Incremental Release 9.2 Notes
October 2021
New Features
UI Support for PAM CA Password Entry 
-
What problem does it solve?
The API
A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. previously supported the entry of certificate authority A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. passwords to be stored within a Privileged Access Management (PAM) instance, but the UI did not implement this functionality. -
How does it work?
The certificate authority editor dialog allows for entry of a password to be stored in a PAM instance.
-
What’s the benefit?
Flexibility: Allows for multiple ways to securely store and manage certificate authority passwords
Custom Orchestrator Bulk Scheduling
-
What problem does it solve?
Custom orchestrator
Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. jobs can currently only be scheduled individually. -
How does it work?
An API endpoint
An endpoint is a URL that enables the API to gain access to resources on a server. (POST OrchestratorJobs/Custom/Bulk) has been created to implement bulk schedules. The job identifiers along with the desired schedule can be provided in a single call. -
What’s the benefit?
Ease-of-Use: Enables administrators to easily schedule large batches of custom orchestrator jobs.
Updates and Improvements
-
CA Management with PAM
When configuring the Use Explicit Credentials option on a CA
A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA., you can now choose a PAM provider as the storage location for the credential password or the Keyfactor secrets table. -
Logi Analytics License
A new license for Logi Analytics is required as the previous version is expiring. The 9.2 release includes the license update. Please see Updating Logi Analytics License for more information.
-
CSR Parsing Containing Spaces
CSRs containing spaces can now be parsed successfully during enrollment
Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA).. -
Robust SSL Certificate Parsing Error Handling
Certificates that fail to be parsed during SSL
TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. scanning are now logged but do not cause the entire scan to immediately fail. -
Robust Alert Failure Error Handling
A failure processing an alert no longer prevents processing of subsequent alerts.
-
Hidden Metadata Enrollment Fields
Metadata
Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In the context of Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information about certificates. fields which are hidden during the enrollment process are now displayed properly in the resulting certificate details. -
Collection-based Reports Failing
Reports based on collections containing Revocation, Certificate State or Common Name
A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com). no longer fail. -
Incorrect CSR Enrollment CA
The proper forest
An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers. certificate authority is used for enrollment when using the API to enroll via CSR A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA.. -
Denied Alerts Template
The Denied Certificate Request alerts are once again properly scoped to the selected template
A certificate template defines the policies and rules that a CA uses when a request for a certificate is received.. This was a regression from a previous release. -
Java & C Agent Inventory Error
An error was corrected in which an error was thrown if no entry updates were returned during inventory processing.
-
Orchestrator/Agent Re-Enrollment Error
Fixed an issue in which an object reference error was thrown during re-enrollment operations.
-
Orchestrator Ceases Processing after Batch Submission
Corrected an issue in which the orchestrators would cease processing after submission of a large batch of SSL results.
Updating Logi Analytics License
Logi is a 3rd party BI tool which is used by Keyfactor Command for its dashboard and report features. The license required for Logi is integrated into Keyfactor Command and resides within the product’s Logi folder. The license’s current term is 3 years with a 7-day grace period after expiration. During that grace period, an alert will appear, and a new license should be used to remediate the issue. Here are two examples:
-
License close to expiration:
Figure 581: Keyfactor Logi License Expiration Alert
Dashboard:
Figure 582: Keyfactor Logi License Expiration Alert on the Dashboard
Report:
Figure 583: Keyfactor Logi License Expiration Alert on Report
-
Expired license:
The Dashboard and Reporting capability is not available with an error message displayed like the one below.
Figure 584: Keyfactor Expired Logi Error Message
Solution
The updated license for Logi is included in release 9.2 and will be installed automatically as part of the upgrade to or fresh installation of this version. If you are not installing Keyfactor Command v9.2, replace the license manually as follows:
-
On your Keyfactor Command server, navigate to the Logi folder in your Keyfactor Command instance. By default, this is:
C:\Program Files\Keyfactor\KeyfactorPlatform\LogiIf you are on an earlier version of Keyfactor Command your license file will by default be found in the following directory:
C:\Program Files\Certified Security Solutions\Certificate Management System\Logi] - The license file ends with an extension of .lic. Replace the license file with a valid one provided to you by Keyfactor. The license filename cannot be changed and should remain as "lgx120102.lic".
If the license has already expired, once it is replaced with a valid one and the browser is refreshed, the product will work as expected. The alert will no longer appear.
If you upgrade to a version of Keyfactor Command prior to v9.2 after replacing the license file, you will need to manually add the new license file again.
API Endpoint Change Log
The following changes were made to the API endpoints. Please review these carefully if you have implemented any integration using these endpoints.
Table 776: API Change Log
| Endpoint | Methods | Action | Notes |
|---|---|---|---|
| /Certificates | GET | Fix | No longer fails if a collection The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). id is not provided. |
| /OrchestratorJobs/JobHistory | GET | Fix | Request no longer fails for ‘Dynamic’ job types. |
| /Reports/Schedules/{id} | DELETE | Fix | Response code is now 200 when the user role does not have Modify – Report permission. |
