
Release notes Certificate Manager 8.13.0

Release date: 2025-07-03

Release.txt

Detailed information about changed functionality, deprecated functions, corrected problems, and known issues is included in the Release.txt file. The file is provided with the installation media.

Overview of main new features

Support for the Latest SLH-DSA Draft

CM now supports draft-ietf-lamps-x509-slhdsa-08, the latest SLH-DSA specification published on May 30, 2025.

Support for ML-KEM algorithms

CM now supports ML-KEM (FIPS 203) for end-user certificates issued through the RA, CM SDK and CM REST API with keys generated client side.
Implemented as per the following drafts:
draft-ietf-lamps-kyber-certificates/

CMP supports fetching of the latest CRL

It is now possible to get a copy of the latest CRL via the CMP protocol. See RFC 4210 section 5.3.19.6.

ExpiredCertsOnCrl is now extended to set a customized value

Users can now set extension.expiredcertsoncrl.value; the configured value replaces the CA FromValidity.

Example:
extension.expiredcertsoncrl.value=20240101130000Z
extension.expiredcertsoncrl.replace=TRUE

KAR external key archival endpoint support in REST API

REST API is extended to archive keys for issued certificates with the 'keyarchival' endpoint. It accepts a PKCS#12 token or an X509 certificate with PKCS#8 private key as input. For more information see swagger.yaml.

KAR recover endpoint support in REST API

REST API is extended to recover archived keys with the 'keyrecovery' endpoint. It returns an archived key and certificate as a PKCS#12, or the private key as PKCS#8. If the password is not specified in the request body, it is returned in the HTTP header.
For more information see swagger.yaml.

CF/importPKI tool support for importing malformed certificates

CF and the importPKI tool now support importing malformed certificates that have the UniqueIdentifier encoded as a PrintableString instead of a BitString. Additionally, support has been enabled for importing keys in P12 format for KAR, which are associated with such certificates.

CA Certificate Serial Number Configuration

The SerialNumber for CA certificates can now be configured to a length between 2 and 20 bytes using the configuration parameter:
signer.certserialnumberlength
This setting applies exclusively to CA certificates and must be specified within the appropriate configuration format.
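The following check is an added example, not code from CM or from the release notes. It shows how a serial number of a chosen byte length maps onto its DER INTEGER encoding and how to verify an issued CA certificate's serial against the configured length. It assumes the configured length means the DER content octets of the serialNumber field, which the note does not state; the function names are hypothetical.

```python
import secrets

MIN_LEN, MAX_LEN = 2, 20  # range given for signer.certserialnumberlength


def der_integer(value: int) -> bytes:
    """DER-encode a non-negative INTEGER (short-form length only)."""
    if value < 0:
        raise ValueError("serial numbers must not be negative")
    # A set top bit would read as negative, so DER adds a 0x00 pad byte.
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return bytes([0x02, len(body)]) + body


def new_serial(length: int) -> int:
    """Random positive serial whose DER content is exactly `length` bytes."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}..{MAX_LEN} bytes")
    raw = bytearray(secrets.token_bytes(length))
    # Force the first byte into 0x40..0x7F: no pad byte, no shrinking.
    raw[0] = (raw[0] & 0x7F) | 0x40
    return int.from_bytes(raw, "big")


def check_serial(encoded: bytes, configured: int) -> list[str]:
    """Return findings for a DER INTEGER taken from a CA certificate."""
    if len(encoded) < 3 or encoded[0] != 0x02 or encoded[1] != len(encoded) - 2:
        return ["not a short-form DER INTEGER"]
    body = encoded[2:]
    findings = []
    if body[0] & 0x80:
        findings.append("negative serial number")
    if len(body) > MAX_LEN:
        findings.append(f"{len(body)} content bytes exceeds {MAX_LEN}")
    if len(body) != configured:
        findings.append(f"{len(body)} content bytes, configured {configured}")
    return findings


if __name__ == "__main__":
    for n in (2, 8, 20):
        print(n, check_serial(der_integer(new_serial(n)), n))
    # Constructed counter-example: 20 raw bytes with the top bit set.
    padded = der_integer(int.from_bytes(b"\xff" * 20, "big"))
    print(check_serial(padded, 20))
```

The constructed counter-example shows why 20 random bytes cannot be used unmodified: a set top bit forces a pad byte, giving 21 content octets, which exceeds the 20-octet limit in RFC 5280.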

Client IP address logging configurable in PGW

A new configuration parameter has been introduced to enable logging of the client IP address that initiates requests to PGW at the INFO log level.
See cm-gateway.properties.

CM REST API Procedure details endpoint returns more details

Procedure details endpoint in the CM REST API now also returns the "authoritydn", "certid" and "authorityname" for certificate procedures and signing procedures.
See swagger.yaml for more details.

In swagger.yaml "issuerdn" was previously described as being returned in the details of signing procedures. This was incorrect and swagger.yaml has been corrected.

V2X Warning if EA or AA certificates might get expired

If the remaining validity of the EA or AA certificate drops below 100 days, a WARNING level message is written to the logs. E.g. "Warning: AA certificate will expire in 100 days, please renew it."

If the certificate is expired, or will expire during the 84 days for which we create enrollment certificates, a SEVERE message is written to the log. E.g. "Error: EA certificate is expired or it will expire within 12 weeks, terminating"

Changed functionality

Block CXLs with signer digest in composite CXL for V2X

CXLs with a signer digest can now be configured not to end up in the composite CXL. Use the configuration parameter v2xcompositecxl.blockCxlsWithDigest for the wanted CXL format.

Adds support for PostgreSQL 17

Support for PostgreSQL database version 17 has been added.

Adds support for Windows Server 2025

All our server components, client components, WinEP Service and KGS are now compatible with Windows Server 2025.

Contact and support

For information regarding support, training, and other services in your area, visit www.nexusgroup.com/. Nexus offers maintenance and support services for components to customers and partners.

For more information, go to Nexus Technical Support or contact your local sales representative.
