
Release note Certificate Manager 8.4

Version: 8.4

Release Date: 2021-06-09

Main new features

Edit format definition parameters in AWB

The AWB now enables customization of format definition fields in certificate, key, CRL and CIL procedures. Default parameters are displayed from the chosen format file. Customized configuration is stored in the CM database as part of the signed procedure, not in the chosen format file. Each procedure in the AWB contains its own specific format definitions. When upgrading to later CM versions, the customization remains because it is part of the signed procedure configuration.

AWB bulk signing

CM officers can now sign multiple AWB configuration objects at once by placing them in a folder, signing the folder and then selecting Execute bulk signed from the Tools menu. Read more here: Sign tasks in Certificate Manager.

PKCS#11 performance improvements (TLS/KAR)

Performance of TLS and KAR handling under high load, when keys are protected by an HSM, has been improved by pooling PKCS#11 sessions.

New configuration parameter for PGW EST simple reenroll

The new EST configuration parameter 'allowRenewalWithOldCertificates' controls whether the client TLS certificate must match the latest issued certificate for the requested subject. Read more here: Authentication and preregistration for EST.

EST registrations now support authentication certificates

EST registrations have been extended with support for authentication certificates. See the new inputview 'est-auth-cert' and read more here: Authentication and preregistration for EST.

Manual authorization of EST based certificate requests using IDM

It is now possible to configure the EST server for manual authorization of requests using IDM (Smart ID Identity Manager). Read more here: Authentication and preregistration for EST.

Distribution Agent LDAP session pooling and performance improvements

Improved pooling of LDAP sessions during distribution to directories now enables better connection stability.
Improved performance by fetching a chunk of distributions from the database to the dispatcher working pool. The maximum value is configurable.

Distribution Agent HTTP timeouts now configurable

It is now possible to configure the connection and request timeout for publication of certificates or CRLs over HTTP.

PGW Distribution Point server for CA and CxL files

The Protocol Gateway Distribution Point server now supports distribution of X.509 CA, CRL and CIL files.

Added CM Tools

Two new tools have been added to CM Tools.

SubjectsTool: This tool can be used to verify and regenerate the contents of the Subjects table in CMDB. Read more here: Subjectstool command-line tool in Certificate Manager.

ActiveEntitiesTool: This tool can be used to count the number of currently active certificates, and the number of distinct subject entries connected to them. Read more here: ActiveEntitiesTool command-line tool in Certificate Manager.

Changed functionality

Allow revocation of NotYetValid certificates in CC

A certificate that is not yet valid can now be revoked via the certificate controller client.

Upgrade Tools moved to CM-tools

Tools that are used to perform certain CM server upgrades, such as copycacerts, configdiff and updateauditLog, have been moved from their individual .jar files into 'cm-tools.jar'.

Moved CMDB AuditLog update instructions to code

The AuditLog database update instructions for upgrading from version 8.0 to 8.1 have been moved to run as a background job in CF. This was done to minimize the upgrade time and ensure minimal downtime between upgrades when the AuditLog table is very big.

SCEP PKCS#7 response default encryption algorithm changed

The default encryption algorithm for encrypting the SCEP PKCS#7 response has been changed from DES (OiwSecDesCbc) to AES-128 (Aes128-CBC). The encryption algorithm is now also configurable in PGW with the parameter 'responseEncryptionAlgorithm'.

Detailed feature list

For a detailed overview of changed functionality, deprecated functions and corrected problems, see Release.txt which is provided with the installation media.


Contact Information

For information regarding support, training and other services in your area, please visit our website at


Nexus offers maintenance and support services for Nexus Certificate Manager to customers and partners. For more information, please refer to the Nexus Technical Support at, or contact your local sales representative.
