Release Notes

MTG CLM Documentation just turned interactive! Within the refactored Introduction and Guides & How Tos sections, you will now find numerous and action-packed widgets. Our newfound and disruptive approach serves as a unique way to learn more about hidden MTG CLM features and to engage directly with enhanced documentation content. The list of pages containing such widgets is bound to continue expanding in future releases.

Added new certificate provider PCSP.

Added support for MS Teams notifications. For more instructions on how to integrate, refer to this page.

Fixed evaluation of end-user permissions for displaying edit button on CA details page in MTG CLM UI.

During the connection to CLM, Keycloak, and OpenSearch server, the system now checks whether TLSv1.3 is supported. If it is, TLSv1.3 is used.

During the connection to CLM and Keycloak the system now checks whether TLSv1.3 is supported. If it is, TLSv1.3 is used.

Added support for RA mode, enabling the use of certificate request command without requiring prior end entity configuration. For more information, refer to the dedicated guide section.

During the connection to CARA and OpenSearch server, the system now checks whether TLSv1.3 is supported. If it is, TLSv1.3 is used.

Certificate validity is now configured at the policy level. All certificates issued with a given policy inherit its single validity period. Request-level validity settings are no longer used.

Added new variable placeholders in notifications templates that allow fast navigation to certificate and certificate request details page.

Included minor performance enhancements.

To effectively disable implicit notifications, users can now select an empty list of implicit events in MTG CLM UI.

Included several UI/UX enhancements in MTG CLM UI.

Fixed bug on refreshing table pages on MTG CLM UI.

Changed the default value of the configuration parameter scep.getcacert.include.cachain.onmessage from true to false.

Option --valid-for of create certificate command is now redundant and has been removed, due to validity requested from providers being moved from certificate request to policy.

Introduced a new, flexible and highly configurable notifications mechanism. Using channel types, event types, templates, contacts and subscriptions, the user has fine-grained control over the notifications they receive. For more information, see Notifications.

Added new configuration parameters, see Notification Related Properties.

The configuration parameter frontend.base.url is now mandatory.

Removed configuration parameter: notify.cert.expiring.time.intervals.

Due to the new notifications mechanism, the mailing list entities and the configurations EXPIRING_CERT_NOTIFICATION_INTERVAL_DAYS and MAIL_SIGNATURE got deprecated and removed.

Added support for importing certificates discovered using CT Logs, in MTG CLM UI , see Certificate Import Methods

Added endpoint to allow certificate discovery using CT Logs, using crt.sh, a service provided by Sectigo®.

Global configuration of TLS version has been removed, TLS version is configured automatically for each base URL instead. The system first attempts to establish TLS 1.3 connections and falls back to TLS 1.2, when necessary. This automatic negotiation ensures maximum security while also maintaining backwards compatibility. The change eliminates manual TLS configuration, while providing better performance through improved handshake process within TLS 1.3.

Implemented UI/UX improvements on role details page in MTG CLM UI.

Added link to CLI tool page to documentation page in MTG CLM UI. Users of the platform can now download directly from the dedicated section of the CLI page.

It now integrates with Microsoft Intune. It is possible to request certificates by configuring the SCEP-based connector at Microsoft Intune by simply providing the MTG SCEP URL and the Root CA. More information can be found here.

It now supports OCSP GET requests. This is useful in lightweight environments.

CLM roles were migrated from realm namespace to client namespace in Keycloak (you can find more details for client roles in official Keycloak documentation). As a result, CLM_ prefix is no longer required and was removed from existing CLM roles.

Fixed an issue where existing end entities were unable to receive certificates.

Added more descriptive error messages when requesting certificate using ACME.

In some cases, migrating to version 5.0.1 still may take longer than expected, potentially causing errors. This version optimizes the process to prevent such issues.

During the migration to version 5.0.0, users with accounts created using Keycloak versions older than 24.0.0 may encounter errors. This version addresses the issue and prevents these errors from occurring.

In some cases, migrating to version 5.0.0 may take longer than expected, potentially causing errors. This version optimizes the process to prevent such issues.

In certain cases after upgrading to version 5.0.0, duplicate end entities in the same realm may still appear. This update enhances the process by seamlessly merging them.

It now supports a CertConfirmContent with an empty statusInfo.

While end entity strategies and aliases are a powerful mechanism for identifying and managing end entities across different use cases and protocols, they sometimes led to restrictions on certificate issuance for different policies. Additionally, choosing the proper strategy has been challenging for software users. As a result, all end entity strategy values apart from END_ENTITY_DATA_SET have been removed. Strategies are no longer visible in MTG CLM UI, and users can no longer select a strategy. This new method simplifies policy creation and reduces the number of declined certificate requests.

Removed endpoint that sets end entity alias.

End entities with same dataset is not allowed in same realm.

Removed endpoint that finds end entity based on data that are included in provided PKCS10 Request.

Stopped displaying Strategy field in policy and end entity pages in MTG CLM UI, since it always defaults to END_ENTITY_DATA_SET.

Stopped displaying Alias field in end entity pages in MTG CLM UI.

Removed pages related to end entity alias in MTG CLM UI.

Added documentation page in MTG CLM UI, with links for general CLM Documentation and CLM API Documentation.

Displayed current version at the bottom of the side menu in MTG CLM UI.

Included several UI/UX enhancements in MTG CLM UI.

Adjusted health endpoint to only return healthy status after the initialization of global, required parameters has been concluded.

Users and API client are stored exclusively in keycloak.

Because users and API client are stored exclusively in keycloak, synchronize operations are redundant and the corresponding endpoints in MTG CLM Server and actions in MTG CLM UI have been removed.

It has been adjusted to accommodate the removal of end entity strategies.

It has been adjusted to accommodate the removal of end entity strategies.

Some devices add quotation marks at the beginning and end of the challenge password. To support these devices, the software now removes them before evaluation.

It has been adjusted to accommodate the removal of end entity strategies.

It now supports publishing certificate revocation lists (CRL) to an LDAP directory. More information can be found here.

Configuration parameters have been renamed.

It now supports extending the cache’s lifetime if CARA is unavailable. More information can be found here.

Introducing endpoint that requests MAC verification using provided policy and any end entity with provided CommonName.

A new constraint has been added for unique realm names.

The side menu has been restructured to improve user experience in the MTG CLM UI.

New methods to identify an end entity have been introduced. More information can be found here.

The server starts up independently of whether CARA is available.

Several performance enhancements regarding the dashboards have been implemented.

The Realm Data section in dashboard has been removed in MTG CLM UI. Also, the corresponding endpoint has been removed from MTG CLM.

Resolved issues in dashboard of MTG CLM UI.

Several performance enhancements have been realized.

Checking revocation of RA-mode certificate.

The JSON format of error messages has been changed to simple text.

Resolved an issue with preset search values when the lazy user search feature is enabled in MTG CLM UI.

Added a button to the role details page in MTG CLM UI to navigate to the role details in the Keycloak UI.

Attribute mail of AD is provided as property in the end entity.

Checking revocation of client certificate, additionally in the authorization layer.

Endpoints /admin/import-provider-clients and /admin/import-provider-users have been renamed to /admin/sync-provider-clients and /admin/sync-provider-users, respectively. Additionally, keycloak clients that have been removed using keycloak UI are now gracefully handled when /admin/sync-provider-clients is invoked.

Added endpoints that return the roles that provide access to a provided end entity, policy, certificate request or certificate and added section to display them in details page in MTG CLM UI.

Endpoint /roles/users got replaced with /roles/users/assign and /roles/users/unassign, and /roles/api-clients with /roles/api-clients/assign and /roles/api-clients/unassign, respectively. Role actions were adjusted accordingly in MTG CLM UI.

Added options in role details page to assign/unassign role to multiple users/API clients in MTG CLM UI.

Naming method for default realm role has changed. It uses the name of the realm instead of the ID.

Introduced roles which substitute permissions set directly to user or API clients. In this version permissions are assigned to roles and roles are assigned to users or API clients. See Appendix A for more details about the migration from the previous version.

Introduced realm default roles. See Appendix A for more details.

Added buttons in API client details page for resetting secret and deleting API client in MTG CLM UI.

Deleted deprecated and unused permissions.

CockroachDB is not supported anymore.

Added support for decrypting the client message with an RA certificate/private key rather than that of the CA. Also, the response can be signed with the RA certificate/private key.

The ScepPermission must be set at the application role of the CLM application in CARA, if it is not already set.

Several performance enhancements have been realized.

The Java built-in HTTP client is used as default instead of the Reactor Netty HTTP client.

Added option to opt-in java http client instead of reactor netty http client.

Added functionality to be able to configure the content of a password, for end entities, API clients, and private keys.

Updates in MTG CLM UI regarding the PSW - Public CAs certificate provider, to increase usability and user experience.

Fixed an issue when importing certificates with the same common name within the same PEM file.

Fixed an issue in MTG CLM UI that prevented to set the active crypto module.

Added better error message when an already requested certificate is requested again.

Updated bom files to schema version 1.5.

Updated bom files to schema version 1.5.

SCEP requests can be logged. This is configurable.

Updated bom files to schema version 1.5.

Updated bom files to schema version 1.5.

Updated bom files to schema version 1.5.

Updated bom files to schema version 1.5.

Updated bom files to schema version 1.5.

Added new certificate provider PSW - Public CAs.

Removed UI-blocking elements in Dashboard page in MTG CLM UI.

Introduced Crypto Modules used for encryption, decryption, and random number generation. See Migration of 3.10.0 to 4.0.0.

Introduced new configuration parameters.

Extended HttpClient configurability to prevent memory leaks.

Added de-duplication of alerts in MTG CLM UI.

The search filter in users table is not pre-filled by default, instead this behaviour can be configured in MTG CLM UI.

Introduced allowWildcard parameter in CLM Policies to allow/restrict wildcards certificates.

Refactored statistics in new, separate API Endpoints.

Performance enhancement to Dashboard page in MTG CLM UI.

Introduced new configuration parameters.

Extended HttpClient configurability to prevent memory leaks.

Introduced new configuration parameters.

Extended HttpClient configurability to prevent memory leaks.

Introduced new configuration parameters.

Extended HttpClient configurability to prevent memory leaks.

Introduced new configuration parameters.

Extended HttpClient configurability to prevent memory leaks.

Introduced new configuration parameters.

Extended HttpClient configurability to prevent memory leaks.

Introduced new configuration parameters.

Extended HttpClient configurability to prevent memory leaks.

Re-organized cryptographic restrictions section in policy creation/editing.

Issue with retrieving the certificate providers for users with non-admin permissions has been fixed.

Issue with empty subject distinguished name in certificate fixed.

Fixed issue during certificate creation of more than 10 end entities. Added pagination at bulk creation.

When certificates are imported over MTG CLM UI, then they are immediately created if the corresponding certificate request is in status APPROVED.

Renamed internal directory name of response artifact when multiple certificates are requested.

Added the X.509 certificate in the response artifact when multiple certificates with server-generated key are requested.

Additional data contained in the extensions of the PKCS#10 request can be used for issuing the certificate.

The shared.secret configuration parameter can be set also as a hexadecimal representation of the SHA-256 hash output of the plain value.

Added a new field to supply the name of the CA in a Microsoft CA certificate provider. This accelerates access to services of Microsoft CA.

Read access for CAs is not restricted to users with administrator rights anymore. Any authenticated user has read access.

Latest audit events are only fetched for selected realm.

The search filter in users table is pre-filled with the ID of the logged-in user. Additionally, users are not fetched after each keystroke, instead they are fetched after pressing Enter.

Extended mapping file to support permissions for the use of a template to issue a certificate.

Added new certificate provider Microsoft CA.

Download certificate key pair/private key is hidden when not available in MTG CLM UI.

Policies' allowed cryptographic algorithms are restricted by selected certificate provider’s type.

Renamed some labels related to certificate providers in MTG CLM UI.

Fixed an issue related to self-signed certificates batch creation.

Fixed certificates' search by expiration date.

Dashboard’s Certificates expiring shortly ~ View All in MTG CLM UI navigates to all realm’s certificates expiring shortly instead of all certificates of the realm.

Add search for certificate request based on end entity’s CN.

Added support for HTTP-based reverse proxying. AJP is still supported.

Configuration parameters have been added and one parameter has been renamed. Please consult the administration manual.

Added support for HTTP-based reverse proxying. AJP is still supported.

Configuration parameter has been renamed. Please consult the administration manual.

Server responses do not contain user provided secrets and sensitive data.

Thorough refactor of permission mechanism to increase performance of the application.

Added option to download certificate’s private key in PEM format.

Added column Created Date on certificate requests table in MTG CLM UI.

Fixed issues regarding sorting in MTG CLM UI.

Search for end entities when the policy is provided in search filter have been refactored. Now, all end entities are returned with an additional property. This property indicates whether the end entity violates or not the constraints posed be the end entity rules of the policy. In the MTG CLM UI, if the end entity violates the rules then it is displayed, but it cannot be selected.

Updated API endpoint that issues certificates from multiple certificate requests (api/v1/certificates/cert-requests) to handle all certificate requests (PKCS10, Public Key, Server Generated, Self-signed).

Updated API endpoint that issues certificates from multiple certificate requests (api/v1/certificates/cert-requests), added optional query parameter omitArtifacts with default value false. If set to true, then no artifacts are included in server response.

Updated API endpoint that issues certificates from multiple certificate requests (api/v1/certificates/cert-requests), artifacts are not flat into the zip file, but in a directory named after the corresponding certificate request ID.

The URLs that use the policy ID are changed, to be consistent to the RFC specification.

Added new application parameter to configure whether the complete chain is included in the SCEP-SuccessResponse.

Added new application parameter to configure whether the complete chain is included in the GetCACert response.

Fine-granular database transaction handling in challenge requests. This mitigates issues with deadlocks in MariaDB.

If the AD account is a computer, then the FQDN is set as CN.

Added Edwards-curve Digital Signature Algorithm (EdDSA) support for certificate requests.

Added new billing endpoints for active end entities.

Added Edwards-curve Digital Signature Algorithm (EdDSA) support for PKCS10, public key, self-signed and server generated certificates.

Added signed audit logging for calls to the API.

Added policy and template handling to drop requirement on Windows Microsoft CA, CEP, and CES.

New parameter allows to configure the SASL protection modes.

More specific instead of a generic error on policy violation is sent to the client.

Default value has been provided for one configuration property.