What’s new?
Welcome to the Sectigo Certificate Manager (SCM) Enterprise release notes. This page highlights the most recent updates across SCM Enterprise and its connected integrations, covering the latest improvements, API updates, and resolved issues.
DNS connector v2.0
This release includes the following updates and improvements:
General updates
| Change | Reference number |
|---|---|
| The DNS connector now supports LEGO DNS providers, including all providers available up to LEGO version 4.31. These providers are bundled with the DNS connector and can be used with the | SCM-13509 |
Resolved issues
| Change | Reference number |
|---|---|
| Starting with DNS connector 1.3, created entries for Cloudflare, DNSimple, and OVH would not be deleted after validation was complete. | SCM-14297 |

For earlier releases, see DNS connector release notes.
SCM v26.5
This release of SCM Enterprise includes the following updates and improvements:
General updates
| Change | Reference number |
|---|---|
| Visual refresh to match Sectigo’s recent rebrand. | |
| SCM now supports the Persistent Value DCV method using DNS TXT records. This enables long-lived DCV, reducing the need for frequent DNS updates to revalidate the domain. | SCM-13418 |
| Enrollment for VMC/CMC certificates has been refined; CSRs are no longer required, and the final logo can be downloaded if validation modifies it. | SCM-14111 |
| Access Control List (ACL) processing has been reworked to validate UI and API request IPs using all levels of ACLs. This change now applies to customer-level ALL CIDRs, customer-level MRAO or RAO_DRAO CIDRs, and org/dept-level RAO/DRAO CIDRs more consistently and logically. | SCM-12678 |
| ACL management has been enhanced to show all applicable ACLs at each level. | SCM-9240 |
| ACLs can now be disabled without being deleted to help with troubleshooting access issues. | SCM-812 |
| Improved SSL/Mark certificate enrollment wizard to show additional domain licensing information. | SCM-14160 |
| Certificate expiry notifications can now target a specific certificate profile for all certificate types. | SCM-14058 |
| Improved filtering on Azure accounts in the UI and REST API. | SCM-14237 |
| The TTL value of DNS records can now be configured per DNS Connector. | SCM-14218 |
| Support for Thales Federal Luna SA key attestations with Code Signing (CS) certificates. | SCMSERVICE-1493 |
| New option to support SSL certificate renewal with new key pair when using Enrollment Forms. | SCMSERVICE-1494 |
| New SSL certificate filter options: Renewed field can filter by has value or has no value. This allows filtering based on whether a certificate has been renewed. | SCM-14095 |
REST API Enhancements
| Change | Reference number |
|---|---|
| Improved SSL certificate REST API list/detail responses and added a new expiresIn filter. | SCM-14213 |
| New REST API resource to manage ACLs. | SCM-11054 |
Resolved issues
| Issue | Reference number |
|---|---|
| When renewing or replacing an SSL certificate via REST API, domains included in a CSR were not sanitized in the same way as in the original request. This could result in domain mismatches being detected incorrectly. | SCM-14047 |
| Improved handling of the Allowed Key Types attribute on MS CA certificate profiles. All lengths shorter than the minimum key size in the ADCS template are removed. | SCM-13866 |
| Details about HTTP/DNS entry names needed for VMC/CMC domain validation incorrectly showed the Sectigo domains instead of the issuing CA. | SCM-14114 |
| Improved handling of long username/password and SSH key passphrases. Maximum supported value is now 256 characters. | SCM-14198 |
| The label indicating that a domain’s DCV was automated via DNS Connector was not displaying correctly. | SCM-14358 |
| Custom fields did not appear/disappear properly on enrollment forms when they were added/removed within SCM. | SCM-14251 |
| Dashboard cards for certificate types were shown even when the customer and/or admin had no access to them. | SCM-14039 |

For earlier releases, see SCM Enterprise release notes.
MS agent v4.4
This release includes the following updates and improvements:
General updates
| Change | Reference number |
|---|---|
| The performance of the Certification Authority snap‑in has been enhanced, resulting in much faster loading and navigation of issued certificates in high‑volume deployments. | SCM-13143 |
| There is improved HTTP proxy compatibility by including the port number in the CONNECT request as well as the Host header. | SCM-12270 |
| Startup no longer converts CA private keys to non‑exportable by default; this can be enabled via the PrivateKeyNonExportable registry setting. | SCM-13903 |
Resolved issues
| Change | Reference number |
|---|---|
| Fixed a regression in MS Agent 4.3 that caused certificate requests to fail for Active Directory Certificate Templates requiring manual SAN entry. | SCM-12534 |
| Improved handling of network loss during initialization, which previously resulted in logging the error "The specified domain either does not exist or could not be contacted." | SCM-12995 |
| Fixed an issue where CA names containing spaces were parsed incorrectly, preventing the CA’s AD Configuration container from being located during discovery. | SCM-13187 |
| Resolved an issue where conflicting error codes caused incorrect permission‑related error messages to appear during enrollment. | SCM-13380 |
| Fixed an issue where startup without SCM connectivity caused the CA console to hide existing certificate templates and delete the assigned template list when attempting to add a new one. | SCM-13922 |

For earlier releases, see MS agent release notes.
Orchestration gateway v1.0
Introducing Sectigo Orchestration Gateway (SOG), a lightweight orchestration layer that extends SCM into operational environments. It provides a consistent way to execute certificate lifecycle tasks across hybrid and multi-cloud infrastructure, reducing reliance on custom scripts, manual steps, and environment-specific integrations.
Used alongside SCM, SOG orchestrates discovery, issuance, renewal, deployment, and revocation using standardized workflows. Its modular, extensible architecture is designed to support high certificate volumes, short renewal cycles, and evolving platform and cryptographic requirements, without adding significant operational overhead.
Key capabilities:
- Orchestration of the full certificate lifecycle across different environments
- Endpoint-based key generation with no shared or centralized key storage
- One-to-many automation from a single gateway instance
- Local and remote server/endpoint support using SSH, WinRM, and multiple authentication methods
- Integration with local credential stores and enterprise vaults, including HashiCorp Vault, CyberArk Vault, and Delinea Secret Server
- Support for Apache, Tomcat, Microsoft IIS, F5 BIG-IP, Nginx, and file-based endpoint types including PKCS#12, JKS, and PEM
Network agent v5.5
This release includes the following general updates:
| Change | Reference number |
|---|---|
| Improved the script that collects IIS server information so that it operates on Windows desktop operating systems that don’t have the required IIS features installed. | SCM-12839 |
| Resolved an issue where installing wildcard certificates to Apache servers from a Network Agent installed on Windows would fail with the error “The filename, directory name, or volume label syntax is incorrect”. | SCM-12874 |

For earlier releases, see Network agent release notes.
Private key agent v2.3
This release includes the following general updates:
| Change | Reference number |
|---|---|
| On some systems, the agent would fail when generating CSR and key. | SCM-9723 |
| Improved performance when processing large numbers of key generation requests. | SCM-11056 |

For earlier releases, see Private key agent release notes.
CA connector v3.5
This release includes the following resolved issues:
| Change | Reference number |
|---|---|
| The Sectigo CA Connector 3.4 installer was reporting itself as 3.3. | SCM-13345 |
| Discovery of certificates in DigiCert found no certificates if the account contained a multiple of 20 certificates. | SCM-13287 |
| There was a missing space between review_requests and create_longer_validity_order when describing missing DigiCert API permissions. | SCM-11284 |

For earlier releases, see CA connector release notes.