New Network Agent and Discovery Enhancements
Updated on March 21, 2023
Certificate Discovery Buckets
Certificate Discovery has undergone a significant change for the new release, aiming to improve performance, user experience and enable new features in the future.
A new object is introduced in this release called a certificate bucket in which all discovery tasks (both network and MS AD) will store results.
Discovery tasks no longer have assignment rules attached to them. Assignment rules are applied to the certificate buckets. This allows discovery tasks to be performed without worrying about assignment rules initially.
Certificate buckets can be global or delegated to organizations/departments, similarly to certificate profiles. If a bucket is delegated, an administrator must manage all organizations (and departments) the bucket is delegated to in order to manage it.
Certificates in a bucket can be manually assigned to organizations/departments if required.
Each certificate discovered can be assigned to an organization (or department) only once to ensure consistent behavior when the scans are repeated.
To summarize, a certificate discovered can be assigned to an organization (or department) and certificate type through:
(a) assignment rules automatically
(b) the “Assign All” function, which will apply the selected assignment to all certificates in the bucket that have not been assigned yet
(c) manual individual assignment.
Certificate buckets support audit events.
Certificate Discovery Assignment Rules Enhancements
Assignment rules now support specifying the final certificate type. The import no longer guesses the certificate type based on hard-coded rules.
Assignment rule conditions now include options for:
• Key Usage
• Extended Key Usage
• Host Name
Certificate Discovery Tasks Enhancements
Discovery tasks now support audit events.
Assignment of network discovery tasks to agents has changed. It is no longer possible to assign a task automatically based on CIDR ranges. The configuration of CIDR ranges for a network agent has been removed. Instead, all network discovery tasks must be explicitly assigned to a network agent or to the new Sectigo hosted cloud scanning service.
The new Sectigo hosted cloud scanning service scans public servers significantly faster than the previous implementation.
Import of network discovery tasks from CSV will now require indicating the bucket ID which they should be assigned to.
Certificate Discovery UI Changes
The Network Assets page has been removed.
The Network Discovery section of this page is replaced with viewing results in a bucket.
The Active Directory section has been removed to simplify user experience. All the certificates from an MS AD discovery task will appear in a bucket as well.
The certificates shown in the Web Servers section can be seen using the Nodes button for a selected Network Agent.
Certificate Discovery Notification Changes
The “Discovery Scan Summary” notification template is updated. A customized template of this type will be reverted to the default content due to the updated list of variables that are supported.
This means that the notification, if configured, will be preserved. However, if it was previously customized, please navigate to Settings > Notification Templates > select Discovery Scan Summary to customize it again using the updated list of variables.
Certificate Discovery Report Changes
The following reports are removed:
• Network Discovery Results
• Network Discovery Tasks
Instead, the corresponding details can be exported to a .csv file from the relevant section in the UI.
Navigate to Discovery > Network Discovery Tasks or Certificate Buckets and click, or Discovery > Network Discovery Tasks (or MS AD Discovery Tasks) > History > select the scan needed > click Details and then click the Down Arrow to download.
Certificate Discovery Migration
To migrate your discovery assets to the new architecture, a certificate bucket will be automatically added for each existing discovery task.
The old scan results will not be migrated. Please start a new scan where needed to get results.
The agent assignment to the task will occur according to the following guideline:
• The agent which conducted the last successful scan will be assigned to the task.
• Where “Auto” agent was assigned to the task, it will be assigned to one of the agents which conducted the last successful scan.
• The “Cloud” agent will be assigned to the task if there have been no successful scans for this task.
REST API Enhancements
The Discovery Report resource has been removed. The response format is incompatible with the new Discovery architecture. Any calls to /api/report/v1/discovery will return a 404 status code with a message about removal.
There’s a new resource for Discovery certificate buckets. It supports methods to create/list/update/delete buckets, plus methods to perform certificate assignment directly or via assignment rules.
There’s an updated resource for Discovery assignment rules. Rules now specify a certificate type, so the new cert Type field could exist in a response. If not specified during creation, it defaults to SSL.
The Discovery task resource now supports only v2 of the API. The old v1 API is incompatible with the new Discovery architecture. Any calls to /api/discovery/v1/task will return a 404 status code with a message about removal.
See the Discovery resource sections in Certificate Manager 23.2 REST API guide.
There is a new version of the REST API function for sending an invitation to a Person that matches the new enrollment endpoint architecture (reference to accountID instead of term, key type and profileID).
See the following sections in Certificate Manager 23.2 REST API guide:
• Send invitation to person by ID
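A pre-upgrade check for the two removed endpoints named above, as an added example that is not Sectigo code: it scans integration scripts for calls that will start returning 404. The sample file contents, the host scm.example.invalid and the non-matching paths are constructed for illustration.

```python
import re

# Paths this release note says now return 404 (taken from the page).
REMOVED_ENDPOINTS = {
    "/api/report/v1/discovery": "Discovery Report resource removed (returns 404)",
    "/api/discovery/v1/task": "Discovery task v1 removed (returns 404); only v2 is supported",
}

# Match a removed path only as a whole resource: it may be followed by "/",
# "?", a quote or end of line, but not by more name characters, so a
# different resource that merely shares the prefix is not flagged.
_PATTERN = re.compile(
    "(" + "|".join(re.escape(p) for p in REMOVED_ENDPOINTS) + r")(?![\w.-])"
)


def find_removed_calls(sources):
    """Return (file, line_number, path, note) for each removed-endpoint use.

    `sources` maps a file name to its text, so the check can run over a
    repository checkout, exported job definitions, or cron scripts.
    """
    findings = []
    for name, text in sorted(sources.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in _PATTERN.finditer(line):
                path = match.group(1)
                findings.append((name, lineno, path, REMOVED_ENDPOINTS[path]))
    return findings


# Constructed sample inputs (not real customer scripts or real SCM hosts).
SAMPLE_SOURCES = {
    "nightly_inventory.sh": (
        "#!/bin/sh\n"
        'curl -s "https://scm.example.invalid/api/discovery/v1/task?size=50"\n'
        'curl -s "https://scm.example.invalid/api/example/v1/other"\n'
    ),
    "report_pull.py": (
        'BASE = "https://scm.example.invalid"\n'
        'url = BASE + "/api/report/v1/discovery"\n'
        'alt = BASE + "/api/report/v1/discovery-archive"\n'
    ),
}

if __name__ == "__main__":
    for name, lineno, path, note in find_removed_calls(SAMPLE_SOURCES):
        print(f"{name}:{lineno}: {path} -> {note}")
```
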
Certificate Viewer Enhancements
The Discovery and Private Key sections in the Management tab of the certificate viewer are merged into the Locations section introduced in SCM 22.12 for ACME clients.
The Locations section lists all known locations for the certificate.
The location of the certificate can also be added manually if needed. Note that the renewal operation removes custom locations.
Possible location types:
• Network Agent (SSL certificate only)
• Server Node/Port (SSL certificate only)
• Legacy Key Archive (Client certificate only)
• Sectigo Key Vault (Client certificate only)
• ACME Client Details (SSL certificate only)
• Network Host (SSL certificate only)
• Active Directory Entry
• Azure Key Vault (SSL certificate only)
• Private Key Agent (SSL certificate only)
• Custom
The custom location type can be added to any certificate to record other information about where the certificate is being used. More than one custom location is supported.
Agent/Connector Download Enhancements
A Network Agent, MS Agent or CA connector is no longer downloaded automatically when it is added. All installation packages that can be reused are static.
When adding an agent or connector, you will see an installation token instead, plus links to the installation packages. The installation token provides information about your account and access credentials. It uniquely identifies the agent or connector and cannot be reused. Installation packages can also be downloaded at any time from the About page.
All installation packages are served from https://dist.sectigo.com via direct URL. The download service does not support generic browsing.
The installation token is available until the first connection has been completed.
Network Agent Enhancements
This SCM release includes Network Agent 3.0.
The Network Agent installation packages have been rewritten as a Windows Installer installation package, a Linux self-extracting installer and Linux native packages. The installation packages are now static: they can be reused and are downloadable separately from the installation token required to connect an agent to Sectigo Certificate Manager.
Due to changes in Certificate Discovery, it is no longer required to specify CIDR ranges owned by each agent.
The alternative name for a Network Agent has been removed. Existing alternative names are merged into the comments field.
The SSL certificate auto-installation process has been significantly improved and now supports detailed status updates and audits.
The Auto-Installation section on the Management tab of the SSL certificate viewer now shows all the configured server nodes the certificate will be installed to, along with the status of the operation, server and network agent.
Server nodes can also be managed: adding new ones before or after auto-install has been completed, changing ports, and deleting individual server nodes.