Release note Certificate Manager 8.7.1
Release Date: 2023-06-09
Version: 8.7.1
Certificate Manager release 8.7.1 fully replaces Certificate Manager release 8.7.0.
Main new features
- Certificate Manager 8.7.1 replaces Certificate Manager 8.7.0, improving the database migration step when upgrading from earlier versions.
- CM REST API and CM-SDK are extended with new certificate search filters and certificate download formats.
- WinEP now supports Windows WCCE Null Signature requests.
Additional updates are described below.
Support for Null Signature PKCS10 in WinEP
WinEP now accepts a PKCS10 request with a Null Signature as specified in MS-WCCE v20211006, section 2.2.2.6.5. This means that a PKCS10 received in the related requests through WinEP is allowed to carry a hash in the signature field instead of a signature. Such a request by itself proves nothing about possession of the private key, so keep the option disabled unless the Windows enrollment flow in use requires it. To disable this, set "allowNullPkcs10Signature" to false in winep.properties. See Upgrade Protocol Gateway.
Support for KRB5PrincipalName (pkinit-san)
Certificate Manager now supports encoding and decoding of the KRB5PrincipalName (pkinit-san) otherName with OID 1.3.6.1.5.2.2. A new kerberos-pkinit-san input view is added, and the general input view (iv) supports it as well.
Support for Extended Key Usage EKU id-pkinit-KPClientAuth
Extended Key Usage id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4) is added to the drop-down list for EKUs in Administrator's workbench (AWB).
CF background DB data migration
Due to a change in the Certificate Manager database schema in 8.7.1, some data needs to be populated and migrated in the database.
To minimize downtime, this is automatically done after CF startup, but it is also possible to do this by running the SubjectsTool before starting CF, if needed.
The work can be parallelized between multiple nodes of CF. Using two CF nodes, this upgrade process will take approximately ten minutes per one million certificates in the database. Since this is done in the background, CF can be used meanwhile. The CF log will state the start and end of these processes as follows:
"CM87CaUpgrader: Starting!"
"CM87CaUpgrader: Finished successfully!"
"CM87EndUserCertificatesSkiUpgrader: Starting!"
"CM87EndUserCertificatesSkiUpgrader: Finished successfully!"
CA certificates searchable
It is now possible to search for CA certificates through the CM-SDK and CM REST API. In CM-SDK the class ListCertificatesRequest and the new certificate search criteria "IncludeAuthorityCerts" and "OnlyAuthorityCerts" can be used for filtering. It is also possible to retrieve CA certificate data using the GetCertificatesRequest. For CM REST API, see Certificate Manager (CM) REST API for more information.
X.509 certificates searchable with SKI and AKI
It is now possible to search for X.509 certificates with the search criteria "subjectkeyidentifier" and "authoritykeyidentifier" in the CM-SDK request ListCertificatesRequest and the CM REST API certificates-endpoint. See Certificate Manager (CM) REST API for more information.
CM REST API supports extended certificate search criteria
It is now possible to search for certificates with the extended certificate search criteria in the CM REST API certificates-endpoint. See Certificate Manager (CM) REST API for more information. The Extended Certificate Search functionality enables searching for information in the ExtendedCertSearch database table. The table can be used to store custom defined information for identifying certificate holders. See the CM Technical Description for details about ExtendedCertSearch.
CM REST API supports downloading certificates in PEM and PKCS7
CM REST API download endpoint now supports downloading of a certificate or a certificate chain in PEM, PKCS7 or DER format. The format is decided by setting the Accept header in the request to one of the following media types, "application/pkix-cert", "application/pem-certificate-chain" or "application/pkcs7-mime". See Certificate Manager (CM) REST API for more information.
CM REST API supports delivering certificates in different formats
It is now possible to choose the format of the delivered certificate and attribute certificate in the pkcs12 and pkcs12-to-attr-cert endpoints. The format is selected with the Accept header in the same way as for certificate downloads. See Certificate Manager (CM) REST API for more information.
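A small client-side helper for the download formats described above, added here as an example; it is not code from Certificate Manager or the CM REST API. It builds the request for the /certificates/<certId>/download endpoint with the Accept media types listed on this page, and then checks that what came back is really the format that was asked for, both by the declared Content-Type and by the body bytes, since a client that trusts the header alone will silently misbehave when a default changes between releases. The base URL and the sample bodies are constructed for the example; DER/PEM conversion follows the usual base64 PEM framing.

```python
import base64
import textwrap

# Media types from the release note, keyed by a short format name
ACCEPT = {"der": "application/pkix-cert",
          "pem": "application/pem-certificate-chain",
          "pkcs7": "application/pkcs7-mime"}
# DER encoding of the OID 1.2.840.113549.1.7.2 (id-signedData), the contentType of a PKCS#7 bundle
ID_SIGNED_DATA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"


def download_request(base_url, cert_id, fmt):
    """URL and headers for GET /certificates/<certId>/download in the wanted format."""
    return f"{base_url}/certificates/{cert_id}/download", {"Accept": ACCEPT[fmt]}


def detect_format(body):
    """Classify a response body from its bytes, independent of the Content-Type header."""
    if body.startswith(b"-----BEGIN "):
        return "pem"
    if body[:1] == b"\x30":                          # DER SEQUENCE
        # A PKCS#7 ContentInfo starts with SEQUENCE { OID id-signedData, ... }
        return "pkcs7" if ID_SIGNED_DATA in body[:32] else "der"
    return "unknown"


def check_download(fmt, content_type, body):
    """Accept the response only if both the declared media type and the body bytes match the
    requested format. Returns (ok, reason)."""
    declared = content_type.split(";")[0].strip()
    if declared != ACCEPT[fmt]:
        return False, f"server declared {declared!r}, expected {ACCEPT[fmt]!r}"
    seen = detect_format(body)
    if seen != fmt:
        return False, f"body looks like {seen}, expected {fmt}"
    return True, "ok"


def der_to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes in a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    return (f"-----BEGIN {label}-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + f"\n-----END {label}-----\n")


def pem_to_der(pem):
    """Decode the first PEM block in the text and return its DER bytes."""
    inside, chunks = False, []
    for line in (l.strip() for l in pem.splitlines()):
        if line.startswith("-----BEGIN "):
            inside = True
        elif line.startswith("-----END "):
            break
        elif inside:
            chunks.append(line)
    return base64.b64decode("".join(chunks))


# Constructed samples, not real certificates: a DER SEQUENCE holding one INTEGER, and a
# PKCS#7 ContentInfo shell whose contentType is id-signedData with empty [0] content.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PKCS7 = b"\x30\x0d" + ID_SIGNED_DATA + b"\xa0\x00"

if __name__ == "__main__":
    url, headers = download_request("https://cm.example.invalid/api", "1234", "pem")
    print(url, headers)
    print(check_download("der", "application/pkix-cert", SAMPLE_DER))
    print(check_download("der", "application/pkix-cert", der_to_pem(SAMPLE_DER).encode()))
    print(check_download("pkcs7", "application/pkcs7-mime", SAMPLE_PKCS7))
```

The base URL is hypothetical; fetch the URL with whatever HTTP client you use and pass the response's Content-Type and body to check_download before writing anything to disk or a trust store.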
Changed functionality
Configuration for denying No-Signature Signature Mechanism
It is now possible to deny No-Signature Signatures on CMC/CMS requests received through WinEP. This is done by setting the "allowNoSignature" configuration parameter to false in winep.properties. See Upgrade Protocol Gateway.
WinEP "Subject name format" configuration support
WinEP now takes into account the "Subject name format" configuration parameter in the template to decide the subject name format to use in the certificate. Until now it used the DNS name even when "Common Name" was configured. All upgrading customers are encouraged to verify that their templates are configured as per their requirements, since certificates issued through WinEP may now get a different subject name than before.
CM REST-API certificate downloads reverted to pkix-cert DER format
The REST-API endpoint /certificates/<certId>/download now returns a DER-encoded certificate (application/pkix-cert) by default, that is, when the Accept header does not select another format, as it did before Certificate Manager 8.7.1. Clients that need a specific format should set the Accept header explicitly rather than rely on the default.
Days can be used to configure Delta CRL/CIL margins
In addition to minutes and hours, now days can be used to configure the margin for a Delta CRL or Delta CIL inside their respective procedures in the AWB client. See Create CRL procedure in Certificate Manager and Create CIL procedure in Certificate Manager for more information.
REST API verifies that correct signed data is used with a pkcs10
The REST API now verifies that the signed data sent with a pkcs10 in a request belongs to the same key as the pkcs10. This is done by comparing the SubjectPublicKeyInfo from the pkcs10 with the SubjectPublicKeyInfo from the signed data; a mismatch is rejected.
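Three of the items above (the WinEP Null Signature PKCS10 option, the SKI/AKI search criteria, and the SubjectPublicKeyInfo match for a pkcs10 with signed data) all come down to looking inside a PKCS10 request. The following is an added example in plain Python (standard library only), not Certificate Manager or WinEP code, that does exactly that: it parses a CertificationRequest, applies an allowNullPkcs10Signature-style policy to a request whose signature field carries a hash, derives the RFC 5280 key identifier from the public key (the value you would put into a "subjectkeyidentifier" or "authoritykeyidentifier" search), and compares the request's SubjectPublicKeyInfo with one taken from accompanying signed data. Assumptions, marked in the code as well: the null-signature request is identified by the id-alg-noSignature OID 1.3.6.1.5.5.7.6.2 (RFC 2797/RFC 5272; this page does not state which OID MS-WCCE uses), the carried hash is SHA-1 or SHA-256 over the DER of CertificationRequestInfo, and the sample request, including its 32-byte "key", is constructed, not real key material.

```python
import hashlib

# --- minimal DER helpers (stdlib only) -------------------------------------------------------
def tlv(tag, body):
    """Encode one TLV; the constructed sample below is short, so short-form lengths suffice."""
    assert len(body) < 128, "sample encoder handles short-form lengths only"
    return bytes([tag, len(body)]) + body

def der_read(buf, pos=0):
    """Decode the TLV at buf[pos] -> (tag, value, end). Handles long-form lengths, so it also
    works on real, larger requests."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(value):
        start = pos
        tag, v, pos = der_read(value, pos)
        out.append((tag, v, value[start:pos]))
    return out

def oid_str(body):
    """Dotted string form of an OID's content octets."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

# Assumption: null-signature requests use id-alg-noSignature (RFC 2797 / RFC 5272).
ID_ALG_NO_SIGNATURE = "1.3.6.1.5.5.7.6.2"

# --- PKCS#10 inspection ----------------------------------------------------------------------
def parse_pkcs10(der):
    """CertificationRequest ::= SEQUENCE { certificationRequestInfo, signatureAlgorithm, signature }"""
    _, body, _ = der_read(der)
    (_, info, info_raw), (_, alg, _), (_, sig, _) = der_children(body)
    # CertificationRequestInfo ::= SEQUENCE { version, subject, subjectPKInfo, attributes [0] }
    _version, _subject, (_, spki, spki_raw), *_ = der_children(info)
    _spki_alg, (_, key_bits, _) = der_children(spki)
    (_, alg_oid, _), *_ = der_children(alg)
    return {"info_raw": info_raw, "spki_raw": spki_raw,
            "public_key": key_bits[1:],           # BIT STRING minus the unused-bits octet
            "sig_alg": oid_str(alg_oid), "signature": sig[1:]}

def evaluate_signature(req, allow_null_pkcs10_signature):
    """WinEP-style policy: a null-signature request passes only if the configuration allows it
    AND the carried hash really binds this CertificationRequestInfo. A real signature is
    reported as "signed" and must be verified with a crypto library (not shown here)."""
    if req["sig_alg"] != ID_ALG_NO_SIGNATURE:
        return "signed"
    # Assumption: the hash covers the DER of CertificationRequestInfo, with SHA-1 or SHA-256.
    expected = {hashlib.sha1(req["info_raw"]).digest(), hashlib.sha256(req["info_raw"]).digest()}
    if req["signature"] not in expected:
        return "null-hash-mismatch"
    return "null-accepted" if allow_null_pkcs10_signature else "null-rejected-by-policy"

def subject_key_identifier(public_key, method=1):
    """RFC 5280 4.2.1.2: method 1 = SHA-1 of the subjectPublicKey bits; method 2 = 0100 followed
    by the low 60 bits of that SHA-1. Returns lowercase hex, usable as an SKI/AKI search value."""
    h = hashlib.sha1(public_key).digest()
    if method == 1:
        return h.hex()
    tail = bytearray(h[-8:])
    tail[0] = 0x40 | (tail[0] & 0x0F)
    return bytes(tail).hex()

def spki_matches(req, spki_from_signed_data):
    """The 8.7.1 REST API check: the request's SubjectPublicKeyInfo must equal the one carried
    in the accompanying signed data (byte-for-byte DER comparison)."""
    return req["spki_raw"] == spki_from_signed_data

# --- constructed sample (not real key material) ---------------------------------------------
SAMPLE_KEY = bytes(range(32))                                   # made-up 32-byte Ed25519-sized key
OID_ED25519, OID_CN = b"\x2b\x65\x70", b"\x55\x04\x03"          # 1.3.101.112, 2.5.4.3
OID_NO_SIG = b"\x2b\x06\x01\x05\x05\x07\x06\x02"                # 1.3.6.1.5.5.7.6.2
SAMPLE_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, OID_ED25519)) + tlv(0x03, b"\x00" + SAMPLE_KEY))
_subject = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, b"test"))))
_info = tlv(0x30, tlv(0x02, b"\x00") + _subject + SAMPLE_SPKI + tlv(0xA0, b""))
SAMPLE_CSR = tlv(0x30, _info + tlv(0x30, tlv(0x06, OID_NO_SIG) + tlv(0x05, b""))
                     + tlv(0x03, b"\x00" + hashlib.sha256(_info).digest()))

if __name__ == "__main__":
    req = parse_pkcs10(SAMPLE_CSR)
    print("signature algorithm:", req["sig_alg"])
    print("allowNullPkcs10Signature=true :", evaluate_signature(req, True))
    print("allowNullPkcs10Signature=false:", evaluate_signature(req, False))
    print("SKI (method 1):", subject_key_identifier(req["public_key"]))
    print("SKI (method 2):", subject_key_identifier(req["public_key"], 2))
    print("SPKI matches signed data:", spki_matches(req, SAMPLE_SPKI))
```

Note that even when the hash binds the request, a null signature gives no proof of possession; that is why the policy flag exists and why the SPKI comparison against separately signed data is worth doing.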
Detailed feature list
For a detailed overview of changed functionality, deprecated functions and corrected problems, see Release.txt which is provided with the installation media.
Contact and support
For information regarding support, training, and other services in your area, visit www.nexusgroup.com/. Nexus offers maintenance and support services for components to customers and partners.
For more information, go to Nexus Technical Support or contact your local sales representative.