2026 Monthly Release - 25.5 Notes
March 2026
Keyfactor is pleased to announce the release of Keyfactor Command 25.5, featuring major new enhancements.
Please refer to Keyfactor Command Upgrading for important information about the upgrade process. For a complete list of the items included in this release, see Release Note Details v25.5. For gateway and CA Connector Client release notes, see:
- CA Connector Client Release Notes
- Keyfactor Cloud Gateway Release Notes
- Keyfactor Windows Enrollment Gateway Release Notes
- Keyfactor AnyCAGateway DCOM Release Notes
- Keyfactor AnyCA Gateway REST Release Notes
Updates & Fixes
- Update: Workflow configuration has been enhanced to support assigning multiple keys—such as certificate collections or certificate templates—to a single workflow. This eliminates the need to duplicate workflows for similar use cases.
- Update: Workflow definition management is now separated from workflow step design. A new Configure Steps action manages the workflow name, description, and key assignments, while the workflow workspace is dedicated to defining workflow steps.
- Update: Expiration, revocation monitoring, and SSH key rotation alerts now all support selecting a workflow definition via dropdown or adding a new workflow when adding or editing an alert.
- Update: Keyfactor Command and the Keyfactor CA Policy Module now both require .NET 10.0. Environments running earlier versions of .NET must upgrade before installing or upgrading.
- Update: The Universal Orchestrator now requires .NET 10.0. Environments running earlier versions of .NET must upgrade before installing or upgrading.
- Update: Workflow steps of type Require Approval now support either tokens or static security roles as approvers, allowing the security role(s) to be populated at runtime. The token can be populated using a step earlier in the workflow. For example, the Owner Role Name set on an enrollment request can be retrieved using a Set Variable Data workflow step and populated into a custom $(ApproverRole) token.
- Update: SQL optimizations have been implemented to improve response times in many areas of the Management Portal and the Keyfactor API.
- Update: A new application setting, Use Command Certificates in Chain Building, has been added. When turned off, CA certificates stored in the database are excluded from chain building during certificate download.
- Update: Helm chart versions for Keyfactor Command and the Universal Orchestrator now match their corresponding product versions. Previously, chart versions used a separate numbering scheme (e.g., chart version 2 with product version 24.5), which could cause confusion when selecting versions.
- Fixed: Certificate history for certificate store operations using custom certificate store types now reflects the correct type and number of operations when a certificate is added to or removed from a certificate store.
- Fixed: Loading and sorting the audit log grid with a large number of audit records by no longer causes significant delays.
- Fixed: The certificate cleanup job has been optimized to process more efficiently in environments with more than 2 million certificates.
- Fixed: Certificates now correctly synchronize from the AnyCAGateway REST into Keyfactor Command.
Deprecation & Removals
- The license for the Logi Analytics Platform, used by the Keyfactor Command dashboard and reports, will expire on November 28, 2027 and will not be renewed. Customers who have not upgraded by that date to Keyfactor Command 26.2.1 (when the new reports and dashboards will be available) or later will no longer be able to use the dashboard or reports.
Known Issues
- Searches for workflow instances using the InitiatingUserName query parser fail with an “invalid column name” error. This will be corrected in a future release.
- If the application setting Only use Alphanumeric Characters is turned on, entering non-alphanumeric characters during PFX enrollment results in an incorrect error message. The message indicates a password length issue rather than invalid characters. This issue will be corrected in a future release.
- Email messages generated by alerts or workflows no longer automatically insert line breaks when HTML content is present. Line breaks must be explicitly defined using HTML tags such as <br>, <br/>, or <p> </p>.
- If a custom certificate store type field is marked Required, a Default Value must currently be specified in the definition. This behavior will be revised in a future release.
- If an HTTPS CA certificate template name contains a forward slash (/), the template cannot be imported into Keyfactor Command. For EJBCA integrations, this applies to both certificate profiles and end entity profiles. An error is returned during import and the template is not created. This issue will be addressed in a future release.
API Endpoint Change Log
Please review the information in the API Change Log for this release carefully if you have implemented any integration using these endpoints: API Change Log v25.5.