Hot Fix Release 10.4.6 Notes
September 2023
Updates and Fixes
- Update: The data field sizes for the certificate subject field were increased to support re-enrollment jobs for certificates with long subjects.
- Fix: CA synchronizations were hanging with the following error when a corrupted certificate request (for example, a Pending or External Validation record with no CSR) was encountered:
  Keyfactor.CertificateAuthorityClient.Microsoft.MicrosoftClient [Error] - Value cannot be null.Parameter name: inArray
- Fix: In an environment with a large number of certificate store containers where the orchestrator user did not have global certificate store read permissions, SSL scan times could be excessively long during the certificate import step. This was due to frequent permission check queries on the containers. This hotfix removes unneeded checks. A workaround is to grant the account running the orchestrator the Certificate Store Management: Read permission.
- Fix: Workflow instance details for an enrollment request with multiple SANs of the same type were only displaying the last SAN in the Management Portal. This was limited to the Management Portal, as the Keyfactor API returned the correct data.
- Fix: CSR enrollment with a CSR that included SAN data was also adding any SANs that were provided separately on the CSR enrollment page of the Management Portal, rather than replacing the SANs from the CSR with those entered on the CSR enrollment page. The proper behavior is that the enrollment should use only the SANs entered on the CSR enrollment page of the Management Portal if they are provided. If they are not provided on the CSR enrollment page of the Management Portal, the SANs in the CSR will be used on the certificate.
- Fix: SANs entered on the CSR enrollment page of the Management Portal or outside the CSR through the Keyfactor API were not displayed in the workflow instance details page.
- Fix: If the Allow CSR SAN Entry application setting was set to false, the Keyfactor API still allowed SANs to be sent in with the certificate request outside of the CSR.
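The SAN rules from the CSR enrollment fixes above can be turned into an audit check for certificates issued before the hotfix. This is an added example, not Keyfactor code: the record layout, function names and finding labels are hypothetical, and the sample records are constructed.

```python
# Added example: record layout and names are hypothetical, not the
# Keyfactor API schema. SANs are (type, value) pairs.

def norm(sans):
    """Normalize SANs so comparisons ignore case in types and DNS names."""
    out = set()
    for kind, value in sans:
        kind = kind.strip().lower()
        value = value.strip()
        out.add((kind, value.lower() if kind == "dns" else value))
    return out

def expected_sans(csr_sans, request_sans, allow_csr_san_entry):
    """SANs the certificate should carry under the fixed rules."""
    if allow_csr_san_entry and request_sans:
        return norm(request_sans)   # replace the CSR's SANs, never append
    return norm(csr_sans)           # otherwise only the CSR's SANs count

def audit(record, allow_csr_san_entry):
    """Return findings for one enrollment record; an empty list is consistent."""
    csr, req = norm(record["csr_sans"]), norm(record["request_sans"])
    issued = norm(record["issued_sans"])
    expected = expected_sans(record["csr_sans"], record["request_sans"],
                             allow_csr_san_entry)
    findings = []
    extra = issued - expected
    if extra and not allow_csr_san_entry and extra <= req:
        findings.append(("setting-bypass", sorted(extra)))     # setting was ignored
    elif extra and allow_csr_san_entry and req and extra <= csr:
        findings.append(("appended-csr-sans", sorted(extra)))  # append, not replace
    elif extra:
        findings.append(("unexplained-san", sorted(extra)))
    missing = expected - issued
    if missing:
        findings.append(("missing-san", sorted(missing)))
    return findings

# Constructed sample records (not real data).
OLD, NEW = ("dns", "old.example.com"), ("dns", "new.example.com")
SAMPLES = {
    "appended": {"csr_sans": [("DNS", "OLD.example.com")],
                 "request_sans": [NEW], "issued_sans": [OLD, NEW]},
    "replaced": {"csr_sans": [OLD], "request_sans": [NEW], "issued_sans": [NEW]},
    "csr_only": {"csr_sans": [OLD], "request_sans": [], "issued_sans": [OLD]},
}
```

Run `audit` with the value the Allow CSR SAN Entry setting had when the certificate was issued; any finding marks a certificate whose SANs should be reviewed.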
Deprecation
- The Classic API will be deprecated in Keyfactor Command version 11.0. All existing uses of the Classic API should be migrated to use Keyfactor API prior to upgrading to Keyfactor Command version 11. If these applications cannot be updated to the newer endpoints then the Allow Deprecate API Calls setting must be set to False (see Application Settings: API Tab in the Keyfactor Command Reference Guide). Otherwise, Keyfactor recommends that these endpoints be disabled to reduce exposure to unauthorized or unintended use.
- The Keyfactor Java Agent will be deprecated in a future version of Keyfactor Command. Customers are encouraged to begin planning a migration to the Keyfactor Universal Orchestrator with the Remote File custom extension publicly available at:
API Endpoint Change Log
Please review the information in the API Change Log for this release carefully if you have implemented any integration using these endpoints:
Table 119: API Change Log
Endpoint | Methods | Action | Notes |
---|---|---|---|
/Enrollment/CSR | POST | Fixed | Includes SANs entered outside the CSR only when the Allow CSR SAN Entry application setting is set to true. SANs entered outside the CSR replace SANs in the CSR rather than appending to SANs from the CSR. |
/Workflow/Instances | GET | Fixed | Includes SANs entered outside the CSR in workflow instance details. |
/Workflow/Instances/AssignedToMe | GET | Fixed | Includes SANs entered outside the CSR in workflow instance details. |
/Workflow/Instances/My | GET | Fixed | Includes SANs entered outside the CSR in workflow instance details. |
/Workflow/Instances/{instanceId} | GET | Fixed | Includes SANs entered outside the CSR in workflow instance details. |