What’s new?

Welcome to the Sectigo Certificate Manager (SCM) Enterprise release notes. This page highlights the most recent updates across SCM Enterprise and its connected integrations, covering the latest improvements, API updates, and resolved issues.

SCM v26.1

This release of SCM Enterprise provides the following updates:

General updates

Change	Reference number
This release of Sectigo Certificate Manager introduces ordering and management of Verified Mark (VMC) and Common Mark (CMC) certificates. For more information, contact your Sectigo account manager.	SCM-13311
In preparation for the limiting of public SSL certificate lifetimes to less than 200 days in March, this release automatically adds a 199-day term to public SSL certificate profiles using any soon-to-be invalid term.	SCM-13372
SCM now shows the backing certificate product and available inventory within the Request SSL Certificate wizard if subscriptions are enabled.	SCM-13224
SCM now shows the backing certificate product in the Certificate Profiles page table.	SCM-13223
Certificate reports have been enhanced to contain significantly more fields, especially for certificate types other than SSL. In some cases, column names have been renamed to modern terminology and to be consistent across certificate types. For SSL certificate reports: Renamed Type to Profile Name Renamed Type_Id to Profile Id Renamed Org_Id to Org Id Added KU, EKU, Public Key Type, Subject, and SHA256 Hash For client certificate reports: Renamed Type to Profile Name Renamed Enrolled to Requested Renamed Expire to Expires Added Subject Alternative Names, SAN Count, Status, Valid From, Term (days), KU, EKU, Org Id, Profile Id, Issuer, Issued, Signature Algorithm, Public Key Type, MD5 Hash, SHA1 Hash, SHA256 Hash, Country Removed Enroll Type as it was a duplicate of Requested via For code signing certificate reports: Renamed Expire to Expires Added Subject Alternative Names, SAN Count, Status, Valid From, Term (days), KU, EKU, Org Id, Profile Id, Profile Name, Issuer, Signature Algorithm, Public Key Type, MD5 Hash, SHA1 Hash, SHA256 Hash, City, State/Province, Country Added custom fields For device certificate reports: Renamed Certificate Type Name to Profile Name Renamed Enrolled to Issued Renamed Expire to Expires Renamed Enroll Type to Requested via Added Subject Alternative Names, SAN Count, Valid From, Term (days), Org Id, Profile Id, Issuer, Approved, Declined, Requested, Public Key Type, MD5 Hash, SHA1 Hash, SHA256 Hash	SCM-13225
Notifications for MS Agent and Network Agent disconnected now have variables for last seen and disconnected timestamps.	SCM-10329
SHA-256 hashes of certificates are now shown in the SCM UI. These only exist for certificates issued or imported after SCM 25.8.	SCM-13115
The DNS entry created by the DNS Connector is now deleted immediately after validation is completed.	SCM-12803
Client certificates imported to the Sectigo Key Vault via Admin REST API are now exported to Intune if that feature is enabled for the target organization.	SCM-13269
The Create Private CA wizard now shows the issuer subject on the final page of the wizard to allow confirmation before creation.	SCM-13248

Change

Reference number

This release of Sectigo Certificate Manager introduces ordering and management of Verified Mark (VMC) and Common Mark (CMC) certificates.

For more information, contact your Sectigo account manager.

SCM-13311

In preparation for the limiting of public SSL certificate lifetimes to less than 200 days in March, this release automatically adds a 199-day term to public SSL certificate profiles using any soon-to-be invalid term.

SCM-13372

SCM now shows the backing certificate product and available inventory within the Request SSL Certificate wizard if subscriptions are enabled.

SCM-13224

SCM now shows the backing certificate product in the Certificate Profiles page table.

SCM-13223

Certificate reports have been enhanced to contain significantly more fields, especially for certificate types other than SSL. In some cases, column names have been renamed to modern terminology and to be consistent across certificate types.

For SSL certificate reports:

Renamed Type to Profile Name
Renamed Type_Id to Profile Id
Renamed Org_Id to Org Id
Added KU, EKU, Public Key Type, Subject, and SHA256 Hash

For client certificate reports:

Renamed Type to Profile Name
Renamed Enrolled to Requested
Renamed Expire to Expires
Added Subject Alternative Names, SAN Count, Status, Valid From, Term (days), KU, EKU, Org Id, Profile Id, Issuer, Issued, Signature Algorithm, Public Key Type, MD5 Hash, SHA1 Hash, SHA256 Hash, Country
Removed Enroll Type as it was a duplicate of Requested via

For code signing certificate reports:

Renamed Expire to Expires
Added Subject Alternative Names, SAN Count, Status, Valid From, Term (days), KU, EKU, Org Id, Profile Id, Profile Name, Issuer, Signature Algorithm, Public Key Type, MD5 Hash, SHA1 Hash, SHA256 Hash, City, State/Province, Country
Added custom fields

For device certificate reports:

Renamed Certificate Type Name to Profile Name
Renamed Enrolled to Issued
Renamed Expire to Expires
Renamed Enroll Type to Requested via
Added Subject Alternative Names, SAN Count, Valid From, Term (days), Org Id, Profile Id, Issuer, Approved, Declined, Requested, Public Key Type, MD5 Hash, SHA1 Hash, SHA256 Hash

SCM-13225

Notifications for MS Agent and Network Agent disconnected now have variables for last seen and disconnected timestamps.

SCM-10329

SHA-256 hashes of certificates are now shown in the SCM UI. These only exist for certificates issued or imported after SCM 25.8.

SCM-13115

The DNS entry created by the DNS Connector is now deleted immediately after validation is completed.

SCM-12803

Client certificates imported to the Sectigo Key Vault via Admin REST API are now exported to Intune if that feature is enabled for the target organization.

SCM-13269

The Create Private CA wizard now shows the issuer subject on the final page of the wizard to allow confirmation before creation.

SCM-13248

REST API updates

Change	Reference number
The SCM REST API documentation can now be found at the SCM DevX Hub.
New method to get the renewal history of an SSL certificate.	SCM-13286
Added requested and expires to the response of client certificate list APIs.	SCM-6297

Change

Reference number

The SCM REST API documentation can now be found at the SCM DevX Hub.

New method to get the renewal history of an SSL certificate.

SCM-13286

Added requested and expires to the response of client certificate list APIs.

SCM-6297

For earlier releases, see SCM Enterprise release notes.

Private key agent v2.3

This release includes the following general updates:

Change	Reference number
On some systems, the agent would fail when generating CSR and key.	SCM-9723
Improved performance when processing large numbers of key generation requests.	SCM-11056

Change

Reference number

On some systems, the agent would fail when generating CSR and key.

SCM-9723

Improved performance when processing large numbers of key generation requests.

SCM-11056

For earlier releases, see Private key agent release notes.

Network agent v5.5

This release includes the following general updates:

Change	Reference number
Improved script that collects IIS server information to operate on Windows desktop operating systems that don’t have required IIS features installed.	SCM-12839
Resolved issue of installation of wildcard certificates to Apache servers from a Network Agent installed on Windows that would fail with an error saying “The filename, directory name, or volume label syntax is incorrect”.	SCM-12874

Change

Reference number

Improved script that collects IIS server information to operate on Windows desktop operating systems that don’t have required IIS features installed.

SCM-12839

Resolved issue of installation of wildcard certificates to Apache servers from a Network Agent installed on Windows that would fail with an error saying “The filename, directory name, or volume label syntax is incorrect”.

SCM-12874

For earlier releases, see Network agent release notes.

MS agent v4.3

This release includes the following updates and improvements:

General updates

Change	Reference number
The MS agent now saves the Template Enrollment Flags and Template General Flags into the local CA DB instead of setting it to 0. This is purely informational, most of these flags have no impact on the MS Agent. However, the Publish certificate in Active Directory Flag is now supported.	SCM-12032
There is improved connection to TLS-based proxy by including SNI information in the initial handshake.	SCM-12278
The MS Agent now supports renewal of the local CA certificate.	SCM-9611
There is improved logging to include more details during startup.	SCM-11876, SCM-11858

Change

Reference number

The MS agent now saves the Template Enrollment Flags and Template General Flags into the local CA DB instead of setting it to 0. This is purely informational, most of these flags have no impact on the MS Agent. However, the Publish certificate in Active Directory Flag is now supported.

SCM-12032

There is improved connection to TLS-based proxy by including SNI information in the initial handshake.

SCM-12278

The MS Agent now supports renewal of the local CA certificate.

SCM-9611

There is improved logging to include more details during startup.

SCM-11876, SCM-11858

Resolved issues

Change	Reference number
The MS Agent stopped processing commands from Sectigo Certificate Manager if during startup it could not start its revocation subsystem. This was usually caused by MS Agent being unable to connect to the required locations in Active Directory.	SCM-11760, SCM-11880
Error logs would contain entries for Failed to check CA permissions for Authenticated Users when language packs were installed on the MS Agent computer.	SCM-11834
Updating the local CA CRL was failing. This expired CRL would impact any enrollment requiring key escrow.	SCM-12178

Change

Reference number

The MS Agent stopped processing commands from Sectigo Certificate Manager if during startup it could not start its revocation subsystem. This was usually caused by MS Agent being unable to connect to the required locations in Active Directory.

SCM-11760, SCM-11880

Error logs would contain entries for Failed to check CA permissions for Authenticated Users when language packs were installed on the MS Agent computer.

SCM-11834

Updating the local CA CRL was failing. This expired CRL would impact any enrollment requiring key escrow.

SCM-12178

For earlier releases, see MS agent release notes.

DNS connector v1.2

This release includes the following general updates:

Change	Reference number
There is now support for two additional DNS providers: Infoblox NIOS DDI BIND via RFC2136 protocol
There is now support for Account API tokens with CloudFlare in addition to support for User API tokens.	SCM-12523

Change

Reference number

There is now support for two additional DNS providers:

Infoblox NIOS DDI
BIND via RFC2136 protocol

There is now support for Account API tokens with CloudFlare in addition to support for User API tokens.

SCM-12523

For earlier releases, see DNS connector release notes.

CA connector v3.5

This release includes the following resolved issues:

Change	Reference number
The Sectigo CA Connector 3.4 installer was reporting itself as 3.3.	SCM-13345
Discovery of certificates in DigiCert found no certificates if the account contained a multiple of 20 certificates.	SCM-13287
There was a missing space between review_requests and create_longer_validity_order when describing missing DigiCert API permissions.	SCM-11284

Change

Reference number

The Sectigo CA Connector 3.4 installer was reporting itself as 3.3.

SCM-13345

Discovery of certificates in DigiCert found no certificates if the account contained a multiple of 20 certificates.

SCM-13287

There was a missing space between review_requests and create_longer_validity_order when describing missing DigiCert API permissions.

SCM-11284

For earlier releases, see CA connector release notes.