Change Log
If you'd like to stay up to date on the latest changes and news in the SCEPman changelog, you can subscribe to our email update service. Subscribers will receive email notifications when there are new updates to the changelog.
Smaller Improvements, e.g.
Increased robustness when dependent services fail
Updates to the SCEPman splash page
Adjusted log levels of some log messages to avoid clutter and highlight important messages
Allow adding a CDP to issued certificates
Specify a specific version of a Key Vault certificate as CA certificate
Library Updates, including
an update to Microsoft.Identity.Web 3.8.2, fixing
Overhaul of Certificate Request UI
Submission of CSR for web servers (requires SCEPman 2.10)
Allowed for users with the Request.Server role in addition to those with Request.All and Admin.Full
Users can modify the SAN DNS entries in the enrollment form
Improved performance when creating certificates via the forms method
Smaller Improvements, e.g.
Fixed an issue where the "Forbidden" page was not displayed to unauthorized users
SAN entries of type IP
The User certificates form features adding email addresses as SAN entries
Library Updates, including
an update to Microsoft.Identity.Web 3.8.2, fixing
SCEPman 2.9.1294
Smaller improvements, e.g.
Configure default EKUs for the REST API, allowing you to enforce specific EKUs
Logging improvements to make the log more concise
Improved connectivity status evaluation on splash page
OCSP Response for the status of SCEPman's CA certificate (for compatibility with a Palo Alto setup)
Library Updates, including
Certificate Master 2.9.858
Smaller improvements
Library Updates, including
SCEPman PowerShell Module 2.9
Starting with this version, the SCEPman PowerShell Module will have the same major and minor version number as the corresponding SCEPman release.
SCEPman 2.8.1225
Fix for CRL generation if SCEPman is a Subordinate Certification Authority.
SCEPman 2.8.1155
SCEPman uses a newer URL and data format for Jamf Bearer authentication. This is required when using Jamf ~11.5.0 and newer, which has disabled the older URL alongside Basic Authentication.
SCEPman 2.8.1135
Improvements to OCSP response times
Logging improvements
Tweaking of log levels to better emphasize important information
Additional information about certificate revocations
Less log clutter
A transaction ID in the logs lets you correlate log entries that belong to the same SCEP or OCSP request
Update to .NET 8
Library updates
Small improvements, including:
Use a Managed Identity when logging to Azure Event Hub
Certificate Master 2.8.773
Live Revocation Check telling whether a certificate is currently valid and explaining the reason if it isn't
Update to .NET 8
Library updates
Small fixes and improvements including:
Fixed a bug where the certificates were not displayed when there was a certificate in the list without a CN field.
Fixed a bug where a user with only the MANAGE_INTUNE or MANAGE_INTUNE_READ role couldn't see revoked certificates enrolled over Intune.
Fixed an issue where device certificates were bound to their Intune objects where they should have been bound to their Entra ID objects.
Fixed an issue with generating the Root CA in new installations of SCEPman.
Support storing certificates enrolled via Intune in the Storage Account for easier searching.
SCEPman's EST endpoint allows certificate renewal using mTLS ("simplereenroll"). This is useful for unmanaged devices like web servers and Linux clients.
Device certificates enrolled via Intune can now contain any Subject, as long as they have a URI in the Subject Alternative Name in the format IntuneDeviceId://{{DeviceId}}.
SCEPman can use a User-Assigned Managed Identity instead of a System-Assigned Managed Identity. This is useful for large geo-redundant deployments, where you do not want to configure the System-assigned Managed Identity on all instances.
Fixes and small improvements, including:
Automatic analysis of OCSP responses with performance issues
Fixed a case of a broken view of manually revoked certificates enrolled via Intune.
Show certificates enrolled via Intune from the Storage Account.
When downloading certificates in PFX format, you can select whether to use a modern cryptographic algorithm, required for example by OpenSSL 2.x, or a legacy algorithm, required by macOS and Windows Server 2016.
Small improvements, including:
Improved performance for large numbers of certificates in the database
Logging to Azure Event Hub like SCEPman
Document Signing Certificates
Adjustable PFX password length with a default of 24 instead of 32 characters for increased compatibility
Robustness for various special cases
Select Extended Key Usages for each certificate
Small UI improvements
Bugfix: OCSP responses encoded GeneralizedTime with fractions of a second, which is not compliant with RFC 5280, Section 4.1.2.5.2, and caused some clients to reject the OCSP response (we know about Checkpoint).
Library Updates
Bugfixes and small improvements, including:
Streamlined GCC High installation experience
UI improvements
Robustness for some special cases
Improvement/fix for displaying Intune certificates
Download certificates + private keys in PEM format
Revocation audit trail
Library Updates
Minor bugfixes and improvements, including
UI search button bugfix
Prevent double submissions of CSRs
Algorithms with improved compatibility (e.g. AES and SHA-256 for PKCS#12 CertBags)
Library and Framework updates, including .NET 7
Bugfixes and improvements
Form to request Code Signing certificates
Form to request Sub CA certificates, e.g. for Firewalls that inspect TLS traffic
Form to manually request user certificates for Client Authentication, e.g. on websites
UI optimizations
Library and Framework updates, including .NET 7
Minor bugfixes and improvements, including:
In some cases, revoked Intune certificates were still displayed in the list of Intune certificates
Hide Intune certificates that are not issued by SCEPman
Certificates for Jamf devices could show up as "Unknown" in the list of Jamf certificates
Partial support of ECC CAs
Better error messages on some faults
Improvements to compliance checks
An additional extension better suppresses usage of ephemeral certificates on Windows
An additional SCEP endpoint for Apple devices prevents issuance of ephemeral certificates
Minor bugfixes/improvements
Better compatibility with Microsoft's API changes to list certificates issued via Intune
Minor improvements
Improved installation experience
Library updates
UI improvements
Additional certificate file formats for Certificate Master
Library updates
Library and Framework updates
Improved Performance with .NET 6
Other library updates
Robustness
Bearer Authentication for Jamf Classic API
Minor Improvements
Manually issue TLS Server certificates
Revoke manually issued certificates
Search for manual certificates
Library and Framework updates
Improved Performance with .NET 5
Azure Key Vault
Other library updates
New UI
So beautiful and with a new logo
Detailed information on activated SCEP endpoints
Various minor improvements
Also working for Windows devices during enrollment
Minor advancements
Improved error messages
Improved robustness in exceptional situations
Correct answers to invalid OCSP requests, which may occur rarely for certificates issued by SCEPman 1.5 or earlier
Logging
Less log clutter on Info level
Performance
Caching some repeated requests to Graph API
Bugfix regarding OCSP checks for certificates issued via JAMF
Minor advancements
Work around a bug on some Android versions to get correct validity periods
SCEPman CA certificates receive an Extended Key Usage to improve compatibility with some versions of Cisco ISE
Further improvements to error messages
Updated some dependencies
Improved Homepage
Bugfix where some OCSP requests were unanswered
Bugfix impacting local logging
Improved error logging
Bug fixing
Key Usage, Extended Key Usage, and validity period configured in the request (i.e. in Intune)
Improved performance when answering certificate and OCSP requests
Performance enhancements
Bug fixing
Support for Authentication-Only user certificates (VPN, Wifi, network) in addition to device certificates.
Support for Intune blade certificate list
Changed Log component
Support for SAN Attributes
Sanity Checks
First release of Community Edition
Initial release
the update to Azure.Identity 1.12, fixing ,
the update to Bouncy Castle .NET 2.4, fixing .
the update of Azure.Identity to 1.12, fixing ,
the update to Bouncy Castle .NET 2.4, fixing .
New CMDlet Update-CertificateViaEST
for on Windows
Configure default Extended Key Usages (EKUs) and Key Usages for each SCEP endpoint, e.g. if
Including the update of Azure.Identity to 1.11, fixing . Currently, the exploit is not publicly disclosed, so the scope of the issue is unclear, but the published information indicates that SCEPman is likely not affected.
Including the update of Azure.Identity to 1.11, fixing . Currently, the exploit is not publicly disclosed, so the scope of the issue is unclear, but the published information indicates that SCEPman is likely not affected.
Logging to
Library Updates, including the update to Azure.Identity 1.10.3, fixing . Currently, the exploit is not publicly disclosed, so the scope of the issue is unclear, but the published information indicates that SCEPman is likely not affected.
Library Updates, including the update to Azure.Identity 1.10.3, fixing . Currently, the exploit is not publicly disclosed, so the scope of the issue is unclear, but the published information indicates that Certificate Master is likely not affected.
Define an , during which devices are allowed to be non-compliant.
SCEPman can to certificates, mitigating
Store certificates issued via , , , and endpoints in Storage Account (and allow manual revocation in Certificate Master)
for cases where a CRL is technically required (the CRL contains no entries yet, though)
(requires an additional permission for which you must )
Certificate Master lists issued client certificates for manual revocation (requires an additional permission for which you must )
Update to the
Improved compatibility
Improved Compatibility with ISE with
Option to configure a "Clock Skew" for clients with clocks running slow (> 10 minutes), which
Solution for
Support for
Separate Certificate Lifetimes for each endpoint, e.g. for
Moved the release path to . Please update your setting WEBSITE_RUN_FROM_PACKAGE as described in Section .
Preview of
Support for certificates for , especially for use in Windows Hello for Business (Enterprise Edition only)
Generic support for