Major Release 10.0 Notes

September 2022

We’re thrilled to announce Keyfactor Command 10.0, which includes some major new features and updates to improve the user experience, enhance automation, and provide native integration with EJBCA.

Important:  The MicrosoftECCurveUpgradeModule may fail due to a pre-v10 issue in which Certificate Request Contents were truncated to 4k characters when saved to the database. If your upgrade fails when the MicrosoftECCurveUpgradeModule is run contact Keyfactor Support to obtain assistance with the scripts that will have to be run to fix this issue.
Tip:  We encourage customers to contact their customer success manager to discuss the new features and functionality in Keyfactor Command 10, and to schedule an upgrade. Please refer to the Keyfactor Command Upgrading for important information about the upgrade process.
Workflow Builder

Workflows in Keyfactor Command allow for automation and governance of certificate enrollmentClosed Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). and revocation. The workflowClosed A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. builder makes it easy to define workflows within the Keyfactor Command Management Portal to automate event-driven tasks when a certificate is requested (including renewals) or revoked. The workflows can be built with multiple steps between the start and end of the operation that offer a simple way to send notifications, submit approvals, and configure end-to-end automation throughout the environment. This provides for operational agility in an intuitive and easy-to-user tool. Supported built-in steps that can be used in the workflow builder include one or more approval steps supporting one or more approvers, calls to REST APIs, calls to PowerShell, sending emails, and updating enrollment requests with changes to the submitted subject or SANs, if needed. Custom steps can also be built to address specific needs. The workflow builder provides an easy-to-use experience to create rich workflows with multiple steps.

EJBCA Integration with Keyfactor Command

EJBCA is a robust and highly scalable certificate authorityClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA.. Keyfactor Command now natively integrates with EJBCA version 7.8.1 or higher without the need for a gateway, providing a simpler architecture. The Certificate Authorities area of Keyfactor Command now allows an administrator to enter connection information to an EJBCA CAClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. to manage certificates and support enrollment. With native EJBCA integration, Keyfactor Command offers an alternative to Microsoft CAs. EJBCA is a much more scalable CA with options for multiple CAs on a single server and high availability configuration options that the Microsoft CA lacks. It can also handle a much larger number of certificates than the Microsoft CA.

CA Gateway 22.1 required for Keyfactor Command v10

Upgrade to AnyGatewayClosed The Keyfactor AnyGateway is a generic third party CA gateway framework that allows existing CA gateways and custom CA connections to share the same overall product framework. 22.1 if using gateways on Keyfactor Command v10.

Expanded Template Functionality

  • During the upgrade process Keyfactor Command prevents duplicate template records from being inserted into the database. Duplicate templates could be found if there are templates in different forests with the same name. If you receive an error message during upgrade, contact Keyfactor Support. We will be able to support you through the process of resolving the issue and completing the upgrade. See the Keyfactor Command Upgrading for more information.

Keyfactor API Endpoints

The Keyfactor APIClosed An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. now has endpoints for most of the functionality found in the product. See the API Endpoint Change Log for information on new and updated API endpoints.

Changes & Improvements

  • CARecordID Replaces CARequestID

    The field CARecordID has been added and the field CARequestID has been removed.

  • Forest has been Renamed Configuration Tenant

  • Certificate Requests

    • The Certificate Requests page is now sorted in descending order by submission date by default. This has been done to cause the more recent requests to appear at the top of the page.
    • The Certificate Requests page is now separated into tabs for pending, external validation, and denied/failed certificate requests.
    • The Denied/Failed tab on the Certificate Requests page now includes only certificate requests denied through Keyfactor Command (see Viewing Certificate Requests in the Keyfactor Command Reference Guide).
    • The Revoked view filter has been removed from the Certificate Requests page since the expectation is that Keyfactor Command workflows will be used for enrollments and the history can be viewed as part of that (see Workflow Instances in the Keyfactor Command Reference Guide).

  • Alerts

    • When an alert is copied, “ - Copy” is appended to the display name to prevent alert display names being duplicated.

    • To aid in clarity, changed the wording on templates when configuring alerts from None to All Templates.

  • SMTP Application Settings

    When making changes to the SMTPClosed Short for simple mail transfer protocol, SMTP is a protocol for sending email messages between servers. configuration, the test email can be sent without saving the configuration changes.

  • Certificate Authorities

    • Added an option to delegate enrollment requests to the Authorization Methods tab. This is in addition to the option to delegate management functions. This allows Keyfactor Command to delegate the authenticated user's credentials to the CA during enrollment to provide end-to-end authentication without unpacking the credentials at the Keyfactor Command layer. If this is not enabled the Restrict Allowed Requesters setting will be used instead. Please see the Certificate Authorities in the Keyfactor Command Reference Guide for more information.
    • When configuring a new certificate authority in the Management Portal, there is now an option to test the connection to the CA before saving the configuration, and CAs will be tested and must be verified and valid to be saved.
    • Updated the CA synchronization so that it logs a message if it could not chain a certificate up to a CA in the system instead of throwing an error.
    • Added a new application setting, CA Sync Consecutive Error Limit, which controls the number of times an error can occur before the synchronization job is abandoned.
    • There is no longer the need to register offline CAs, as the root/policy CA certificates can be imported from the issuing CA sync without them. Additionally, the new CA validation makes it impossible to save offline CAs.

  • Certificate Stores

  • Dashboard and Reporting

    • The Risk header can now be hidden via security role permissions.
    • Some cosmetic updates have been made to the Risk header.
    • The Collections Dashboard widget is limited to only displaying the first 25 collections configured to be on the dashboard. It sorts the list alphabetically.
    • The stale date is visible in the CRLClosed A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted. Monitoring Dashboard widget as a new column and is called Next Publish by Date. The stale date should not be used for calculating the status of the CRL. A stale CRL is a valid state and not something that needs to be warned on. If a CRL is stale, the system will check how far it is from expiration and if it is within the warning period it will have a status of Warning, or Valid if outside the warning period.
    • Keyfactor Command v10 ships with a newer version of Logi Analytics (v14) which drives the Reports and Dashboards. This version provides a number of improvements and fixes some security vulnerabilities.
    • CRL dates are always shown in UTC on the Revocation Monitoring Dashboard.
    • A new report—SSHClosed The SSH (secure shell) protocol provides for secure connections between computers. It provides several options for authentication, including public key, and protects the communications with strong encryption. Key Usage—shows a table which displays a list of SSH keys that have not been used to log on in the given minimum number of days.
    • The Risk header on the dashboard has been updated to avoid awkward text formatting and scrolling when resizing the page.
    • The Risk header titles have been updated for consistency and clarity. Titles referring to expiring certificates are now all in the “Expiring” tense and consistent with each other. Weak Keys has been renamed to Certs with Weak Keys.
    • The Certificate Count by Template report has been updated so that it takes the same parameters as the Certificate Count per User by Template report for consistency. This included changing the Evaluation Date to Start Date and adding an End Date field.
    • All reports have been updated to reference UTC time to avoid confusion about which time zone is being applied.

    • The PKI Status for Collection report has been updated to provide clarity on the meaning of Total Active Certificates.

  • Agent, Orchestrators, and Orchestrator Management

    • The OrchestratorClosed Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. Details dialog has been updated to show more information about the orchestrator:
      • Legacy Thumbprint
      • Current Thumbprint
      • Last Thumbprint Used
      • Last Register Status
      • Certificate Rotation Status
    • The Job History now shows the time the job completed.
    • The default value for the Registration Handler Timeout (seconds) application setting has been extended to 90 seconds for new implementations only. Keyfactor recommends any existing customers using or planning to use custom registration handlers consider extending this timeout to at least 60 seconds.

    • SSLClosed TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. scan job parts are now grabbed more deterministically to help keep the job assignments more predictable. For more information, see SSL Network Operations in the Keyfactor Command Reference Guide.

    • The SSL Scan Now option now allows you to select whether to start a discovery job, a monitoring job, or both (see Initiating a Manual Scan in the Keyfactor Command Reference Guide).

    • The Keyfactor Universal Orchestrator now does CRL checking when contacting Keyfactor Command over an encrypted channel (when you configure the orchestrator with a URL referencing https) both when certificate authentication is used and when basic authentication is used. Previously this was only done when certificate authentication was used. If you attempt to connect your orchestrator using SSL and do not have a valid CRL available to the orchestrator, you will get an error message similar to the following:

      The remote certificate is invalid because of errors in the certificate chain: RevocationStatusUnknown, OfflineRevocation

      For troubleshooting information, see Troubleshooting in the Keyfactor Orchestrators Installation and Configuration Guide.

  • Reenrollment

    A certificate authority and template can now be specified when scheduling a reenrollment job.

  • Certificate Metadata

  • Security Identities and Roles

    • A search bar has been added to search for the collections and containers in the security roles dialog.
    • Improvements were made to performance when loading a large number of security roles in the portal.

    • When copying a security role, a new disclaimer will appear to advise the user that copying a security role will also assign the new role to all the same security identities as the target role.

    • The security roles dialog has been updated to be a tabbed dialog box.

  • UI Changes

    • Some edit dialogs have been changed to use sliding panels to accommodate two different views within the same page rather than pop up windows.
    • Added scroll bars to the certificate details pop ups.
    • Added the ability to copy data from grid information (e.g. SSL location information when expanding the certificate locations). Information in a grid field can be copied to the clipboard by highlighting text in a grid field and clicking Ctrl+C.
    • Performance improvements have been made in loading large data sets in the Management Portal results grids.

  • System Alerts

    The alerts that are displayed in the UI for notification of things like failed orchestrator jobs have been renamed System Alerts for clarity.

  • Logging

    • The Keyfactor API and Orchestrator API logs on the Keyfactor Command server and the log for the Keyfactor Universal Orchestrator include a correlation ID that helps to identify log messages that originated from the same request. The correlation ID is a randomly generated GUID that often appears just after the date in the log entry and is the same for all log messages for the given request until the request completes.

    • Lowered the logging level for the user's authentication from Info to Trace to avoid cluttering log files.

  • Mac Auto-Enrollment

    The Mac auto-enrollment process now identifies all the CAs that have the auto-enrollment template(s) available for enrollment and makes a determination as to whether the enrolling user has permissions to enroll on a CA and whether that CA is online before submitting a request to the CA. Previously, a CA was selected randomly among the CAs that had the template(s) available without regard to the user's permissions on the CA or the availability of the CA.

  • Auditing

    Orchestrator reset, approval, disapproval will now properly audit under the new Orchestrator category and their respective operation.

  • Custom Registration Handlers

    A custom registration handler can now be designed to enroll against a specific certificate authority and template combination. The registration handler chooses which combination to use. If no combination is requested by the registration handler, then the certificate authority and template from the application settings are used. For more information, see Register a Client Certificate Renewal Extension in the Keyfactor Orchestrators Installation and Configuration Guide.

  • Application-Level Encryption Certificate Thumbprint

    The reference thumbprint for the application-level encryption certificate, if configured, is now stored in the registry on the Keyfactor Command server(s) instead of the SQL database to provide a further level of separation from SQL.

Fixes
  • Keyfactor Command
    • Revocation Monitoring Dashboard panel no longer stalls as perpetually “Loading” for OCSP endpoints.
    • Certificate subjects for PFX enrollment via the legacy API have been fixed so they can be formatted according to the API.CertEnroll.Pkcs12CertificateSubjectFormat app setting.
    • Fixed an issue when parsing the CSR so that CSRs containing IP or Email SANs no longer cause excess warnings in CA syncs, and IP and Email SANs show up in the pending request details.
    • Fixed an issue where synching external certificates would cause an “object reference not set to an instance of an object” error.
    • Fixed an issue with revocation monitoring alerts reporting time in the local time zone instead of UTC. Emails now have the time in UTC. The time is explicitly labeled UTC.
    • Fixed an issue where special characters like apostrophes would appear HTML-encoded in the collection name.
    • Fixed an issue in certificate enrollment where SANs for IPv4 and IPv6 addresses were not being validated properly.
    • Fixed an issue where an untrusted certificate chain would prevent the certificate details dialog from opening. An error will still occur if a certificate chain is attempted to be downloaded and the chain build fails, but will not prevent the dialog from opening.
    • Fixed an issue where the Identity Audit table wasn't populating from the Certificate Search page.
    • Fixed an issue where unscheduling an orchestrator management job failed to cancel the previously staged job.
    • Fixed an issue in enrollment where the subject incorrectly added an extra quotation mark when the subject format default was set in certain ways.
    • Fixed an issue where SQL would timeout when deleting over 1,000 certificates from the Keyfactor Command Management Portal.
    • Fixed an issue where the gateway configured to run as a domain service account and running on the same server as Keyfactor Command caused RPCClosed Remote procedure call (RPC) allows one program to call a function from a program located on another computer on a network without specifying network details. In the context of Keyfactor Command, RPC errors often indicate Kerberos authentication or delegation issues. errors.
    • Fixed an issue where the gateway configured to run as a domain service account caused RPC errors.
    • Lowered the logging level for the user's authentication from Info to Trace to avoid cluttering log files.
    • Fixed an issue where PEM files with headers could not convert to DERClosed A DER format certificate file is a DER-encoded binary certificate. It contains a single certificate and does not support storage of private keys. It sometimes has an extension of .der but is often seen with .cer or .crt. with BouncyCastle 1.9.0 and Keyfactor.PKIClosed A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption..dll v4.x.
    • Fixed an issue for certificate store types with the Advanced>Supports Custom Alias setting set to Forbidden, so that the custom alias should only show on the Add to Certificate Store page when the Overwrite checkbox is checked.
    • Fixed an issue where using Delete All on the Certificate Search page would not delete revoked and expired certificates.
    • Fixed an issue in the Issued Certificates Per Certificate Authority report that was caused by having templates with the same name in separate forests.
    • Fixed an issue with certificate store inventories where a certificate store that had completed an inventory scheduled for an interval would fail if it then was scheduled to run immediately.
  • Keyfactor Agents and Orchestrators
    • Fixed an issue so that CRLs are now checked regardless of the authentication method being used by the orchestrator.
    • Fixed an issue where permissions were not being set correctly on the appsettings.json and orchestratorsettings.json file that prevented the files being read or updated if the service was running as the Network Service.
    • Fixed an issue where a misconfigured orchestrator using certificate authentication would renew certificate multiple times.
    • Fixed an issue where an orchestrator's registration session was still allowed even when denied by a registration handler and added an auditing event for the orchestrator session registration.
Deprecation
Future Changes

  • Intune Portal/SCEP Change-over

    Intune portal change-over will be required for SCEP when the old APIs are shut off by Microsoft's deprecation of ADAL at the end of the year.

  • When editing a template, changes will be lost without warning if the Save button isn’t clicked before navigating away. This is slated to be fixed in a future release.
  • When editing a template, the checkboxes for the Metadata, Enrollment RegExes, and Enrollment Defaults tabs do not allow for multi-edit. This will be fixed in a future release.
  • When copying a security role, the identities associated with the security role will also be copied.
  • The Condition Variable field in a step of the workflow builder accepts input values that are not valid. Only true, false and variables that will evaluate to true or false are supported.

  • For most certificate stores, the Client Machine is the machine where the store is located, and the Orchestrator drop-down selects the orchestrator/agent. However, for the Java KeystoreClosed A Java KeyStore (JKS) is a file containing security certificates with matching private keys. They are often used by Java-based applications for authentication and encryption., the Client Machine field is actually the agent and there is no orchestrator dropdown. This will be made more clear in a future release.

  • When creating a new certificate store type, the Depends On Other option may not be available when creating the parameterClosed A parameter or argument is a value that is passed into a function in an application.. The workaround is to save the certificate store type and then use edit to update the parameter.

  • Using the browser back button after generating a report creates a nested instance of Keyfactor Command in Firefox.

  • Occasionally, removing a widget from the Dashboard causes the dashboard to hang. Refreshing the browser should resolve this issue.

  • The -ne operator in certificate search does not return NULL results for Boolean metadata fields. For a metadata field such as Unit use an advanced search such as Unit -ne “false” OR Unit eq NULL to get the desired results.

  • The Certificate Count Grouped by Single Metadata Field report falsely reports no results if using the default metadata value. This will be fixed in a future release.

  • The PKI Status for Collection report click-throughs do not retain the Include Unknown certificates option when clicking through to the certificate search results page. This will be fixed in a future release.

  • SMTP Sender information isn't correctly saved by the Configuration Wizard. This will be fixed in a future release. It is recommended to check the SMTP Configuration page upon upgrade.

  • Alert tests do not show certificate information if there is no recipient configured to receive an email even if Send Alerts is not selected. This will be fixed in a future release. The workaround is to add an email recipient when running the tests.

  • Adding multiple enrollment fields at the same time is only saving the last field entered. This will be fixed in a future release. Workaround is to add and save each enrollment field one at a time.

  • The Certificates in Collection report falsely reports ECCClosed Elliptical curve cryptography (ECC) is a public key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographic keys. ECC generates keys through the properties of the elliptic curve equation instead of the traditional method of generation as the product of very large prime numbers. certificates with a certificate state of Denied rather than Active, revoked certificates with a certificate state of Active rather than Revoked, and shows a incorrectly shows a revocation reason of Unspecified for certificates with an Active certificate state. This will be fixed in a future release.

Please review the information in the API Change Log for this release carefully if you have implemented any integration using these endpoints:

Table 91: API Change Log

Endpoint Methods Action Notes
/Agents/ {id} GET Add  
/Agents/ Reset POST Add  
/Agent Blueprint GET Add  
/Agent Blueprint/ {id} GET, DELETE Add  
/Agent Blueprint/ {id}/ Jobs GET Add  
/Agent Blueprint/ {id}/ Stores GET Add  
/Agent BluePrint/ ApplyBlueprint POST Add  
/Agent BluePrint/ Generate BluePrint POST Add  
/Alerts/ Denied GET, PUT, POST Add  
/Alerts/ Denied/ {id} GET, DELETE Add  
/Alerts/ Expiration GET, PUT, POST Add  
/Alerts/ Expiration/ {id} GET, DELETE Add  
/Alerts/ Expiration/ Schedule GET, PUT Add  
/Alerts/ Expiration/ Test POST Add  
/Alerts/ Expiration/ TestAll POST Add  
/Alerts/ IssuedAlerts GET, PUT, POST Add  
/Alerts/ IssuedAlerts/ {id} GET, DELETE Add  
/Alerts/ Issued/ Schedule GET, PUT Add  
/Alerts/ KeyRotation GET, PUT, POST Add  
/Alerts/ KeyRotation/ {id} GET, DELETE Add  
/Alerts/ KeyRotation/ Schedule GET, PUT Add  
/Alerts/ KeyRotation/ Test POST Add  
/Alerts/ KeyRotation/ TestAll POST Add  
/Alerts/ Pending GET, PUT, POST Add  
/Alerts/ Pending/ {id} GET, DELETE Add  
/Alerts/ Pending/ Schedule GET, PUT Add  
/Alerts/ Pending/Test POST Add  
/Alerts/ Pending/ Test/ {id} POST Add  
/Certificate Authorities GET Update Schedules are now included in the results.
/Certificate Authorities POST Update Ability to turn off schedules, sessions are abandoned properly, and threshold monitoring schedule is included.
/Certificate Authorities/ {id} PUT Update Ability to turn off schedules, sessions are abandoned properly, and threshold monitoring schedule is included.
/Certificate Authorities/ {id} DELETE Update Deletion is now prevented if schedules are associated.
/Certificate Collections POST Update Query parameter no longer needed when a valid CopyFromId is provided.
/Certificate Collections/ {id}/ Permissions POST Deprecated Replaced by /Security/Roles/{id}/Permissions/Collection.
/Certificates/ Analyze POST Add  
/Certificates/ IdentityAudit/ {id} GET Add  
/Certificate Store Containers POST Add  
/Certificate Store Containers/{id} PUT, DELETE Add  
/Certificate Stores/ Server GET, POST, PUT To Be Deprecated Server usernames, server passwords, and the UseSSL flag are managed by the /CertificateStores API endpoints directly as JobProperties using the Properties parameter, replacing the deprecated /CertificateStores/Server API endpoints.
/Certificate Stores GET, POST, PUT Updated Server usernames, server passwords, and the UseSSL flag are managed by the /CertificateStores API endpoints directly as JobProperties using the Properties parameter, replacing the deprecated /CertificateStores/Server API endpoints.
/Enrollment/ PFX (v2) POST Add  
/Enrollment/ Settings/ {id} GET Add  
/JobTypes/ Custom POST Update DefaultValue property is no longer required, validation is now performed on the JobTypeFields/DefaultValue property, validation prevents names containing spaces.
/JobTypes/ Custom/ {id} DELETE Update Includes validation so that deletion is prevented if at least one associated approved orchestrator implements the capability.
/MacEnrollment GET, PUT Add  
/Monitoring/ Revocation GET, POST Update Renamed from /Workflow/RevocationMonitoring
/Monitoring/ Revocation/ {id} GET, PUT, DELETE Update Renamed from /Workflow/RevocationMonitoring/{id}
/Monitoring/ Revocation/ Test POST Add  
/Monitoring/ Revocation/ TestAll POST Add  
/Orchestrators/ JobHistory GET Update Added JobId field.
/Orchestrators/ ScheduledJobs GET Add  
/Orchestrator Jobs/ Reschedule POST Add  
/Orchestrator Jobs/ Unschedule POST Add  
/Orchestrator Jobs/ Acknowledge POST Add  
/Security/ Identities/ {id} GET Add  
/Security/ Roles/ {id}/ Identities GET, POST Add  
/Security/ Roles/ {id}/ Containers GET, POST Add  
/Security/ Roles/ {id}/ Copy POST Add  
/Security/ Roles/{id}/Permissions GET Add  
/Security/ Roles/ {id}/ Permissions/ Global GET, POST, PUT Add  
/Security/ Roles/ {id}/ Permissions/ Collections GET, POST, PUT Add Replaced the /CertificateCollections/{id}/Permissions endpoint functionality.
/Security/ Roles/ {id}/ Permissions/ Containers GET, POST, PUT Add

Returns only containers that have a permission set for the selected security role.
/SMTP GET, PUT Add  
/SMTP/ Test POST Add  
/Templates GET, PUT Update Includes template-specific policy information.
/Templates/ {id} GET Update Includes template defaults.
/Templates/ Settings GET, PUT Update Includes global template policies.
/Template/ Subject Parts GET Add  
/Templates/ Global/ Settings GET, PUT Add  
/Templates/ Import POST Add  
/Workflow/ Certificates/ Pending GET Update Now supports query fields of Requester and RequestType.
/Workflow/ Definitions/ Steps/ {extensionName} GET Add  
/Workflow/ Definitions/ {definitionId} GET, PUT, DELETE Add  
/Workflow/ Definitions GET, POST Add  
/Workflow/ Definitions/ Steps GET Add  
/Workflow/ Definitions/ Types GET Add  
/Workflow/ Definitions/ {definitionId}/ Steps PUT Add  
/Workflow/ Definitions/ {definitionId}/ Publish POST Add  
/Workflow/ Instances/ {instanceId} GET, DELETE Add  
/Workflow/ Instances GET Add  
/Workflow/ Instances/ My GET Add  
/Workflow/ Instances/ AssignedToMe GET Add  
/Workflow/ Instances/ {instanceId}/ Stop POST Add  
/Workflow/ Instances/ {instanceId}/ Signals POST Add  
/Workflow/ Instances/ {instanceId}/ Restart POST Add