CA Gateway for Cryptographic Security Platform 1.0.0 fixes the following bugs.
- Appliance deployment fails in multi-node (ATEAM-14813)
- LDAP entry creation not properly managed by Management Console (ATEAM-15839)
- Mandatory Subject Alternative Name not enforced (ATEAM-16170)
- Invalid date format for expiry date (ATEAM-16797)
- Certificate enrollment does not return the certificate chain (ATEAM-16985)
- Wrong spelling of UserPrincipleName (ATEAM-17046)
- Role selection not supported (ATEAM-17182)
- Certificate lifetime error (ATEAM-17250 & ATEAM-17298)
- Unowned files (ATEAM-17355)
- startDate format not specified by Swagger documentation (ATEAM-17426)
- Invalid bitwise OR example in documentation (ATEAM-17501)
- Missing filter-list setting (ATEAM-17650)
- Non-documented parameters (ATEAM-17651)
- CAA filter bypassed (ATEAM-17708)
- CA Gateway cannot handle non-printable characters in subject names from msca-proxy (ATEAM-18063)
- Mandatory subject variables not supported (ATEAM-18126)
Appliance deployment fails in multi-node (ATEAM-14813)
On appliances with more than one node, the CA Gateway deployment intermittently fails.
LDAP entry creation not properly managed by Management Console (ATEAM-15839)
The Management Console of the appliance does not properly manage the create-ldap-entry configuration parameter.
Mandatory Subject Alternative Name not enforced (ATEAM-16170)
When configured in a profile, the SAN (Subject Alternative Name) requirement is not enforced. That is, certificate enrollments do not fail when the profile requires a SAN but the request does not specify one.
Invalid date format for expiry date (ATEAM-16797)
When enrolling certificates, the CA Gateway API may return a collapsed date format when the seconds are 00 for certificate expiry.
Certificate enrollment does not return the certificate chain (ATEAM-16985)
CA Gateway does not return the certificate chain of the enrolled certificates, even when explicitly requested in the CSR.
Wrong spelling of UserPrincipleName (ATEAM-17046)
The UserPrincipalName (UPN) certificate field was misspelled as "UserPrincipleName" in both the documentation and the configuration files.
Role selection not supported (ATEAM-17182)
When configuring an Entrust Deployment Manager installation of CA Gateway, the Management Console did not allow selecting the following roles:
- read-only-integrator
- read-only-tenant roles
Certificate lifetime error (ATEAM-17250 & ATEAM-17298)
When processing enrollments or renewals, the Entrust Certificate Authority plugin did not correctly verify validity dates if the certificate notAfter date was within an hour of the CA certificate notAfter date. This resulted in the cagw-4027 error with the following message.
Extension of certificate lifetime beyond policy not permitted.
Unowned files (ATEAM-17355)
Some configuration files can remain "unowned" on the CA Gateway host machine.
Bug resolution details: document in the "CA Gateway Requirements" section of the deployment guide that "User and group identifiers 1339 are reserved for CA Gateway images, so the host server should not use them".
startDate format not specified by Swagger documentation (ATEAM-17426)
The Swagger documentation of the CA Gateway API does not properly specify the required format for the startDate parameter of the certificate-events endpoint.
Invalid bitwise OR example in documentation (ATEAM-17501)
The "Enabling of Subject Alternative Name attributes in the enrollment request" section of the deployment guide for Microsoft CA includes an incorrect output for an OR operation.
Missing filter-list setting (ATEAM-17650)
The profile configuration schema in the Management Console does not include the filter-list setting.
Non-documented parameters (ATEAM-17651)
The CA Gateway configuration reference does not include the following parameters.
- dns.cache-enabled
- dns.response-theshold (Prior to CAGW 3.1)
- dns.response-threshold (as of CAGW 3.1)
CAA filter bypassed (ATEAM-17708)
The CAA (Certification Authority Authorization) filter does not always block requests for non-authorized domains when CA Gateway is deployed in the appliance.
- Bug cause. Kubernetes sets ndots to 5 by default, so it expects fully qualified domain names of the form:
<service-name>.<namespace-name>.svc.<cluster-domain>
- Bug resolution. Modify the Kubernetes settings to bypass this limitation.
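To show why the ndots default matters for a DNS-based filter such as the CAA check, the following added example (not part of these release notes or of the CA Gateway code) reproduces the search-list expansion a libc-style stub resolver performs. The namespace "default" and the cluster domain "cluster.local" are constructed sample values.

```python
"""Search-list expansion a glibc-style stub resolver applies under ndots.

With the Kubernetes default of ndots:5, a public name such as
www.example.com (two dots) is looked up as a cluster-internal name
before the absolute name is ever queried.
"""

# Constructed example values: Kubernetes namespace "default" and the
# default cluster domain "cluster.local". Real deployments differ.
K8S_SEARCH = ["default.svc.cluster.local", "svc.cluster.local", "cluster.local"]
K8S_NDOTS = 5


def query_order(name: str, search: list[str] = K8S_SEARCH,
                ndots: int = K8S_NDOTS) -> list[str]:
    """Return the fully qualified names the resolver tries, in order.

    A trailing dot marks the name absolute and disables search-list
    expansion. Otherwise a name with at least `ndots` dots is tried as-is
    first; a name with fewer dots has each search domain appended first.
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    expanded = [f"{name}.{domain}." for domain in search]
    if name.count(".") >= ndots:
        return [absolute] + expanded
    return expanded + [absolute]


def caa_lookup_name(requested_domain: str) -> str:
    """Generic defensive form (an assumption, not the product's fix):
    hand the CAA lookup an absolute name so the answer cannot depend on
    the pod's search path or its ndots setting."""
    return requested_domain.rstrip(".") + "."


if __name__ == "__main__":
    for candidate in query_order("www.example.com"):
        print(candidate)
    print("ndots=1 first try:", query_order("www.example.com", ndots=1)[0])
    print("CAA lookup uses:", caa_lookup_name("www.example.com"))
```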
CA Gateway cannot handle non-printable characters in subject names from msca-proxy (ATEAM-18063)
When issuing a certificate with a Microsoft CA, the following CA Gateway API endpoint stops processing events if the subject includes non-printable characters.
/v1/certificate-authorities/{caId}/certificate-events
Bug resolution: enhance the Entrust Proxy for Microsoft CA to support non-printable characters in the subject name.
Mandatory subject variables not supported (ATEAM-18126)
For each variable added to the subject-variable-requirements list, CA Gateway ignores the required setting value.