IoT Trust Manager
2023 releases
December 19, 2023
DigiCert® ONE version: 1.6573.3 | IoT Trust Manager: 1.570.0
Fixes
Mandatory field update
Issue details:
Problem: In an earlier update to the IoT Trust Manager REST API, the v1/certificate POST request was mistakenly updated to require the response_with_certificate_only parameter in the request body. The response_with_certificate_only field should be optional.
Resolution:
Update: This issue has been fixed. Now, on the v1/certificate POST request, the response_with_certificate_only field is correctly set as an optional request parameter.
December 7, 2023
DigiCert® ONE version: 1.6392.5 | IoT Trust Manager: 1.567.0
Enhancements
ACME Credentials Interface enhancement
Replaced old eye symbol with a modern icon, enhancing the ACME credentials interface on the Enrollment Profile Details page.
Added a sidebar link for quick access to ACME details, improving usability and security.
Certificate Profile UI simplification
Removed the "Required" toggle for non-modifiable settings on the Certificate Profile page. Affected settings include:
Certificate Signing Request, Certificate Value Field, Force Uniqueness, Key Type, Signature Algorithm, Validity Duration, and Renewal Settings
Enhanced Batch Reporting capabilities
New feature allows downloading detailed reports for all jobs, including completed and failed, from the Batch Details page.
Reports now provide insights into job outcomes, aiding in troubleshooting and decision-making.
Improved guidance for Enrollment Profile IP restrictions
Added informative helper text in the 'Limit by IP Address' section on the Create/Edit Enrollment Profile pages.
Text guides users on using IP ranges and wildcard entries, enhancing understanding of new capabilities.
November 8, 2023
DigiCert® ONE version: 1.6392.3 | IoT Trust Manager: 1.553.0
New
Simplified DigiCert Gateway Access Control for Solution Operators
A new feature has been released that enhances the administration of DigiCert Gateway access. Solution Operators can now extend DigiCert Gateway installation privileges to Server Administrators without requiring the latter to log into the DigiCert ONE portal or the Solution Operator to know the installation location in advance.
Feature highlights:
Invitation-based installation: Solution Operators can generate an invitation for Server Admins directly from the DigiCert ONE portal. This process involves providing a friendly name for the DigiCert Gateway and the Server Admin’s email address. An optional passcode can be added for added security.
Secure tokenized link: An email with a secure, tokenized link is sent to the Server Admin, allowing them to download the necessary encrypted invite file without direct portal access.
Complete oversight: Solution Operators are the boss. They can track whether the tokenized link has been used, view the history of invite emails, and resend invitations if necessary. Each new invitation revokes and invalidates the previous token and encrypted file for security purposes.
Flexible administration: Change the Server Admin email address at any time, which then triggers a new invitation. You can also delete a DigiCert Gateway record, which invalidates any outstanding invitations, and marks the Gateway as deleted.
Recovery options: In the event of a deletion, Solution Operators have the ability to undelete and resend invitations to Server Admins.
Cloning of enrollment profiles
In our latest product update, we have introduced new functionality that significantly streamlines the management of enrollment profiles. You can now effortlessly clone an existing enrollment profile directly from the enrollment list page.
What's new?
With a simple click, you can duplicate any enrollment profile. This feature is particularly useful for creating profiles with similar settings or for testing purposes. This enhancement not only saves time but also reduces the potential for errors that can occur when manually creating multiple profiles with similar configurations. We continue to refine our platform to ensure it meets the evolving needs of our users, making certificate management more efficient than ever.
Enhanced certificate renewal endpoints
In our latest enhancement to the IoT API, we've made the certificate renewal process even more accommodating by allowing the certificate ID to be optional during renewal requests.
Renewal using the certificate’s body:
Endpoint for IoT Trust Manager REST API:
https://one.digicert.com/iot/api-docs/index.html#/Certificates/renewBySerial
Feature: You can now renew a certificate by submitting the certificate_to_renew parameter in the request body. This parameter is mandatory and should contain the full certificate body of the certificate you want to renew.
Renewal using the certificate’s serial number:
Endpoint for IoT Trust Manager REST API: https://one.digicert.com/iot/api-docs/index.html#/Certificates/renewBySerial
Feature: This method allows for renewal of a certificate by its unique serial number. The process is streamlined as all parameters in the request body are optional, making it a quick and straightforward option for certificate renewal.
These updates are part of our commitment to provide a more versatile and user-friendly API experience. We understand the importance of flexibility in managing IoT certificates and strive to accommodate your varying preferences.
Certificate revocation using device ID
In our latest enhancement to the IoT API, we've made the certificate revocation process even more accommodating by allowing the certificate ID to be optional during revocation requests.
Endpoint for IoT Trust Manager REST API: https://one.digicert.com/iot/api-docs/index.html#/Devices%20(v2)/revokeDeviceCertificate_v2
Feature: This new endpoint empowers users to securely revoke the certificate associated with a specific device using its unique device ID.
Enhancements
Support for SMPB format for batch certificate generation
The batch certificate generation now includes support for the SMPB certificate format. This enhancement is part of our ongoing effort to expand the capabilities of our certificate management offerings to accommodate a wider range of industry standards.
APIs affected:
What's new?
SMPB format option: Users can now specify smpb as an option for the certificate_format parameter when requesting certificates. This addition caters to systems requiring this specific format.
Output format adaptation: In alignment with the new format support, our output has been adapted to produce a zip archive with an .smpb extension when the SMPB format is requested.
Output archive contents:
{job-id}.p7m - An encrypted zip containing certificates, private keys, and a summary file.
{job-id}.pem - The certificate utilized for the encryption process.
{job-id}.txt - A version file for reference.
Benefits
Extended compatibility: With the inclusion of SMPB format, you benefit from a broader range of certificate output options, ensuring compatibility with multi-platform environments and MPKI8 format requirements.
Secure packaging: The .smpb zip archive offers a secure method for the delivery of sensitive key material and associated files, ensuring integrity and confidentiality.
Streamlined process: This update provides a seamless and integrated experience for users who require the SMPB format, reducing the need for additional conversion tools or manual processes.
Fixes
Scrolling Issue on enrollment profile details page in Safari
We have addressed and resolved a scrolling issue on the Enrollment Profile Details Page when accessed via the Safari browser.
Issue details:
Problem: Users experienced an unintended return to a previously opened section after attempting to scroll up or down on the Enrollment Profile Details page.
Browser: This issue was specific to the Safari browser.
Resolution:
Update: With the latest fix, you can now smoothly scroll to the bottom of the Enrollment Profile Details page or navigate through different sections without the page snapping back to a previously viewed section.
November 1, 2023
New
Two-factor authentication (2FA) requirement
Starting November 1, 2023, at 18:00 MDT (November 2, 2023, at 00:00 UTC), we will require all DigiCert ONE accounts to use two-factor authentication (2FA).
You will use both your credentials and a one-time password to access your account. When you log in to your DigiCert ONE account on November 1, you will be prompted to set up two-factor authentication. If you have already enabled two-factor authentication in Account Manager before this date, no further action is necessary.
How to enable two-factor authentication in Account Manager.
Note
If you use single sign-on (SSO) to access your DigiCert ONE account, the new two-factor authentication requirement does not affect you. However, the requirement will activate if you modify your SSO settings.
October 12, 2023
DigiCert® ONE version: 1.6201.2 | IoT Manager: 1.531.0
Fixes
Handling of batch files for duplicate name
In prior versions, a bug was identified that impeded the retry mechanism when storing a portion of a batch file. This bug resulted in an exception being triggered, leading to the incomplete saving of certificates. This exception went unnoticed by users, who would only become aware of the issue when attempting to download the batch results. This issue has been successfully resolved in this release.
Handling of batch files for duplicate name
In the previous version, a bug was identified in which an additional carriage return was automatically inserted at the end of the string representing the PEM certificate. This anomaly occurred infrequently and was specific to certain scenarios, primarily contingent on the size of the PEM file. To be precise, it occurred only when the number of characters was exactly divisible by 64.
This issue has been rectified in the latest release, ensuring the accurate representation of PEM certificates without the extraneous carriage return.
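The divisible-by-64 condition described above is typical of an off-by-one in line wrapping. The following is an added example, not DigiCert's code: wrap_buggy is a constructed wrapper that reproduces this class of fault (using "\n" as the line break), wrap_correct is the fixed form, and pem_body_problems is a hypothetical check you can run over downloaded PEM files.

```python
import base64

LINE_WIDTH = 64
HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"

# Constructed sample inputs (not real certificates): 48 bytes encode to exactly
# 64 base64 characters, 50 bytes encode to 68.
SAMPLE_DIVISIBLE = bytes(range(48))
SAMPLE_NOT_DIVISIBLE = bytes(range(50))


def wrap_buggy(b64):
    """Constructed faulty wrapper: always appends a 'remainder' chunk."""
    full = len(b64) // LINE_WIDTH
    lines = [b64[i * LINE_WIDTH:(i + 1) * LINE_WIDTH] for i in range(full)]
    # When len(b64) is a multiple of 64 the remainder is "", which becomes
    # an extra line break before the END line.
    lines.append(b64[full * LINE_WIDTH:])
    return lines


def wrap_correct(b64):
    """Step through the string; no chunk is emitted when nothing is left."""
    return [b64[i:i + LINE_WIDTH] for i in range(0, len(b64), LINE_WIDTH)]


def to_pem(der, wrap):
    """Encode DER bytes as PEM text using the given wrapping function."""
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([HEADER] + wrap(b64) + [FOOTER]) + "\n"


def pem_body_problems(pem):
    """Return a list of layout problems found between the BEGIN and END lines."""
    lines = pem.replace("\r\n", "\n").rstrip("\n").split("\n")
    if len(lines) < 3 or lines[0] != HEADER or lines[-1] != FOOTER:
        return ["missing or malformed BEGIN/END lines"]
    body = lines[1:-1]
    problems = []
    for n, line in enumerate(body, start=1):
        if line.strip() == "":
            problems.append("blank line at body line %d" % n)
        elif len(line) > LINE_WIDTH:
            problems.append("body line %d longer than %d" % (n, LINE_WIDTH))
        elif n < len(body) and len(line) != LINE_WIDTH:
            problems.append("short body line %d before the last line" % n)
    return problems


if __name__ == "__main__":
    for name, der in (("divisible", SAMPLE_DIVISIBLE),
                      ("not divisible", SAMPLE_NOT_DIVISIBLE)):
        print(name, "buggy:", pem_body_problems(to_pem(der, wrap_buggy)))
        print(name, "fixed:", pem_body_problems(to_pem(der, wrap_correct)))
```

Strict PEM parsers on constrained devices may reject the blank line, so a check like this is worth running on batch output produced before the fix.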
October 4, 2023
DigiCert® ONE version: 1.6201.1 | IoT Trust Manager: 1.528.0
New
Improved batch flow
A new and improved batch workflow has been introduced, offering enhanced flexibility and efficiency for you. Here's what's new:
Opt-in banner
You now have the option to opt-in to the new and improved batch workflow. This option will be presented to you in two sections:
Editing an existing enrollment profile
When editing an existing enrollment profile, you will encounter a banner inviting you to opt into the new batch workflow. By choosing to opt in, you can take advantage of the improved features.
Requesting a new batch certificate via the portal
When you request a new batch certificate through the portal, a similar banner appears, allowing you to opt into the new workflow.
A new API endpoint has been exposed to enable users to switch this opt-in flag on programmatically.
Users who prefer not to opt in to the new workflow continue to use the existing workflow. However, please note that all new enrollment profiles created will automatically be opted in for the new batch workflow.
The new and improved workflow offers several benefits:
Batch approvals: Users can opt in for batch approvals by using the certificate approvals feature in the enrollment profile section. Conversely, clients may opt out by unselecting the certificate approval checkbox.
Approver email: Clients can now enter the email addresses of approvers for batch certificates within the certificate approvals section. Approvers will receive email notifications when a batch certificate request requires their approval.
No approval mechanism: For situations where no approval mechanism is needed for batch certificates, users have the option of not selecting the certificate approval checkbox.
These enhancements streamline your workflow and improve your experience with the platform.
In the previous workflow, users were able to preview batch workflow results before obtaining approval. However, with this update, batch results will now be accessible exclusively after the batch has been generated and approved. This adjustment means that you no longer have the option to view batch results before the final approval process. Instead, batch results become available once the batch has been successfully generated and has received the necessary approval.
Note
We strongly recommend that all users migrate to the new workflow, as the existing workflow will be deprecated in the December release.
API Request builder—Divisions
With this update, we have added a dedicated section that helps you effortlessly replicate API calls related to device management. Click an existing division entry to navigate to the section to view the details and edit the page.
Create division
Update division
Enable division
Disable division
Delete division
Undelete division
In this integrated section, you will find all the information you need to perform these API functions. This includes clear documentation on the required payloads and endpoints, ensuring that you can quickly and confidently execute these actions via our APIs.
We believe that this enhancement will greatly expedite your workflow, providing a convenient reference point for managing devices programmatically.
API Request builder—Certificate profile
With this update, we have added a dedicated section that empowers you to effortlessly replicate API calls related to certificate profile creation and updates. Click existing certificate profile entries to navigate to this section to view the details or edit the page. You can then navigate to it using the jump bar on the right.
Create certificate profile
Update certificate profile
Disable certificate profile
Enable certificate profile
Delete certificate profile
Undelete certificate profile
Assign divisions to certificate profile
Remove divisions from certificate profile
In this integrated section, you will find all the information you need to perform these API functions. This includes clear documentation on the required payloads and endpoints, to make sure that you can quickly and confidently execute these actions via our APIs.
We believe that this enhancement will greatly expedite your workflow, providing a convenient reference point for managing devices programmatically.
Batch results log file now available in JSON format
In previous versions, the batch results could only be downloaded in a CSV format. The result log file provides information about success and failure of the issuance of certificates requested in the batch. To increase interoperability we now allow for the batch response to be returned in a JSON format. This assists users who invoke the batch results programmatically.
Enhancements
Ability to filter ACME credentials by enrollment profile
In prior versions of the IoT Trust Portal, users did not have the capability to filter credentials by enrollment profile. With this update, this functionality has been integrated into the system.
Now, within the ACME credentials section, you can easily filter credentials based on specific enrollment profiles. This improvement simplifies the management and retrieval of credentials associated with particular enrollment profiles, enhancing your overall experience and efficiency within the portal.
Digital signing now available for EJBCA and CertCentral Connectors
Previously, the digital signing of batch certificates was limited to enrollment profiles using the DigiCert CA Connector exclusively. This has been expanded to include both the EJBCA and CertCentral connectors.
With this update, users leveraging the EJBCA and CertCentral connectors now have the capability to digitally sign their batch certificates. This added flexibility allows you to align your digital signing preferences with your choice of CA Connector, providing greater versatility and control over your certificate management processes.
Enrollment Profile validation now allows for IP Address ranges
Previously, IoT allowed users to add individual IP addresses for validation in enrollment profiles. To provide more robust functionality, we have optimized this feature to now support the addition of IP address ranges. Importantly, individual IP address validation is still fully supported.
With this update, you now have the flexibility to specify IP address ranges, offering greater convenience and efficiency in IP address management within your enrollment profiles. This enhancement not only streamlines the process but also accommodates a wider range of network configurations.
To illustrate, here are examples of supported IP address ranges:
190-200.160-170.50-100.100-200
192...
192.168.2*., 192.168.40-60.10-100, 192.1.55.100-200
Endpoints affected:
https://one.digicert.com/iot/api-docs/index.html#/Enrollment%20profiles/createEnrollmentProfile
https://one.digicert.com/iot/api-docs/index.html#/Enrollment%20profiles/updateEnrollmentProfile
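To review how broad a per-octet range entry is before saving it to an enrollment profile, the added example below (not DigiCert's implementation) parses the dash-range syntax shown above, counts the addresses each entry admits, and tests a client IP against a list. The function names are hypothetical, the matching semantics are an assumption based on the listed examples, and wildcard entries are rejected because their syntax is not fully shown on this page.

```python
import ipaddress
import re

# One octet: a number, or a "low-high" range (ASCII digits only).
_OCTET = re.compile(r"(\d{1,3})(?:-(\d{1,3}))?", re.ASCII)


def parse_pattern(pattern):
    """Parse 'a-b.c.d-e.f' into four (low, high) tuples; fail closed on anything else."""
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError("expected 4 octets: %r" % pattern)
    ranges = []
    for part in parts:
        m = _OCTET.fullmatch(part)
        if m is None:
            # Wildcards and any other syntax are deliberately not guessed at.
            raise ValueError("unsupported octet %r in %r" % (part, pattern))
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError("octet range out of order or out of bounds: %r" % part)
        ranges.append((lo, hi))
    return ranges


def pattern_size(pattern):
    """Number of IPv4 addresses an entry admits (product of the octet spans)."""
    size = 1
    for lo, hi in parse_pattern(pattern):
        size *= hi - lo + 1
    return size


def ip_allowed(ip, patterns):
    """True if the IPv4 address falls inside at least one entry."""
    try:
        octets = ipaddress.IPv4Address(ip).packed  # four integers 0..255
    except ValueError:
        return False  # not a valid IPv4 address: deny
    for pattern in patterns:
        ranges = parse_pattern(pattern)
        if all(lo <= o <= hi for o, (lo, hi) in zip(octets, ranges)):
            return True
    return False


if __name__ == "__main__":
    # Entries taken from the examples listed above.
    entries = ["190-200.160-170.50-100.100-200",
               "192.168.40-60.10-100",
               "192.1.55.100-200"]
    for entry in entries:
        print("%-34s admits %d addresses" % (entry, pattern_size(entry)))
    # Constructed client addresses.
    for client in ("192.168.50.10", "192.168.61.10", "192.1.55.201"):
        print(client, "allowed" if ip_allowed(client, entries) else "denied")
```

Note that each octet is ranged independently, so a single entry such as the first one above admits several hundred thousand addresses that do not form one contiguous block.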
Approve and Reject buttons on Request detail page updated
In the previous design, the "approve" and "reject" actions were represented by checkmark and cross symbols. While these icons are commonly used for approval and rejection, we recognized that they could be unclear to some users.
To address this, we have replaced the icons with explicit wording. Now, you will see "Approve" and "Reject" buttons instead of symbols, ensuring greater clarity and leaving no room for confusion during the approval process.
This change simplifies the user interface and aligns with best practices for usability and accessibility.
September 20, 2023
DigiCert® ONE version: 1.6074.7 | IoT Trust Manager: 1.515.0
Fixes
Server side key generation using MAC addresses
In a previous release, a bug was identified in the enrollment profile selection process when utilizing server-side key generation. Specifically, when users attempted to generate a batch using MAC address generation in conjunction with certain enrollment profiles, an error occurred, preventing the intended operation from being completed successfully.
This bug has been resolved in the current release. Users can now select enrollment profiles with server-side key generation and proceed with MAC address generation without encountering this error.
September 13, 2023
DigiCert® ONE version: 1.6074.4 | IoT Trust Manager: 1.514.0
Fixes
Subject directory extraction
Fixed an issue where the subject directory was not being correctly extracted from CSR submissions, potentially leading to an incomplete certificate being generated. This now functions as expected.
September 6, 2023
DigiCert® ONE version: 1.6074.1 | IoT Trust Manager: 1.513.0
New
Improved batch workflow
A new batch workflow offers enhanced flexibility and efficiency for our users. Here's what's new:
Opt-In banner
Users now have the option to opt in to the new batch workflow. This option will be presented to users in two sections:
When editing an existing enrollment profile, users will encounter a banner inviting them to opt into the new batch workflow.
Users requesting a new batch certificate through the portal will see a similar banner, allowing them to opt into the new workflow.
New API endpoint
A new API endpoint has been exposed to enable users to switch this opt-in flag on programmatically.
Opt-out option
Users who prefer not to opt in to the new workflow will continue to use the existing workflow. However, all new enrollment profiles will automatically be opted in for the new batch workflow.
New features
The improved workflow offers several benefits:
Batch approvals: Users can opt in for batch approvals by selecting the 'certificate approvals' feature in the enrollment profile section. Clients may opt out by unselecting the 'certificate approval' checkbox.
Approver email: Clients can now enter the email addresses of approvers for batch certificates within the certificate approvals section. Approvers will receive email notifications when a batch certificate request requires their approval.
No approval mechanism: For situations where no approval mechanism is needed for batch certificates, users have the option of not selecting the certificate approval checkbox.
These enhancements will streamline workflows and improve user experience with the platform.
Note
DigiCert recommends that all users migrate to the new workflow, as the existing workflow will be deprecated in the December release.
API request builder - devices
A button at the top right corner of the Devices table will generate the API request to replicate the table's current view, including all applied filters, date settings, column headers, and data sorting.
This integration empowers users to seamlessly extract data from the table and integrate it into their workflows or applications using the provided API request.
API Request builder - divisions
A button at the top right corner of the Divisions table will generate the API request to replicate the table's current view, including all applied filters, date settings, column headers, and data sorting.
This integration empowers users to seamlessly extract data from the table and integrate it into their workflows or applications using the provided API request.
Enhancements
SEC1 Private key for batch requests
Support has now been added for the SEC1 private key format via the batch API. This includes updates to the following APIs (see links for details):
Added an additional parameter private_key_syntax with the following options:
SEC1_OR_PKCS1 - used when clients would like to return the private key with SEC1 encoding as in OpenSSL. PKCS1 is primarily applicable to RSA keys, while SEC1 could be used for both RSA and ECC keys.
PKCS8 - returns encoded private key wrapped with PKCS8.
Also added this option to the private_key_option parameter:
DER - the binary encoding methods for data (excludes the header and footers).
End entity certificates and Intermediate CA merged into a single page
We have integrated the End Entity Certificates and Intermediate CA pages into a single, unified view. Here's what's new:
Streamlined navigation: Previously, you had to navigate between two separate pages to manage end entity certificates and intermediate CAs. With this update, all certificate management tasks can be performed from a single page.
Enhanced usability: The unified page offers an improved user interface, making it easier to view and manage both end entity certificates and intermediate CAs. You'll find a more intuitive layout and streamlined controls for a smoother user experience.
Single point of access: Users no longer need to switch between different sections to perform actions on end entity certificates or intermediate CAs. All functionalities are now available from one central location.
This consolidation simplifies certificate management, reduces the time spent navigating between pages, and provides a more cohesive user experience.
Batch requests now allow unzipped CSV uploads
Starting with this release, users can now upload both zipped and unzipped CSV files for batch requests.
ACME credentials page update
We have updated the user interface for the ACME credentials page. Here's what's new:
Unified view: The page has undergone a complete makeover, offering a more intuitive and streamlined user experience.
Details page enhancements: This page now has two sections:
Key details: This section provides a quick overview of essential ACME credential information.
Enrollment profiles: Manage enrollment profiles associated with the ACME credential.
Copy ID functionality: On the Enrollment Profile Details page, we've added a 'Copy ID' feature, allowing you to copy the ID for your use.
Action buttons and jump navigation: Action buttons have been strategically placed on the right side of the Details page, along with jump navigation for easy access to various actions.
Enhanced management capabilities: With this update, you can now:
Allocate an ACME credential to one or more enrollment profiles.
Specify usage limitations to ensure your ACME credential is used as intended.
Add start and end dates to control the validity period of your credential.
Define registered values as needed.
Fixes
Aligned endpoints with Swagger documentation
This fix applies to endpoints for unassigning divisions and retrieving batch jobs.
Authentication certificates table
This page is now able to load more than 100 certificates.
August 16, 2023
DigiCert® ONE version: 1.5874.6 | IoT Trust Manager: 1.504.0
Enhancements
Support plans
On August 15, 2023, DigiCert upgraded our support plans to provide a better, more customizable experience. These improved plans are scalable and backed by our technical experts to ensure your success.
New plans:
Standard support (free)
Business support (mid-level)
Premium support (highest-level)
For more details about what these plans include, see the DigiCert Support Plans and DigiCert Support: Enabling Your Success.
How does this affect me?
To show our appreciation, DigiCert has upgraded all existing customers to either Business or Premium support plans for a limited time at no additional charge. See our August 15 change log entry.
How the limited-time upgrade works:
Platinum support plans are upgraded to Premium support for the duration of the contract.
Gold or Platinum-Lite support plans will be upgraded to Premium support for the duration of your contract.
Included (non-paid) DigiCert support will be upgraded to Business support for up to one year.
August 2, 2023
DigiCert® ONE version: 1.5874.1 | IoT Trust Manager: 1.503.0
New
Digital signing of batch certificate requests
Users now have the option to digitally sign both batch ZIP files (PEM and DER) as well as JSON files. Users may select/unselect this option upon enrollment profile creation or edit. If a user opts in to digital signing, a dropdown offers a list of DigiCert ONE CAs associated with the account from which the digital signing certificate would be issued. DigiCert creates and manages the digital signing certificate created; however, users are given the option to regenerate a digital signing certificate.
Enhancements
Batch Job ID column now added to end-entity certificates table
The certificate table now contains an additional column, Batch Job ID. Users may filter the certificates by the batch job ID. The value will not be populated unless the certificate was generated via batch. Reports pertaining to certificates will now also include the Batch Job ID, if selected.
End-entity and Intermediate certificates tabs combined
The End Entity Certificates tab and Intermediate CAs tab will be combined into a single tab labeled Certificates. A filter on the field certificate type may be used to distinguish between the Intermediate or end-entity certificates.
Enrollment profile tables updated to new design
The Authentication CA Templates, Authentication certificates, Source fields and Manage Passcodes sections displayed in the enrollment profile details page now reflect an updated table design. The file uploader of the Source fields section has also been updated to a new, friendlier option.
Certificate type added to batch job details
The API endpoint to get certificate import details (get_import_job_details) now includes the certificate type field. The value of certificate_type would contain either:
End entity
Intermediate
JSON support added to certificate profile and certificate request
Upon performing the following actions on the certificate profile:
Create
Edit
Clone
When a certificate profile field is of type JSON, a JSON editor will now be rendered, allowing users to easily edit values. Similarly, for JSON fields on the Request details page, a JSON editor will now be used to display the values.
July 24, 2023
DigiCert® ONE version: 1.5658.3 | IoT Trust Manager: 1.498.0
New
SEC1/SECG DER encoding of the private key
Customers are now able to encode their private key in SEC1 format, in alignment with encoding done by OpenSSL, which generates a shorter length key.
An update to the following APIs (see links for details):
Added an additional parameter private_key_syntax with the following options:
SEC1_OR_PKCS1 - used when clients would like to return the private key with SEC1 encoding as in OpenSSL. PKCS1 is primarily applicable to RSA keys, while SEC1 could be used for both RSA and ECC keys.
PKCS8 - returns encoded private key wrapped with PKCS8.
An additional option has been added to the private_key_option parameter:
DER - the binary encoding methods for data (excludes the header and footers)
July 12, 2023
DigiCert® ONE version: 1.5658.1 | IoT Trust Manager: 1.497.0
Enhancements
Ability to parse certificate policy data from a CSR
Customers can now read and extract the certificate policy from the CSR. When creating a certificate template, a user should include Request as a source in their certificate policy JSON configuration. When this is included, a new checkbox will appear under the Certificate template card, allowing users to obtain the certificate policy value from the CSR.
Fixes
Authentication certificate section within enrollment profile
Fixed an issue where sorting and filtering of authentication certificates (under the enrollment profile details page) were not working. Also, the new authentication certificates section now includes a link to a details page, allowing customers to manage their authentication certificates directly (not via enrollment profile details page).
July 5, 2023
DigiCert® ONE version: 1.5658.0 | IoT Trust Manager: 1.494.0
New
API request builder - Issuing CAs
A new button on the Issuing CA table lets customers execute an API call which leads to the same output as shown on the table. A new button is available in the top right corner of the table. Selecting this button allows users to apply filters, dates, and headers, as well as sort data.
API request builder - Device search
A new button on the Devices table lets customers execute an API call which leads to the same output as shown on the table. Selecting this button allows users to apply filters, dates, and headers, as well as sort data.
API request builder - Audit logs
A new button on the audit log table lets customers execute an API call which leads to the same output as shown on the table. Selecting this button allows users to apply filters, dates, and headers as well as sort data.
API request builder - Enrollment passcodes
A new button on the enrollment passcode table lets customers execute an API call which leads to the same output as shown on the table. Selecting this button allows users to apply filters, dates, and headers, as well as sort data.
Enhancements
Batch performance improvements
Customers will see an improvement in batch performance. The improvements will be more evident in batch sizes of more than 20,000 records. These improvements lead to more linear growth in time as batch size increases.
JSON type support added to certificate profile
The certificate profile creator now includes a JSON editor for fields of type JSON. Customers are now able to edit their JSON data.
June 21, 2023
DigiCert® ONE version: 1.5428.7 | IoT Trust Manager: 1.485.0
Fixes
Download button greyed out after clicking
Previously, when downloading a batch file, the download button was not greyed out, causing users to click on this button multiple times. The button is now greyed out and the user sees a visual reminder that the download is in progress.
June 7, 2023
DigiCert® ONE version: 1.5428.1 | IoT Trust Manager: 1.477.0
New
EJBCA Connector
DigiCert® IoT Trust Manager has now integrated the EJBCA APIs. This allows users of IoT Trust Manager to enjoy the same ease when using the IoT Trust Manager APIs to manage other CAs. IoT Trust Manager offers both single certificate issuance as well as batch from both API and platform.
Enhancements
Batch JSON format
For batch certificate enrollment jobs using server-side key generation, you have an additional download format: JSON. When your job completes, you can download a JSON formatted file that contains a list of certificates and their encrypted private keys. This option is available from both API and platform.
Batch using cached, symmetric key
From the enrollment profile configuration, you can use the same AES key for a period of time to encrypt PKCS7 certificates. This option currently only applies to the JSON format batch download. It is available from both API and platform.
Fixes
Renewed or revoked certificates removed from alerting reports
Certificates that have been renewed and revoked no longer show on alert reports for expiration.
May 3, 2023
DigiCert® ONE version: 1.5118.1 | IoT Trust Manager: 1.436.0
New
Support for any certificate extension
DigiCert® IoT Trust Manager now supports a new set of rules in a format that describes attributes of a certificate template. This defines the policies and rules that a CA uses when a request for a certificate is received. These may not necessarily be in the traditional X509 format, but do give you flexibility in the format of certificates that you receive from the DigiCert Certificate Authority.
Option to require both a valid passcode and a valid authentication certificate
You have access to an additional authentication mechanism, which allows the option of using both a passcode and an authentication certificate. This offers an additional layer of security for those who require it.
Enhancements
Batch CSV support for client-side key generation
When generating client-side key generation batch requests, you can submit a zipped CSV file with a specified template. The template will be available for download from both API and the platform.
Fixes
Remove possibility to create new or delete or disable existing divisions for users limited by division
For users limited by divisions, we now prohibit the following functionality:
the ability to create new divisions
the ability to change status of division
April 5, 2023
DigiCert® ONE version: 1.4957.1 | IoT Trust Manager: 1.426.0
New
Symmetrical AES encryption
You now have the option to use the same symmetric AES key when decrypting (PKCS7) certificate responses. This option is available from both API and the platform. This feature enables clients to operate more efficiently by being less reliant on an HSM for decryption: you only have to decrypt one key on an HSM. Afterwards, you can work in a higher-performance and more cost-efficient manner, while maintaining strong end-to-end data encryption.
Support revocation for GlobalPlatform certificates
You can now revoke GlobalPlatform certificates via API or the platform. This allows customers to follow a workflow similar to the one currently available for X509 certificates.
Enhancements
Certificate approval workflow
You now have the option to create an enrollment profile with an additional option, which allows the issuance of a certificate only with approval from a specified user. The user or list of users who can approve the issuing of this certificate are defined in the enrollment profile. By default, the enrollment profile does not require approval, unless specified.
In the case where approval is not required, certificates will automatically move to an Auto approved state. If approval is required, the certificate request will be in Pending approval status until approved by an entrusted approver. A user can go to the request tab to view a table of certificate requests. These will include those that have been auto-approved and those that are pending approval.
This option is available via both API and the platform.
API request builder for certificate requests
You may now easily view the correct way to structure and execute API calls. The portal offers a friendly user interface that maps out the blueprint for APIs. The structure is comprehensible for both developers and non-developers. The API request builder generates interactive and easily testable calls.
March 9, 2023
DigiCert® version: 1.4803.0 | IoT Trust Manager: 1.415.0
Enhancements
Batch requests using API now support .csv file containing CSRs
With this improvement, an API user can start a batch certificate request using a comma-separated values file (.csv) containing Certificate Signing Requests (CSRs).
API endpoint to search for enrollment passwords and enrollment authentication certificates
Added external API endpoints to search for enrollment passwords and enrollment authentication certificates.
Added certificate policy filter to the end entity certificates table
Users can now apply a filter on the end entity certificates table for certificate policy.
External APIs to manage OCSP groups
Online Certificate Status Protocol (OCSP) groups can be added, edited, and deleted through API endpoints. There is also an API endpoint for searching through OCSP groups.
Fixes
Applied filters with long column names are truncated
Fixed an issue that truncated column names when a filter is applied. The full filter is now visible.
Report status not updated after a report is run
Fixed an issue where report status was not updating after a report was run. It now displays as expected.
Disabled/deleted authentication CA templates should not be allowed for authentication
Fixed an issue that allowed enrollment with an authentication certificate even after the corresponding authentication CA template was disabled or deleted in the enrollment profile. Now deleting or disabling the authentication CA template in an enrollment profile will also prevent the authentication certificates from being used for certificate enrollment.
Report creation for the certificates table fails when a filter on enrollment profile is applied to the table
Fixed an issue that blocked report generation when a user applied a filter to the enrollment profile table. Report generation now runs as expected.
March 8, 2023
DigiCert® ONE version: 1.4803.0 | IoT Trust Manager: 1.415.0
New
DigiCert Gateway
Enterprise customers who have devices (such as routers, switches, etc.) that require certificates to be issued from a DigiCert ONE platform account, but do not have internet connectivity, can now use the DigiCert Gateway to do so. These devices and clients use SCEP/EST/CMPv2 protocols for requesting certificates. The gateway is a standalone application deployed as a JAR.
Gateway offers:
Supported protocols
CMPv2 (first priority)
EST (first priority)
SCEP
ACME
Gateway to DC1 connection supported credentials
API token
Client authentication certificate
Enrollment profile credentials (passcode and client authentication certificate)
February 23, 2023
DigiCert® version: 1.4672.6 | IoT Trust Manager: 1.407.0
Fixes
Error uploading authentication CA
In Enrollment profiles under Authentication credentials, there was an issue that prevented CA certificates with the certificate policy extension from being uploaded to authentication CA templates.
Error Message: “Authentication CA(s) parsing was failed.”
We now support CA certificates that contain the certificate policy extension.
February 8, 2023
New
DigiCert Gateway
The DigiCert Gateway helps in use cases where devices behind a firewall are not allowed direct outbound access to IoT Trust Manager in the cloud. Using the DigiCert Gateway, devices can make certificate requests using EST, SCEP, CMPv2, and REST APIs. In this way, the device only needs to be granted access to make certificate requests to the DigiCert Gateway service running within the network; the DigiCert Gateway handles passing the certificate request outside the network.
This release includes a DigiCert Gateway on-prem standalone service, which can be run in a Java runtime environment or a Docker container. A DigiCert Gateway configuration/registration step must take place within IoT Trust Manager before an instance of the DigiCert Gateway can be started and allowed to connect to IoT Trust Manager.
Two new user permissions have been added to IoT Trust Manager: Manager DigiCert Gateway and View DigiCert Gateway.
IoT Device Manager is changing its name to IoT Trust Manager
IoT Device Manager has been renamed to IoT Trust Manager. This name change did not create any changes to processes, workflows or features and none of the APIs or page URLs were changed due to this name change.
Enhancements
Create Device and Edit Device pages—Updated the design
Updated the create device page and the edit device page with a new look. There were no functional changes to the pages.
End Entity Certificates Page—Added the Enrollment Profile column
Added Enrollment Profile to the list of additional columns to select from on the end entity certificates page.
Fixes
Enrollment Profiles table is empty on Authentication CA details page
Fixed an issue where enrollment profiles using an authentication CA were not showing in the enrollment profiles table on the authentication CA details page.