Release notes Certificate Manager 8.10
Release date: 2024-04-02
Release.txt
Detailed information about changed functionality, deprecated functions, corrected problems, and known issues is included in the Release.txt file. The file is provided with the installation media.
These release notes also include an additional feature for Certificate Manager 8.10.1 (which does not have its own release note):
Added support for CRL based revocation time for Secunet publications
The 'Secunet OCSP Revocation' publication format now supports the parameter 'secunet.crlBasedRevocationTime'. This allows revocation information distributed to a Secunet OCSP responder to have a more accurate revocation time. This flag is deactivated by default.
Activate the 'secunet.crlBasedRevocationTime' flag by navigating to the publication procedure in AWB that is using the publication format 'Secunet OCSP Revocation' and modifying the format with the 'advanced' button.
Overview of main new features
Signing Authorities
Certificate Manager now has the ability to sign pre-hashed data through the new CM REST API signatures endpoint or the new CM SDK request SigningRequest.
To enable this, new components have been introduced within AWB. These include the Signing Authority, SA key, and Signing Procedure. A new officer role (Signing Authority and SA Key tasks) is required for the creation of the mentioned objects.
Comprehensive instructions for configuring this can be found in the 'ca-admin-guide.pdf' and 'technical-description.pdf' documents and in the Signing Authority (SA) tasks in Certificate Manager.
See the CM REST API swagger.yaml to learn about the new endpoint signatures/{procid}. See the CM SDK example SigningExample for an example of how to use the new SigningRequest.
The new officer role Signing Authority Requests is required to send signing requests.
The Signing Authority functionality requires a new license option.
PublicKeyRequirements modifier update
The checks performed by the PublicKeyRequirements modifier are now updated to follow FIPS 186-5, NIST SP 800-56Ar3, and NIST SP 800-186. For more details, see the chapter "PublicKeyRequirements" in CM Technical Description.
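As an added illustration of the kind of checks those NIST documents prescribe (this is example code written for these notes, not the CM PublicKeyRequirements modifier, whose exact rule set is documented in the CM Technical Description): full public-key validation of a P-256 point per SP 800-56Ar3 section 5.6.2.3.3 (not the identity, coordinates in range, on the curve, n*Q = identity), and the RSA public-key criteria of FIPS 186-5 section 5.4 (odd exponent with 2^16 < e < 2^256, odd modulus of the expected length). The P-256 domain parameters are those of SP 800-186; the 2048-bit minimum and the test modulus are assumptions for the example.

```python
# Added example, not Nexus CM code. Pure-Python public-key acceptance checks
# modelled on SP 800-56Ar3 (EC full public-key validation) and FIPS 186-5
# (RSA public-key criteria). Returned lists contain the failed checks; an
# empty list means the key passed.

# P-256 domain parameters from SP 800-186.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P256_G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
          0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def _ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + ax + b (mod p); None is the identity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P256_P == 0:
        return None  # P + (-P) = identity, also covers doubling a point with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1, -1, P256_P) % P256_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P) % P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    return (x3, (lam * (x1 - x3) - y1) % P256_P)


def _ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; validation only)."""
    result = None
    while k:
        if k & 1:
            result = _ec_add(result, pt)
        pt = _ec_add(pt, pt)
        k >>= 1
    return result


def check_ec_public_key(q):
    """SP 800-56Ar3 5.6.2.3.3 full public-key validation for a P-256 point q=(x, y)."""
    if q is None:
        return ["point is the identity element"]
    x, y = q
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return ["coordinate outside [0, p-1]"]
    if (y * y - (x**3 + P256_A * x + P256_B)) % P256_P != 0:
        return ["point is not on the curve"]
    if _ec_mul(P256_N, q) is not None:
        return ["n*Q is not the identity (point has wrong order)"]
    return []


def check_rsa_public_key(n, e, min_modulus_bits=2048):
    """RSA public-key criteria from FIPS 186-5 5.4: e odd, 2^16 < e < 2^256,
    n odd and at least min_modulus_bits long (the minimum is an assumption here)."""
    failures = []
    if e % 2 == 0:
        failures.append("public exponent is even")
    if not (2**16 < e < 2**256):
        failures.append("public exponent outside (2^16, 2^256)")
    if n % 2 == 0:
        failures.append("modulus is even")
    if n.bit_length() < min_modulus_bits:
        failures.append(f"modulus shorter than {min_modulus_bits} bits")
    return failures


if __name__ == "__main__":
    print("G:", check_ec_public_key(P256_G))
    print("off-curve:", check_ec_public_key((1, 1)))
    # Constructed test modulus: odd and exactly 2048 bits, not a real key.
    print("RSA e=65537:", check_rsa_public_key(2**2047 + 1, 65537))
    print("RSA e=3:", check_rsa_public_key(2**2047 + 1, 3))
```

The scalar multiplication is plain double-and-add because it only ever processes public data; a signing routine would need a constant-time ladder instead.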
Certificate Manager now supports archiving and recovery of EC keys
Support for archiving and recovery of EC keys is now available in Certificate Manager. See new KAR format archive-ec.conf.
V2X registration
V2X registration reset via CM REST API: The CM REST API now supports reset of VINs via the /registrations/v2x/reset endpoint.
V2X registration delete via CM REST API: The CM REST API delete endpoint has been deprecated and replaced by the /registrations/v2x/delete endpoint.
Certificate removal via CM REST API
The CM REST API now supports removal of the data (certificate, archived keys, audit log, etc.) of revoked or expired certificates using the two new endpoints /certificates/remove and /certificates/remove-subjects. The latter will remove the certificate data of all certificates associated with the subject of the given certificate ID(s). See the updated swagger.yaml file for documentation.
CM RA Client supports LDAPS
The RA client now supports LDAPS as the authentication scheme when using input views that fetch additional user data from an LDAP server.
Modify ID and Label attributes in HSM via PKCS#11 using hwsetup
Two new operations are now available allowing modification of ID and Label attributes of existing keys and certificates in HSM.
Chained AuditLog Signatures
Certificate Manager now provides the option to enable signing of the AuditLog entries that are stored in the CMDB database. The signatures on the entries are chained. This makes it possible to detect manipulation of the data of the entries and removal of entries. The key used for signing the AuditLog entries can be stored in either HSM or in PKCS12 files.
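To show what the chaining buys, here is an added example (written for these notes, not CM's AuditLog implementation) of a chained log: each entry's authenticator covers the entry's own data together with the previous entry's authenticator, so modifying an entry, removing one from the middle, or reordering entries breaks a link that verification detects. HMAC-SHA-256 with a constructed key stands in for the digital signature CM makes with an HSM- or PKCS12-held key; the chain logic is the same either way. The example also shows the one case a chain alone cannot catch, removal of the newest entries, and the usual remedy of anchoring the latest tag somewhere the attacker cannot reach.

```python
# Added example, not Nexus CM code. A hash/MAC-chained audit log and its
# verifier. The key below is a constructed demo value, not an HSM key.
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # previous-tag value for the very first entry


def _entry_tag(key, data, prev_tag):
    # Canonical JSON so the authenticator covers exactly one serialisation.
    msg = json.dumps({"data": data, "prev": prev_tag}, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(key, log, data):
    """Append an entry whose tag binds it to the entry before it."""
    prev = log[-1]["tag"] if log else GENESIS
    entry = {"data": data, "prev": prev}
    entry["tag"] = _entry_tag(key, data, prev)
    log.append(entry)
    return entry


def verify_chain(key, log, expected_head=None):
    """Walk the chain from the genesis value. Returns (ok, detail).

    expected_head is the tag of the last entry as recorded out-of-band
    (e.g. in a separate system); without it, truncation of the tail is invisible.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev:
            return False, f"entry {i}: link to previous entry broken (entry removed or reordered)"
        if not hmac.compare_digest(_entry_tag(key, entry["data"], entry["prev"]), entry["tag"]):
            return False, f"entry {i}: tag does not verify (entry modified)"
        prev = entry["tag"]
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch (tail entries removed or log replaced)"
    return True, None


def demo():
    """Build a small constructed log and exercise the four tamper cases."""
    key = b"constructed-demo-key-not-a-real-hsm-key"
    log = []
    for data in ["cert issued, serial 1001", "cert revoked, serial 1001", "key archived, serial 1002"]:
        append_entry(key, log, data)
    head = log[-1]["tag"]  # stored out-of-band in a real deployment

    modified = copy.deepcopy(log)
    modified[1]["data"] = "cert revoked, serial 9999"
    removed = log[:1] + log[2:]          # middle entry deleted
    truncated = log[:-1]                 # newest entry deleted

    return {
        "intact": verify_chain(key, log, head),
        "modified": verify_chain(key, modified),
        "removed": verify_chain(key, removed),
        "truncated_no_anchor": verify_chain(key, truncated),   # passes: undetectable
        "truncated_anchored": verify_chain(key, truncated, head),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The "truncated_no_anchor" case is the practical caveat: a chain proves that what remains is consistent, not that nothing was cut off the end, so keep the latest tag (or a periodic checkpoint of it) outside the database the log lives in.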
Configuration of test environment in PGW
A new configuration parameter, testenvironment, has been added to the cm-gateway.properties file in Protocol Gateway.
This parameter enables upcoming test-related features and must not be enabled in production.
Changed functionality
Authorities
To accommodate Signing Authorities, and to make Registration Authorities more visible alongside Certificate Authorities, AWB menus and dialogs have been aligned. Where it previously said "CA", it now says "Authorities". An Authority in CM can be of type "Certificate Authority" (CA), "Signing Authority" (SA), or "Registration Authority" (RA). For more information, see Authority administration tasks in Certificate Manager.
New mediatype 'data' in CM REST API procedures endpoint
Added a new mediatype 'data' for the procedures endpoint in the CM REST API. Setting this mediatype in the request will return all available Token Procedures in the system which can be used on the CM REST API signatures endpoint. See Certificate manager (CM) REST API for more information.
Intune provider URLs
It is now possible to use other Intune providers than the default (Microsoft). This is enabled with the new URL configuration parameters in scep.properties configuration file.
Added support for PostgreSQL 15 and 16
Support for PostgreSQL database version 15 and 16 has been added.
Removed support for PostgreSQL 12
Support for PostgreSQL database version 12 has been removed because that version reaches end of life later this year.
Removed support for checkkeylength.minkeylength
Support for the previously deprecated (from CM 7.8.2) property checkkeylength.minkeylength in file config/certformats/rfc5280.conf has been removed.
Make sure the algorithm specific settings are used instead:
checkkeylength.rsa-minkeylength
checkkeylength.dsa-minkeylength
checkkeylength.ec-minkeylength
Contact and support
For information regarding support, training, and other services in your area, visit www.nexusgroup.com/. Nexus offers maintenance and support services for components to customers and partners.
For more information, go to Nexus Technical Support or contact your local sales representative.