New Features
This section describes the new features in this release.
Automation
- Enhancement to Resume or Re-trigger Workflow Requests at Any Stage
Introduced support for resuming or re-triggering failed or partially completed workflow requests from any selected stage. This enhancement enables users to restart execution from a specific stage without re-running the entire workflow.
- Configurable Comment Option for Email Approval/Rejection in Visual Workflows
Added support for capturing approval and rejection comments in Email Palette-based workflow approvals. Comment capture can be configured as optional or mandatory within the workflow design based on business requirements.
ADC
- Support for F5 v21 devices
Added support for onboarding and full lifecycle management of F5 21.x ADC devices for both LTM and GTM modules. Version support is included in existing OOB workflows.
- rSeries Tenant Provisioning and Management on Host device
Introduced provisioning and lifecycle management support for F5 rSeries tenants on host devices. Enables administrators to create and manage tenant instances from AppViewX with operational consistency. Improves readiness for large-scale rSeries adoption in enterprise ADC environments.
- rSeries Host Software upgrade - Image Upload
Added rSeries host/tenant software image upload capability as part of the "Device Bulk Image Transfer" workflow.
- rSeries Host Software upgrade - Upgrade execution
Implemented rSeries host software upgrade execution from AppViewX. It includes rollback in case of failure.
- External Backup download from AppViewX
Enabled secure download of externally stored backup files directly from the AppViewX UI. Users can now retrieve backup artifacts locally without direct access to external backup servers.
- AI-based ADC reports (without ACL)
Delivered AI-based ADC reporting support with secure access to relevant device and ADC datasets. Provides context-aware reporting for use cases such as state/status, unused report, and orphan report.
- AppViewX Branding changes - ADC
Applied updated AppViewX branding across ADC user-facing and generated components. Refreshed logos, color themes, and product naming in UI, APIs, templates, logs, and communications. Delivers a consistent platform branding experience for users, admins, and integrators.
- rSeries Host CPU/TMM utilization check
Added a reports workflow to automatically discover F5 rSeries host devices and collect CPU and TMM memory utilization metrics. Provides centralized host health monitoring through a consolidated tabular operational view. Improves visibility into resource utilization trends for proactive performance monitoring and capacity planning.
CLM
- Enhanced Sectigo Attribute Synchronization and Discovery
The Sectigo CA integration has been enhanced to synchronize and discover both mandatory and optional certificate attributes. This ensures that discovered certificates contain complete metadata required for renewal, reissue, compliance, and automation workflows, reducing manual intervention.
- Daily Attribute Synchronization Between AppViewX and GoDaddy
AppViewX now supports automated daily metadata synchronization with GoDaddy CA. This ensures all GoDaddy CA certificates, enrolled as well as externally discovered, retain the necessary order and renewal attributes required for smooth renewal workflows.
- SLC Dashboard Widget Performance Optimization
The loading time for the Age (Validity Period) and Certificates by Issuing CAs widgets on the SLC dashboard has been improved by replacing synchronous chart generation with asynchronous data retrieval and pre-populated chart data. This optimization enhances dashboard responsiveness and delivers a faster user experience.
- Enhanced DigiCert Attribute Synchronization and Discovery
The DigiCert CA integration has been enhanced to synchronize and discover both mandatory and optional certificate attributes, including vendor-specific metadata. This ensures complete certificate information is available for renewal, reissue, compliance, and automation workflows, reducing manual effort and improving operational efficiency.
- Automated SQL Server Certificate Private Key Permission Validation
SQL Server certificate binding operations now automatically validate and grant the required private key permissions to the SQL Server service account. This ensures certificates can be loaded successfully during service startup, preventing restart failures and maintaining secure TLS communication.
- CA Attribute Sync Optimization
AppViewX now optimizes CA attribute synchronization by accurately associating certificates with their issuing CA accounts through a daily synchronization process. A new CA Attribute Sync option allows administrators to specify which CA accounts participate in attribute synchronization, reducing unnecessary CA calls, improving renewal efficiency, and minimizing synchronization failures. This enhancement is currently supported for DigiCert, GoDaddy, and Sectigo CA integrations.
- Optional policy controls for Key Type, Hash Function, and Validity Unit
Added flexible enforcement modes for key policy fields in re-enrollment: inherit, strict single value, or allow-list with default fallback. Ensures consistent behavior across UI and automation workflows when evaluating certificate renewal constraints. Improves traceability by recording policy decisions as Inherited, Allowed, or Overridden.
- Automated template and policy selection for manual re-enrollment
Enabled intelligent manual re-enrollment that auto-detects the applicable CA, template, and policy from certificate context. Applies group-specific policy mapping with automatic fallback to default re-enrollment policy when no explicit mapping exists. Reduces manual input and operational errors while delivering a streamlined one-click renewal experience.
- Automated template selection for auto re-enrollment
Enhanced auto re-enrollment to automatically resolve both certificate template and CSR generation source. Preserves original key security posture by honoring source context such as Product, Endpoint Agent, or HSM. Enables fully hands-free renewals without compromising private key handling controls.
- Standardized Renew vs Regenerate logic for Sectigo templates
Introduced template-level re-enrollment action control to explicitly select Renew or Regenerate behavior for Sectigo CA flows. Ensures the platform invokes the correct CA API path based on configured lifecycle intent. Improves compatibility with CA-side order/subscription handling and billing/tracking models.
- Standardized Re-enrollment Template for MS ADCS
Introduced improvements to the MS ADCS template configuration, allowing administrators to define how re-enrollment should behave for a particular account. This provides more predictable and consistent certificate lifecycle behavior for MS ADCS integrations across re-enrollment operations.
- Standardized Renew vs Regenerate logic for DigiCert CertCentral templates
Implemented configurable re-enrollment action behavior for DigiCert CertCentral templates. Supports precise selection of Renew versus Regenerate to align with organizational lifecycle policies. Improves control and predictability for certificate renewal workflows integrated with DigiCert APIs.
- Standardized Re-enrollment Template for GlobalSign SSL CA
Introduced a CA-specific template for GlobalSign SSL CA that allows administrators to define how re-enrollment should behave for a particular account. This helps ensure consistent and predictable CA interaction during both manual and automated certificate lifecycle operations.
- Migration and intelligent mapping for CA-specific templates
Added upgrade-time migration to support CA-specific template mapping using CA vendor and account context. Introduced contextual lookup with automatic fallback to default template when no exact match is available. Ensures continuity of re-enrollment operations with minimal disruption during template model transition.
- Rebrand Windows Gateway
Updated Windows Gateway and related Cloud Connector-integrated components to CLM branding. Replaced legacy product naming references in package identity and diagnostic/log outputs. Improves branding consistency across deployed components and operational troubleshooting artifacts.
- Fetch detailed certificate information via MCP framework
Introduced MCP-based retrieval of detailed certificate lifecycle and metadata information for AI and automation use cases. Enables security and PKI teams to consume certificate intelligence programmatically without relying on UI navigation. Reduces investigation time by integrating certificate detail access into external operational workflows.
- Retrieve filtered certificate lists and metadata via MCP framework
Added MCP capability to query filtered certificate inventories along with relevant metadata for broad audits. Supports AI-assisted and programmatic posture assessments across machine identity environments. Improves scalability of certificate discovery and audit workflows beyond interactive UI-based operations.
- CMP Server Support for Initialization Request (IR) Mode
The CMP Server has been enhanced to support Initialization Request (IR) mode in addition to existing P10CR and CCR modes, improving compatibility with CMP-based AppViewX Native PKI and EJBCA environments. This enhancement enables processing of IR requests, certificate issuance through supported CAs, and configuration of the preferred CMP authentication mode.
- Dynamic Challenge Password Support for SCEP
SCEP integrations now support both static and dynamic challenge passwords, including support for FleetDM as an MDM vendor. This enhancement introduces secure dynamic challenge password generation and retrieval, enabling streamlined and secure certificate enrollment workflows for supported MDM platforms.
- Automatic Certificate Revocation for Intune Devices
Introduced automated certificate revocation for devices marked as Retired or Wiped in Microsoft Intune. A scheduled job is added to fetch device status and identify associated certificates in AppViewX. Configurable settings have been enabled for revocation trigger, certificate type, and mapping attributes. It also supports CN-based matching using device/user identifiers.
- Configurable Discovery Options for Microsoft Servers
  - AppViewX has introduced configurable certificate discovery settings for Microsoft Server devices, including Location Type (File System, Certificate Store, Port Scan) and Keystore Formats (for example, CRT, CER, PEM, PFX, JKS). At least one option must be selected in each category to proceed.
  - Added support for defining global defaults via Global Device Settings (GDS), with all discovery sources and keystore formats selected by default.
  - Established preference order: Device-level configuration > GDS > System defaults.
  - Applied configurations across device onboarding, updates, manual/scheduled discovery, and config sync operations.
- AppViewX now supports the provision to update the number of days before Re-enroll/Regenerate/Renew for the next generated certificates.
CLOUDKUBE
- Automated Policy Assignment for Cluster Onboarding
Introduced regex-based policy assignment rules to automatically associate policies with clusters (and optional namespaces) during onboarding. On policy match, the platform auto-applies the policy, pushes associated CA YAML configuration, and provisions certificates per policy settings. This reduces manual onboarding effort, improves consistency at scale, and lowers operational errors in dynamic Kubernetes environments.
- AppViewX now supports discovery of private keys for exportable certificates stored in Azure Key Vault, enabling full lifecycle management for Azure-hosted certificates.
- AppViewX now supports cloud-native authentication for AWS and Azure services using AWS IAM Roles and Azure Managed Identity, enabling PKI administrators to securely connect to cloud resources without storing long-lived credentials or manually managing secrets. This capability simplifies identity and access management, enhances security, and streamlines certificate enrollment and CA operations across SaaS, hybrid, and on-premises environments while maintaining compatibility with existing configurations.
- Branding update to rename Kube+ as Kube
Renamed product references from Kube+ to Kube across platform experiences to align with the new branding direction. Applied updates across major UI and operational surfaces, including menus, policy flows, onboarding paths, audit logs, chatbot text, and pop-up/error messages. Delivers a consistent product identity across user interfaces, workflows, and supporting system messages.
- When a Kubernetes cluster is onboarded, the platform now automatically creates a CA connector for each discovered certificate whose issuing Certificate Authority already exists in the platform. Each auto-created connector carries group properties that define lifecycle intent, such as renewal policies and expiration handling, so that all certificates issued by that CA automatically inherit consistent lifecycle behavior without requiring per-certificate configuration. This eliminates the need for administrators to manually set up CA connectors or configure lifecycle rules for each discovered certificate, enabling platform and security engineers to enforce certificate governance at scale across Kubernetes environments with zero additional effort during discovery.
- Kube licensing has been fundamentally redesigned to calculate usage based on the total number of managed Kubernetes certificates, encompassing certificates discovered, issued, and renewed, replacing the previous node and cluster count-based model that was prone to unpredictable fluctuations from autoscaling and ephemeral infrastructure. New customers are automatically onboarded with certificate-based licensing, while existing customers remain on their current model until an explicit, customer-initiated upgrade is performed, ensuring zero disruption to active contracts.
- This release introduces regex-based automated policy assignment, eliminating the need to manually associate policies with clusters during onboarding and policy add/update. Platform and DevOps engineers can now define cluster and namespace naming pattern rules directly within a policy (supported in both Legacy Cluster Policy and Policy Engine). When a cluster is onboarded, or a policy is added/updated, the system automatically evaluates all defined rules, matches clusters and namespaces against the configured regex patterns, maps the corresponding policy, and pushes the Policy YAML configuration. The feature includes deterministic cluster-to-namespace mapping to prevent ambiguous cross-combination of patterns, and a cron-based retry mechanism for handling failed auto-push attempts.
PKI
- Migration from AppViewX Standard CA to AppViewX Native CA (PQC-Ready)
AppViewX now provides a guided CA migration workflow to transition from AppViewX Standard CA (GCP-backed) to AppViewX Native CA. The workflow supports cloning, creating, or mapping Native CAs with custodian approval, preserves existing RBAC and ACL configurations, tracks migration progress, optimizes license usage, and enables retirement of legacy GCP-backed CAs after migration.
- CA Migration to AppViewX Native PKI
AppViewX now supports migration of end-entity certificate issuance from external CAs such as GCP CAS, Microsoft ADCS, and EJBCA to AppViewX Native PKI. Administrators can migrate individual or multiple certificates while preserving certificate attributes and application bindings, with optional support for PQC and hybrid algorithms. The migration process is available through both the UI and API, with comprehensive audit logging for traceability and compliance.
- ADCS to AppViewX Native PKI – Guided Migration Journey
AppViewX now provides a guided migration workflow to simplify the transition from Microsoft ADCS to AppViewX Native PKI. The workflow automates CA discovery, template migration, prerequisite validation, and Windows Auto-Enrollment Proxy (WAEP) configuration, while providing step-by-step guidance, progress tracking, and validation to ensure a secure and auditable migration experience.
- PKI Automated HSM Onboarding
AppViewX now provides direct access to HSM onboarding from the PKI Get Started page, enabling users to quickly onboard and manage Fortanix or other HSMs without navigating to the Platform HSM module. Access is controlled through existing HSM onboarding permissions.
Platform
- Proactive HSM Integration Health Monitoring and Alerting
AppViewX now provides proactive health monitoring for HSM integrations, including Entrust, Fortanix, Utimaco, and Thales. The system performs periodic health checks and generates in-product notifications and email alerts when issues are detected, helping ensure HSM availability and reducing operational downtime.
- Fortanix HSM Auto Provisioning and Onboarding
Enabled direct creation and onboarding of Fortanix HSM accounts within AppViewX for customers with valid HSM licenses. The Fortanix HSM account setup option is conditionally available based on HSM licensing and supports automated account creation and registration. Additionally, HSM credential update workflows have been introduced, allowing SRE teams to securely update credentials for Fortanix HSM accounts.
Policy Engine
- Ability to define pre/post actions in policies based on template selection
Introduced template-driven lifecycle stage controls in Policy Engine to define approvals, schedules, implementation, and post-actions per policy stage. Supports selecting multiple templates with rule-based execution (for example sequential, first success/failure) and dynamic resolution using CA and certificate attributes. Improves governance and auditability with stage-wise execution visibility, configurable failure handling, and controlled override behavior.
QTH
- AppViewX CMDB Integration for PQC Readiness Scans
AppViewX now integrates with third-party CMDB systems to run configuration and certificate PQC readiness scans and retrieve business context such as application, owner, criticality, and CMDB status. This enables better prioritization of risks and assignment of remediation based on business impact. Two scheduled jobs, Certificate and Endpoint CMDB Business Context Synchronization, maintain updated CMDB data and must be enabled after integration, with results surfaced in scan and certificate inventories through new CMDB-related fields.
- PQC Evaluation Status in CLM Discovery Inventory
A new PQC Evaluation Status column has been added to the CLM on-demand discovery inventory to indicate the post-quantum readiness status of cryptographic assets, including certificates, cipher suites, TLS/protocol versions, and cryptographic libraries. The evaluation data is sourced from ASM, IP ranges, subnets, and other integrations to provide unified visibility into the cryptographic security posture. For Tenable non-certificate assets, the QTH detection tag must be enabled in the integration settings.
SSH
- SSH Certificate Configuration in Key Policies
AppViewX now supports SSH certificate-specific settings within SSH Key Policies, allowing administrators to configure certificate validity, extensions, and critical options. The update includes validation and persistence of certificate configuration settings across policy creation and updates.
- Migration for SSH Certificate Configuration Defaults
A migration process has been introduced to populate missing SSH certificate configuration fields with OpenSSH-aligned default values during upgrades. The migration updates only missing values, preserves existing configurations, and provides logging and metrics for improved upgrade visibility and monitoring.
- Menu Rename for SSH Provisioning
Renamed the Provision Key menu item to Provision Key and Certificate. The option continues to open the existing SSH provisioning page with pre-populated fields, providing a unified entry point to view and manage key and certificate provisioning details.
- Stepper-Based SSH Provisioning Flow
A new stepper-based SSH provisioning workflow guides users through key details, endpoint configuration, vault configuration, and review steps. The update also enhances endpoint management with dynamic Infra Access Group selection, duplicate endpoint prevention, hostname support, multi-user management, and SSH certificate path validation.
- SSH Certificate Toggle in Provisioning UI
Added an SSH Certificate toggle to the Provision Key and Certificate page. When enabled, the UI displays certificate-specific fields such as SSH Cert Key ID, Principal(s), Certificate Validity, and Extensions. When disabled, the page functions as standard SSH key provisioning.
- Workflow Support for SSH Certificate Provisioning
The SSH provisioning workflow has been enhanced to support SSH certificate provisioning alongside key provisioning. The update captures certificate-specific details, provides separate server and client endpoint views, and improves traceability of provisioning inputs, execution steps, and endpoint responses.
- Persistence for SSH Certificate Provisioning
Stored complete provisioning configurations (including certificate settings and server/client details) in the AppViewX database upon submission. Ensured atomic, idempotent, and tenant-safe persistence to support execution, inventory visibility, auditing, and retry workflows.
- SSH Certificate Provisioning Execution and Tracking
SSH certificate provisioning is now fully integrated into the provisioning workflow, enabling automated certificate deployment to Linux endpoints with input validation, prerequisite checks, detailed execution tracking, audit visibility, and retry support. The process also verifies trust bootstrap requirements before provisioning to ensure successful and secure certificate deployment.
- API Support for SSH Certificate Provisioning
Extended the existing SSH provisioning API (or introduced a backward-compatible version) to support end-to-end SSH certificate provisioning. Enabled the API to accept and validate certificate inputs (e.g., cert ID, validity) along with Client and Server endpoint mappings.
- Host Trust Provisioning Stage in Workflow
Added a new workflow stage to display host trust provisioning details for SSH certificate requests. This enhancement improves visibility into prerequisite trust configuration during certificate provisioning.
- Host CA Trust Configuration
Updated endpoints’ known_hosts to trust the Host CA using OpenSSH-compliant @cert-authority entries. This enables host certificate-based verification and ensures the update is idempotent, validated, and safely applied.
- Authorized Principals Configuration for SSH Certificates
Enabled configuration of allowed principals on server endpoints during SSH certificate provisioning. The system updates OpenSSH settings to use an Authorized Principals file, ensuring only specified identities are permitted for certificate-based authentication.
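The Host CA trust and Authorized Principals items above correspond to standard OpenSSH file changes: an `@cert-authority` line in `known_hosts`, an `AuthorizedPrincipalsFile` setting in `sshd_config`, and a per-user principals file. The shell example below is added here to show those changes applied idempotently; it is not AppViewX code, and the CA key, host pattern, principal names and paths are constructed placeholders written only to a temporary directory.

```shell
#!/bin/sh
# Added example, not AppViewX code. The CA key, host pattern, principals and
# paths are constructed placeholders; all writes go to a temporary directory.
NL='
'

# Add "@cert-authority <pattern> <ca-pubkey>" to a known_hosts file exactly once.
trust_host_ca() {
    kh_file=$1 pattern=$2 ca_key=$3
    case "$pattern$ca_key" in
        *"$NL"*) echo "newline in input, refusing" >&2; return 1 ;;
    esac
    case $ca_key in
        ssh-ed25519\ ?*|ssh-rsa\ ?*|ecdsa-sha2-*\ ?*) ;;  # minimal shape check
        *) echo "malformed CA public key, refusing" >&2; return 1 ;;
    esac
    entry="@cert-authority $pattern $ca_key"
    touch "$kh_file"
    # Fixed-string, whole-line match: a second run finds the entry and stops.
    grep -qxF -- "$entry" "$kh_file" && return 0
    printf '%s\n' "$entry" >> "$kh_file"
}

# Set one global sshd_config keyword, replacing earlier settings of it.
# The line is written first so it stays above any Match block.
set_sshd_option() {
    conf=$1 key=$2 value=$3
    tmp="$conf.tmp.$$"
    touch "$conf"
    printf '%s %s\n' "$key" "$value" > "$tmp"
    grep -viE "^[[:space:]]*$key[[:space:]=]" "$conf" >> "$tmp" || true
    mv "$tmp" "$conf"   # validate with `sshd -t -f <file>` before reloading
}

# Rewrite a principals file so it holds only the listed identities.
write_principals() {
    p_file=$1; shift
    mkdir -p "$(dirname "$p_file")"
    printf '%s\n' "$@" | sort -u > "$p_file.tmp.$$"
    mv "$p_file.tmp.$$" "$p_file"
}

# Demo run against constructed inputs.
demo=$(mktemp -d)
CA_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERplaceholderPLACEHOLDERplaceholder00 host-ca@example'
printf 'Port 22\nAuthorizedPrincipalsFile none\nMatch User backup\n    X11Forwarding no\n' > "$demo/sshd_config"

trust_host_ca "$demo/known_hosts" '*.example.internal' "$CA_KEY"
trust_host_ca "$demo/known_hosts" '*.example.internal' "$CA_KEY"   # no-op
set_sshd_option "$demo/sshd_config" AuthorizedPrincipalsFile "$demo/auth_principals/%u"
write_principals "$demo/auth_principals/deploy" ops-admin deploy ops-admin

cat "$demo/known_hosts" "$demo/sshd_config" "$demo/auth_principals/deploy"
```

The principals file only takes effect for user certificates signed by a CA that sshd already trusts through `TrustedUserCAKeys`.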
Code Signing
- Code Signing Dashboard
Code Signing now includes a centralized dashboard that provides real-time and historical visibility into signing activities and policy usage. The dashboard offers interactive analytics, drill-down reporting, advanced search, data export capabilities, user-based filtering, and comprehensive RBAC and audit logging support to improve operational visibility and reporting.
