ManageEngine Key Manager Plus - Release Notes

Key Manager Plus Release 5610 (Aug 2018)

New Features / Enhancements

  • Root based certificate signing: Key Manager Plus now enables administrators to sign and issue certificates to end-servers within the network environment, based on a root certificate that is trusted within the network.
  • Domain expiry notification: Administrators can now keep track of expiring domains from Key Manager Plus through 'Whois Lookup', and receive periodic email notifications about them.
  • Key Manager Plus now expedites domain validation for Let's Encrypt certificate renewal through automated verification of DNS-01 challenges (for Azure and Cloudflare DNS).
  • Key Manager Plus now includes provisions to import certificate files into the keystore by automatically pinning the corresponding private key to the acquired certificate.

Bug fixes:

  • Previously, there were a few format issues during SSH keys import. This has now been fixed.

Key Manager Plus Release 5600 (May 2018)

New Features / Enhancements

  • Provision to control the exposure of personal data in reports
    Key Manager Plus now has provisions to control the exposure of personal data in reports, allowing administrators to mask or hide personal data in reports exported from Key Manager Plus as well as in e-mail notifications for scheduled report generation.
  • Password protection for exports
    Administrators can now enable password protection for exports, thereby enforcing an additional layer of security for files (certificates, certificate private key, certificate signing request, PDF and CSV reports, SSH public key, SSH private key, keys secured in keystore) exported from Key Manager Plus.
  • Administrator acknowledgement of data transfer for third-party integrations
    Key Manager Plus has now made it mandatory for administrators to acknowledge the transfer of personal data when setting up integration with third parties—such as certificate requests from Let's Encrypt and other trusted third-party CAs, integration with ServiceDesk Plus' CMDB—where there is flow of personal data from Key Manager Plus.
  • Provision to purge audit trails
    Key Manager Plus now includes the provision to purge audit trails, giving administrators the privilege of erasure of personal data that are no longer required in relation to the purposes for which they were originally recorded.
  • Database-level encryption of sensitive personal information
    Key Manager Plus now offers encryption of sensitive personal data at the database-level providing a greater level of data integrity and privacy.
  • Provision to manage non-user email addresses
    Key Manager Plus now separately lists and tracks unmapped email addresses—those that are not associated with any Key Manager Plus users but are being used for sending notifications regarding scheduled tasks, license expiration—and also grants administrators the privilege to delete them if needed.
  • Key Manager Plus now provides administrators the option to enable or disable API access.
  • Users can now export keystore files attached to certificates in various formats (PKCS12 / JKS).
  • Key Manager Plus now provides additional options to configure email notifications for certificate expiry and private key rotation.

Bug fixes:

  • Previously, Key Manager Plus imported certificates that had no common name or SAN during SSL certificate discovery. This has now been fixed, and import will be successful only if either of the two parameters is present.

Key Manager Plus Release 5510 (Apr 2018)

New Features / Enhancements

  • Key Manager Plus now supports DNS based domain verification for certificates requested from Let's Encrypt CA.
  • Template-based SSL certificate discovery option, for certificates stored by Microsoft Certificate Authority.
  • Option to transfer files using Secure Copy Protocol (SCP) to user accounts with SSH key based authentication.

Bug Fixes

  • Previously, there were issues when parsing SSH key passphrases that contained special characters. This has now been fixed.

Key Manager Plus Release 5.5 (Jan 2018)

New Features / Enhancements

  • Microsoft CA certificate signing:
    Key Manager Plus now allows users to get certificate requests signed from Microsoft Certificate Authority, thereby facilitating complete life cycle management for certificates issued by Microsoft Certificate Authority.
  • Integration with CMDB:
    Key Manager Plus now provides the option to sync SSL certificates in its repository with ManageEngine Service Desk Plus CMDB, allowing administrators to map certificates to specific servers / applications in the CMDB and monitor their usage and expiration from Service Desk Plus' CMDB.
  • SSL Certificate group:
    This enhancement allows users to organize SSL certificates into logical groups based on various criteria and execute actions in bulk on the groups.
  • Option to enforce access restrictions by assigning users to specific certificate groups during user additions.
  • Date based discovery filter for Microsoft Certificate Authority certificate discovery.
  • Option to separately track and manage various versions of the same SSL certificate (with the same common name).
  • Option to change Key Manager Plus' web server port directly from the user interface.
  • Option to import and map a private key to certificate has been supported.

Bug Fixes

  • Earlier, when generating certificate signing requests with SAN names, the SAN names were not updated. This has now been fixed.
  • Earlier, there were issues with fetching the system locale on Microsoft CA discovery. This has now been fixed.

Key Manager Plus Release 5.2 (Aug 2017)

New features / Enhancements:

  • SSL certificate vulnerability scan:
    Users can now scan for vulnerabilities in SSL certificates managed using Key Manager Plus. The vulnerability scan is performed on SSL certificates as well as the end-point servers. For the selected certificate, Key Manager Plus checks the certificate revocation status, certificate-server mismatch, and usage of weak encryption algorithms (such as SHA-1). The end-point servers are also scanned for configuration vulnerabilities such as HEARTBLEED, POODLE and usage of weak protocols and cipher suites.
  • Users can also schedule periodic vulnerability scans on selected or all certificates in the Key Manager Plus repository, and obtain e-mail notifications and comprehensive reports after the scan.
  • Graphical representation of private-key availability for a given certificate in the SSL → Certificates view.
  • Option to download keystore, pfx and private-key files for a given SSL Certificate.
  • Option to install SSL certificate for Key Manager Plus server from the product interface.

Bug fixes:

  • Earlier, Edit resource group action was being redirected to Add Resource Group window. This has now been fixed.

Key Manager Plus Release 5.1 (May 2017)

New features / Enhancements:

  • Landing server support for SSH key management:
    Option to connect to remote networks through landing servers, thereby overcoming the barriers created by network segmentation. Also supports SSH key management for these remote servers.
  • Option to deploy certificates onto Windows server (Internet Information Services) and Microsoft Certificate Store directly from product interface.
  • Option to identify the different versions of certificates deployed and also the list of servers in which a certificate is deployed.
  • Option to add user generated private keys when requesting certificates from Let's Encrypt CA.
  • Key Manager Plus now supports MSSQL as database back end.
  • Option to fetch the latest authorized_key file, edit it and push the file to the respective user accounts.

Bug fixes:

  • Earlier, there were display issues with SSH home directory settings. This has now been fixed.
  • Earlier, there were issues while adding .der encoded certificates using Add certificate option. This has now been fixed.

Key Manager Plus Release 5.0 (Feb 2017)

New Features / Enhancements 

  • End-to-end certificate life-cycle management through integration with Let's Encrypt CA: Key Manager Plus now allows you to request, procure, deploy and automatically renew SSL certificates for your domains from Let's Encrypt, the renowned Certificate Authority.
  • Discovery:
    • Option to discover and manage certificates from Windows Certificate store.
    • Option to exclusively discover and manage certificates issued by Windows Certificate Authority.
  • Deployment: Option to deploy SSL certificates as well as JKS/PKCS12 keys to end-point servers directly from the product interface.
  • Reports: Additional reports on certificate deployment, certificates deployed on multiple servers, SHA-1 certificates, Let's Encrypt certificates, Let's Encrypt certificate requests.
  • Option to export audit records on key and certificate discovery.
  • Enhancements to identify SSH user home directory.
  • Certificate request workflow enhancements:
    • Options to specify device name/ IP address while raising a certificate request.
    • Options to automatically import the obtained certificate into .pfx/.keystore file.
    • Option to e-mail certificate and JKS/PKCS keys while closing a certificate request.

Bug Fixes

  • Earlier, there were connection issues with Ubuntu 16.04 server. This has now been fixed.
  • Earlier, operator users could view all the users in various user groups. This has now been fixed. The operator users can now view only those users present in their own user groups.

Key Manager Plus Release 4.5 (Oct 2016)

New Features / Enhancements 

  • RESTful APIs for SSL, SSH and Key store: Key Manager Plus now provides RESTful APIs, which help you to connect, interact and integrate any application with Key Manager Plus directly. The APIs also allow applications to create, fetch, associate digital keys and add, retrieve or manage users programmatically.
  • Option to discover and manage certificates mapped to user accounts in Active Directory. Both on-demand and scheduled discovery options are supported.
  • Support to leverage RADIUS server authentication.
  • New report on wildcard certificates deployment scenario.
  • Report on the user certificates imported from Active Directory.

Bug Fixes

  • Earlier, there were issues with date based sorting in the certificates and scheduled views. This has been fixed.
  • Earlier, SSL discovery schedule took too long to complete on failure cases. This has been fixed.
  • Earlier, email address was mandatory while saving schedules. This has been made optional.

Key Manager Plus Release 4.1 (Aug 2016)

New Features / Enhancements 

  • Option to push the private key, public key or both to remote user accounts. This feature is also available as part of key rotation schedule.
  • Administrator users can now add commands, restrict hosts and carry out other actions on a public key and push the authorized_key file to the remote user account. They can also view the current authorized_key file content.
  • Administrator users can now view the passphrase of the SSH keys, SSL certificates and other keys.
  • Option to import multiple SSL certificates is supported now.
  • Option to effectively track SSL certificate expiry through a new scheduled task.
  • Dashboard settings will be persisted in the database.

Bug Fixes

  • Earlier, when root credentials were incorrect and key based authentication was enabled, there was an issue in associating private keys to users. This has been fixed.
  • Earlier, there was an issue in importing .pfx (personal certificates) through the import keystore option. This has been fixed.
  • Active Directory authentication issue in Key Manager Plus Windows 32 bit build has been fixed.

Key Manager Plus - Release 4.0 (June, 2016)

New Features

  • SSL Certificate Management: Key Manager Plus provides visibility and centralized control over the entire life cycle of SSL certificates across any network and thereby helps prevent downtime, compliance issues, and security breaches.

    Highlights of SSL certificate management include:

    • Discovery: Discovers all SSL certificates deployed in the network, irrespective of the issuing certificate authority (CA), including self-signed ones.
    • Centralized Inventory: Consolidates all discovered certificates and stores them in a secure, centralized repository for easy access and management.
    • Track Certificate Details: Tracks all certificate information, including name of the CA, date of issue, encryption algorithm, key length and other vital details.
    • Control Certificate Signing Requests: Centrally controls new CSR process. Handles key-pair creation process and provides ready-to-use CSR data files to be sent to the CA for getting new certificates.
    • Expiration Alerts: Tracks certificate validity and sends alerts about the certificates that are about to expire. Generates reports on expiry status of certificates.
    • Flag SHA-1 Certificates: Identifies certificates that use SHA-1 hashing function (which is found to be weak), prompting administrators to revoke the certificates and create new ones.
    • Ensure Compliance: Ensures that the encryption algorithms and underlying key lengths comply with various industry regulations.

  • Key Store: Key Manager Plus provides a secure repository for the storage of any digital key.

    Using the Key Store feature of Key Manager Plus, you can:

    • Add any digital key file (< 1MB) to the Key Manager Plus repository.
    • Map the digital key to a particular application, instance, and location (e.g., AWS, Azure data centers, etc.), to easily locate, track, and maintain them.
    • Maintain versions of the digital key files.
    • Generate report of all digital keys in use along with their details.

Enhancements

  • Earlier, for SSH key management, user accounts could be added only if their associated credentials were provided. Now, a feature has been added to manage users using only SSH key pairs (without providing their passwords).
  • SSH Private Key Group: This enhancement helps to organize SSH private keys as a logical group and execute key rotation, report creation, key group deployment and other operations in bulk.
  • SSH User Group: This enhancement helps to organize SSH users into a group and execute actions in bulk on the group.
  • Earlier, the private keys were deployed in the default location. Now, an option has been provided to change the remote server user account authorized_key file location (e.g., /home/test/.ssh to var/home/test/.ssh) both in bulk and for individual user accounts.
  • Support is now provided for JUNOS based Juniper devices.

Changes

  • Earlier, licensing was based on the number of SSH users. Henceforth, licensing would be based on the number of keys, which includes SSH private keys, SSL certificates, and the number of keys in the Key Store, which are managed using Key Manager Plus.