Skip to main content
Skip table of contents

Release notes Certificate Manager 8.12

Release date: 2025-04-04

Release.txt

Detailed information about changed functionality, deprecated functions, corrected problems, and known issues is included in the Release.txt file. The file is provided with the installation media.

Important note regarding Java 21:
Avoid algorithms that are weak or non-compliant with modern security standards, as updating to Java 21 enforces algorithm constraints more strictly than previous versions. 

disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, SHA1

legacyAlgorithms=SHA1, RSA keySize < 2048, DSA keySize < 2048, DES, DESede, MD5, RC2

Overview of main new features

Support for ML-DSA and SLH-DSA algorithms

CM now supports ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) algorithms for CAs and end-user certificates issued through the RA, CM SDK and CM REST API.
Implemented as per the following drafts:

  • draft-ietf-lamps-dilithium-certificates-07

  • draft-ietf-lamps-x509-slhdsa-04

ML-DSA and SLH-DSA algorithms can be configured in a CIS device, for more details refer to: cis.conf and algorithms.conf.

Support for QC statement esi4-qcStatement-7

CM now supports issuing certificates with the QC statement esi4-qcStatement-7 defined in ETSI EN 319 412-5 V2.4.1. This means CM now supports all QC statements defined in ETSI EN 319 412-5 V2.4.1.

RFC 5280 certificate attribute value length verification

Adds a new certificate format (rfc5280_strict.conf) which verifies that the values that is to be added to the attributes of the certificate subject RDN complies with the upper bounds specified in RFC 5280. See 'CheckContextParameterLength' in CM Technical Description for details.

Support for CMP revocation via RaVerified

CM now supports revocation over CMP only through raVerified. Implemented according to rfc4210. The current support does not include the crls (CertificateList) in the RevRepContent.

Changed functionality

New iD2ppa version for KGS and card profiles

A new version 5.15 of iD2ppa.dll for KGS has been added. It adds support for Siemens CardOS V6.0.
New card profiles:

  • RaP15Siemens53DI_2FCa1P_1024_OKG.cpf

  • RaP15Siemens53DI_2FCa1P_2048_OKG.cpf

  • RaP15Siemens53DI_2FCa1P_2048_OKG_KAR_Transport.cpf

  • RaP15Siemens60DI_2FCa1P_2048_OKG.cpf

  • RaP15Siemens60DI_2FCa1P_2048_OKG_KAR_Transport.cpf

Contact and support

For information regarding support, training, and other services in your area, visit www.nexusgroup.com/. Nexus offers maintenance and support services for components to customers and partners.

For more information, go to Nexus Technical Support or contact your local sales representative.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close