2025 Monthly Release - 25.2.2 Notes
October 2025
Keyfactor announces Keyfactor Command 25.2.2 which includes some fixes.
Please refer to Keyfactor Command Upgrading for important information about the upgrade process. For a complete list of the items included in this release, see Release Note Details v25.2.2. For gateway and CA Connector Client release notes, see:
- CA Connector Client Release Notes
- Keyfactor Cloud Gateway Release Notes
- Keyfactor Windows Enrollment Gateway Release Notes
- Keyfactor AnyCA Gateway DCOM Release Notes
- Keyfactor AnyCA Gateway REST Release Notes
Fixes
- Fixed: When a certificate store management job is created (e.g., add certificate to a certificate store), if the certificate store does not have an existing inventory job, one is created with a daily schedule at the beginning of the next hour.
- Fixed: Security role names can now be edited without error if the newly entered name is not already in use by another role.
- Fixed: ODKG enrollment now works correctly when the Display CA Hostname application setting is toggled off.
- Fixed: Security roles containing Active Directory users or groups that have been deleted in Active Directory can now be edited and updated in Keyfactor Command.
- Fixed: Adding a multiple choice field to an existing certificate store type with existing certificate stores no longer populates the existing certificate stores with all the added multiple choice values.
- Fixed: On changing the type of a metadata field midway through creating it, only the fields that pertain to the new metadata type will be saved.
Known Issues
- Searches for workflow instances using the InitiatingUserName query parser fail with an “invalid column name” error. This will be corrected in a future release.
- On upgrade from an implementation prior to the introduction of enrollment patterns, enrollment patterns generated for any templates from CAs managed using a Keyfactor Universal Orchestrator will result in an error similar to the following when the CA/template cache attempts to build:
  Unable to retrieve templates from CA 'CorpIssuingCA1.keyexample.com\CorpIssuingCA1': The RPC server is unavailable. (0x800706BA)
  An enrollment pattern is automatically generated on upgrade for any certificate template for which at least one of the following is true:
  - CSR Enrollment, PFX Enrollment, or CSR Generation is enabled.
  - Restrict Allowed Requesters is enabled and at least one security role is configured in Allowed Request Security Roles.
  - One or more custom values are defined on the Enrollment Fields tab.
  - One or more regular expressions are defined on the Enrollment RegExes tab other than the default value of .+ for Common Name.
  - One or more default values are defined on the Enrollment Defaults tab.
  - Any policies that differ from the system-wide policies are configured.
  The Keyfactor Universal Orchestrator does not support certificate enrollment, so no enrollment patterns are required for templates from CAs managed with the orchestrator. To work around this error, remove any enrollment patterns generated for these templates after upgrade. This was corrected in release 25.3.
API Endpoint Change Log
Please review the information in the API Change Log for this release carefully if you have implemented any integration using these endpoints: API Change Log v25.2.2.