Release Notes
Keyfactor announces the Keyfactor Windows Enrollment Gateway 24.2, which includes some updates such as FIPS compliance.
Windows Enrollment Gateway v24.2 (June 2024)
- Update: Invalid configuration warnings in the configuration wizard template mappings are now calculated up front, where possible, when the templates load rather than only as a user attempts to map a template. This allows multiple issues for a template to be displayed, if multiple issues exist, where previously only a single issue would be displayed and, once corrected, a second issue for the same template might appear (for example, CSR Enrollment is not enabled and the template is missing the correct extension data enrollment field). Some errors cannot be calculated until a user attempts a specific template mapping (for example, the local template has key type RSA while the remote template has key type Ed25519). On selecting a template for mapping, all discovered issues are displayed in the Validation Errors and Warnings dropdown and can be seen in a popup if you hover over the warning icon for the template with a warning. Remote templates with warnings only appear if you check the Include Invalid Templates box.
- Update: The gateway now uses the AES 256 algorithm for application-level encryption of secrets, making it FIPS-compliant. This applies to the OAuth client secret for making the connection to the Keyfactor API, if OAuth authentication is used; the Basic authentication username and password for making the connection to the Keyfactor API, if Basic authentication is used; and the Basic authentication username and password for account synchronization, if configured. On upgrade, information in these fields will be re-encrypted as it is configured. No user action is required to bring the system into FIPS compliance.
- Update: The Keyfactor logo has been updated in the configuration wizard.
- Fixed: The Web Proxy URL field on the Account Synchronization tab of the configuration wizard now correctly enforces validation of the URL.
- Fixed: Validation warnings that appeared duplicated in the configuration wizard on editing existing settings on the CA Config and Account Synchronization tabs have been corrected.
Windows Enrollment Gateway v24.1 (February 2024)
- Update: Authentication libraries updated to Keyfactor standard.
- Fixed: The logging level of the message stating “Successfully retrieved an access token” was moved from Info to Trace.
Windows Enrollment Gateway v23.4 (November 2023)
- Update: OAuth is now supported as one of the authentication options to connect to the managed instance of Keyfactor Command.
- Fixed: The gateway service now runs correctly when configured to run as a custom service account rather than Network Service.
Windows Enrollment Gateway v23.3 (August 2023)
- Update: During installation, on the template tab of the gateway configuration wizard, template validation logic checks that the template has CSR enrollment enabled. If CSR enrollment is not enabled, the template will not be valid for mapping and a validation error message will be displayed when adding the template.
- Update: Logging in the gateway has been improved for enrollment failure cases.
- Fixed: If the machine account of the server on which the gateway is installed is granted permissions for enrollment directly (as a machine account) on the Security tab of the configuration wizard, enrollments via the gateway from the gateway server using an enrollment method that operates in the context of the machine account (e.g. the certificates MMC for the local computer store) will not be possible because templates from the gateway will not appear for enrollment. To work around this issue, grant the gateway server enrollment permissions via group membership rather than directly.
- Fixed: Changes to a certificate template at the CA level were not reflected by the gateway until a restart of the gateway service.
Windows Enrollment Gateway v23.1 (June 2023)
- Initial release
- Known Issue: If the machine account of the server on which the gateway is installed is granted permissions for enrollment directly (as a machine account) on the Security tab of the configuration wizard, enrollments via the gateway from the gateway server using an enrollment method that operates in the context of the machine account (e.g. the certificates MMC for the local computer store) will not be possible because templates from the gateway will not appear for enrollment. To work around this issue, grant the gateway server enrollment permissions via group membership rather than directly.