New Features

Introduced support for resuming or re-triggering failed or partially completed workflow requests from any selected stage. This enhancement enables users to restart execution from a specific stage without re-running the entire workflow.

Added support for capturing approval and rejection comments in Email Palette-based workflow approvals. Comment capture can be configured as optional or mandatory within the workflow design based on business requirements.

Added support for onboarding and full life‑cycle management of F5 21.x ADC devices for both LTM and GTM modules . Version support is included in existing OOB workflows

Introduced provisioning and lifecycle management support for F5 rSeries tenants on host devices.Enables administrators to create and manage tenant instances from AppViewX with operational consistency.Improves readiness for large-scale rSeries adoption in enterprise ADC environments.

Added rSeries host/tenant software image upload capability as part of the "Device Bulk Image Transfer" workflow.

Implemented rSeries host software upgrade execution from AppViewX.It includes rollback in failure case.

Enabled secure download of externally stored backup files directly from AppViewX UI.Users can now retrieve backup artifacts locally without direct access to external backup servers.

Delivered AI-based ADC reporting support with secure access to relevant device and ADC datasets.Provides context-aware reporting for use cases such as state/status, unused report, orphan report.

Applied updated AppViewX branding across ADC user-facing and generated components.Refreshed logos, color themes, and product naming in UI, APIs, templates, logs, and communications.Delivers a consistent platform branding experience for users, admins, and integrators.

Added a reports workflow to automatically discover F5 rSeries host devices and collect CPU and TMM memory utilization metrics. Provides centralized host health monitoring through a consolidated tabular operational view. Improves visibility into resource utilization trends for proactive performance monitoring and capacity planning.

The Sectigo CA integration has been enhanced to synchronize and discover both mandatory and optional certificate attributes. This ensures that discovered certificates contain complete metadata required for renewal, reissue, compliance, and automation workflows, reducing manual intervention.

AppViewX now supports automated daily metadata synchronization with GoDaddy CA. This ensures all GoDaddy CA certificates, enrolled as well externally discovered, retain the necessary order and renewal attributes required for smooth renewal workflows.

The DigiCert CA integration has been enhanced to synchronize and discover both mandatory and optional certificate attributes, including vendor-specific metadata. This ensures complete certificate information is available for renewal, reissue, compliance, and automation workflows, reducing manual effort and improving operational efficiency.

SQL Server certificate binding operations now automatically validate and grant the required private key permissions to the SQL Server service account. This ensures certificates can be loaded successfully during service startup, preventing restart failures and maintaining secure TLS communication.

AppViewX now optimizes CA attribute synchronization by accurately associating certificates with their issuing CA accounts through a daily synchronization process. A new CA Attribute Sync option allows administrators to specify which CA accounts participate in attribute synchronization, reducing unnecessary CA calls, improving renewal efficiency, and minimizing synchronization failures. This enhancement is currently supported for DigiCert, GoDaddy, and Sectigo CA integrations.

Added flexible enforcement modes for key policy fields in re-enrollment: inherit, strict single value, or allow-list with default fallback.Ensures consistent behavior across UI and automation workflows when evaluating certificate renewal constraints.Improves traceability by recording policy decisions as Inherited, Allowed, or Overridden.

Enabled intelligent manual re-enrollment that auto-detects the applicable CA, template, and policy from certificate context.Applies group-specific policy mapping with automatic fallback to default re-enrollment policy when no explicit mapping exists.Reduces manual input and operational errors while delivering a streamlined one-click renewal experience.

Enhanced auto re-enrollment to automatically resolve both certificate template and CSR generation source.Preserves original key security posture by honoring source context such as Product, Endpoint Agent, or HSM.Enables fully hands-free renewals without compromising private key handling controls.

Introduced template-level re-enrollment action control to explicitly select Renew or Regenerate behavior for Sectigo CA flows.Ensures the platform invokes the correct CA API path based on configured lifecycle intent.Improves compatibility with CA-side order/subscription handling and billing/tracking models.

Introduced improvements to the MS ADCS template configuration, allowing administrators to define how re-enrollment should behave for a particular account. This provides more predictable and consistent Certificate lifecycle behavior for MS ADCS integrations across re-enrollment operations.

Implemented configurable re-enrollment action behavior for DigiCert CertCentral templates.Supports precise selection of Renew versus Regenerate to align with organizational lifecycle policies.Improves control and predictability for certificate renewal workflows integrated with DigiCert APIs.

Introduced a CA-specific template for GlobalSign SSL CA that allows administrators to define how re-enrollment should behave for a particular account. This helps ensure consistent and predictable CA interaction during both manual and automated certificate lifecycle operations.

Added upgrade-time migration to support CA-specific template mapping using CA vendor and account context.Introduced contextual lookup with automatic fallback to default template when no exact match is available.Ensures continuity of re-enrollment operations with minimal disruption during template model transition.

Updated Windows Gateway and related Cloud Connector-integrated components to CLM branding.Replaced legacy product naming references in package identity and diagnostic/log outputs.Improves branding consistency across deployed components and operational troubleshooting artifacts.

Introduced MCP-based retrieval of detailed certificate lifecycle and metadata information for AI and automation use cases.Enables security and PKI teams to consume certificate intelligence programmatically without relying on UI navigation.Reduces investigation time by integrating certificate detail access into external operational workflows.

Added MCP capability to query filtered certificate inventories along with relevant metadata for broad audits.Supports AI-assisted and programmatic posture assessments across machine identity environments.Improves scalability of certificate discovery and audit workflows beyond interactive UI-based operations.

The CMP Server has been enhanced to support Initialization Request (IR) mode in addition to existing P10CR and CCR modes, improving compatibility with CMP-based AppViewX Native PKI and EJBCA environments. This enhancement enables processing of IR requests, certificate issuance through supported CAs, and configuration of the preferred CMP authentication mode.

SCEP integrations now support both static and dynamic challenge passwords, including support for FleetDM as an MDM vendor. This enhancement introduces secure dynamic challenge password generation and retrieval, enabling streamlined and secure certificate enrollment workflows for supported MDM platforms.

Introduced automated certificate revocation for devices marked as Retired or Wiped in Microsoft Intune. A scheduled job is added to fetch device status and identify associated certificates in AppViewX. A configurable settings has been enabled for revocation trigger, certificate type, and mapping attributes. It also supports CN-based matching using device/user identifiers.

The loading time for the Age (Validity Period) and Certificates by Issuing CAs widgets on the SLC dashboard has been improved by replacing synchronous chart generation with asynchronous data retrieval and pre-populated chart data. This optimization enhances dashboard responsiveness and delivers a faster user experience.

Moved additional DNS server configuration from app metadata to cert_metadata to eliminate the need for ACME server pod restarts. This applies to AppViewX DNS Validation and Enterprise Secure Challenge methods only. This enhancement improves flexibility and operational efficiency for DNS-based ACME validations.

Certificate retrieval during WAEP enrollment has been improved by enhancing polling behavior after CSR submission. The update adds retry handling for pending certificates and improves error processing to distinguish temporary delays from actual failures, resulting in more reliable certificate issuance workflows.

AppViewX now offers a guided migration workflow for transitioning Microsoft ADCS environments to AppViewX Native PKI. The utility validates prerequisites, discovers and maps CA instances, migrates AD certificate templates, and provides progress tracking and validation to support a smooth and auditable migration process.

Enabled the ability to push Root and Intermediate CA certificates to Cloud Connectors with comprehensive validation. The system verifies successful certificate deployment, ensures correct association between Intermediate and Root certificates, and confirms connector visibility in the unified view. Post-deployment checks validate that EST and ACME enrollments function without SSL handshake issues, ensuring end-to-end trust chain integrity.

Introduced support for Kerberos authentication in WAEP to replace deprecated NTLM. Added an Authentication Mode option (NTLM/Kerberos) with a configurable Communication Protocol (HTTP/HTTPS) when Kerberos is selected.

• Appviewx has introduced configurable certificate discovery settings for Microsoft Server devices, including Location Type (File System, Certificate Store, Port Scan) and Keystore Formats (for example, CRT, CER, PEM, PFX, JKS). At least one option must be selected in each category to proceed.

• Added support for defining global defaults via Global Device Settings (GDS), with all discovery sources and keystore formats selected by default.

• Established preference order: Device-level configuration > GDS > System defaults.

• Applied configurations across device onboarding, updates, manual/scheduled discovery, and config sync operations.

InfinityAI now enables AI-assisted assignment of certificate-related permissions to user groups, eliminating the need for manual role and permission creation. Based on administrator intent, the system can recommend existing roles or automatically create custom roles, resources, and required ACF permissions. Support covers certificate discovery, inventory operations, lifecycle management, trust store actions, dashboards, groups, policies, and approval workflows, simplifying RBAC administration and accelerating access provisioning.

Introduced regex-based policy assignment rules to automatically associate policies with clusters (and optional namespaces) during onboarding.On policy match, the platform auto-applies the policy, pushes associated CA YAML configuration, and provisions certificates per policy settings.This reduces manual onboarding effort, improves consistency at scale, and lowers operational errors in dynamic Kubernetes environments.

Renamed product references from Kube+ to Kube across platform experiences to align with the new branding direction.Applied updates across major UI and operational surfaces, including menus, policy flows, onboarding paths, audit logs, chatbot text, and pop-up/error messages.Delivers a consistent product identity across user interfaces, workflows, and supporting system messages.

AppViewX now provides a guided CA migration workflow to transition from AppViewX Standard CA (GCP-backed) to AppViewX Native CA. The workflow supports cloning, creating, or mapping Native CAs with custodian approval, preserves existing RBAC and ACL configurations, tracks migration progress, optimizes license usage, and enables retirement of legacy GCP-backed CAs after migration.

AppViewX now supports migration of end-entity certificate issuance from external CAs such as GCP CAS, Microsoft ADCS, and EJBCA to AppViewX Native PKI. Administrators can migrate individual or multiple certificates while preserving certificate attributes and application bindings, with optional support for PQC and hybrid algorithms. The migration process is available through both the UI and API, with comprehensive audit logging for traceability and compliance.

AppViewX now provides a guided migration workflow to simplify the transition from Microsoft ADCS to AppViewX Native PKI. The workflow automates CA discovery, template migration, prerequisite validation, and Windows Auto-Enrollment Proxy (WAEP) configuration, while providing step-by-step guidance, progress tracking, and validation to ensure a secure and auditable migration experience.

AppViewX Native PKI now supports uploading Certification Practice Statement (CPS) documents in PDF format. The system parses the uploaded CPS, extracts structured policy-relevant sections using an AI framework service, and presents the interpreted output including validity limits, Extended Key Usage constraints, wildcard rules, and naming restrictions in a dedicated review interface. Users can approve, edit, or reject each extracted value individually, or use Approve All for efficiency. Once values are confirmed, the Generate Policy action creates a CLM Certificate Policy using only the approved inputs, with missing mandatory fields prompted before creation and optional fields auto populated with defaults. Generated policies are associated with AppViewX Native CA Certificate Authorities, are fully editable post-creation, and carry an auditable link back to the governing CPS via the tenant CPS URL extension. Users can also download the original CPS PDF, replace or re-upload a document, and navigate directly from a CPS entry to its generated policy using the View Policy option.

AppViewX now provides direct access to HSM onboarding from the PKI Get Started page, enabling users to quickly onboard and manage Fortanix or other HSMs without navigating to the Platform HSM module. Access is controlled through existing HSM onboarding permissions.

AppViewX now provides proactive health monitoring for HSM integrations, including Entrust, Fortanix, Utimaco, and Thales. The system performs periodic health checks and generates in-product notifications and email alerts when issues are detected, helping ensure HSM availability and reducing operational downtime.

Enabled direct creation and onboarding of Fortanix HSM accounts within AppViewX for customers with valid HSM licenses. The Fortanix HSM account setup option is conditionally available based on HSM licensing and supports automated account creation and registration. Additionally, HSM credential update workflows have been introduced, allowing SRE teams to securely update credentials for Fortanix HSM accounts.

AppViewX now provides self-diagnosis and remediation capabilities for Cloud Connector connectivity issues and Kubernetes certificate failures. Added centralized Cloud Connector self-diagnosis through avxctl as a single customer-facing troubleshooting utility. Introduced diagnostic checks for flannel, connectivity configuration, CoreDNS, and firewalld, with automated fixes where applicable. Improves self-service operations by enabling faster issue identification and remediation directly from the Cloud Connector VM.

AppViewX now propagates non-localhost entries from /etc/hosts in the Cloud Connector host to CoreDNS NodeHosts ConfigMap for in-cluster name resolution. This ensures custom hostnames are resolvable from pods in K3s environments. The update includes controlled restart handling to prevent duplicate CoreDNS rollouts during nameserver update operations.

Cloud Connector third-party images and binaries have been upgraded to newer supported versions. This improves security by reducing known vulnerabilities and aligns runtime dependencies with updated platform standards for better stability, compliance, and maintainability.

Added support for installing Cloud Connector on SUSE Linux using the existing standalone deployment model. Extends the same installation pattern already available for RHEL and Rocky Linux to SUSE environments. Maintains consistent installation workflow and runtime behavior across supported Linux platforms.

AppViewX now provides an AI-powered RBAC configuration experience for certificate lifecycle management through Infinity AI. Administrators can assign and retrieve certificate group (resource) mappings and certificate-related permissions for user groups using natural language inputs and guided conversational prompts, eliminating the need to navigate multiple disjointed screens across the platform. When assigning certificate operation permissions such as renew, revoke, or regenerate, AppViewX Infinity AI automatically associates the appropriate Visual Workflow (VWF) approval behavior with the user group's resource, enforcing the correct approval path at execution time. To support these workflows, the Infinity AI interface now dynamically renders interactive data grids with built-in search, pagination, multiselect, and action button support, replacing plain-text responses with structured, actionable components. Administrators can also query existing RBAC configurations, including cert group mappings and assigned roles and permissions, directly through the Infinity AI interface.

AppViewX now supports the Model Context Protocol (MCP), expanding integration capabilities for AI agents, LLM-powered applications, and automation platforms. By adopting a standardized protocol for tool discovery and execution, organizations can more easily connect AppViewX with MCP-compatible hosts. This creates a common extensibility layer across AppViewX products, providing a foundation for consistent AI-driven interactions and enabling future MCP-based integrations across the platform.In this release, MCP is available through the STDIO transport mode and is delivered as a downloadable MCP plugin through the Agents & Downloads section. The plugin package includes the required artifacts and setup guidance to simplify deployment and integration with AI tools that support MCP over STDIO. Running locally, the plugin enables MCP-compatible hosts to securely access AppViewX capabilities through a standardized interface.The initial MCP toolset focuses on AppViewX CLM read-only capabilities, with additional AppViewX products and tools planned for future expansion.

Introduced template-driven lifecycle stage controls in Policy Engine to define approvals, schedules, implementation, and post-actions per policy stage.Supports selecting multiple templates with rule-based execution (for example sequential, first success/failure) and dynamic resolution using CA and certificate attributes.Improves governance and auditability with stage-wise execution visibility, configurable failure handling, and controlled override behavior.

AppViewX now integrates with third-party CMDB systems to run configuration and certificate PQC readiness scans and retrieve business context such as application, owner, criticality, and CMDB status. This enables better prioritization of risks and assignment of remediation based on business impact. Two scheduled jobs Certificate and Endpoint CMDB Business Context Synchronization maintain updated CMDB data and must be enabled after integration, with results surfaced in scan and certificate inventories through new CMDB-related fields.

A new PQC Evaluation Status column has been added to the CLM on-demand discovery inventory to indicate the post-quantum readiness status of cryptographic assets, including certificates, cipher suites, TLS/protocol versions, and cryptographic libraries. The evaluation data is sourced from ASM, IP ranges, subnets, and other integrations to provide unified visibility into the cryptographic security posture. For Tenable non-certificate assets, the QTH detection tag must be enabled in the integration settings.

AppViewX now supports SSH certificate-specific settings within SSH Key Policies, allowing administrators to configure certificate validity, extensions, and critical options. The update includes validation and persistence of certificate configuration settings across policy creation and updates.

A migration process has been introduced to populate missing SSH certificate configuration fields with OpenSSH-aligned default values during upgrades. The migration updates only missing values, preserves existing configurations, and provides logging and metrics for improved upgrade visibility and monitoring.

Renamed the Provision Key menu item to Provision Key and Certificate. The option continues to open the existing SSH provisioning page with pre-populated fields, providing a unified entry point to view and manage key and certificate provisioning details.

A new stepper-based SSH provisioning workflow guides users through key details, endpoint configuration, vault configuration, and review steps. The update also enhances endpoint management with dynamic Infra Access Group selection, duplicate endpoint prevention, hostname support, multi-user management, and SSH certificate path validation.

Added an SSH Certificate toggle to the Provision Key and Certificate page. When enabled, the UI displays certificate-specific fields such as SSH Cert Key ID, Principal(s), Certificate Validity, and Extensions. When disabled, the page functions as standard SSH key provisioning.

The SSH provisioning workflow has been enhanced to support SSH certificate provisioning alongside key provisioning. The update captures certificate-specific details, provides separate server and client endpoint views, and improves traceability of provisioning inputs, execution steps, and endpoint responses.

Stored complete provisioning configurations (including certificate settings and server/client details) in the AppViewX database upon submission. Ensured atomic, idempotent, and tenant-safe persistence to support execution, inventory visibility, auditing, and retry workflows.

SSH certificate provisioning is now fully integrated into the provisioning workflow, enabling automated certificate deployment to Linux endpoints with input validation, prerequisite checks, detailed execution tracking, audit visibility, and retry support. The process also verifies trust bootstrap requirements before provisioning to ensure successful and secure certificate deployment.

Extended the existing SSH provisioning API (or introduced a backward-compatible version) to support end-to-end SSH certificate provisioning. Enabled the API to accept and validate certificate inputs (e.g., cert ID, validity) along with Client and Server endpoint mappings.

Added a new workflow stage to display host trust provisioning details for SSH certificate requests. This enhancement improves visibility into prerequisite trust configuration during certificate provisioning.

Updated endpoints’ known_hosts to trust the Host CA using OpenSSH-compliant @cert-authority entries. This enables host certificate-based verification and ensures the update is idempotent, validated, and safely applied.

Enabled configuration of allowed principals on server endpoints during SSH certificate provisioning. The system updates OpenSSH settings to use an Authorized Principals file, ensuring only specified identities are permitted for certificate-based authentication.

Code Signing now includes a centralized dashboard that provides real-time and historical visibility into signing activities and policy usage. The dashboard offers interactive analytics, drill-down reporting, advanced search, data export capabilities, user-based filtering, and comprehensive RBAC and audit logging support to improve operational visibility and reporting.