Release Notes
Keyfactor announces the Keyfactor ACME server release 25.5.
Only those releases with documentation updates are included in the Release Notes section.
Keyfactor ACME v25.5 (March 2026)
- Update: Keyfactor ACME now requires ASP.NET Core Hosting Bundle version 10.0. Environments running earlier versions of .NET must upgrade before installing or upgrading.
- Update: Helm chart versioning has been updated to align with the product version. As a result, the Helm chart version for this release is 25.5.0.
Keyfactor ACME v25.4 (November 2025)
- Update: A new update option has been added to the Command Line Tool that supports updating the certificate template mapped to an account.
- Update: A new API endpoint, PUT /Admin/Accounts/{id}, has been added that supports updating the certificate template mapped to an account.
- Update: The Command Line Tool List -accounts command has been updated to include the JKS thumbprint and current mapped certificate template in the output.
- Update: The GET /Admin/Accounts/List API operation has been updated to include the JKS thumbprint, current mapped certificate template, and number of orders in the output.
- Update: The full public key output has been removed from the GET /Admin/Accounts/List API operation and Command Line Tool List -accounts outputs.
- Update: The GET /Admin/Accounts/List API operation now includes paging options as input parameters.
- Fix: The Command Line Tool now provides feedback on failure if the SQL server cannot be reached.
- Fix: Installation now correctly handles the case where a Keyfactor Command Keyfactor API virtual directory supports both Windows and Basic authentication, defaulting to Windows authentication.
- Fix: Installation now supports the use of the SharedSQLConnectionString.json file to provide the SQL connection string information.
- Known Issue: Installations on Windows using SQL authentication to connect to the SQL server may encounter the following error when attempting to use the Keyfactor ACME API endpoints:
  Unable to start ACME server. Cannot fetch OAuth configuration from the database.
  This indicates that the application pool user for the Keyfactor ACME server has insufficient permissions to read the Keyfactor ACME database when executing the API request. The workaround to this issue is to grant the application pool user db_owner permissions on the Keyfactor ACME SQL database. This will be corrected in a future release.
Keyfactor ACME v25.3 (September 2025)
- Update: The KeyValue returned by the GET /KeyManagement and POST /KeyManagement API endpoints is now Base64 Url encoded.
- Update: Support has been added for container installations under Kubernetes for the following additional environment variables to support dynamic NLog updates:
  - NLogConfigFile: The path to the custom NLog.config file.
  - NLogPoller__Enabled: A Boolean indicating whether the NLog poller service to periodically query for updates to the custom NLog file is enabled.
  - NLogPoller__PollingInterval: The frequency, in seconds, to poll for NLog file updates.
- Update: Keyfactor ACME now supports Azure Active Directory authentication, including Managed Identity, for connections to Azure SQL. This enhancement is enabled by migrating from System.Data.SqlClient to Microsoft.Data.SqlClient.
- Fix: Certificate enrollment through cert-manager no longer fails in the scenario where the number of processor cores changes on the Keyfactor ACME server.
- Known Issue: When upgrading, the validator may not carry over and the metadata script location in the manifest.json file may be overwritten. Please check both of these items post-upgrade.
Keyfactor ACME v2.4.2 (August 2025)
- Fix: Certificate enrollment through cert-manager no longer fails in the scenario where the number of processor cores changes on the Keyfactor ACME server.
Keyfactor ACME v25.2.1 (July 2025)
- Fix: The installer for Windows now correctly includes the PowershellDriver extension directory and its contents when preparing the installation directory set.
Keyfactor ACME v25.2 (June 2025)
- Update: The Keyfactor ACME server now supports two installation options: Windows under IIS and container under Kubernetes using Helm.
- Update: Several new endpoints have been added to the Keyfactor ACME API to expand functionality and support container implementations. These cover claims management, identifier management, and application setting management. For more information, see Keyfactor ACME API.
- Update: A new POST /Revoke endpoint has been added to the Keyfactor ACME API to support certificate revocation. Certificate revocation can only be initiated through Keyfactor ACME (as opposed to in Keyfactor Command) if the Keyfactor ACME application setting CertificateRevocationEnabled is set to True.
- Update: The DNS01 validator now supports following CNAME records through multiple hops (up to a maximum of 100) to find the TXT records configured for the _acme-challenge.<DOMAIN>.
- Update: EAB keys can now, optionally, be removed when the account for a Keyfactor ACME user is revoked.
- Update: SuperAdmin has been added as a new role in Keyfactor ACME. Users with the SuperAdmin role can configure the Keyfactor ACME implementation and manage claims and identifiers in the Keyfactor ACME database using the Keyfactor ACME API. This differs from the AccountAdmin role. AccountAdmins can administer accounts in the Keyfactor ACME database including listing and revoking accounts and associated EAB keys. SuperAdmin users inherit AccountAdmin permissions.
- Update: Encryption methodologies have been added for application-level encryption to support container implementations and migrations from Windows installations to container installations (see Application-Level Encryption).
- Fix: Certificate enrollment no longer fails in the scenario where one of the certificates in the chain of trust contains the string KEY in the certificate contents rendered as a PEM.
- Known Issue: Using a built-in Active Directory group such as the Domain Users group to grant certificate enrollment permissions to legacy Active Directory users may fail. As a workaround, use a custom Active Directory group instead.
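The DNS01 validator update in this release follows CNAME records for _acme-challenge.<DOMAIN> until TXT records are found. The sketch below is an added example, not Keyfactor's validator code: it walks a constructed in-memory zone instead of issuing DNS queries, assumes the 100-hop limit counts CNAME records followed, and compares the TXT value against the RFC 8555 key authorization digest. All function names, the zone layout and the token/thumbprint values are hypothetical.

```python
import base64
import hashlib

MAX_CNAME_HOPS = 100  # hop limit stated in the release note

def expected_txt(token, thumbprint):
    """RFC 8555 section 8.4: base64url(SHA-256(token.thumbprint)), unpadded."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def norm(name):
    return name.rstrip(".").lower()

def resolve_challenge_txt(domain, zone, max_hops=MAX_CNAME_HOPS):
    """Follow CNAMEs from _acme-challenge.<domain>; return (txt_values, chain)."""
    name = norm("_acme-challenge." + domain)
    chain = [name]
    hops = 0
    while "CNAME" in zone.get(name, {}):
        if hops >= max_hops:
            raise LookupError(f"more than {max_hops} CNAME hops from {chain[0]}")
        name = norm(zone[name]["CNAME"])
        hops += 1
        if name in chain:  # a loop would otherwise burn the whole hop budget
            raise LookupError(f"CNAME loop at {name}")
        chain.append(name)
    return zone.get(name, {}).get("TXT", []), chain

def dns01_valid(domain, token, thumbprint, zone):
    """True only if the TXT set at the end of the chain holds the digest."""
    try:
        values, _ = resolve_challenge_txt(domain, zone)
    except LookupError:
        return False
    return expected_txt(token, thumbprint) in values

# Constructed sample data (not real records, tokens or key thumbprints).
TOKEN, THUMBPRINT = "constructed-token", "constructed-thumbprint"
ZONE = {
    "_acme-challenge.app.example.com": {"CNAME": "app.validation.example.net."},
    "app.validation.example.net": {"CNAME": "txt.dns-provider.example.org"},
    "txt.dns-provider.example.org": {"TXT": [expected_txt(TOKEN, THUMBPRINT)]},
    "_acme-challenge.loop.example.com": {"CNAME": "a.example.net"},
    "a.example.net": {"CNAME": "_acme-challenge.loop.example.com"},
}

if __name__ == "__main__":
    print(resolve_challenge_txt("app.example.com", ZONE)[1])
    print(dns01_valid("app.example.com", TOKEN, THUMBPRINT, ZONE))
```

The returned chain is worth logging during validation, because every zone that appears in it is able to satisfy the challenge for the original domain.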
Keyfactor ACME v2.4.1.2 (April 2025)
- Fix: Certificate enrollment no longer fails in the scenario where one of the certificates in the chain of trust contains the string KEY in the certificate contents rendered as a PEM.
Keyfactor ACME v25.1 (March 2025)
- Update: The Keyfactor ACME server now uses OAuth token authentication both to authenticate clients to the Keyfactor ACME server to acquire EAB keys and to authenticate the Keyfactor ACME to Keyfactor Command to enroll for certificates. These do not necessarily need to be the same identity provider. During setup, configuration information for these is provided either with parameters or interactively.
- Update: Multiple new parameters have been added to the Keyfactor ACME command line tool (KeyfactorACMEConfig.exe) Configure command to support OAuth authentication configuration (see Table 5: Configure Command Parameters).
- Update: A new Claims command has been added to the Keyfactor ACME command line tool (KeyfactorACMEConfig.exe) with multiple parameters for managing claims for users and groups/roles that are allowed to request External Account Binding (EAB) keys (which can then be used to register ACME clients and enroll for certificates) or administer the Keyfactor ACME database (see Access Control and Claims). The claims command is also used to map certificate templates to the users or groups/roles to specify which certificate template in Keyfactor Command should be used for certificate enrollments received for the user’s EAB key.
- Update: With the support of OAuth, the Keyfactor ACME server no longer supports Active Directory authentication either to communicate with Keyfactor Command or acquire an EAB key. Active Directory user and group configuration for EAB key generation has been removed from the configuration tool. Legacy Active Directory users for upgrades will still exist in the database and will continue to function for existing ACME clients but cannot be used to register new ACME clients.
- Update: The ACMEAPI IIS application is no longer created. The Keyfactor ACME API endpoints are now all hosted in the main virtual directory in IIS (by default, ACME).
- Update: The Keyfactor ACME now requires ASP.NET Core Hosting Bundle version 8.0 (x64).
- Update: With the switch to .NET 8.0, the configuration methodology for metadata PowerShell scripts has changed to an extension model (see Keyfactor ACME Metadata).
- Update: The Keyfactor ACME is now compatible with Keyfactor Command 11.0 or later.
- Update: The Keyfactor ACME install no longer requires the Basic Authentication and Windows Authentication IIS components.
- Update: Certificate templates for enrollment are now configured on a per-user or per-role basis rather than a per-installation basis. This allows for greater flexibility in template use per user or group with the same Keyfactor ACME implementation.
- Update: The following changes have been made to the validators used by Keyfactor ACME:
  - A new custom validator has been added to support validating domain ownership based on IP subnet restrictions.
  - The DNS01Validator validator is now supported.
  - The DefaultACMEValidator custom validator has been renamed to DNSRegexValidator.
- Update: The following commands have been removed from the Keyfactor ACME command line tool (KeyfactorACMEConfig.exe):
  - AdminUsers
  - AuthorizedUsers
  - Secret
- Update: The following parameters have been removed from the Keyfactor ACME command line tool (KeyfactorACMEConfig.exe) Configure command:
  - --template, -t
  - --keymanagementvirtualdirectory, -m
  - --key, -k
  - --secret, -x
Keyfactor ACME v2.4.1.1 (March 2025)
- Fix: Enrollments with cert-manager and a chain order of root CA first using the ACME Server against a Keyfactor Command 24.4 instance no longer fail.
Keyfactor ACME v2.4 (November 2023)
- Update: The Keyfactor ACME Server now supports the use of wildcards in enrollment requests and identifiers (see Validators and the Identifiers Command). To support this, a new KeyfactorACMEConfig.exe settings --allowwildcard command has been added and a new --wildcard switch has been added to KeyfactorACMEConfig.exe identifiers.
- Update: The Identifiers list command now displays the status of the identifier (Valid or Revoked).
- Update: The Identifiers list command now displays whether an identifier is based on a regular expression, wildcard, or neither.
- Update: A new KeyfactorACMEConfig.exe Unrevoke --identifer command has been added to support unrevoking identifiers.
Keyfactor ACME v2.3.1 (February 2023)
- Fix: Keyfactor ACME Server’s SQL connections could begin to fail while the Keyfactor ACME server was under load.
- Fix: New databases would be missing a stored procedure upon creation. Databases upgraded to, or past, v2.2 are not affected.
Keyfactor ACME v2.2 (October 2022)
- Update: Two new endpoints have been added to the Keyfactor ACME API:
  - /ACMEAPI/Admin/Accounts/List
  - /ACMEAPI/Admin/Accounts/Revoke?accountId={guid}
  The List endpoint returns all accounts registered to the Keyfactor ACME server, and the Revoke endpoint is used to revoke an account. This should allow automation of deprovisioning of users.
- Update: cert-manager integration added. cert-manager can issue certificates through Keyfactor ACME.
- Update: Added KeyfactorACMEConfig.exe configure --forcedatabaseupgrade command.
- Fix: Documentation updates to Certbot scripts and some minor fixes.