Quarterly Release 24.4 Notes
January 2025
Keyfactor announces Keyfactor Command 24.4, which includes some major new features and updates such as support for container-based installation, post-quantum cryptography, and local PAM provider secret management.
Please refer to Keyfactor Command Upgrading for important information about the upgrade process. For a complete list of the items included in this release, see Release Note Details v24.4. For gateway and CA Connector Client release notes, see:
- CA Connector Client Release Notes
- Keyfactor Cloud Gateway Release Notes
- Keyfactor Windows Enrollment Gateway Release Notes
- Keyfactor AnyCAGateway DCOM Release Notes
- Keyfactor AnyCA Gateway REST Release Notes
Highlights
Keyfactor Command Installation in a Container
- Keyfactor Command now offers container installation under Kubernetes using a Helm chart as an installation option. This can be supported either in a local Kubernetes cluster or a cloud-based cluster. When implemented as a container installation, Keyfactor Command is made up of seven containers using a Microsoft SQL backend database, plus additional containers during installation and as needed for optional functionality.
- Container installations support application-level encryption using either a raw AES key, which can be stored in an Azure Key Vault, or Fortanix HSM.
- Keyfactor Command functionality that is supported for Windows installations under IIS is available for container installations under Kubernetes with just a few exceptions, including:
  - Direct communication with Microsoft CAs is not supported. A Keyfactor CA Connector Client is required to facilitate communication.
  - SSH management with Keyfactor Command is not supported.
  - Using Active Directory as an identity provider for Keyfactor Command is not supported.
  - Credential delegation is not supported.
  - PowerShell scripts run within Keyfactor Command workflows do not support PowerShell 5.1.
  - The Save Report to File option is disabled in the Report Manager > Schedule dialog.
Support for Post-Quantum Cryptography (PQC)
- Keyfactor Command now supports generation of hybrid CSRs (CSRs containing both a standard key as the primary and a secondary post-quantum key) and generation of certificates using hybrid CSRs through CSR Enrollment. Both fully post-quantum certificates (a certificate with a single, primary post-quantum key) and hybrid certificates (a certificate that uses a non-PQC primary key paired with an alternative key algorithm such as ML-DSA-44, ML-DSA-65, or ML-DSA-87) can be synchronized into and downloaded from Keyfactor Command. Both post-quantum and hybrid certificates may be uploaded into Keyfactor Command through Add Certificate, though post-quantum certificates are supported for upload without private keys only. Hybrid certificates are supported for upload as long as the primary key uses an RSA, ECC, Ed448, or Ed25519 algorithm. Hybrid certificates include both primary and alternative versions of the key size, key type, public key, and signing algorithm fields. Supported key types in the primary key type field are:
  - Unknown
  - RSA
  - DSA
  - ECC
  - DH
  - Ed448
  - Ed25519
  Supported key types in the alternative key type field are:
  - Unknown
  - ML-DSA-44
  - ML-DSA-65
  - ML-DSA-87
Local PAM Provider Secret Management
- PAM secrets for the Keyfactor Command local database PAM type can now be managed through the Keyfactor Command Management Portal, in addition to the Keyfactor API endpoints. The secrets can be added, updated, and removed, but not read, from this interface. These PAM secrets can then be used wherever PAM can be used within Keyfactor Command. This offers a centralized management solution for secrets for certificate stores, CAs, CA Connector task queues, identity providers, and workflows.
Changes & Improvements
Application Settings
- The API Throttling Interval (seconds) application setting has been removed.
- Application settings can only be updated one tab at a time. Save or Undo the settings on one tab before moving to another tab.
- Application settings now use toggles instead of true/false radio buttons.
- There is a new application setting that applies to SSH server auto-registration: Agents > SSH > Auto Register. The agent auto-registration functionality has been removed for most job types and is now controlled by this application setting for SSH only.
- There are two new application settings that apply to downloading certificates and to include-chain behavior with PFX enrollment and certificate download:
  - Enrollment > General: Include Chain by default
  - Enrollment > PFX: Include Private Key by default
CA Connector and Task Queue
- The task queue for RabbitMQ for use with the CA Connector now supports managing secrets with PAM.
- The task queue configuration settings have been moved from the Certificate Authorities page to their own page under System Settings.
Certificate Metadata
- A certificate metadata field may now be deleted in the Management Portal even if it is in use (certificates exist in the database with a value configured for this metadata field). If the field is in use, you will be prompted to confirm the deletion.
Certificate Search and Collections
- The Include Chain option for certificate download now requires that all certificates in the chain of trust are available in the Keyfactor Command database. Previously, the Keyfactor Command local machine certificate store would be searched for chain certificates, but this is no longer the case.
- The certificate download dialog has been redesigned to be format forward, with other selections in the dialog based on the format selected at the top of the dialog.
- The EKU details dialog in the certificate details now lists multiple EKUs in list format (multiple lines).
- The certificate details and EKU details dialog in the certificate details now list OIDs for EKUs without a display name.
- The Add Certificate option now supports uploading certificates in PEM format.
Certificate Stores and Certificate Store Types
- A new Certificate Format option can be configured on certificate store types to determine whether certificates delivered to the orchestrator are sent in PEM or PFX format. PEM format is required if any hybrid certificates will be delivered to the orchestrator, since the PFX format does not support multiple keys. The PEM format requires the Keyfactor Universal Orchestrator version 24.4 or later. On upgrades, this value is set to PFX for all existing certificate store types.
- Certificate store inventory jobs can now be scheduled to run on a monthly basis (on the 1st through 27th of a month).
Certificate Templates
- The maximum regular expression length for template-level regular expressions has been extended to 4000 characters, matching the maximum regular expression length for system-wide template regular expressions.
Database
- Windows installations under IIS now support application-level encryption using a raw AES key as an option. This is intended primarily as a migration step for container installations under Kubernetes.
Dashboard and Reports
- The Expiration Report by Days report now includes Renewed On (UTC) and Latest Thumbprint columns, indicating the date and time on which the certificate was renewed, if applicable, and the thumbprint of the renewed (replacement) certificate.
Documentation
- Documentation for the CA Connector Client, Keyfactor Cloud Gateway, Keyfactor Windows Enrollment Gateway, AnyCAGateway DCOM, and AnyCAGateway REST has been incorporated into the main documentation suite for this release and is available from the left menu. The search in the documentation suite now incorporates these guides, and filters have been added to search just these guides, if desired.
Enrollment
- Keyfactor Command supports all the ECC curves supported by EJBCA. New ECC curves were added to the system-wide and template-level policy settings, and two new parameters were added to the API.
- CSR enrollment now supports enrolling for requests containing SANs of type Other Name.
- CSR enrollment now supports enrolling for requests containing large numbers of SANs: exceeding 4k characters against Microsoft CAs, assuming the Microsoft CAs have been configured to support this, and exceeding 2000 characters against an EJBCA CA, assuming the EJBCA has been configured to support this.
Installation and Configuration
- A new database upgrade tool has been introduced that allows you to upgrade the Keyfactor Command database as a separate step prior to upgrading the Keyfactor Command software, or to run a test upgrade on a restored copy of the database to confirm that a database upgrade will complete successfully before going forward with a full upgrade. Log messages for the new database upgrade tool are saved to C:\Keyfactor\logs\Command_DBUpgradeToolconfig_Log.txt by default.
- The configuration wizard now supports PAM secrets. The Authentication tab > Identity Provider client secret, SMTP user and password, and CA Connector basic auth password fields have been updated to allow choosing between a Keyfactor secret and a PAM provider.
Keyfactor Universal Orchestrator
- The orchestrator can now receive certificates in either PEM or PFX format. See also Certificate Stores and Certificate Store Types.
Logging and Auditing
- When a user logs in to or logs out of the Keyfactor Command Management Portal, an informational message is logged to the audit log.
.NET Updates
- The Keyfactor CA Policy Module has been updated to require .NET 8.
Orchestrator Management and Integrations
- When a custom IReenrollmentJobExtension implementation is used, the Alias information is available in all appropriate orchestrator jobs via the Job Properties.
- The built-in auto-registration feature has been removed for most orchestrator features, and the auto-registration page is no longer found in the Management Portal. Auto-registration is still supported for SSH servers. This functionality is managed with a new application setting, Agents > SSH > Auto Register. Custom auto-registration handlers are also still supported.
- The application settings for client certificate authentication have moved from the database to the appsettings.json for the orchestrator API.
- For the GET /Agents API endpoint, the AgentPlatform ID for the Windows Orchestrator and the Universal Orchestrator will now both appear as (1) .NET agents. A combination of VersionNumber and AgentPlatform can be used to distinguish between them in queries.
Reporting
- In a container environment, the Save Report to File option is disabled in the Report Manager > Schedule dialog. Save Report to File continues to be supported for .msi installs.
Security Roles and Claims
- Security claims that have become invalid (due to tampering, for example) may now be deleted.
Workflows and Alerts
- An expiration workflow Expiration Renewal Step uses the expiring certificate's CA and Template by default.
- An Encode As Plus Signs option has been added to revocation monitoring alerts of type CRL to toggle whether plus signs (“+”) in the Location URL are encoded as plus signs (%2B) or as spaces (%20). Plus signs are commonly used with delta CRLs.
- PowerShell 5.1 Compatibility Mode is disabled on non-Windows environments. This includes:
  - A new system notification to notify users if there are any workflows that have a Custom PowerShell step that uses PowerShell 5.1 and they are on a non-Windows environment.
  - A new tooltip when configuring a handler or step.
  - Any pre-24.4 workflows or alerts that had the option set to use PowerShell 5.1 will fail when upgrading to a Keyfactor Command instance that is in a container.
- Substitutable Active Directory-based special text tokens (for example, requester:mail or principal:displayname) are no longer supported in alerts. The base requester token remains available because it is not specific to Active Directory. Alerts configured to use requester:mail or principal:mail for message delivery will fail unless updated to use an alternate email address. Customers currently relying on these tokens should plan an alternative delivery method. The requester:mail token remains available for use in workflows, which can also query for additional data using PowerShell or REST API calls as needed. While Expiration alerts can be delivered via workflow, the Issued, Denied, and Pending alert types do not currently support this option.
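The Encode As Plus Signs option above decides whether a literal "+" in a CRL Location URL is sent as %2B or as %20, and the two forms can resolve to different files on a CRL distribution point (Microsoft CAs conventionally name delta CRLs with a trailing "+"). The following Python snippet is an added example, not Keyfactor code, that applies both encodings to constructed sample URLs so an operator can compare the results against what the distribution point actually serves; the host names and the function names encode_crl_location and both_encodings are assumptions.

```python
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Constructed sample CRL distribution point URLs (not taken from the release notes).
SAMPLE_LOCATIONS = [
    "http://pki.example.test/CertEnroll/Example CA+.crl",      # delta CRL, unencoded
    "http://pki.example.test/CertEnroll/Example%20CA%2B.crl",  # delta CRL, pre-encoded
    "http://pki.example.test/CertEnroll/Example CA.crl",       # base CRL, no plus sign
]

# Characters allowed unescaped in a URL path segment (RFC 3986 pchar minus
# percent-escapes). '+' is kept here so the option below can decide its fate.
_PATH_SAFE = "/:@!$&'()*+,;="


def encode_crl_location(url: str, encode_as_plus_signs: bool) -> str:
    """Return the URL with its path percent-encoded.

    A literal '+' in the path becomes '%2B' when encode_as_plus_signs is True
    (the plus sign is part of the file name) and '%20' when it is False (the
    plus sign is treated as a space). Scheme, host, query and fragment are
    passed through unchanged. The path is decoded first so that already
    encoded input ('%2B', '%20') is normalised rather than double-escaped.
    """
    parts = urlsplit(url)
    raw_path = unquote(parts.path)               # '%2B' -> '+', '%20' -> ' '
    path = quote(raw_path, safe=_PATH_SAFE)      # ' ' -> '%20', '+' untouched
    path = path.replace("+", "%2B" if encode_as_plus_signs else "%20")
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


def both_encodings(url: str) -> dict:
    """Return the URL under both settings, keyed by the option's meaning.

    Useful when checking which form a CDP web server actually resolves: fetch
    each candidate and confirm the delta CRL, not the base CRL or a 404, is
    returned for the one you configure.
    """
    return {
        "plus_signs": encode_crl_location(url, encode_as_plus_signs=True),
        "spaces": encode_crl_location(url, encode_as_plus_signs=False),
    }


if __name__ == "__main__":
    for location in SAMPLE_LOCATIONS:
        candidates = both_encodings(location)
        print(f"{location}\n  Encode As Plus Signs = on : {candidates['plus_signs']}"
              f"\n  Encode As Plus Signs = off: {candidates['spaces']}")
```

The base CRL sample is included to show that the option only matters when the Location URL actually contains a plus sign; for URLs without one, both settings produce the same string.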
Fixes
- The link to the Keyfactor API Reference and Utility (Swagger) now always uses the configured API virtual directory (for the authentication type being used).
- When editing an OCSP revocation monitoring location URL, the CA info no longer changes erroneously.
- On the Orchestrator Job Status page, the target information is consistent between the Scheduled Jobs tab and the Job History tab.
- When the Default Certificate Owner Role Name is set at the global or template level, it now appears as the default in the Owner Role Name field during PFX/CSR enrollment.
- The agent application setting Number of times a job will retry before reporting failure now applies to orchestrator Discovery jobs.
- For orchestrator jobs failing during configuration, the agent application setting Orchestrator Job History Limit now applies.
- Users now have the ability to limit visibility of certificate stores to a particular team, and allow them to schedule jobs from a collection based on the container permissions regardless of global permissions.
- The EKUName query field for certificates now correctly filters on the -notcontains and -ne operators to show only those certificates that do not have the specified EKU.
- Certificate renewal permissions now work correctly: if permissions are granted at the collection and container level but not the global level, the user can renew the certificate as long as the user has Schedule permissions to the container for the certificate store. If the certificate is not in a container, the user cannot renew it.
- The Key Usage field in the certificate details no longer displays as blank.
- RSA and ECC enrollments now succeed when Allow Public Key Reuse is disabled.
- One click renewal, expiration alert renewal, workflow certificate renewal, and the Keyfactor API /Enrollment/PFX/Replace method now correctly schedule a certificate store job when Keyfactor Command is configured with an OAuth identity provider, rather than producing an error indicating a duplicate or invalid user.
Known Issues
- CSR generation with an EJBCA template configured with extended key usage (EKU) is generated without the EKU information.
- EJBCA client authentication certificates with key algorithm ECDSA B-163/B-163/sect163r2 do not work with Keyfactor Command. This will be corrected in a future release.
- The Include Subject Header option is not available in the Certificate Downloads dialog (see Download) unless the Allow Custom Friendly Name application setting is enabled (see Application Settings: Enrollment Tab). This will be corrected in a future release. As a workaround, either enable the Allow Custom Friendly Name application setting or download certificates using the Keyfactor API (see POST Certificates Download or POST Certificates Recover), which is not affected by this issue.
- Searches for workflow instances using the InitiatingUserName query parser fail with an “invalid column name” error. This will be corrected in a future release.
API Endpoint Change Log
Please review the information in the API Change Log for this release carefully if you have implemented any integration using these endpoints: API Change Log v24.4.