authentication in Account Manager before this date, no further action is necessary.
How to enable two-factor authentication in Account Manager.
Note
If you use single sign-on (SSO) to access your DigiCert ONE account, the new two-factor authentication requirement does not affect you. However, the requirement will activate if you modify your SSO settings.
Enhancements
Partition detail page now includes the ability to adjust the security level setting, providing more direct access for editing these configurations.
Fixes
After updating the AIA using a .P7C file, the audit log will now correctly display the associated filename.
UI has been corrected to remove the option to disable an already disabled master escrow key, eliminating the previous redundancy.
Known issues
The HSM section currently shows the Remote Proxy menu due to ongoing development. It is not intended for general use at this stage. Expect further updates for its full integration.
October 18, 2023
DigiCert® ONE version: 1.6201.3 | CA Manager: 1.613.0
New
Multi-partition escrow support and other escrow enhancements
CA services now allows multiple HSM partitions to provide key escrow services—though you should designate one as a fallback/default. Additional improvements have been made to facilitate key escrow activities and information.
Partition security level indicator for escrow
HSM partitions designated for escrow should also indicate their relative security level, so that escrow requests from managers can be directed to the right HSM.
Security levels run from 1 (lowest) to 3 (highest).
Level 1 indicates low security (for example, SoftHSM). Level 3 is for FIPS-certified HSMs, such as Luna 7 HSMs, even if FIPS mode is not necessarily enabled.
Level 2 is in between and is decided by the customer for their dedicated or on-premises HSMs. All DigiCert-attached Lunas are set to 3.
Escrow key and partition information endpoint
Managers may call CA services to obtain information about an escrow key—such as its expiry and the security level of the partition that houses it.
Escrow key expiry and deletion
When creating escrow keys, an expiry date may be set so that expired keys are deleted to free up space.
Managers may now delete unused escrow keys directly.
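The escrow changes in this release fit together as one policy: a manager states the security level it needs, only an “Enabled” partition at or above that level may hold the key, the designated default is the fallback, and keys carry an expiry so stale material does not accumulate. The following Python is an added model of that policy and is not DigiCert's code; the Partition and EscrowKey structures, the function names, the rule that an unsatisfiable request is refused rather than downgraded, and the sample partitions and keys are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Partition:
    name: str
    security_level: int       # 1 low (e.g. SoftHSM), 2 customer-decided, 3 FIPS-certified (e.g. Luna 7)
    status: str               # "Enabled" is the term for an active registered partition
    is_default: bool = False  # the designated fallback/default escrow partition


@dataclass
class EscrowKey:
    key_id: str
    partition: str
    expires: Optional[date]   # None means the key never expires
    in_use: bool


def choose_escrow_partition(partitions: List[Partition], minimum_level: int) -> Partition:
    """Pick the partition for a new escrow key.

    Only enabled partitions at or above the requested level qualify. Among those the
    designated default wins, otherwise the highest security level. A request nothing
    satisfies is refused rather than silently placed on a weaker HSM (assumed policy).
    """
    if not 1 <= minimum_level <= 3:
        raise ValueError("security level must be 1, 2 or 3")
    candidates = [p for p in partitions
                  if p.status == "Enabled" and p.security_level >= minimum_level]
    if not candidates:
        raise LookupError(f"no enabled escrow partition at security level >= {minimum_level}")
    for p in candidates:
        if p.is_default:
            return p
    return max(candidates, key=lambda p: p.security_level)


def keys_to_purge(keys: List[EscrowKey], today: date) -> List[str]:
    """Ids of keys whose expiry date has been reached (automatic clean-up)."""
    return [k.key_id for k in keys if k.expires is not None and k.expires <= today]


def keys_deletable_by_manager(keys: List[EscrowKey]) -> List[str]:
    """Ids of unused keys a manager may delete directly."""
    return [k.key_id for k in keys if not k.in_use]


# Constructed sample inventory (names and levels are illustrative).
PARTITIONS = [
    Partition("softhsm-dev", 1, "Enabled"),
    Partition("luna-a", 3, "Enabled", is_default=True),
    Partition("onprem-luna", 3, "Disabled"),   # registered but not active: never selected
    Partition("customer-hsm", 2, "Enabled"),
]
KEYS = [
    EscrowKey("k1", "luna-a", date(2023, 12, 1), in_use=True),
    EscrowKey("k2", "luna-a", date(2023, 10, 1), in_use=False),
    EscrowKey("k3", "softhsm-dev", None, in_use=False),
]

if __name__ == "__main__":
    print(choose_escrow_partition(PARTITIONS, 2).name)
    print(keys_to_purge(KEYS, date(2023, 11, 15)))
    print(keys_deletable_by_manager(KEYS))
```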
October 12, 2023
DigiCert® ONE version: 1.6201.2 | CA Manager: 1.609.0
New
CRLs for qualified certificates must be full and complete
Preparatory work to support qualified trust certificate issuance by on-premises QTSPs ensures that CRLs created for such certificates are full and complete.
Fixes
Updated and created dates matching in offline requests
Corrected a problem where updating a request also set that date as the created date. The created date is now preserved.
October 4, 2023
DigiCert® ONE version: 1.6201.1 | CA Manager: 1.606.0
New
Reject or Delete an offline request for ceremony
You can now reject or delete offline requests, which returns any allocated keypair to the public pool.
September 28, 2023
DigiCert ONE version: 1.6074.9 | DigiCert® CA Manager 1.600.0
Fixes
LEI Extension setting
Corrected an issue where the LEI certificate extension could not be set to “Optional”.
Prevent the revoking of an already revoked certificate
Corrected an error in the API that allowed a revoked certificate's revocation date to be moved forward. Now only backdating is allowed for public certificates.
Other minor backend bugfixes
September 20, 2023
DigiCert® ONE version: 1.6074.7 | CA Manager: 1.600.0
New
Qualified statement support
End-entity certificates may now be issued containing Qualified statements. Additional backend work has been prepared to allow issuance of ETSI-compliant certificates and lifecycle management to come in future releases.
September 13, 2023
DigiCert® ONE version: 1.6074.4 | CA Manager: 1.596.0
Enhancements
User interface updates
Updated user experience to improve accessibility.
Fixes
HSM connectivity
Fixed bugs that were affecting HSM connectivity.
June 28, 2023
DigiCert® ONE version: 1.5428.8 | CA Manager: 1.573.0
New
Custom extensions support
DigiCert ONE managers, such as Trust Lifecycle Manager and IOT Trust Manager, now support custom certificate extensions using JSON-based ASN.1 templating. This removes additional steps for certain workflows.
GlobalPlatform certificate revocation
Revocation is enabled for GlobalPlatform certificates through IOT Trust Manager.
Fixes
Creating a CA with pathLen configured
Fixed an issue where creating a CA with pathLen configured resulted in an error.
Data Protection on Demand (DPoD) partitions list
Fixed an issue where no partitions showed as available after a DPoD had been initialized.
Events in logs all action options
The list of actions available to filter on now shows all actions, instead of a random subset of them.
Responder generation settings
Fixed an issue where, when editing the responder generation settings with Auto-generate OCSP responder certificates deselected, the other elements remained modifiable. Those options are no longer modifiable when Auto-generate OCSP responder certificates is deselected.
May 17, 2023
DigiCert® version: 1.5118.6 | CA Manager: 1.555.1
Enhancements
HTTPS OCSP domains
OCSP (Online Certificate Status Protocol) domains now can be registered as HTTPS. Such domains display with an “(HTTPs)” suffix in the dropdown menu. Domains still must be unique, so HTTP and HTTPS versions of the same domain cannot both exist. At this time, only OCSP supports HTTPS.
Offline request details include Extended Key Usages
When reviewing offline requests for ceremony, included EKUs from the selected template are now displayed below the Policy Extension OIDs (Object Identifiers).
Fixes
Long CRL paths overlapping other page data
If an active CRL (Certificate Revocation List) with a long file path was displayed, it overflowed into other page details. It is now truncated with an indicator and can be viewed in full on mouseover.
April 19, 2023
DigiCert® version: 1.4957.3 | CA Manager: 1.526.0
Fixes
Incorrect preview of setting in CA details page
The read-view of the CRLDP settings now reflects the updated setting.
Log records for HSM partitions were not helpful
The logs for Hardware Security Module (HSM) partitions are now in common language.
Unable to assign another admin to export certificates
Corrected an issue with the API that prevented the list of available admins from being displayed in the assignment list.
Error on Offline Request form
Date picker no longer overlaps icon.
April 5, 2023
DigiCert® version: 1.4957.1 | CA Manager: 1.526.0
Fixes
March 22, 2023
DigiCert® version: 1.4083.6 | CA Manager: 1.522.0
New
Ceremony Manager for CA renewals
Added Renew option to upload the original certificate for recertification when creating an offline request.
Enhancements
Prevent CRL scope changes from breaking the CRL
Fixed a bug that caused errors when a CRL was changed from full-and-complete to a "lesser" scope. The interface now blocks changes that would break the CRL and alerts the requestor.
Fixes
Breadcrumb placement
Breadcrumbs have been moved below the header.
Error returned when creating duplicate key for escrow wasn’t helpful
A more useful error is returned when a user tries to create an identical escrowed key.
March 9, 2023
DigiCert® version: 1.4803.0 | CA Services: 1.516.0
Fixes
Subject Alternative Name: dnsName character limit corrected
SAN dnsName now supports up to 255 characters/octets.
Subject Alternative Name incorrectly requires country code
The country code is now optional within private SANs.
IssuerAlternativeName not included without SAN: DirectoryName
Including the IssuerAlternativeName is no longer dependent on the SAN extension having a DirectoryName.
Various minor accessibility improvements
Various minor accessibility improvements were added.
February 8, 2023
Enhancements
Branding
Updated icons and names to reflect current branding for DigiCert ONE® services.
Import .p12-formatted responders
CA Manager now allows importing OCSP responders in p12 format.