Skip to content

Distributed Issuer releases

Learn about current and past releases of Distributed Issuer (formerly known as Firefly). For the release lifecycle, see Supported versions.

Helm charts are public, but some container images require a pull secret. See Configuring access to the NGTS registry.

The latest stable version is v1.12.0
  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer-public:v1.12.0
  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer:v1.12.0
  • Helm chart (FIPS): oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer-fips:v1.12.0
  • Standard image (public): registry.ngts.paloaltonetworks.com/distributed-issuer-public/distributed-issuer:v1.12.0
  • Standard image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer:v1.12.0
  • FIPS image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer-fips:v1.12.0
  • PKCS#11 base image (public): registry.ngts.paloaltonetworks.com/distributed-issuer-public/distributed-issuer-base-pkcs11:v1.12.0
  • PKCS#11 base image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer-base-pkcs11:v1.12.0
  • PKCS#11 FIPS base image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer-base-pkcs11-fips:v1.12.0
Download the binary

To download the Distributed Issuer PKCS#11 binary, use crane to extract it from the container image:

crane export registry.ngts.paloaltonetworks.com/distributed-issuer-public/distributed-issuer-base-pkcs11:v1.12.0 | tar --strip=1 -xf - /ko-app/distributed-issuer

Release 1.12.0

CyberArk Workload Identity Manager 1.12.0 was released on 9 June, 2026.

Key features

  • Distributed Issuer can now authenticate to Next-Gen Trust Security using Workload Identity Federation (WIF). With WIF, Distributed Issuer authenticates through a Kubernetes ServiceAccount token instead of a stored private key. To learn more, see Authenticate to NGTS with Workload Identity Federation.
  • HTTPS is now required for JWKS and OIDC endpoints. The installer rejects configurations that use HTTP.

Action required for HTTP endpoints

If you currently use HTTP for JWKS or OIDC endpoints, switch to HTTPS before upgrading.

Fixes and updates

  • Updated the following dependencies:

    • venafi-connection-lib to v0.6.1
    • grpc to v1.81.1
    • Kubernetes Go libraries to v0.36.1
    • controller-runtime to v0.24.1

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer-public:v1.12.0
  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer:v1.12.0
  • Helm chart (FIPS): oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer-fips:v1.12.0
  • Standard image (public): registry.ngts.paloaltonetworks.com/distributed-issuer-public/distributed-issuer:v1.12.0
  • Standard image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer:v1.12.0
  • FIPS image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer-fips:v1.12.0
  • PKCS#11 base image (public): registry.ngts.paloaltonetworks.com/distributed-issuer-public/distributed-issuer-base-pkcs11:v1.12.0
  • PKCS#11 base image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer-base-pkcs11:v1.12.0
  • PKCS#11 FIPS base image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer-base-pkcs11-fips:v1.12.0

Release 1.11.0

CyberArk Workload Identity Manager 1.11.0 was released on 07 May, 2026.

Next-Gen Trust Security support

This release of Distributed Issuer adds support for Next-Gen Trust Security (NGTS). To learn more, see the NGTS documentation.

Key features

  • Distributed Issuer can now authenticate to NGTS using Workload Identity Federation (WIF). With WIF, Distributed Issuer authenticates through a Kubernetes ServiceAccount token instead of a stored private key. To learn more, see Authenticate to Next-Gen Trust Security with Workload Identity Federation.
  • HTTPS is now required for JWKS and OIDC endpoints. The installer rejects configurations that use HTTP.

Action required for HTTP endpoints

If you currently use HTTP for JWKS or OIDC endpoints, switch to HTTPS before upgrading.

Fixes and updates

  • Updated the following dependencies:

    • venafi-connection-lib to v0.6.1
    • grpc to v1.81.1
    • Kubernetes Go libraries to v0.36.1
    • controller-runtime to v0.24.1

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer-public:v1.12.0
  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer:v1.12.0
  • Helm chart (FIPS): oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer-fips:v1.12.0
  • Standard image (public): registry.ngts.paloaltonetworks.com/distributed-issuer-public/distributed-issuer:v1.12.0
  • Standard image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer:v1.12.0
  • FIPS image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer-fips:v1.12.0
  • PKCS#11 base image (public): registry.ngts.paloaltonetworks.com/distributed-issuer-public/distributed-issuer-base-pkcs11:v1.12.0
  • PKCS#11 base image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer-base-pkcs11:v1.12.0
  • PKCS#11 FIPS base image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer-base-pkcs11-fips:v1.12.0

Release 1.11.0

CyberArk Workload Identity Manager 1.11.0 was released on 07 May, 2026.

Next-Gen Trust Security support

This release of Distributed Issuer adds support for Next-Gen Trust Security. To learn more, see the Next-Gen Trust Security documentation.

Key features

  • A new distributed-issuer binary and Helm chart now supports the Next-Gen Trust Security product.
  • The Helm chart can now automatically create VenafiConnection resources and associated role-based access control when connection.create is set to true.
  • You can now configure a custom container registry using the imageRegistry and imageNamespace Helm values.

Fixes and updates

  • Fixed CVE-2026-33186, a gRPC vulnerability.
  • Fixed no authenticator defined errors in certain deployment configurations.
  • The Helm chart image template helper has been renamed to avoid conflicts when Distributed Issuer is deployed as a sub-chart within an umbrella chart.
  • The tsgID field now accepts both string and numeric formats.
  • HSM and PKCS#11 initialization now run at startup, reducing latency on the first certificate request.

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer-public:v1.11.0
  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer:v1.11.0
  • Helm chart (FIPS): oci://registry.ngts.paloaltonetworks.com/charts/distributed-issuer-fips:v1.11.0
  • Standard image (public): registry.ngts.paloaltonetworks.com/distributed-issuer-public/distributed-issuer:v1.11.0
  • Standard image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer:v1.11.0
  • FIPS image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer-fips:v1.11.0
  • PKCS#11 base image (public): registry.ngts.paloaltonetworks.com/distributed-issuer-public/distributed-issuer-base-pkcs11:v1.11.0
  • PKCS#11 base image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer-base-pkcs11:v1.11.0
  • PKCS#11 FIPS base image: registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer-base-pkcs11-fips:v1.11.0