Tanium Cloud Release Notes Certificate Manager
Release Start Date: June 11, 2026
Important notes
- The Certificate Manager November 4, 2025 release added the ability to use profiles that target settings by computer group. Profiles require Endpoint Toolset 2.20.86 or later. Profiles replace the ability to set global settings on the Settings page. The certificate audit settings will be removed from the Settings page in a future release. For more detail, see Deploying Certificate Audits in the Tanium Certificate Manager User Guide.
New features
- Certificate Manager data and replacement workflows are now available in Atlas. For more information about Atlas, see Tanium Atlas User Guide.
Improvements
- Added new “Risks” section to Overview page and migrated several existing panels. This change includes a new “Certificate Type” toggle within “Risks” section to differentiate between all certificates or only those in use by a listen port.
- Added new charts called “Protocols Over Time” and “User Trusted” to Overview page.
- Renamed “Total Endpoints Inventoried” panel on Overview page to “Tanium-Managed Endpoints”.
- Added ability to add replacement certificate and private key to same certificate store on Windows as original certificate.
- Removes Replacement Status virtual sensor on uninstall.
- Updated the Certificate Manager service to no longer leverage the System User Service (SUS).
Bug Fixes
- Fixed an issue where exported results from Certificate Details sensor were misaligned where tildes are included in directory path name.
- Fixed an issue where the default profile would fail to create in some instances upon upgrade.
- Fixed an issue where the Action Confirmation dialog within the Configuration package saw a delay in closing.
- Fixed an issue where the Run button on the Run Configuration Package page got stuck in a disabled state.
- Fixed an issue where status of certificate retrieval on Activity Log page remained “In Progress” indefinitely.
Known issues
- In some instances, certificate signing request may fail due to private key not being exportable from Windows Certificate Store. Users will see failure immediately upon CSR generation.
Release Start Date: June 4, 2026
Important notes
The Certificate Manager November 4, 2025 release added the ability to use profiles that target settings by computer group. Profiles require Endpoint Toolset 2.20.86 or later. Profiles replace the ability to set global settings on the Settings page. The certificate audit settings will be removed from the Settings page in a future release. For more detail, see Deploying Certificate Audits in the Tanium Certificate Manager User Guide.
Improvements
- Upgraded various third-party libraries to newer versions.
Known issues
- In some instances, certificate signing request may fail due to private key not being exportable from Windows Certificate Store. Users will see failure immediately upon CSR generation.
Release Start Date: March 14, 2026
Important notes
The Certificate Manager November 4, 2025 release added the ability to use profiles that target settings by computer group. Profiles require Endpoint Toolset 2.20.86 or later. Profiles replace the ability to set global settings on the Settings page. The certificate audit settings will be removed from the Settings page in a future release. For more detail, see Deploying Certificate Audits in the Tanium Certificate Manager User Guide.
Improvements
- Upgraded various third-party libraries to newer versions.
Known issues
- In some instances, certificate signing request may fail due to private key not being exportable from Windows Certificate Store. Users will see failure immediately upon CSR generation.
Release Start Date: March 5, 2026
Important notes
The Certificate Manager November 4, 2025 release added the ability to use profiles that target settings by computer group. Profiles require Endpoint Toolset 2.20.86 or later. Profiles replace the ability to set global settings on the Settings page. The certificate audit settings will be removed from the Settings page in a future release. For more detail, see Deploying Certificate Audits in the Tanium Certificate Manager User Guide.
Improvements
- Upgraded various third-party libraries to newer versions.
Bug fixes
- Fixed an issue where a null character in the Subject Alternative Name caused the Certificate Details sensor results to truncate and Total Certificates Inventoried count on Overview page to drop.
- Fixed an issue where a large number of configured port exclusions could cause default profile creation to fail during deployment.
Known issues
- In some instances, certificate signing request may fail due to private key not being exportable from Windows Certificate Store. Users will see failure immediately upon CSR generation.
Release Start Date: February 9, 2026
Important notes
The Certificate Manager November 4, 2025 release added the ability to use profiles that target settings by computer group. Profiles require Endpoint Toolset 2.20.86 or later. Profiles replace the ability to set global settings on the Settings page. The certificate audit settings will be removed from the Settings page in a future release. For more detail, see Deploying Certificate Audits in the Tanium Certificate Manager User Guide.
Bug fixes
- Fixed an issue that caused service logs to be renamed with an invalid suffix.
Known issues
- In some instances, certificate signing request may fail due to private key not being exportable from Windows Certificate Store. Users will see failure immediately upon CSR generation.
Release Start Date: January 20, 2026
Important notes
The Certificate Manager November 4, 2025 release added the ability to use profiles that target settings by computer group. Profiles require Endpoint Toolset 2.20.86 or later. Profiles replace the ability to set global settings on the Settings page. The certificate audit settings will be removed from the Settings page in a future release. For more detail, see Deploying Certificate Audits in the Tanium Certificate Manager User Guide.
Improvements
- Added new chart to Health section of Overview page to display endpoints with profiles deployed, but no certificates found.
- Added Computer Groups column on the Profiles page.
- Upgraded various third-party libraries to newer versions.
Bug fixes
- Fixed an issue where certificate counts on the Certificate Inventory page can fluctuate despite complete retrieval status.
- Updated the Endpoints with Profiles Needing Attention chart under the Health section of the Overview page to include endpoints whose Index scans stopped running.
Known issues
- In some instances, certificate signing request may fail due to private key not being exportable from Windows Certificate Store. Users will see failure immediately upon CSR generation.
Release Start Date: December 15, 2025
Important notes
The Certificate Manager November 4, 2025 release added the ability to use profiles that target settings by computer group. Profiles require Endpoint Toolset 2.20.86 or later. Profiles replace the ability to set global settings on the Settings page. The certificate audit settings will be removed from the Settings page in a future release. For more detail, see Deploying Certificate Audits in the Tanium Certificate Manager User Guide.
New features
Introduced Guide observations to receive alerts on certificate expiration in the console. For more detail, see Tanium Autonomous IT Platform in Certificate Manager in the Tanium Certificate Manager User Guide.
Improvements
- Distributed TPowershell.exe within Windows certificate replacement template package in cases where user is running 64-bit specific PowerShell cmdlets.
- Added a new custom script file to the non-Windows certificate replacement template package to help customers edit their own script independent of Tanium. Customers can now test their replacement script on the command line without using Tanium.
- Added columns to the Certificate Inventory page to include SHA1 Fingerprint and Serial Number.
- Added SHA1 Fingerprint and Serial Number to Certificate Inventory page flyout.
- Added column to the Certificate Inventory page to include lifetime of certificate.
- Added new sensor Certificate Manager – Profile Details to provide profile name and whether the listening port scan is enabled on that endpoint.
- Added new parameterized sensor Certificates Asserting OID to search for certificates with specific OIDs associated with them.
Bug fixes
- Fixed an issue where certificate signing request was unable to be regenerated a second time in cases where certificate replacement may have failed.
- Fixed an issue where the Certificate Manager – SSL Certificate Process Details sensor did not return values for the Owning Process and Owning Process Description fields for IIS on Windows 10.
- Fixed an issue calculating expiration status in cases where user runs sensor before database is updated (for example, when machine has been shut down for long periods).
Known issues
- In some instances, certificate signing request may fail due to private key not being exportable from Windows Certificate Store. Users will see failure immediately upon CSR generation.
Release Start Date: November 4, 2025
Note: Functionality related to Profiles and Certificate Locations features contained in this release require endpoint toolset of 2.20.86 or later.
New features
- Introduced a Configuration tab containing new Profiles page that provides for targeting settings by computer group. For more detail, see “Deploying Certificate Audits” in the Tanium Certificate Manager User Guide.
- Introduced a Certificate Locations page within the Configuration tab that expands upon default paths to search for at-rest certificate locations. This page provides customers with a default set of Index subscriptions and also allows for inputting customized locations by file name regex or magic number. For more detail, see “Configuring Certificate Locations” in the Tanium Certificate Manager User Guide.
- Created a new “Default Config” profile targeting all computers, mirroring the customer’s current settings of the legacy global configuration. Profile is enabled upon upgrade, but user must deploy the profile for it to take effect; user may edit or delete as needed before deploying.
- Provided visibility into Java KeyStores, like JCEKS.
Improvements
- For endpoints with endpoint Toolset version 2.20.86 or later, Certificate Manager now leverages Endpoint Configuration (ECF) Toolset to complete certificate audits via the Software Manager client extension (CX). This enables the ability to target settings, like listening port scan exclusions, by computer group. Customers can choose to switch to CX auditing, versus current Python tooling, by enabling and deploying a profile. For endpoints with endpoint toolset version earlier than 2.20.86, certificate audits will continue to be governed by Python tooling.
- Added new Health section at the bottom of the Overview page to show where profiles are in use and where CX scan errors have occurred. To view troubleshooting steps for CX scan errors, see “Endpoint with profile needs attention" in the Tanium Certificate Manager User Guide.
- Added banner to Overview page specifying when profiles and certificate locations need to be deployed, indicating changes were made in the UI (but not yet deployed to endpoints) on these respective pages.
- Added banner to legacy global configuration Settings, specifying proper endpoint toolset version.
- Added ability to exclude Tanium client ports from audits when configuring a Profile.
- Added column filters to the Certificate Inventory page to more easily locate specific certificates.
- Added 'read sensor' privilege to the Certificate Manager Operator role for the Client Management content set, allowing the operator to view action logs for their replacement configuration actions.
- Added ability to view intermediate certificates on the Certificate Replacement page where applicable, whereas previously the UI only displayed the leaf certificate.
- For configuration packages used during the replacement process, added ability to run at-rest audit without a listening port scan.
- Updated template packages for certificate replacement feature to support new CX audits.
- Added ability to view "Action Log" beside configuration results on the Certificate Replacement page.
- Added new RBAC role called “Certificate Manager Configuration Manager” that can view, update, distribute and manage configuration profiles and other configurations.
- Upgraded various third-party libraries to newer versions.
Bug fixes
- Fixed an issue where certificate signing requests with missing or invalid key lengths were able to be submitted.
- Fixed an issue where the count of certificates on the Certificate Inventory page didn’t match the CSV file export in some cases.
Known issues
- In some instances, certificate signing request may fail due to private key not being exportable from Windows Certificate Store. Users will see failure immediately upon CSR generation.
Release Start Date: October 23, 2025
Improvements
- Upgraded various third-party libraries to newer versions
Release Start Date: August 26, 2025
Improvements
- Upgraded various third-party libraries to newer versions
Release Start Date: May 27, 2025
Improvements
- Upgraded various third-party libraries to newer versions
Release Start Date: March 26, 2025
Improvements
- Introduced a certificate replacement action to swap expired certificates on multiple endpoints. This feature is initiated for a given certificate contained within the Certificate Inventory page and supports both listening services and at-rest certificates. For more detailed information about the process, see "Replace certificates" in the Tanium Certificate Manager User Guide.
- Introduced an Activity Log page to capture the status of certificate replacements and retrievals. For more information, see "Replace certificates" in the Tanium Certificate Manager User Guide.
- Added a Certificate Manager Package Author role to enable users to unpack and configure replacement certificates on endpoints.
- Added a Certificate Manager Audit read permission to view the audit log through the Certificate Manager API.
- Upgraded various third-party libraries to newer versions.
- Added support for Python 3.12.
Bug Fixes
- Fixed error banner after creating read-only roles, then switching personas. For-read only roles, the Certificate Inventory page now contains a warning that read access is not allowed.
- Fixed a misalignment issue of the columns on the Certificate Inventory page when users edit their order preference.
- Fixed need for a hard refresh on the Certificate Inventory page in instances when the browser window was left open for a lengthy period, then accessed again to change filter.
- Fixed an issue where, when traversing to port settings through the banner warning, users were unable to select other settings tabs.
- Fixed an issue where the Certificate Details panel toggle on the Certificate Inventory page was available to users who do not have Certificate Manager Certificate read permission. Users are now prevented from toggling the panel when they do not have the necessary privileges.
- Fixed an issue where reports were missing from the Certificate Manager Overview page after upgrade.
Release Start Date: March 19, 2025
Improvements
- Upgraded various third-party libraries to newer versions
Release Start Date: February 24, 2025
Improvements
- Upgraded various third-party libraries to newer versions
Release Start Date: October 1, 2024
Improvements
- Upgraded various third-party libraries to newer versions
Release Start Date: August 26, 2024
IMPORT CONFIGURATION CHANGE In this release, port scanning is disabled by default. Prior to this release, the default setting was to enable port scanning. If a customer disabled port scanning and then re-enabled port scanning prior to this release, port scanning remains enabled upon upgrade.
If a customer never changed port scanning options and used the default option of enabled port scans, the default changes to disabled port scans upon upgrade and a warning banner appears on the Certificate Manager Overview page. Customers who want port scanning enabled can follow the link on the banner to change the default option. For information on configuring audit settings, see Tanium Certificate Manager User Guide: Configure audit setting.
Improvements
- Introduces a new Certificate Inventory page that contains a list of both listening service and at-rest certificates.
- The Certificate Inventory page contains actions to download a given certificate, export certificates to CSV, or exclude certificates from inventory.
- The Certificate Manager Overview page banner now shows a banner when listen port scanning is disabled.
- An import status now appears when uploading a bundle of certificates during single file import.
- The Certificate Audit Status sensor results now contain the OpenSSL version for the endpoint.
- Includes the ability to Click to Copy text on the Certificate Authority page.
- Raises a service crash warning when the service stops responding during audit.
- Switches approved ciphers description to IANA guidelines vs. NIST.
- Contains new PowerShell code signing certificate so that endpoints that require PowerShell scripts to be signed can verify that signature.
Bug Fixes
- Fixes an issue where certificate audits were running more frequently than configured in some instances.
- Fixes an issue blocking reporting for at-rest certificates on Windows machines where SSL service scanning was disabled.
- Fixes an issue filtering on 'Total Certificate Inventory' panel.
- Fixes an issue where Version 1 self-signed certificates might generate an error when adding a valid certificate authority.
- Fixes the missing Location column on the Short Keys report.
- Removes the duplicate Root Certificate Details report.
Release Start Date: March 11, 2024
Improvements
- Ships new PowerShell code signing certificate so that endpoints requiring PowerShell scripts to be signed can verify that signature.
- Sign PowerShell scripts with new certificate
Bug Fixes
- Fixes an issue where users reached a timeout while enumerating user certificates.
Requirements
- Tanium™ Core Platform 7.5.5.1140 or later
- Tanium™ Client Management 1.12.77 or later
- Tanium™ Reporting 1.13.76 or later
- Tanium™ RDB 1.2.211 or later
Tools Versions
- Includes core-python: 3.3.59
Release Start Date: February 21, 2024
Bug Fixes
- Fixes an issue where the Certificate Details sensor was unable to report at-rest certificates on Windows machines where SSL service scanning has been disabled.
- Fixes an issue where the Total Certificate Inventory panel reported a positive number of certificates inventoried before endpoints were scanned.
- Fixes an issue where the Certificate Manager service fails to start when sensors are not configured correctly to harvest sensor data.
Requirements
- Tanium™ Core Platform 7.5.5.1140 or later
- Tanium™ Client Management 1.12.77 or later
- Tanium™ Reporting 1.13.76 or later
- Tanium™ RDB 1.2.211 or later
Tools Versions
- Includes core-python: 3.1.43
Known Issues
- Might fail to enumerate Windows user certificate stores
Release Start Date: December 4, 2023
Improvements
- Adds support for Endpoint Change Management.
Release Start Date: October 3, 2023
Bug Fixes
- Fixes an issue where the cipher setting page would fail to load if the last modified user is missing from the user list.
Release Start Date: August 30, 2023
Improvements
- Expiration sensor fields now show time along with date.
- Improved user experience by consolidating the audit timeout to be managed by the package itself and removes the UI option to modify the setting.
Bug Fixes
- Fixes an issue where the SSL Service Cipher Suite Approval sensor might not respond for some Linux machines.
- Fixes issues related to the Benchmark Certificate Details sensor.
- Fixes an issue where the Certificate Manager operator role is unable to edit Certificate Manager settings.
- Fixes an issue where the Issuer and Subject columns are inverted on the Certificate Details sensor for at-rest certificates.
- Fixes an issue where restricted targeting might not be respected upon import on new installations.
- Fixes issues around ECF Approvals for clarity and effectiveness.
- Fixes a cosmetic issue where certificate fingerprints case is inconsistent.
Release Start Date: August 17, 2023
Bug Fixes
- Removes default certificate exclusions which can result in a drop of audited certificates.
Release Start Date: August 14, 2023
Enhancements
- Cipher suite approval feature has been enhanced. Default cipher suite approvals are now based on IANA recommended cipher suites and the strength references have been removed. Several supporting dashboard panels, reports, and sensors have been created or deleted.
Improvements
- Improves the reliability of sensor data for backwards tool compatibility.
- Improves filtering of the Exclusion List settings page.
- Updates tool tips and descriptions for clarity and new feature information
- Improves UTF-8 handling to better support non-ascii character language based operating systems.
- Improves signed Certificate Manager PowerShell script trusts and execution.
- Updates to dashboard for clarity and to support the new cipher approval feature.
- Includes enhancements to logging to improve supportability.
- Users can now bulk modify Certificates Authorities in settings.
- Adds MD5 and SHA1 certificate thumbprints to Certificate Details sensor to provide additional filtering for users.
- Shows the default excluded certificates in the Certificate Manager settings page.
- Removes sensors, reports, and dashboard panels referring to cipher strength.
Bug Fixes
- Fixes an issue where unauthorized users can view portions of the Certificate Manager settings page. The pages do not render correctly, and users are unable to edit or view the settings.
- Fixes an issue where an endpoint will scan SSL services even after disabling the listening port scan.
- Fixes an issue where certain sensors will error if the certificate audit is attempted before the Certificate Manager tools and configuration are deployed to the endpoint.
- Fixes an undefined column in the Exclusions List settings page.
- Fixes an issue where the duplicate certificates are surfaced on listening services.
- Fixes an issue where an improper response from any IP address listening on a given port will invalidate the port from audit entirely.
- Fixes an issue where an existing note on an excluded certificate is not displayed when the user attempts to edit that note.
- Fixes an issue where extended key use features might surface in the standard key usage sensor field.
- Fixes an issue where a user can upload an invalid Certificate Authority and Certificate Manager does not provide feedback to the user.
- Fixes an issue where the Certificate Manager Overview page might flash and scroll slightly while viewing dashboard panels.
- Fixes an issue where filtering the Exclusions List with the Active/Inactive buttons will cause certificates to no longer appear.
- Fixes an issue where Certificate Manager will check for Endpoint Configuration approval status multiple times unnecessarily.
- Fixes an issue where configuration changes are not indicating that there are approvals waiting when Endpoint Configuration approvals are enabled.
Release Date: August 7, 2023
Improvements
- Adds the Benchmark Certificate Details sensor for Certificate Manager integration with Tanium Benchmark.
Release Date: July 26th, 2023
Improvements
- Improved cleanup when uninstalling Certificate Manager to support trial and POC instances in Tanium Cloud.
- Default targeting for Certificate Manager Action Group is now configured to "All Computers" on initial installation.
Bug Fixes
- Fixes an issue where reinstalling Certificate Manager in environments with ECF approvals enabled can cause service issues.
Release Date: July 6th, 2023
Enhancements
- Tanium Certificate Manager configuration and audit settings are now incorporated into a workbench. This new workbench allows customers to easily schedule certificate audits, add approved certificates authorities and ciphers, and exclude certificates from auditing. Certificate Manager is now easier to deploy and maintain for both new and existing customers.
Improvements
- Adds customer-editable cipher approvals to certificate audits and reports.
- Adds support for dynamic Tanium Client and Tanium Client API port exclusion.
- Improves code efficiency and performance in endpoint tools.
- Updates Dashboards and Reports for clarity and support of new cipher approvals feature in Certificate Manager.
- Updates the Subject and Issuer sensor fields to match standard LDAP formatting.
Bug Fixes
- Fixes an issue where some authorized certificates are categorized as self-signed.
- Fixes an issue where additional values from EV certificates are not properly handled.
- Fixes an issue where Linux listen port audit fails when a null pointer error is raised on the endpoint.
- Fixes an issue where not all generated extensions are returned on certain endpoints.
- Fixes an issue where sensor and report results do not return correctly against endpoints when the certificate audit was run with the Listen Port Scan option disabled.
- Moves the Certificate Manager - Minimum Service Cipher Suite Strength from the Default to the Certificate Manager content set.
Release Date: May 25, 2023
Bug Fixes
- Fixes an issue where sensor results return with errors on endpoints that never ran the listening port scan.
Release Date: May 18, 2023
Improvements
- Improvements added for certificate audit logging for clarity and efficiency.
- Adds the ability to remove all port exclusions from through the Certificate Audit Delete Port Exclusions package.
Bug Fixes
- Fixes an issue where Windows endpoints may not complete the listen port audit when IPv6 Is enabled.
- Fixes an issue where certain sensors may return [no results]. These sensors will now return a default response.
- Fixes an issue on Windows endpoints with the a locale applied that return a UTF-8 error while running an audit.
- Fixes an issue where Certificate Manager may fail to audit all listening ports when a service has an invalid SSL Content Type.
- Fixes the parameter validation for the Certificate Audit Add Port Exclusions and Certificate Audit Delete Port Exclusions packages.
- Fixes the Certificate Audit Port Exclusions senor column data type. This allows for better sorting of the results.
- Fixes an issue where endpoints stop auditing listening service after an upgrade of the Certificate Manager module.
- Fixes an issue where Windows endpoints would stop showing sensor results if the validity time was over 32,000 days.
- Fixes an issue where Coverage Status would not raise an out of date version of Windows PowerShell.
- Fixes an issue where the at-rest certificate audit would not complete if a listening service scan was never attempted.
Release Date: April 27, 2023
Improvements
- Significant efficiency improvements when scanning cipher suites.
- Updates dashboards and reports for better visibility of data.
- Updates PowerShell script invocation with AllSigned flag.
- Provides the ability for certificate audits to run without port scanning.
- Adds Certificate Audit Age sensor to TDS capture for more flexibility of data in reports and dashboards.
- Certificate Details sensor now includes the SHA256 hash in the output.
- Coverage Status Details Status Initializing State now reports if an endpoint has not run its first certificate audit.
- Certificate Manager now provides logging levels that match other Tanium modules.
- Logs are now centralized in the Tanium Client Logs folder for Certificate Manager.
- Adds new Certificate Manager roles.
Bug Fixes
- Fixes a visual issue where there might be a case mismatch on the SHA256 certificate thumbprint for listen ports when compared to at-rest certificates.
- Fixes an issue where sensors might return an unexpected trusted root path.
- Fixes an issue where endpoints with ports listening on OpenSSL 3.0 only might not have their certificates captured by the audit.
- Fixes an issue where the audit might not identify SSL2 only servers.
- Fixes an issue where IPv6 addresses are parsed incorrectly on Linux.
Initial Release Date: March 8, 2023
Features
- Certificate Manager provides modernized visibility into your digital certificates across your endpoint estate
- Surface expired or expiring certificates in your environment to help reduce outage and vulnerabilities
- Pinpoint location of wildcard certificates in use by both services, and in certificate stores
- Identify weak cryptographic algorithms and key lengths for both general security and to prepare for quantum-safe cryptographic standards
- Surface self-signed and unauthorized CA certificates