Release note Certificate Manager 8.4
Version: 8.4
Release Date: 2021-06-09
Main new features
Edit format definition parameters in AWB
The AWB now enables customization of format definition fields in certificate, key, CRL and CIL procedures. Default parameters are displayed from the chosen format file. Customized configuration is stored in the CM database as part of the signed procedure, not in the chosen format file. Each procedure in the AWB contains its own specific format definitions. When upgrading to later CM versions, the customization remains because it is part of the signed procedure configuration.
AWB bulk signing
CM officers can now sign multiple AWB configuration objects at once by placing them in a folder, signing the folder and then selecting Execute bulk signed from the Tools menu. Read more here: Sign tasks in Certificate Manager.
PKCS#11 performance improvements (TLS/KAR)
Performance of TLS and KAR handling under high load, when keys are protected by an HSM, has been improved by pooling PKCS#11 sessions.
New configuration parameter for PGW EST simple reenroll
The new EST configuration parameter 'allowRenewalWithOldCertificates' controls whether the client TLS certificate must match the latest issued certificate for the requested subject. Read more here: Authentication and preregistration for EST.
EST registrations now support authentication certificates
EST registrations have been extended with support for authentication certificates. See the new inputview 'est-auth-cert' and read more here: Authentication and preregistration for EST.
Manual authorization of EST based certificate requests using IDM
It is now possible to configure the EST server for manual authorization of requests using IDM (Smart ID Identity Manager). Read more here: Authentication and preregistration for EST.
Distribution Agent LDAP session pooling and performance improvements
Improved pooling of LDAP sessions during distribution to directories now enables better connection stability.
Performance has been improved by fetching a chunk of distributions from the database to the dispatcher working pool. The maximum value is configurable.
Distribution Agent HTTP timeouts now configurable
It is now possible to configure the connection and request timeouts for publication of certificates or CRLs over HTTP.
PGW Distribution Point server for CA and CxL files
The Protocol Gateway Distribution Point server now supports distribution of X.509 CA, CRL and CIL files.
Added CM Tools
Two new tools have been added to CM Tools.
SubjectsTool: This tool can be used to verify and regenerate the contents of the Subjects table in CMDB. Read more here: Subjectstool command-line tool in Certificate Manager.
ActiveEntitiesTool: This tool can be used to count the number of currently active certificates and the number of distinct subject entries connected to them. Read more here: ActiveEntitiesTool command-line tool in Certificate Manager.
Changed functionality
Allow revocation of NotYetValid certificates in CC
It is now possible to revoke a certificate that is not yet valid via the certificate controller client.
Upgrade Tools moved to CM-tools
Tools that are used to perform certain CM server upgrades, such as copycacerts, configdiff and updateauditLog, have been moved from their individual .jar files into 'cm-tools.jar'.
Moved CMDB AuditLog update instructions to code
The AuditLog database update instructions for upgrading from version 8.0 to 8.1 have been moved to run as a background job in CF. This was done to minimize the upgrade time and ensure minimal downtime between upgrades when the AuditLog table is very big.
SCEP PKCS#7 response default encryption algorithm changed
The default encryption algorithm for encrypting the SCEP PKCS#7 response has been changed from DES (OiwSecDesCbc) to AES-128 (Aes128-CBC). The encryption algorithm is now also configurable in the PGW scep.properties file with the parameter 'responseEncryptionAlgorithm'.
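After an upgrade, a scep.properties file carried over from an earlier installation may still pin the old algorithm explicitly. The following check is an added example, not part of Certificate Manager or its tools; it assumes the file uses Java .properties syntax and that the names in parentheses above are the values the parameter accepts.

```python
import re

# Names as written in the release note; treating them as the accepted
# values of 'responseEncryptionAlgorithm' is an assumption.
WEAK = {"oiwsecdescbc"}           # single DES in CBC mode
CURRENT_DEFAULT = "Aes128-CBC"    # default from version 8.4
PARAM = "responseEncryptionAlgorithm"

# Constructed samples, not taken from a real installation.
SAMPLE_PINNED_DES = """\
# SCEP settings (constructed sample)
responseEncryptionAlgorithm = OiwSecDesCbc
"""
SAMPLE_UNSET = "# responseEncryptionAlgorithm=OiwSecDesCbc\n"


def parse_properties(text):
    """Minimal .properties reader: '#'/'!' comments, '=' or ':' separator,
    last assignment wins. Line continuations are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_scep(text):
    """Return (status, effective_algorithm) for a scep.properties body."""
    value = parse_properties(text).get(PARAM)
    if not value:
        return ("default", CURRENT_DEFAULT)   # parameter unset: 8.4 default applies
    if value.lower() in WEAK:
        return ("weak", value)                # DES still pinned explicitly
    if value.lower() == CURRENT_DEFAULT.lower():
        return ("ok", value)
    return ("review", value)                  # value not named in the release note


if __name__ == "__main__":
    for name, body in (("pinned", SAMPLE_PINNED_DES), ("unset", SAMPLE_UNSET)):
        print(name, audit_scep(body))
```

A "review" result means the value is not one of the two names given in this release note and should be checked against the product documentation.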
Detailed feature list
For a detailed overview of changed functionality, deprecated functions and corrected problems, see Release.txt which is provided with the installation media.
Contact
Contact Information
For information regarding support, training and other services in your area, please visit our website at www.nexusgroup.com/.
Support
Nexus offers maintenance and support services for Nexus Certificate Manager to customers and partners. For more information, please refer to the Nexus Technical Support at www.nexusgroup.com/support/, or contact your local sales representative.