ManageEngine Key Manager Plus - Release Notes
Key Manager Plus Release 5920 (June 2020)
- The 'Certificate Renewal Report' page under the 'Reports' tab now comes with a column chooser.
- Users can now view all the certificates associated with a particular agent by clicking the 'Host Name' of the agent listed under 'SSL >> Windows Agents'.
- Now, users can tailor schedules by adding custom email content and a unique signature.
- Now, users can discover certificates issued by a particular 'Microsoft Certificate Authority' just
by entering the MSCA name in the text box provided, during discovery. Remember, this additional option will be available for Key Manager Plus installations in Windows server machines only.
- Now, it is possible to add the Wildcard name in the SAN field while creating a CSR or a self-signed certificate. With the Wildcard certificates, one can secure an unlimited number of subdomains for a registered base-domain.
- Earlier, Certificate Expiry Notification emails sent to the email addresses specified in additional fields followed a fixed format. Now, the customization settings configured for notification emails in 'Notification' and 'Schedule' tabs will be applied to the emails sent via email addresses in the additional fields as well.
- Agent got duplicated when re-installed from a different IP address. This has been fixed.
- The 'Common name' column sorting issue in the 'Certificate Sign Report' wizard has been
- The issue in MSCA auto-renewal with the EC key has been fixed.
- Get Templates issues that existed with non-English languages have been fixed.
Key Manager Plus Release 5910 (May 2020)
- New Certificate Format - PEM
A new certificate format, Privacy Enhanced Mail (PEM), has been added, in addition to the already available
certificate export formats, Keystore and PFX, where the PEM format is used for digital certificates and
keys, deployed in web server platforms (e.g., Apache).
- Support for GoDaddy DNS
From now on, Key Manager Plus supports GoDaddy DNS to complete the domain control validation procedure while
acquiring certificates from public Certificate Authorities, along with the already available DNS support
types, Azure DNS, Cloudflare DNS, Amazon Route 53, and RFC2136 Update. Using GoDaddy DNS, users can update
the DNS record for GoDaddy domain validation from the Key Manager Plus portal itself.
- This release comes with an exclusive page for 'Windows Agents', accessible from the SSL tab, from where
users will be able to perform all agent-specific operations such as SSL Discovery using agent, deployment of
SSL certificates in certificate groups using agent and CSR Signing with MSCA agent.
- Certificate deployment in multiple servers has now been made simpler by using an agent, provided the agent
is running in the server to be deployed, and both the agent name and the server DNS name are the same.
- Now, auto-renewal of certificates is possible for the 'MSCA using agent' sign type as well, from 'Settings
>> SSL >> Certificate Renewal'.
- The 'Certificate Sign Report' comes with the following MSCA/Third party CA signing details: Certificate
Authority, Certificate Template, Sign Type column.
- The 'Certificate Renewal report' comes with the 'Renewed By' column relevant to MSCA and 3rdPartyCA renewal
- A new option 'Reissue Certificate' has been added under 'SSL >> GlobalSign' that allows users to
request GlobalSign to reissue an SSL certificate.
- The new 'GlobalSign Orders Report' allows the GlobalSign orders to be added as individual reports, which
provide a detailed view of certificate orders requested from the GlobalSign CA.
- From now on, users can add a 'Key Comment' while importing a new SSH key and editing an existing key
from the repository. Also, users can use the checkbox 'Update comment in associated users' to
update the Key comment to the associated end servers automatically.
- Now, it is possible to add additional properties to a certificate while creating it, by using the 'Advanced
Options' menu. It allows users to choose from a list of Key Usage and Advanced Key Usage properties, and add
them to the new certificate. Examples for the Key Usage properties include: Digital Signature, Decipher
Only, Encipher Only, and Certificate Sign.
- The DigiCert CA page has been enhanced with a new menu 'Show' that has four options, Expired, Revoked,
Rejected, and Others, used to filter the DigiCert CA list view.
- Now, while adding or modifying the Certificate Groups, it is possible to set 'additional fields' also as one
of the 'By Criteria' filters for certificates.
- While creating an additional field, users are allowed to choose if it is applicable for SSH/SSL/both. The
'Additional fields' option is now available under 'Settings'.
- New REST APIs 'GET CSR list' and 'Sign CSR' have been added.
- The 'Expiry Notification' has been enhanced with the custom mail content, 'Title' and 'Signature'.
- In the below set of REST APIs, the fetch details format is modified in such a way that the "details"
attribute holds all the data: GetCertificateDetails, getallsslcertificates, getAllSSLCertsExpiryDate,
sslCertSingleDiscovery, sslCertRangeDiscovery, getallsshkeys, GetSSHKey,
getAllSSHUsers, getAllKeyStoreKeys, GetSSHKeysForUser and GetAllAssociatedUsers.
- The Key Manager Plus server's SSL TLS has been upgraded to version 1.2.
- The Key Manager Plus agent's TLS has been upgraded to version 1.2. This is configurable in 'Agent.conf'.
- Earlier, during API calls, the Authentication token was passed as a request parameter. Hereafter, each API
call made to the application requires the Authentication token to be passed in the request header.
- Earlier, the Keystore password of the certificate uploaded into the server was appended in the URL, which
posed a security risk. From now on, the Keystore password will be sent as the 'RequestBody' to maintain
- A local File Intrusion issue during MS store discovery has been fixed.
- The operator user was able to view the admin terminal audit. This has been fixed.
- Server certificate update failed in case of Key Store with multiple alias names. This has been fixed.
- In build 5900, the certificate repository column order and also the column values got altered after
adding the 'Port' column. This has been fixed.
- The root and intermediate certificates of PEM format got added as separate entries in the certificates
repository. This has been fixed now.
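The 5910 items above move the API authentication token out of the request parameters and the keystore password out of the URL. Anything carried in a URL is written to web server and proxy access logs, so logs from before the upgrade are worth auditing. The following is an added example, not ManageEngine code: it scans access-log lines for secret-bearing query parameters and redacts them. The parameter names, paths and log lines are constructed assumptions, since the page does not name the real ones.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed (hypothetical) parameter names; replace with the ones your deployment used.
SENSITIVE_PARAMS = {"authtoken", "keystore_password"}

# Request field of a common/combined access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed sample lines (documentation IP range, made-up paths and values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/May/2020:10:00:01 +0000] '
    '"GET /api/example/certs?authtoken=EXAMPLE-TOKEN-1&limit=10 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/May/2020:10:00:05 +0000] '
    '"POST /api/example/upload?keystore_password=example%20pass HTTP/1.1" 200 64',
    '192.0.2.11 - - [01/May/2020:10:00:09 +0000] '
    '"GET /api/example/certs?limit=10 HTTP/1.1" 200 512',
]


def find_secret_params(target):
    """Return the sorted names of sensitive query parameters in a request target."""
    query = urlsplit(target).query
    found = {name for name, _ in parse_qsl(query, keep_blank_values=True)
             if name.lower() in SENSITIVE_PARAMS}
    return sorted(found)


def redact_target(target):
    """Replace the values of sensitive query parameters with REDACTED.

    The query string is re-encoded, so the escaping of other values may be
    normalised (for example %20 becomes +); their meaning is unchanged.
    """
    parts = urlsplit(target)
    pairs = [(name, "REDACTED" if name.lower() in SENSITIVE_PARAMS else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def audit_log(lines):
    """Return (findings, redacted_lines).

    findings is a list of (line_number, method, path, [parameter names]).
    Lines without a parsable request field or without secrets pass through unchanged.
    """
    findings, redacted = [], []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            target = match.group("target")
            names = find_secret_params(target)
            if names:
                findings.append((lineno, match.group("method"),
                                 urlsplit(target).path, names))
                line = (line[:match.start("target")] + redact_target(target)
                        + line[match.end("target"):])
        redacted.append(line)
    return findings, redacted


if __name__ == "__main__":
    hits, cleaned = audit_log(SAMPLE_LOG)
    for lineno, method, path, names in hits:
        print(f"line {lineno}: {method} {path} exposes {', '.join(names)}")
    print("\n".join(cleaned))
```

Any token or password the audit finds should be treated as exposed and rotated, since redacting the log does not undo copies held by proxies or log collectors.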
Key Manager Plus Release 5900 (March 2020)
Key Manager Plus now supports integration with GlobalSign SSL, a trusted certificate authority and a
leading cloud-based PKI solutions provider. This integration enables users to request, acquire, import,
deploy, renew and automate the end-to-end lifecycle management of SSL/TLS certificates issued by GlobalSign,
directly from the Key Manager Plus web interface.
- Certificate Deployment using Agent
Key Manager Plus can already deploy and bind certificates to IIS servers belonging to the domain, where Key
Manager Plus also resides. Now, Key Manager Plus can also deploy certificates to IIS servers in
demilitarized zones and also bind them to websites in IIS, all using an agent. This makes Key Manager Plus
more scalable, as it can deploy and bind certificates in IIS servers, irrespective of whether they are in
the same or different domain.
- CSR Signing using Agent
In addition to the already available two sign types namely, 'MS Certificate Authority' and 'Sign with Root',
used to sign certificates from Key Manager Plus, a third sign type 'MS Certificate Authority with Agent' has
been introduced. This new sign type is mainly used to sign certificates originating from a distinct domain,
i.e., other than the domain to which Key Manager Plus belongs.
- System Integration - ServiceDesk Plus and ServiceNow
From release 5900, Key Manager Plus integrates with enterprise ticketing systems namely ServiceDesk Plus
(on-premise) and ServiceNow. This integration ensures that automatic service requests are created in the
ticketing environment to notify administrators of SSL certificates that are at the risk of expiring and
certificates that are deemed vulnerable after a vulnerability scan in Key Manager Plus. Users can set
notification policies to govern the frequency of service request creation for expiring and vulnerable
- It is now possible to customize notifications and their intervals. Users can now choose not to receive
notifications regarding the expired certificates, and send a separate email and customized subject per
certificate, from 'Settings >> Notification'. The same actions can be done while
creating new schedules under 'Schedule >> Add Schedule', where you have to select the
Schedule Type as 'SSL Expiry'.
- It is now possible to bulk edit the additional fields for multiple SSH keys and certificates.
- The column chooser was introduced in the version 5850 in the SSL window. Now, the IP address and Port are
added in the column chooser which allows the users to display the selected columns in the list view.
- It is now possible to provide ephemeral access (validity in hours and minutes) to certificates created using
the 'Create Certificate' REST API.
- Earlier, Key Manager Plus allowed signing and deployment of certificates only from Windows systems. Now, it
is possible to perform certificate signing and deployment to Windows systems from Linux installations
- It is now possible to provide customized subjects in schedules.
Earlier, PostgreSQL data directories in Windows installations were entirely accessible to all locally
authenticated users. Now, as a security practice, the following measures are applied to
installations under the 'Program Files' directory:
- No inherited permissions are allowed for data and configurations directories
- "Authenticated Users" permission has been excluded entirely
Only the CREATOR OWNER, SYSTEM, Installation User, NT AUTHORITY\Network Service and Administrators groups
have Full Control over the directories and can start PostgreSQL.
Key Manager Plus Release 5860 (January 2020)
- Pretty Good Privacy (PGP) Keys
PGP encryption is used to enhance cryptographic privacy and authentication for online communication by
encrypting and decrypting texts, emails, files, etc. It uses a combination of data compression, hashing, and
public-key cryptography to boost confidentiality. Now, Key Manager Plus brings you this PGP functionality in
the form of PGP key generation, where the keys are used to encrypt the data like emails, texts, etc. Create,
store and manage PGP keys under 'KMP >> Key Store >> PGP Keys'. Modify the key description
anytime, export private/public keys, export keys to multiple email ids, and generate, view, and schedule
reports. You can also send expiry notification emails to admins. This feature allows you to share and
collaborate information securely among your trusted groups of users and businesses.
Key Manager Plus Release 5850 (December 2019)
- SSL Certificate Deployment and Binding - IIS Server
From release 5850, you can both deploy a certificate to the IIS server and also bind it to the desired
website in the IIS, all from the Key Manager Plus interface itself, without the need to access the IIS
server separately. Also, an option has been provided to automatically restart the IIS server for the
deployment and binding to take effect, thereby eliminating the need for the manual restart from the IIS end.
- Additional Fields
Key Manager Plus now brings you the 'Additional Fields' feature, configured from 'Settings >> General
Settings' that is used to include any additional information about SSH keys and SSL certificates, stored in
the repository. There are four different categories to add the additional fields: character, numeric, date
and email. Users can choose to add or remove the additional fields from SSH and SSL views.
- Column Chooser
The 5850 version of Key Manager Plus comes with the Column Chooser feature that allows users to show or hide
columns at runtime, and also rearrange the columns from the current view via drag-and-drop.
- Now, it is possible to use the Key Manager Plus service account credentials for authentication while
deploying certificates in Windows servers.
- Henceforth, while creating a certificate, users can provide ephemeral access (validity in hours and minutes)
to the certificate, after which the certificate auto-expires. This eliminates the need for compulsory
permanent access credentials to access target systems and also explicit access repeal.
- It is now possible to perform SNI-based SSL discovery using the Common Name and IP Address combination.
- The option to filter certificates based on the key length and signature algorithm within specific expiry
days has been added to the 'getAllSSLCertificates' REST API.
- During all AD-related operations performed from the Key Manager Plus interface, the 'Connection Mode' got
saved as 'No SSL' only, even if the 'SSL' mode was chosen. This issue has been fixed now.
- Earlier, MSCA signing supported 'java keytool' CSR only. Now, from this release, all CSRs will be supported
by MSCA signing.
- During certificate creation, all values entered in the SAN field were all together categorized as 'DNS'
only. Now, the values are segregated as 'DNS' and 'IP Address' categories.
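The last fix above concerns SAN values that were all filed as 'DNS'. This matters because TLS clients match an IP address only against SAN entries of type IP Address, never against DNS entries. The following is an added example, not Key Manager Plus code, of splitting user-supplied SAN values into the two categories. It goes beyond the fix described by also accepting wildcard names and rejecting malformed input; the wildcard policy (a whole leftmost label over a base domain of at least two labels) is an assumption of the example, and the sample values are constructed.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def classify_san(value):
    """Return ('IP Address', text) or ('DNS', text); raise ValueError if neither fits."""
    value = value.strip()
    try:
        # Accepts IPv4 and IPv6 and returns the canonical text form.
        return ("IP Address", str(ipaddress.ip_address(value)))
    except ValueError:
        pass

    name = value.rstrip(".").lower()
    labels = name.split(".")
    if labels[0] == "*":
        # Example policy: wildcard must be the entire leftmost label and must
        # sit in front of a base domain of at least two labels.
        if len(labels) < 3:
            raise ValueError(f"wildcard needs a base domain: {value!r}")
        to_check = labels[1:]
    else:
        to_check = labels

    if len(name) > 253 or not all(_LABEL.fullmatch(label) for label in to_check):
        raise ValueError(f"not a valid DNS name: {value!r}")
    if to_check[-1].isdigit():
        # "10.0.0.256" fails IP parsing but would otherwise pass as a DNS name,
        # which is how a mistyped address ends up filed under 'DNS'.
        raise ValueError(f"looks like a malformed IP address: {value!r}")
    return ("DNS", name)


def group_sans(values):
    """Split SAN values into categories.

    Returns (grouped, rejected): grouped maps 'DNS' and 'IP Address' to
    de-duplicated lists in input order; rejected lists the unusable inputs.
    """
    grouped = {"DNS": [], "IP Address": []}
    rejected = []
    for value in values:
        try:
            kind, text = classify_san(value)
        except ValueError:
            rejected.append(value)
            continue
        if text not in grouped[kind]:
            grouped[kind].append(text)
    return grouped, rejected


# Constructed sample input (documentation address ranges and example.com names).
SAMPLE_SANS = [
    "www.example.com",
    "192.0.2.15",
    "*.example.com",
    "2001:db8::1",
    "10.0.0.256",       # malformed IPv4, must not be filed as DNS
    "a*.example.com",   # partial-label wildcard, rejected
    "WWW.example.com",  # duplicate after case folding
]

if __name__ == "__main__":
    grouped, rejected = group_sans(SAMPLE_SANS)
    for kind, entries in grouped.items():
        print(kind, entries)
    print("rejected", rejected)
```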
Key Manager Plus Release 5810 (October 2019)
- Key Manager Plus now enables users to discover, import, and configure expiry notifications for SSL
certificates hosted in the following Amazon Web Services: AWS Certificate Manager (ACM) and AWS Identity and
Access Management (IAM).
- Key Manager Plus now supports automated renewal of self-signed certificates in addition to Microsoft CA
- Key Manager Plus now provides additional insights on agent activity such as heartbeat interval, latest
response time and operation performed.
- Key Manager Plus now provides an option to edit the email ID associated with the Let's Encrypt user account.
- Key Manager Plus now supports the discovery of SSH keys with ECDSA and ED25519 signature algorithms.
- A new REST API—to view the private key passphrase of SSL certificates—has now been added.
- For scheduled SSL expiry tasks, users now have the option to choose whether or not to receive email
notifications when no certificates in that particular schedule are nearing expiration.
- Key Manager Plus offers automatic bundling of individual private key (.key) files and certificate files
(.cer/.pem) into 'JKS' and 'PKCS' keystore file formats and provides export option for the same.
- Two extra categories have been added for criteria-based certificate group creation: AWS service and
- Previously, certificate deployment failed if the field "Store Password" contained a space
character when creating certificates from SSL → Certificates tab. This has now been fixed.
- Previously, when performing bulk operations, the "Create and Deploy" action failed when executed
on SSH user groups, for RSA and DSA signature algorithms. This has now been fixed.
- Previously, when there was a "space" character present in a certificate group name, attempting to
fetch the SSL certificates report pertaining to that group from the Reports tab threw the following error:
"Invalid field format". This has now been fixed.
- Previously, even after the certificate private key was imported and attached to a certificate in Key Manager
Plus' certificate repository, the "Export Keystore/PFX" was still disabled. This has now been
Key Manager Plus Release 5800 (August 2019)
- Integration with DigiCert SSL: Key Manager Plus brings forth integration
with DigiCert—leading provider of TLS/SSL, IoT and various other PKI solutions—enabling
users to request, acquire, create, deploy, renew and automate the end-to-end management of SSL/TLS
certificates issued by DigiCert, all directly from Key Manager Plus' web interface.
- CSR templates: Key Manager Plus now allows users to create and use predefined
templates for CSR (Certificate Signing Request) generation.
- Users can now choose to exclude specific certificates from being added to Key Manager Plus repository when
performing SSL discovery or during manual addition.
- Key Manager Plus now supports creation and management of SSH keys using ECDSA and ED25519 key algorithms.
- Key Manager Plus now supports RFC2136 DNS updates to complete domain control validation when acquiring
certificates from public certificate authorities.
- Key Manager Plus now includes provisions that allow users to sign CSRs (either using your internal Microsoft
CA or a root certificate) as and when they are generated.
- Key Manager Plus now supports file-based discovery for scheduled SSH and SSL discovery tasks.
- A new dashboard widget that provides data about SSL configuration vulnerabilities has now been added.
- Two new REST APIs have been added: REST API for SSL certificate addition and REST API for SSH key deletion
Key Manager Plus Release 5750 (May 2019)
- Agent based discovery: Key Manager Plus now supports agent based SSL discovery that allows
administrators to discover and import certificates present across a network by installing one or more
instances of agent software on target systems. The agent, which is available as a compressed package with
all the necessary configurations in Key Manager Plus interface, once installed in the required end servers,
performs certificate discovery and updates the certificate database in a timely manner.
- Load balancer certificate discovery: Key Manager Plus now allows administrator users to
discover and consolidate SSL certificates deployed to Linux based load balancers such as Nginx and F5
through a process tunneled via SSH.
- When performing Certificate Store and MS CA discovery, administrators can now make use of Key Manager Plus
service account credentials to login to target systems, using the dedicated option provided, without having
to manually enter them.
- SSL / TLS encryption for mail server configuration: Key Manager Plus now allows users to encrypt
communication for email notifications sent from the application using the SSL / TLS option available in SMTP
- Multiple server icon issue: Previously, when a certificate was deployed to two servers and
then if one of the deployed servers was deleted, the "Multiple Servers" icon still continued to be
enabled. This has now been fixed.
- Previously, when discovering multiple certificates from a single resource, changing the DNS name of one of
those certificates caused it to be reflected across all the discovered certificates. This has now been
- Previously, when scheduled discovery operations failed (both SSH and SSL), the audit records were not
updated correctly for a few cases. This has now been fixed.
Key Manager Plus Release 5710 (May 2019)
- SSH and SSL Discovery:
- Key Manager Plus now provides a subnet discovery option for both SSH and SSL discovery, allowing
administrators to discover keys and certificates from specific subnetworks within an IP range.
- Users can now choose to exclude specific IP addresses when performing bulk discovery from an IP
- Certificate Deployment: Key Manager Plus now provides an additional key based authentication
functionality (apart from the conventional password authentication) which users can leverage to deploy
certificates to password-less Linux end servers.
- Besides Azure and Cloudflare DNS, Key Manager Plus now supports Amazon Route 53 DNS to
complete the domain control validation procedure when acquiring certificates from public certificate
- Previously, in the following scenarios—Microsoft Certificate Store discovery, server certificate
upload and Radius server configuration (server secret field)—if the password entered contained special
characters, a "harmful content" error was being thrown. This has now been fixed.
- Previously, certificates that did not have a common name (the SAN name is taken as the common name by
default in these cases) failed to update after running a scheduled discovery. This issue has now been fixed.
- Previously, the 'Days' filter in the SSL Expiry Report failed to render correct results.
This has now been fixed.
Key Manager Plus Release 5700 (April 2019)
New features / Enhancements
- Integration with public certificate authorities: Key Manager Plus facilitates end-to-end
life cycle management of certificates obtained from trusted certificate authorities (CAs) enabling users to
request, consolidate, deploy, renew and track certificates issued by multiple commercial CAs from a single
interface. This functionality powered through a seamless API integration with The SSL Store™—one
of the largest platinum partners of world's leading CAs—provides users the option to acquire and
manage certificates from the following third-party CAs directly from Key Manager Plus' web interface:
Sectigo (formerly Comodo), Symantec, Thawte, Geotrust, and RapidSSL.
- Audit notifications: Users can now choose to receive audit log notifications for various
operations performed in Key Manager Plus. The alerts can be configured in the form of email notifications,
or SNMP traps / Syslog messages to management systems within your network.
- Key Manager Plus now provides users the option to update credentials for SSH resources in bulk, which is
useful in cases where multiple resources operate with the same credentials.
- Previously, the DNS based domain control validation procedure was unsuccessful for Let's Encrypt sub domain
certificate requests. This has now been fixed.
- Previously, those certificates that contained the string parameter "WITH" (in this format, e.g.,
SHA256WITHRSA) in the signature algorithm could not be classified as root certificates. This issue has now
- Previously, when pushing key files to users after key association, dissociation or editing authorized_keys
file via SCP, there were issues with accessing the file post transfer due to file name issue. This has now
been resolved by generating a random file name before transferring to the appropriate user accounts.
- In Key Manager Plus build 5650, the global search for certificates based on common name and SAN failed to
retrieve proper results. This has now been fixed.
- Previously, the file-based discovery of SSL certificates failed for large file sizes (more than 50 thousand
IP addresses). This has now been resolved.
- Previously, there were issues with resetting the password for Key Manager Plus account (local
authentication) using the "Forgot Password" option. This issue has now been fixed.
Key Manager Plus Release 5650 (Jan 2019)
- Failover service (FOS) with common MS SQL clusters: Key Manager Plus now provides
administrator users the option to map redundant Key Manager Plus server instances to a common MS SQL
cluster. Therefore, if one Key Manager Plus instance fails, the other instance(s) that are configured to the
same database take over ensuring uninterrupted access to the application.
- Let's Encrypt wildcard certificate management support: Users can now request, acquire and
manage wildcard certificates issued by Let's Encrypt certificate authority from Key Manager Plus.
- Administrators can now create scheduled tasks for discovering and importing certificates from Microsoft
Certificate Store and certificates issued by Microsoft Certificate Authority.
- Users can now import certificate signing requests (CSRs) generated outside Key Manager Plus, forward to
trusted certificate authorities and track their statuses from Key Manager Plus.
- Key Manager Plus now offers a more simplified workflow to establish connection with SSH resources that
utilize password-less, key based authentication.
- During resource deletion, users are now provided with the option to either dissociate or retain the SSH keys
associated to the resource using Key Manager Plus. This option was not available in the earlier versions and
the associated key was automatically dissociated.
- Users now have the option to import certificate signing requests (CSRs) generated outside Key Manager Plus
when placing GoDaddy certificate orders.
- Key Manager Plus now provides users an additional option to export only the private key during CSR export.
- Harmful content fix on non-English, Windows operating system: Previously, Key Manager Plus
installed on non-English Windows operating system had traces of harmful content in schedule creation and
audit records. This has now been fixed.
- Previously, during SSH resource deletion, the SSH keys manually imported into Key Manager Plus and
associated to specific user accounts from the application were supposed to be dissociated after the resource
had been deleted. However, the keys remained associated to the user accounts even after resource deletion.
This has been fixed and also, users can now choose to either dissociate or retain the associated keys (Refer
- Previously, when enumerating user accounts for resources that utilized password-less, key based connection
establishment, the SSH keys in the user accounts were not discovered. This has now been fixed.
- Previously, SSH key import was unsuccessful if the key passphrase contained special characters like '~',
'?', '<' and '>'. This has now been fixed.
Key Manager Plus Release 5630 (Dec 2018)
New features / Enhancements
- Key Manager Plus now supports SMTP server certificate discovery that allows administrators to exclusively
discover and manage SSL certificates used by mail servers.
- Previously, when deploying SSL certificates to Microsoft Internet Information Services (IIS) server, the
private key exported with the certificate was being corrupted on deployment. This has now been fixed.
- Previously, administrators were unable to sign certificates with custom root CA if Subject Alternative Name
(SAN) wasn't provided during CSR generation. This has now been fixed.
- Previously, when performing template-based discovery of certificates issued by the Microsoft Certificate
Authority (MS CA), the CA server's account credentials were being stored in clear text in the Key Manager
Plus server's log files. This has now been fixed.
Note: The potential for exposure was limited only to customers
matching specific conditions. A detailed advisory was sent to customers to check for such conditions and in the
unlikely case of exposure happening, the advisory included instructions to sanitize the exposure and fix the
Key Manager Plus Release 5620 (Oct 2018)
New features / Enhancements
Integration with GoDaddy SSL: Key Manager Plus now supports lifecycle management of SSL
certificates issued by GoDaddy certificate authority. This enhancement, powered through a seamless integration
with GoDaddy's API, allows administrators to request, consolidate, deploy, renew, revoke and manage life cycles of
certificates issued by GoDaddy certificate authority from a single interface.
- Fully automated, end-to-end management of certificate lifecycles.
- Complete visibility and control over demand, CSR generation, certificate deployment and revocation.
- Centralized tracking of certificate requests with an at a glance view of their status parameters.
- Custom expiration alerts through periodic email notifications.
Key Manager Plus Release 5610 (Aug 2018)
New Features / Enhancements
- Root based certificate signing: Key Manager Plus now enables administrators to sign and
issue certificates to end-servers within the network environment, based on a root certificate that is
trusted within the network.
- Domain expiry notification: Administrators can now keep a track of expiring domains from
Key Manager Plus facilitated through 'Whois Lookup', and also receive periodic email notifications regarding
- Key Manager Plus now expedites domain validation for Let's Encrypt certificate renewal through automated
verification of DNS-01 challenges (for Azure and Cloudflare DNS).
- Key Manager Plus now includes provisions to import certificate files to keystore by automatically pinning
its corresponding private key with the acquired certificate.
- Previously, there were a few format issues during SSH keys import. This has now been fixed.
Key Manager Plus Release 5600 (May 2018)
New Features / Enhancements
- Provision to control the exposure of personal data in reports
Key Manager Plus now has provisions to control the exposure of personal data in reports, allowing
administrators to mask or hide personal data in reports exported from Key Manager Plus as well as in e-mail
notifications for scheduled report generation.
- Password protection for exports
Administrators can now enable password protection for exports, thus enforcing an additional layer of security
for files (certificates, certificate private key, certificate signing request, PDF and CSV reports, SSH
public key, SSH private key, keys secured in keystore) exported from Key Manager Plus.
- Administrator acknowledgement of data transfer for third-party integrations
Key Manager Plus
has now made it mandatory for administrators to acknowledge the transfer of personal data when setting up
integration with third parties—such as certificate requests from Let's Encrypt and other trusted
third-party CAs, integration with ServiceDesk Plus' CMDB—where there is flow of personal data from Key
- Provision to purge audit trails
Key Manager Plus now includes the provision to purge audit trails, giving administrators the privilege of
erasure of personal data that are no longer required in relation to the purposes for which they were
- Database-level encryption of sensitive personal information
Key Manager Plus now offers encryption of sensitive personal data at the database-level providing a greater
level of data integrity and privacy.
- Provision to manage non-user email addresses
Key Manager Plus now separately lists and tracks unmapped email addresses—those that are not
associated with any Key Manager Plus users but are being used for sending notifications regarding scheduled
tasks, license expiration—and also grants administrators the privilege to delete them if needed.
- Key Manager Plus now provides administrators the option to enable or disable API access.
- Users can now export keystore files attached to certificates in various formats (PKCS12 / JKS).
- Key Manager Plus now provides additional options to configure email notifications for certificate expiry and
private key rotation.
- Previously, Key Manager Plus imported certificates that had no common name or SAN during SSL certificate
discovery. This has now been fixed and import will be successful only if either of the two parameters are
Key Manager Plus Release 5510 (Apr 2018)
New Features / Enhancements
- Key Manager Plus now supports DNS based domain verification for certificates requested from Let's Encrypt
- Template-based SSL certificate discovery option, for certificates stored by Microsoft Certificate Authority.
- Option to transfer files using Secure Copy Protocol (SCP) to user accounts with SSH key based
- Previously, there were issues when parsing SSH key passphrases that contained special characters. This has
now been fixed.
Key Manager Plus Release 5.5 (Jan 2018)
New Features / Enhancements
- Microsoft CA certificate signing:
Key Manager Plus now allows users to get certificate requests signed from Microsoft Certificate Authority,
thereby facilitating complete life cycle management for certificates issued by Microsoft Certificate
- Integration with CMDB:
Key Manager Plus now provides the option to sync SSL certificates in its repository with ManageEngine
Service Desk Plus CMDB, allowing administrators to map certificates to specific servers / applications in
the CMDB and monitor their usage and expiration from Service Desk Plus' CMDB.
- SSL Certificate group:
This enhancement allows users to organize SSL certificates into logical groups based on various criteria and
execute actions in bulk on the groups.
- Option to enforce access restrictions by assigning users to specific certificate groups during user
- Date based discovery filter for Microsoft Certificate Authority certificate discovery.
- Option to separately track and manage various versions of the same SSL certificate (with the same common
- Option to change Key Manager Plus' web server port directly from the user interface.
- Option to import and map a private key to certificate has been supported.
- Earlier, when generating certificate signing requests with SAN names, the SAN names were not updated. This
has now been fixed.
- Earlier, there were issues with fetching the system locale on Microsoft CA discovery. This has now been
Key Manager Plus Release 5.2 (Aug 2017)
New features / Enhancements
- SSL certificate vulnerability scan:
Users can now scan for vulnerabilities in SSL certificates managed using Key Manager Plus. The vulnerability
scan is performed on the SSL certificates as well as the end-point servers. For the selected certificate,
Key Manager Plus checks the certificate revocation status, certificate-server mismatch, and usage of weak
encryption algorithms (such as SHA-1). The end-point servers are also scanned for configuration
vulnerabilities such as HEARTBLEED and POODLE, and for usage of weak protocols and cipher suites.
- Users can also schedule periodic vulnerability scans on selected or all certificates in the Key Manager Plus
repository, and obtain e-mail notifications and comprehensive reports after the scan.
- Graphical representation of private-key availability for a given certificate in the SSL →
- Option to download keystore, pfx and private-key files for a given SSL Certificate.
- Option to install an SSL certificate for the Key Manager Plus server from the product interface.
- Earlier, Edit resource group action was being redirected to Add Resource Group window. This has now been
Key Manager Plus Release 5.1 (May 2017)
New features / Enhancements
- Landing server support for SSH key management:
Option to connect to remote networks through landing servers, thereby overcoming the barriers created by
network segmentation. SSH key management is also supported for these remote servers.
- Option to deploy certificates onto Windows server (Internet Information Services) and Microsoft Certificate
Store directly from product interface.
- Option to identify the different versions of certificates deployed and also the list of servers in which a
certificate is deployed.
- Option to add user-generated private keys when requesting certificates from Let's Encrypt CA.
- Key Manager Plus now supports MSSQL as database back end.
- Option to fetch the latest authorized_key file, edit it, and push the file to the respective user accounts.
- Earlier, there were display issues with SSH home directory settings. This has now been fixed.
- Earlier, there were issues while adding .der encoded certificates using Add certificate option. This has now
Key Manager Plus Release 5.0 (Feb 2017)
New Features / Enhancements
- End-to-end certificate life-cycle management through integration with Let's Encrypt CA: Key
Manager Plus now allows you to request, procure, deploy and automatically renew SSL certificates for your
domains from Let's Encrypt, the renowned Certificate Authority.
- Option to discover and manage certificates from Windows Certificate store.
- Option to exclusively discover and manage certificates issued by Windows Certificate Authority.
- Deployment: Option to deploy SSL certificates as well as JKS/PKCS12 keys to end-point
servers directly from the product interface.
- Reports: Additional reports on certificate deployment, certificates deployed on multiple
servers, SHA-1 certificates, Let's Encrypt certificates, Let's Encrypt certificate requests.
- Option to export audit records on key and certificate discovery.
- Enhancements to identify SSH user home directory.
- Certificate request workflow enhancements:
- Options to specify device name / IP address while raising a certificate request.
- Options to automatically import the obtained certificate into .pfx/.keystore file.
- Option to e-mail certificate and JKS/PKCS keys while closing a certificate request.
- Earlier, there were connection issues with Ubuntu 16.04 servers. This has now been fixed.
- Earlier, operator users could view all the users in various user groups. This has now been fixed. Operator
users can now view only those users present in their own user groups.
Key Manager Plus Release 4.5 (Oct 2016)
New Features / Enhancements
- RESTful APIs for SSL, SSH and Key store: Key Manager Plus now provides RESTful APIs,
which help you to connect, interact and integrate any application with Key Manager Plus directly. The APIs
also allow applications to create, fetch, associate digital keys and add, retrieve or manage users
- Option to discover and manage certificates mapped to user accounts in Active Directory. Both on-demand and
scheduled discovery options are supported.
- Support to leverage RADIUS server authentication.
- New report on wildcard certificates deployment scenario.
- Report on the user certificates imported from Active Directory.
- Earlier, there were issues with date based sorting in the certificates and scheduled views. This has been
- Earlier, SSL discovery schedule took too long to complete on failure cases. This has been fixed.
- Earlier, email address was mandatory while saving schedules. This has been made optional.
Key Manager Plus Release 4.1 (Aug 2016)
New Features / Enhancements
- Option to push the private key, public key or both to remote user accounts. This feature is also available
as part of key rotation schedule.
- Administrator users can now add commands, restrict hosts and carry out other actions on a public key and
push the authorized_key file to the remote user account. They can also view the current authorized_key file
- Administrator users can now view the passphrases of SSH keys, SSL certificates and other keys.
- Option to import multiple SSL certificates is supported now.
- Option to effectively track SSL certificate expiry through a new scheduled task.
- Dashboard settings will be persisted in the database.
- Earlier, when root credentials were incorrect and key-based authentication was enabled, there was an issue in
associating private keys to users. This has been fixed.
- Earlier, there was an issue in importing .pfx (personal certificates) through the import keystore option. This
has been fixed.
- Active Directory authentication issue in Key Manager Plus Windows 32 bit build has been fixed.
Key Manager Plus - Release 4.0 (June, 2016)
- Earlier, for SSH key management, user accounts could be added only if their associated credentials were
provided. Now, a feature has been added to manage users using only SSH key pairs (without providing their
- SSH Private Key Group: This enhancement helps to organize SSH private keys as a logical
group and execute key rotation, report creation, key group deployment and other operations in bulk.
- SSH User Group: This enhancement helps to organize SSH users into a group and execute
actions in bulk on the group.
- Earlier, the private keys were deployed in the default location. Now, an option has been provided to change the
authorized_key file location of remote server user accounts (e.g., /home/test/.ssh to var/home/test/.ssh), both in
bulk and for individual user accounts.
- Support is now provided for JUNOS based Juniper devices.
- Earlier, licensing was based on the number of SSH users. Henceforth, licensing would be based on the number
of keys, which includes SSH private keys, SSL certificates, and the number of keys in the Key Store, which
are managed using Key Manager Plus.