ManageEngine Key Manager Plus - Release Notes

Key Manager Plus Release 5800 (August 2019)

New features 

  • Integration with DigiCert SSL: Key Manager Plus brings forth integration with DigiCert—leading provider of TLS/SSL, IoT and various other PKI solutions—enabling users to request, acquire, create, deploy, renew and automate the end-to-end management of SSL/TLS certificates issued by DigiCert, all directly from Key Manager Plus' web interface.
  • CSR templates: Key Manager Plus now allows users to create and use predefined templates for CSR (Certificate Signing Request) generation.
  • Users can now choose to exclude specific certificates from being added to Key Manager Plus repository when performing SSL discovery or during manual addition.
  • Key Manager Plus now supports creation and management of SSH keys using ECDSA and ED25519 key algorithms.
  • Key Manager Plus now supports RFC2136 DNS updates to complete domain control validation when acquiring certificates from public certificate authorities.


  • Key Manager Plus now includes provisions that allow users to sign CSRs (either using your internal Microsoft CA or a root certificate) as and when they are generated.
  • Key Manager Plus now supports file-based discovery for scheduled SSH and SSL discovery tasks.
  • A new dashboard widget that provides data about SSL configuration vulnerabilities has now been added.
  • Two new REST APIs have been added: REST API for SSL certificate addition and REST API for SSH key deletion

Key Manager Plus Release 5750 (May 2019)


SSL discovery

  • Agent based discovery:Key Manager Plus now supports agent based SSL discovery that allows administrators to discover and import certificates present across a network by installing one or more instances of agent software on target systems. The agent, which is available as a compressed package with all the necessary configurations in Key Manager Plus interface, once installed in the required end servers, performs certificate discovery and updates the certificate database in a timely manner.
  • Load balancer certificate discovery:Key Manager Plus now allows administrator users to discover and consolidate SSL certificates deployed to Linux based load balancers such as Nginx and F5 through a process tunneled via SSH.
  • When performing Certificate Store and MS CA discovery, administrators can now make use of Key Manager Plus service account credentials to login to target systems, using the dedicated option provided, without having to manually enter them.

SSL / TLS encryption for mail server configuration:Key Manager Plus now allows users to encrypt communication for email notifications sent from the application using the SSL / TLS option available in SMTP configuration settings.

Bug Fixes
  • Multiple server icon issue:Previously, when a certificate was deployed to two servers and then if one of the deployed servers was deleted, the "Multiple Servers" icon still continued to be enabled. This has now been fixed.
  • Previously, when discovering multiple certificates from a single resource, changing the DNS name of one of those certificates caused it to be reflected across all the discovered certificates. This has now been fixed.
  • Previously, when scheduled discovery operations failed (both SSH and SSL), the audit records were not updated correctly for a few cases. This has now been fixed.

Key Manager Plus Release 5710 (May 2019)


  • SSH and SSL Discovery:
    • Key Manager Plus now provides a subnet discovery option for both SSH and SSL discovery, allowing administrators to discover keys and certificates from specific subnetworks within an IP range.
    • Users can now choose to exclude specific IP addresses when performing bulk discovery from an IP address range.
  • Certificate Deployment:Key Manager Plus now provides an additional key based authentication functionality (apart from the conventional password authentication) which users can leverage to deploy certificates to password-less Linux end servers.
  • Besides Azure and Cloudflare DNS, Key Manager Plus now supports Amazon Route 53 DNS to complete the domain control validation procedure when acquiring certificates from public certificate authorities.
Bug Fixes
  • Previously, in the following scenarios—Microsoft Certificate Store discovery, server certificate upload and Radius server configuration (server secret field)—if the password entered contained special characters, a "harmful content" error was being thrown. This has now been fixed.
  • Previously, certificates that did not have a common name (the SAN name is taken as the common name by default in these cases) failed to update after running a scheduled discovery. This issue has now been fixed.
  • Previously, the 'Days' filter in the SSL Expiry Report failed to render correct results. This has now been fixed.

Key Manager Plus Release 5700 (April 2019)

New features / Enhancements

  • Integration with public certificate authorities: Key Manager Plus facilitates end-to-end life cycle management of certificates obtained from trusted certificate authorities (CAs) enabling users to request, consolidate, deploy, renew and track certificates issued by multiple commercial CAs from a single interface. This functionality powered through a seamless API integration with The SSL Store™—one of the largest platinum partners of world's leading CAs—provides users the option to acquire and manage certificates from the following third-party CAs directly from Key Manager Plus' web interface: Sectigo (formerly Comodo), Symantec, Thawte, Geotrust, and RapidSSL.
  • Audit notifications: Users can now choose to receive audit log notifications for various operations performed in Key Manager Plus. The alerts can be configured in the form of email notifications, or SNMP traps / Syslog messages to management systems within your network.
  • Key Manager Plus now provides users the option to update credentials for SSH resources in bulk, which is useful in cases where multiple resources operate with the same credentials.
Bug Fixes
  • Previously, the DNS based domain control validation procedure was unsuccessful for Let's Encrypt sub domain certificate requests. This has now been fixed.
  • Previously, those certificates that contained string parameter "WITH" (in this format, eg., SHA256WITHRSA) in the signature algorithm could not be classified as root certificates. This issue has now been fixed.
  • Previously, when pushing key files to users after key association, dissociation or editing authorized_keys file via SCP, there were issues with accessing the file post transfer due to file name issue. This has now been resolved by generating a random file name before transferring to the appropriate user accounts.
  • In Key Manager Plus build 5650, the global search for certificates based on common name and SAN failed to retrieve proper results. This has now been fixed.
  • Previously, the file-based discovery of SSL certificates failed for large file sizes (more than 50 thousand IP addresses). This has now been resolved.
  • Previously, there were issues with resetting the password for Key Manager Plus account (local authentication) using the "Forgot Password" option. This issue has now been fixed.

Key Manager Plus Release 5650 (Jan 2019)

New features

  • Failover service (FOS) with common MS SQL clusters: Key Manager Plus now provides administrator users the option to map redundant Key Manager Plus server instances to a common MS SQL cluster. Therefore, if one Key Manager Plus instance fails, the other instance(s) that are configured to the same database take over ensuring uninterrupted access to the application.
  • Let's Encrypt wildcard certificate management support: Users can now request, acquire and manage wildcard certificates issued by Let's Encrypt certificate authority from Key Manager Plus.
  • Administrators can now create scheduled tasks for discovering and importing certificates from Microsoft Certificate Store and certificates issued by Microsoft Certificate Authority.
  • Users can now import certificate signing requests (CSRs) generated outside Key Manager Plus, forward to trusted certificate authorities and track their statuses from Key Manager Plus.


  • Key Manager Plus now offers a more simplified workflow to establish connection with SSH resources that utilize password-less, key based authentication.
  • During resource deletion, users are now provided with the option to either dissociate or retain the SSH keys associated to the resource using Key Manager Plus. This option was not available in the earlier versions and the associated key was automatically dissociated.
  • Users now have the option to import certificate signing requests (CSRs) generated outside Key Manager Plus when placing GoDaddy certificate orders.
  • Key Manager Plus now provides users an additional option to export only the private key during CSR export.
Bug Fixes
  • Harmful content fix on non-English, Windows operating system: Previously, Key Manager Plus installed on non-English Windows operating system had traces of harmful content in schedule creation and audit records. This has now been fixed.
  • Previously, during SSH resource deletion, the SSH keys manually imported into Key Manager Plus and associated to specific user accounts from the application were supposed to be dissociated after the resource had been deleted. However, the keys remained associated to the user accounts even after resource deletion. This has been fixed and also, users can now choose to either dissociate or retain the associated keys (Refer enhancement 2).
  • Previously, when enumerating user accounts for resources that utilized password-less, key based connection establishment, the SSH keys in the user accounts were not discovered. This has now been fixed.
  • Previously, SSH key import was unsuccessful if the key passphrase contained special characters like '~', '?', '<' and '>'. This has now been fixed.

Key Manager Plus Release 5630 (Dec 2018)

New features / Enhancements

  • Key Manager Plus now supports SMTP server certificate discovery that allows administrators to exclusively discover and manage SSL certificates used by mail servers.
Bug Fix
  • Previously, when deploying SSL certificates to Microsoft Internet Information Services (IIS) server, the private key exported with the certificate was being corrupted on deployment. This has now been fixed.
  • Previously, administrators were unable to sign certificates with custom root CA if Subject Alternative Name (SAN) wasn't provided during CSR generation. This has now been fixed.

Security Fix

  • Previously, when performing template-based discovery of certificates issued by the Microsoft Certificate Authority (MS CA), the CA server's account credentials were being stored in clear text in the Key Manager Plus server's log files. This has now been fixed.

Note: The potential for exposure was limited only to customers matching specific conditions. A detailed advisory was sent to customers to check for such conditions and in the unlikely case of exposure happening, the advisory included instructions to sanitize the exposure and fix the conditions.

Key Manager Plus Release 5620 (Oct 2018)

New features / Enhancements

Integration with GoDaddy SSL: Key Manager Plus now supports lifecycle management of SSL certificates issued by GoDaddy certificate authority. This enhancement, powered through a seamless integration with GoDaddy's API, allows administrators request, consolidate, deploy, renew, revoke and manage life cycles of certificates issued by GoDaddy certificate authority from a single interface.

Key benefits

  • Fully automated, end-to-end management of certificate lifecycles.
  • Complete visibility and control over demand, CSR generation, certificate deployment and revocation.
  • Centralized tracking of certificate requests with an at a glance view of their status parameters.
  • Custom expiration alerts through periodic email notifications.

Key Manager Plus Release 5610 (Aug 2018)

New Features / Enhancements

  • Root based certificate signing: Key Manager Plus now enables administrators to sign and issue certificates to end-servers within the network environment, based on a root certificate that is trusted within the network.
  • Domain expiry notification: Administrators can now keep a track of expiring domains from Key Manager Plus facilitated through 'Whois Lookup', and also receive periodic email notifications regarding the same.
  • Key Manager Plus now expedites domain validation for Let's Encrypt certificate renewal through automated verification of DNS-01 challenges (for Azure and Cloudflare DNS).
  • Key Manager Plus now includes provisions to import certificate files to keystore by automatically pinning its corresponding private key with the acquired certificate.


  • Previously, there were a few format issues during SSH keys import. This has now been fixed.

Key Manager Plus Release 5600 (May 2018)

New Features / Enhancements

  • Provision to control the exposure of personal data in reports
    Key Manager Plus now has provisions to control the exposure of personal data in reports, allowing administrators to mask or hide personal data in reports exported from Key Manager Plus as well as in e-mail notifications for scheduled report generation.
  • Password protection for exports
    Administrators can now enable password protection for exports, thus enforce an additional layer of security for files (certificates, certificate private key, certificate signing request, PDF and CSV reports, SSH public key, SSH private key, keys secured in keystore) exported from Key Manager Plus.
  • Administrator acknowledgement of data transfer for third-party integrationsKey Manager Plus has now made it mandatory for administrators to acknowledge the transfer of personal data when setting up integration with third parties—such as certificate requests from Let's Encrypt and other trusted third-party CAs, integration with ServiceDesk Plus' CMDB—where there is flow of personal data from Key Manager Plus.
  • Provision to purge audit trails
    Key Manager Plus now includes the provision to purge audit trails, giving administrators the privilege of erasure of personal data that are no longer required in relation to the purposes for which they were originally recorded.
  • Database-level encryption of sensitive personal information
    Key Manager Plus now offers encryption of sensitive personal data at the database-level providing a greater level of data integrity and privacy.
  • Provision to manage non-user email addresses
    Key Manager Plus now separately lists and tracks unmapped email addresses—those that are not associated with any Key Manager Plus users but are being used for sending notifications regarding scheduled tasks, license expiration—and also grants administrators the privilege to delete them if needed.
  • Key Manager Plus now provides administrators the option to enable or disable API access.
  • Users can now export keystore files attached to certificates in various formats (PKCS12 / JKS).
  • Key Manager Plus now provides additional options to configure email notifications for certificate expiry and private key rotation.

Bug fixes

  • Previously, Key Manager Plus imported certificates that had no common name or SAN during SSL certificate discovery. This has now been fixed and import will be successful only if either of the two parameters are present.

Key Manager Plus Release 5510 (Apr 2018)

New Features / Enhancements

  • Key Manager Plus now supports DNS based domain verification for certificates requested from Let's Encrypt CA.
  • Template-based SSL certificate discovery option, for certificates stored by Microsoft Certificate Authority.
  • Option to transfer files using Secure Copy Protocol (SCP) to user accounts with SSH key based authentication.

Bug Fixes

  • Previously, there were issues when parsing SSH key passphrases that contained special characters. This has now been fixed.

Key Manager Plus Release 5.5 (Jan 2018)

New Features / Enhancements

  • Microsoft CA certificate signing :
    Key Manager Plus now allows users to get certificate requests signed from Microsoft Certificate Authority, thereby facilitating complete life cycle management for certificates issued by Microsoft Certificate Authority.
  • Integration with CMDB :
    Key Manager Plus now provides the option to sync SSL certificates in its repository with ManageEngine Service Desk Plus CMDB, allowing administrators to map certificates to specific servers / applications in the CMDB and monitor their usage and expiration from Service Desk Plus' CMDB.
  • SSL Certificate group :
    This enhancement allows users to organize SSL certificates into logical groups based on various criteria and execute actions in bulk on the groups.
  • Option to enforce access restrictions by assigning users to specific certificate groups during user additions.
  • Date based discovery filter for Microsoft Certificate Authority certificate discovery.
  • Option to separately track and manage various versions of the same SSL certificate (with the same common name).
  • Option to change Key Manager Plus' web server port directly from the user interface.
  • Option to import and map a private key to certificate has been supported.

Bug Fixes

  • Earlier, when generating certificate signing requests with SAN names, the SAN names were not updated. This has now been fixed.
  • Earlier, there were issues with fetching the system locale on Microsoft CA discovery. This has now been fixed.

Key Manager Plus Release 5.2 (Aug 2017)

New features / Enhancements

  • SSL certificate vulnerability scan:
    Users can now scan for vulnerabilities in SSL certificates managed using Key Manager Plus. Vulnerability scan is performed on SSL certificates as well as the end-point servers. Key Manager Plus will check for certificate revocation status, certificate-server mismatch, usage of weak encryption algorithms (such as the SHA-1) pertaining to the selected certificate. Also, the end-point servers are scanned for configuration vulnerabilities such as HEARTBLEED, POODLE and usage of weak protocols and cipher suites.
  • Users can also schedule periodic vulnerability scan on selected or all certificates in Key Manager Plus repository, obtain e-mail notifications and comprehensive reports post the scan.
  • Graphical representation of private-key availability for a given certificate in the SSL → Certificates view.
  • Option to download keystore, pfx and private-key files for a given SSL Certificate.
  • Option to install SSL certificate for Key Manager Plus server from the product interface.

Bug fixes

  • Earlier, Edit resource group action was being redirected to Add Resource Group window. This has now been fixed.

Key Manager Plus Release 5.1 (May 2017)

New features / Enhancements

  • Landing server support for SSH key management:
    Option to connect to remote networks through landing servers, thereby overcoming the barriers created by network segmentation. Also supports ssh key management for these remote servers.
  • Option to deploy certificates onto Windows server (Internet Information Services) and Microsoft Certificate Store directly from product interface.
  • Option to identify the different versions of certificates deployed and also the list of servers in which a certificate is deployed.
  • Option to add user generated private keys when requesting for certificates from Let's Encrypt CA.
  • Key Manager Plus now supports MSSQL as database back end.
  • Option to fetch latest authorized_key file,edit and push the file to respective user accounts.

Bug fixes

  • Earlier, there were display issues with SSH home directory settings. This has now been fixed.
  • Earlier, there were issues while adding .der encoded certificates using Add certificate option. This has now been fixed.

Key Manager Plus Release 5.0 (Feb 2017)

New Features / Enhancements 

  • End-to-end certificate life-cycle management through integration with Let's Encrypt CA:Key Manager Plus now allows you to request, procure, deploy and automatically renew SSL certificates for your domains from Let's Encrypt, the renowned Certificate Authority.
  • Discovery:
    • Option to discover and manage certificates from Windows Certificate store.
    • Option to exclusively discover and manage certificates issued by Windows Certificate Authority.
  • Deployment: Option to deploy SSL certificates as well as JKS/PCKS12 keys to end-point servers directly from the product interface.
  • Reports: Additional reports on certificate deployment, certificates deployed on multiple servers, SHA-1 certificates, Let's Encrypt certificates, Let's Encrypt certificate requests.
  • Option to export audit records on key and certificate discovery.
  • Enhancements to identify SSH user home directory.
  • Certificate request workflow enhancements:
    • Options to specify device name/ IP address while raising a certificate request.
    • Options to automatically import the obtained certificate into .pfx/.keystore file.
    • Option to e-mail certificate and JKS/PKCS keys while closing a certificate request.

Bug Fixes

  • Earlier, there were connection issues with ubuntu16.04 server. This has now been fixed.
  • Earlier, operator users can view all the users in various user groups. This has now been fixed. The operator users can now view only those users present in their own user groups.

Key Manager Plus Release 4.5 (Oct 2016)

New Features / Enhancements 

  • RESTful APIs for SSL, SSH and Key store:  Key Manager Plus now provides RESTful APIs, which help you to connect, interact and integrate any application with Key Manager Plus directly. The APIs also allow applications to create, fetch, associate digital keys and add, retrieve or manage users programmatically.
  • Option to discover and manage certificates mapped to user accounts in Active Directory. Both on-demand and scheduled discovery options are supported.
  • Support to leverage RADIUS server authentication.
  • New report on wildcard certificates deployment scenario.
  • Report on the user certificates imported from Active Directory.

Bug Fixes

  • Earlier, there were issues with date based sorting in the certificates and scheduled views. This has been fixed.
  • Earlier, SSL discovery schedule took too long to complete on failure cases. This has been fixed.
  • Earlier, email address was mandatory while saving schedules. This has been made optional.

Key Manager Plus Release 4.1 (Aug 2016)

New Features / Enhancements 

  • Option to push the private key, public key or both to remote user accounts. This feature is also available as part of key rotation schedule.
  • Administrator users can now add commands, restrict hosts and carry out other actions on a public key and push the authorized_key file to the remote user account. They can also view the current authorized_key file content.
  • Administrator users can now be able to view the passphrase of the SSH keys, SSL certificates and other keys.
  • Option to import multiple SSL certificates is supported now.
  • Option to effectively track SSL certificate expiry through a new scheduled task.
  • Dashboard settings will be persisted in the database.

Bug Fixes

  • Earlier, when root credentials were incorrect and key based authentication is enabled, there was an issue in associating private keys to users. This has been fixed.
  • Earlier, there was an issue in importing .pfx (personnel certificates) through import keystore option. This has been fixed.
  • Active Directory authentication issue in Key Manager Plus Windows 32 bit build has been fixed.

Key Manager Plus - Release 4.0 (June, 2016)

New Features

  • SSL Certificate Management- Key Manager Plus provides visibility and centralized control over the entire life cycle of SSL certificates across any network and thereby helps prevent downtime, compliance issues, and security breaches.

    Highlights of SSL certificate management include:

    • Discovery: Discovers all SSL certificates deployed in the network, irrespective of the issuing certificate authority (CA), including self-signed ones.
    • Centralized Inventory: Consolidates all discovered certificates and stores them in a secure, centralized repository for easy access and management.
    • Track Certificate Details: Tracks all certificate information, including name of the CA, date of issue, encryption algorithm, key length and other vital details.
    • Control Certificate Signing Requests: Centrally controls new CSR process. Handles key-pair creation process and provides ready-to-use CSR data files to be sent to the CA for getting new certificates.
    • Expiration Alerts: Tracks certificate validity and sends alerts about the certificates that are about to expire. Generates reports on expiry status of certificates.
    • Flag SHA-1 Certificates: Identifies certificates that use SHA-1 hashing function (which is found to be weak), prompting administrators to revoke the certificates and create new ones.
    • Ensure Compliance: Ensures that the encryption algorithms and underlying key lengths comply with various industry regulations.

  • Key Store- Key Manager Plus provides a secure repository for the storage of any digital key.

    Using the Key Store feature of Key Manager Plus, you can:

    • Add any digital key file (< 1MB) to the Key Manager Plus repository.
    • Map the digital key to a particular application, instance, and location (i.e, AWS, Azure data centers etc), to easily locate, track, and maintain them.
    • Maintain versions of the digital key files.
    • Generate report of all digital keys in use along with their details.


  • Earlier, for SSH key management, user accounts could be added only if their associated credentials were provided. Now, a feature has been added to manage users using only SSH key pairs (without providing their passwords).
  • SSH Private Key Group : This enhancement helps to organize SSH private keys as a logical group and execute key rotation, report creation, key group deployment and other operations in bulk.
  • SSH User Group : This enhancement helps to organize SSH users into a group and execute actions in bulk on the group.
  • Earlier, the private keys were deployed in the default location. Now, option has been provided to change the remote server user account authorized_key file location (i.e /home/test/.ssh to var/home/test/.ssh) both in bulk and for individual user accounts.
  • Support is now provided for JUNOS based Juniper devices.


  • Earlier, licensing was based on the number of SSH users. Henceforth, licensing would be based on the number of keys, which includes SSH private keys, SSL certificates, and the number of keys in the Key Store, which are managed using Key Manager Plus.