It’s more important than ever to be crypto-agile. Customers love using Keyfactor Command to gain control over their certificate inventory and deal with the unexpected, like DigiCert’s revocation announcement and Google’s pending distrust of Entrust. It’s just as important to diversify your organization’s public certificate authorities (CAs) and use a CA-agnostic solution like Keyfactor Command.
With Keyfactor Command 12.3, we’re continuing to deliver customer enhancements and prepare our customers for the inevitable certificate landscape changes.
Here’s your TL;DR:
- Improved User Management: With the introduction of the Smart Certificate Owner Role, it’s easier than ever to have the right certificate owner set automatically according to your configuration. Workflows can notify multiple email addresses, entered as a comma-separated list in one step, to keep stakeholders up to date.
- Faster and More Powerful Administration: You can now see certificate expirations a full year out, download certificate details in a new format, and see more of your recent inventory job history.
- Revocation Monitoring Enhancements: Customers can now adjust their CRL monitoring alert schedule and reduce CA load during mass revocations by delaying CRL publication after revocations.
Let’s dive into the details.
Automated and Improved User Management
Internally, organizations can work with tens if not hundreds of certificate owners, and keeping on top of who owns what can be complicated. To make user management and certificate ownership easier, Keyfactor Command can set the Certificate Owner Role automatically with Smart Certificate Owner Role. It sets this property in a few ways, like:
- Via the enrollment UI, where administrators can use a template setting to make the Certificate Owner Role required, optional, or hidden for end users
- Via the enrollment API endpoints, which validate that the submitted Certificate Owner Role matches one of the user’s roles; API users will see the roles they have access to
- During certificate discovery via CA sync or SSL scanning, where the template or global default owner role is used to set the property
- At renewals and re-enrollments, where the property inherits the existing owner’s role
- Manually, when administrators modify the property on the Certificate Details page or import certificates by hand
Smart Certificate Owner Role will save administrators time and ensure more accurate data. This feature will make it easier to report on owners automatically as certificate inventories grow.
As more and more organizations deploy certificates in websites, applications, and DevOps workflows, keeping stakeholders updated about certificate lifecycle events like renewals is essential. If customers need to notify large groups of end users, they can now use a comma-separated list of email addresses in one step for notifications via workflows. This makes workflows easier to set up, especially for administrators at larger organizations.
Faster and More Powerful Administration
In addition to some big user management updates, we’re also making updates to streamline administration and make it easier to get to the information you need, fast.
Need to understand at a glance what’s changed recently with your certificate inventory? Maybe you had a renewal-heavy day or made updates impacting a significant portion of your certificates. We’ve removed the limitation on seeing only the three most recently completed inventory jobs in the Inventory Job History page. Now you can see as many as you need right from the page, without pulling a report, saving you time so you can get back to more important things (like seeing if that new taco spot lives up to the hype).
Customers can now download certificates in a new format, fully qualified domain name (FQDN), which is important for customers who use subdomains and need that information distinguished correctly in reporting.
Understanding your entire certificate inventory and its current renewal status from one report can be important – whether it’s for an audit or keeping stakeholders updated. Our Expiration Report now lets you view all certificates and their status one year out, providing a comprehensive view of your entire certificate inventory in one place.
Revocation Enhancements for Improved Crypto-Agility
It’s increasingly important to maintain crypto-agility, and our enhanced revocation features simplify this process. Customers can now adjust their certificate revocation list (CRL) monitoring schedule directly in Keyfactor Command settings, allowing for more flexible responses to revocation events.
Additionally, to optimize performance, certificates can now be revoked immediately with the option to publish the CRL later, reducing the processing load, especially during large-scale revocations. Relying parties that check the CRL will not see those revocations until the next CRL is published.
Don't Get Left Behind
No team has time to manually manage their certificate inventory effectively, which is why thousands of leading enterprises worldwide use a tool like Keyfactor Command. Want to see Keyfactor Command in action? Get a customized demo or take a deeper dive into how you can orchestrate and automate PKI and machine identities at scale.