Release note Certificate Manager 8.1
Version: 8.1
Release Date: 2020-02-05
Main new features
ACME support
Support has been added for ACME v2 (RFC 8555) for issuing, renewing and revoking certificates.
Several Certificate Manager ACME server-side endpoints can be used in parallel to provide certificates from different hosted CAs in Certificate Manager. With the help of Certificate Manager's preregistration functionality, ACME accounts and unique client credentials can be registered to ensure that only authenticated clients can obtain certificates from a specific CA.
For more information, see ACME support in Certificate Manager.
Registration handling
Registration of device-unique information has been extended and can be used with the protocols ACME, EST, EST-Coaps, SCEP, CMP, CMC, and Certificate Manager (CM) REST API.
Registrations can be made using the standard Registration Authority (RA) client, CM SDK and the CM REST API. Registered devices will obtain certificates during certificate enrollment if the validation/authorization is successful.
Default format files
All default format files are now loaded automatically from the server binaries and cannot be modified. The intention is to simplify future upgrades of Certificate Manager by automatically replacing the old default configuration with the new one. Customer-defined format files containing the desired differences from the default formats can be placed in the file system as before. The provided upgrade-diff tool can be used as an aid when upgrading format files.
Hardware security module (HSM) connection recovery and performance
If the connection to a hardware security module (HSM) is lost, for example, due to network problems, an improved connection recovery handling in Certificate Manager (CM) reduces the need to restart the CM services to reestablish the connection. The performance of HSM operations via PKCS#11 has been improved: heavy HSM operations can now be executed concurrently if the PKCS#11 library supports it.
Smart Tachograph G2 certificates
Smart Tachograph certificates (G1) and (G2) are now supported in CM and CM SDK for creating and importing CA and end-user certificates, and also MSCA certificate signing requests.
For more information on tachograph certificates in Certificate Manager, see
For general information on tachograph, see:
- https://ec.europa.eu/transport/modes/road/social-provisions/tachograph_en
- https://dtc.jrc.ec.europa.eu
Zlint integration
Zlint is an X.509 certificate linter that checks for conformity with RFC 5280 and CA/B baseline requirements. Zlint is an open-source tool that Certificate Manager can invoke before issuing a certificate. Certificate issuance is prevented if the check mechanism rejects the CSR content.
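As an added illustration (not Nexus code, and not a description of how Certificate Manager calls Zlint), the following Python example shows a pre-issuance gate over Zlint's JSON report. The function name `evaluate`, the `block_at` threshold, the fail-closed policy and the sample report are assumptions constructed for this example.

```python
import json

# Result strings zlint emits per lint, ranked by severity (0 = nothing to act on).
SEVERITY = {"NA": 0, "NE": 0, "pass": 0, "notice": 1, "warn": 2, "error": 3, "fatal": 4}

# Constructed sample report in zlint's JSON shape: {lint_name: {"result": status}}.
SAMPLE_REPORT = """
{
  "e_dnsname_bad_character_in_label": {"result": "error"},
  "e_subject_common_name_not_from_san": {"result": "pass"},
  "w_ext_subject_key_identifier_missing_sub_cert": {"result": "warn"},
  "n_subject_common_name_included": {"result": "notice"},
  "e_ext_san_missing": {"result": "NA"}
}
"""


def evaluate(report_json, block_at="error"):
    """Return (allow_issuance, findings) for one zlint JSON report.

    Fails closed: unparsable input, an unexpected structure or an unknown
    result string all block issuance (assumed policy for this example).
    """
    threshold = SEVERITY[block_at]
    try:
        report = json.loads(report_json)
    except (TypeError, ValueError):
        return False, [("<report>", "unparsable")]
    if not isinstance(report, dict) or not report:
        return False, [("<report>", "unexpected structure")]

    findings = []
    for lint, detail in report.items():
        result = detail.get("result") if isinstance(detail, dict) else None
        if not isinstance(result, str) or result not in SEVERITY:
            findings.append((lint, "unknown result"))
        elif SEVERITY[result] >= threshold:
            findings.append((lint, result))
    return not findings, sorted(findings)


if __name__ == "__main__":
    allowed, findings = evaluate(SAMPLE_REPORT)
    print("issue" if allowed else "reject", findings)
```

Lowering `block_at` to `"warn"` makes the gate stricter; the findings list is what an operator would want written to the audit log alongside the rejected request.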
Metrics reporting to InfluxDB
Metrics related to certificate issuance events can be sent to InfluxDB. Certificate metrics can be provided from CF, and certificate request metrics can be provided for each of the Protocol Gateway hosted enrollment protocols. This can be used to show the current activity of the system using, for example, Grafana.
PKCS#11 SecureRandom Provider
Generation of random numbers in software (the SecureRandom provider) can now be seeded by random data from an HSM.
Search filter 'enrollment protocol' in Certificate Controller
Certificate Controller can be used to search for certificates based on which protocol was used to create them. This requires that the issued certificate is connected to a registration. This search will only work with certificates issued after Certificate Manager version 8.1.
V2X PKI related functionality
Certificate Manager can now act as a V2X Distribution Centre as defined in ETSI TS 102 941. This enables a publicly available and standardised way for external parties to download V2X trust list information such as the RCA CTL and CRLs.
AWB can now import and export signed certificate requests for re-keying of IEEE 1609.2 CA certificates.
It is now possible for the C-ITS Root CA to issue the RCA CTL. IEEE 1609.2 CAs can be created with a "valid from" value set to a future date.
Updated support for operating systems and SQL servers
For details, see BACKUP - Certificate Manager requirements and interoperability.
Contact
Contact Information
For information regarding support, training and other services in your area, please visit our website at www.nexusgroup.com/.
Support
Nexus offers maintenance and support services for Nexus Certificate Manager to customers and partners. For more information, please refer to the Nexus Technical Support at www.nexusgroup.com/support/, or contact your local sales representative.