2025 Second Quarterly Release - 25.2 Notes
June 2025
Keyfactor announces Keyfactor Command 25.2, which includes major new features and updates such as support for perma-deletion of certificates from Keyfactor Command, enhanced support for post-quantum cryptography (PQC) and hybrid certificates, and an option to renew certificates through CSR enrollment.
Please refer to Keyfactor Command Upgrading for important information about the upgrade process. For a complete list of the items included in this release, see Release Note Details v25.2. For gateway and CA Connector Client release notes, see:
- CA Connector Client Release Notes
- Keyfactor Cloud Gateway Release Notes
- Keyfactor Windows Enrollment Gateway Release Notes
- Keyfactor AnyCAGateway DCOM Release Notes
- Keyfactor AnyCA Gateway REST Release Notes
Highlights
- Support for Certificate Perma-Deletion in Keyfactor Command
  Support was added to allow for permanently deleting certificates from the Keyfactor Command database and excluding them from all product functionality.
  - A Delete and Exclude action was added to the certificate search page (see certificate operations: Delete And Exclude). When a certificate is deleted with exclusion, it will not be re-imported during a CA synchronization or add certificate task. However, it will be re-imported if it is found on an SSL scan or in a certificate store configured for inventory. This ensures that certificates still in use in the environment continue to be tracked.
  - A new query field, IsExcluded, was added to the certificate search page. This is used to search for certificates that are found during an SSL scan or certificate store inventory even if they have been excluded from Keyfactor Command.
  - An Excluded Certificates page was added in the Management Portal to allow monitoring of excluded certificates (see Excluded Certificates).
  - API endpoints were added both to manage excluded certificates and to exclude certificates through the API via query, list, or ID (see Certificates).
  - New role permissions were added at both the global and collection levels to assign users access to the Delete and Exclude functionality (see security role permissions: Certificates).
- View Full Certificate Details from Certificate Store Page
  The View Inventory option on the Certificate Stores page has been enhanced to support viewing the full certificate detail information (see Certificate Details) for each certificate found in the certificate store.
  - Breadcrumbs have been added to the Certificate Details page to support navigation back to the previous page. These are found in the Certificate Details both when accessed from Certificate Search and when accessed from Certificate Stores.
  - Users with appropriate permissions can perform the following actions on certificates from this page:
    - The Revoke button may appear, allowing the user to revoke the certificate.
    - The Change Owner button may appear, allowing the user to change the certificate owner (a security role) assigned to a certificate. Users will only be able to change the owner to a security role of which they are a member (see Change Owner).
    - On the Metadata tab, the user may be able to edit the data in the metadata fields.
    - On the download dialog accessed with the Download button, the user may have the option to download the certificate with its private key if the private key for the certificate is stored in Keyfactor Command.
Changes & Improvements
- Application Settings
  - New UI Customization settings have been added to the Application Settings to allow a custom banner to be displayed across the product. The banner ensures that critical notices are seen by every user, so important information is not lost or overlooked.
- Certificate Operations
  - An expanded certificate owner permission has been added. The new Expanded Change Owner permission allows users to change the certificate owner to any role in the permission sets the acting user is a member of. This is available on the certificate details, PFX enrollment, and CSR enrollment pages, when setting the default certificate owner on enrollment patterns, and when changing the default certificate owner on certificates during enrollment. The certificate history records whether or not the user held the Expanded Change Owner permission when changing the owner. To support this functionality, the API endpoint GET /PermissionSets/My now returns the associated security roles for each permission set.
  - The option to renew certificates via CSR enrollment has been added.
    - The options available when clicking Renew from the certificate search page have changed to: One Click, Configure with PFX, and Configure with CSR (see Renew/Reissue).
    - The value returned by the API endpoints GET /AvailableRenewal/Thumbprint/{thumbprint} and GET /AvailableRenewal/Id/{id} has changed to a flag that sums the supported enrollment values, and the required permissions have changed. CSR has been added to the enrollment type values with a value of 4. GET /AvailableRenewal/Id/{id} now uses the new flag values to determine which enrollment options are available in the Management Portal for certificate renewal. See GET Enrollment Available Renewal ID.
    - There is a new application setting on the Enrollment tab, Enable warning for CSR renewal with a Subject/SAN mismatch (see Application Settings: Enrollment Tab).
    - Two new optional parameters, RenewalCertificateId and RenewalCertificateCollectionId, have been added to the POST /Enrollment/CSR endpoint for renewals (see POST Enrollment CSR).
- Certificate Stores
  - The certificate store location dialog, accessed when you add/remove certificates from certificate stores, has been updated to support more custom fields organized in a tidier fashion.
  - Certificate store types introduce Validation Options in Custom Fields. The Validation Options are located on a tab of the same name in the Add/Edit Custom Field dialog. The Validation Options (Optional, Required, or Hidden) replace the former Required checkbox.
- Documentation
  - Select tables now feature additional capabilities to enhance your experience with the information they display. These interactive tables have thicker light-blue column dividers, as opposed to the standard thinner white dividers. Typically, these tables include columns with long parameter names that you may need to copy for product configuration (e.g. -DatabaseManagementAuthCredentials). To ensure readability across different screen sizes, long parameter names are truncated with ellipses (...) upon page load. You can view and copy these full values in several ways:
    - Hover over a truncated value: A tooltip will appear, displaying the full value. You can then click the Copy button in the tooltip to copy the value to your clipboard.
    - Resize columns: Click and drag the light-blue column dividers to expand a column, revealing the full value or simply making the contents easier to read.
    - Resize the table: Click and drag the rightmost edge of the table to adjust its width.
    Figure 480: Documentation Column Resizing and Tooltip Video
- Enrollment
  - CSR Enrollment in the Management Portal now has the Include Chain option for PEM file formats.
  - The warning message on enrollment pages that appears if there are no possible enrollment options (no CAs available, no templates available, no permissions, etc.) now includes a message to check that any CAs intended for enrollment use are configured with the Use for Enrollment option.
  - A new query parser, Name, has been added to the Enrollment Patterns search.
  - The Generate Hybrid CSR toggle on the CSR Generation page only appears if at least one Alternative Key Type has been enabled at either the system-wide or enrollment pattern level. If it has been enabled for the enrollment pattern, the toggle will not appear until the enrollment pattern is selected.
  - An Include Chain toggle has been added on the CSR Enrollment page for certificates of type PEM.
- Post-Quantum Cryptography (PQC)
  - PFX Enrollment and the POST /Enrollment/PFX API endpoint now support enrollment for hybrid certificates. Hybrid certificates support download in PEM or ZIP PEM format and do not support the option to install to certificate stores.
  - PFX Enrollment and the POST /Enrollment/PFX API endpoint now support enrollment for certificates with a primary ML-DSA key.
  - CSR Enrollment and the POST /Enrollment/CSR API endpoint now support enrollment for certificates with a primary ML-DSA key.
  - CSR Generation and the POST /CSRGeneration/Generate API endpoint now support CSR generation with a primary ML-DSA key.
  - Seeded certificate renewal (the configure option) now supports renewal of certificates with a primary ML-DSA key and hybrid certificates.
  - Certificates with a primary ML-DSA key and hybrid certificates can now be downloaded in Certificate Search and Details in all the same formats supported by non-PQC certificates, both with and without certificate chain. Hybrid certificates with private keys can only be downloaded in PEM or ZIP PEM format, but certificates with a primary ML-DSA key and a private key are not limited in download format.
  - Certificates with a primary ML-DSA key and hybrid certificates can now be uploaded with Add Certificate in all the same formats supported by non-PQC certificates.
  - Enrollment patterns now support configuration of ML-DSA keys as both primary and alternative keys at both the system-wide and individual level.
  - ML-DSA keys, as both primary and alternative keys, reported by the CA for a template are now visible in the certificate template record.
- Security Roles, Claims, and Permissions
  - A new Certificates > Expanded Change Owner permission has been introduced. A user who holds this permission can change the default certificate owner to any role within the permission sets they are a member of. This differs from the Certificates > Collections > Change Owner permission, which functions as follows:
    - Global Level: A user who holds only the Certificates > Collections > Change Owner permission at the Global level can change the default certificate owner to any role they belong to, for any certificate.
    - Collection Level: A user who holds only the Certificates > Collections > Change Owner permission at the Collection level can change the default certificate owner to any role they belong to, for any certificate in a collection to which they have permissions.
    The Certificates > Expanded Change Owner permission setting overrides the Certificates > Collections > Change Owner permission (both Global and Collection-level) if both are set.
  - Four new permissions have been added for certificate store management, available also at the certificate store container level, to support managing certificates on the Certificate Details page: Change Owner, Edit Metadata, Download with Private Key, and Revoke. When these permissions are set at the certificate store level, they apply only to actions done on the Certificate Details page when accessed from Certificate Stores. Likewise, these permissions set at the certificate collection level apply only to actions done on the Certificate Details page when accessed from Certificate Search.
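The two owner-change rules above can be hard to reason about side by side, so here is an added worked model of the decision (illustration only, not Keyfactor's code). The data classes, field names, the PERMISSION_SET_ROLES lookup and the sample roles are assumptions; only the permission names, the "overrides" rule and the fact that history records whether Expanded Change Owner was held come from the release note.

```python
"""Model of Expanded Change Owner vs. Collections > Change Owner (added example)."""
from dataclasses import dataclass, field


@dataclass
class User:
    roles: set                                   # security roles the user belongs to
    permission_sets: set                         # permission sets the user is a member of
    expanded_change_owner: bool = False          # Certificates > Expanded Change Owner
    global_change_owner: bool = False            # Certificates > Collections > Change Owner (Global)
    collection_change_owner: set = field(default_factory=set)  # collection ids where held


@dataclass
class Certificate:
    cert_id: int
    collections: set                             # ids of collections containing this certificate


# Assumed lookup standing in for GET /PermissionSets/My, which now returns the
# security roles associated with each permission set (constructed sample data).
PERMISSION_SET_ROLES = {
    "PKI-Admins": {"PKI-Admin", "PKI-Operator", "App-Team-A"},
    "App-Teams": {"App-Team-A", "App-Team-B"},
}


def can_change_owner(user: User, cert: Certificate, new_owner: str) -> tuple[bool, bool]:
    """Return (allowed, used_expanded).

    The second value is what the certificate history would record: whether the
    acting user held Expanded Change Owner at the time of the change.
    """
    # Expanded Change Owner overrides the Collections > Change Owner rules
    # (Global and Collection-level) whenever it is set: the target may be any
    # role associated with a permission set the user belongs to.
    if user.expanded_change_owner:
        reachable = set().union(*(PERMISSION_SET_ROLES.get(ps, set())
                                  for ps in user.permission_sets))
        return new_owner in reachable, True

    # Collections > Change Owner: the target must be a role the user belongs to ...
    if new_owner not in user.roles:
        return False, False
    # ... for any certificate at Global level ...
    if user.global_change_owner:
        return True, False
    # ... or only for certificates in a collection the user holds it on.
    if user.collection_change_owner & cert.collections:
        return True, False
    return False, False
```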
Fixes
- The nonfunctional QueryString parameter is no longer available for the API endpoint GET /Reports/{id}/Schedules.
- One-click renewal and configured renewal are now disabled for a certificate if there is already a suspended workflow instance associated with the original certificate.
- The overwrite option is now present on the ODKG page.
- Enrollment using a DS replication GUID SAN type can now be completed with the Keyfactor Windows Enrollment Gateway and Keyfactor Command.
- POST /Enrollment/PFX now validates required parameters related to adding the certificate to a certificate store.
Deprecation & Removals
- The license for the Logi Analytics Platform, used by the Keyfactor Command dashboard and reports, will expire on November 28, 2027 and will not be renewed. Customers who have not upgraded to Keyfactor Command 25.3 or later by that date will no longer be able to use the dashboard or reports.
Known Issues
- The Container Permissions on the Containers tab of the Certificate Stores page allow a user to de-select Read or Schedule permissions for a container while retaining Modify permissions. This is contrary to the behavior of container permissions in security roles, which enforce Read and Schedule if Modify is enabled, and Read if Schedule is enabled. If Modify is configured without Read, when a user logs in and tries to view inventory, they get an error stating that they do not have Read permissions. Read permissions must be set manually for the users and containers if Modify is selected through this interface. Keyfactor recommends managing certificate store container permissions only through security roles to avoid issues. The container permissions dialog on the Certificate Stores page will be removed in a future release.
- Searches for workflow instances using the InitiatingUserName query parser fail with an "invalid column name" error. This will be corrected in a future release.
API Endpoint Change Log
Please review the information in the API Change Log for this release carefully if you have implemented any integration using these endpoints: API Change Log v25.2.