Incremental Release 10.4 Notes
May 2023
Changes and Improvements
- Workflow now includes two new types, Certificate Entered Collection and Certificate Left Collection, designed to help you monitor the comings and goings of certificates in collections and take action when a certificate unexpectedly appears in or disappears from a collection. You might use one of these workflow types to monitor the Weak Keys collection and be alerted by email when a new certificate is added to the collection after being picked up on an SSL scan, or to monitor a collection of vital certificates and use a PowerShell or REST request step to automatically open a support ticket if one of the certificates goes missing. These workflow types work together with the Keyfactor Command Service, which periodically evaluates the collections configured for reporting and then initiates a workflow for each certificate whose collection membership has changed. The automated task runs every 10 minutes by default, and the interval is not end-user configurable. By default, a maximum of 1000 certificates can be reported on by any one instance of the automated task; this value is configurable with the Concurrent Workflows setting (see Table 89: Keyfactor Command Jobs Services). Certificate collections that have workflows configured cannot be edited, since changing the collection's query could trigger a large number of entered/left workflows.
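The entered/left evaluation described above, as an added example for this page (not Keyfactor code, and it does not call the Keyfactor API): each run diffs a collection's current membership against the previous snapshot, emits one event per certificate that changed membership, and reports at most `max_per_run` certificates per run, matching the page's default cap of 1000. Two details are assumptions rather than documented behaviour: the first evaluation only records a baseline, and changes beyond the cap are carried over to the next run rather than dropped. The thumbprints in the demo are constructed.

```python
"""Entered/left evaluation for a monitored certificate collection.

Added example, not Keyfactor code. Models the behaviour the release note
describes (periodic diff of collection membership, one event per changed
certificate, at most max_per_run certificates reported per run).
Assumptions: first run records a baseline only; overflow beyond the cap is
deferred to the next run instead of being dropped.
"""

from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    collection: str
    kind: str          # "entered" or "left"
    cert_id: str       # certificate identifier (thumbprint or database id)


@dataclass
class CollectionWatcher:
    max_per_run: int = 1000                       # page default: 1000 certificates per run
    _last_seen: Dict[str, Set[str]] = field(default_factory=dict)
    _pending: Dict[str, List[Event]] = field(default_factory=dict)

    def evaluate(self, collection: str, members: Set[str]) -> List[Event]:
        """One scheduled run for `collection`: diff against the last snapshot,
        then return up to max_per_run events. Deferred events from earlier runs
        go first; within a run, events are sorted by certificate id so that
        repeated evaluations are deterministic."""
        previous = self._last_seen.get(collection)
        current = set(members)
        self._last_seen[collection] = current
        if previous is None:                      # first run: baseline only (assumption)
            return []
        events = [Event(collection, "entered", c) for c in sorted(current - previous)]
        events += [Event(collection, "left", c) for c in sorted(previous - current)]
        queue = self._pending.get(collection, []) + events
        self._pending[collection] = queue[self.max_per_run:]   # overflow waits for next run
        return queue[:self.max_per_run]

    def backlog(self, collection: str) -> int:
        """Number of deferred events not yet reported for `collection`."""
        return len(self._pending.get(collection, []))


if __name__ == "__main__":
    # Constructed scan results; the thumbprints are made up.
    watcher = CollectionWatcher(max_per_run=2)
    watcher.evaluate("Weak Keys", {"aa11"})                                 # baseline
    print(watcher.evaluate("Weak Keys", {"aa11", "bb22", "cc33", "dd44"}))  # 2 of 3 entries
    print(watcher.backlog("Weak Keys"))                                     # 1 deferred
    print(watcher.evaluate("Weak Keys", {"bb22", "cc33", "dd44"}))          # deferred entry + 1 left
```

The cap is the part worth watching in production: a collection query that suddenly matches thousands of certificates (for example after a large SSL scan) will surface in batches across several runs rather than all at once, so an alert that fires "late" is not necessarily a missed event.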
- Certificates with a key type of Dilithium2, Dilithium3, or Dilithium5 may now be imported into Keyfactor Command for management and reporting using the Add Certificate function (see Add Certificate in the Keyfactor Command Reference Guide). CA synchronization of certificates with these key types will be supported in a future release.
- Certificates with private keys can now be downloaded in JKS format from either PFX enrollment or certificate search. The JKS option for certificates with private keys is in addition to the existing PEM and PFX download formats.
- On certificate download in both PFX enrollment and certificate search, you now have the option to select a chain order for the chain certificates in the resulting output file if you opt to include the certificate chain in the download. The choice is either End Entity First (the end-entity certificate at the beginning of the file) or Root First.
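What the End Entity First / Root First choice means in practice, as an added example that is not Keyfactor's code: the function below takes an unordered bundle and returns it leaf-first or root-first by following issuer names, and rejects bundles that are missing a link or contain more than one chain. Certificates are modelled as (subject, issuer) name pairs so it runs without a certificate parser; the names are constructed. A TLS server's Certificate message must list the server's own certificate first (RFC 8446, section 4.4.2), so a Root First bundle pasted straight into a server configuration is a common cause of handshake failures, while Root First is what some truststore import tools expect.

```python
"""Order a certificate chain End Entity First or Root First.

Added example, not Keyfactor code. Certificates are (subject, issuer)
pairs; a self-signed certificate (subject == issuer) is treated as the root.
"""

from typing import Dict, List, Tuple

Cert = Tuple[str, str]   # (subject, issuer)


def order_chain(certs: List[Cert], root_first: bool = False) -> List[Cert]:
    """Return the bundle ordered leaf -> intermediates -> root (End Entity
    First), or the reverse when root_first is True.

    Raises ValueError if the input is not exactly one linear chain: a
    duplicate subject, a missing issuer, an issuer loop, a bundle with no or
    several end-entity certificates, or certificates outside the chain."""
    by_subject: Dict[str, Cert] = {}
    for cert in certs:
        if cert[0] in by_subject:
            raise ValueError(f"duplicate subject {cert[0]!r}")
        by_subject[cert[0]] = cert
    # Names that issued some *other* certificate; the leaf is the one that issued nothing.
    issuers = {issuer for subject, issuer in certs if subject != issuer}
    leaves = [cert for cert in certs if cert[0] not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one end-entity certificate, found {len(leaves)}")
    chain: List[Cert] = []
    current = leaves[0]
    while True:
        chain.append(current)
        if current[0] == current[1]:          # self-signed: reached the root
            break
        nxt = by_subject.get(current[1])
        if nxt is None:
            raise ValueError(f"issuer {current[1]!r} is not present in the bundle")
        if nxt in chain:
            raise ValueError("issuer loop detected")
        current = nxt
    if len(chain) != len(certs):
        raise ValueError("bundle contains certificates that are not part of the chain")
    return chain[::-1] if root_first else chain


# Constructed sample bundle, deliberately shuffled.
SAMPLE_BUNDLE: List[Cert] = [
    ("CN=Example Issuing CA", "CN=Example Root CA"),
    ("CN=Example Root CA", "CN=Example Root CA"),
    ("CN=www.example.test", "CN=Example Issuing CA"),
]

if __name__ == "__main__":
    print(order_chain(SAMPLE_BUNDLE))                   # End Entity First
    print(order_chain(SAMPLE_BUNDLE, root_first=True))  # Root First
```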
Updates and Fixes
- Update: The default timeout in the configuration wizard for Keyfactor Command upgrade job executions has been increased to 30 minutes.
- Update: The Keyfactor Universal Orchestrator now includes a configuration setting that allows it to skip checking the revocation status (CRL) of the SSL certificate on the Keyfactor Command server when connecting to Keyfactor Command. With the check skipped, a revoked server certificate would still be accepted by the orchestrator, so the setting should be reserved for environments where the orchestrator host cannot reach the CRL distribution point.
- Update: On a new installation of Keyfactor Command, the Revoke All option on the Certificates page, controlled with the Revoke All Enabled application setting, will default to disabled. This change will not affect existing implementations of Keyfactor Command.
- Update: The wording on the Revoke All option has been changed to clarify that a revocation is occurring.
- Fix: SSL monitoring scans done with the Universal Orchestrator were failing to report TLS 1.3 timeouts.
- Fix: The maintenance job that removes expired stored private keys eligible for deletion was not running daily as expected.
- Fix: In certain template configurations, a user could be prompted to save changes to a template when viewing the template without having made any changes.
- Fix: The certificate template regular expression ^$, intended to disallow any value in a field, left the field in a catch-22 state: the presence of a regular expression required a value to be entered, while the expression itself matches only the empty string, so the field could not function at all.
- Fix: Delegation was not working as expected for certificate revocation when the certificate authority record in Keyfactor Command was configured to Delegate Management Operations.
- Fix: Attempting to create records in Keyfactor Command for two certificate stores with the same name on the same server but of different types produced an error indicating that the second was a duplicate of the first. Stores of different types may now be created with the same name.
- Fix: Associating a PAM provider with a certificate store container, placing a certificate store in that container, and then attempting to set the PAM credentials for that certificate store failed with the error "The supplied Secured Area is invalid for the selected provider".
- Fix: Certificates with a SAN type of DS Object Guid could not be imported, producing an error of:
illegal object in GetInstance: Org.BouncyCastle.Asn1.DLTaggedObject
Parameter name: obj
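The error text names BouncyCastle's DLTaggedObject, which is how that library represents a context-specifically tagged ASN.1 element. A DS Object GUID is carried in the subjectAltName as an otherName, and an otherName's value sits inside an EXPLICIT [0] wrapper that a decoder has to unwrap before it can read the OCTET STRING holding the GUID; a decoder that hands the wrapper itself to an OCTET STRING or SEQUENCE constructor fails with exactly this kind of message. The following walker, added here as an example and not Keyfactor's code, decodes a constructed subjectAltName containing a dNSName, a UPN otherName and a DS object GUID otherName and dispatches on the otherName type-id. The two OIDs are Microsoft's published values; the host names and GUID are made up; reading the 16 octets in Windows GUID (mixed-endian, `bytes_le`) order is an assumption about presentation, not part of the encoding.

```python
"""Minimal DER walker for an X.509 subjectAltName, including the otherName
forms used by Active Directory (DS object GUID and userPrincipalName).

Added example, not Keyfactor code. The sample SAN is constructed below.
GeneralName tags: otherName [0] (0xA0), rfc822Name [1] (0x81), dNSName [2] (0x82).
OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY } -- the EXPLICIT
[0] means the real value is nested one level inside a 0xA0 element.
"""

import uuid
from typing import Any, List, Tuple

OID_NTDS_GUID = "1.3.6.1.4.1.311.25.1"   # Microsoft DS object GUID: value is OCTET STRING (16 bytes)
OID_UPN = "1.3.6.1.4.1.311.20.2.3"       # Microsoft UPN: value is UTF8String


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def tlv(tag: int, body: bytes) -> bytes:
    """DER-encode one element with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def parse_san(der: bytes) -> List[Tuple[str, Any]]:
    """Decode a GeneralNames SEQUENCE into (kind, value) pairs."""
    outer_tag, names, _ = _read_tlv(der, 0)
    if outer_tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    pos, out = 0, []
    while pos < len(names):
        tag, body, pos = _read_tlv(names, pos)
        if tag == 0x82:                                 # dNSName [2] IMPLICIT IA5String
            out.append(("dNSName", body.decode("ascii")))
        elif tag == 0x81:                               # rfc822Name [1] IMPLICIT IA5String
            out.append(("rfc822Name", body.decode("ascii")))
        elif tag == 0xA0:                               # otherName [0] IMPLICIT SEQUENCE
            t, oid_body, p = _read_tlv(body, 0)
            if t != 0x06:
                raise ValueError("otherName must start with type-id OID")
            oid = _decode_oid(oid_body)
            t, explicit, _ = _read_tlv(body, p)
            if t != 0xA0:                               # this is the "tagged object" wrapper
                raise ValueError("otherName value must be [0] EXPLICIT")
            inner_tag, inner, _ = _read_tlv(explicit, 0)  # unwrap before typing the value
            if oid == OID_NTDS_GUID and inner_tag == 0x04 and len(inner) == 16:
                out.append(("dsObjectGuid", str(uuid.UUID(bytes_le=inner))))  # byte order: assumption
            elif oid == OID_UPN and inner_tag == 0x0C:
                out.append(("userPrincipalName", inner.decode("utf-8")))
            else:
                out.append(("otherName:" + oid, inner))  # unknown type-id: keep raw value
        else:
            out.append(("unhandled:0x%02x" % tag, body))
    return out


def build_sample_san() -> bytes:
    """Constructed domain-controller-style SAN; every value here is made up."""
    guid = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
    dns = tlv(0x82, b"dc01.corp.example")
    upn = tlv(0xA0, tlv(0x06, _encode_oid(OID_UPN)) + tlv(0xA0, tlv(0x0C, "DC01$@corp.example".encode())))
    ds_guid = tlv(0xA0, tlv(0x06, _encode_oid(OID_NTDS_GUID)) + tlv(0xA0, tlv(0x04, guid.bytes_le)))
    return tlv(0x30, dns + upn + ds_guid)


if __name__ == "__main__":
    for kind, value in parse_san(build_sample_san()):
        print(kind, value)
```

The point to take from the walker is the double 0xA0: the first marks the otherName choice, the second is the EXPLICIT value wrapper. Any SAN decoder (or import filter) that switches on type-id has to read through the second before it can type the payload, and an unknown type-id should be kept as raw bytes rather than rejected, otherwise certificates from directory-integrated CAs will fail to import.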
- Fix: Attempting to validate a CA record for an EJBCA CA using the Test Connection option would fail if the client authentication certificate configured for the CA had no EKU defined, resulting in an error similar to:
There is a problem validating the CA with ID '3' (check the logs for more details): Object reference not set to an instance of an object.
- Fix: Attempting to disapprove an instance of the Keyfactor Bash Orchestrator that had an SSH synchronization schedule configured, or an instance of the Keyfactor Universal Orchestrator that had an SSL scanning schedule configured, resulted in a 500 error.
Known Issues
- The Audit Log page offers a search comparison value of Instance Signal for the audit category, but the results grid Category column shows this same value as Workflow Signal.
- When a one-click renewal is done on a certificate from the Certificate Search page, the renewal succeeds but the grid does not refresh to show the new status.
- The latest version of the Logi reporting engine avoids a system timeout issue by periodically pinging the IIS session behind the scenes so that the dashboard doesn't time out when the session has been idle. As a result, the dashboard no longer refreshes after 20 minutes but invokes this keep-alive instead. The behavior depends on the Session State Timeout and Session Auto Keep Alive attribute settings in IIS. For more information on this see:
- On an edit, if you change the workflow step type, you must also change the Unique Name. Changing the workflow step type without changing the unique name will result in an error similar to the following:
System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary
Instead of changing both the workflow step type and unique name, you may prefer to delete the step and create a new step of the desired type.
Deprecation
- The Classic API will be deprecated in Keyfactor Command version 11.0. All existing uses of the Classic API should be migrated to the Keyfactor API prior to upgrading to Keyfactor Command version 11. If an application cannot be updated to the newer endpoints, the Allow Deprecated API Calls setting must be set to True so that the Classic API remains reachable (see Application Settings: API Tab in the Keyfactor Command Reference Guide). Otherwise, Keyfactor recommends that these endpoints be disabled to reduce exposure to unauthorized or unintended use.
- The Keyfactor Java Agent will be deprecated in version 11.0 of Keyfactor Command. Customers are encouraged to begin planning a migration to the Keyfactor Universal Orchestrator with the Remote File custom extension, publicly available at:
API Endpoint Change Log
Please review the information in the API Change Log for this release carefully if you have implemented any integration using these endpoints:
Table 95: API Change Log
Endpoint | Methods | Action | Notes |
---|---|---|---|
/Enrollment/CSR | POST | Fixed | Includes SANs entered outside the CSR only when the Allow CSR SAN Entry application setting is set to true. SANs entered outside the CSR replace the SANs in the CSR rather than being appended to them. |
/Workflow/Instances | GET | Fixed | Includes SANs entered outside the CSR in workflow instance details. |
/Workflow/Instances/AssignedToMe | GET | Fixed | Includes SANs entered outside the CSR in workflow instance details. |
/Workflow/Instances/My | GET | Fixed | Includes SANs entered outside the CSR in workflow instance details. |
/Workflow/Instances/{instanceId} | GET | Fixed | Includes SANs entered outside the CSR in workflow instance details. |