Release Date: 2022-02-28
Main new features
Support for Server Name Indication (SNI) added to CM-SDK
SNI support has been added to the CM-SDK and can be configured for use by Protocol Gateway. Read more here: Initial configuration of Protocol Gateway. See also section 'TLS Server Name Indication' in the Developers Guide.
Support for Edwards prehash curves ED25519ph and ED448ph
Support for Edwards prehash curves has been added. Certificate Manager now supports the following Edwards curves: X25519, X448, ED25519, ED448, ED25519PH, ED448PH. See the full list here: Certificate Manager requirements and interoperability, section "Algorithms and key types".
Added support for AzureSQL database
Certificate Manager now supports AzureSQL as database using the same JDBC connector as MSSQLServer. See section "Database versions" in Certificate Manager requirements and interoperability and see also Set up Azure SQL in Certificate Manager.
Protocol Gateway supports connections to multiple CF instances
It is possible to configure Protocol Gateway to connect to different CF instances on a per protocol or handler level by re-using the parameter 'cmhost' from 'cm-gateway.properties' and overwriting the value where desired. See Configuration files in Protocol Gateway.
REST-API filter certificates based on issuer
The 'api/certificates' endpoint now supports filtering of certificates based on issuer dn. See the updated swagger.yaml file for documentation.
Protocol Gateway will now poll Intune for revocation data automatically for all configured Intune handlers in scep.properties. This is activated for all Intune configured handlers with some new optional parameters available in scep.properties. Read more here: Example: SCEP Intune configuration in Protocol Gateway and here: SCEP support in Certificate Manager.
New OCSP check modifier
The WinEP formats in Protocol Gateway include a new modifier called OcspCheckModifier which attempts to retrieve a valid OCSP status for the certificate to be issued before sending it to the client. This modifier is disabled by default and can be enabled by setting the format field: handler.0.formatFields.0 = ocspcheck.enabled = true. See Technical Description for further details. See also Certificate request verifications in Protocol Gateway.
Issuing multiple CRLs in advance
Certificate Manager now supports issuing multiple future CRLs in advance. This makes it easier to host an "offline CA" (whose CRLs are static for longer periods) as the CRLs can be pre-generated and thus does not require starting the system where the "offline CA" resides each time a CRL is to be generated. Read more in the Certificate Manager Technical Description, section 188.8.131.52. Issuing multiple CRLs in advance.
Proxy support for SCEP Intune
SCEP Intune request can now be sent through a proxy in cases where Protocol Gateway does not have external internet access. See 'scep.properties' for more info on the new parameters. See also Example: SCEP Intune configuration in Protocol Gateway.
Distributions of Certificates, CRLs etc.
The Distribution Agent in CF has been improved in regards to immediate distributions by acting on changes to the database faster.
CRL Factory now also builds immediate CRLs and CILs
Previously all CRLs and CILs that were built immediately upon certificate revocation or certificate issuance was done in the same pipeline as their respective action. From now on it is always the CRL Factory that builds the CRLs and CILs.
Protocol based registrations are now domain unique
Protocol based registrations, like for SCEP, EST, ACME etc. used to be unique only for their respective protocols. This could cause issues for multi-tenant based systems where registrations for one tenant or domain could be used by another tenant or domain. To remedy this limitation registrations are now tied to the domain of their connected token procedure, and move with the token procedure if its domain is moved or changed
Detailed feature list
For a detailed overview of changed functionality, deprecated functions and corrected problems, see Release.txt which is provided with the installation media.
For information regarding support, training and other services in your area, please visit our website at www.nexusgroup.com/.
Nexus offers maintenance and support services for Nexus Certificate Manager to customers and partners. For more information, please refer to the Nexus Technical Support at www.nexusgroup.com/support/, or contact your local sales representative.