Quarterly Release 11.5 Notes
May 2024
Highlights
-
The Keyfactor Command configuration wizard now allows creation of multiple OAuth identity providers, any of which may be used to authenticate to Keyfactor Command (so users from OAuth IdP A and users from OAuth IdP B may both access Keyfactor Command). Active Directory may not be configured in conjunction with any OAuth identity providers on the same Keyfactor Command server. If you need to support both Active Directory and one or more OAuth identity providers, you will need two Keyfactor Command instances with Active Directory on one and the OAuth identity providers on the other.
A new Add option has been added to the Identity Providers page in the Keyfactor Command Management Portal to allow for the addition of new identity providers through this interface. A new POST /IdentityProviders API endpoint has been added to allow creation of new identity providers through the Keyfactor API.
A default logon will be configured during the installation to indicate which identity provider is the preferred identity provider. Users accessing Keyfactor Command without specifying an identity provider will be directed to this identity provider. Users wishing to logon using a non-default identity provider will need to provide the desired identity provider in the request URL (see Using the Management Portal).
On the Administrator Users tab of the Keyfactor Command configuration wizard, OAuth identity providers are now referenced by display name rather than the generic OAuth since more than one identity provider can now be created in the configuration wizard. As a result of this change, on upgrades if you’re using OAuth, you will need to visit the Administrative Users tab and select the display name of your identity provider even if you’re not making any changes in the identity provider area of your configuration.
-
The workflow require approval step includes a new Requester Can Approve parameter that, when disabled, prevents the initiator of a workflow from being one of the approvers on that specific workflow instance even if they are among the users granted approval rights on the workflow via role security membership. If the initiator attempts to approve a workflow when this parameter has been disabled, a warning will be logged regarding the occurrence.
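The Requester Can Approve behaviour described above, written out as an added separation-of-duties check (this is illustrative code, not Keyfactor's implementation; the WorkflowInstance fields and the default value of the parameter are assumptions):

```python
"""Added example (not Keyfactor's code): a separation-of-duties check modelled on
the workflow 'Requester Can Approve' parameter described in the release note."""
import logging
from dataclasses import dataclass, field

log = logging.getLogger("workflow.approval")


@dataclass
class WorkflowInstance:
    instance_id: str
    initiator: str                      # user who submitted the request
    approver_role_members: set = field(default_factory=set)
    requester_can_approve: bool = True  # the new step parameter (default assumed)
    approvals: set = field(default_factory=set)


def try_approve(instance: WorkflowInstance, user: str) -> bool:
    """Record an approval from `user`; return True if it was accepted.

    Approval is refused when the user holds no approver role and, when
    Requester Can Approve is disabled, when the user is the instance's
    initiator even though role membership makes them an approver.
    A refused self-approval is logged as a warning, as the release note says.
    """
    if user not in instance.approver_role_members:
        return False
    if not instance.requester_can_approve and user == instance.initiator:
        log.warning("initiator %s attempted to approve workflow instance %s "
                    "with Requester Can Approve disabled",
                    user, instance.instance_id)
        return False
    instance.approvals.add(user)
    return True
```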
-
Orchestrators may now be deleted. Any associated data such as certificate stores, jobs and SSH servers will automatically be removed if this is done through the Keyfactor Command Management Portal. There is a new DELETE /Agents/{id} API endpoint to delete orchestrators with an optional force flag to remove associated data.
Updates and Fixes
-
Update: Private key retention may now be set at either the CA level or the template level. Previously, private key retention could only be set at the CA level if the CA was designated as a standalone CA. Private key retention should only be set in one place or the other, not both. If it is set in both places, the settings on the template take precedence. When certificates with private keys are imported into Keyfactor Command, the key retention policy is taken from the associated template if that template is available in Keyfactor Command. If it is not available, the key retention policy from the associated CA in Keyfactor Command is used. If the CA is not available in Keyfactor Command either, the private key is imported and saved indefinitely.
-
Update: The Universal Orchestrator can now be configured with a batch size to control inventory jobs if inventory job performance tuning is required in the environment (see Universal Orchestrator Performance Tuning).
-
Update: A new query parser—Certificate Renewed—for certificate search has been added that filters whether a certificate has already been renewed (true) or has not yet been renewed and can potentially be renewed (false). This query parser is set to true to filter out renewed certificates (to avoid counting both the original certificate and the replacement certificate) on most of the dashboard risk header panels including Active Certificates, Certificates Expiring in Less Than 48 Hours, Certificates Expiring in Less Than 14 Days, and Certificates with Weak Keys. The results of the drilldowns (redirects to certificate search) for these headers also exclude renewed certificates. This should resolve occasional mismatches that might have been observed between the count of active certificates on the dashboard risk header and the count in the active certificates drilldown.
-
Update: Two application settings (Custom Help Link and Custom Help Link Title) have been added to allow inclusion of a custom link on the Keyfactor Command Management Portal help dropdown. Keyfactor strongly urges caution when using this feature and recommends confirming that the link to which users are redirected is thoroughly secured.
-
Update: The Full Certificate Extract report now includes report parameter checkboxes to include or exclude revoked and expired certificates in report output. The Certificate State field is now included in the Full Certificate Extract report and includes the following states: Unknown, Active, Revoked, Denied, Failed, Pending, CertificateAuthority, ParentCertificateAuthority, ExternalValidation. The Certificate State column is sortable.
-
Update: A message in the Orchestrators API log indicating that the orchestrator user fetched application setting Console.General.DisableADLogin has been moved from Info level to Debug level to avoid cluttering logs.
-
Update: The Expiration Report By Days report now includes report parameter checkboxes to include or exclude revoked and expired certificates in report output.
-
Update: On the SSL Network Definition dialog when defining a new SSL scan, the Orchestrator Pool dropdown now includes a search to limit the results in the dropdown. Likewise, a search capability has been added to the Orchestrators dropdown on the SSL Orchestrator Pool Definition dialog.
-
Update: A new Keyfactor API endpoint—GET /Status/HealthCheck—has been added to perform a check to see if a connection can be made to the Keyfactor Command database. It returns the Keyfactor Command product version as referenced in the database.
-
Update: Application-level encryption is now FIPS-compliant.
-
Update: At the conclusion of a CSR enrollment that requires one or more approvals through Keyfactor Command workflow, the message to the user will now mirror the message seen at the conclusion of PFX enrollment in this circumstance: Enrollment in Process.
-
Update: A new Keyfactor Command service periodic task scans for and alerts on any stored secrets that cannot be decrypted.
-
Update: Application settings related to the dashboard and reporting have been moved to a new Dashboard and Reporting tab on application settings page.
-
Update: The Issuance Less Than threshold alert value for CAs can now be set to a minimum value of 0.
-
Update: The Keyfactor Universal Orchestrator running in a container has been updated with a different base operating system (Red Hat Universal Base Image, UBI) for a more streamlined install. That has resulted in some minor changes to the installation process due to different expected file locations within the container. For example, when mapping the trusted root certificates file, the location has changed to /etc/ssl/certs/ca-bundle.crt.
-
Update: The Keyfactor Universal Orchestrator running in a container now runs as the service account uo-svc.
-
Update: The Keyfactor Universal Orchestrator running in a container has been updated to provide for a more graceful and faster shutdown.
-
Update: The PKI Status for Collection report PDF export has been beautified.
-
Update: The hint field for certificate metadata is now available for all types of metadata fields. The hint is now displayed in parentheses following the field name in places where metadata may be edited such as CSR enrollment, PFX enrollment, and the certificate details metadata tab. The description field for certificate metadata now appears in a tool tip when users hover over the field name in places where metadata may be edited.
-
Update: The Keyfactor Universal Orchestrator has been updated with new libraries to address the vulnerabilities identified in CVE-2021-24112.
-
Fixed: The GET /PamProviders endpoint now returns data for ProviderTypeParamValues as an array of objects.
-
Fixed: The Analyze Handler File option on the Event Handler Registration page now disallows entry of paths outside the current directory defined for event handler files. Sub-directories are not supported.
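To show the kind of server-side check the Analyze Handler File fix implies, here is an added example (not Keyfactor's code) that confines a user-supplied handler file name to the configured handler directory and rejects sub-directories; the HANDLER_DIR path is an assumed placeholder.

```python
"""Added example (not Keyfactor's code): restrict a user-supplied handler file
name to the configured event handler directory, with no sub-directories."""
from pathlib import Path
from typing import Optional

# Hypothetical configured directory for event handler files (placeholder).
HANDLER_DIR = Path("/opt/keyfactor/handlers")


def resolve_handler_file(name: str, base_dir: Path = HANDLER_DIR) -> Optional[Path]:
    """Return the absolute path of `name` inside `base_dir`, or None if rejected.

    Rejects empty names, "." and "..", anything containing a path separator
    (sub-directories are not supported, and separators are also how traversal
    and absolute paths are expressed), and anything whose resolved form is not
    a direct child of base_dir. The file need not exist, so this runs offline.
    """
    if not name or name in (".", ".."):
        return None
    # Any separator means a sub-directory, an absolute path or traversal.
    if "/" in name or "\\" in name:
        return None
    base = base_dir.resolve()
    candidate = (base / name).resolve()   # normalises "." and ".." segments
    # Belt and braces: the resolved path must sit directly under base.
    if candidate.parent != base:
        return None
    return candidate
```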
-
Fixed: The footnote below the Top Five Issuers table on the PKI Status for Collection report has been corrected to clarify that the total active certificates value includes certificates with state Active and Unknown if unknown was selected.
-
Fixed: The POST /Reports/{id}/Schedules endpoint now has validation on the OrchestratorPool field and will return an error if invalid data is provided in this field. If a value is not provided in this field, a message is returned indicating that the field is required.
-
Fixed: The Online Last Seen date and time for CAs on the dashboard CA panels now displays correctly. If the referenced CA is offline, the Offline Last Seen will indicate Never.
-
Fixed: The POST /CertificateCollections/Copy endpoint now only requires a value in the Query parameter if there is no copyFromId parameter defined in the request. If a copyFromId parameter is provided, the Query is optional.
-
Fixed: Warnings have been removed from the log that indicated when a CA had no sync schedule configured for either full or incremental scans.
-
Fixed: CRL publishing on revocation of a certificate could fail under some circumstances if there was a timezone difference between the client where the request was being made and the Keyfactor Command timezone. The resulting error message was Value does not fall within the expected range.
-
Fixed: On stop or restart of the Keyfactor Bash Orchestrator service, messages were logged indicating errors attempting to acquire a lock on the log file. File locking has been updated on stop/restart to handle this file more gracefully.
-
Fixed: The flow of adding a new security claim to a security role has been updated to be more intuitive. Previously it was possible to easily add a claim to a role accidentally.
-
Fixed: The GET /CertificateStoreContainers/{id} endpoint now correctly returns the container Schedule as an object.
-
Fixed: In certificate search, a user with limited permissions granted using collection-level security and no global permissions no longer sees invalid data in the Content field of the Save Collection dialog on selecting the Save or Save As option.
-
Fixed: Certificates with IPv6 SANs now correctly function with one-click renewal.
-
Fixed: A variety of display and usability issues were corrected on the identity provider editing dialog.
-
Fixed: Duplication of entries has been eliminated for the orchestrator job history grid.
-
Fixed: A job completion success status and update of the Last Sync time for CA synchronizations managed by the Keyfactor Universal Orchestrator could incorrectly occur under some circumstances.
-
Fixed: Default values in metadata fields of type email no longer trigger the metadata error message in interfaces such as PFX enrollment.
-
Fixed: The default value set for a metadata field of type email was cleared when a template-level override of the system-wide settings was done for the metadata field. A separate default value may now be set on a template-by-template level on metadata fields of type email.
-
Fixed: Korean language characters now display correctly in the Keyfactor Command Management Portal.
-
Fixed: The Certificate Authority Health Alert Schedule title now fits correctly in the dialog.
-
Fixed: The PAM Providers page in the Management Portal and the GET /PamProviders endpoints now correctly limit the results based on the user’s complete role membership set. Previously, if the user held a role with greater permissions and a role with lesser permissions, the role with lesser permissions was incorrectly used.
-
Fixed: A variety of query issues on the identity providers Management Portal page and with the GET /IdentityProviders endpoint have been corrected.
-
Fixed: In PFX and CSR Enrollment, a metadata field of type Email with a default value no longer prompts with a message that the default value is invalid if the user accepts the default value without modification.
-
Fixed: PowerShell alert handlers now support running PowerShell commands outside the core set.
-
Fixed: Certificate store reenrollment was not always honoring the key size and key type of the configured template for reenrollment.
-
Fixed: The GET /PamProviders API endpoint now correctly returns data for users with limited but appropriate permissions.
-
Fixed: The Certificate Store Inventory Schedule dialog has been expanded to appropriately fit the contents without wrapping.
-
Fixed: The identity provider Auth0ApiUrl parameter now retains the case (upper/lower) as provided by the user when saving the value entered in the field.
-
Fixed: The PUT and GET /Templates/Settings endpoints now consistently use MAIL as the value for the SAN TemplateRegexes SubjectPart.
-
Fixed: PowerShell handlers in alerts now correctly execute PowerShell scripts rather than producing an error similar to the following:
Cannot load PowerShell snap-in Microsoft.PowerShell.Diagnostics because of the following error: Could not load file or assembly 'C:\Program Files\Keyfactor\Keyfactor Platform\Service\runtimes\win\lib\net6.0\Microsoft.PowerShell.Commands.Diagnostics.dll'. The system cannot find the file specified.
-
Fixed: API endpoints that support querying and sorting parameters now have aliases for the parameter names for backwards compatibility. These aliases are:
Current Name    Alias
QueryString     Query
PageReturned    Page
ReturnLimit     Rp
SortField       SortName
SortAscending   SortOrder
-
Fixed: The Certificate Authority For Submitted CSRs application setting can now be correctly updated.
-
Fixed: The Keyfactor.Platform.IOrchestratorJobCompleteHandler.dll and Keyfactor.Platform.IOrchestratorRegistrationHandler.dll Keyfactor Command libraries have been updated with a current signing certificate.
-
Fixed: The Enrollment/PFX endpoint now returns a 400 error when a Custom Friendly Name is provided with a PFX enrollment but the corresponding application setting is not enabled.
Deprecation
-
The Keyfactor Java Agent will be deprecated in a future version of Keyfactor Command. Customers are encouraged to begin planning a migration to the Keyfactor Universal Orchestrator with the Remote File custom extension publicly available at:
Known Issues
-
EJBCA implementations that have a CA of type SSH CA in addition to CAs of type X.509 CA fail to synchronize the CAs of type X.509 CA, and the CAs of type X.509 CA cannot be validated from Keyfactor Command. You may see an error indicating a CA of type X.509 CA is missing an expiration date or an error similar to:
Error converting value {null} to type 'System.DataTime'. Path 'certificate_authorities[4].expiration_date'.line1 [etc]
This error occurs even if no attempt is made to add the CA of type SSH CA into Keyfactor Command. This will be corrected in a future release.
-
One-click certificate renewal (the Continue operation) fails if there is a case mismatch between the Active Directory forest name associated with the template record and the general Active Directory forest name used to contact Active Directory (e.g. keyexample.com and KeyExample.com). This will be corrected in a future release. Contact Keyfactor support (support@keyfactor.com) for a workaround if you need a solution before the fix is available.
-
Previous versions of Keyfactor Command supported mutual TLS configurations of client certificate authentication for the Keyfactor Universal Orchestrator by relying on IIS authentication modules wherein client certificates either mapped to an Active Directory user based on a set of rules or the requester of the certificate was looked up in Kerberos. Support for these methods was removed in Keyfactor Command v11.0. This has been replaced by a native client certificate authentication capability (see Appendix - Set up the Universal Orchestrator to Use Client Certificate Authentication Directly). Customers upgrading from a previous client certificate authentication deployment that relied on mutual TLS will need to re-approve all relevant orchestrators as their orchestrator identities will most likely have changed. The only case in which orchestrator identities would not change would be if, in the previous configuration, the certificate CN was set to the username of the user authenticating to Keyfactor Command as the orchestrator.
API Endpoint Change Log
Please review the information in the API Change Log for this release carefully if you have implemented any integration using these endpoints: