Document Trust Manager

Fixed an issue on the delegated RA validation approval page where organization country, locality and state were sent to the backend if “restrict data” feature was enabled.

SealSign 2.0 Client version 1.0.11 released, featuring the ability to notify users by email to authorize signing request from SealSign 2.0. If feature is enabled, users can use the link in the email to initiate Go>Sign push notification.

Added support for signatures with “adbe.pkcs7.detached” subfilter.

Added filtering by certificate validity start and end dates to credential list.

Fixed default credential nickname creation after validation approval to remove first and last names of the user. New credential nicknames now use the format: <ProfileName>_timestamp/<productname>_timestamp.

Linked nickname with validation profile on the updated signup links page to simplify account administrator experience.

Released new version of true-Sign V Client (4.1.0). The new version supports WebView2.

Released new version of SealSign 2.0 Client (1.0.10). The new version introduces new enhancements:

Added “Hashes” field to the audit log details page.

Fixed the signer onboarding flow to display rejected validation status screen.

Released SealSign 2.0 Client version 1.0.9 featuring support for bulk signing up to 200 files simultaneously.

Added functionality to deduct correct number of signing units from license when multiple hashes are signed at once. If 100 hashes are passed in CSC signatures/signHash API, then a 100 signing units will be deducted from license.

Released eIDAS and ZertES compliant PDF signing service. The service lets you apply one or more digital signatures to PDF documents using DigiCert​​®​​ Document Trust Manager APIs.

Added horizontal scroll and sticky column to listing screens.

Released SealSign 2.0 Client (1.0.8). This version introduces the following features:

Added feature flag to restrict RA data sent in POST approve validation API.

If feature flag is enabled, identification_document, title, partner_id, profession_validation_date, organization_identifier, organization_country, organization_state, organization_locality cannot be passed.

Example:

{
  "account": {
    "id": "account_id"
  },
  "contact_data": {
    "mobile_phone": "+1234567890",
    "email": "string"
  },
  "user_data": {
    "first_name": "string",
    "last_name": "string",
    "nationality": "string",
    "ident_language": "en-US",
    "organization": "string",
    "organization_uuid": "organization_uuid"
  }
}

Released new version of true-Sign V Client (4.0.11). The new version introduces new enhancements:

Added functionality to display Create Validation button only if active basic validation profiles or delegated RA validation profiles are present in the account.

Added client credential authentication mode support in Enhance hash (/hashes) and Enhance signatures (/signatures) APIs.

User ID will now be used as serial number in certificates issued using ADSS profiles.

SealSign 2.0 Client version 1.0.7 released, featuring:

Starting November 1, 2023, at 18:00 MDT (November 2, 2023, at 00:00 UTC), we will require all DigiCert ONE accounts to use two-factor authentication (2FA).

You will use both your credentials and a one-time password to access your account. When you log in to your DigiCert ONE account on November 1, you will be prompted to set up two-factor authentication. If you have already enabled two-factor authentication in Account Manager before this date, no further action is necessary.

How to enable two-factor authentication in Account Manager.

Added authentication to all endpoints except CSC/info on Swagger UI page.

Fixed audit logs display.

Fixed username display on credential details screen.

Fixed issue that was appearing in credential details screen when the user's credential was expired and the user's keypair was deleted in the signing engine.

Document Trust Manager now notifies the validation team when the vendor rejects a validation.

This update also adds a field to provide a note/reason when cancelling a validation. This is an optional field and doesn’t affect the existing cancellation API. Examples:

PUT {base_url}/documentmanager/api/v1/validation/{validation_id}/cancel
{
  "reason": "<Reason>"
}

GET {base_url}/api/v1/validation/{validation_id}?account_id={account_id}
{
  "cancelation_reason": "<Reason>"  <-- Will be returned if available
}

Document Trust Manager now supports the new version of true-Sign V, with a version number of 4.0.10.

The creator of an SEP link will now be notified 30 days in advance of the link expiry.

On August 15, 2023, DigiCert upgraded our support plans to provide a better, more customizable experience. These improved plans are scalable and backed by our technical experts to ensure your success.

New plans:

For more details about what these plans include, see the DigiCert Support Plans and DigiCert Support: Enabling Your Success.

How does this affect me?

To show our appreciation, DigiCert has upgraded all existing customers to either Business or Premium support plans for a limited time at no additional charge. See our August 15 change log entry.

How the limited-time upgrade works:

This feature allows updates of vetting data (such as contact details) for approved validations during validation approval or update. On creation of new credentials or recurring credentials sync, user contact data will be updated in the signing engine and associated user table if it was changed through Account Manager.

Fixed an error that was causing unexpected behavior when a nickname or product name was changed in a validation profile that had no remote identity provider set or was flagged with the organization_details_required policy. These changes now produce expected behavior.

Added functionality to allow updates of specific parameters on a validation profile that has in-progress validations.

In the Credential list API, two new keys will be returned: cert_valid_from and cert_valid_to. Example:

GET {base_url}/documentmanager/api/v1/credentials/list

{
   "total":1,
   "offset":0,
   "limit":10,
   "credentials":[
      {
         "created_by":"5151097b-bf37-406c-97a0-628f408b2b93",
         "modified_on":"2023-02-20T05:21:02Z",
         "modified_by":"5151097b-bf37-406c-97a0-628f408b2b93",
         "created_on":"2023-02-20T05:21:02Z",
         "credential_id":"{{credential_id}}",
         "label":"mm",
         "key_algorithm":"{{key_algorithm}}",
         "key_size":"{{key_size}}",
         "status":"active",
         "profile_id":"{{profile_id}}",
         "user_id":"{{user_id}}",
         "engine_user_id":"9999-9999-5619-2854",
         "cert_valid_from": "2023-08-01T00:00:00Z", <-- Newly added, will be returned only if available
         "cert_valid_to": "2023-07-01T23:59:59Z", <-- Newly added, will be returned only if available
         "standard":""
      }
   ]
}

Also updated the error message if the sort value is invalid on any of the listing APIs, such as validation/list.

Cloning of system-level validation profiles now works properly when the “organization details required” policy is enabled.

Credential profile now displays on “create credential” page from account-level validation profiles.

Added enhancements to support large field form IDnow validation, including high-resolution video and pictures.

Fixed display of dates in emails for French language.

Added the ability to disable or enable validation profiles when there is an active self-enrollment link or a validation in progress.

Added ability to update validations (product type and nickname fields) while the validation is in progress or self-enrollment link is active.

Improved framework to filter by list values in http query request. Improved validation filtering by a comma-separated list of statuses and validation profile id.

Added restrictions to stop creation of validation in specific scenarios (where T&C is enabled, or where identity verification and credential creation methods are remote).

Added redirect_account_Id param to validation details URL to help approvers with flow for onboarding users manually.

Updated True-Sign V (third-party signing app) to version 4.0.9.

Enhanced EU nationality usage for AutoIdent AATL and VideoIdent AATL.

The authType oauth2client is returned in csc/info response for CH and EU regions only.

Fixed Audit log API issue where system users were seeing audit log records that were not theirs to view.

Updated text on update mobile, email, and QR modal on Credential listing page to alert signers to incoming text from Go>Sign (third-party identity verification app).

SealSign 2.0 Client improvements now supports proxy servers. Newly introduced profiles support multiple configurations of servers, input/output folder, credentials, etc.

Updated client credential flow in Swagger documentation.

Added “bulk id” and “onboarding type” columns and filtering for them on validation listing screen. Added new AutoIdent AATL and VideoIdent AATL remote validation providers.

Audit logs now show the user’s name on the audit logs detail page if the user created an audit log.

Fixed app names on verify identity page (IDnow Online Ident). Updated migration banner text to “Reissue these credentials.“

Added FDQN host in Swagger UI to support all DigiCert environments.

Enhanced bulk onboarding flow for retail customers:

Minor enhancements to API documentation:

Updated banner content on dashboard for migrating customers.

Fixed duplicate validation count in the validation-usage widget on dashboard screen for remote_manual validation.

Fixed “Invalid Certificate Profile” error on validation approval page (validation without create credential policy).

Fixed migration job failure if user credentials are revoked by the vendor.

Fixed error in servers selection dropdown menu on Swagger UI documentation page.

Fixed issue where credential creation would fail from invalid log message length after validation approval.

Fixed issue where Multisign value of ADSS credentials were not being fetched as intended.

Bulk onboarding now supported for retail and enterprise accounts.

Changed UI text for validation_error to credential_creation_error.

Added support for system scope users to create and manage SEP links.

Added audit logs for user/credential creation during the create validation flow.

For email notification, added translation of email subjects.

Added seconds and milliseconds to credential name in the first credential creation.

Added ability to select default onboarding credential profile for default validation profile.

Updated the Extended validation profile API responses to contain the onboarding credential profile field. This enables multiple credential creation after validation approval.

Recent API changes:

[GET] /validation-profile/{id}
[GET] /validation-profile
[PUT] /validation-profile/{id}/enable
[PUT] /validation-profile/{id}/disable

RESPONSE:
{
 ...
   credential_profile_ids : [] <- newly added
  ...
}

[POST] /enrollment-link
[PUT] /enrollment-link/{id}
[GET] /enrollment-link/{id}
[GET] /enrollment-link
[PUT] /enrollment-link/{id}/enable
[PUT] /enrollment-link/{id}/disable

RESPONSE:
{
 ...
   credential_profile_ids : ['String'] <- newly added
  ...
}

[GET] /ui-api/enrollment-link/{id}

RESPONSE:
{
 ...
   certificates :         <--- added
      [                 
          {
              subject_dn : String,
              validity : String,
              certificate_Profile_id : String
          }
      ]
  ...
}

[GET] /validation/user/{userId}

RESPONSE:
{
   ...
   validation_list: [
      {
          ...
          credential_profile_ids : ['String'] <- newly added
          certificates :         <--- newly added
                [                 
                    {
                        subject_dn : String,
                        validity : String,
                        certificate_Profile_id : String
                    }
                ],
          ...
       }
   ]
   ...
}

[GET] /validation/{validationId}
[POST] /validation
[PUT] /validation/{validationId}/revalidate
[PUT] /validation/{validationId}/reSendEmail
[PUT] /validation/{validationId}/approve
[PUT] /validation/{validationId}/reject
[PUT] /validation/{validationId}/cancel
[PUT] /validation/{validationId}/disable
[PUT] /validation/{validationId}/enable
[PUT] /validation/{validationId}/invalidate
[PUT] /validation/{validationId}/reject-selfenrolled-user
[PUT] /validation/{validationId}/approve-organization
[PUT] /validation/{validationId}/reject-organization
RESPONSE:
{
 ...
   credential_profile_ids : ['String'] <- newly added
  ...
}

Document Trust Manager now allows enabling or disabling CertCentral products.

New self-enrollment onboarding flow where signer can be onboarded with one of the enabled products. CertCentral products currently supported from DTM include:

SealSign 2.0 client released for Linux.

Added support for German language in email and Document Trust Manager UI. Also fixed language translations in Self Enrollment Portal.

Fixed an issue where the common name (CN) field doesn't get auto populated for DC1 users when title field is present.

Fixed Create validation page to show system level and account level profiles for system user. Also, users can now create a validation profile without a credential profile.

Create credential and Create validation pages work only with account-level credential and validation profiles for account users.

Updated true-Sign V 64-bit to include legacy keyon functionality.

Fixed access issues with CSC API having account ID in the URL.

Added feature flag feature.unique.global.credential.id.enabled to ensure that returned credential IDs are unique in the csc/credential/list API. When enabled, Document Trust Manager returns unique credential IDs in <existing-credential-id>_<friendly-identifier> format.

Released new version of SealSign 2.0 Client (1.0.4). The new version introduces new enhancements:

Updated validation profile creation page to display only eSeal credential profile when "Organization details required" policy is enabled.

Added missing expiry dates for all approved validations in validation listing page.

Fixed null key value in credential profiles created using Document Signing Engine with SAM profile for EC keys.

Released new version of SealSign 2.0 Client (v1.0.3). The new version introduces new configurations:

Configurations introduced in this release (Refer to Readme.txt in installation folder for descriptions):

Removed language selection dropdown from onboarding steps in inline flow. This is a temporary adjustment. Language selection will return once translated content is available.

On the Client Tool Repository page, the whole card is now clickable instead of just the tool name.

Added an option to copy credential nickname in credential listing.

Changed default profile help text on validation profile page.

Added missing footer text in "Activate your digital ID" email.

Made additional enhancements to inline signer onboarding flows and emails.

Vetting data will be pulled and made available in an archive for those validations that had remote identity verification cancelled.

Added support for multiple signing providers.

Improved onboarding experience for signers onboarded using the self-enrollment portal. Once the signer's identity is verified, selecting "Go to dashboard" will take the user to the dashboard.

Content changed in approved screen for external signer onboarding.

Fixed broken signing hub user creation flow.

Updated table width on all pages.

Removed “create credential” button in validation widget for those users who already have a credential.

Fixed UI with subjectDN Option label for ADSS and DSS.

Added toast message when validation is invalidated.

Individual revocation of credentials created with ADSS is now allowed.

For eSeal certificates, the following subject attributes values have been changed.

Added OI (‘Organization Identifier’) attribute to legal person certificates.

Added standard response for documentmanager/api/v1/credentials/list API.

Old response:

GET {base_url}/documentmanager/api/v1/credentials/list
{
   "total":1,
   "offset":0,
   "limit":10,
   "credentials":[
      {
         "created_by":"5151097b-bf37-406c-97a0-628f408b2b93",
         "modified_on":"2023-02-20T05:21:02Z",
         "modified_by":"5151097b-bf37-406c-97a0-628f408b2b93",
         "created_on":"2023-02-20T05:21:02Z",
         "credential_id":"2bcd3c0e-1877-4510-b081-b2e916ba40be",
         "label":"mm",
         "key_algorithm":"RSA",
         "key_size":2048,
         "status":"active",
         "profile_id":"63950c14-7a99-4f38-82f5-9b05e3fdbdb4",
         "user_id":"5151097b-bf37-406c-97a0-628f408b2b93",
         "engine_user_id":"9999-9999-5619-2854"
      }
   ]
}

New response:

GET {base_url}/documentmanager/api/v1/credentials/list
{
   "total":1,
   "offset":0,
   "limit":10,
   "credentials":[
      {
         "created_by":"5151097b-bf37-406c-97a0-628f408b2b93",
         "modified_on":"2023-02-20T05:21:02Z",
         "modified_by":"5151097b-bf37-406c-97a0-628f408b2b93",
         "created_on":"2023-02-20T05:21:02Z",
         "credential_id":"2bcd3c0e-1877-4510-b081-b2e916ba40be",
         "label":"mm",
         "key_algorithm":"RSA",
         "key_size":2048,
         "status":"active",
         "profile_id":"63950c14-7a99-4f38-82f5-9b05e3fdbdb4",
         "user_id":"5151097b-bf37-406c-97a0-628f408b2b93",
         "engine_user_id":"9999-9999-5619-2854",
         "standard":"qualified"
      }
   ]
}

Removed snake case fix in parameters for creating credential API which was introduced in the February 8, 2023 release. The V1 API is reverted back to the previous request structure.

Request:

1 POST {base_url}/documentmanager/api/v1/credential
2 {
3    "profileId" : "ab0e2d7d-3240-4639-bc6b-6d7fa5d0af7b",
4    "reuseExistingSecret" : false,
5    "label" : "mobile_optional_1",
6    "account" : {
7        "id" : "796fc0cb-d293-43cf-b7d8-3543f2110f78"
8    },
9    "is_terms_accepted" : true,
10    "terms_id" : "9a2e394d-0cd3-11ed-bcbf-6a5fb046c77c",
11    "mobile" : "123"
12 }

Added new V2 API for creating credentials with the below request parameter:

1 POST {base_url}/documentmanager/api/v2/credential 
2 {
3    "profile_id" : "ab0e2d7d-3240-4639-bc6b-6d7fa5d0af7b",
4    "reuse_existing_secret" : false
5    "label" : "mobile_optional_1",
6    "account" : {
7        "id" : "796fc0cb-d293-43cf-b7d8-3543f2110f78"
8    },
9    "is_terms_accepted" : true,
10    "terms_id" : "9a2e394d-0cd3-11ed-bcbf-6a5fb046c77c",
11    "mobile" : "123"
12 }

Updated all text, references, icons, and logos from Document Signing Manager to Document Trust Manager (or DSM to DTM where applicable).

Note: The above changes were made in profile_key_type column of certificate_profile table.

Allows the signer to initiate their own validation and view its status.

To support SCAL1 bulk signings, added SCAL1 online and offline SAM profiles in manager settings.

Introduced extended transaction functionality so ADSS can be used for SealSign.

The CSC info API returns the new OAuth URL in both V0 and V1 implementation.

V1:

V0:

New interactive onboarding flow for self-enrollment portal users.

Endpoint: GET /documentmanager/api/v1/setup/profile/{id}

Old response:

{
  "certificate_profile": {
    "created_on": "2023-01-04T04:08:26Z",
    "id": "07079de3-6482-4e82-baf1-3d1813512034",
    "name": "ADSS-new-credential_profile-AATL-006",
    "certificate_profile_type": "advanced+",
    "adss_certificate_profile_id": "adss:certification:profile:006",
    "subject_dn": "COMMON_NAME, SERIAL_NUMBER, COUNTRY_OF_NATIONALITY, GIVEN_NAME, SURNAME",
    "validity": "31536000000",
    "terms_id": "2191f36d-859a-11ed-8680-a69ef0fbab90",
    "terms_and_conditions": ""
  },
  "vendor_name": "Ascertia Signing Engine",
  "vendor_id": "3067c517-e55e-463f-955c-d4c541aa2bc8",
  "account_id": "67c961b1-94ff-4439-88fb-d629a3bb0460"
}

New response with base_url parameter:

{
  "certificate_profile": {
    "created_on": "2023-01-04T04:08:26Z",
    "id": "07079de3-6482-4e82-baf1-3d1813512034",
    "name": "ADSS-new-credential_profile-AATL-006",
    "certificate_profile_type": "advanced+",
    "adss_certificate_profile_id": "adss:certification:profile:006",
    "subject_dn": "COMMON_NAME, SERIAL_NUMBER, COUNTRY_OF_NATIONALITY, GIVEN_NAME, SURNAME",
    "validity": "31536000000",
    "terms_id": "2191f36d-859a-11ed-8680-a69ef0fbab90",
    "terms_and_conditions": ""
  },
  "vendor_name": "Ascertia Signing Engine",
  "vendor_id": "3067c517-e55e-463f-955c-d4c541aa2bc8",
  "base_url": "https://demo.signingportal.com",
  "account_id": "67c961b1-94ff-4439-88fb-d629a3bb0460"
}