Distributed Issuer releases

Learn about current and past releases of Distributed Issuer (formerly known as Firefly). For the release lifecycle, see Supported versions.

Helm charts are public, but some container images require a pull secret. See Configuring access to the NGTS registry.

The latest stable version is v1.11.0
  • Helm chart (public): oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer-public:v1.11.0
  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer:v1.11.0
  • Helm chart (FIPS): oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer-fips:v1.11.0
  • Standard image (public): registry.ngts.paloaltonetworks.com/distributed-issuer-public/distributed-issuer:v1.11.0
  • Standard image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer:v1.11.0
  • FIPS image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer-fips:v1.11.0
  • PKCS#11 base image (public): registry.ngts.paloaltonetworks.com/distributed-issuer-public/distributed-issuer-base-pkcs11:v1.11.0
  • PKCS#11 base image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer-base-pkcs11:v1.11.0
  • PKCS#11 FIPS base image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer-base-pkcs11-fips:v1.11.0

Download the binary

To download the Distributed Issuer PKCS#11 binary, use crane to extract it from the container image:

crane export registry.ngts.paloaltonetworks.com/distributed-issuer-public/distributed-issuer-base-pkcs11:v1.11.0 | tar --strip=1 -xf - /ko-app/distributed-issuer

Release 1.11.0

CyberArk Workload Identity Manager 1.11.0 was released on 07 May, 2026.

Next-Gen Trust Security support

This release of Distributed Issuer adds support for Next-Gen Trust Security. To learn more, see the Next-Gen Trust Security documentation.

Key features

  • A new distributed-issuer binary and Helm chart now support the Next-Gen Trust Security product.
  • The Helm chart can now automatically create VenafiConnection resources and associated role-based access control when connection.create is set to true.
  • You can now configure a custom container registry using the imageRegistry and imageNamespace Helm values.

Fixes and updates

  • Fixed CVE-2026-33186, a gRPC vulnerability.
  • Fixed "no authenticator defined" errors in certain deployment configurations.
  • The Helm chart image template helper has been renamed to avoid conflicts when Distributed Issuer is deployed as a sub-chart within an umbrella chart.
  • The tsgID field now accepts both string and numeric formats.
  • HSM and PKCS#11 initialization now run at startup, reducing latency on the first certificate request.

Downloads

  • Helm chart (public): oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer-public:v1.11.0
  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer:v1.11.0
  • Helm chart (FIPS): oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer-fips:v1.11.0
  • Standard image (public): registry.ngts.paloaltonetworks.com/distributed-issuer-public/distributed-issuer:v1.11.0
  • Standard image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer:v1.11.0
  • FIPS image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer-fips:v1.11.0
  • PKCS#11 base image (public): registry.ngts.paloaltonetworks.com/distributed-issuer-public/distributed-issuer-base-pkcs11:v1.11.0
  • PKCS#11 base image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer-base-pkcs11:v1.11.0
  • PKCS#11 FIPS base image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer-base-pkcs11-fips:v1.11.0