
Command 11 Brings OAuth, Renewal Tracking, and Enrollment Enhancements


Today, we’re excited to announce that Keyfactor Command 11, the latest update to our certificate lifecycle automation solution, is now generally available. This release introduces new capabilities that simplify certificate renewal tracking, improve policy and governance, and make it even easier to deploy and integrate with your modern identity stack.

Here’s what’s new in Command 11:

  • Simplified renewal tracking: Easily filter out already-renewed certificates from expiration alerts and reports and ensure users renew the right certificate.
  • Automation made easier: Simplify certificate discovery and management with a new lightweight container-based Orchestrator.
  • More granular policies: Enforce policy compliance and simplify enrollment for application owners with new template-level policies.
  • Flexible IdP support: Integrate with the identity provider (IdP) of your choice with built-in support for OAuth 2.0 and OpenID Connect (OIDC).

Let’s take a closer look at the new enhancements in Command 11.

Simplified renewal tracking

Most companies nowadays have thousands, if not hundreds of thousands, of digital certificates. Keeping track of these certificates and ensuring that each one is renewed before it expires is no easy task. Keyfactor Command helps teams solve this problem by providing centralized visibility and control over their PKI and certificate landscape.

With Command 11, tracking certificate renewals just got even easier. The new Certificate Renewal Tracking feature ensures that certificates that are renewed via the platform are tracked with a unique renewal ID.

Using this unique ID, Command now notifies users if they attempt to renew a certificate that has already been renewed. This ensures that the user is renewing the latest certificate, so any changes that were made in the previous renewal aren’t missed. It also simplifies expiration alerts and reports by allowing administrators to filter out already-renewed certificates.
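As an added illustration (not Keyfactor's code or Command's data model), here is a minimal Python model of the renewal-tracking behaviour described above: every renewal carries the chain's renewal ID forward, a renewal request against an already-renewed certificate is refused and redirected to the latest one, and the expiration alert hides superseded certificates by default. Certificate IDs, dates and the uuid-based renewal ID are constructed for the example.

```python
# Hypothetical model of renewal tracking; not Keyfactor Command's data model or API.
from dataclasses import dataclass
from typing import Dict, List, Optional
import uuid

class AlreadyRenewed(Exception):
    """args == (requested_cert_id, latest_cert_id_in_its_renewal_chain)."""

@dataclass
class Cert:
    cert_id: str
    not_after: str                    # ISO date (YYYY-MM-DD), so string order is date order
    renewal_id: Optional[str] = None  # shared by every certificate in one renewal chain
    renewed_by: Optional[str] = None  # cert_id of the successor; None for the current cert

class Inventory:
    def __init__(self, *certs: Cert) -> None:
        self.certs: Dict[str, Cert] = {c.cert_id: c for c in certs}

    def latest(self, cert_id: str) -> Cert:
        cert = self.certs[cert_id]          # walk the chain to the non-superseded cert
        while cert.renewed_by is not None:
            cert = self.certs[cert.renewed_by]
        return cert

    def renew(self, cert_id: str, new_cert_id: str, new_not_after: str) -> Cert:
        old = self.certs[cert_id]
        if old.renewed_by is not None:      # refuse: the user must renew the latest cert
            raise AlreadyRenewed(cert_id, self.latest(cert_id).cert_id)
        if old.renewal_id is None:          # first renewal opens a new chain
            old.renewal_id = str(uuid.uuid4())
        self.certs[new_cert_id] = new = Cert(new_cert_id, new_not_after, old.renewal_id)
        old.renewed_by = new_cert_id
        return new

    def expiring(self, horizon: str, include_renewed: bool = False) -> List[str]:
        return sorted(c.cert_id for c in self.certs.values()  # alert: expires by horizon
                      if c.not_after <= horizon and (include_renewed or c.renewed_by is None))

def demo() -> dict:
    """Constructed scenario: web-2023 is renewed once, then a second renewal is attempted."""
    inv = Inventory(Cert("web-2023", "2024-06-01"))
    inv.renew("web-2023", "web-2024", "2025-06-01")
    redirect = None
    try:
        inv.renew("web-2023", "web-2024-dup", "2025-06-01")
    except AlreadyRenewed as exc:
        redirect = exc.args[1]
    return {"latest": inv.latest("web-2023").cert_id, "redirect_to": redirect,
            "alerts": inv.expiring("2024-06-15"), "all": inv.expiring("2024-06-15", True)}
```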

Here’s a quick preview of the Certificate Renewal Tracking feature:

Automation made easier

If Command is the hive, Orchestrators are the worker bees; they continuously search for and pull certificates into the centralized “hive” for easy management. Orchestrators also perform critical certificate management tasks, including network-based certificate discovery, certificate store inventory and management, and automated provisioning.

As an extension of the Command platform, an Orchestrator can run on either Windows or Linux and be deployed in highly distributed network and cloud environments, without requiring heavy network or firewall configuration.

In Command 11, we’ve made the Keyfactor Universal Orchestrator even quicker and easier to deploy, now as a lightweight container image. It’s everything our customers know and love about Orchestrators in a containerized form.

More granular policies

One-click renewal template-level policy

A fan-favorite feature of Command is one-click renewal. This feature is every application owner’s dream. No manual processes, no waiting in the request line. One-click renewal is exactly how it sounds. It takes the often complex multi-step process of renewing a certificate and cuts it down to just a simple click. Powerful, right? Sometimes, too powerful.

In some cases, administrators may not want renewal to be quite so simple. Perhaps approval is required, or manual renewal is preferred. Now, we’ve made it easy for admins to enable and disable one-click renewal for specific certificate templates.

Key size and algorithm template-level policy

A new policy defines which key sizes and algorithms can be selected during enrollment via the Command interface. By setting rules for enrollment, admins can ensure that end-users only enroll for certificates that meet minimum key size and algorithm requirements.

With the transition to quantum-safe algorithms on the horizon, the ability to centrally manage policies for digital certificates becomes critical. Implementing policy guardrails ensures that certificates are compliant with corporate policy, but more importantly, it will make it much easier to transition to quantum-safe algorithms in the future.

We're breaking free from AD with OAuth 2.0 and OIDC

Whether you like it or not, we all know it. Over the years, Active Directory’s tentacles have grown deep into most companies’ IT infrastructures, not least because it’s been included “free” in Windows Server since 2000. A lot has changed since then, but AD just hasn’t kept pace.

Most teams today have a love-hate relationship with AD. For others, it’s a downright headache. To relieve the pain, organizations embraced identity providers like Azure AD (now Entra ID), Okta, and others, to extend identity into their modern IT stack.

To help our customers take advantage of external identity providers and limit dependence on AD, we’ve introduced support for OAuth 2.0 and OpenID Connect (OIDC). With Command 11, customers can now integrate with the identity provider (IdP) of their choice. In other words, we’re officially breaking it off with AD. That said, we’ve decided to remain friends for now, and customers can continue to use AD with Command.

Check out the video below to see flexible IdP support in action:

While you're at it, say goodbye to Microsoft PKI

As organizations like yours modernize their identity infrastructure, one major gap often remains – their PKI. Active Directory Certificate Services (ADCS), a server role built into AD, was once the de facto choice for enterprise PKI. However, as organizations make the switch from AD to modern identity providers, they’re left empty-handed.

Keyfactor has helped hundreds of companies large and small make the shift from ADCS (aka Microsoft PKI) to a modern PKI platform that’s better suited for the scale and complexity of today’s IT environments. With Keyfactor EJBCA, our customers deploy faster, run anywhere, and integrate with their modern IT stack using a wide range of supported protocols and interfaces.

The best part is that you can deploy your PKI however and wherever you need it. EJBCA is available as a turnkey software appliance, a hardware appliance with a built-in HSM, a container, SaaS-delivered, and even a fully managed PKI combined with Keyfactor Command.

Want to learn more about EJBCA? Take it for a test drive with a 30-day free trial on Azure.