ManageEngine Key Manager Plus - Release Notes
Key Manager Plus Release 6151 (Hotfix) (October 2021)
- Earlier, on some occasions, the 'Edit User' form under 'Settings >> User Management >>Users' displayed UI glitches for users with the 'Operator' user role. This issue has been fixed.
- Earlier, operations such as account creation and placing certificate requests performed through 'Let's Encrypt CA' failed. This issue has been fixed.
Key Manager Plus Release 6150 (September 2021)
- Support for SAML-based Single-Sign-On (SSO)
Key Manager Plus integrates with federated identity management solutions to act as the SAML service provider and works with SAML identity providers to offer single sign-on. Through this feature, you can leverage a third-party SAML identity provider's authentication mechanism to access the Key Manager Plus interface without supplying your existing local authentication credentials for Key Manager Plus. Key Manager Plus supports several SAML SSO identity providers including, Okta, Azure SAML SSO, and AD FS.
- New Tools Category Added:
Key Manager Plus now comes with a 'Tools' category that will allow users to independently perform certificate conversion, SSL/CSR parsing, and vulnerability scanning without adding certificates into the Key Manager Plus repository.
i. Certificate Signing Requests (CSR) and SSL Parser - The parser tool allows users to upload certificates or their contents directly to the interface and sort the attributes into a readable format.
ii. Certificate Format Converter - The converter tool supports one-click conversion for a wide range of certificate formats.
iii. Scan Vulnerabilities - The scanner tool allows users to scan any domain for vulnerabilities by entering the domain name and port directly. Unlike the SSL Vulnerability scan, this tool checks for vulnerabilities in any domain, without adding the certificate to the repository.
- Certificates Synchronization Status Check
From Key Manager Plus build 6150 onwards, Key Manager Plus allows you to perform regular checks on the synchronization status of SSL certificates deployed to multiple servers directly. Additionally, you can schedule the synchronization check and generate a 'Certificate Sync Status' report based on the results.
- From build 6150, after certificate renewal, the expired certificate's details can be sent via email. Configure the required setting under 'Settings >> SSL >> Certificate Renewal'.
- From build 6150, Key Manager Plus will display the hosted SSL certificate's CommonName, Serial number, and SyncStatus with the managed servers and include them in the 'Deployed Servers' report.
- Earlier, scheduled tasks were performed only during the scheduled time. Now, from build 6150 onwards, scheduled tasks can be performed anytime by using the 'Execute' button available under the 'Schedules' tab.
- From build 6150, KMP allows you to check the SyncStatus using Agent. For this to work, the agent should also be updated to version 6150.
- From build 6000, certificates were managed based on their Serial Number. From build 6150, certificates having the same common name and different serial numbers can be grouped by enabling 'Managing Certificate History Settings' under 'SSL >> Certificate History'.
- From build 6150, after certificate renewal, the old certificate will be listed under 'Certificate History'.
- From build 6150, Key Manager Plus allows you to add additional properties to CSR while signing with root by using the 'Advanced Options' menu. It allows users to choose from a list of Key Usage and Advanced Key Usage properties, and add them to the new certificate. Examples for the Key Usage properties include; Digital Signature, Decipher Only, Encipher Only, and Certificate Sign.
- From build 6150, Key Manager Plus allows you to import PGP keys created using third party tools.
- Earlier, certificate order creation for GoDaddy's 100 UCC SAN SSL certificates was failing. This issue is fixed now.
- Earlier, while importing SSL certificates from the GoDaddy portal, Key Manager Plus failed to import some of the certificates. This issue is fixed now.
- Earlier, when an MSCA certificate was discovered from a different domain, the 'MSCA' type certificate was changed to the type 'Domain', which caused the auto-renewal process to fail. This issue has been fixed now.
- A path traversal vulnerability has been fixed.
Key Manager Plus Release 6100 (May 2021)
- Active Directory Synchronization
Key Manager Plus now comes with the Active Directory (AD) synchronization feature that allows users to set up recurring synchronization schedules for single or multiple domains during AD user import. AD synchronization schedules can be created to import users from user groups or organizational units that are part of multiple AD domains.
- Earlier, when certificates were renewed, the deployed servers and the credentials had to be mentioned manually. From now on, the renewed certificates will automatically inherit the deployed servers and their credentials.
- Henceforth, the SSL certificates can be manually mapped with deployed servers list to any server directly from 'Inventory >> More >> Add Deployed Server'.
- Earlier, only the administrators were able to perform CSR signing. Hereafter, the administrators can allow the operators as well to sign the certificates.
- From now on, certificates/CSRs/certificate groups will have an email field to which the SSL expiry email notifications can be sent, where the expiry notification email address can be provided while creating the Certificate and CSR.
- A new option - Deploy to Microsoft certificate store user account, has been added, which facilitates the deployment of the Microsoft Store deployed certificates to the respective user accounts, in addition to deploying to the computer accounts.
- The SSL Certificate Expiry Notification set up under "Settings >> Notifications >> Expiry" will now include Issuer, FingerPrint, and Serial Number fields in the Certificate Expiry email.
- The auto-renewal duplication issue has been fixed.
- There was an issue in exporting the certificates as password-protected zips when password protection for exports was enabled under Privacy Settings. This issue has been fixed now.
- There was a failure in Linux deployment from the ServiceDesk Plus request. This issue has been fixed now.
Key Manager Plus Release 6002 (April 2021)
- Privilege escalation vulnerabilities (ZVE-2021-0959 and ZVE-2021-0958 ) in the Report view and during data export, reported by Ranjit Pahan, have been fixed.
- An XSS vulnerability (ZVE-2021-0956) that occurred during Linux shared file discovery, reported by Ranjit Pahan, has been fixed.
Key Manager Plus Release 6001 (March 2021)
- An XSS issue with the AD imported user details in the user management page, reported by Matt (CVE-2021-28382), has been fixed.
- MSCA discovery, when carried out using an agent without any filter, failed. This issue is fixed now.
- An issue that caused incomplete Scheduled LoadBalancer discovery and failed audit has been fixed.
Key Manager Plus Release 6000 (February 2021)
- SSL Certificate Rediscovery
Key Manager Plus allows you to rediscover SSL certificates from the same source using the server details entered during the previous discovery operation.
- Integration with Buypass Go SSL and ZeroSSL
Key Manager Plus now integrates with Buypass Go SSL and ZeroSSL—two certificate authorities that use the Automatic Certificate Management Environment (ACME) protocol to provide free, secure SSL certificates. Users can now request, acquire, create, deploy, renew, and automate the end-to-end management of SSL/TLS certificates issued by Buypass Go SSL and ZeroSSL, all directly from the Key Manager Plus web interface.
- Integration with ManageEngine Mobile Device Manager (MDM) Plus
Key Manager Plus now integrates with ManageEngine Mobile Device Manager (MDM) Plus. This integration uses ManageEngine MDM APIs to discover and deploy SSL certificates to and from the mobile devices managed by your MDM server. Key Manager Plus then lets you filter the discovered SSL certificates based on the OS type such as iOS, Android, Windows, Chrome OS, Mac OS, and Apple tvOS. It is also possible to export reports of the MDM certificates managed in the Key Manager Plus repository within a selected period. Additionally, you can schedule periodic generation of MDM certificate reports.
- Certificate Discovery from UNC Shared Path for Linux/Mac OS
Key Manager Plus now supports SSL certificate discovery from UNC (Universal Naming Convention) shared paths for Linux and Mac OS machines. Use this feature to discover SSL certificates stored in a folder path within a server that is accessible by Key Manager Plus. After the discovery, Key Manager Plus will consolidate the newly-discovered SSL certificates in its certificate repository. This option is also available during scheduled certificate discovery.
- MSCA Discovery with Agent using Multiple Templates
Users can now select up to five certificate templates while performing agent-based certificate discovery of local CA certificates. Before using this enhancement, please ensure if the Agent is upgraded to version 6000.
- Support for .CRT Extension
Henceforth, certificates can be exported/deployed with the .CRT extension too.
- Search-Enabled Custom Columns
Key Manager Plus allows you to search within custom columns for SSL Certificates and SSH keys.
- Multiple Servers List
Now you can include multiple servers for certificates in SSL certificate expiry notifications.
- GoDaddy Certificates Import
From now on, users can directly import the existing certificates from their GoDaddy account into the Key Manager Plus repository.
- Local Disassociation of Keys
It is now possible to dissociate keys locally if remote dissociation fails for users whose access has been discontinued.
- New Fields in the deployCertificate Rest API
In the deployCertificate Rest API, serial number and server name have been added in input data, where the server name is an optional field used to select a specific server to deploy a certificate.
- APIs - Serial Number as the Mandatory Field
Earlier, the Serial Number field, which was optional in the below APIs, has now been made mandatory; To get a certificate, To get certificate keystore, and To delete a certificate.
- Serial Number in the getCertificateDetails Rest API
In the getCertificateDetails Rest API, Serial Number has been added as an optional field, filling which fetches the details of that particular certificate alone.
- During SSL discovery, discovery from servers with mutual authentication failed. This issue has been fixed now.
- In build 5970, the Agent authentication failed for AD Users. This issue has been fixed now.
From now on, all certificates with unique serial numbers will be listed under the 'Certificates' tab. However, the existing users can manage their already added certificates from the History section, which has now been moved under the Column Chooser.
Key Manager Plus Release 5970 (December 2020)
- From now on, Key Manager Plus supports ClouDNS to complete domain control validation while acquiring certificates from public Certificate Authorities.
- Support for 'Load Balancer' SSL Certificates discovery for Citrix devices.
- Support for AES256-encrypted PKCS12 Keys tores while adding certificate Keystores.
- For security reasons, henceforth, HTTP security headers will be added to all response URLs.
Key Manager Plus Release 5960 (November 2020)
- Certificate Discovery from UNC Shared Path
Key Manager Plus now supports SSL certificate discovery from UNC (Universal Naming Convention) shared paths. Use this feature to discover SSL certificates stored in a folder path within a server that is accessible by Key Manager Plus. After the discovery, Key Manager Plus will consolidate the newly-discovered SSL certificates in its certificate repository. This option is available during scheduled certificate discovery also.
- Certificate Discovery in DMZ Machines using Agent
It is now possible to discover the SSL certificates from directories in remote machines that are not directly accessible by Key Manager Plus—all through the Key Manager Plus Agent. This option is available during scheduled certificate discovery also.
- Browser Deployment of Certificates
Users will now be able to deploy SSL certificates in browsers from Key Manager Plus for the following server types: Windows, Linux, and MacOS.
- SSH Key Association using "Elevate to root user" Option
This release comes with the new "Elevate to root user" option. Now, as a security measure, it is possible to restrict users from directly accessing root users by disabling the root user login. Enabling this option elevates a user login from a non-root user to a root user and associate keys to all other users in the server.
- New RestApi
The new REST API, 'Deploy Certificate', has been added.
- We have upgraded the PostgreSQL server to version 9.5.21.
- Users can now select up to five certificate templates while performing template-based SSL certificate discovery.
- Users can now bypass proxy server settings while performing SSL certificate discovery. If this option is selected, Key Manager Plus will bypass the proxy server and directly perform online certificate discovery. This option is available during scheduled certificate discovery also.
- Earlier, after certificate renewal, users will have to deploy MSCA/-self-signed certificates manually. Now, it is possible to deploy these certificates automatically if the user credentials are available.
- Users will now be able to choose the Certificate type [CER/DER/P7B] and Keystore type [JKS/PKCS/PEM/KEY] while deploying Certificates to Windows and Linux machines and while exporting certificates.
- Now, it is possible to renew MSCA type Certificates with a new private key if a private key not available already.
- Earlier, it was possible to add or modify IISBinding only by giving the 'hostname'. This issue has been fixed, and now 'hostname' is not mandatory to create or update IISBinding.
- Certificates renewal happened without SAN names when the renewal was carried out using the 'Renew'' button in inventory.
- Earlier, MSCA templates showed the OID instead of the template name. This issue is fixed.
Key Manager Plus Release 5950 (August 2020)
- On-demand Renewal of Certificates
This release comes with a 'Renew' option under 'SSL >> Certificates' that allows users to initiate the renewal of Self Signed, Root Signed, Microsoft CA Signed, and Agent-signed certificates, and also the certificates issued by the third-party CAs.
- LDAP Authentication and Scheduled Users Sync
In addition to Active Directory and RADIUS authentication, Key Manager Plus now supports user import and user authentication using LDAP servers as well. Use LDAP integration to import Active Directory (AD) users from Microsoft AD and OpenLDAP into Key Manager Plus Linux installations, and also regularly update the user database through the sync operation provided by Key Manager Plus. Besides, users can use LDAP authentication for access, bypassing the local authentication provided by Key Manager Plus. Supported LDAP server types are Microsoft Active Directory and OpenLDAP.
- Key Manager Plus now supports scheduled SSL discovery and MS Certificate Store Discovery tasks with agent.
- Previously, the certificates due for expiry in 10 days or less got automatically renewed. Now, users will be able to customize the number of days to auto-renew the certificates before they expire.
- From now on, during CSR signing of SSL certificates using the agent, it is possible to specify the Agent timeout value, in seconds.
- Henceforth, users will be able to select specific Certificates or Certificate Groups while generating the 'SSL Certificates Report' Schedule type (under 'Schedule >> Add Schedule').
- Users will now be able to add and edit the deployed servers list under 'SSL >> Certificates >> Multiple Servers (icon)'. Newly added servers will be mapped with the latest certificate version in the certificate repository.
- Key Manager Plus now supports IP range discovery for MS Certificate store discovery ('Discovery >> MS Certificate Store') using the KMP service with the domain Admin account. This allows administrators to discover certificates across networks.
- Key Manager Plus now supports 'Load Balancer' Certificates discovery for 'SSL Discovery' schedule type. Use this schedule type to discover certificates from load balancers, such as BIG-IP F5, Nginx, etc., which support SSH access on a scheduled basis.
- Certificates and CSR generation pages have been enhanced with the Random Password generation feature.
- Under 'Settings >> SSL >> IIS Binding', binding list retrieval failed for bindings with a protocol other than HTTP/HTTPs. This issue has been fixed.
- Earlier during Digicert import, Key Manager Plus failed to import client/personal certificates into KMP. This issue is now fixed.
- Earlier, the date format had the month as a part of the value, due to which sorting did not work. Now, this issue has been resolved by modifying the date format in the CSV file to be the standard date format.
- Earlier while discovering certificates using a load balancer, there were problems with commands other than the standard Linux commands. This issue has been fixed.
- Get templates issue fixed for CA name-based fetch.
- Previously, the proxy configuration was not supported in GlobalSign integration, due to which users with proxy were unable to use the integration. This issue has been fixed now.
Key Manager Plus Release 5920 (June 2020)
- The 'Certificate Renewal Report' page under the 'Reports' tab now comes with a column chooser.
- Users can now view all the certificates associated with a particular agent by clicking the 'Host Name' of the agent listed under 'SSL >> Windows Agents'.
- Now, users can tailor schedules by adding custom email content and a unique signature.
- Now, users can discover certificates issued by a particular 'Microsoft Certificate Authority' just by entering the MSCA name in the text box provided, during discovery. Remember, this additional option will be available for Key Manager Plus installations in Windows server machines only.
- Now, it is possible to add the Wildcard name in the SAN field while creating a CSR or a self-signed certificate. With the Wildcard certificates, one can secure an unlimited number of subdomains for a registered base-domain.
- Earlier, Certificate Expiry Notification emails sent to the email addresses specified in additional fields followed a fixed format. Now, the customization settings configured for notification emails in 'Notification' and 'Schedule' tabs will be applied to the emails sent via email addresses in the additional fields as well.
- Agent got duplicated when re-installed from a different IP address. This has been fixed.
- The 'Common name' column sorting issue in the 'Certificate Sign Report' wizard has been fixed.
- The issue in MSCA auto-renewal with the EC key has been fixed.
- Get Templates issues that existed with the non - English languages have been fixed.
Key Manager Plus Release 5910 (May 2020)
- New Certificate Format - PEM
A new certificate format, Privacy Enhanced Mail (PEM), has been added, in addition to the already available certificate export formats, Keystore and PFX, where the PEM format is used for digital certificates and keys, deployed in web server platforms (e.g., Apache).
- Support for GoDaddy DNS
From now on, Key Manager Plus supports GoDaddy DNS to complete the domain control validation procedure while acquiring certificates from public Certificate Authorities, along with the already available DNS support types, Azure DNS, Cloudflare DNS, Amazon route 53, and RFC2136 Update. Using GoDaddy DNS, users can update the DNS record for GoDaddy domain validation from the Key Manager Plus portal itself.
- This release comes with an exclusive page for 'Windows Agents', accessible from the SSL tab, from where users will be able to perform all agent-specific operations such as SSL Discovery using agent, deployment of SSL certificates in certificate groups using agent and CSR Signing with MSCA agent.
- Certificate deployment in multiple servers has now been made simpler by using an agent, provided the agent is running in the server to be deployed, and both the agent name and the server DNS name are the same.
- Now, auto-renewal of certificates is possible for the 'MSCA using agent' sign type as well, from 'Settings >> SSL >> Certificate Renewal'.
- The 'Certificate Sign Report' comes with the following MSCA/Third party CA signing details; Certificate Authority, Certificate Template, Sign Type column.
- The 'Certificate Renewal report' comes with the 'Renewed By' column relevant to MSCA and 3rdPartyCA renewal details.
- A new option 'Reissue Certificate' has been added under 'SSL >> GlobalSign' that allows users to request GlobalSign to reissue an SSL certificate.
- The new 'GlobalSign Orders Report' allows the GlobalSign orders to be added as individual reports, which provide a detailed view of certificate orders requested from the GlobalSign CA.
- From now on, users can add a "Key Comment' while importing a new SSH key and editing an existing key from the repository. Also, users can avail the checkbox "Update comment in associated users" to update the Key comment to the associated end servers automatically.
- Now, it is possible to add additional properties to a certificate while creating it, by using the 'Advanced Options' menu. It allows users to choose from a list of Key Usage and Advanced Key Usage properties, and add them to the new certificate. Examples for the Key Usage properties include; Digital Signature, Decipher Only, Encipher Only, and Certificate Sign.
- The DigiCert CA page has been enhanced with a new menu 'Show' that has four options, Expired, Revoked, Rejected, and Others, used to filter the DigiCert CA list view.
- Now, while adding or modifying the Certificate Groups, it is possible to set 'additional fields' also as one of the 'By Criteria' filters for certificates.
- While creating an additional field, users are allowed to choose if it is applicable for SSH/SSL/both. The 'Additional fields' option is now available under 'Settings'.
- New REST APIs 'GET CSR list' and 'Sign CSR' have been added.
- The 'Expiry Notification' has been enhanced with the custom mail content, 'Title' and 'Signature'.
In the below set of REST APIs, the fetch details format is modified is such a way that the "details" attribute holds all the data; GetCertificateDetails, getallsslcertificates, getAllSSLCertsExpiryDate, sslCertSingleDiscovery, sslCertRangeDiscovery, getallsshkeys, GetSSHKey, getAllSSHUsers,getAllKeyStoreKeys,GetSSHKeysForUser and GetAllAssociatedUsers.
- The Key Manager Plus server's SSL TLS has been upgraded to version 1.2.
- The Key Manager Plus agent's TLS has been upgraded to version 1.2. This is configurable in 'Agent.conf'.
- Earlier, during API calls, the Authentication token was passed as a request parameter. Hereafter, each API call made to the application requires the Authentication token to be passed in the request header.
- Earlier, the Keystore password of the certificate uploaded into the server was appended in the URL, which posed a security risk. From now on, the Keystore password will be sent as the 'RequestBody' to maintain optimal security.
- A local File Intrusion issue during MS store discovery has been fixed.
- The operator user was able to view the admin terminal audit. This has been fixed.
- Server certificate update failed in case of Key Store with multiple alias names. This has been fixed.
- In the build of 5900, the certificate repository column order and also the column values got altered after adding the 'Port' column. This has been fixed.
- The root and intermediate certificates of PEM format got added as separate entries in the certificates repository. This has been fixed now.
Key Manager Plus Release 5900 (March 2020)
Key Manager Plus now supports integration with GlobalSign SSL—atrusted certificate authority and a leading cloud-based PKI solutions provider. This integration enables users to request, acquire, import, deploy, renew and automate the end-to-end lifecycle management of SSL/TLS certificates issued by GlobalSign, directly from the Key Manager Plus web interface.
- Certificate Deployment using Agent
Key Manager Plus can already deploy and bind certificates to IIS servers belonging to the domain, where Key Manager Plus also resides. Now, Key Manager Plus can also deploy certificates to IIS servers in demilitarized zones and also bind them to websites in IIS, all using an agent. This makes Key Manager Plus more scalable, as it can deploy and bind certificates in IIS servers, irrespective of whether they are in the same or different domain.
- CSR Signing using Agent
In addition to the already available two sign types namely, 'MS Certificate Authority' and 'Sign with Root', used to sign certificates from Key Manager Plus, a third sign type 'MS Certificate Authority with Agent' has been introduced. This new sign type is mainly used to sign certificates originating from a distinct domain, i.e., other than the domain to which Key Manager Plus belongs.
- System Integration - ServiceDesk Plus and Service Now
From release 5900, Key Manager Plus integrates with enterprise ticketing systems namely ServiceDesk Plus (on-premise) and ServiceNow. This integration ensures that automatic service requests are created in the ticketing environment to notify administrators of SSL certificates that are at the risk of expiring and certificates that are deemed vulnerable after a vulnerability scan in Key Manager Plus. Users can set notification policies to govern the frequency of service request creation for expiring and vulnerable tickets.
- It is now possible to customize notifications and their intervals. Users can now choose not to receive notifications regarding the expired certificates, and send a separate email and customized subject per certificate, from 'Settings >> Notification'. The same actions can be done while creating new schedules under 'Schedule >> Add Schedule', where you have to select the Schedule Type as 'SSL Expiry'.
- It is now possible to bulk edit the additional fields for multiple SSH keys and certificates.
- The column chooser was introduced in the version 5850 in the SSL window. Now, the IP address and Port are added in the column chooser which allows the users to display the selected columns in the list view.
- It is now possible to provide ephemeral access (validity in hours and minutes) to certificates created using the 'Create Certificate' Rest API.
- Earlier, Key Manager Plus allowed signing and deployment of certificates only from Windows systems. Now, it is possible to perform certificate signing and deployment to Windows systems from Linux installations through agents.
- It is now possible to provide customized subjects in schedules.
Earlier, PostgreSQL data directories in Windows installations were entirely accessible to all locally authenticated users. Now, as a security practice, we have exerted the following measures, applicable for installations under the 'Program Files' directory:
- No inherited permissions are allowed for data and configurations directories
- "Authenticated Users" permission has been excluded entirely
Only the CREATOR OWNER, SYSTEM, Installation User, NT AUTHORITY\Network Service and Administrators groups will have the Full Control over the directories and also can start PostgreSQL.
Key Manager Plus Release 5860 (January 2020)
- Pretty Good Privacy (PGP) Keys
PGP encryption is used to enhance cryptographic privacy and authentication for online communication by encrypting and decrypting texts, emails, files, etc. It uses a combination of data compression, hashing, and public-key cryptography to boost confidentiality. Now, Key Manager Plus brings you this PGP functionality in the form of PGP key generation, where the keys are used to encrypt the data like emails, texts, etc. Create, store and manage PGP keys under 'KMP >> Key Store >> PGP Keys'. Modify the key description anytime, export private/public keys, export keys to multiple email ids, and generate, view, and schedule reports. You can also send expiry notification emails to admins. This feature allows you to share and collaborate information securely among your trusted groups of users and businesses.
Key Manager Plus Release 5850 (December 2019)
- SSL Certificate Deployment and Binding - IIS Server
From release 5850, you can both deploy a certificate to the IIS server and also bind it to the desired website in the IIS, all from the Key Manager Plus interface itself, without the need to access the IIS server separately. Also, an option has been provided to automatically restart the IIS server for the deployment and binding to take effect, thereby eliminating the need for the manual restart from the IIS end.
- Additional Fields
Key Manager Plus now brings you the 'Additional Fields' feature, configured from 'Settings >> General Settings' that is used to include any additional information about SSH keys and SSL certificates, stored in the repository. There are four different categories to add the additional fields: character, numeric, date and email. Users can choose to add or remove the additional fields from SSH and SSL views.
- Column Chooser
The 5850 version of Key Manager Plus comes with the Column Chooser feature that allows users to show or hide columns at runtime, and also rearrange the columns from the current view via drag-and-drop.
- Now, it is possible to use the Key Manager Plus service account credentials for authentication while deploying certificates in Windows servers.
- Henceforth, while creating a certificate, users can provide ephemeral access (validity in hours and minutes) to the certificate, after which the certificate auto-expires. This eliminates the need for compulsory permanent access credentials to access target systems and also explicit access repeal.
- It is now possible to perform SNI-based SSL discovery using the Common Name and IP Address combination.
- The option to filter certificates based on the key length and signature algorithm within specific expiry days has been added to the 'getAllSSLCertificates' Rest API.
- During all AD-related operations performed from the Key Manager Plus interface, the 'Connection Mode' got saved as 'No SSL' only, even if the 'SSL' mode was chosen. This issue has been fixed now.
- Earlier, MSCA signing supported 'java keytool' CSR only. Now, from this release, all CSRs will be supported by MSCA signing.
- During certificate creation, all values entered in the SAN field were all together categorized as 'DNS' only. Now, the values are segregated as 'DNS' and 'IP Address' categories.
Key Manager Plus Release 5810 (October 2019)
- Key Manager Plus now enables users to discover, import, and configure expiry notifications for SSL certificates hosted in the following Amazon Web Services: AWS Certificate Manager (ACM) and AWS Identity and Access Management (IAM).
- Key Manager Plus now supports automated renewal of self-signed certificates in addition to Microsoft CA certificate renewal.
- Key Manager Plus now provides additional insights on agent activity such as heartbeat interval, latest response time and operation performed.
- Key Manager Plus now provides an option to edit the email ID associated with the Let's Encrypt user account.
- Key Manager Plus now supports the discovery of SSH keys with ECDSA and ED25519 signature algorithms.
- A new REST API—to view the private key passphrase of SSL certificates—has now been added.
- For scheduled SSL expiry task, users now have the option to choose whether or not, to receive email notifications when no certificates in that particular schedule are nearing expiration.
- Key Manager Plus offers automatic bundling of individual private key (.key) files and certificate files (.cer/.pem) into 'JKS' and 'PKCS' keystore file formats and provides export option for the same.
- Two extra categories have been added for criteria-based certificate group creation: AWS service and certificate template.
- Previously, certificate deployment failed if the field "Store Password" contained a space character when creating certificates from SSL → Certificates tab. This has now been fixed.
- Previously, when performing bulk operations, the "Create and Deploy" action failed when executed on SSH user groups, for RSA and DSA signature algorithms. This has now been fixed.
- Previously, when there was a "space" character present in a certificate group name, attempting to fetch the SSL certificates report pertaining to that group from the Reports tab threw the following error: "Invalid field format". This has now been fixed.
- Previously, even after the certificate private key was imported and attached to a certificate in Key Manager Plus' certificate repository, the "Export Keystore/PFX" was still disabled. This has now been fixed.
Key Manager Plus Release 5800 (August 2019)
- Integration with DigiCert SSL: Key Manager Plus brings forth integration with DigiCert—leading provider of TLS/SSL, IoT and various other PKI solutions—enabling users to request, acquire, create, deploy, renew and automate the end-to-end management of SSL/TLS certificates issued by DigiCert, all directly from Key Manager Plus' web interface.
- CSR templates: Key Manager Plus now allows users to create and use predefined templates for CSR (Certificate Signing Request) generation.
- Users can now choose to exclude specific certificates from being added to Key Manager Plus repository when performing SSL discovery or during manual addition.
- Key Manager Plus now supports creation and management of SSH keys using ECDSA and ED25519 key algorithms.
- Key Manager Plus now supports RFC2136 DNS updates to complete domain control validation when acquiring certificates from public certificate authorities.
- Key Manager Plus now includes provisions that allow users to sign CSRs (either using your internal Microsoft CA or a root certificate) as and when they are generated.
- Key Manager Plus now supports file-based discovery for scheduled SSH and SSL discovery tasks.
- A new dashboard widget that provides data about SSL configuration vulnerabilities has now been added.
- Two new REST APIs have been added: REST API for SSL certificate addition and REST API for SSH key deletion
Key Manager Plus Release 5750 (May 2019)
- Agent based discovery:Key Manager Plus now supports agent based SSL discovery that allows administrators to discover and import certificates present across a network by installing one or more instances of agent software on target systems. The agent, which is available as a compressed package with all the necessary configurations in Key Manager Plus interface, once installed in the required end servers, performs certificate discovery and updates the certificate database in a timely manner.
- Load balancer certificate discovery:Key Manager Plus now allows administrator users to discover and consolidate SSL certificates deployed to Linux based load balancers such as Nginx and F5 through a process tunneled via SSH.
- When performing Certificate Store and MS CA discovery, administrators can now make use of Key Manager Plus service account credentials to login to target systems, using the dedicated option provided, without having to manually enter them.
SSL / TLS encryption for mail server configuration:Key Manager Plus now allows users to encrypt communication for email notifications sent from the application using the SSL / TLS option available in SMTP configuration settings.
- Multiple server icon issue:Previously, when a certificate was deployed to two servers and then if one of the deployed servers was deleted, the "Multiple Servers" icon still continued to be enabled. This has now been fixed.
- Previously, when discovering multiple certificates from a single resource, changing the DNS name of one of those certificates caused it to be reflected across all the discovered certificates. This has now been fixed.
- Previously, when scheduled discovery operations failed (both SSH and SSL), the audit records were not updated correctly for a few cases. This has now been fixed.
Key Manager Plus Release 5710 (May 2019)
- SSH and SSL Discovery:
- Key Manager Plus now provides a subnet discovery option for both SSH and SSL discovery, allowing administrators to discover keys and certificates from specific subnetworks within an IP range.
- Users can now choose to exclude specific IP addresses when performing bulk discovery from an IP address range.
- Certificate Deployment:Key Manager Plus now provides an additional key based authentication functionality (apart from the conventional password authentication) which users can leverage to deploy certificates to password-less Linux end servers.
- Besides Azure and Cloudflare DNS, Key Manager Plus now supports Amazon Route 53 DNS to complete the domain control validation procedure when acquiring certificates from public certificate authorities.
- Previously, in the following scenarios—Microsoft Certificate Store discovery, server certificate upload and Radius server configuration (server secret field)—if the password entered contained special characters, a "harmful content" error was being thrown. This has now been fixed.
- Previously, certificates that did not have a common name (the SAN name is taken as the common name by default in these cases) failed to update after running a scheduled discovery. This issue has now been fixed.
- Previously, the 'Days' filter in the SSL Expiry Report failed to render correct results. This has now been fixed.
Key Manager Plus Release 5700 (April 2019)
New features / Enhancements
- Integration with public certificate authorities: Key Manager Plus facilitates end-to-end life cycle management of certificates obtained from trusted certificate authorities (CAs) enabling users to request, consolidate, deploy, renew and track certificates issued by multiple commercial CAs from a single interface. This functionality powered through a seamless API integration with The SSL Store™—one of the largest platinum partners of world's leading CAs—provides users the option to acquire and manage certificates from the following third-party CAs directly from Key Manager Plus' web interface: Sectigo (formerly Comodo), Symantec, Thawte, Geotrust, and RapidSSL.
- Audit notifications: Users can now choose to receive audit log notifications for various operations performed in Key Manager Plus. The alerts can be configured in the form of email notifications, or SNMP traps / Syslog messages to management systems within your network.
- Key Manager Plus now provides users the option to update credentials for SSH resources in bulk, which is useful in cases where multiple resources operate with the same credentials.
- Previously, the DNS based domain control validation procedure was unsuccessful for Let's Encrypt sub domain certificate requests. This has now been fixed.
- Previously, those certificates that contained string parameter "WITH" (in this format, eg., SHA256WITHRSA) in the signature algorithm could not be classified as root certificates. This issue has now been fixed.
- Previously, when pushing key files to users after key association, dissociation or editing authorized_keys file via SCP, there were issues with accessing the file post transfer due to file name issue. This has now been resolved by generating a random file name before transferring to the appropriate user accounts.
- In Key Manager Plus build 5650, the global search for certificates based on common name and SAN failed to retrieve proper results. This has now been fixed.
- Previously, the file-based discovery of SSL certificates failed for large file sizes (more than 50 thousand IP addresses). This has now been resolved.
- Previously, there were issues with resetting the password for Key Manager Plus account (local authentication) using the "Forgot Password" option. This issue has now been fixed.
Key Manager Plus Release 5650 (Jan 2019)
- Failover service (FOS) with common MS SQL clusters: Key Manager Plus now provides administrator users the option to map redundant Key Manager Plus server instances to a common MS SQL cluster. Therefore, if one Key Manager Plus instance fails, the other instance(s) that are configured to the same database take over ensuring uninterrupted access to the application.
- Let's Encrypt wildcard certificate management support: Users can now request, acquire and manage wildcard certificates issued by Let's Encrypt certificate authority from Key Manager Plus.
- Administrators can now create scheduled tasks for discovering and importing certificates from Microsoft Certificate Store and certificates issued by Microsoft Certificate Authority.
- Users can now import certificate signing requests (CSRs) generated outside Key Manager Plus, forward to trusted certificate authorities and track their statuses from Key Manager Plus.
- Key Manager Plus now offers a more simplified workflow to establish connection with SSH resources that utilize password-less, key based authentication.
- During resource deletion, users are now provided with the option to either dissociate or retain the SSH keys associated to the resource using Key Manager Plus. This option was not available in the earlier versions and the associated key was automatically dissociated.
- Users now have the option to import certificate signing requests (CSRs) generated outside Key Manager Plus when placing GoDaddy certificate orders.
- Key Manager Plus now provides users an additional option to export only the private key during CSR export.
- Harmful content fix on non-English, Windows operating system: Previously, Key Manager Plus installed on non-English Windows operating system had traces of harmful content in schedule creation and audit records. This has now been fixed.
- Previously, during SSH resource deletion, the SSH keys manually imported into Key Manager Plus and associated to specific user accounts from the application were supposed to be dissociated after the resource had been deleted. However, the keys remained associated to the user accounts even after resource deletion. This has been fixed and also, users can now choose to either dissociate or retain the associated keys (Refer enhancement 2).
- Previously, when enumerating user accounts for resources that utilized password-less, key based connection establishment, the SSH keys in the user accounts were not discovered. This has now been fixed.
- Previously, SSH key import was unsuccessful if the key passphrase contained special characters like '~', '?', '<' and '>'. This has now been fixed.
Key Manager Plus Release 5630 (Dec 2018)
New features / Enhancements
- Key Manager Plus now supports SMTP server certificate discovery that allows administrators to exclusively discover and manage SSL certificates used by mail servers.
- Previously, when deploying SSL certificates to Microsoft Internet Information Services (IIS) server, the private key exported with the certificate was being corrupted on deployment. This has now been fixed.
- Previously, administrators were unable to sign certificates with custom root CA if Subject Alternative Name (SAN) wasn't provided during CSR generation. This has now been fixed.
- Previously, when performing template-based discovery of certificates issued by the Microsoft Certificate Authority (MS CA), the CA server's account credentials were being stored in clear text in the Key Manager Plus server's log files. This has now been fixed.
Note: The potential for exposure was limited only to customers matching specific conditions. A detailed advisory was sent to customers to check for such conditions and in the unlikely case of exposure happening, the advisory included instructions to sanitize the exposure and fix the conditions.
Key Manager Plus Release 5620 (Oct 2018)
New features / Enhancements
Integration with GoDaddy SSL: Key Manager Plus now supports lifecycle management of SSL certificates issued by GoDaddy certificate authority. This enhancement, powered through a seamless integration with GoDaddy's API, allows administrators request, consolidate, deploy, renew, revoke and manage life cycles of certificates issued by GoDaddy certificate authority from a single interface.
- Fully automated, end-to-end management of certificate lifecycles.
- Complete visibility and control over demand, CSR generation, certificate deployment and revocation.
- Centralized tracking of certificate requests with an at a glance view of their status parameters.
- Custom expiration alerts through periodic email notifications.
Key Manager Plus Release 5610 (Aug 2018)
New Features / Enhancements
- Root based certificate signing: Key Manager Plus now enables administrators to sign and issue certificates to end-servers within the network environment, based on a root certificate that is trusted within the network.
- Domain expiry notification: Administrators can now keep a track of expiring domains from Key Manager Plus facilitated through 'Whois Lookup', and also receive periodic email notifications regarding the same.
- Key Manager Plus now expedites domain validation for Let's Encrypt certificate renewal through automated verification of DNS-01 challenges (for Azure and Cloudflare DNS).
- Key Manager Plus now includes provisions to import certificate files to keystore by automatically pinning its corresponding private key with the acquired certificate.
- Previously, there were a few format issues during SSH keys import. This has now been fixed.
Key Manager Plus Release 5600 (May 2018)
New Features / Enhancements
- Provision to control the exposure of personal data in reports
Key Manager Plus now has provisions to control the exposure of personal data in reports, allowing administrators to mask or hide personal data in reports exported from Key Manager Plus as well as in e-mail notifications for scheduled report generation.
- Password protection for exports
Administrators can now enable password protection for exports, thus enforce an additional layer of security for files (certificates, certificate private key, certificate signing request, PDF and CSV reports, SSH public key, SSH private key, keys secured in keystore) exported from Key Manager Plus.
- Administrator acknowledgement of data transfer for third-party integrationsKey Manager Plus has now made it mandatory for administrators to acknowledge the transfer of personal data when setting up integration with third parties—such as certificate requests from Let's Encrypt and other trusted third-party CAs, integration with ServiceDesk Plus' CMDB—where there is flow of personal data from Key Manager Plus.
- Provision to purge audit trails
Key Manager Plus now includes the provision to purge audit trails, giving administrators the privilege of erasure of personal data that are no longer required in relation to the purposes for which they were originally recorded.
- Database-level encryption of sensitive personal information
Key Manager Plus now offers encryption of sensitive personal data at the database-level providing a greater level of data integrity and privacy.
- Provision to manage non-user email addresses
Key Manager Plus now separately lists and tracks unmapped email addresses—those that are not associated with any Key Manager Plus users but are being used for sending notifications regarding scheduled tasks, license expiration—and also grants administrators the privilege to delete them if needed.
- Key Manager Plus now provides administrators the option to enable or disable API access.
- Users can now export keystore files attached to certificates in various formats (PKCS12 / JKS).
- Key Manager Plus now provides additional options to configure email notifications for certificate expiry and private key rotation.
- Previously, Key Manager Plus imported certificates that had no common name or SAN during SSL certificate discovery. This has now been fixed and import will be successful only if either of the two parameters are present.
Key Manager Plus Release 5510 (Apr 2018)
New Features / Enhancements
- Key Manager Plus now supports DNS based domain verification for certificates requested from Let's Encrypt CA.
- Template-based SSL certificate discovery option, for certificates stored by Microsoft Certificate Authority.
- Option to transfer files using Secure Copy Protocol (SCP) to user accounts with SSH key based authentication.
- Previously, there were issues when parsing SSH key passphrases that contained special characters. This has now been fixed.
Key Manager Plus Release 5.5 (Jan 2018)
New Features / Enhancements
- Microsoft CA certificate signing :
Key Manager Plus now allows users to get certificate requests signed from Microsoft Certificate Authority, thereby facilitating complete life cycle management for certificates issued by Microsoft Certificate Authority.
- Integration with CMDB :
Key Manager Plus now provides the option to sync SSL certificates in its repository with ManageEngine Service Desk Plus CMDB, allowing administrators to map certificates to specific servers / applications in the CMDB and monitor their usage and expiration from Service Desk Plus' CMDB.
- SSL Certificate group :
This enhancement allows users to organize SSL certificates into logical groups based on various criteria and execute actions in bulk on the groups.
- Option to enforce access restrictions by assigning users to specific certificate groups during user additions.
- Date based discovery filter for Microsoft Certificate Authority certificate discovery.
- Option to separately track and manage various versions of the same SSL certificate (with the same common name).
- Option to change Key Manager Plus' web server port directly from the user interface.
- Option to import and map a private key to certificate has been supported.
- Earlier, when generating certificate signing requests with SAN names, the SAN names were not updated. This has now been fixed.
- Earlier, there were issues with fetching the system locale on Microsoft CA discovery. This has now been fixed.
Key Manager Plus Release 5.2 (Aug 2017)
New features / Enhancements
- SSL certificate vulnerability scan:
Users can now scan for vulnerabilities in SSL certificates managed using Key Manager Plus. Vulnerability scan is performed on SSL certificates as well as the end-point servers. Key Manager Plus will check for certificate revocation status, certificate-server mismatch, usage of weak encryption algorithms (such as the SHA-1) pertaining to the selected certificate. Also, the end-point servers are scanned for configuration vulnerabilities such as HEARTBLEED, POODLE and usage of weak protocols and cipher suites.
- Users can also schedule periodic vulnerability scan on selected or all certificates in Key Manager Plus repository, obtain e-mail notifications and comprehensive reports post the scan.
- Graphical representation of private-key availability for a given certificate in the SSL → Certificates view.
- Option to download keystore, pfx and private-key files for a given SSL Certificate.
- Option to install SSL certificate for Key Manager Plus server from the product interface.
- Earlier, Edit resource group action was being redirected to Add Resource Group window. This has now been fixed.
Key Manager Plus Release 5.1 (May 2017)
New features / Enhancements
- Landing server support for SSH key management:
Option to connect to remote networks through landing servers, thereby overcoming the barriers created by network segmentation. Also supports ssh key management for these remote servers.
- Option to deploy certificates onto Windows server (Internet Information Services) and Microsoft Certificate Store directly from product interface.
- Option to identify the different versions of certificates deployed and also the list of servers in which a certificate is deployed.
- Option to add user generated private keys when requesting for certificates from Let's Encrypt CA.
- Key Manager Plus now supports MSSQL as database back end.
- Option to fetch latest authorized_key file,edit and push the file to respective user accounts.
- Earlier, there were display issues with SSH home directory settings. This has now been fixed.
- Earlier, there were issues while adding .der encoded certificates using Add certificate option. This has now been fixed.
Key Manager Plus Release 5.0 (Feb 2017)
New Features / Enhancements
- End-to-end certificate life-cycle management through integration with Let's Encrypt CA:Key Manager Plus now allows you to request, procure, deploy and automatically renew SSL certificates for your domains from Let's Encrypt, the renowned Certificate Authority.
- Option to discover and manage certificates from Windows Certificate store.
- Option to exclusively discover and manage certificates issued by Windows Certificate Authority.
- Deployment: Option to deploy SSL certificates as well as JKS/PCKS12 keys to end-point servers directly from the product interface.
- Reports: Additional reports on certificate deployment, certificates deployed on multiple servers, SHA-1 certificates, Let's Encrypt certificates, Let's Encrypt certificate requests.
- Option to export audit records on key and certificate discovery.
- Enhancements to identify SSH user home directory.
- Certificate request workflow enhancements:
- Options to specify device name/ IP address while raising a certificate request.
- Options to automatically import the obtained certificate into .pfx/.keystore file.
- Option to e-mail certificate and JKS/PKCS keys while closing a certificate request.
- Earlier, there were connection issues with ubuntu16.04 server. This has now been fixed.
- Earlier, operator users can view all the users in various user groups. This has now been fixed. The operator users can now view only those users present in their own user groups.
Key Manager Plus Release 4.5 (Oct 2016)
New Features / Enhancements
- RESTful APIs for SSL, SSH and Key store: Key Manager Plus now provides RESTful APIs, which help you to connect, interact and integrate any application with Key Manager Plus directly. The APIs also allow applications to create, fetch, associate digital keys and add, retrieve or manage users programmatically.
- Option to discover and manage certificates mapped to user accounts in Active Directory. Both on-demand and scheduled discovery options are supported.
- Support to leverage RADIUS server authentication.
- New report on wildcard certificates deployment scenario.
- Report on the user certificates imported from Active Directory.
- Earlier, there were issues with date based sorting in the certificates and scheduled views. This has been fixed.
- Earlier, SSL discovery schedule took too long to complete on failure cases. This has been fixed.
- Earlier, email address was mandatory while saving schedules. This has been made optional.
Key Manager Plus Release 4.1 (Aug 2016)
New Features / Enhancements
- Option to push the private key, public key or both to remote user accounts. This feature is also available as part of key rotation schedule.
- Administrator users can now add commands, restrict hosts and carry out other actions on a public key and push the authorized_key file to the remote user account. They can also view the current authorized_key file content.
- Administrator users can now be able to view the passphrase of the SSH keys, SSL certificates and other keys.
- Option to import multiple SSL certificates is supported now.
- Option to effectively track SSL certificate expiry through a new scheduled task.
- Dashboard settings will be persisted in the database.
- Earlier, when root credentials were incorrect and key based authentication is enabled, there was an issue in associating private keys to users. This has been fixed.
- Earlier, there was an issue in importing .pfx (personnel certificates) through import keystore option. This has been fixed.
- Active Directory authentication issue in Key Manager Plus Windows 32 bit build has been fixed.
Key Manager Plus - Release 4.0 (June, 2016)
- Earlier, for SSH key management, user accounts could be added only if their associated credentials were provided. Now, a feature has been added to manage users using only SSH key pairs (without providing their passwords).
- SSH Private Key Group : This enhancement helps to organize SSH private keys as a logical group and execute key rotation, report creation, key group deployment and other operations in bulk.
- SSH User Group : This enhancement helps to organize SSH users into a group and execute actions in bulk on the group.
- Earlier, the private keys were deployed in the default location. Now, option has been provided to change the remote server user account authorized_key file location (i.e /home/test/.ssh to var/home/test/.ssh) both in bulk and for individual user accounts.
- Support is now provided for JUNOS based Juniper devices.
- Earlier, licensing was based on the number of SSH users. Henceforth, licensing would be based on the number of keys, which includes SSH private keys, SSL certificates, and the number of keys in the Key Store, which are managed using Key Manager Plus.