KeyTalk virtual application server
----------------------------------

KNOWN ISSUES
----------------------------

Microsoft's Intune PFX Helper project (https://github.com/microsoft/Intune-Resource-Access/tree/develop/src/PFXImportPowershell), required for S/MIME enrollment using Intune, has a compatibility issue with PowerShell. KeyTalk has released its own update of the project until Microsoft adopts it or changes it themselves. Should your PowerShell 7.x not be able to run the original, kindly use https://downloads.keytalk.com/downloads/tools/IntunePfxImportHelper.zip and load the module with:

Import-Module \IntunePfxImport.psd1 -UseWindowsPowerShell

Despite New Outlook being rolled out in many companies around the world, it still does NOT support S/MIME for Windows properly. For more info kindly see:
- https://learn.microsoft.com/en-us/officeupdates/release-notes-outlook-new

Quick references
----------------------------

S/MIME for Intune configuration:
- https://downloads.keytalk.com/downloads/documents/Intune_SCEP_KeyTalk_EntraID_EnterpriseApp_Registration_20240923.pdf
- https://downloads.keytalk.com/downloads/documents/Intune_PFXConnector_instructions_20240923.pdf
- https://downloads.keytalk.com/downloads/documents/Intune_SMIMEtrustConfiguration_20240923.pdf

KeyTalk and ACME:
- https://downloads.keytalk.com/downloads/documents/KeyTalkAcmeServer.pdf

Open source projects used by KeyTalk:
- https://downloads.keytalk.com/downloads/documents/KeyTalk_UsedLib&Tools.txt

RELEASE NOTES of KeyTalk virtual application server
---------------------------------------------------

server-7.8.5, 2 September 2025
---------------
CHANGED: Improved logging in SSL Scanner
CHANGED: Updated Exchange Online module versions to v3.9
FIXED: Entra ID Shared Mailbox search failing due to expiring authentication token

server-7.8.4, 28 August 2025
---------------
ADDED: Support for Entra ID Key Vault beta (Azure Key Vault)
ADDED: Show seat license usage statistics on the main page for managers/operators
ADDED: Allow configuring license depletion notification threshold both in percentage as well as absolute values
CHANGED: Less frequent firing of KeyTalk Db Garbage Collector to reduce the load on the Db
FIXED: Notify delegated admins and only direct certificate owners on successful or failed issuance of seat certificate

server-7.8.3, 15 August 2025
---------------
CHANGED: Rename DigiCert Secure Email for Business product to Secure Email for Employee
CHANGED: Allow configuring seat SAN when adding internal RA user
CHANGED: Allow configuring seat First Name and Last Name when adding or configuring internal RA user

server-7.8.2, 12 August 2025
---------------
ADDED: Allow configuring seat SAN from internal RA page
FIXED: Allow enrolling DigiCert Secure Email for Business certificates for multipurpose profile

server-7.8.1, 28 July 2025
---------------
CHANGED: Do not overwrite HWSIG of learn-always slot bound to the best reused certificate during HWSIG verification
CHANGED: Single point of administration for certificate attributes defined on seat and Internal RA level
CHANGED: Tolerate mistyped values for SAN UPN

server-7.8.0, 18 July 2025
---------------
ADDED: Allow specifying domains in the agent task to be added to the certificate SAN DNS
FIXED: Email sending script as example for Windows agents supporting custom PowerShell scripting
FIXED: Dashboard showed public certificate information for unauthorized defined local accounts

server-7.7.11, 16 July 2025
---------------
ADDED: Allow matching against multiple OUs for certificate-based logins
ADDED: Allow bypassing system HTTP proxy for communicating with MS AD CS via SCEP
ADDED: Entra ID OAuth SMTP authentication
ADDED: Extend supported signing algorithms
ADDED: Email assigned managers/operators on automated renewal of SCEP RA certificates
ADDED: Allow managers to configure F5 and Fortigate settings on the eligible templates
ADDED: Errors fetching Given Name and Surname mapped attributes from RAs will fall back to 'MyName' and 'FamilyName' respectively
CHANGED: Speed up loading of the main page
FIXED: Ordering DigiCert Secure Email for Business certificates

server-7.7.10, 30 June May 2025
---------------
ADDED: Allow changing seat First Name and Second Name from seat page
ADDED: Store First Name and Second Name supplied by user on internal RA for OTP logins against S/MIME BR 2025-compliant CA products
CHANGED: Discontinue S/MIME Class 2 Premium DigiCert Central product; all templates configured to this product are moved to DigiCert Secure Email for Business
CHANGED: Allow (automatic) enrollment of SMB certs against S/MIME 2025 BR-compliant CA products by providing bogus First Name and Last Name
CHANGED: Allow pushing non-expired and non-revoked seat certificates to EXO, LDAP/AD, F5, Mobile Iron and Intune regardless of whether they obey the reuse validity margin
FIXED: Missing SAN email certificate attribute mappings for DigiCert Secure Email for Business
FIXED: Permissions for operator

server-7.7.9, 24 June May 2025
---------------
ADDED: Protection of KeyTalk management UI port 3000 against forced Ubuntu update changes

server-7.7.8, 16 May 2025
---------------
ADDED: Add detection of the disabled unsafe TLS renegotiation case and settings to enable it
CHANGED: Demand Given Name and Surname to order certificates from S/MIME BR 2025-compliant CA products. These attributes can be supplied either via RA overwrites or via KT app when OTP is in effect. The supported CA products are:
- GlobalSign GCC ePKI S/MIME
- GlobalSign Atlas S/MIME
- DigiCert Central Secure Email For Business
CHANGED: Do not demand that signing algorithms match when looking up in the Db the CSR matching a certificate to be imported

server-7.7.7, 27 May 2025
---------------
ADDED: Diagnose failed TLS connection when trying to scrape OTP from SCEP/NDES admin page
CHANGED: Allow empty Organization attribute match for certificate logins
FIXED: Authorization for divisions (containers) for DigiCert Central requests

server-7.7.6, 21 May 2025
---------------
ADDED: Allow fetching SMBs via RCDP for any authentication method used

server-7.7.5, 19 May 2025
---------------
ADDED: Support for CloudSSL GlobalSign GCC product
FIXED: Render regular page with human-readable error on Db configuration error instead of HTTP 500
FIXED: Make seat authentication respect caller's HWSIG when locating the right authentication certificate on the server

server-7.7.4, 12 May 2025
---------------
ADDED: Extra error logging when handling Kerberos requests
ADDED: Preparatory work to support EST (Enrollment over Secure Transport protocol)
FIXED: Incorrect SAN entries after Entra ID Shared Mailbox/User search

server-7.7.3, 7 May 2025
---------------
ADDED: Preparatory work to support seats with EC keys
ADDED: Preparatory work to support CMP (Certificate Management Protocol)
ADDED: CRL Sign KU to the generated private CAs
FIXED: Failing Shared Mailbox/User Entra ID cross-template tenant search
FIXED: Allow reusable seat certificate not meeting margin threshold to be used for seat authentication

server-7.7.2, 24 April 2025
---------------
ADDED: Entra ID User search UPN filtering
ADDED: Entra ID Shared Mailbox search UPN filtering
CHANGED: Shared Mailbox membership costs a seat one extra license regardless of the number of memberships

server-7.7.1, 22 April 2025
---------------
ADDED: Enforce seat authentication to use User ID and computer name
ADDED: Allow configuring the number of webserver worker processes
ADDED: Check the user is active at the configured RA as a part of seat-based authentication
ADDED: Entra ID User search similar to Shared Mailbox search
ADDED: Updating Exchange Online "UserSmimeCertificate" attribute in addition to "UserCertificate"
CHANGED: Remove RADIUS RA
CHANGED: Remove REST RA
CHANGED: Increased verbosity of SMTP mail sender
CHANGED: Increase max number of simultaneous connections in local Db
CHANGED: Increase min buffer size for JOINs in local Db
CHANGED: Increase InnoDB buffer pool size and redo log capacity in local Db
FIXED: Allow re-login as local admin in order to fix Db incompatibility errors (caused by cluster fw upgrade) and Db connection errors
FIXED: Fetching user's own certificates instead of shared mailbox ones

server-7.7.0, 7 April 2025
---------------
ADDED: Allow multiple lighttpd worker processes to improve performance of handling a large amount of connections on multi-core systems
ADDED: Support for divisions (containers) in DigiCert Central certificate order requests
ADDED: Statistics on the amount of seats and seat certificates to PR
CHANGED: Lower the impact on the system load produced by the CAD Key pre-generator task
CHANGED: Lower the impact on the system load produced by the CAD Seat Certificate Revocation task
CHANGED: Lower the impact on the system load produced by the Seat Listing task
FIXED: Allow Unicode symbols in username of email address and MS UPN

server-7.6.15, 1 April 2025
---------------
ADDED: Allow optionally including SMB certificates in seat certificate download archive
ADDED: Reload rsyslog after the logs get rotated to avoid logging getting stuck
ADDED: Recreate missing log files to help rsyslog
ADDED: Piggy-back keep-alive interval in the response to i-am-alive Public API request
CHANGED: Lower log verbosity of AD and RDD daemons
CHANGED: Lower throttling of AD
CHANGED: Enforce log severity to * for rsyslog-enabled apps
CHANGED: Disallow altering local log severity from WebUI to facilitate troubleshooting
CHANGED: Make log rotation less CPU-intensive

server-7.6.14, 24 March 2025
---------------
ADDED: Increase capacity of the incoming connections queue for lighttpd/RDD
ADDED: Extra diagnostics on logs and lighttpd runtime status in PR
CHANGED: More frequent log rotation to tackle heavy loads
CHANGED: Truncate large logs before rotation
CHANGED: Remove logs older than 2 weeks
CHANGED: Reduce lifetime of RCDP session 30 -> 10 minutes
CHANGED: SSL Scanner's SNI field is from now on a boolean switch which, if enabled, will attempt to auto-detect SNIs and retrieve certificates accordingly

server-7.6.13, 19 March 2025
---------------
FIXED: Pushing certificates to F5 that previously had legacy names
CHANGED: Increase max amount of active KT agent (RCDP) sessions 1024 -> 10240

server-7.6.12, 17 March 2025
---------------
ADDED: Allow mass-replacing spaces with dots in seat names
FIXED: Order DigiCert certificates for products having allowed order validity periods configured by admin

server-7.6.11, 12 March 2025
---------------
ADDED: Running F5 certificate management in insecure mode for ignoring SSL errors
FIXED: Clearer reporting on non-availability of security update servers

server-7.6.10, 10 March 2025
---------------
ADDED: Retrieval of SMB certificates in RCDP using out-of-band download URL
ADDED: Allow searching, filtering and removing SSL Scanner results
ADDED: Allow importing found certificate to seats with the SSL Scanner tool
ADDED: Push Shared Mailbox certificates to Intune for existing members
ADDED: Remove Shared Mailbox certificates from Intune for removed members
ADDED: Print Entra ID UPN in log files along with user account name
ADDED: Generate strong passwords for new users when no password is provided
ADDED: Allow deleting RCCD records listed under templates
ADDED: Allow stopping daemons when generating Problem Report and starting them back afterwards
ADDED: Support for Microsoft Remote Desktop Authentication EKU (OID 1.3.6.1.4.1.311.54.1.2)
ADDED: Allow revoking historical certificates
CHANGED: Treat empty "certificate" JSON attribute in the certificate order status response as if the certificate is not yet available
CHANGED: Always send historical S/MIME certificates to KeyTalk agent; removed the corresponding template-wide configuration flag on the server
FIXED: Publish certificates to Intune, Mobile Iron, Workspace ONE, F5 and Fortinet
FIXED: Automated fw upgrade triggered by KeyTalk upgrade daemon fails for all but the first KeyTalk server instance because of incompatibility of remote Db schema
FIXED: Externally-uploaded CRL expired because of missing CRL updates from KeyTalk server
FIXED: CRL without revoked certificates was not published, hence causing HTTP 404 when trying to access it
FIXED: Published CRL might erroneously include previously revoked certificates not issued by the given issuer (e.g. when the issuer got changed along the way)
FIXED: Do not redirect plain HTTP URLs such as CRL or public API requests to HTTPS
FIXED: Allow pushing to F5 for certificates bound to SSL profiles based on latest release version
FIXED: IP address appearing during GlobalSign GCC domain ID lookup no longer causes the entire match to fail

server-7.6.9, 5 February 2025
---------------
ADDED: Allow bypassing system HTTP proxy for communicating with F5 API endpoint
CHANGED: SSL scanner UI has been updated and improved
CHANGED: Defaults for new templates, new internal RAs and App Description
FIXED: Disallow HTTP OPTIONS requests to somewhat complicate Web attacks

server-7.6.8, 29 January 2025
---------------
ADDED: Allow merging two seats, combining the certificates of both
CHANGED: Extend the SAN DNS RA rule to allow any character to follow computer name
FIXED: Initializing of certificate CN from the first entry of SAN DNS did not happen for ACME enrollments

server-7.6.7, 22 January 2025
---------------
ADDED: Template-wide setting to initialize certificate CN from the first entry of SAN DNS
CHANGED: Extend the RA rule to set SAN DNS to also use computer name for CN, Seat Name and SAN DNS
CHANGED: Moved the notifications on S/MIME certificate expiration to their owners to the "Messages and Workflow" section
FIXED: Only show connectivity warning on non-accessible HTTP port 80 when KeyTalk Ubuntu Repo configuration includes a repo accessible over plain HTTP

server-7.6.6, 17 January 2025
--------------------------------
ADDED: Rule to set SAN DNS in certs after authentication against internal, LDAP or Azure RA

server-7.6.5, 13 January 2025
--------------------------------
ADDED: Allow optionally revealing Entra ID Client Secret
ADDED: Allow exporting accounts to CSV
ADDED: Make cert&key owner created or updated from the seat meta page inherit the caller's template and tenant assignments
ADDED: Template-wide flag to let cert&key owners be notified on certificate expiration
ADDED: Template-wide flag to let managers, power operators, operators and cert&key owners be notified on successful issuance of a certificate
ADDED: Template-wide flag to let managers, power operators, operators and cert&key owners be notified on failed issuance of a certificate
ADDED: Template-wide flag to let managers, power operators and operators be notified on successful publishing of seat certs CRL
ADDED: Template-wide flag to let managers, power operators and operators be notified on failed publishing of seat certs CRL
CHANGED: Increased the space in the Db allocated for SAN entries

server-7.6.4, 15 December 2024
--------------------------------
ADDED: FortiGate Certificate management (beta)
ADDED: Allow downloading SCEP RA certificate bundle
FIXED: Kerberos authentication by reverting to the system Kerberos libraries

server-7.6.3, 5 December 2024
--------------------------------
ADDED: The SSL scanner scan form can now receive multiple endpoints separated by comma, as well as IP ranges in CIDR format
ADDED: Template-wide flag to add CN to SAN DNS in the certificate
CHANGED: SSL scanner UI has been improved and fields have been added to the result table
FIXED: Template page shows tenants not assigned to the given role
FIXED: Restrict the rights to alter tenants to admin only
FIXED: Fw upgrade always schedules removal of Kerberos system dependencies

server-7.6.2, 25 November 2024
--------------------------------
ADDED: Support for fetching Ubuntu updates via https
CHANGED: Updated defaults for creating templates, RCCDs and private CAs
FIXED: Too generous notifications on reaching seats quota
FIXED: Invalid calculation of the duration of DigiCert renewed orders
FIXED: System dependency on KeyTalk Kerberos libraries

server-7.6.1, 6 November 2024
--------------------------------
FIXED: RDD fail-stop

server-7.6.0, 6 November 2024
--------------------------------
ADDED: Alpha release of SSL Scanner
ADDED: Allow managers to copy templates; the copied template gets assigned to the manager and becomes a member of each tenant assigned to the manager
ADDED: Allow managers to enable ACME via Admin API on the templates they are eligible for
CHANGED: Upgraded jQuery from 2.1.4 to 3.7.1
CHANGED: Upgrade KRB5-Mit from 1.19.4 to 1.21.3
FIXED: Make sure daemons re-read Db configuration when Db encryption key changes
FIXED: More robust parsing of CSR challenge password by Generic SCEP server
FIXED: Prevent writing encrypted keys to the Db when incompatible Db encryption is detected in KeyTalk cluster
FIXED: Discard certificate attribute overwrites coming from RA having empty values
FIXED: Capped the memory usage of the gRPC library

server-7.5.12, 10 October 2024
--------------------------------
FIXED: Disable implementation-defined check of SCEP request transaction ID against the fingerprint of the CSR pubkey in Generic SCEP server

server-7.5.11 (1 October 2024)
--------------------------------
ADDED: Log in using Multi-factor authentication mapping Entra ID Security groups into KeyTalk User/Role
ADDED: Allow static challenge-password for Generic SCEP
FIXED: Remove unnecessary sudoers commands enabled for keytalk user
FIXED: Dashboard certificate download link in Seat listing

server-7.5.10 (13 September 2024)
--------------------------------
ADDED: Allow specifying SAN when creating seat
ADDED: Allow altering seat SAN
ADDED: Allow configuring SMB enrollment from WebUI
ADDED: Allow enforcing account password complexity
ADDED: Allow enrolling seat certificates and private CAs having 3072-bit RSA keys
ADDED: Use yescrypt hashing algorithm to store passwords of KeyTalk internal accounts
ADDED: Path traversal pattern sanity checks for ZIP and TAR/TGZ files submitted to KeyTalk
ADDED: Allow enforcing KeyTalk settings backup
ADDED: Allow downloading enrolled certificate requests with or without trust chain
ADDED: Key size seat property, which takes preference over the key size defined template-wide
ADDED: Allow specifying S/MIME certificate purpose when generating RCCD
ADDED: Log in using Multi-factor authentication and mapping Entra ID User properties into KeyTalk User/Role
CHANGED: Restrict the possibility to alter Db settings to the system administrators
CHANGED: Updated Thales Luna HSM Network client software to v10.2.7
CHANGED: Do not log session ID for WebUI and RCDP communications
FIXED: Automatic Shared Mailbox S/MIME certificate enrollment
FIXED: Failed authentication against Internal Db caused by using wrong hash
FIXED: Lowered RAM usage by CAD caused by periodic seat archiving task
FIXED: Allow parsing CSR with legacy headers
FIXED: Allow upgrading Db for non logged-in user
FIXED: Optimize importing settings to avoid "Got a packet bigger than 'max_allowed_packet' bytes" errors
FIXED: Disallow redirection from login page to a user-defined URL

Server 7.5.9 (11 July 2024)
--------------------------------
CHANGED: Disabled Shared Mailbox S/MIME automated enrollment for Exchange Online (manual is still possible)

Server 7.5.8 (10 July 2024)
--------------------------------
ADDED: Admin API to create tenants
ADDED: Admin API to specify ID and external order IDs when copying TEMPLATE
ADDED: Admin API to enable ACME on the TEMPLATE
ADDED: External customer ID and external order IDs attributes to TEMPLATE
ADDED: Include workflow reference in the seat certificate report
CHANGED: Expand Seat Meta information by default
CHANGED: Make Owner optional in Seat Meta information
FIXED: Filtering on Workflow in Dashboard
FIXED: Editing MFA settings by non-admin users
FIXED: Showing all tenants for managers / power operators
FIXED: Missing certificates in Dashboard statistics
FIXED: Not enrolling certificates for found Shared mailboxes and members

Server 7.5.7 (3 July 2024)
--------------------------------
ADDED: Public API call to check whether the given seat certificate is known to have TPM key attestation
ADDED: 'workflow reference' meta field to a seat
ADDED: Protection against brute-forcing password logins
ADDED: Check that the certificate expiration threshold does not exceed or equal the minimal validity of a reused certificate
CHANGED: Disallow auditor from accessing settings page and problem report generation page
CHANGED: Use .CER instead of .PEM extension for downloaded certs w/o keys in PEM format
CHANGED: Improve Account Management Web UI
FIXED: Failing LDAP User search when using TLS connection
FIXED: Failing Shared Mailbox search with Schema Property extensions

Server 7.5.6 (25 June 2024)
--------------------------------
FIXED: Potential command injections where user input is passed to CLI
FIXED: Empty Account list due to Proxy settings

Server 7.5.5 (22 June 2024)
--------------------------------
ADDED: Allow customizing subject, SAN, key size and signature algorithm matching rules for CSRs coming into KeyTalk via REST API or via import
ADDED: Allow specifying CRL validity duration for seat CRLs and for private CA CRLs
ADDED: Split CDP configuration from certificate configuration when generating private CA certificates
ADDED: Add Entra ID Multi-factor authentication
ADDED: Allow User role changing
ADDED: Allow downloading enrolled CSRs imported from the seats page
CHANGED: Allow configuring validity of the internally generated CAs and certs from 0 to 100 years
CHANGED: Modernize Account administration Web UI
CHANGED: Increase JWT Key size to 256 bits and force refreshing on RDD service (re)start
FIXED: Require old password when setting a new one for own account
FIXED: Invalidate user's login session on the server after the user logs out
FIXED: Command injection in connectivity check feature

Server 7.5.4 (10 June 2024)
--------------------------------
CHANGED: CN submitted in signing request for DigiCert OV, EV and DV products is taken from CSR CN or, when empty, from the first item in CSR SAN DNS (i.e. -d parameter in ACME agent)

Server 7.5.3 (07 June 2024)
--------------------------------
ADDED: Allow importing discovered F5 certificates to KeyTalk
ADDED: Allow importing binary (ASN.1) PKCS#7 certificates
ADDED: Store failed authentication details for seat enrollment
ADDED: Support for KDC Authentication EKU (OID 1.3.6.1.5.2.3.5) in certificate template settings
ADDED: Support for IP security IKE intermediate EKU (OID 1.3.6.1.5.5.8.2.2) in certificate template settings
ADDED: Allow on-demand generating and publishing CRL for seat certificates of the given template
ADDED: Allow on-demand generating and publishing CRL for private CA tree certificates
ADDED: Power operator role having the same rights as manager except for altering TEMPLATEs
FIXED: Improve domain name validation
FIXED: Auto correction for Internal RA configuration

Server 7.5.2 (22 May 2024)
--------------------------------
CHANGED: Tolerate ill-formed SAN entries in KeyTalk Internal Db
CHANGED: Enforce the template-wide cert renewal threshold on all seats of this template

Server 7.5.1 (17 May 2024)
--------------------------------
ADDED: Allow configuring keep-alive interval to be sent by KeyTalk agents
ADDED: Register seat-wide keep-alives sent by KeyTalk agents
ADDED: Add Entra ID Seat name lookup for Shared Mailboxes and members
CHANGED: Allow customizing CN with KeyTalk SES agent over OTP authenticated against KeyTalk internal CA
FIXED: Configuring fallback values for LDAP attribute mappings
FIXED: Misleading WebUI error about not configured LDAP service account
FIXED: Allow enrolling seats against KeyTalk internal CA having MS UPN in SAN

Server 7.5.0 (13 May 2024)
--------------------------------
FIXED: SEAT data fetch bug

Server 7.4.9 (09 May 2024)
--------------------------------
ADDED: Control the acceptance of certs&keys scraped by Windows Certificate Scanner agent (v7.4.9)
ADDED: Control the purpose of the certs&keys scraped by Windows Certificate Scanner agent (v7.4.9)
ADDED: Control the stores to look up for the certs&keys scraped by Windows Certificate Scanner agent (v7.4.9)
ADDED: Store the last Intune SCEP seat enrollment error and show it under the seat page
ADDED: Autocorrect malformed SAN entered by users on Internal RA page and certkeys pages

Server 7.4.8 (29 April 2024)
--------------------------------
FIXED: Error trying to access seat
FIXED: Cut off redundant historical certificate columns when exporting seats from Import/Export seats page
CHANGED: Cap max amount of historical certificates exported from Import/Export seats page to max 100

Server 7.4.7 (23 April 2024)
--------------------------------
FIXED: Certificate templates no longer show all fields, only relevant fields
FIXED: Certificate template trusted CA connection test queries
ADDED: Allow saving and loading private CA tree configuration
ADDED: Add possibility to run Shared Mailbox/LDAP User search at specific daily/weekly times

Server 7.4.6 (19 April 2024)
--------------------------------
ADDED: Allow exporting and importing seats along with their certificates
ADDED: Allow storing SMB member seat information found during SMB search across templates of the same tenant
CHANGED: Unify and extend Intune settings, moving them from Mobile Device Management to the Entra ID page
CHANGED: Automatically replace spaces entered in the name of a newly created TEMPLATE with underscores '_'
CHANGED: Use HTTP instead of TCP servers for connectivity check to honor HTTP proxy settings

Server 7.4.5 (04 April 2024)
--------------------------------
ADDED: Allow requesting certificates of all SharedMailBoxes of a given seat within the same TEMPLATE (not within the same tenant) via KeyTalk REST API. Requires KeyTalk agent 7.4.5 or higher
ADDED: Pop-up message definition for KeyTalk agents when renewing certificates requires a manual interaction

Server 7.4.4 (11 March 2024)
--------------------------------
FIXED: DigiCert CertCentral based DV certificate email based automated approval

Server 7.4.3 (8 March 2024)
--------------------------------
ADDED: Tighten security of HTTP response headers
ADDED: Collect the status of the last seat enrollment attempt
ADDED: F5 Load Balancer Partition support
ADDED: Support for using generic IMAP to automatically approve DigiCert DV orders
ADDED: Secure Email for Business and Secure Email for Organization DigiCert Central products
ADDED: Allow configuring MS Graph URL in Azure RA settings
CHANGED: Shared Mailbox archiving policy
FIXED: Selection criteria for seat certificates considered as "requiring renewal"
FIXED: Dashboard selection criteria for the best seat certificate
FIXED: F5 Load Balancer certificate updating when referred to by Server SSL profiles
FIXED: Manager could see templates not assigned to him when configuring ACME and Generic SCEP
FIXED: Handling of seat certificates having EC keys

Server 7.4.2 (16 February 2024)
--------------------------------
ADDED: Entra ID App Permission testing
ADDED: Allow specifying notification template for the message shown to end-users when KeyTalk agent automatically pops up
ADDED: Allow creating TEMPLATES for enrolling DigiCert DV certs via ACME via Admin API
ADDED: Allow enrolling DigiCert DV certificates for multiple domains
ADDED: Display URL to be used by ACME Agents when configuring a template for ACME
ADDED: Tighten security of HTTP response headers
CHANGED: Entra ID/LDAP improvements (cancellation, throttling, batching, ...)
FIXED: Clean up old system performance metrics statistics to reduce PR size
FIXED: Missing valid SAN fields in imported Shared Mailbox seats
FIXED: Invalid SAN fields coming from LDAP search

Server 7.4.1 (31 January 2024)
--------------------------------
FIXED: Too early notification of S/MIME certificate holders on certificate expiry
FIXED: Allow storing strings with 4-byte Unicode characters in the Db
FIXED: Include On-Prem only users in Intune import
FIXED: Allow certificate rewriting during Intune import
FIXED: Solved missing Shared Mailboxes after search
FIXED: Clean up old system performance metrics statistics to reduce PR size
FIXED: HTTP 404 for long operations such as PR generation or manual fw upgrade
ADDED: Allow excluding the system load statistics from PR file
ADDED: Allow accessing ACME server for multiple TEMPLATES
CHANGED: Treat empty subject attributes as well as empty SAN required by the server as "any" value for enrolling client-supplied CSR
CHANGED: Communicate invalid HWSIG and locked-out user occurring during Kerberos authentication as failed KRB authentication towards KT agents

Server 7.4.0 (17 January 2024)
--------------------------------
ADDED: Support of ACME agent based (for example certbot and winacme) Certificate Lifecycle Management of DigiCert CertCentral based Domain Validated (DV) certificates, using automated DV vetting validation based on e-mail. Until the KeyTalk main manual is updated, refer to:
https://downloads.keytalk.com/downloads/documents/KeyTalkEnrollDigiCertDvCerts.pdf
https://downloads.keytalk.com/downloads/documents/KeyTalkAcmeServer.pdf

Server 7.3.10 (16 January 2024)
--------------------------------
ADDED: Support of WebUI based firmware updates exceeding 1 GB

Server 7.3.9 (11 December 2023)
--------------------------------
ADDED: F5 BigIP management port selection

Server 7.3.8 (11 December 2023)
--------------------------------
ADDED: CSV output script on all managed and historic certificates: /usr/local/bin/keytalk/export-seat-cert-info.py --template=

Server 7.3.7 (9 December 2023)
--------------------------------
FIXED: Remove all Intune stalled certificate (re)publishing requests (not only submitted)

Server 7.3.6 (8 December 2023)
--------------------------------
FIXED: DigiCert CertCentral based class 2 S/MIME naming convention for CN invalid character replacement

Server 7.3.5 (7 December 2023)
--------------------------------
ADDED: Add SSL connection diagnostics for known domains to the PR report
ADDED: Set HttpOnly and Secure flags in WebUI and in RCDP session cookies

Server 7.3.4 (28 November 2023)
--------------------------------
ADDED: Allow filtering TEMPLATES by tenant and signer
ADDED: Allow parsing CSR pasted from KeyTalk log fragment
FIXED: Improve performance of RDD by reusing Db connections
FIXED: Failing Intune republish caused by UPN case sensitivity issue

Server 7.3.3 (21 November 2023)
--------------------------------
ADDED: Allow copying DigiCert API key and GlobalSign GCC username/password across TEMPLATES
ADDED: System load monitoring
CHANGED: Renamed 'template group' to 'tenant'
FIXED: High CPU usage due to excessive Dashboard data fetching

Server 7.3.1 (13 November 2023)
--------------------------------
ADDED: Allow disabling Web-based Certificate Provisioning agent for the TEMPLATE
FIXED: Failing Intune Import due to mixed UPN case

Server 7.3.0 (9 November 2023)
--------------------------------
ADDED: Display and automatically update Intune certificate publishing progress
ADDED: Allow uploading issuer CAs for Public Trusted SSL using DER or PEM format
FIXED: KeyTalk Windows agent before v7.2.3 and Linux agent before v7.2.2 could not authenticate with OTP against the server
FIXED: Allow storing seat certificates to Exchange Online (EXO) from the seats search page and from the seat configuration page
FIXED: Automatically discard Intune certificate publishing requests holding certificates from which UPN cannot be resolved

Server 7.2.12 (7 November 2023)
--------------------------------
ADDED: New mandatory SID parameter in GlobalSign ePKI configuration
ADDED: Add TEMPLATE-wide setting to allow enrolling archived seats, which makes the seat unarchived
FIXED: Simplified RCDP version handshake (now: expect the exact match)

Server 7.2.11 (1 November 2023)
--------------------------------
FIXED: Intune Import Seat mapping by Azure Regular properties
FIXED: Incorrect Seat archiving after republishing Intune certificates
FIXED: Inconsistencies in Intune Import/Publish info in Web UI
CHANGED: Fall back to the latest MobileIron API version should KeyTalk server fail to receive API version from MI endpoint

Server 7.2.10 (29 October 2023)
--------------------------------
ADDED: Mass importing of zip archive containing multiple (if not thousands of) S/MIME certificates without the need for an index.csv file defining the SEAT name. AD/AAD based attribute lookup for SEAT name can be configured based on SAN email address in imported PFX.
ADDED: Update KeyTalk managed and Intune present S/MIME PFX Intended Purpose flag

Server 7.2.9 (5 October 2023)
--------------------------------
ADDED: Allow selecting format for downloading historical seat certificates
FIXED: Always store a seat cert (enrolled or imported) to an available slot. This fix also amends the dashboard issue below
FIXED: Dashboard displaying expired certificate even though a valid certificate exists

Server 7.2.8 (01 October 2023)
--------------------------------
ADDED: Shared Mailboxes support
ADDED: Allow archiving seats having their certificate expired more than 2 months ago (automatically and manually)
ADDED: Extra logging for MobileIron API errors
CHANGED: Allow enrolling and revoking seat certificates as well as storing them to LDAP/AD/MDM/F5 via WebUI regardless of the "certificate reuse" flag set on the TEMPLATE

Server 7.2.7 (24 September 2023)
---------------------------------
ADDED: Allow uploading system CA trust certificates
ADDED: Support for enrolling certificates via ACME protocol (signed by KeyTalk)
ADDED: Allow callers to not specify protocol version in RCDP request, which will effectively select the latest version supported by the server
ADDED: Include CA trust in the enrolled GlobalSign ePKI certificate by fetching it via AIA
ADDED: Allow customizing the application description appearing under the top left KeyTalk logo
ADDED: Mobile Iron MDM UPN mapping
ADDED: Mobile Iron API v11 support
CHANGED: Signing algorithm, key type and key size became recommended rather than obligatory requirements imposed on CSRs submitted to KeyTalk
CHANGED: Allow downloading seat PEM certificate with a key not protected with a password
CHANGED: Do not demand SMTP for automated provisioning of public trusted SSL certificates
FIXED: Slow performance of retrieving run time status of KeyTalk daemons
FIXED: Bogus empty certificates included in the archive when mass downloading certificates for seats
FIXED: Private CA tree generation fails with missing CDP of PCA

Server 7.2.5 (1 September 2023)
------------------------
ADDED: Allow selecting USA and EU accounts for enrolling certificates at DigiCert Central
ADDED: Allow configuring Microsoft Smartcard Login EKU (1.3.6.1.4.1.311.20.2.2) on TEMPLATE configuration and private CA pages
ADDED: Add TEMPLATE-wide flag to control whether a seat name should be used as initial default in seat certificate CN
CHANGED: Do not require CSR to contain subject CN
CHANGED: Allow specifying empty country for generating seat certificate and private CA

Server 7.2.4 (29 August 2023)
------------------------
FIXED: Support for Utimaco CS HSM v4.55 was broken after fw upgrade
CHANGED: Tolerate errors when decrypting non-encrypted keys in the Db

Server 7.2.3 (28 August 2023)
------------------------
ADDED: Add support for Utimaco CS HSM v4.55 next to the already supported v4.31 (via SDK)
CHANGED: Restart CA service on fail-stop instead of halting the entire CAD
REMOVED: Do not store firmware to the Db any more
REMOVED: Do not ping external servers during connectivity check, to not annoy admins who tend to air-gap their servers
FIXED: CDP URL location for locally stored CRLs
FIXED: Respect certificate duration configured by 3rd party CA signers when requesting a seat certificate

Server 7.2.2 (10 July 2023)
------------------------
ADDED: Allow manual importing of discovered certificates from raw JSON produced by KeyTalk SSL Scanner.
(automated import already existed) Server 7.2.1 (08 June 2023) ------------------------ ADDED: Include intermediate CA trust in QuoVadis certificates ADDED: Include MFA client settings in Authentication requirements ADDED: Implement MFA in Web agent ADDED: Allow registering new Internal RA users during authentication CHANGED: Account active seats with a cert or non-empty expiry meta as well as inactive seats with valid&non-revoked cert or meta expiry in the future Server 6.6.3 (08 June 2023) ------------------------ ADDED: Include intermediate CA trust in QuoVadis certificates CHANGED: Account active seats with a cert or non-empty expiry meta as well as inactive seats with valid&non-revoked cert or meta expiry in the future Server 6.6.2 (23 May 2023) ------------------------ CHANGED: Apply LDAP search&match rules after successful Kerberos authentication FIXED: Unable to sign CSR with agents authenticated with Kerberos and having "Use Computer Name" for CN/SAN enabled server-side Server 7.2.0 (22 May 2023) ------------------------ ADDED: RCDP API to store certificate and keys ADDED: SCEP CA NDES OTP periodic fetching CHANGED: Apply LDAP search&match rules after successful Kerberos authentication FIXED: Unable to sign CSR with agents authenticated with Kerberos and having "Use Computer Name" for CN/SAN enabled server-side FIXED: Long shutdown of RDD daemon FIXED: PKCS#12 package with legacy encryption created by KeyTalk could not be opened on mobile devices and on Mac OCX Server 6.6.1 (08 May 2023) ------------------------ ADDED: RCDP API to store certificate and keys FIXED: Long shutdown of RDD daemon Server 7.1.0 (30 April 2023) ------------------------ https://downloads.keytalk.com/downloads/server/OVF_KeyTalk-7.1.0-production_UbuntuServer-22.04.zip ADDED: Backwards compatability to server 6.6.0 shared data CHANGED: Operating System to Ubuntu 22.04 LTS CHANGED: Support for OpenSSL 3.x Server 6.6.0 (25 April 2023) ------------------------ ADDED: Show the amount of 
active accountable seats in the per-TEMPLATE seat accountability overview ADDED: Allow rewriting the value of $(userid) passed to LDAP BIND ADDED: LDAP encoded password support ADDED: LDAP User lookup mode selection ADDED: Configuration flag whether a new firmware is to be installed automatically CHANGED: Allow revoking certificates of an archived seat CHANGED: Allow specifying empty remote directory to store SSH CRL, which will be turned into a home directory on the remote SSH server FIXED: Only use internal CA certificate attributes from the Db which are supported by the configured signer FIXED: /cert-expiration-margin Public API call could not handle missing username and computer name optional arguments Server 6.5.13 (30 March 2023) ------------------------ FIXED: Private-CA Root/PrimaryCA generation expected an AIA value, causing an error Server 6.5.12 (29 March 2023) ------------------------ ADDED: Allow specifying AIA Issuer URL when (re-)generating internal CAs as well as for seat certificates from TEMPLATE configuration page ADDED: Automated LDAP/AD User search and mapping to seats ADDED: Allow selecting algorithm to encrypt PKCS#7 response payload for Generic SCEP server ADDED: Allow removing individual seat using Admin API as well as using WebUI CHANGED: Make all encrypted Db entries use AES-CBC in preparation of full OpenSSL 3.x support CHANGED: Various administrative updates FIXED: TPM attestation server-side failure Server 6.5.11 (07 March 2023) ------------------------ ADDED: Allow signing seat certificates with an extra signing CA CHANGED: Change Db encryption algorithm from AES-CBC-HMAC to AES-CBC because the former is not properly supported in OpenSSLv3 Server 6.5.10 (21 February 2023) ------------------------ ADDED: Allow using $(userid) as well as $(userid)@domain fallback in LDAP/AD RA certificate mappings CHANGED: Show certificate download page as a landing page for self-service CHANGED: Allow logged-in self-service downloading and emailing 
certificate regardless the amount of manageable slots configured for him CHANGED: Improve Ux of fetching seat certificate FIXED: GlobalSign Alpha SSL domain query bug when duplicate domains get submitted in the request Server 6.5.9 (09 February 2023) ------------------------ ADDED: Accept configuration entries with a hyphen '-' in the name in Thales Luna HSM configuration (Chrystoki.conf) ADDED: Allow using SAN email cert mappings in all GlobalSign SSL products FIXED: Allow uploading large amount of TPM endorsement CAs Server 6.5.8 (07 February 2023) ------------------------ ADDED: KeyTalk based OTP support for webbased certificate request agent FIXED: Priveleges for MySQL Server 6.5.7 (01 February 2023) ------------------------ ADDED: The option to automatically email new or renewed S/MIME seat certificate to the holder ADDED: Allow obtaining a certificate using KeyTalk webbased agent ADDED: Mandate a key password to be supplied when downloading seat certificate and key in PEM format ADDED: Require password confirmation to download seat certs CHANGED: Drop the option to upload historical seat certificates to Workspace One UEM FIXED: Failed settings export/backup and incomplete KeyTalk server Problem Report caused by reinforced MySQL server privilege Server 6.5.6 (10 January 2023) ------------------------ CHANGED: Define SAN LDAP Mapping Fallbacks on per-TEMPLATE basis from LDAP/AD RA configuration page Server 6.5.5 (06 January 2023) ------------------------ ADDED: Notify S/MIME certificate holders on expiration of their certificates ADDED: Show the link to the Release Notes on the fw upgrade page ADDED: Send ROCA key digests daily at 12AM ADDED: SAN email LDAP Mapping Fallback value can be defined when the corresponding attribute cannot be queried from LDAP/AD Server 6.5.4 (21 December 2022) ------------------------ ADDED: Admin REST API to create internal RA users ADDED: Report on the seats with GlobalSign ATLAS reported ROCA-vulnerable keys CHANGED: Generic SCEP 
server does not require the subject of the CSR signer to equal the subject of the CSR, ie backwards compatability with older SCEP clients FIXED: Fixed GlobalSign GCC approvers query timeout FIXED: Report on succesful S/MIME to Azure AD UserCertificate attribute writes Server 6.5.3 (07 December 2022) ------------------------ ADDED: Allow resetting notification email templates to the defaults ADDED: Allow publishing seat(s) S/MIME certificates to Azure Active Directory from seats page ADDED: Allow specifying key encryption when publishing Pfx to MDM ADDED: Reduce the TTL of MySQL binary log to save disk space ADDED: Support for enrolling Generic SCEP service certificates using HTTP GET ADDED: Support remote NDES SCEP servers that use HTTP GET to enroll certificates ADDED: Allow checking server health using /public/health-check URL using /public/health-check : 200=Healthy, 521=Not Healthy CHANGED: Do not request SSL certificate for cancelled, removed and revoked domains over GlobalSign GCC mSSL FIXED: Missing PowerShell DLLs for Azure AD / Exchange Online FIXED: Missing auto_restart_fail_stopped_services Db config setting FIXED: Apply Db encryption to Workspace ONE authentication certificate keys Server 6.5.2 (24 November 2022) ------------------------ ADDED: Allow automatically renew seat certificates, controlled by a TEMPLATE-wide setting ADDED: Publish issued S/MIME certificates directly to Azure Active Directory without Azure AD Connect sync CHANGED: Include CertChain flag to the generated RCCDs (always set to True) to support legacy KeyTalk mobile agents FIXED: Perform case-insensitive match of the existing GlobalSign GCC vetted domains when enrolling mSSL domain certificate Server 6.5.1 (11 November 2022) ------------------------ - ADDED: Generic SCEP server - ADDED: Extended MS Enterprise CA connector to work against generic SCEP server, accessible via http or https - ADDED: Generic SCEP client - CHANGED: Renamed SCEP to Intune SCEP - FIXED: Notification 
templates not properly preserved between fw upgrades - FIXED: Bogus notifications sent on previously expired S/MIME certificates regardless the certificate has already been renewed - FIXED: Dashboard failing due to too short back-end timeout Server 6.5.0 (21 October 2022) ------------------------ ADDED: Allow managers and operators to open the first unoccupied slot via Admin REST API CHANGED: Applied various security fixes to SCEP client FIXED: Preserve seat metadata information when importing certificates FIXED: Allow parsing NDES CAs returned by MS Enterprise CA in various orders FIXED: Allow operators to open slot and archive seat via Admin REST API FIXED: Seats without certificates not shown on the dashboard Server 6.4.12 (4 October 2022) ------------------------ ADDED: KeyTalk database connection quality indicator Server 6.4.11 (30 September 2022) ------------------------ ADDED: Allow emailing S/MIME certificate to its holder from the seat page ADDED: Allow choosing key encryption format when downloading seat PFX ADDED: Allow agents to specify which key encryption format to use for Pfx sent over RCDP CHANGED: Limit the amount of disk space used by the system journal logs FIXED: More strict validation of CSRs coming into KeyTalk Server 6.4.10 (19 September 2022) ------------------------ FIXED: Invalidate any existing Db connections on changing Db configuration Server 6.4.9 (16 September 2022) ------------------------ ADDED: Notify managers and admins when seat quota is reached for TEMPLATES assigned to them ADDED: Admin API to open slot, to list and remove TEMPLATEs CHANGED: Include CA trust chain in certificates created by GlobalSign Atlas and DigiCert Central CHANGED: Always include CA trust chain in the created certificate, whenever available FIXED: Improve performance of root, template and seat pages as well as of certificate generation when connected to an external Db FIXED: Prevent periodically stopping daemons after applying fw upgrade FIXED: Use more 
secure algorithm to encrypt private keys in PKCS#12 packages in order to be parsed on systems with OpenSSL v3 (e.g. Ubuntu 22) FIXED: HSM and TPM PKCS#11 libraries conflicted with each other Server 6.4.8 (2 August 2022) ------------------------ ADDED: Allow signing client CSR from TPM with attestation ADDED: Allow enrolling seats from CSRs or certificate requests CSV imported via WebUI ADDED: Notify on expiration of GlobalSign GCC domains ADDED: Notify on expiration of GlobalSign Atlas signing API certificate CHANGED: Start notifying on expiring DigiCert Central and GlobalSign Atlas domain 2 months before expiry CHANGED: Store certificates created by signing client-supplied CSR on the server Server 6.4.7 (22 June 2022) ------------------------ FIXED: SCEP logs do not always show up on the Logs page ADDED: Make Public API available also over plain HTTP port 80, including RCCD download ADDED: Allow keeping the existing seat owner when importing seat certificate ADDED: Keep the existing seat owner when importing seat certificates archive without index Server 6.4.6 (1 June 2022) ------------------------ FIXED: Allow KeyTalk agents authenticating against LDAP configured with OTP (based on OKTA LDAP principle) FIXED: Dashboard malfunctioning when an HTTP proxy is defined Server 6.4.5 (24 May 2022) ------------------------ ADDED: Allow importing seat historical certificates ADDED: Allow including historical certificates when uploading S/MIME certificates to Workspace ONE UEM FIXED: Malfunctioning dashboard page when HTTP Proxy was in effect FIXED: Incorrect notification template towards delegated admins on certificate expiration FIXED: When maxPwdAge was set in Active Directory to 'never expires', the user's password was incorrectly treated as expired Server 6.4.4 (19 May 2022) ------------------------ ADDED: Include certificate expiration date in the certificate revocation and certificate expiry notification emails ADDED: Allow setting SAN of internal RA users from the 
SAN of the associated seats' certificate ADDED: Allow storing and downloading client configuration data (RCCD) from KeyTalk app server FIXED: Allow parsing certificates valid after 2050 Server 6.4.3 (25 April 2022) ------------------------ CHANGED: Seats are counted against the license regardless the presence of a certificate CHANGED: Transactions are also counted for each certificate download and import action FIXED: Archived SEATS are no longer counted against active licenses Server 6.4.2 (15 April 2022) ------------------------ ADDED: Dashboard functionality for statistics and filtering ADDED: Allow agents to fetch certificate expiry margin using REST API call iso relying on the in user.ini setting ADDED: Notify S/MIME certificate holders on expiration of their certificates Server 6.4.1 (4 April 2022) ------------------------ ADDED: Support for Microsoft CA certificate Signer using SCEP/NDES ADDED: Allow moving seats across templates CHANGED: enhanced notification email/SMS with expiry dates and full listing of cert names CHANGED: Several improperly described references Server 6.4.0 (11 March 2022) ------------------------ ADDED: Allow agents to auto-renew seat certificate for multiple templates ADDED: Allow specifying custom URL for Workspace ONE authentication server ADDED: Allow establishing TLS connections to WorkSpace ONE authentication servers configured with weak DH keys ADDED: Allow client certificate authentication against WorkSpace ONE CHANGED: Do not send certificate expiry notifications for archived seats CHANGED: Made "Cannot be Used After" field not obligatory for seat metadata configuration Server 6.3.5 (26 February 2022) ------------------------ ADDED: Allow specifying whether issuing CAs should be included in the Certificate during creation of RCCD CHANGED: Phased out REST API ports 8443 and 4443 in favor for the standard port 443 FIXED: Fix permissions of lighttpd cache, arguably "corrected" by Ubuntu updates FIXED: Importing a key-less 
certificate matching the existing CSR and key yields a seat certificate to be stored without a key Server 6.3.4 (24 February 2022) ------------------------ ADDED: Extended filtering for historical certificates downloads ADDED: Enable KeyTalk agents to fetch and install historical certificates CHANGED: Increase max duration for internally-enrolled CAs and certificates to 25 years CHANGED: Fill in SAN when automatically creating new internal CA users FIXED: Imported certificate did not match it's CSR when the cert's subject included the / symbol FIXED: Make sure the "include chain" flag passed from KeyTalk agents is honored when signing certificates by 3rd party signers (e.g. DigiCert Central) Server 6.3.3 (04 February 2022) ------------------------ ADDED: TEMPLATE-wide config setting to allow self-service downloading key along with certificates ADDED: Added filtering to historical certificates downloads FIXED: Unable to decrypt RSAES_OAEP-encrypted SCEP messages Server 6.3.2 (01 February 2022) ------------------------ ADDED: Allow publishing traffic certificates to F5 Load Balancers ADDED: Monitor and automatically restart KeyTalk services if Daemons are down for more than 30 minutes ADDED: Additional mail templates for monitoring warning purposes ADDED: Automatically renew generated SCEP Communication certificates ADDED: SSL Discovery Admin account capable of importing certificates using Admin REST API (e.g. via SSL Scanner) FIXED: No longer fail to handle certain encrypted SCEP messages FIXED: Inability to establish non-SSL connection to the local KeyTalk Db in Azure-managed environments server-6.3.1 (22 December 2021) ------------------------ ADDED: Allow S/MIME certificates to be uploaded to Workspace ONE UEM (BETA). 
server-6.3.0 (15 December 2021)
------------------------
ADDED: Show system load on the main page
CHANGED: Approval rules are configured per-TEMPLATE
FIXED: Too long load times for seat page
FIXED: Notifying DigiCert Central domain expiration should only be sent to the accounts having organization managing these domains
FIXED: Update Log4Jv2 to 2.16.0 to fix security vulnerabilities CVE-2021-44228 & CVE-2021-45046

server-6.2.12 (01 December 2021)
------------------------
FIXED: All but the first KeyTalk cluster member connected to a remote Db failed to install firmware upgrade
FIXED: Seat's cert&key was available for download as PEM but not as PFX

server-6.2.11 (26 November 2021)
------------------------
ADDED: Allow enforcing approvals for operators to enroll, renew, reissue and revoke certificates
ADDED: Allow enforcing approvals for KeyTalk agents requesting certificates via RCDP API
ADDED: Allow downloading CSR of the latest seat certificate
ADDED: Allow removing historical certificates of a seat
ADDED: Per-TEMPLATE option to disable the 'Archive' function for seats
ADDED: Admin API call to archive a seat
ADDED: Allow for HTML-formatted emails, configured per email template
ADDED: Support for PEM-encoded CVC certificates
CHANGED: Do not show SCEP as Not Running on the Status web page if SCEP is not configured
FIXED: Use a seat-level warning threshold when importing a cert to the existing seat
FIXED: Web Admin interface removed end-lines from notification texts after saving

server-6.2.10 (20 October 2021)
------------------------
ADDED: Per-TEMPLATE setting to optionally ignore subject OUs when matching a certificate being imported against the stored CSR
CHANGED: Check the Internet connectivity asynchronously against OpenDNS and Google DNS, in order not to disrupt the main page load times
CHANGED: Minor UX improvements
FIXED: Do case-insensitive comparison when matching SAN for a certificate to be imported against the stored CSR
FIXED: Operator certificate download leases could not be requested for operators assigned to a TEMPLATE indirectly via a group

server-6.2.9 (08 October 2021)
------------------------
ADDED: Support for importing certificates found by the KeyTalk SSL Scanner
ADDED: Respect email supplied in SAN for enrolling GlobalSign S/MIME ePKI certificates
ADDED: Allow assigning delegated admins and certificate owners to TEMPLATE groups
ADDED: Allow setting per-template default certificate and key meta warning threshold used when creating new seats
CHANGED: CA API and certificate download API serve on port 80 instead of 8000 for plain HTTP connections
FIXED: Prevent automatic settings backup from being performed twice each day
FIXED: License issue causing a maxed license to result in looping certificate requests and other issues

server-6.2.8 (27 Sept 2021)
------------------------
FIXED: TRUSTZONE Alpha SSL wildcard support

server-6.2.7 (22 Sept 2021)
------------------------
ADDED: TRUSTZONE Alpha SSL support
ADDED: Direct firmware upgrade download and install option
ADDED: Support for importing certificates API (used e.g. for integration with KeyTalk SSL Scanner solution)
ADDED: Templates can be combined into groups
CHANGED: Do not mandate OU subject meta data for client certificate / smartcard based logins
CHANGED: Made OTP notification emails configurable
CHANGED: Made DigiCert Central notification emails configurable
CHANGED: Made GlobalSign Atlas domain notification emails configurable
CHANGED: Made automatic firmware upgrade notification emails configurable
CHANGED: Made license notification emails configurable
CHANGED: Made certificate and key revocation and expiration notification emails configurable
CHANGED: Allow admin email notifications on expiry of certificates without metadata
FIXED: Discard dangling KeyTalk LVM snapshots after reboot
FIXED: STARTTLS was used when sending out emails even though the SMTP security settings were configured as 'no-security'

server-6.2.6 (30 August 2021)
------------------------
ADDED: Allow (shallow) disabling GlobalSign-related functionality on WebUI as a configuration option
CHANGED: Revoking an already revoked order issued by a 3rd party CA is considered normal and does not result in a warning on WebUI
CHANGED: SCEP relay ports are changed to ports 80 and 443

server-6.2.5 (27 July 2021)
------------------------
FIXED: Outgoing KeyTalk SMTP based emails contain empty body

server-6.2.4 (23 July 2021)
------------------------
ADDED: Allow copying TEMPLATE & connected Internal DB Registration Authority via Web Management Interface
ADDED: Allow copying TEMPLATE via Admin REST API
FIXED: Support OAEP padding for SCEP enveloped data using KeyTalk's JSCEP server

server-6.2.3 (20 July 2021)
------------------------
ADDED: More detailed notifications to Delegated Admins on cert&key meta expiration
ADDED: Allow using intermediate CAs in Public Trusted SSL certificates
CHANGED: Make KeyTalk return intermediate CAs for incoming TLS connections secured by KeyTalk internal CAs
CHANGED: Allow selecting an existing owner when importing a certificate instead of entering one by hand
CHANGED: Serve SCEP on standard ports 443 and 80 (non-standard ports are not properly supported by Intune for HTTPS)
FIXED: Public Trusted SSL certificate and key was skipped during settings import
FIXED: Protect against LUCKY13 (CVE-2013-0169)
FIXED: TLS enabled DB in combination with SCEP is now possible

server-6.2.2 (08 July 2021)
------------------------
ADDED: Allow defining certificate owner when importing a certificate
ADDED: Allow checking remote server connectivity
ADDED: SCEP logs now visible in Web UI
CHANGED: More user-friendly input of a certificate TTL using years/months/days/hours/minutes instead of a total in seconds
CHANGED: Renamed 'Trusted Mobile SSL' to 'Public Trusted SSL'
CHANGED: Use Public Trusted SSL certificate for all listening SSL ports
FIXED: Allow KeyTalk to correctly function in custom network configurations, e.g. when running in AWS
FIXED: Sign a CSR for the renewed certificate with the key of the original order

server-6.2.1 (30 June 2021)
------------------------
ADDED: New Tools tab to decode CSR
ADDED: Allow decoding Cert&Key meta CSR
ADDED: Allow importing CSRs
ADDED: Allow importing Card Verifiable Certificates (CVC)
ADDED: Automated backup of server settings
FIXED: Serve all WebUI static resources from the application server

server-6.2.0 (11 June 2021)
------------------------
CHANGED: More modern look and feel of WebUI
CHANGED: Renamed WebUI menus: SERVICES -> TEMPLATES, AUTHENTICATION MODULES -> REGISTRATION AUTHORITIES, DEVID USERS -> SEATS
CHANGED: Renamed SERVICE ADMINS to MANAGERS, SERVICE OPERATORS to OPERATORS
CHANGED: Moved certificate reports from DevID submenu to a separate top-menu item
CHANGED: Allow archiving DevID users from "Manage DevID User" page
CHANGED: Disallow manipulations with archived DevID user other than inspecting, removing and unarchiving
ADDED: Disallow cert-based logins having issuer CA revoked
ADDED: Allow removing individual SEATS from "Find Certificates" page
ADDED: Allow changing name for SEATS
ADDED: Show validation status of DigiCertCentral domains on TEMPLATE page
ADDED: Automatically notify template admins and operators on DigiCert Central domain expiration
ADDED: TEMPLATE-based generation of RA certificates for SCEP for Intune purposes

server-6.1.6 (10 May 2021)
------------------------
ADDED: Support for Class 2 S/MIME client side CN value specification

server-6.1.5 (03 May 2021)
------------------------
ADDED: Finalized support for Intune SCEP

server-6.1.4 (20 April 2021)
------------------------
ADDED: Initial implementation of SCEP support (tested for Intune). Current functionality works only for Windows laptops/desktops

server-6.1.3 (08 April 2021)
------------------------
FIXED: Bug affecting most recent issued valid certificate mass downloads has been resolved

server-6.1.2 (23 March 2021)
------------------------
ADDED: All DigiCert OV/EV products, including Thawte & GeoTrust
ADDED: Ability to S/MIME digitally sign emails sent by KeyTalk CKMS

server-6.1.1 (17 March 2021)
------------------------
ADDED: OTP (One Time Password) authentication method with a temporary password sent by email, currently only for RA authentication module InternalDB purposes.
ADDED: Flag to SERVICE template to check whether a certificate request contains email in SAN before submitting the request for signing
ADDED: Allow using DNS, IP and Microsoft UPN in SAN for GlobalSign Atlas products
CHANGED: Close both learn-once and learn-always slots when mass-closing slots from DevID users page
CHANGED: Automatically add subject CN supplied as email to the resulting DigiCert CertCentral S/MIME cert SAN email list
CHANGED: Use OpenDNS values as DNS defaults
FIXED: Allow authentication modules to contain 2 SAN email bindings for DigiCert CertCentral S/MIME class 2 products and a single SAN email binding for DigiCert CertCentral S/MIME class 1 products
FIXED: ComputerName as CN automated mapping to SAN DNS when no active SAN DNS mapping has been configured, for both AD and Azure AD as RA authentication module

server-6.1.0 (20 February 2021)
------------------------------------
CHANGED: Use learn mode ON with first slot set to learn-always for new SERVICES
ADDED: Backwards compatibility with KeyTalk clients 5.5.x and beyond

server-6.0.0BETA (17 February 2021)
------------------------------------
CHANGED: Use Ubuntu 20.04.2 as a base system
CHANGED: Use TLS 1.3 by default to access KeyTalk server REST API endpoints
CHANGED: Use TLS 1.3 by default to access KeyTalk Web Management interface
CHANGED: Use TLS 1.3 by default for remote MySQL server connections
CHANGED: Temporarily dropped support for Microsoft CA source
ADDED: Import settings from another KeyTalk server (such as KeyTalk 5)

---------------------------------------------------------------------------------
---------------------------------------------------------------------------------
---------------------------------------------------------------------------------

server-5.8.14 (17 February 2021) : EOL, KeyTalk CKMS support provided until 17 Feb 2022
---------------------------------------------------------------------------------------
ADDED: Archive and unarchive DevID users
CHANGED: Do not revoke historic certificates when revoking DevID user certificates
CHANGED: Disallow enrolling and re-issuing certificates for archived users

server-5.8.13 (05 February 2021)
------------------------------
FIXED: Do not require organization ID for enrolling DigiCert CertCentral S/MIME class 1 certificates
ADDED: Mass re-issue certificates for DevID users
ADDED: Allow to mass re-issue certificates to users with a certificate issued to a specific CA only
ADDED: Query KeyTalk server version via Public API as of v1.6
ADDED: Request KeyTalk settings via Admin API as of v1.2
FIXED: Use existing DevID slot when re-issuing certificates

server-5.8.12 (25 January 2021)
------------------------------
ADDED: Synchronous enrolling and re-issue of DigiCert PKI Platform and DigiCert CertCentral certificates
ADDED: Synchronous re-issue for GlobalSign ePKI certificates

server-5.8.11 (18 December 2020)
------------------------------
FIXED: Azure AD attribute mapping resulted in NULL value when mapped attribute had no value
ADDED: ServiceUseClientOsLogonUser/Machine settings are now supported through master.ini when at least 1 config file setting does not allow for overwrite
ADDED: Allow re-issuing GlobalSign mSSL certificates via Web Portal (client 5.8.11 is required to periodically check if a reissued cert is available prior to being revoked)
CHANGED: Removed the possibility to import GlobalSign orders into KeyTalk using an export file from the GCC UI

server-5.8.10 (23 November 2020)
------------------------------
CHANGED: Updated Kerberos client library to version 1.15 featuring support for contemporary AES encryption with SHA256

server-5.8.9 (13 November 2020)
------------------------------
ADDED: Azure AD attribute to certificate mapping

server-5.8.8 (03 November 2020)
------------------------------
ADDED: Check KeyTalk account login client certificate for revocation against known DevID user certificates
CHANGED: Do not automatically search DevID user certificates or DevID user CSRs when opening these pages
CHANGED: TRUSTZONE CA Source product names

server-5.8.7 (21 October 2020)
------------------------------
ADDED: Configure Intune MDM userPrincipalName independent of AD/AAD binding
ADDED: Enrollment of GlobalSign Domain Validated (DV) SSL certificates via webportal and Windows client
CHANGED: Improved detailed certificate status on the certificate report page
CHANGED: Improve automatic application (append) of Disclaimer to (existing) Signature for Outlook versions supported by the KeyTalk client
FIXED: Fail stop of CAD and Trusted Mobile SSL page

server-5.8.6 (01 October 2020)
------------------------------
ADDED: Try to use userPrincipalName from AD/LDAP when pushing a certificate to Intune
CHANGED: Centralized administration of CN for DevID users linked to InternalDb

server-5.8.5 (15 September 2020)
------------------------------
ADDED: Notify on changed license by email/SMS when SMTP/SMS-gateway has been configured
ADDED: Show certificate revocation status on the certificate report page
FIXED: Prevent automatic revoking of KeyTalk private CAs having CDP enabled
FIXED: Mixed up 'Key Generation/Storage Location' and 'Key Function/Type/Length' certificate&key meta fields

server-5.8.4 (04 September 2020)
------------------------------
ADDED: When SMTP/SMS-gateway has been configured, and accounts have email and mobile numbers assigned, a 'KeyTalk license has expired' warning is sent by email and/or SMS to SysAdmin, ClusterAdmin, and NetworkAdmin
ADDED: When SMTP/SMS-gateway has been configured, and accounts have email and mobile numbers assigned, a 'KeyTalk license is about to expire within 1 month' warning is sent by email and/or SMS to SysAdmin, ClusterAdmin, and NetworkAdmin
ADDED: When SMTP/SMS-gateway has been configured, and accounts have email and mobile numbers assigned, a 'KeyTalk license has reached its maximum threshold' warning is sent by email and/or SMS to SysAdmin, ClusterAdmin, and NetworkAdmin
ADDED: When SMTP/SMS-gateway has been configured, and accounts have email and mobile numbers assigned, a 'KeyTalk license has reached 95% of its maximum' warning is sent by email and/or SMS to SysAdmin, ClusterAdmin, and NetworkAdmin

server-5.8.3 (01 September 2020)
------------------------------
ADDED: UPN support in SAN

server-5.8.2 (23 August 2020)
------------------------------
ADDED: Allow marking extensions of end-point certificates as critical
ADDED: Automatically resolve GlobalSign GCC domain ID from domain found in CSR when not supplied

server-5.8.1 (23 July 2020)
------------------------------
ADDED: Option to define AIA signing CA location in the KeyTalk private CA

server-5.8.0 (16 July 2020)
------------------------------
ADDED: Support for Utimaco HSM
ADDED: Support for Utimaco Cloud HSM
ADDED: Allow service admins and operators to create a KeyTalk owner of a certificate metadata or bind to an existing owner
ADDED: Allow searching DevID users by certificate CN, serial number and SAN
CHANGED: Various label names got changed to better reflect their purpose
CHANGED: Order certificate report by expiry date
CHANGED: Moved license menu item to system sub menu
REMOVED: RCCD menu item, leaving the SERVICES menu to build config files

server-5.7.10 (18 June 2020)
------------------------------
ADDED: Custom Ubuntu update location
FIXED: CA-trust-chain CDP local/SSH-remote-server configuration
FIXED: Activated UI element for certificate report search expiry date from-to
FIXED: Activated UI element for certificate report search certificate owner
FIXED: Applied correct CRL signing key
FIXED: Expiry date table label description for certificate report

server-5.7.9 (05 June 2020)
------------------------------
ADDED: Option on a SERVICE template level to warn on 30/15/7/6/5/4/3/2/1/0 days before expiry on issued certificates
ADDED: Allow adding DevID user from the Certificates Report page
ADDED: Allow adding and configuring DevID users from the Internal Db page
ADDED: Allow generating meta key material on
spot ADDED: Allow specifying a custom key size for meta private key generation ADDED: Allow configuring whether service admins and operators should be notified on certificate expiration ADDED: Allow configuring certificate subject for Internal Db users ADDED: Pagination to DevID cert&key report ADDED: Allow downloading certificate and key form the report page ADDED: Allow exporting certificate report to CSV ADDED: Allow archiving certificate and keys, the archived entires are not included in the certificate report CHANGED: Allow service operators to manipulate Internal Db users CHANGED: Merge together DevID user CSR&privkeys meant for HVCA and for DevID user meta data CHANGED: Take into account stored meta CSR when mass importing certificates CHANGED: Allow service admins and operators create meta owners CHANGED: Show metadata warning threshold as date iso the number of days CHANGED: Immediately publish CRL on saving SERVICE without waiting for the background job to kick in CHANGED: Allow Intune to be configured for all services CHANGED: Report meta data applies to all certificates in DEVID. server-5.7.8 (12 May 2020) ------------------------------ ADDED: Microsoft Intune PKCS MDM support server-5.7.7 (30 April 2020) ------------------------------ CHANGED: Report meta data applies to all certificates in DEVID. 
CHANGED: The report allows clicking on a certificate entry and immediately be taken to its DEVID USERS page
CHANGED: Meta data is editable from DEVID USER page
CHANGED: Each DEVID USER has metadata associated with him
CHANGED: Mass import certificates and keys from a single interface
CHANGED: Import of individual certificates and keys from a single interface
CHANGED: Store meta CSRs in the Db

server-5.7.6 (17 April 2020)
------------------------------
ADDED: Non-graph-based reporting on managed certificates
ADDED: Option for certificate templates to not be tied to a CA-source, thus enforcing manual processing
ADDED: Manual processing of certificates, whereby KeyTalk CKMS solely acts as a notification platform.
ADDED: Generate key for a manually processed certificate
ADDED: Download key for a manually processed certificate using 4-eye principle
ADDED: Generate CSR for a manually processed certificate
ADDED: P7B format support
ADDED: Allow managing and tracking imported certificates (and keys)
ADDED: Enabled importing of certificates and related administrative meta data (classification, renewal date, certificate owner, etc)
ADDED: Ability to free-form translate meta data columns for reporting purposes
ADDED: Allow supplying a Trusted Mobile SSL certificate as PFX or PEM with a password-protected key
ADDED: Authorization role certificate/key "owner"
ADDED: Email and SMS notification upon about-to-expire to certificate/key owner
ADDED: Escalation policy in case of no action to required follow-ups by owner
ADDED: Email and SMS notification upon escalated about-to-expire to certificate/key owner and manager
ADDED: Email and SMS notification upon expired certificate/key to owner and manager
ADDED: Authorization role of owner
CHANGED: Updated mass importing of certificate-template-grouped end-point certificates to no longer require an index file unless additional meta data is required
CHANGED: Authorization roles other than Sys-Admin/Cluster-Admin contain an email and mobile number for notification purposes
FIXED: Duplicate notifications on GlobalSign certificate enrollment
FIXED: Slow search of certificate template end-points having huge number of certificates

server-5.7.5 (23 March 2020)
------------------------------
ADDED: Validation of configured textual Windows disclaimer email signature for Outlook for Windows

server-5.7.4 (16 March 2020)
------------------------------
ADDED: Configure Outlook 2010/2013/2016/2019/Office365 for textual Windows disclaimer email signature per KeyTalk service email template
ADDED: Support for multiple email domain textual Windows disclaimer email signature per KeyTalk service email template
FIXED: Duplicate notification emails on GlobalSign Atlas domain expiration

server-5.7.3 (09 March 2020)
------------------------------
ADDED: Allow adding multiple domains for vetting by GlobalSign Atlas High Volume CA from CSV file
ADDED: Add 'Subject Key Identifier' and 'Authority Key Identifier' based on SHA256 to all certs generated by KeyTalk to harden chain relationships
ADDED: When importing a DevID user certificate without a DevID username specified and having an empty subject CN, the SAN email will be used for DevID user name

server-5.7.2 (02 March 2020)
------------------------------
ADDED: Allow verifying domains against GlobalSign Atlas HVCA platform for vetting purposes
CHANGED: Factor out GlobalSign Atlas accounts to a separate page making vetting independent of certificate templates
CHANGED: Allow any domain to be used by private IntranetSSL GlobalSign GCC product for both CN and SAN

server-5.7.1 (17 February 2020)
------------------------------
ADDED: Allow blocking access to REST API on per-SERVICE basis
ADDED: Allow encrypting KeyTalk backup and Problem Report with AES-256-GCM
ADDED: Allow decrypting KeyTalk backup with AES-256-GCM
ADDED: Allow excluding shared settings, Db and HSM connection settings as well as KeyTalk certificate tree from backup
ADDED: HSM support for signing KeyTalk private CA CRL
ADDED: Support for wildcard CN/SAN in GlobalSign GCC mSSL products
ADDED: Support for wildcard CN/SAN in TRUSTZONE products
CHANGED: Problem reports got more compact
CHANGED: Sensitive info (passwords, keys) does not get logged anymore as part of DEBUG logging
CHANGED: Sensitive info (passwords, keys) is filtered out from a problem report even when in DEBUG mode

server-5.7.0 (29 January 2020)
------------------------------
ADDED: Administrator REST API to enroll certificates
ADDED: Administrator REST API certificate based authentication
ADDED: Allow an admin to load both Linux Chrystoki.conf and Windows crystoki.ini in Luna Network HSM configuration
ADDED: Allow an admin to set slots at the given position, when locked, to learn-always for all DevID users for the given service
ADDED: Specification of the Certificate Provisioning API to be implemented by CA providers in order to provision their certificate services to KeyTalk
ADDED: Utilize the KeyTalk server as a CRL Distribution Point by hosting the CRL locally on the KeyTalk server
ADDED: Show extra information on (non-)successful stored certificates to LDAP
CHANGED: Friendly name of user PFX/PEM certificate created by KeyTalk begins with subject CN value of the certificate
CHANGED: Set timeout for GlobalSign GCC API calls
FIXED: Email validation to allow e.g. top-level domains longer than 4 characters (user@my.domain)
FIXED: Lax validation of a client certificate by the webserver allowing any CA in the issuer chain iso only the immediate issuer CA

server-5.6.13 (18 December 2019)
------------------------------
ADDED: Support for SafeNet Luna Network HSM v7
ADDED: Support for SafeNet Luna Network Cloud HSM / Data Protection on Demand (DPoD)
ADDED: Admin username-password authenticated REST-API to revoke certificates
ADDED: Client certificate based authenticated REST-API to revoke certificates
ADDED: Allow revoking end-user certs issued by KeyTalk Signing CA from KeyTalk application server using KeyTalk CRL (beta)
ADDED: SSH remote CDP hourly upload
CHANGED: Allow using individual HSM configuration for each KeyTalk internal CA

server-5.6.12 (29 November 2019)
------------------------------
ADDED: Allow regenerating communication and webui cert/key when signing key is stored on HSM
ADDED: Azure AD authentication module for username/password and OAuth support
FIXED: Fw upgrade does not propagate the upgrade to other servers in a cluster

server-5.6.11 (25 November 2019)
------------------------------
CHANGED: Cancel GlobalSign GCC certificate orders younger than 7 days iso revoking them to regain licenses back for these orders
FIXED: Format MobileIron Core URL special characters

server-5.6.10 (13 November 2019)
------------------------------
ADDED: GlobalSign's Atlas High Volume CA platform support for S/MIME issuance
CHANGED: Active Directory attribute to Certificate SAN mapping to reflect multiple attribute values for SAN DNS, IP and Mail entries
REMOVED: Default SAN entries from certificate SERVICE template

server-5.6.9 (08 November 2019)
------------------------------
ADDED: Allow (re-)submitting Certificate and Key to MobileIron for certificate template based enrolled users (DevID users)
ADDED: Allow specifying Certificate Enrolment Configuration ID for MobileIron Mobile Device Management

server-5.6.8 (31 October 2019)
------------------------------
FIXED: ERR_SSL_DECRYPT_ERROR_ALERT when switching between client cert-protected KeyTalk accounts in a browser
ADDED: Add MobileIron upload to certificate import calls

server-5.6.7 (22 October 2019)
------------------------------
FIXED: The missing manual user creation for DEVID USERS

server-5.6.6 (21 October 2019)
------------------------------
ADDED: BETA functionality release: Allow issuing of GlobalSign S/MIME certificates having multiple emails in SAN (semi-manual)
ADDED: BETA functionality release: Store certificates to Mobile Iron MDM only store & revoke

server-5.6.5 (1 October 2019)
------------------------------
ADDED: KeyTalk private/internal Certificate Authority tree can be managed by and stored on SafeNet Luna HSM using PKCS#11
ADDED: MySQL encryption key can be managed by and stored on SafeNet Luna HSM using PKCS#11
ADDED: Added Machine Certificate issuance with and without authentication to the KeyTalk Internal DB
ADDED: Added Machine Certificate revocation when machine name changed

server-5.6.4 (19 September 2019)
------------------------------
FIXED: Correct logging of binary data
FIXED: Allow importing of certificates with empty CN, except for the internal KeyTalk CA tree
CHANGED: Require an extra interaction from an S/MIME recipient when downloading his certificate in order to deal with email scanners

server-5.6.3 (3 September 2019)
------------------------------
ADDED: Add ComputerName as DNS value to SAN as an option when using AD as the authentication source.
server-5.6.2 (22 August 2019)
------------------------------
FIXED: Reduce strictness when writing to LDAP concerning S/MIME to allow for Encryption-only S/MIME certificates

server-5.6.1 (12 August 2019)
------------------------------
ADDED: Allow (mass) import of existing certificates from any CA-source for target end-points for management purposes
ADDED: Allow (mass) import of existing certificates and private-key from any CA-source for target end-points for management purposes
ADDED: Support multiple client login CA sources for certificate based management access and self service portal access
ADDED: Allow mass downloading DevID users' certificates without private keys
ADDED: Downloaded certificate files will now contain the CN value of the downloaded certificate
ADDED: Additional CN options for LDAP Auth module, enabling user machine certificate support based on user AD authentication
CHANGED: Disallow service operators from accessing authentication modules
CHANGED: Disallow service operators from mass importing/exporting DevID users
CHANGED: Strip the part of CN after '@' symbol for certificates requested via QuoVadis to comply with the CA/Browser Forum requirements

server-5.6.0 (30 July 2019)
------------------------------
ADDED: Production and staging profiles for QuoVadis CA source
ADDED: Allow admins to optionally include trust CA chain into the downloaded DevID user certificate
CHANGED: The uploaded QuoVadis signing certificate and key is expected to be in Pfx format iso PEM
FIXED: Respect SAN passed from KeyTalk authentication module to GlobalSign mSSL products

5.5.10 (04 July 2019)
----------------------------
ADDED: QuoVadis DigiCert TLDEV S/MIME certificate issuance support for company-based personal certificates
ADDED: QuoVadis DigiCert TLDEV S/MIME certificate issuance support for solely third party email certificates
ADDED: PFX and PEM download for KeyTalk Management roles
ADDED: Option to configure Outlook for Windows with S/MIME encryption and signing
CHANGED: Third party certificate request/issuance requires the order to come from either a Management role or the self service portal
CHANGED: Defaulted support for multi-user Windows systems when creating KeyTalk client configuration file
CHANGED: Increase the size of serial number for KeyTalk-generated certificates from 64 bit to 128 bit
CHANGED: Phased out support for KeyTalk 4 backup import into KeyTalk 5
CHANGED: Phased out support for legacy KeyTalk communication protocol as used by older KeyTalk 4 clients
FIXED: Self Service Portal third party order status refresh

5.5.9 (15 July 2019)
----------------------------
ADDED: Allow querying the type of the certificate store to place the certificate using public API v1.3.0 and/or KT client 5.5.9
FIXED: Unable to import KeyTalk settings created from Amazon MySQL Db

5.5.8 (07 July 2019)
----------------------------
- FIXED: MySQL client no longer also requires TLS 1.0

5.5.7 (29 May 2019)
----------------------------
- FIXED: Failed LDAP search for DN on AD environments (similar to https://support.microfocus.com/kb/doc.php?id=7021021#)
- CHANGED: Server-side enrollment follows the same procedure (checks, slots update) as a regular enrollment triggered client-side
- CHANGED shared Db schema version 11.0 -> 12.0

5.5.6 (19 May 2019)
----------------------------
- ADDED: Full client REST-API over TLS 1.2 using (Q)TCSP certificates

5.5.5 (16 May 2019)
----------------------------
- ADDED: Update remote MySQL schema option if it is out-of-sync due to the KeyTalk virtual appliance getting a firmware upgrade while not being connected to the remote MySQL Db

5.5.4 (10 May 2019)
----------------------------
- ADDED: Warn an admin when at least one service is configured with a 3rd party CA, and no NTP is enabled
- ADDED: Allow downloading, when authorized, all historical certificates of a given type issued to an end-point
- ADDED: Mirror non-HTTPS KeyTalk REST API endpoints to HTTPS secured by known trusted CA (Apple device requirement)
- FIXED: Provided content to previously empty notification email templates after upgrading to 5.5.3
- FIXED: Store to LDAP Button no longer shows when there are no valid certificates to store

5.5.3 (17 April 2019)
----------------------------
- ADDED: Allow specifying subject in S/MIME notification email templates
- ADDED: Allow uploading multiple DER and PEM certs for auth. modules and for the client login CA
- ADDED: Notify a requestor and a recipient of GlobalSign PS1 S/MIME certificate about placed and pending orders
- ADDED: Notify a requestor of GlobalSign PS1 S/MIME certificate about declined orders
- ADDED: Allow using coupon code for GlobalSign PS1 orders
- ADDED: Allow using campaign code for GlobalSign mSSL and Personal Sign 1 product orders
- ADDED: Allow issuing GlobalSign IntranetSSL certificates for private domains, i.e. not restricted by domain-id
- ADDED: Show submitted request status on self-service S/MIME certificate request page
- ADDED: Enable KeyTalk client to automatically set Address Book to Outlook for Windows
- CHANGED: Disallow PR generation by service admin, service operator and self-service
- CHANGED: Split self-service page into slot management page and S/MIME certificate request page
- CHANGED: Use email coming from SAN overwrites of internal modules in the subject of the generated GlobalSign ePKI cert

5.5.2 (13 March 2019)
----------------------------
- ADDED: Added DevID CN to be used for matching CN of client cert for self-service logins and as CN attribute in generated certs (KEYTALK-514)
- ADDED: Allow querying public IP address of KeyTalk server
- ADDED: Disallow service operators from mass-enrolling and mass-revoking/removing user certificates

5.5.1 (22 February 2019)
----------------------------
- ADDED: Allow ordering GlobalSign Personal Sign 1 (PS1) certificates
- ADDED: Allow for alternative validation CA for client-certificate logins to KeyTalk
- CHANGED: Move the template messages per service to the NOTIFICATION tab
- CHANGED: Move SMS & SMTP tab from System to Notifications
- CHANGED: Disallow self-service logins as well as enrolling S/MIME certificates for 3rd party S/MIME certificate recipient services

5.5.0 (18 January 2019)
----------------------------
- ADDED: TRUSTZONE (https://www.trustzone.com/) CA provider
- ADDED: Option to enforce SMS password on mail cert when allowing requesting of cert for 3rd parties
- ADDED: REST API to check availability of S/MIME certificate enrolment for 3rd parties
- ADDED: REST API for self-service to enroll S/MIME certificates for 3rd parties
- ADDED: Extend HWSIG with random number to support hardware footprint uniqueness in virtual environments (Windows, Linux)
- ADDED: Allow using coupon code for GlobalSign mSSL orders
- ADDED: Add SERVICE-level flag instructing KeyTalk Windows app to install the received cert (and keypair) to the machine certificate store
- ADDED: Allow the certificate validity replacement threshold "certificate validity percentage" additionally in absolute time
- ADDED: Pre-check max length of subject attributes before generating a certificate
- CHANGED: Force GlobalSign profile to GCC "production" platform

5.4.2 (12 December 2018)
----------------------------
- ADDED: Provide external (non-KeyTalk) users with S/MIME certificates from a selected CS Source
- ADDED: Enable manual enforce storing certificate to LDAP using the Web admin interface
- CHANGED: Automate removing revoked certificate from LDAP using the Web admin interface
- ADDED: Allow admin to specify DN of LDAP Address Book on the Web admin interface
- CHANGED: Tolerate errors storing certificate to LDAP (and/or address book) without affecting end-user
- CHANGED: Set friendly name of the generated certificate to blank iso filling it with a username
- CHANGED: Certificate TFC (time-for-correction) cannot be configured by an admin any more. Always set to -3600 seconds.
- FIXED: More robust and flexible writing of address book to LDAP/AD

5.4.1 (02 November 2018)
----------------------------
- ADDED: REST API authentication connector
- ADDED: Cluster administrator role
- CHANGED: Try storing S/MIME certificate to LDAP as a real user first, falling back upon failure to the LDAP service user if one is defined
- FIXED: Do not renew GlobalSign orders expired more than 7 days ago given updated GlobalSign policy

5.4.0 (16 October 2018)
----------------------------
Support upgrades from v5.2.1 and higher
Support import of settings created in v5.2.0-v5.3.3, v4.6.0 and v4.6.2
- ADDED: Allow using OS logon username as KeyTalk client username
- ADDED: Add Bcrypt support for MySQL authentication connector
- ADDED: Try renewing GlobalSign mSSL order iso requesting a new one whenever possible
- ADDED: Optionally force a reboot of the server 1 day after a reboot becomes pending as a result of installed updates
- FIXED: The just enrolled certificate does not show up on WebUI because validity margin for cert. reuse is not satisfied

5.3.3 (13 September 2018)
----------------------------
Support upgrades from v5.2.1 and higher
Support import of settings created in v5.2.0-v5.3.2p2, v4.6.0 and v4.6.2
- ADDED: Kerberos (Windows domain) authentication support
- FIXED: User-certificate pre-enrollment now respects certificate mappings defined for LDAP/AD and MySQL Db
- FIXED: User-certificate pre-enrollment now stores the generated (SMIME) cert to the LDAP/AD
- CHANGED shared Db schema: version 3.1 -> 3.2

5.3.2.p2 (17 August 2018)
----------------------------
Support upgrades from v5.2.1 and higher
Support import of settings created in v5.2.0-v5.3.2, v4.6.0 and v4.6.2
- ADDED: Machine certificate issuance from GlobalSign (when the CN is an email address, or the mail attribute mapping in KeyTalk fetches an email address, an S/MIME certificate is issued; when no mail address is available, a machine certificate is issued.)
5.3.2.p1 (24 July 2018)
----------------------------
Support upgrades from v5.2.1 and higher
Support import of settings created in v5.2.0-v5.3.2, v4.6.0 and v4.6.2
- FIXED: Key-roll-over on a user account level instead of on a user device level

5.3.2 (6 July 2018)
----------------------------
Support upgrades from v5.2.1 and higher
Support import of settings created in v5.2.0-v5.3.2, v4.6.0 and v4.6.2
- ADDED: Support TPM 2.0 by Windows client
- ADDED: Support for storing certificate data to AltSecurityIdentities
- ADDED: REST API to check self-service is enabled for the given account
- ADDED: REST API to retrieve address books
- ADDED: End-user mass-certificate pre-enrollment via DevID import
- ADDED: Revocation support
- FIXED: More robust custom routes configuration
- FIXED: Logging stalls sometimes as a result of log rotation
- CHANGED shared Db schema: version 3.0 -> 3.1

5.3.1 (29 May 2018)
----------------------------------------
- ADDED: HTTP Proxy support
- ADDED: AES 256 based certificate and key roll-over encryption
- ADDED: Retrieving Signing CA chain from the server using CA REST API
- CHANGED: KeyTalk REST API updated to version 2.2.0
- FIXED: Dual NIC KeyTalk firmware upgrade bug

5.3.0 (14 May 2018) intermediate release
----------------------------------------
- FIXED: KeyTalk server runs out of disk space due to Ubuntu bug
- FIXED: Error connecting with KeyTalk Windows 7 client by IP
- FIXED: Improve robustness of server Problem Report generation
- FIXED: Excessive server logging results in huge PR file
- ADDED: Allow any MS CA as 3rd party certificate provider using NDES
- ADDED: Add ePKI S/MIME GlobalSign as 3rd party certificate provider
- ADDED: Store issued S/MIME certificate to AD and OpenLDAP (userCertificate field)
- ADDED: Store S/MIME to a separate LDAP Address Book server (add an extra LDAP server as addressbook only)
- ADDED: Allow reusing a previously issued user certificate on multiple user devices on the same account, i.e. key and certificate roll-over
- ADDED: Added service admin role to manage KeyTalk via the web admin panel
- ADDED: Added first iteration of web-based user self-service portal to manage devices via the KeyTalk web admin panel (requires client certificate authentication!)
- ADDED: 4-eye principle to allow a service operator to download certificate and key with approval of Service Admin or Sys Admin
- ADDED: REST-API: Allow RCDP caller to request a certificate download URL iso certificate BLOB for Apple support
- ADDED: Added client certificate authentication against MySQL connector Db
- CHANGED: Reduced max validity for GlobalSign Organization SSL certificates from 36 to 24 months due to GlobalSign policy change
- CHANGED: Add HwSig check for MySQL connector
- CHANGED: Always use KeyTalk DevID component to store and check HWSIG
- CHANGED: Flexible hashing of the MySQL credentials
- CHANGED: Flexible MySQL Db field mapping for MySQL user table
- CHANGED: Log rotation configuration moved from /etc/logrotate.d/keytalk-* to /etc/keytalk/logrotate.conf and is triggered hourly iso daily

5.2.3 (07 December 2017)
------------------------
- ADDED Allow logins to Web admin panel with client certificates
- ADDED Auditor, network admin and service operator roles to manage KeyTalk via Web admin panel
- ADDED Open the originally requested URL after logging in to the web admin panel
- CHANGED Dropped support for http proxy in RCCD ini files
- FIXED Do not show warning on the Web admin panel when the default gateway is not pingable
- FIXED Certificate generation error caused by ill-placed GlobalSign validation

5.2.2 (13 August 2017)
----------------------
- ADDED Add support for ePKI GlobalSign PersonalSign product
- ADDED Add support for IntranetSSL GlobalSign product
- ADDED Automatically install system updates and notify admin if reboot required
- ADDED Diagnose the absence of Internet connectivity and communicate it via the admin panel UI
- ADDED Networking update script for initial enrolment
- CHANGED Ceased to support RSA keys smaller than 2048 bit until a business case requires 1024 bit to be added again
- FIXED Effectuate saved nameservers immediately without a need for reboot
- FIXED Improve usability of nameserver management on the admin panel UI
- FIXED Improve performance of querying KeyTalk service from the admin panel UI
Known issues:
- Service-wide GlobalSign SAN configuration is not preserved (emptied) after upgrade and after loading settings from previous versions
- False positives (visual only) on KeyTalk internet connectivity when ping is blocked

5.2.1 (3 July 2017)
-------------------
- ADDED Allow importing KeyTalk server VM in HyperV and Azure environments (VHD format)
- ADDED Show KeyTalk version and IP address for console pre-login welcome message
- ADDED /usr/local/bin/keytalk/netconf tool to setup network interfaces
- FIXED MySQL SSL connection establishment inconsistency

5.2.0 (15 June 2017)
--------------------
- FIXED Parse version with empty devstage
- ADDED Disallow multiple fw upgrades and settings load to run in parallel
- ADDED Show the latest fw upgrade status on the main page of the Web admin panel
- ADDED Make SAN field obligatory when generating client-server and WebUI certificates on admin Web panel
- ADDED Allow generating 8192-bit RSA CAs from KeyTalk webadmin panel
- CHANGED Changed network interface name from 'ens33' set by Ubuntu 16 by default to the traditional 'eth0' to support Azure/Hyper-V

5.1.0 (6 June 2017)
-------------------
- FIXED Ill-formed HTTP response (not closed) was returned to WebUI admin just before restarting webserver
- FIXED Use ISO 3166-1 alpha-2 for country codes used for certificate generation
- FIXED Set default VM name during import to "KeyTalk 5"
- FIXED Updated WebUI tooltips
- FIXED Set server timezone to UTC
- CHANGED Set HWSIG for KeyTalk server to 20GB disk, 4 GB RAM and 2 CPUs
- CHANGED Removing service from admin Web panel causes automatic removal of the associated authentication connectors and DevID users
- CHANGED Removed server-server certificate and key from KeyTalk server certificate tree (HSM communication will then need to be uploaded by an admin)
- ADDED Allow configuring SAN for SQLITE authentication modules that will have preference over the service-wide SAN (ported from 4.6.2)
- ADDED Extended HWSIG codes with a random value generated during app installation (included by default)
- ADDED Allow selective download of certificate and/or key from cert&keys page of the Web admin panel
- ADDED Allow downloading certificates in DER format from cert&keys page of the Web admin panel
- ADDED Allow import of 4.6.2 settings incl. GlobalSign configuration and mod_sqlite SAN setting
- ADDED Allow regenerating client-server communication cert/key and WebUI cert/key from WebUI admin panel
- ADDED Create server firmware for multiple profiles
- ADDED Display user-friendly error messages for Db-related errors on the Web admin panel
- ADDED Allow KeyTalk server cluster member to automatically discover fw upgrade in the Db and install it

5.0.0 (2 May 2017)
-------------------
- CHANGED Migrated KeyTalk server from BSD to Linux
- CHANGED Merged DevID into KeyTalk server
- FIXED WebUI page is not automatically reloaded in Chrome
- ADDED Allow to use GlobalSign for certificate creation
- ADDED Included installed KeyTalk CAs into the client-side problem reports

--------------------------------------------------
--------------------------------------------------
End of life KeyTalk 4.6.x per 19-May-2018

Known issues KeyTalk 4.x :
- KeyTalk OVF results in a warning on VMware ESX(i) that the OS is unknown, due to OpenBSD being supported under "other Linux". This will not cause any issues.

Important!!:
- When running KeyTalk 4.x/DevID 1.x in High Availability on VMware, you must set promiscuous mode on the virtual switch within VMware. This is currently the only way VMware allows the use of CARP/Virtual IPs, which is used to allow for HA within KeyTalk and DevID. However, promiscuous mode may have a significant security impact affecting your non-secure traffic. We strongly advise to run the KeyTalk virtual appliance on VMware in its own VLAN when using HA.

4.6.2 (11 May 2017)
----------------------------
- ADDED internal authentication Db SAN matching support for any connected Certificate Authority
- ADDED GlobalSign EVSSL certificate support based on the GlobalSign GCC environment

4.6.1 (2 December 2016)
----------------------------
- ADDED SOAP API Support
- ADDED GlobalSign mSSL API UI interfacing

4.6.0 (16 June 2016)
----------------------------
- ADDED New RESTful client-server protocol RCDPv2
- FIXED Improved usability when CA tree generation from WebUI takes a long time
- FIXED Blocking behavior of SSL/XML-RPC calls caused incorrect synchronization within a CARP redundancy cluster
- FIXED Disallow positive TFC for server service configuration

4.4.4
----------------------------
- NOTE After upgrading to 4.4.4 your logfile configuration will be reset due to newly added features
- ADDED MySQL support as of v5.7 due to secure TLS support
- ADDED integrated KeyTalk Real Client Configuration Data (RCCD) config file generation. Still requires signing on the KeyTalk partner portal.
- ADDED logfile timestamps for both UTC and corrected local time
- ADDED extended logging for LDAP support
- ADDED simultaneous local and remote logging
- CHANGED Default CA to use SHA2

4.4.3
----------------------------
- ADDED HSM support (tested on OpenHSM and SafeNet Luna)
- ADDED option to extend DNS entries beyond 5 lines
- ADDED BackEnd authentication API DevID link support
- UPDATED to latest LibreSSL libraries (hardened)
- UPDATED BlackBerry 10 hardware component recognition

4.4.2
----------------------------
- ADDED CRL support in KeyTalk issued short lived certificates for those customers whose target application expects a CRL reference
- ADDED Allow for KeyTalk advanced constraint certificate extensions
- ADDED possibility to block HWSIG made from zero-HWSIG formula
- ADDED "backup certificates for DevID" on certificates WebUI page
- ADDED Allow changing order of LDAP and RADIUS servers on KT WebUI
- ADDED Host ssh public keys HWSIG component for Linux clients

4.4.1
----------------------------
- FIXED Disabled SSL3 on the webserver to protect from POODLE attacks (CVE-2014-3566) on the management interface

4.4.0
---------------------------
- FIXED Hardware ID registration in auto-learn mode for DevID purposes
- ADDED Logout button
- ADDED future option for multi-admin login and delegated authorization
- ADDED enhanced comm protocol security
- ADDED new license model option: license per certificate transaction

4.3.3p
---------------------------
- FIXED the Heartbleed bug on the management interface
  Note: only the management interface was affected, the actual secure certificate distribution mechanism was never compromised

4.3.3
---------------------------
- FIXED Saving Local DNS Lookup Database settings will empty Name Server list
- FIXED Improved client-server crypto
- FIXED updated HTTP Server Version
- FIXED Upgrade OpenBSD 5.0 -> 5.3 on KeyTalk server
- FIXED Restart CAD whenever a relevant cert/key gets uploaded, restored or generated
- FIXED Cannot change AD password with KeyTalk client when username formed as user@domain
- FIXED Country value is lost when configuring certificate tree generation page
- ADDED SHA2 hashing for both CA tree generation and client certificate generation
- ADDED option to split username to the CN certificate field on the @ symbol in the username
- ADDED option to require that the AD/LDAP password cannot be blank, in cases where AD/LDAP allows for anonymous authentication

4.3.2
---------------------------
- FIXED Client-server protocol does not correctly handle credentials containing some non-ASCII characters
- FIXED Allow WebUI to be started without IPv6
- FIXED Management interface does not start when no connectivity for external interface is available
- FIXED Displaying bind password on KeyTalk LDAP Auth module page no longer possible
- ADDED Full support for RADIUS SecurID protocol
- ADDED Allow changing hostname from WebUI
- ADDED Allow editing local DNS Db from WebUI
- ADDED Both-side client-server RCDP version negotiation
- CHANGED Only link-local IPv6 are included in default image

4.3.1.production
- FIXED OVF version now supports SCSI
- ADDED User must change password upon next logon for Active Directory

4.3.0.production
---------------------------
- FIXED Misleading losing of focus by IE client
- ADDED Download package KeyTalk configuration
- ADDED Client compatibility Windows server 2003/2008/2012
- CHANGED Rebranding KeyMaster Client to KeyTalk
- CHANGED Rebranding KeyMaster Client tools to KeyTalk
- CHANGED Rebranding KeyMaster Server to KeyTalk

4.3.0.a1
---------------------------
- FIXED Opening ntp server page redirects to home when browsing with Google Chrome browser
- FIXED More descriptive error needed on WebUI when the imported license is signed with incorrect cert
- FIXED No way to select user during first phase of CR authentication
- ADDED Virtualize KT server to run on VMware
- ADDED Replicate more state between redundant RESEPT Servers in HA setup
- ADDED possibility to make binary
backendauthd release - ADDED Add wmic bios get serialnumber to the list of Windows desktop client HWID components - ADDED Password expiration support for LDAP/AD - ADDED KM Client shall support Windows 8 - ADDED DEVID reference to user-known device identity - ADDED KeyMaster client LDAP/AD password change support - ADDED Support for RADIUS CR and OTP authentication including EAP-TTLS, PEAP, EAP-MD5, LEAP, EAP-MSCHAPv2, EAP-GTC, EAP-TLS, SIM/AKA and OTP - CHANGED Question mark in URL doesn't trigger RESEPT Client 4.2.0.p2 --------------------------- - CHANGED Changed default application and installer logos to KeyTalk 4.2.0.p1 --------------------------- - FIXED Error when restoring configuration 4.2.0 --------------------------- - ADDED Production license keys. Delivery package now can be made in 2 variants: with production (default) or demo license keys 4.2.0.b3 --------------------------- - FIXED It was possible to install RESEPT Client 4.2 on top of the already installed client version 4.3+ which resulted in corrupted installation since both products installed side-by-side 4.2.0.b1 --------------------------- - FIXED Error changing provider in multi-provider setup - CHANGED Question mark in URL doesn't trigger RESEPT Client 4.2.0.b1 --------------------------- - CHANGED Ported HA mechanism from DEVID to RESEPT Server 4.2.0.a1 --------------------------- - FIXED Ambiguity with LDAP bind errors caused by invalid DN - FIXED LDAP secure connection failing for AD - ADDED Advanced logged in users information - ADDED Client message to user on successful login - ADDED Add admin GUI action confirmation button - ADDED A possibility to do key ceremony via WebUI - ADDED button to remove 10% of the oldest logged-in users to WebUI - ADDED Show RESEPT Version on RESEPT Client - ADDED Suppport for wildcarded subdomains in service URL - ADDED Check for DNS validity - ADDED Allow for per-NIC gateway configuration - ADDED Web-partner interface for RCCD & license file creation - 
CHANGED Descriptive names of cert/key files - CHANGED Make more specific names for files downloaded from RESEPT Server to easier identifying them by an admin - CHANGED BHO doesn't check service of certificates, just the provider 4.1.0 --------------------------- - ADDED Possibility to upgrade the system by uploading the image to the server - ADDED WebUI->main statistics on logged-in users