Release Notes

Keyfactor announces the AnyCAGateway DCOM 24.4, which includes fixes to pending requests and logging. Only those releases with documentation updates are included in the Release Notes section.

AnyCAGateway DCOM v24.4 (December 2024)
  • Fixed: Pending requests to the AnyCAGateway DCOM now show the requested SANs in Keyfactor Command

  • Fixed: The logging package is now consolidated across all of the AnyCAGateway DCOM installation.

AnyCAGateway DCOM v24.2 (June 2024)
  • Update: Certificate requests with an external validation status now return free-form data provided by the CA in the enrollment response to Keyfactor Command. This data is placed in a workflow data bucket field called EnrollmentContext, which is a dictionary of the returned data. In the Keyfactor Command enrollment workflow the returned data can then be accessed and manipulated as needed using other workflow steps.

  • Update: The gateway now uses the AES 256 algorithm for application-level encryption of secrets, making it FIPS-compliant. This applies to the database connection string and any encrypted data in the registry. On upgrade, data other than the connection string is re-encrypted as it is configured. The Set-KeyfactorGatewayDatabaseConnection cmdlet must be re-run to re-encrypt the connection string. Keyfactor also recommends re-running the Set-KeyfactorGatewayEncryptionCertificate and Set-KeyfactorGatewayConfiguration cmdlets for completeness. No other user action is required to bring the system into FIPS-compliance.
  • Update: The Keyfactor logo has been updated in the configuration wizard.
  • Update: The CertificatePruningConfiguration input to the gateway configuration now has a default value of Disabled. Users are no longer required to provide a value in the configuration file if this default is acceptable. If no value is provided, a debug-level message is written to the log stating:

    No value for CertificatePruningConfiguration was provided. Certificate pruning will be disabled by default.
  • Fix: Under certain circumstances, when the gateway synchronized certificates from the CA to the gateway database with the same CARequestID but with a different certificate on subsequent syncs (in the case of a renewed certificate, for example), the original certificate was overwritten in the gateway database with the new certificate. This has been corrected. If a different certificate with the same CARequestID is found on synchronization, it will not be synchronized. The original certificate will be retained. The following message will be logged:

    CA sync returned a certificate with thumbprint <NewThumbprint> for record <CARequestID>. The gateway database already has a certificate with thumbprint <OldThumbprint> for record <CARequestID>. The existing certificate will be preserved.
  • Fix: The CertificatePruningConfiguration field in the gateway configuration file was case sensitive, so input values in lowercase were not accepted. The values are now case insensitive.

  • Fix: Upgrade script 23.4.0.1 was failing to run on upgrading to gateway version 24.1.
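
An added example (not Keyfactor code): a Python scan of gateway log lines for the preserved-certificate message from the synchronization fix above, listing per CARequestID which thumbprint was kept and which certificates returned by the CA were skipped, so those records can be reviewed. The timestamp prefix, thumbprints and record IDs are constructed sample data; the pattern assumes the message appears exactly as quoted in the release note.

```python
import re

# Pattern built from the message text quoted in the v24.2 release note.
# Assumptions: thumbprints are hex strings; the record ID contains no whitespace.
SYNC_CONFLICT = re.compile(
    r"CA sync returned a certificate with thumbprint (?P<new>[0-9A-Fa-f]+) "
    r"for record (?P<rec>\S+)\. The gateway database already has a certificate "
    r"with thumbprint (?P<old>[0-9A-Fa-f]+) for record (?P<rec2>\S+)\. "
    r"The existing certificate will be preserved\."
)

def find_sync_conflicts(lines):
    """Map CARequestID -> preserved thumbprint, skipped thumbprints, hit count."""
    conflicts = {}
    for line in lines:
        m = SYNC_CONFLICT.search(line)
        # Ignore unrelated lines and malformed ones where the two IDs disagree.
        if not m or m["rec"] != m["rec2"]:
            continue
        entry = conflicts.setdefault(
            m["rec"], {"preserved": m["old"].upper(), "skipped": [], "hits": 0}
        )
        entry["hits"] += 1  # the message repeats on every sync until resolved
        new = m["new"].upper()
        if new not in entry["skipped"]:
            entry["skipped"].append(new)
    return conflicts

# Constructed sample input: the prefix format and all values are made up.
OLD, NEW1, NEW2 = "a1" * 20, "B2" * 20, "C3" * 20
MSG = ("CA sync returned a certificate with thumbprint {new} for record {rec}. "
       "The gateway database already has a certificate with thumbprint {old} "
       "for record {rec}. The existing certificate will be preserved.")
SAMPLE_LOG = [
    "2024-06-11 02:00:01 Starting CA synchronization",
    "2024-06-11 02:00:03 " + MSG.format(new=NEW1, rec="1001", old=OLD),
    "2024-06-12 02:00:03 " + MSG.format(new=NEW1, rec="1001", old=OLD),
    "2024-06-13 02:00:04 " + MSG.format(new=NEW2, rec="1001", old=OLD),
    "2024-06-13 02:00:05 " + MSG.format(new=NEW2, rec="2002", old="D4" * 20),
]

if __name__ == "__main__":
    for rec, info in find_sync_conflicts(SAMPLE_LOG).items():
        print(f"record {rec}: kept {info['preserved']}, "
              f"skipped {len(info['skipped'])} certificate(s), "
              f"seen {info['hits']} time(s)")
```
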

AnyCAGateway DCOM v24.1 (February 2024)
AnyCAGateway DCOM v23.4 (November 2023)
  • Update: Informational logging from the AnyCAGateway DCOM has been improved to provide greater insight into the functionality and health of the system.

    Informational messages will now be logged during the AnyCAGateway DCOM startup containing the gateway version, ICAConnector version and implementation, and the database connection string with any passwords redacted.

  • Update: The AnyCAGateway DCOM configuration now offers a means to provide a pre-formatted SQL connection string to be populated with the proper details during the configuration process.

    An optional parameter called ConnectionStringTemplate has been defined in the Set-KeyfactorDatabaseConnection cmdlet. If provided, this value will be used as the default connection string. The other values—such as database name and server—are substituted after the template string is set.

    Note that the default connection string is used if the ConnectionStringTemplate parameter does not have a value.

  • Fix: A memory leak has been addressed to properly release memory after AnyCAGateway DCOM enrollments. Several contributing factors were addressed as part of this fix.

    One issue involved a new template reader object which was being initialized for every request and re-downloading the associated templates. This caused high memory usage under heavy enrollment load.

    The other factor was due to an event handler object being unregistered improperly, preventing most of the objects created—including the template readers—from being garbage-collected. For this reason memory usage remained high even when the load subsided.

    Also note that template information is now properly cached and as a result template changes made in Active Directory may not be available for up to 10 minutes. This time span is not configurable.

  • Fix: An issue was addressed in which the DatabaseManagementConsole application was not properly configuring the SQL Authentication permissions. The --service-user and --service-password parameters are now properly applied during configuration.

    Note that this issue was only applicable to explicit SQL authentication to SQL and does not apply to other types of authentication methods (e.g. Windows Authentication).

  • Fix: An issue was fixed in which the AnyCAGateway DCOM was recording an object reference error for cases of failed enrollment requests. This was due to a failed request not having a CA request identifier. The log now properly reports the cause of the failed enrollment without the object reference error.

AnyCAGateway DCOM v23.3 (August 2023)
AnyCAGateway DCOM v22.1 (August 2022)
  • Update: The validation done by the CA connector now validates not only that there are CAs, but that the CA name provided exists.

  • Update: When a template that populates from AD is mapped in the gateway, the gateway must establish a connection to a valid Keyfactor Command instance to ensure there is a license (see Build from AD Template).

AnyCAGateway DCOM v20.11 (November 2020)
  • Update: The AnyCAGateway DCOM Database Management Console tool now supports input of parameters in three different ways—command-line flag, JSON configuration file, or environment variable (see Overview of the Database Management Console).

AnyCAGateway DCOM v20.9 (September 2020)
  • Update: The AnyCAGateway DCOM supports multi-tenancy, which allows one installation of the AnyCAGateway DCOM to connect to multiple third party CAs as long as all the CAs are of the same type.

  • Update: The AnyCAGateway DCOM provides the option to implement multiple AnyCAGateway DCOM servers using clustering for a highly available and redundant implementation. This option relies on Microsoft Failover Clustering and a shared storage solution (such as a NAS).

  • Update: The AnyCAGateway DCOM now utilizes a SQL database.