Keytos Product Changelog

Monthly changelog of customer-facing features across Keytos products including EZCA, EZRADIUS, EZSSH, EZMonitor, and EZCMS.

Track the latest features, improvements, and updates across all Keytos products — EZCA, EZRADIUS, EZCMS, EZSSH, and EZMonitor.

April 2026

EZRADIUS

  • RadSec certificate logging — RadSec connections now log the certificate used during authentication, making it easier to audit and troubleshoot certificate-based network access events in your SIEM.
  • Strengthened DDoS resilience for RADIUS service availability. — Strengthened traffic filtering to keep your RADIUS service available during volumetric attacks and unexpected traffic spikes.
  • IP address support in certificate requests — CSRs for Local CAs now contain the IP address of the requesting server as a Subject Alternative Name, improving compatibility with network devices.
  • Microsoft Graph API migration — Migrated to the latest Microsoft Graph API to maintain full compatibility with Entra ID and Microsoft 365 as Microsoft retires older API versions.

EZCA

  • Username in smartcard certificates — Issued smartcard certificates now include the user’s username as a Subject Alternative Name, improving compatibility with systems that rely on UPN-based identity matching.
  • Certificate expiry dashboard improvements — The certificate expiry monitoring dashboard has been redesigned for clearer at-a-glance visibility into upcoming renewals and expirations.
  • Required field indicators — Required fields are now clearly marked throughout the EZCA portal, reducing configuration errors and making onboarding faster for new administrators.
  • Automated ADCS migration — New tooling to automate migration from on-premises Active Directory Certificate Services (ADCS) to EZCA, significantly reducing manual effort and migration risk.
  • Full Certificate Chain Support in Azure Key Vault — Certificates issued by EZCA can now include the full certificate chain when stored in Azure Key Vault, improving compatibility with applications that require intermediate certificates for proper validation.

EZSSH

  • GitHub Enterprise SCIM provisioning — EZGIT now supports SCIM-based user provisioning for GitHub Enterprise, enabling automated user lifecycle management so access is granted and revoked in sync with your identity provider.

EZCMS

  • Request Tokens In the Application — Users can now request their Smartcard or YubiKey token directly from the EZCMS application, streamlining the onboarding process and reducing reliance on email-based token distribution.

March 2026

All Tools

  • CloudWatch, Datadog, and Huntress log forwarding — All Keytos products now support forwarding logs directly to CloudWatch, Datadog, and Huntress, giving your security team unified visibility across tools without custom integrations.

EZRADIUS

  • RADIUS attribute formatting fixes — Resolved formatting issues with certain RADIUS attribute values to improve compatibility with a wider range of network equipment and NPS policies.

EZCA

  • Custom EKU-only CA mode — CAs can now be restricted to issuing certificates with only custom Extended Key Usages (EKUs), giving you tighter control over certificate purpose in specialized or regulated environments.
  • Certificate renewal agent for macOS and Linux — The automated certificate renewal agent now runs on macOS and Linux, expanding coverage beyond Windows for servers and workloads across your environment.
  • File system certificate storage — The renewal agent can now save renewed certificates directly to the file system in addition to the Windows certificate store, making it easier to integrate with Linux services and applications that read certificates from disk.

EZCMS

  • Second certificate on YubiKey secondary PIV slot — YubiKeys can now hold a second certificate in the secondary PIV slot, supporting workflows that require separate certificates for different purposes on a single key.

EZMonitor

  • Pre-certificate logging — EZMonitor now detects and logs pre-certificates from Certificate Transparency logs, giving you earlier warning of certificates issued for your domains — before the final certificate is published.

February 2026

EZRADIUS

  • UAE region — EZRADIUS is now available in the United Arab Emirates, providing local data residency and low-latency authentication for customers in the Middle East.

EZCMS

  • macOS YubiKey onboarding — Mac users can now complete the full YubiKey onboarding and enrollment process on macOS without needing a Windows machine.
  • ECDSA key support for YubiKey onboarding — YubiKey enrollment now supports ECDSA keys in addition to RSA, enabling stronger certificates with smaller key sizes and faster cryptographic operations.

January 2026

EZRADIUS

  • RADIUS Class attribute (Attribute 25) support — EZRADIUS can now send the RADIUS Class attribute in authentication responses, allowing policies to pass arbitrary data to network devices for use in access control, logging, and VLAN assignment.

EZCA

  • Inter-CA (IACA) linking — EZCA now supports linking Inter-CA certificates, enabling more complex CA hierarchies and multi-root trust chain configurations.

EZSSH

  • SSH certificate deletion — SSH certificates now are automatically deleted from the ssh-agent after their expiration time, reducing the risk of overloading the agent with expired credentials and improving security hygiene.

EZMonitor

  • Database migration — Migrated to a new database backend for improved query performance and higher reliability when monitoring large certificate inventories.

December 2025

All Tools

  • Engineering Improvements — Multiple performance and reliability improvements across all Keytos products, including faster API response times, reduced memory usage, and improved error handling during high load.

EZRADIUS

  • RadSec reliability enhancement — Multiple reliability fixes to the RadSec (RADIUS over TLS) implementation, reducing connection drops and improving behavior under sustained high load.
  • RADIUS lifecycle improvements — More graceful handling of server restarts and configuration updates, minimizing disruption to active authentication sessions during maintenance.

November 2025

All Tools

  • .NET 10 upgrade — All Keytos services have been upgraded to .NET 10, bringing measurable performance improvements, reduced memory usage, and the latest platform security patches.

EZRADIUS

  • NAS IP and NAS Identifier in authentication logs — RADIUS authentication events now include the NAS IP address and NAS Identifier, making it straightforward to trace exactly which network device handled each authentication request in your SIEM.

October 2025

EZRADIUS

  • Billing system overhaul — Rebuilt the EZRADIUS billing system to provide more accurate usage tracking and clearer cost reporting.
  • Access policy control improvements — Access policy configuration in the EZRADIUS portal has been streamlined for easier setup and clearer visibility into which policies are active.
  • Lifecycle management tooling — New tools for provisioning, updating, and decommissioning RADIUS server instances, reducing the operational overhead of managing RADIUS fleet.
  • South Africa region — EZRADIUS is now available in South Africa, enabling low-latency authentication for customers in Sub-Saharan Africa.

EZCA

  • Certificate revocation UX improvements — Simplified the revocation workflow in the EZCA portal with clearer confirmation dialogs and real-time status feedback after revocation.

September 2025

EZRADIUS

  • Local EZRADIUS proxy — Released the local EZRADIUS proxy, which lets you run a RADIUS endpoint on your own network that forwards authentication requests to the EZRADIUS cloud service. Ideal for legacy network devices that cannot reach cloud RADIUS endpoints directly.

August 2025

EZRADIUS

  • Latin America region — EZRADIUS is now available in Latin America, providing local data residency and low-latency RADIUS authentication for customers in the region.
  • Richer authentication event logging — Authentication events now include additional metadata, giving SIEM integrations more context for investigating authentication failures and suspicious activity.

EZCA

  • Certificate inventory in EZMonitor — Certificates issued by EZCA are now automatically surfaced in EZMonitor, providing a unified view of certificate health and upcoming expirations across your PKI.
  • Certificate renewal v2 — Revamped certificate renewal engine with improved reliability, better error handling, and broader compatibility across certificate types and enrollment methods.

EZCMS

  • Feitian biometric cards v2 — Updated support for Feitian biometric security keys with compatibility for the latest card firmware and more reliable enrollment flows.
  • Yubico biometric cards v2 — Updated support for YubiKey Bio series keys with improved fingerprint enrollment reliability and more consistent authentication performance.
  • PC/SC exclusive session mode — EZCMS can now open an exclusive PC/SC session with the card reader, preventing conflicts when multiple applications attempt to access the smartcard simultaneously.
  • CTAP biometric error handling — Clearer error messages and smoother recovery flows when fingerprint verification fails during FIDO2 authentication, reducing user frustration during enrollment and login.

July 2025

EZRADIUS

  • Certificate subject name in SIEM events — Authentication events for certificate-based logins now include the certificate subject name, making it easier to correlate network access events with specific user identities in your SIEM.

EZCA

  • ACME agent for Linux — Released a native ACME agent for Linux servers, enabling fully automated certificate issuance and renewal without manual intervention or custom scripting.
  • Custom certificate subject names — Certificate subject names can now be configured directly in EZCA, giving administrators more control over the identity information encoded in issued certificates.
  • CA certificate dialog improvements — The CA certificate details view has been redesigned for clarity, making it easier to inspect certificate chain information and CA configuration at a glance.

EZCMS

  • Authentrend biometric card support — Added enrollment and management support for Authentrend biometric security keys, expanding the range of FIDO2 hardware compatible with EZCMS.

June 2025

EZRADIUS

  • Enhanced RadSec event logging — RadSec connection events now include client certificate details and TLS version information, providing richer audit trails for troubleshooting and compliance reporting.

May 2025

EZRADIUS

  • Australia region — EZRADIUS is now available in Australia, supporting local data residency and low-latency authentication for customers in the Asia-Pacific region.
  • Multiple values for RADIUS attributes — EZRADIUS can now return multiple values for the same RADIUS attribute in a single response, improving compatibility with network equipment that uses repeated attributes for group membership and policy enforcement.
  • PROXY protocol support — EZRADIUS now correctly identifies the originating client IP when deployed behind a load balancer or proxy, ensuring accurate logging and IP-based policy enforcement.
  • Stale session cleanup — Improved cleanup of expired session and cache data to keep RADIUS performance consistent over time.
  • Portal usability improvements — General improvements to navigation and status displays throughout the EZRADIUS portal.

EZCA

  • Authentrend smartcard support — EZCA now supports certificate issuance to Authentrend smartcards, expanding the range of compatible hardware security devices for certificate-based authentication.
  • Automatic CA certificate renewal — CA certificates approaching expiration are now automatically renewed, preventing CA downtime and ensuring uninterrupted certificate issuance without administrator intervention.
  • New database backend — Migrated to a new database implementation for improved performance, reliability, and scalability as certificate volumes grow.

EZCMS

  • YubiKey FIDO2 biometric support — EZCMS now supports enrolling and managing FIDO2 biometric credentials on YubiKey Bio series keys, enabling fingerprint-based passwordless authentication.
  • Global FIDO2 toggle — Administrators can now enable or disable FIDO2 authentication globally from the EZCMS admin portal, making it easy to control rollout timing across the organization.
  • Authentrend certificate support — EZCMS can now issue and manage certificates stored on Authentrend security keys.