2025 First Quarterly Release - 25.1.1 Notes

April 2025

Keyfactor announces Keyfactor Command 25.1.1, which includes some major new features and updates such as enrollmentClosed Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). patterns, which provide flexibility for enrollment, clarification of the reenrollment function with a rename to on-device key generation and expanded availability, and a new certificate cleanup task.

Tip:  Keyfactor recommends that you check the Keyfactor GitHub Site (https://keyfactor.github.io/integrations-catalog/) with each release that you install to check if you will need to download the updated orchestrators to work with that version of Keyfactor Command.

Please refer to Keyfactor Command Upgrading for important information about the upgrade process. For a complete list of the items included in this release, see Release Note Details v25.1.1. For gateway and CA Connector Client release notes, see:

Highlights
Changes & Improvements
Fixes
Deprecation & Removals
  • The license for the Logi Analytics Platform, used by the Keyfactor Command dashboard and reports, will expire on November 28, 2027 and will not be renewed. Customers who have not upgraded to Keyfactor Command 25.3 or later by that date will no longer be able to use the dashboard or reports.
Known Issues
  • The PermissionSetId in /IdentityProviders/ endpoint responses is shown inconsistently for different verbs. For PUT it is not among the response parameters. For GET and POST it is among the response parameters. This will be corrected in a future release.

  • A workflow with a step of type Send Email generates an unhelpful error if the email address resolves to null. This will be corrected in a future release.

  • The ML-DSA information in Logi reports may be slightly incorrect due to the differences between new and old OIDs because the following algorithms have switched their underlying OIDs: ML-DSA-44, ML-DSA-65, ML-DSA-87. Reports will be updated in a future release.

  • An incomplete error message is sent when Test SMTP Fails. This seems to be a known issue on Google’s side. The page link that is missing in some messages should be: https://support.google.com/a/answer/3726730?hl=en.

  • On a PFX enrollment where Include Chain is selected, if the certificate chain cannot successfully be built, an error message pops up indicating a chain building error. However, the certificate is still issued. Because of the error message format, users may think that the certificate was not issued. This will be clarified in a future release.

    Note:  In order for chain certificates to be included with end entity certificates for download, one of the following must be true:
  • If a certificate store inventory is performed and a certificate is found (not in the database) and the template of the certificate does not have a default enrollment pattern, the certificate will be imported but will not be associated to the certificate store. The workaround is to perform a second inventory and this will tie the certificate to the store. This will be fixed in version 25.2.

  • Searches for workflow instances using the InitiatingUserName query parser fail with an “invalid column name” error. This will be corrected in a future release.

API Endpoint Change Log

Please review the information in the API Change Log for this release carefully if you have implemented any integration using these endpoints:API Change Log v25.1.1.