Trust Lifecycle Manager
2023 releases
December 13, 2023
DigiCert® ONE version: 1.6573.2 | Trust Lifecycle Manager: 1.2366.0
New
DigiCert Trust Assistant - post-processing scripts for Windows (AD Publish)
Added a new DigiCert Trust Assistant post-processing script enabling the automated publication of a user's X.509 certificate to the userCertificate
attribute within the Active Directory.
You can enable the post-processing script for S/MIME certificate templates:
Public S/MIME Secure Email (via CertCentral)
Private S/MIME Secure Email
Enhancements
DigiCert Trust Assistant - post-processing script for Outlook
In this release, we expose the internal validation checks required for the Outlook post-processing script to successfully configure Outlook with the installed certificate.
Internal validation checks:
Access to CRL and OCSP services via the URLs inside the CRL Distribution Point (CDP) and Authority Information Access (AIA) extensions
CA chain validation (including the Root CA)
Fixes
Certificate Policy validation for eIDAS templates
Resolved the Certificate Policy OID validation issue with the five eIDAS templates.
重要
Customers using these templates must mark the CAs created or uploaded onto the DigiCert® CA Manager application as “Qualified.” Otherwise, the Issuing CAs will not be shown when creating a profile from the eIDAS templates.
To mark the CAs as "Qualified, in the Create ICA flow, use the “Get a CSR from DigiCert ONE and sign with your own CA” option, and then select the “Qualified” option.
Renewal options in the revocation email template
Removed the list of renewal checkboxes within the revocation email template configured within a profile.
Unwanted certificate fields in the public-facing pages
Removed the internal profile fields appearing on public-facing pages (for example, we removed the key usage field).
Latest sensor not working when set up as a proxy
In the latest sensor release, v3.8.63, we fixed the bug in sensor version v3.8.62, restricting agents from using the sensor as a proxy.
Deleting the Azure Key vault connector marks the CC connector as "Action needed"
When deleting the Azure Key vault connector (and other connectors), the CC connector is no longer marked as Action needed.
Support TLM-ACME server with Ansible
Added support for the Ansible ACME Client in the TLM-ACME server.
December 7, 2023
DigiCert® ONE version: 1.6392.5 | Trust Lifecycle Manager: 1.2350.0
New
注意
Removed the DigiCert Desktop Client
enrollment method from the Generic User Certificate
template, which is no longer supported. If you are making use of the DigiCert Desktop Client in a profile, use the DigiCert Trust Assistant
client instead by cloning your profile and selecting it as the new enrollment method. For new profiles, simply select the DigiCert Trust Assistant enrollment method. See the online documentation for details of its functionality.
FQDN and IP addresses allowed list for server requests
New feature that allows authorized profile administrators to configure a list of FQDN and IP addresses that are allowed to be included within private server certificate requests and checked against a profile-based ‘allowed list’ before issuance. Certificate request fields that will be checked are:
SAN:dnsName
SAN:ipAddress
The list of FQDNs/IPs within the profile can be modified at any time.
Supported template for this feature: Generic Private Server Certificate
.
Custom extensions
New powerful feature that allows authorized administrators to configure private certificates with custom extensions, defined as a JSON structure inside the Advanced profile wizard step for the three ‘generic’ certificate templates:
Generic Device Certificate
Generic Private Server Certificate
Generic User Certificate
Values for the private custom extension can be sourced from all the standard application sources based on the profile’s enrollment method, with the exception of “Microsoft Autoenrollment”, which will be supported in a future release.
For details see: Issue private certificates with custom extensions
Workflow customization for agent-based automation
Enhanced workflows that allow administrators to customize automation using hooks at various steps of the automation flow.
Pre-scripts before automation starts, and post-scripts after the certificate is installed:
Assign pre and post-scripts for the core automation workflow based on application type for one or more agents.
Configure script at application or request level.
SNI scripts to look up domains on servers for SNI-based discovery:
Configure a custom script to fetch SNI domains in addition to the manual configuration available today.
Restart control hook for application restart:
Custom ACME application clients to extend already supported applications:
For more details see: Agent scripts
注意
Minimum agent version: 3.0.8.
Sensor Update v.3.8.62
New sensor release with the following updates:
JDK updated to v17
Updated open-source packages to the latest version to remove vulnerabilities.
Agent Update v.3.0.8
New agent release to support workflow extensibility.
New eIDAS Qualified Certificates templates
New set of eIDAS Qualified Certificate ‘limited’ templates that replace the 3 released earlier this year, which have been removed, and extend the use-cases to support issuance of qualified certificates that meet the requirements of the Payment Services Directive 2 (PSD2). The new templates (linked to User Seat type for Natural persons, and Organization Seat types for Legal Persons/eSeals) will also make use of an OCSP service that is ETSI compliant.
eIDAS Electronic Signature Certificate (Natural Person): It allows Qualified Trust Service Providers, who are audited and compliant with eIDAS, to issue EU Qualified Certificates to natural persons (QCP-n). This certificate will result in an Advanced Electronic Signature under eIDAS [SD1] (EU Regulation No 910/2014).
eIDAS Electronic Signature Certificate (Natural Person with QSCD): It allows Qualified Trust Service Providers, who are audited and compliant with eIDAS, to issue EU Qualified Certificates to natural persons where the private key and the related certificate reside on a QSCD (QCP-n-qscd). This certificate will result in a Qualified Electronic Signature under eIDAS (EU Regulation No 910/2014).
eIDAS Electronic Seal Certificate (Legal Person): It allows Qualified Trust Service Providers, who are audited and compliant with eIDAS, to issue EU Qualified Certificates to legal persons (QCP-l). This certificate will result in an Advanced Electronic Seal under eIDAS (EU Regulation No 910/2014.
eIDAS Electronic Seal Certificate (Legal Person with QSCD): It allows Qualified Trust Service Providers, who are audited and compliant with eIDAS, to issue EU Qualified Certificates to legal persons where the private key and the related certificate reside on a QSCD (QCP-n-qscd). This certificate will result in a Qualified Electronic Seal under eIDAS (EU Regulation No 910/2014).
eIDAS Electronic Seal Certificate (Legal Person with PSD2): It allows Qualified Trust Service Providers, who are audited and compliant with eIDAS, to issue EU Qualified Certificates to a Payment Service Provider (PSP) organisation and used to apply Qualified Electronic Seals (QSeal) that meet the requirements of the Payment Services Directive 2 (PSD2).
警告
Trusted Service Providers are fully responsible for the issuance of Qualified Certificates that are conformant with the eIDAS standard and also responsible for meeting all of the regulations and requirements set within it.
Old eIDAS templates are no longer available. Use the 5 new templates going forward.
Enhancements
Multiple key sizes per profile
Profile enhancement that allows an authorized administrator to set multiple key sizes using checkboxes in a single profile, without the need to create separate profiles per key size. This feature is supported for profiles configured with any of the below enrollment methods for most templates, where a user (or a client) can now submit a CSR using any of the allowed key sizes set within the profile:
CSR
EST
REST API
SCEP
注意
This enhancement is applied to all supported key types: RSA, ECDSA, EdDSA
This enhancement is not supported by the below templates:
Public S/MIME Secure Email (via PKI Platform 8)
Public S/MIME Secure Email (via CertCentral)
User experience enhancements
Warning message in Reports side-rail when a user exceeds the maximum amount of 10 custom reports.
Support for a confirmation pop-up and optional message to all users for bulk approval/rejection of enrollments.
Redesign of the Reports functionality for the Enrollments page, to be consistent with the reports icon within the Inventory page, which shows a side-rail with options to generate an instant or custom report.
Extended use of Action Needed
Extended the "Action needed" functionality to show a profile in this state when the enrollment method associated with the profile is no longer enabled on the account.
Resend renewal email action
Support for a new action for certificates inside a renewal window, allowing an authorized administrator to manually send the renewal email by clicking on the "Resend renewal email" action available from the Inventory page
MS Autoenrollment support for ”Public S/MIME Secure Email (via CertCentral)” template
Support for the Microsoft Autoenrollment enrollment method using the DigiCert AutoEnrollment Server to silently issue Public S/MIME sponsor-validated certificates using a profile created from the Public S/MIME Secure Email (via CertCentral)
template.
November 15, 2023
DigiCert® ONE version: 1.6392.4 | Trust Lifecycle Manager: 1.2287.0
New
New Security Identifier (SID) extension
Support for the Security Identifier (SID) extension (OID - 1.3.6.1.4.1.311.25.2
), which Windows uses for authentication (e.g. Windows Logon). Users can manually enter the SID in the user interface or read automatically from an Active Directory attribute using the new DigiCert Autoenrollment Server release (v2.23.2.0), available for download from Resources > Client tools.
The following templates support the SID extension for all enrollment methods:
Domain Controller
Generic User Certificate
Generic Device Certificate
Generic Server Certificate
Microsoft® Enrollment Agent
Windows Hello for Business Authentication
注意
Note: when configuring a profile with the Microsoft Autoenrollment enrollment method, the DigiCert Autoenrolment Server v2.23.2.0 must be deployed to support the new SID extension, which has been qualified for the following templates with some restrictions based on whether the profile is configured to issue RSA or ECDSA certificates:
Domain Controller
(for RSA and ECDSA key types)Generic User Certificate
(for RSA and ECDSA key types)Generic Device Certificate
(for RSA and ECDSA key types)Generic Server Certificate
(for RSA and ECDSA key types)Microsoft® Enrollment Agent
(for RSA key types only)Windows Hello for Business Authentication
(for RSA key types only)
Azure Key Vault connector and enrollment flow
Trust Lifecycle Manager now automates the certificate request workflow for administrators allowing them to request certificates to be delivered to one or more Azure Key Vaults from within their Trust Lifecycle Manager account.
Support for adding one or more Azure Key Vault connectors
New
Admin web request
enrollment method that the following templates support:AWS CA Private Server Certificate
CA Manager Private Server Certificate
CertCentral Private Server Certificate
CertCentral Public Server Certificate
Microsoft CA Private Server Certificate
New
Request certificate
option onEnrollments
pageAbility to enroll for new certificates and have them delivered to the key vault of your choice
Enhancements
Private S/MIME Secure Email template enhancements
Enhancements to the “Private S/MIME Secure Email” template to support:
The
Non repudiation
Key Usage for all key types: RSA, ECDSA, EdDSAThe
Key agreement
,Encipher only
, andDecipher only
Key Usages for ECDSA key types
Dual Admin Approvals and Dual Admin Key Recovery enhancement
Enhancement to only allow Dual Admin Approvals and Dual Admin Key Recovery options to be enabled in the profile wizard if at least 2 authorized administrators exist in the account.
DigiCert Trust Assistant - Outlook post-processing script support for SafeNet eTokens
Extending the support of the post-processing script for Outlook (Windows only) when using a SafeNet eToken (5100, 5110), in addition to previously supported key stores (OS keystore and the DigiCert Software Keystore). This feature continues to be available for the below templates:
Private S/MIME Secure Email
Public S/MIME Secure Email (via PKI Platform 8)
提示
You require DigiCert Trust Assistant 1.1.4 to make use of the post-processing feature.
Customer fixes
Fixed a typo in the Country label for Kuwait, shown on web pages that require a Country field to be selected by an end-user.
November 8, 2023
DigiCert® ONE version: 1.6392.3 | Trust Lifecycle Manager: 1.2263.0
New
New Tenable connector
Support discovery of certificates from Tenable. We’ve introduced:
A new connector that allows you to connect to your Tenable.io account.
Support for importing certificate data to Trust Lifecycle Manager Inventory.
Support for adding tags and assigning business units as you import your data.
Support for setting schedules to pull new certificates and change information to keep inventory up to date.
Enhancements
Enhance connector tags to add auto suggest
Show suggestions when adding tags to choose from a list of existing tags.
Improves usability when adding a new tag.
Sensor update v3.8.61 available
TLM Plugin Manager framework
November 1, 2023
DigiCert® ONE version 1.6392.1 | Trust Lifecycle Manager: 1.2172.0
New
Two-factor authentication (2FA) requirement
Starting November 1, 2023, at 18:00 MDT (November 2, 2023, at 00:00 UTC), we will require all DigiCert ONE accounts to use two-factor authentication (2FA).
You will use both your credentials and a one-time password to access your account. When you log in to your DigiCert ONE account on November 1, you will be prompted to set up two-factor authentication. If you have already enabled two-factor authentication in Account Manager before this date, no further action is necessary.
How to enable two-factor authentication in Account Manager.
注意
If you use single sign-on (SSO) to access your DigiCert ONE account, the new two-factor authentication requirement does not affect you. However, the requirement will activate if you modify your SSO settings.
Enhancements
DigiCert Trust Assistant 1.1.4 introduces post-processing scripts for S/MIME configuration in Microsoft Outlook (Windows only), simplifying certificate configuration post-enrollment and renewal.
Improved CSR generation flow within the application to enhance User Experience with more key type/size options.
New enrollment methods and signature algorithms have been added for the “Public S/MIME Secure Email (via CertCentral)” template, including Browser PKCS12, CSR, and DigiCert Trust Assistant.
Added support for RSASSA-PSS signing algorithms:
sha256WithRSAPSS
sha384WithRSAPSS
sha512WithRSAPSS
Bulk management of Discovery seats is now possible through CSV upload, enabling creation, update, and deletion in bulk.
Updated Seat usage widget now displays links for created and consumed seats, with a new "Consumed" column and refined counters with rounding and detailed hover information.
October 25, 2023
DigiCert® ONE version: 1.6201.5 | Trust Lifecycle Manager: 1.2224.0
New
Optional grace period for certificate renewal
New Grace period
option for the “Renewal options” section that allows the addition of the days before expiration to the renewed certificates. If not selected, the renewed certificate takes a strict validity period based on the “Certificate expired in” value.
For example, for a profile configured with the grace period, if renewing a 365-day certificate 20 days before its expiration, the renewed certificate will have a validity period of 385 days. If the option was disabled, the renewed certificate only has a validity period of 365 days.
注意
This feature is enabled for profiles making use of Issuing CAs hosted by DigiCert® CA Manager, not external CAs such Microsoft CA, CertCentral or AWS CA.
Bulk deployment for agents
Ability to create a deployable package with an encrypted API-KEY that can then be distributed using any available tools like GPO push, Ansible, PS Exec, etc. and triggered such that the agent provisions to the account and is ready for automation.
Enhancements
CA vendor widget enhancement
Enhanced the CA vendor dashboard widget to support clicking on the “Others” sector of the graph to redirect to the Inventory page with a filter of all other CA vendor values.
October 18, 2023
DigiCert® ONE version: 1.6201.3 | Trust Lifecycle Manager: 1.2203.0
New
Public S/MIME template for Email Gateway providers using CMP
This new certificate template named Public S/MIME Secure Email using CMP (via CertCentral)
allows issuance of Public S/MIME sponsor-validated certificates via CertCentral using the Certificate Management Protocol (CMP), is mainly consumed by our Email Gateway service providers.
The template is tagged as “limited”, meaning that a is not available for all accounts. If required, contact an administrator with appropriate access to assign templates to accounts.
Enhancements
CertCentral Public S/MIME template enhancements
Updated the Public S/MIME Secure Email (via CertCentral) template to support:
Multiple email addresses within the SAN:rfc822Name extension.
LDAP search feature, where profiles with this option enabled allows certificates issued from the profile to be searched using an LDAP client. See Access certificates with LDAP (digicert.com) for more info.
注意
Searches based on a “mail” value (an email address) are currently done against the Subject DN Email field, not the SAN:rfc822Name extension.
For CertCentral issued certificates, the LDAP service does not search against CA certificates, nor CRLs, only end-user Public S/MIME certificates for profiles with the LDAP option enabled.
Certificate Renewal Reminder email template enhancements
Added two new variables to the Certificate Renewal Reminder email template:
cert_serial_number
: will show a “Certificate Serial Number” label in the renewal email with the associated certificate serial number of the certificate being renewed.cert_subject_dn
: will show a “Subject Distinguished Name (SDN)” label in the renewal email with the entire SDN value of the certificate being renewed.
New DigiCert Agent v3.0.7
With this new version of the agent, the following updates are performed:
IIS moved from win-acme to Certbot as the client library
OpenSSL has upgraded to v3.0.9
RHEL 9.2 support added
Fixes
Browser PKCS12 certificate delivery issue
Fixed an issue with profiles configured with the “Browser PKCS12” enrollment method and using a self-signed Issuing/Root CA, with the include Root CA in the delivery format option, not including the Root CA in the PKCS12 response file.
Get profile API response issue
Resolved an issued with GET profile API response not delivering the profiles bound to the account.
October 12, 2023
DigiCert® ONE version 1.6201.2 | Trust Lifecycle Manager: 1.2172.0
New
Post-Quantum Cryptography (PQC) vulnerable certificate filter
New PQC vulnerable
certificate filter that shows whether a certificate within the Inventory (“All certificates” system view) is vulnerable to post-quantum cryptography attacks.
New Seat API endpoint
This new seat API endpoint (GET /mpki/api/v1/seat
) that allows the retrieval of paginated list of seats based on multiple filtering parameters:
account_id
business_unit_id
seat_type
active
Enhancements
Dashboard enhancements
Auto-layout of the dashboard when removing or adding widgets to find the best position for every widget automatically
New Certificates by CA vendor widget showing certificates issued grouped by the Subject DN - Organization value of the Issuing CA, including:
Up to 10 sectors in the pie chart, one for each different vendor.
An
Others
sector in the pie, for certificates that are not identified/trusted within the Account > Root CAs list.An
Unknown
category, for certificates without a Subject DN - Organization value in the Issuing CA certificate.
New
Overview icon
available next to the page titleRedesign of the Automation Alerts widget to show the alerts by categories using a vertical and scrollable graph instead of a horizontal carrousel.
Redesign of the Integrations widget to become the new Connectors widget.
Redesign of the Certificates Expired or Expiring widget.
Support Tags for Certificates API endpoint
Enhanced the certificate API endpoint to support a new ‘tag’ request parameter that is bound to the certificate object and can later be filtered within the Inventory web page to find certificates associated with a specific tag.
Custom certificate report enhancements
Added a new
Pseudonym
field to the "Subject Distinguished Name (SDN) details" section when creating a custom certificate report.Added a new
PQC vulnerable
field to the “Public key detail” section when creating a custom certificate report, showing what certificates are vulnerable to Post Quantum Cryptography attacks with ayes
/no
value.
Make Server authentication EKU optional for ACME
enrollment method in CA Manager Private Server Certificate
profile.
Fixes
Profiles list page
Resolved issue with showing the new onboarding/overview page when visiting the Mange > Profiles page even though there are profiles available on the account. The issue was related to retrieving the first profile in the account as “Inactive”, hence the page thinking there are no profiles available on the account and showing the new onboarding page.
October 4, 2023
DigiCert® ONE version: 1.6201.1 | Trust Lifecycle Manager: 1.2128.0
New
Overview pages
A new set of overview pages, which are displayed when no data is available on a page, provides users:
With an overview of the page, and
Guidance on how to see data populated for one of these overview pages.
This is particularly important for users who are onboarding onto the platform for the first time.
A new icon is also displayed next to the page’s title. This icon provides access to the same overview page anytime after the product has been used and data has already been created.
Pages that implement the new overview functionality are:
Inventory
Manage > Enrollments, Profiles, Seats, Network scans
Reporting & auditing > Audit logs, Report library
Integrations > Agents, Sensors
Settings > Notifications
New Legal Entity Identification (LEI) extension
Support for a new Extension called Legal Entity Identification (LEI), defined in ISO 17442, for the “Generic User Certificate” template.
AWS private CA discovery
Discover certificates using the AWS private CA connectors configured in TLM. Admins can either enable discovery when adding a new connector or updating existing ones for discovery. Once enabled, the connector discovers and imports certificates across all the roots configured in the target AWS account.
Network scan enhancement to support more detailed cipher discovery
Enable cipher discovery when setting up a network scan. This allows you to find all the ciphers configured on the system in addition to the handshake cipher information collected.
When enabled, view this cipher information under the certificate details section categorized by protocol and flagged when found to be weak.
Inherit certificate tags from profile
Add tags when creating a new profile. Manage tags for a profile. Any certificate issued from that profile inherits the tags assigned to the profile.
New Sensor release v3.8.60
Enhanced security by using client based authentication for all communication.
Updated to installer to fork installation experience for TLM vs CertCentral.
Enhanced sensor provisioning to support private trust for TLM on-premise deployments.
A few functional bug fixes.
Allow users to upload roots to TLM discovery Trust Store
Upload roots or ICAs to TLM discovery Trust store such that:
Private roots and ICAs when uploaded are available at account scope.
Public roots and ICAs if uploaded undergo an approval step and apply to all accounts once approved.
Enhancements
Dashboard enhancements
Set of enhancements to the Dashboard:
New widget management feature, where graphs and widgets in the Dashboard can be added/removed and refreshed by users from a menu option located on the top-right of the Dashboard.
Every widget now shows a “Last updated” date upon which it was last refreshed, and can be removed from the Dashboard. Note that some widgets can be refreshed in real-time and others via a scheduled job (asynchronous).
The Seat Usage widget has been split into two separate graphs.
The Pending Enrollments and Pending Recovery widgets have been merged into a single graph.
Update to CertCentral connector
With CertCentral implementing 2-factor authentication, we are limiting the options for linking TLM to CertCentral such that:
All DigiCert hosted instances continue to have the option to use the CertCentral username/password to authenticate and link to CertCentral.
Any on-premises or non DigiCert deployment only shows the API-KEY option to link to CertCentral.
X509 and PKCS7 Certificate Download Label
Updated the X509 and PKCS7 download button labels in public-facing web pages to show more user-friendly labels:
For X509:
Download certificate in PEM format (.pem)
Download certificate in DER format (.der)
For PKCS7:
Download certificate in PEM format (.p7b)
Download certificate in DER format (.p7b)
September 28, 2023
DigiCert® ONE version: 1.6074.9 | Trust Lifecycle Manager: 1.2103.0
New
Inventory page
Renamed the Certificates page to the Inventory page since DigiCert® Trust Lifecycle Manager manages more than just certificates. It is a single ‘book of record’ / inventory page from where you can view and manage all its assets, for example unsecured IPs and ports.
The new Inventory page includes an enhanced views dropdown list and a new collapsible Quick Taskbar, available from the right side of the Inventory page with quick access icons to:
“Add connectors”, which redirects the user to the Manage > Connectors page.
“Manage views”, from where default views can be managed and custom views can be created.
“Reports”, to create instant reports (for less than 5000 records), and access the Custom Reports wizard.
“Notifications”, which redirects the user to the Manage > Notifications page to manage or create new custom notifications.
Enhancements
DigiCert Trust Assistant - RSASSA-PSS renewals
Support for RSASSA-PSS certificate renewals via DigiCert Trust Assistant.
DirectoryName enhancements
Extended support for additional fields/aliases within the SAN:directoryName and IAN:directoryName extensions:
USER_IDENTFIER
using various aliases:USERID
,USERIDENTIFIER
, andUID
.Extend the
STATE
field to support theS
alias.
Fixes
Fixed an issue that prevented downloading user certificates
Fixed issue with not being able to download a user certificate for profiles configured with Browser PKCS12/Enrollment Code methods, which occurs under some specific ‘caching’ circumstances.
September 20, 2023
DigiCert® ONE version: 1.6074.7 | Trust Lifecycle Manager: 1.2085.0
New
Integration with CertCentral CA for public S/MIME
Support for issuance of Public S/MIME Legacy sponsor-validated certificate types conformant with the new S/MIME Baseline Requirements making use of the new template called Public S/MIME Secure Email (via CertCentral)
.
The supported enrollment method for this initial release is: REST API
. Web-based enrollment methods will be supported in a future release.
注意
Before you can create a profile from this new template, make sure you have linked your Trust Lifecycle Manager account with your CertCentral account by setting up the CertCentral CA connector under Integrations → Connectors → Add connector → CertCentral. You also need to have the Automation feature enabled on your account.
September 14, 2023
DigiCert® ONE version: 1.6074.5 | Trust Lifecycle Manager: 1.2065.0
New
eIDAS Qualified Certificates
European Trusted Service Providers who are compliant with eIDAS can now issue EU Qualified Certificates to natural and legal persons for the purposes of supporting digital signatures, peer entity authentication, data authentication, and data confidentiality, in accordance with EU Regulation No. 910/2014 [i.9], and ETSI EN 319 412-5 [i.7] for requirements relating to QCStatements.
Two new templates (eIDAS Electronic Signature and Electronic Seal) have been created to support these use cases. The templates are bound to the user seat type and tagged as Limited, meaning that only system administrators with appropriate permissions can explicitly assign them to accounts that require these types of certificates:
eIDAS Electronic Signature Certificate
eIDAS Electronic Seal Certificate
重要
Trusted Service Providers are fully responsible for the issuance of Qualified Certificates that are conformant with the eIDAS standard and also responsible for meeting all of the regulations and requirements set within it.
Enhancements
DigiCert Trust Assistant enhancements
DigiCert Trust Assistant now supports the new RSASSA-PSS signing algorithm.
注意
Using this algorithm requires DigiCert Trust Assistant v1.1.3, available for both Windows and Mac platforms from the client tools page.
Relaxing rules for country codes
Relaxed the SubjectDN Country field validation rules. Certificates imported into the Trust Lifecycle Manager application via the “certificate-import” API now allow any 2-letter country code.
Issuance of new certificates will continue to be restricted to ISO-compliant country codes.
September 6, 2023
DigiCert® ONE version: 1.6074.1 | Trust Lifecycle Manager: 1.2036.0
New
New certificate system view
A new system view available from the Certificates page shows which certificates will be expiring in the next 30 days, and shows the remaining days until expiration in a new table field called “Expiring in (days)”. Users can filter the data further to show expiring certificates by seat type.
Enhancements
Generic Private Server template update
Updated the template to set the “Server authentication” Extended Key Usage (EKU) as default.
Email templates enhancement
Updated all email templates to use the Seat ID value instead of User Full Name.
Relocated 'Link PKI Platform 8' pages
Moved the Link PKI Platform 8 functionality from Settings to Integrations → Connectors to locate it alongside other CA connectors.
Show Add Connector page when none is available in the account
For accounts that have no configured connectors, the Add connector page will show when the user selects the Connectors link under Integrations in the left navigation bar.
Enhancements to Issuing CA field
For certificates discovered or issued using Certificate Lifecycle workflows:
The Issuing CA column will now show the issuer common name, in line with existing behavior for CA manager certificates.
A new column called CA vendor shows the name of the CA (e.g. DigiCert).
Fixes
Seat usage data in dashboard
Resolved issue with Seat Usage widget in the dashboard, which was only showing data against all business units and not respecting the business unit selector at the top of the page. Customers using only one business unit would not have noticed the issue.
August 29, 2023
DigiCert® ONE version: 1.5874.11 | Trust Lifecycle Manager: 1.2005.0
New
S/MIME Secure Email compliance with new CA/B Forum S/MIME Baseline Requirements
Updated the Public S/MIME Secure Email (via PKI Platform 8)
profile wizard to support the new Legacy generation Sponsor-validated certificate type, as defined in the new CAB Forum S/MIME Baseline Requirements standard.
You need a PKI Platform 8 account and validated email domains to issue Sponsor-validated certificates.
For details about the changes, refer to the Trust Lifecycle Manager section in this knowledgebase article.
注意
The PKI Platform 8 issuing CA has been updated accordingly to enforce the new Public S/MIME Secure Email industry requirements.
August 23, 2023
DigiCert® ONE version: 1.5874.8 | Trust Lifecycle Manager: 1.1996.0
Enhancements
REST API for business units
Added REST API endpoints to:
Create business units
List business units
Assign seats/licenses to a business unit
Fixes
Private S/MIME error
Resolved an issue with web-based enrollments associated to a Private S/MIME profile present under very narrow conditions.
ACME: Remediated wrong message when order is in reissue pending state
For CertCentral orders using third-party ACME methods, when the order goes into reissue pending state for any reason, subsequent requests were returning a “Bad Request” error. This has been updated to return an ACME compliant error.
Hide additional parameters option on Microsoft CA connector
Removed additional parameter options from Microsoft CA connector as they are not used for connector configurations.
August 16, 2023
DigiCert® ONE version: 1.5874.6 | Trust Lifecycle Manager: 1.1967.0
Enhancements
Support plans
On August 15, 2023, DigiCert upgraded our support plans to provide a better, more customizable experience. These improved plans are scalable and backed by our technical experts to ensure your success.
New plans:
Standard support (free)
Business support (mid-level)
Premium support (highest-level)
For more details about what these plans include, see the DigiCert Support Plans and DigiCert Support: Enabling Your Success.
How does this affect me?
To show our appreciation, DigiCert has upgraded all existing customers to either Business or Premium support plans for a limited time at no additional charge. See our August 15 change log entry.
How the limited-time upgrade works:
Platinum support plans are upgraded to Premium support for the duration of the contract.
Gold or Platinum-Lite support plans will be upgraded to Premium support for the duration of your contract.
Included (non-paid) DigiCert support will be upgraded to Business support for up to one year.
UX enhancements
Updated modal pop-up for suspend/resume actions using common UI design component.
Added a Select all link for the custom report “Profile authentication fields” section.
For profiles that support a Cloud Key Escrow option, added an Information banner to the public-facing web enrollment pages to inform users that their keys are being escrowed.
Fixes
Certificate renewal job
Resolved issue with the certificate renewal job not getting completed in a timely fashion.
Blank page with Public S/MIME profile
Resolved issue with blank page appearing when creating a profile from the “Public S/MIME Secure Email (via PKI Platform 8)” template.
Automatic seat allocation
Resolved an issue where not all seat types were being automatically allocated to the Default Business Unit.
August 9, 2023
DigiCert® ONE version: 1.5874.4 | Trust Lifecycle Manager: 1.1946.0
Enhancements
Profile cloning
Added support for choosing a different business unit or issuing CA when cloning a profile. Previously, both fields were locked and could not be modified when cloning a profile. Now, if you have access to additional business units and issuing CAs, you will be able to select them before saving the newly cloned profile.
Intune enhancement
Intune revocation scheduler job will now run hourly instead of every 3 hours.
Profile enhancement - default common name
Starting from this release, if a template supports the Subject DN Common name
field, it will be automatically added to the profile wizard’s second step by default.
Private S/MIME Secure Email enhancement
The previous Private S/MIME Secure Email template implementation blocked users from modifying the Key Usages extension. Now, both the Digital signature
and Key encipherment
fields are optional, and account administrators can configure signing-only and/or encryption-only certificates.
Fixes
Refresh configuration action notifications
Fixed an error where the Refresh configuration action was sending a notification stating that the F5 server cannot be reached. This notification will no longer be triggered.
Virtual IP with no profile shows as unreachable
Fixed an issue that was preventing admins from automating virtual IPs that had no profile. Admins can now automate these IPs.
August 2, 2023
DigiCert® ONE version: 1.5874.1 | Trust Lifecycle Manager: 1.1913.0
New
Network scanning
With this release, administrators can configure and run one or more network scans in Trust Lifecycle Manager:
Added new feature in Account manager for Network Discovery.
Added new option to create and manage network scans in Trust Lifecycle Manager when the feature is enabled in Account Manager, with these abilities:
Add and manage network scans.
Schedule scans and see their progress.
See scan results on certificate list page.
In addition, added the following functions:
Filter by scan name.
Calculate a security rating for certificates found in a scan.
Capture chain information and analyze of any issues.
Capture security headers and handshake information.
Added security rating column in certificate list view.
Added new notifications for discovered certificates:
Default and custom notification options.
Allow users to clone email templates.
Allow users to configure criteria for emails.
Updated certificate details page
Certificate details page has been restructured to better represent certificate and discovery data.
Reformatted with a tab layout for better accessibility.
Added new tabs for security details with detailed information on security rating, chaining, headers, and handshake protocols based on how the data was discovered.
Private S/MIME Secure Email template enhancements
Updated the "Private S/MIME Secure Email" template to support the DigiCert Trust Assistant
enrollment method with all corresponding authentication methods:
Enrollment code
Manual approval
SAML IdP
Added support for the Microsoft Autoenrollment
enrollment method to auto-provision private S/MIME (non-escrowed) certificates, both RSA and ECDSA key-based.
Enhancements
Added 'Request a new certificate' as secondary action for automation flows
Allows users to get a new certificate from a different profile when their default automation action is set to reissue or renew.
Added 'Check status' option for certificate management profiles
Allows users to select one or more profiles to check their status and refresh the profile from profile list page.
Intune profile enhancement
Relaxed the validation rules for the Tenant Name field in profiles created from Intune templates to allow domain values that are different to just using the default onmicrosoft.com domains.
July 27, 2023
DigiCert® ONE version: 1.5658.5 | Trust Lifecycle Manager: 1.1875.0
Enhancements
Removed redundant link
Removed the Enrollment code report link under the main Reporting and auditing menu option.
注意
Equivalent reports can be generated from the Enrollments page as custom scheduled reports.
Fixes
Intune certificates
Resolved issue with Intune certificate enrollments failing. They now proceed as expected.
CertCentral profile status
Resolved issue with CertCentral profiles showing an “Action needed” status. This now only displays when expected.
July 26, 2023
DigiCert® ONE version: 1.5658.4 | Trust Lifecycle Manager: 1.1867.0
New
Scheduled reports
Authorized account administrators can now schedule custom Certificate and Enrollment reports to be generated at different intervals:
Once: The report will be queued immediately and run as soon as possible.
On a specific date: Select a date to run the report.
Weekly: The report will run on the selected day(s) of the week, every week until manually stopped.
Monthly: The report will run monthly, on a specific day of the month (or last day of the month), with the option to run it every set number of months until manually stopped.
Custom labels for Subject DN and SAN labels in different languages
When creating or editing a profile, users can specify replacements for the default Subject DN and SAN labels with custom labels in multiple languages. Example: The “Common name” field could be customized to show: “Please enter your full name:” (for English), and similar text in other supported languages if set within the profile.
Enhancements
Key size update to the Private S/MIME template
Updated the "Private S/MIME Secure Email" template to support RSA 3072-bit key sizes.
SAN Directory Name extension in Generic User Certificate template
Updated the SAN Directory Name extension functionality, available when creating a profile from a Generic User Certificate template, to support:
A single Organization Identifier field, using a tag of
ORGANIZATIONIDENTIFIER
orORGID
(case insensitive).One or multiple Description fields and values, using a tag of
DESCRIPTION
orDESC
within the overall Directory Name value (case insensitive).
Here is a sample SAN Directory Name value using all currently supported tags:
C=US,O=DigiCert,OU=myOU-1,OU=myOU-2,ST=Utha,L=Lehi,GIVENNAME=John M,SURNAME=Doe,TITLE=Product Manager,SERIALNUMBER=00001,ORGID=123456,DESC=my description 1,DESC=my description 2,DC=DigiCert,DC=com
Certificate recovery enhancements
Enhanced the certificate recovery flow for profiles configured with the Cloud Key Escrow option, to include 3 new email templates that can be customized:
Private key recovery initiation
Private key recovery approved
Private key recovery rejected
When approving/rejecting a second admin recovery operation, the administrator can optionally send a message to the user with the reason for the rejection, or extra information when approving the recovery. The message will also be saved as an internal note for auditing purposes.
Profile wizard enhancements
Enhanced the profile wizard logic for the first step (“Primary option”) to show warning messages when required enrollment methods are not available on the account. To show these, contact your administrator to ensure your account has the required feature enabled.
Profile list page update
Removed the bulk action button placed outside the table in favor of functionality inside the table, to make it consistent with the Certificates List page.
Email logo update
Updated the default Trust Lifecycle Logo included in all email templates.
Fixes
Missing fields in status change email
Fixed issue where SeatID and SeatName variables were omitted from the Certificate Enrollment Status Change email template.
Error on enrollments list page
Fixed error displayed in the Enrollments List page caused by enrollments associated with a deleted profile.
Known issues
Proxy issues for some CertCentral flows
Discovery and synchronization actions using CertCentral accounts do not go through the proxy right now, although certificate issuance does.
July 12, 2023
DigiCert® ONE version: 1.5658.1 | Trust Lifecycle Manager: 1.1810.0
New
Suspend and resume email templates
New suspend and resume email templates have been added. Authorized administrators can configure them when creating/editing a profile from any of the three Generic templates (User/Device/Server).
Enhancements
Internal audit enhancement
For profiles configured with the Manual approval authentication method, we now capture the name of the administrator who approves or rejects a certificate request within the internal notes displayed on the enrollment details page.
Fixes
TLM CertCentral CA public server profiles “Action needed” state issue
Fixed a code issue affecting multiple customers where CertCentral CA public server profiles were incorrectly labeled Action needed.
July 5, 2023
DigiCert® ONE version: 1.5658.0 | Trust Lifecycle Manager: 1.1784.0
New
Microsoft CA support for issuance of user certificates via web-based flows
Added support for issuance of user certificates using a Microsoft CA as the issuer with Microsoft certificate templates, which are selected when creating a profile from the new Microsoft CA User Certificate template and will prepopulate most of the profile wizard settings based on the Microsoft template configuration. Customers will still be able to control the SubjectDN and SAN fields to be used when signing the certificate, which will be added to the CSR that is sent to Microsoft CA for signing via the DigiCert MSCA Connector.
Prerequisites: Similar to the already available Microsoft CA support for private certificates, this solution also requires the configuration of a sensor and a Microsoft CA Connector, available under the Integrations menu option.
The Microsoft CA User Certificate template supports the below user enrollment/authentication methods (flows):
Enrollment method | Authentication method |
---|---|
|
|
Also added support for these certificate lifecycle operations using a Microsoft CA as the signer/issuer:
revocation, where the Microsoft CA solution will be responsible for providing any certificate validation services (CRL / OCSP).
renewal, where the appropriate renewal flow will be enforced based on the profile configuration using the renewal thresholds set within the Microsoft template and intersecting with the allowed renewal window values set within the profile wizard.
For more details, see instructions.
Platform proxy support
On-premises DigiCert ONE customers can now configure their platform with proxy settings to send all outgoing traffic from the Trust Lifecycle Manager application. Both anonymous and authenticated proxy servers are supported. Check documentation for details on how to configure your DigiCert ONE cluster.
AWS Private CA management
This release introduces AWS Private CA as a supported CA to issue and manage certificates using the following enrollment methods:
ACME
Agent
Sensor
A new AWS Private CA connector is available to be configured with the user's AWS account. A new AWS CA Private Server Certificate can be configured to issue certificates from one of the AWS private CA roots.
Option to connect to CertCentral Europe
Added ability for users to choose between US and EU CertCentral environments when configuring CertCentral connector.
Synchronize revocation status for Microsoft CA
Added the ability to synchronize revocation status for certificates revoked directly from Microsoft CA outside of Trust Lifecycle Manager.
New enrollment method column
A new column Enrollment method
is added to all certificate views as an additional column.
New REST API enrollment method for CertCentral profiles
A new REST API method is available in CertCentral profiles to use with the /mpki/api/v1/certificate API endpoint.
Enhancements
Bulk management of imported seat types
Extended the management of seats in bulk via the upload of a CSV file, supporting bulk update and deletion of Import seat types.
Extensive Health Check enhancements
Enhancements to the Extensive Health Check API endpoint (GET {{host}}/mpki/api/v1/health/extensive
) to report back on the status of more services and all scheduled jobs for the Trust Lifecycle Manager application.
Consolidate sensor connections and connectors
With this release, we are consolidating sensor connections and connectors in Trust Lifecycle Manager.
All existing sensor connections will show in connectors list page (ensure you have the connectors feature turned on for your account). New connections can be added using the Add Connector
flow. All existing references to "sensor connections" will be updated to "connectors" in dashboard, notifications, lifecycle workflow, etc.
Updates to Linux sensor installation flow
Linux sensor installation will now not default to CertCentral but instead prompt the user to check if it should be provisioned to Trust Lifecycle Manager.
Fixes
Support local hostnames for Win-ACME
Users can now use local names and IP addresses with ACME clients and agents when supported by the client.
Known issues
Proxy issues for some CertCentral flows
Discovery and synchronization actions using CertCentral accounts do not go through the proxy right now, although certificate issuance does.
June 28, 2023
DigiCert® ONE version: 1.5428.8 | Trust Lifecycle Manager: 1.1759.0
Enhancements
Performance enhancements
Improved performance on audit logs page:
Improved speed by limiting audit events in search results to 1,000 (same as the Certificates page).
Removed display of total number of matched audit log records. This feature will be reintroduced in a future release as an asynchronous internal request.
Improved initial page loading.
Improved speed of traversing through audit log results using pagination.
Limited the Resource name filter to searches using the prefix or exact value.
UI support for single hosts in DNS server field
Added support for single-host values for the DNS server field (e.g. localhost, my-server
) in public-facing and admin enrollment pages.
Fixes
Remove dependency for 'CA manager private server certificate' profile
This fix removes dependency of "CA manager private server certificate" on CertCentral connector, allowing users to use this profile even if CertCentral connector is not present.
Known issues
Audit log performance
Slow audit logs when filtering via Seat ID or Seat GUID for accounts with a very large number of audit log records.
June 21, 2023
DigiCert® ONE version: 1.5428.7 | Trust Lifecycle Manager: 1.1732.0
New
Custom enrollments report
The custom report generation feature has been extended to support the generation of CSV custom reports from the Enrollments page.
Account owners with appropriate reporting permission can create up to 10 Enrollment CSV-based reports to be generated offline/asynchronously and be available for 30 days after creation.
Users can select the Create custom report button, available on the Enrollments page under the Create report icon above the table. The reporting wizard appears to guide you through report creation.
When a report is ready, the user who created it will receive an email.
All created/custom reports are available from the new Report library page inside the Report & Auditing menu option, where you can:
View the status of reports.
Download completed reports.
Re-run a saved report against the latest available data. The new report will be available for another 30 days.
For more details visit Report library (advanced custom reporting).
Support for Edwards ‘hashedEd25519’ curves
For the three Generic templates (User/Device/Server), you now have the ability to select Edwards hashedEd25519 curves (key types) for enrollment methods that support such key type:
CSR
REST API
Certificate management seat type creation
The seat creation page and API now allow for the creation of “Certificate management” seats individually or in bulk, via the upload of a CSV file. Note that you must have the automation feature enabled on your account.
Intune API migration
Migrated the deprecated Intune Azure AD Graph API to use the supported Microsoft Graph API.
Enhancements
Performance enhancements
Enhancements to the Certificate List page to improve the performance of initial page loading, as well as the searching/filtering responses for the various filters on the table. In order to achieve the performance improvements, we will:
Return up to 1,000 records for any search criteria selected on the page.
Remove the capability to perform partial searches for Common name and Seat ID. From this release, only ‘prefix searching' or ‘exact value searching’ will be supported for these table filters.
Certificate search API enhancement
Enhanced the certificate-search
API endpoint to support an extra query parameter called enrollment_id
, which allows a certificate to be retrieved based on its unique Enrollment ID.
The format of the certificate will depend on the Certificate Delivery format the profile is configured with. Also, the enrollment_id value is returned from the manual-enrollment API response, against profiles configured with the “Manual approval” authentication method.
Fixes
Business unit filter
Fixed an issue where the business unit filter was not working for the unassigned filter value
Add/edit certificates
Fixed an issue where add/edit tags for certificates were not working in All certificate and managed automation views.
1-year configuration
Fixed an issue where certificate renewals failed when configuring a profile with 1 year instead of 365 days.
Email templates
Fixed an issue where he subject title for custom email templates under the “Email and notifications” configuration section in the profile wizard is not showing the dynamic email template variables.
June 14, 2023
DigiCert® ONE version: 1.5428.5 | Trust Lifecycle Manager: 1.1703.0
Fixes
IIS automation failing
Fixed issue causing IIS automation to fail.
Sensor downgrade issue
Fixed issue causing a new installation of Sensor v3.8.59 to downgrade current installation and corrupt additional Sensor installation attempts.
June 8, 2023
DigiCert® ONE version: 1.5428.2 | Trust Lifecycle Manager: 1.1672.0
Fixes
Enrollment approval failure
Fixed an issue causing enrollment approval to fail when a profile was configured with the manual approval authentication method and fixed fields set in the Subject DN field.
June 7, 2023
DigiCert® ONE version: 1.5428.1 | Trust Lifecycle Manager: 1.1668.0
New
DigiCert Trust Assistant v1.1.1
DigiCert® Software KeyStore now supports macOS using the CryptoTokenKit framework.
Support for renewal of certificates managed by DTA, stored on the operating system, DigiCert Software KeyStore, or hardware tokens, via a proof-of-possession of the private key flow where a renewal request is digitally signed by the to-be-expired private key and validated before issuing the renewed certificate.
For macOS, removed default YubiKey attestation certificate from the list of certificates being displayed by the client for YubiKey tokens. (This was supported for Windows in the previous release.)
DigiCert Trust Assistant - licensing
The DigiCert Trust Assistant license file has been removed from within the application and added to the overall platform license. No changes for DigiCert-hosted platforms.
注意
This is especially important for customers running the DigiCert ONE platform on their premise. Starting this release, if you require access to the DigiCert Trust Assistant client, contact your DigiCert representative and ask them to update your platform license. The updated license whitelists your platform domains so DigiCert Trust Assistant can use it.
Enhancements
Dual recovery and comments
Now for private and public S/MIME profiles configured with the dual-admin approval flow, the second admin approver has the ability to cancel the recovery process.
Any recovery approval or rejection action (via the UI or API) can now include an internal comment with an internal note when approving or canceling the recovery operation.
Audit log event filtering by resource name
New column Resource name added to the Audit log table, allowing you to filter or search for its contents inlog events.
New action for custom reports
New View audit event action is available from within the Report library and Report details pages, allowing users to directly visit the Audit logs page and view the events associated with the selected report.
Added columns on Certificates list
Added 2 columns for certificate views, SANs and Thumbprint, on the Certificates list page. New columns can be added to all certificate views (except unsecured views).
User instructions
Added support for the upload of custom/user instructions for profiles configured with the “SAML IdP” authentication method and the “Enforce manual approval” option enabled.
Now show the user instructions on the last Certificate installed page, not on the previous Install certificate page.
Performance improvements
Improved response time for certificate revocation via the Certificate List page and REST API.
Faster certificate issuance times for all flows (e.g., CSR, Browser PKCS12, and REST API).
Retrieval time for certificates listed within the Certificate List page reduced.
Japanese installation instructions page changes
Updates to the Japanese certificate installation instructions web page to make them more accurate and user-friendly.
Remove duplicate bulk actions on Enrollments page
Removed the bulk actions and associated button on the Manage > Enrollments page. To use the inline bulk actions functionality, select more than one enrollment on the table.
Custom report create page enhancements
Renamed Automation details title to Server management details.
Moved the Tags field from the Server management details section to the Other details section.
Added support for new “Server management” field named SANs (also available within the Certificates page).
Multiple httpd configuration file support
Added support for multiple Apache httpd configuration files configured via different process on the same server.
Sensor installation updates
Windows sensor users can choose to automatically provision a sensor to Trust Lifecycle Manger after installation. Users can choose if they want the sensor to be provisioned to Trust Lifecycle Manager and can provide the
license.properties
file to finish provisioning.
Renamed Citrix Netscaler
Renamed Citrix Netscaler to Citrix ADC.
Fixes
Duplicate certificate issue
Fixed not being able to issue duplicate certificates for profiles configured with the “Microsoft autoenrollment” enrollment method and the "Allow duplicate certificates" option when using fixed Subject DN fields in the profile.
Business Unit seat consumption and allocation
Fixed how Business Unit seat consumption and allocation is calculated.
Enrollments linked to invalid email
Enrollment errors due to not being able to send an email (e.g., invalid email or SMTP server issues) can be rejected by an authorized administrator.
DCV for OV/EV using TLM ACME Agent
Resolved issue with OV/EV DCV failure for agent flows.
May 24, 2023
DigiCert® version: 1.5118.8 | Trust Lifecycle Manager: 1.1597.0
Enhancements
Windows and Linux sensor auto-upgrade
From this release, Trust Lifecycle Manager will support automatic sensor updates for Windows and Linux sensors.
Users will have the option to set upgrades to manual for one or more sensors. They will be prompted to update whenever an upgrade is available.
Email confirmation template
Introduced a new email confirmation template. This email template can be enabled and customized when configuring a profile with the “Manual approval” authentication method, where users can option all receive an email confirmation after successfully submitting a certificate enrollment request.
Bulk enrollments
Bulk enrollments action for Enrollments page are now inside the table instead of at the bottom of the page.
Log events based on resource type
Dynamically show the correct log events based on the resource type.
Fixes
Unnecessary alert state
Fixed an issue where CertCentral profiles were set to “Action Needed” even though there was no configuration problem.
May 17, 2023
DigiCert® version: 1.5118.6 | Trust Lifecycle Manager: 1.1557.0
New
Seat naming changes
Renamed
Unmanaged
seat type toDiscovery
.Renamed
Automation
seat type toCertificate management
. When deleting aCertificate management
seat, you will have the option to revoke certificates associated with the seat.
Show TLM features in Account Manager
The Account Manager application will expose a set of features for the Trust Lifecycle Manager application and can be enabled/disabled per account, enforced by Trust Lifecycle Manager. This is particularly meant to help DigiCert ONE on-premises customers. Features include:
Enrollment methods: REST API, Browser PKCS12, CSR, SCEP, EST, Microsoft Autoenrollment, ACME/Agent/Sensor (enabled/disabled via the Automation feature)
Custom reports
Reporting (email)
Seat creation logic
Updated seat creation logic for automation methods (ACME, sensor, agent) to create seats per website (i.e., combination of unique CN+IP+Port) for both server and certificate management seats.
Enhancements
YubiKey slot selection in DigiCert Trust Assistant
DigiCert Trust Assistant now supports selecting the YubiKey slot where keys are to be created when configuring a profile with the YubiKey hardware token.
SCEP support for SHA-384
The SCEP GetCACaps response now supports the SHA-384 hashing algorithm. Use this URL to check the response: https://one.digicert.com/mpki/api/v1/scep/cgi-bin/pkiclient.exe?operation=GetCACaps
REST API update
New REST API PUT status endpoint to change the status of enrollment requests from pending
to either approve
or reject
, for enrollments linked to profiles configured with the "Manual approval" authentication flow. See Trust Lifecycle Manager REST API reference.
Connectors support
Connectors are now a separate feature in Account Manager (separated from automation) and can be enabled or disabled for a given account.
Environment support for agents
Downloaded agents are now preconfigured with the correct environment information (US vs NL, etc.) so that installation can proceed without configuration changes.
Fixes
MSCA issued certificates
Fixed an issue where users were unable to revoke an MSCA issued certificate from the UI.
Sensor version issue
Fixed an issue where sensor versions were not resolving in Windows and Linux sensors.
Sensor update issue
Fixed an issue where users were unable to update the heartbeat of an active sensor if the sensor was not assigned to a business unit.
Refresh configuration
Fixed an issue that was preventing refresh configuration for sensor connections.
May 3, 2023
DigiCert® version: 1.5118.1 | Trust Lifecycle Manager: 1.1518.0
New
Provide customizable user instructions for download
For profiles configured with the Manual approval authentication method, you can upload a file with specific instructions that a user can follow when installing a certificate. Examples are: configuring a WiFi or VPN client, configuring Outlook, or accessing a certificate-protected web resource.
Supported file formats: .txt, .ppt, .pptx, .doc, .docx, .pdf
Supported maximum file size: 10 MB
Users can download the file from the certificate confirmation and installation web pages.
Added connector column to certificate view
Added a column to certificate views to filter data by connector name.
Enhancements
Additional fields and enhancements for custom certificate reports
Split the first section of fields (certificate, automation, and other fields) into three sections:
Automation details
Profile details
Other details
Support for new fields to be added as part of the custom certificate report wizard:
Requestor email
Trust type
Seat ID mapping
注意
As mentioned in a previous release note, we removed the Certificate report link in the Reporting and auditing menu. We now support a more powerful reporting solution when creating offline custom reports from the certificates page.
Seat email address for server and device seats
Support for an optional seat email address when creating or editing server or device seats via the UI interface.
Chunking for large uploads
For large data coming in from Microsoft CA and other plugins, the sensor now supports breaking the upload into smaller chunks so that it can be uploaded via customer proxies. You can configure the chunk size on the sensor.
New Sensor version 3.8.57 released with multiple enhancements and fixes:
Microsoft CA and Qualys connector support on Windows and Linux sensors.
Update for chunking logic (all sensor types).
注意
Docker sensors need to be updated to the latest version for Microsoft CA and Qualys integrations to continue working.
Support for 1-day certificates for CA Manager Private Server Certificate profile templates
Users now have the option to choose 1-day validity for certificates issued from CA Manager for the following enrollment methods:
Agent
Sensor
ACME
Updates to certificate view column selector
The column selector on certificate views now shows available options in one or more columns to improve usability.
Fixes
Reintroduced Source column in certificate views
Fixed performance issues with the Source column. This column is now reintroduced to all certificate views.
April 19, 2023
DigiCert® version: 1.4957.3 | Trust Lifecycle Manager: 1.1487.0
New
DigiCert Trust Assistant support for new Software KeyStore (Windows only)
Added support for a new token type, DigiCert Software KeyStore, when configuring a profile with the DigiCert Trust Assistant enrollment method. This allows keys and certificates to be protected on the user’s machine within a proprietary software keystore with a user personal identification number (PIN).
A user must initialize DigiCert Software KeyStore after installing the DigiCert Key Store Provider (KSP) using elevated user permissions, e.g. local administrator Windows account.
注意
This new feature is only available for the Windows version of the DigiCert Trust Assistant, for which you need to download/install v1.1.0. (The Mac client continues to run on v1.0.0.) Support for Mac is planned for a future release.
For more details, see the following guides:
Delete business units
Added an action to the business unit (BU) list page that allows a BU to be deleted after all profiles and seats bound to that BU are deleted.
Agent DV automation
Administrators can now automate domain validated (DV) certificate lifecycle operations using the Trust Lifecycle Manager agent.
Enhancements
DigiCert Trust Assistant enhancements
注意
These enhancements are only available for the DigiCert Trust Assistant Windows release. We will update the Mac client in a future release.
Removed the default YubiKey attestation certificate from the list of certificates displayed for YubiKey tokens.
User experience (UX) changes to the import certificate process (e.g. importing a glck or pkcs12 file). Once the password is verified, the “Verify” button will change to “Import.”
UI changes to PIN verification and any errors displayed due to incorrect PINs. The error message is now displayed inline within the same PIN pop-up window, instead of a separate error notification.
Client tools - DigiCert Autoenrollment Server doc update
Replaced a link in the “Overview” section of the Client tools - DigiCert Autoenrollment Server page with a link to DigiCert documentation: https://docs.digicert.com/en/digicert-one/trust-lifecycle-manager/autoenrollment-server.html
Validation enhancements
Profile wizard - certificate policy validation: Added extra validation checks to the profile wizard when adding one or more certificate policy extensions to a profile.
Enrollment pages - dnsName validation: Added inline validation for dnsName values entered by users on the public-facing enrollment page before submitting.
Fixes
Dual admin approvals
Resolved an issue where users were unable to approve certificate requests bound to profiles configured with “Manual approval” authentication method and dual-admin approval flow.
Slow certificate enrollments for data-rich accounts
Resolved an issue with slow certificate enrollments for accounts with large amounts of data, which was caused by a reliant database table being locked for writing.
April 12, 2023
DigiCert® version: 1.4957.2 | Trust Lifecycle Manager: 1.1458.0
New
Agent settings page
This page allows users to set account level options for the following:
Manual vs. automatic agent approval
Blocked ports
Sensor details
Added sensor details page that will allow users to:
View sensor hostname, IP, and version information
Update debug settings
Change proxy port to be used by the agent when using sensor as a proxy
Agent notifications
Added agent lifecycle notifications for:
Agent activated
Agent error
Agent approval pending
Agent approved
Agent rejected
Application detection
With this release, agents have been enhanced to detect the application version during the initial discovery task. This application type and version will automatically be configured in the UI. Users will have an option to change these settings from the agent details page if needed.
Enhancements
Dashboard
Updated integrations graph to show agent status.
Added Agent error alert for automation.
ACME failures audit logs
Some third-party ACME clients have an issue where not all error messages are shown on the client CLI. As a workaround for this limitation, TLM has started logging ACME errors in audit logs.
Known issues
Connectors on Windows and Linux sensors
Connectors are currently not supported on Windows and Linux sensors. To use MS CA and Qualys connectors, use the latest Docker sensor.
April 5, 2023
DigiCert® version: 1.4957.1 | Trust Lifecycle Manager: 1.1432.0
New
Microsoft CA integration for server certificate
Trust Lifecycle Manager now supports issuing certificates from the customer's Microsoft CA.
To enable Microsoft CA support, users must install DigiCert Microsoft CA remoting service and DigiCert Sensor. Once configured, to import and issue certificates in Trust Lifecycle Manager, add one Microsoft CA connection for each internally hosted Microsoft CA.
Added a new Microsoft CA private server certificate profile template to create profiles with these enrollment methods:
Sensor automation
Third-party ACME integrations
Agent automation
Qualys CertView integration
Added support for a new Qualys connector to import certificate data discovered using Qualys scans. Imported data is available on the Trust Lifecycle Manager certificates page in line with data from other sources. This data can be used to manage notification and alerting, automated lifecycle management, and perform other tasks.
Web server automation using agent
Trust Lifecycle Manager now supports automation of the following web servers:
Internet Information Server (IIS)
Apache Tomcat
Apache web server
Nginx web server
IBM HTTP server
Administrators can install an agent on the target server to facilitate automation flows, similar to that for sensors. Existing profiles have been updated to add a new "agent" enrollment method. You can download agents from the TLM resource page. After installation, agents are managed from the new Agent section in Trust Lifecycle Manager.
Advanced reporting for certificates
A new custom report generation feature allows account owners with appropriate reporting permission to create up to 10 reports to be generated offline/asynchronously and be available for 30 days after creation.
Users can select the Create custom report button, available on the Certificates page under the Create report icon above the table. The reporting wizard appears to guide you through report creation.
When a report is generated, an email is sent to the user who created the report.
All created/custom reports are available from the new Report library page inside the Report & Auditing menu option, where you can:
View the status of reports.
Download completed reports.
Re-run a saved report against the latest available data. The new report will be available for another 30 days.
Learn more about custom report generation.
注意
The Certificate report link under the Reporting & auditing menu option will be removed in the next monthly release.
Enhancements
Audit log enhancements
Displays an info banner to the user when more than 5,000 audit events are encountered. The banner shows how many audit log events match the search criteria and advises the user to use filtering options to narrow the search result.
A new audit log resource type, Email, stores audit log events related to email sending operations and will simplify troubleshooting email-related issues.
Number of authentication attempts
Enhanced public-facing pages for enrollments making use of enrollment codes for authentication. These pages now show the number of failed authentication attempts as well as the maximum number of attempts allowed by the profile before locking the enrollment.
Additional certificate status values for automation flows
Added two new options to the certificate status field:
Replaced
represents certificates that are replaced on a server using automation.Replaced External
represents automated certificates that are found to be replaced outside Trust Lifecycle Manager during a discovery task.
New permissions for connector pages
Added separate view, create, and manage permissions for connector pages.
Native Windows and Linux sensors
Trust Lifecycle Manager administrators can now install the DigiCert Sensor on Windows or Linux machines.
Fixes
Missing email templates
Resolved issue with some email templates not being displayed for profiles configured with the SAML IdP authentication method with the Enforce manual approval checkbox enabled.
Incorrect certificate status when suspending imported seat
Resolved issue when uploading certificates from an external system bound to an imported seat type. After suspending the certificate via the UI, the certificate status in Trust Lifecycle Manager was correct (showing a status of Suspended), but the revocation request to CA Manager was not submitted, causing the status to be shown as Valid and validation services not reflecting the correct status.
March 23, 2023
DigiCert® version: 1.4803.6 | Trust Lifecycle Manager: 1.1380.0
Enhancements
Enrollment code enhancements
Added new actions available from the enrollments page, for enrollments linked to a profile configured with an enrollment code authentication method. This allows an authorized administrator to:
Unlock a locked enrollment code via the UI after the maximum number of attempts has been reached.
Reactivate an expired enrollment code.
View an enrollment code and URL for enrollments associated with private CAs. This action is hidden for enrollments associated with public CAs.
Also added a configuration option for profiles configured with the enrollment code authentication method, to set the maximum number of incorrect enrollment code authentication attempts before locking.
Auto-copy a SAN:dnsName field with the SubjectDN:commonName value
For profiles configured from the “Generic Private Server” template, added an Auto-copy from SAN: dnsName
checkbox for the Subject DN - Common Nam
e field. This automatically copies the value into the dnsName field, regardless of whether this field is configured in the profile or not.
If a profile is configured with a dnsName field and a certificate request already contains one or multiple dnsName values, the Common Name value will appear automatically at the top of the list.
March 15, 2023
DigiCert® version: 1.4803.2 | Trust Lifecycle Manager: 1.1356.0
Enhancements
Certificate expiration email template
Customers with unmanaged or imported seat licenses can configure a certificate expiration email to be sent before the uploaded certificate expires. This configuration page is now available under the Settings - Uploaded certificates
expiration menu, and will be visible only when an account has been allocated with Unmanaged and/or Imported seats/licenses.
Additional option for ACME enrollment
For third-party ACME client-based flows, we added a new parameter option for the client to explicitly ask Trust Lifecycle Manager to issue a new certificate from CertCentral irrespective of the status of the previous certificate. This allows users to enforce a re-enrollment in addition to the already available options to renew, reissue, or get a duplicate certificate.
Sample ACME URL: https://one.digicert.com/mpki/api/v1/acme/v2/directory?action=enroll
Fixes
Renewal reminder timeout for unmanaged/imported seats
Resolved an issue with renewal emails not being sent to end users. We have introduced a 30-second timeout period for the hourly job that takes care of sending renewal email reminders, when not receiving a response from the SMTP server responsible for sending the email.
注意
We will not make a second attempt to send the same failed email at the next hourly run. Failed emails could pile up and there would be no room left for new emails to be sent. However, emails will be sent every [90, 60, 30, 15, 10, 7, 5, 3, 2, 1] days depending on profile configuration. Therefore, if an email fails to be sent at 90 days before expiration, the next attempt will be made at 60 days, etc.
Lowercase country values for unmanaged and imported seats
Resolved issue with not being able to upload unmanaged and imported certificates using a two-digit Subject DN country value in lowercase. We now support the upload of country values as case-insensitive values.
March 9, 2023
DigiCert® version: 1.4803.0 | Trust Lifecycle Manager: 1.1349.0
New
New extensions
Support for three new X.509 certificate extensions, which users can configure in the profile wizard:
Subject Alternative Name (SAN) Directory Name extension, supported by the
Generic User Certificate
template.Certificate Policies extension, supported by all the standard templates, with the exception of the Public S/MIME (via PKI Platform 8) and CertCentral templates. You can configure a Certificate Policy extension with just a private OID, or include User Notice and/or CPS URL fields.
Issuer Alternative Name extension, supported by the
Generic User Certificate
template, when configuring a profile with the REST API enrollment method and 3rd party app authentication method.
New manual-enrollment REST API
For profiles configured with the “Manual approval” authentication method, you can use the new manual-enrollment
API endpoint to submit a certificate request via API and drop it into the queues for authorized administrators to review and manually approve it or reject it.
Once a request has been manually approved, the user will receive an email with instructions on how to download the certificate via the currently supported web-based enrollment methods: CSR, Browser PKCS12, and DigiCert Trust Assistant.
提示
Use the existing enrollment-details
API endpoint to retrieve the status of a specific enrollment by submitting the enrollment Id.
SAML single logout
Enables a profile, with the SAML IdP
authentication method, to be configured with a SAML single logout
URL. This allows an end user to click on a Single Logout
link displayed on the public-facing enrollment pages, which forces the logout of all connected SAML sessions on both the Service Provider and the Identity Provider.
Enhancements
DigiCert Trust Assistant for public S/MIME
DigiCert Trust Assistant support for the issuance of public S/MIME certificates (escrowed or non-escrowed, depending on the profile configuration) from PKI Platform 8 accounts, using the following authentication methods:
Manual approval
Enrollment code
SAML IdP
Seat object enhancements
Updated the GET Seat API endpoint to extend the response to include a
seat_creation_date
parameter showing the seat creation date.Updated the Seat List web page to show an optional
Created date
column.
Profile wizard enhancements
Now allows for a maximum custom renewal window of up to 90 days.
Updated the renewal email template to also support sending renewal notifications up to 90 days in advance.
Variables inside the email templates are now alphabetically ordered.
Profile List page enhancement
Added a Seat type filter to the Profile List page to allow profiles to be filtered by a seat type.
Additional options in “Valid to” filter
Enhanced the “Valid to” filter inside the Certificates list page to support three new filters, in addition to searching between a date range:
By days, for example for: certificates expiring in the next 7 days.
From a specific date, for example for: certificates expiring after 1st March 2023.
Until a specific date, for example for: certificates expiring before 15th March 2023.
Enhancements to the Generic Private Server Certificate template
Enabled the Browser PKCS12 enrollment method and associated authentication methods, which are Manual approval, Enrollment code, and SAML IdP.
Fixes
Create custom report button in various places
Resolved a known issue that incorrectly showed the “Create custom report” button on the Certificates, Enrollments, and Seats List pages
Certificate and Seat consumption charts errors
Resolved an issue with Certificate and Seat consumption chart widgets within the Dashboard not displaying the correct data.
Error notifications on Certificates and Enrollment pages
Resolved issues with errors being displayed on the Certificates and Enrollments pages after the Issuing CA had been unassigned from an account. When the issue occurs on the Certificates page, a Not resolved label now appears in the Issuing CA column.
February 15, 2023
New
New organization identifier field
Added new subject DN field, Organization identifier
(OID - 2.5.4.97
), to the Generic User Certificate template.
Fixes
API error in distinguished name parsing
Fixed an error that occurred when using the API to import a certificate.
Instant reporting error
Fixed an error where the instant reporting button failed to download data.
Known issues
Custom report button appears but does not work
On the Certificates page, the "Create report" dropdown menu shows an option to "Create custom report," but nothing happens when this is selected. This feature will be implemented in a future release; the button was displayed erroneously.
February 9, 2023
Enhancements
Translations
Translations added for all languages.
Fixes
Edit connector details page not loading
Fixed an issue where users were not able to see the page for editing connector details.
CA Manager private profile creation with enrollment method as ACME shows blank page
Fixed an issue where users were not able to create a CA Manager profile.
February 8, 2023
New
DigiCert Trust Assistant
Cross-browser and cross-platform client for certificate provisioning and management on software keystores and hardware tokens. This initial release delivers:
Provisioning of RSA and ECDSA certificates to software keystores on Windows and macOS operating systems.
Provisioning of RSA and ECDSA certificates to hardware tokens such as Gemalto and YubiKey—see the Support Matrix page within the Client Tools page for details.
PIN management functionality for hardware tokens.
Generation of CSRs using a private key on a selected keystore or hardware token.
注意
Key size restrictions apply per token vendor.
Import and export of certificates. Supported formats: X509, PKCS#7, PKCS#12 and GLCK (a proprietary format consumed by the legacy PKI Client software used by PKI Platform 8 customers).
Manual and auto-update of the client.
The client is available as a new Enrollment Method for the Generic User Certificate template, and supports the following Authentication methods:
Manual approval
Enrollment code
SAML IdP
Check the Administration and User guides for more information:
DigiCert Trust Assistant User Guide
提示
For new DigiCert ONE on-premises deployments, please contact your DigiCert representative to ensure your platform URLs have been included within the required DigiCert Trust Assistant license file.
Certificate tags
Ability to assign and manage tags for one or more certificates.
Allows users to assign tags of their choice which can later be used to filter data in views.
Available for all certificates issued or discovered by Trust Lifecycle Manager.
New Source column in views
A new source column and filter are added to views. Source is defined by how the certificate was discovered (API Discovery, CA connector etc).
Global Enrollment Code
Ability to configure a SCEP-enabled profile with a global enrollment code that will be used to automatically issue certificates via SCEP to unregistered devices, without the need to previously create a Seat or an Enrollment.
New User ID field and new data type for the UniqueIdentifier field
For the UniqueIdentifier field:
New Subject DN User ID field (
OID - 0.9.2342.19200300.100.1.1
) is supported by the Generic User Certificate templateFor the existing Unique Identifier Subject DN field, the default encoding for the field is BitString. However, from this release onwards, an additional data type (PrintableString) can be selected when configuring this field inside the profile wizard to format the Unique Identifier value in either BitString or PritableString. Supported by the Generic Private Server template.
Enhancements
MariaDB upgrade
The internal MariaDB version was upgraded and qualified to use 10.6.11. This is of particular interest to DigiCert ONE on-premises customers.
Support for IP Address in ACME and Sensor Automation flows
Use IP address in place of domain names for private certificate issuance.
Updated application logo and email templates
Updated the application logo displayed within the administrator pages to not include the word “Manager”.
Updated email templates to be consistent across all application flows, including the same footer making use of the Admin contact detail variables that need to be set in order to be displayed within the email notifications.
Email subject lines displayed within the profile wizard are used as email subject values when sending email notifications.
The “Your certificate is ready” email template supports a new variable called
Cert Common name
. Account administrators can optionally add the new variable to this email template.
Profile wizard enhancements
Added the template use cases and description to the initial page when creating or editing a profile.
Breadcrumb changes
Updated the breadcrumbs for all the pages under the “Manage” menu item to reflect the correct navigational structure. Approval/rejection emails sent to administrators for profiles configured with the “Manual approval” flow now contain a URL with the word “manage” in the patch.
注意
URLs within emails that were already sent redirect to the new URL.
DigiCert Autoenrollment Server enhancements
Updated the DigiCert Autoenrollment Server to version 2.23.1.0 with the below enhancements:
Updated references from Enterprise PKI Manager to Trust Lifecycle Manager.
Partially masked the API KEY value within the Autoenrollment Server logs—only the first four characters are displayed in the log.
Friendly country list
Enhancement to only display the allowed country list with their 2-letter ISO country codes as part of dropdown lists within various application locations:
Admin-based enrollment pages
Profile wizard, when selecting a fixed Country value
Public-facing enrollment pages for end-users to select when enrolling for a certificate
Show "-" if there is no data in the table
For all data tables including certificate views, if there is no data for a given row, a hyphen is shown to represent “no data”.
Add validation in create automation flows for wildcard and SAN usecases
Add validation based on CertCentral product settings for wildcard products and products when they support SANs.
Sensor v3.8.54 release
The sensor copyright version changed to 2023.
Fixes
Auto-refresh for views
Removed auto-refresh for all views except Managed Automation view. Streamlined refresh to be inline for the grid alone instead of refreshing the whole page. Auto-refresh preserves user state and ongoing actions.
Fix Dashboard drill down links for certificate lifecycle pages
Fixed deep links from the dashboard graphs to sensor, sensor connections, managed automation, and other pages to filter and align to the data shown in the graphs.
Intune Device template
Resolved a miss-configuration issue with the Device Authentication for Microsoft Intune (SCEP)
template auto-copying the Common Name value to the DNS Server field and causing errors with CA Manager.
DigiCert Autoenrollment Server
Resolved a connection issue against the Hello API endpoint that was introduced after last month's rebranding.
Revocation of imported certificates
Resolved issue with not being able to revoke certificates associated with the Imported seat type, which were uploaded to an account via their certificate-import API endpoint.
Known issues
DigiCert Trust Assistant—ECDSA p-521 error
Key pair generations using ECDSA NIST p-521 curves on Windows and macOS keystores fail with a csr_signature_failed
error. Smaller curve sizes work successfully (p-256 and p-384).
January 11, 2023
New
Application rebranding
Updated all references to Enterprise PKI Manager to reflect the product’s new name: Trust Lifecycle Manager.
Rebranded the Enterprise PKI Manager application to Trust Lifecycle Manager. Assets that have been rebranded include:
Product/administration portals
DigiCert documentation and API websites
Email templates
Knowledgebase articles
Additionally, the “EPKI” certificate view has been removed from the default system views. Customers can make use of the “All Certificate” system view to filter the same certificate data and create their own custom views.
Issuance of Public S/MIME certificates via DigiCert PKI Platform 8
The new Public S/MIME Secure Email (via PKI Platform 8) certificate profile template leverages DigiCert PKI Platform 8 to issue public S/MIME RSA email signing and encryption certificates linked to a user seat.
Certificate requests can be enrolled and authenticated by these methods:
Enrollment method | Authentication method |
---|---|
|
|
|
|
To learn more about this feature, see Public S/MIME Secure Email (via PKI Platform 8) template.
注意
Existing PKI Platform 8 customers can simply share the API key with their DigiCert ONE Trust Lifecycle Manager account, where a new profile will be created to issue the Public S/MIME certificates. A matching profile will be automatically created within the PKI Platform 8 account.
Certificate lifecycle operations for Public S/MIME certificates issued via a DigiCert ONE Trust Lifecycle Manager account must be carried out within that account.
Managed automation - sensor DV
Issue DV certificates on sensor connections managed using certificate lifecycle automation. Create DNS integrations that allow sensors to fulfill DCV challenges to issue DV certificates to appliances and cloud providers.
Bulk actions on certificate lifecycle
In case of compromise or account consolidation, select more than one certificate to renew or reissue certificates in bulk.
Admin can select more than one certificate from Certificate section and trigger automation.
Admin can use APIs to bulk reissue certificates.
CertCentral Connector
With this release we are introducing the TLM connectors framework. This framework will help drive integrations in the future.
A new CertCentral connector is being added to:
Issue private and public certificates. (Existing functionality will now use the connector instead of the CertCentral linking page.)
Discover certificates. We can now pull certificate data from linked CertCentral account into TLM.
Users can define what data should be imported (valid certificates, certificates expired in last x days, revoked certificates).
This data can be assigned to a BU at import and also tagged with user defined labels. these labels will be available for search in the certificate views in a future release.
With introduction of connectors the “Link to CertCentral” feature is rolled into the CertCentral Connector.
注意
The “Link to CertCentral” page is no longer available.
Domain control validation for OV/EV using ACME
Customers can now perform domain control validation (DCV) for pre-validated OV/EV organization Public TLS certificates from CertCentral using ACME.
With this release, clients can demonstrate domain control using either DNS (ACME DNS.01) or HTTP (ACME HTTP.01) methods for their OV/EV requests. This option is only available when other organization and extended validations are already completed.
Enhancements
ACME - Skip validation for prevalidated domains
TLM ACME server is no longer creating challenge requests for prevalidated domains during ACME flows.
This will simplify client-side workflows where a dummy validation needs to be hosted by the client. This in turn means that:
Cert-manager: client can bypass challenge creation and validation step.
Certbot: hosting of dummy challenge on port 80 (with requirement that port 80 not be used by any other service) is no longer needed.
CA Manager - Private certificate automation on appliances
Most appliances such as F5 and Citrix ADC require that an organization be specified when creating a CSR during automation. CA Manager - Private Server has been enhanced to accept an organization that can be used for such automation workflows.
Patch
Automation certificate profiles
Fixed an issue with the creation of automation certificate profiles.