CLI tool for CyberArk Certificate Manager releases¶

Learn about current and past releases of the CLI tool for CyberArk Certificate Manager (formerly known as the Venafi CLI tool).

Latest release¶

The latest stable version of CLI tool for CyberArk Certificate Manager is v1.23.0.

Select the file appropriate for your platform below:

Latest Release	OS	Architecture	GPG Signature
CLI tool for CyberArk Certificate Manager	Linux	AMD64 / x86-64	Signature
CLI tool for CyberArk Certificate Manager	Linux	ARM64	Signature
CLI tool for CyberArk Certificate Manager	macOS	AMD64 / x86-64	Signature
CLI tool for CyberArk Certificate Manager	macOS	ARM64, Apple Silicon	Signature
CLI tool for CyberArk Certificate Manager	Windows	AMD64 / x86-64	Signature
Checksums (SHA256)

Verifying CLI tool for CyberArk Certificate Manager archives after download¶

Once you have downloaded the CLI tool for CyberArk Certificate Manager archive and its corresponding signature file, you can verify by executing a command similar to the following:

gpg --verify venctl-linux-amd64.zip.sig venctl-linux-amd64.zip

For a valid signature, the output is similar to the example below:

gpg: Signature made Wed Dec  6 11:09:05 2023 UTC
gpg:                using RSA key BA2F4B4442D945F0A2810A686B99EC1CEEE83892
gpg:                issuer "gpg-vaas@venafi.com"
gpg: Good signature from "Venafi, Inc. <gpg-vaas@venafi.com>" [ultimate]

If you see the error message Can't check signature: No public key., it means that you haven't trusted Venafi's GPG (GNU Privacy Guard) signing key yet. To prevent this error, make sure to trust Venafi's GPG signing key manually before verifying the CLI tool for CyberArk Certificate Manager archive.

Trusting the Venafi GPG signing key

Download the Venafi GPG public key:

curl -O https://dl.venafi.cloud/vaaskey.pub

Import the key into your GPG keyring:
```
gpg --import ./vaaskey.pub
```

Set ownertrust for Venafi Inc. to ultimate:

echo -e "trust\n5\ny\n" | gpg --no-tty --command-fd 0 --edit-key "gpg-vaas@venafi.com"

Verify the key in your keyring:

gpg --list-keys

The result should look similar to the following:

/home/user/.gnupg/pubring.kbx
-----------------------------
pub   rsa4096 2022-03-18 [SCEA]
      BA2F4B4442D945F0A2810A686B99EC1CEEE83892
uid           [ultimate] Venafi, Inc. <gpg-vaas@venafi.com>
sub   rsa2048 2022-03-22 [A]
sub   rsa2048 2022-03-22 [E]

Release 1.23.0¶

CLI tool for CyberArk Certificate Manager 1.23.0 was released on 4 November, 2025.

Key features¶

The version of Go used was updated to v.1.25.3.

The following is a full list of the component versions installable by default in release 1.23.0.

Component	Default version for this release
Approver Policy	v0.22.2
Enterprise Approver Policy for CyberArk Certificate Manager	v0.22.0
AWS Private CA Issuer	v1.7.0
cert-manager	v1.19.1
CSI Driver	v0.11.1
CSI Driver for SPIFFE	v0.10.1
CyberArk Workload Identity Manager	v1.9.3
Istio CSR	v0.14.3
OpenShift Routes for cert-manager	v0.8.3
Trust Manager	v0.20.2
Connection for CyberArk Certificate Manager	v0.5.1
Enterprise Issuer for CyberArk Certificate Manager	v0.17.2
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v1.7.1.

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.23.0	Linux	AMD64 / x86-64	7c12af4085a9c15ac965e0e33ebcc62a0d07a496c5608a61f6b951668ed77d42	Signature
CLI tool for CyberArk Certificate Manager 1.23.0	Linux	ARM64	9c4d6b41460b19e08e30635c828936b281884c2d606e953c7981b79ca2233d04	Signature
CLI tool for CyberArk Certificate Manager 1.23.0	macOS	AMD64 / x86-64	260c167c42250e675eb04af0ce798803994544df2321105bbf245da743171890	Signature
CLI tool for CyberArk Certificate Manager 1.23.0	macOS	ARM64, Apple Silicon	87d14a5d159be29dc090a333631594e6fc846058b489b488d24a2d25701f9e53	Signature
CLI tool for CyberArk Certificate Manager 1.23.0	Windows	AMD64 / x86-64	425a813db968796e40a1728b5f6aa7f235c11200cb50ddbc571a70e90d22402f	Signature
Checksums (SHA256)

Release 1.22.0¶

CLI tool for CyberArk Certificate Manager 1.22.0 was released on 6 October, 2025.

Key features¶

New API for JWT authentication

This release adds support for the new JWT_STANDARD_CLAIMS clientAuthentication type released in CyberArk Workload Identity Manager v1.9.0, and also adds migration logic to migrate the Policies field.
JSON Unmarshal error fix

Release v1.22.0 fixes a JSON Unmarshal error affecting the venctl installation cluster connect and venctl components kubernetes apply commands. The fix separates any warnings and extracts only the JSON array before unmarshalling.
Error handling for duplicated names in cluster

This release provides correct error handling for duplicated names in a cluster. This affected the venctl installation cluster connect command. When a duplicated name in cluster connection workflow is detected the CLI now returns a comprehensive error.
Go updates

The Go toolchain was upgraded to v1.24.5 along with synced ancillary build tools. Go dependencies were also updated.
venctl installation cluster connect command update

The venctl installation cluster connect command no longer installs Connection for CyberArk Certificate Manager by default.

Default component versions for this release

The following is a full list of the component versions installable by default in release 1.22.0.

Component	Default version for this release
Approver Policy	v0.21.0
Enterprise Approver Policy for CyberArk Certificate Manager	v0.21.0
AWS Private CA Issuer	v1.7.0
cert-manager	v1.18.2
CSI Driver	v0.11.0
CSI Driver for SPIFFE	v0.10.0
CyberArk Workload Identity Manager	v1.9.1
Istio CSR	v0.14.2
OpenShift Routes for cert-manager	v0.8.2
Trust Manager	v0.19.0
Connection for CyberArk Certificate Manager	v0.5.0
Enterprise Issuer for CyberArk Certificate Manager	v0.17.1
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v1.6.0.

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.22.0	Linux	AMD64 / x86-64	75aa9d17a2b3142e14b9f0cadac1c4df6dbe8be0d9ae2def68989da061458cef	Signature
CLI tool for CyberArk Certificate Manager 1.22.0	Linux	ARM64	d0ac7c24dd10c830a59517b4173ab71a3aebe093be663e06fd94c963c1ba7c9f	Signature
CLI tool for CyberArk Certificate Manager 1.22.0	macOS	AMD64 / x86-64	7a2190e9fb8cb7d2744b78778363e18dcc98a94351005fb76d6b8c64690ebecc	Signature
CLI tool for CyberArk Certificate Manager 1.22.0	macOS	ARM64, Apple Silicon	66b16db62286646d94bcd04548161ddea39fca079113e49b187490f6927671ae	Signature
CLI tool for CyberArk Certificate Manager 1.22.0	Windows	AMD64 / x86-64	00faa1c7f02f1da3072300d1364687e2c09bdf90ed56154704b8b03f5e412633	Signature
Checksums (SHA256)

Release 1.21.0¶

CLI tool for CyberArk Certificate Manager 1.21.0 was released on 9 July, 2025.

Key features¶

Workload Identity Manager configuration fixes

This release contains fixes for issues with the advanced settings object generated in the Workload Identity Manager configuration file.
Go dependency updates

Several Go dependencies were updated in this release, including github.com/go-viper/mapstructure/v2 which was updated to address GHSA-fv92-fjc5-jj9h.

Default component versions for this release

The following is a full list of the component versions installable by default in release 1.21.0.

Component	Default version for this release
Approver Policy	v0.21.0
Enterprise Approver Policy for CyberArk Certificate Manager	v0.21.0
AWS Private CA Issuer	v1.6.0
cert-manager	v1.18.2
CSI Driver	v0.10.4
CSI Driver for SPIFFE	v0.10.0
CyberArk Workload Identity Manager	v1.8.1
Istio CSR	v0.14.2
OpenShift Routes for cert-manager	v0.8.0
Trust Manager	v0.18.0
Connection for CyberArk Certificate Manager	v0.4.0
Enterprise Issuer for CyberArk Certificate Manager	v0.16.0
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v1.6.0.

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.21.0	Linux	AMD64 / x86-64	09994b08d59e97f43d926f61548faed598aea73cd03c800b8b8a3a2cb29b304d	Signature
CLI tool for CyberArk Certificate Manager 1.21.0	Linux	ARM64	71daf08258fa8169441eafc6c19347b58400d2b9af34e1b9194815741ec2a30a	Signature
CLI tool for CyberArk Certificate Manager 1.21.0	macOS	AMD64 / x86-64	0e8e11bba90c5e75c548c257924e8cc527bba90e77ae5742a17da0422b3e0134	Signature
CLI tool for CyberArk Certificate Manager 1.21.0	macOS	ARM64, Apple Silicon	f911a9258a44aacf7bbb18beae72be5e038fb44213eb856381f4f9b167be3cad	Signature
CLI tool for CyberArk Certificate Manager 1.21.0	Windows	AMD64 / x86-64	1fd9a56d4b05de180e6125c742829265179c9af32a0f6e9985b44f5d26ddd5a7	Signature
Checksums (SHA256)

Release 1.20.0¶

CLI tool for CyberArk Certificate Manager 1.20.0 was released on 16 June, 2025.

Key features¶

UK and AU registry support updates

Updates were made in this release for upcoming new CyberArk OCI registries for United Kingdom (UK) and Australia (AU) CyberArk Certificate Manager - SaaS regions.
Error reporting improvements

This release includes improved error messages and installation prompts when either Helm or the helm-diff plugin are missing if using commands which require them.
Go updated

The version of Go used was updated to v1.24.4 in this release.

Default component versions for this release

The following is a full list of the component versions installable by default in release 1.20.0.

Component	Default version for this release
Approver Policy	v0.20.0
Enterprise Approver Policy for CyberArk Certificate Manager	v0.20.0
AWS Private CA Issuer	v1.5.0
cert-manager	v1.17.2
CSI Driver	v0.10.3
CSI Driver for SPIFFE	v0.9.1
CyberArk Workload Identity Manager	v1.7.0
Istio CSR	v0.14.0
OpenShift Routes for cert-manager	v0.7.0
Trust Manager	v0.17.1
Connection for CyberArk Certificate Manager	v0.4.0
Enterprise Issuer for CyberArk Certificate Manager	v0.15.0
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v1.5.0.

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.20.0	Linux	AMD64 / x86-64	9754a6f95d28ed7271b123f5d54c89a3b313abf045985ba571e1e7d1dcafeb0d	Signature
CLI tool for CyberArk Certificate Manager 1.20.0	Linux	ARM64	3a5e2d74638007877c307c3aec02f2d4585de76bb8e07db9414bdfaa16f95e45	Signature
CLI tool for CyberArk Certificate Manager 1.20.0	macOS	AMD64 / x86-64	13997b5f499e05285e75b83978bc6f043957cfac9abcd49f8663a8f792906aee	Signature
CLI tool for CyberArk Certificate Manager 1.20.0	macOS	ARM64, Apple Silicon	3a5e2d74638007877c307c3aec02f2d4585de76bb8e07db9414bdfaa16f95e45	Signature
CLI tool for CyberArk Certificate Manager 1.20.0	Windows	AMD64 / x86-64	9d0fea23f2edc64bbefe0b0eb1f62520dae0446ec9e90c0d9251fb64ef48cb86	Signature
Checksums (SHA256)

Release 1.19.0¶

CLI tool for CyberArk Certificate Manager 1.19.0 was released on 28 May, 2025.

Key features¶

Canada and Singapore registry and CyberArk Certificate Manager - SaaS support

This release introduces support for the upcoming Canada and Singapore private OCI registries by adding ca and sgoptions for the --region flag for the venctl components kubernetes manifest generate and venctl components kubernetes apply commands. In addition, when the upcoming connection features for Canada and Singapore become available, support for connection to Certificate Manager - SaaS in Canada and Singapore for commands such as venctl installation cluster connect and venctl iam service-accounts firefly create. For more information, see the CLI tool for CyberArk Certificate Manager reference guide.

Default component versions for this release

The following is a full list of the component versions installable by default in release 1.19.0.

Component	Default version for this release
Approver Policy	v0.19.0
Enterprise Approver Policy for CyberArk Certificate Manager	v0.20.0
AWS Private CA Issuer	v1.4.1
cert-manager	v1.17.1
CSI Driver	v0.10.2
CSI Driver for SPIFFE	v0.8.2
CyberArk Workload Identity Manager	v1.6.0
Istio CSR	v0.14.0
OpenShift Routes for cert-manager	v0.7.0
Trust Manager	v0.16.0
Connection for CyberArk Certificate Manager	v0.4.0
Enterprise Issuer for CyberArk Certificate Manager	v0.15.0
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v1.4.1

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.19.0	Linux	AMD64 / x86-64	f06795cde250da2a366358cc4fab333781a1e969bdbb5a71fd252f08109854cb	Signature
CLI tool for CyberArk Certificate Manager 1.19.0	Linux	ARM64	bac6b37b5068a5215624bdfe6d2897cb7011a9fb0172fe724654ae536a991fc5	Signature
CLI tool for CyberArk Certificate Manager 1.19.0	macOS	AMD64 / x86-64	2b232734f6cb377cbe1bcf2e637c36de32d5db0119350e9190fbebfcb89aafff	Signature
CLI tool for CyberArk Certificate Manager 1.19.0	macOS	ARM64, Apple Silicon	00132fd085073d8d9a0294e44db0e1cb9edaadb29acde75cca9c8b1f0121b4cb	Signature
CLI tool for CyberArk Certificate Manager 1.19.0	Windows	AMD64 / x86-64	20c01e10f809930f332360306092e222ab7a89e17725a93f77cb553b7a7c9c92	Signature
Checksums (SHA256)

Release 1.18.1¶

CLI tool for CyberArk Certificate Manager 1.18.1 was released on April 17, 2025.

Key features¶

Release 1.18.1 includes improved validation for the Workload Identity Manager security configuration. Several bugs were fixed, and the error messages improved.
More commands now support the --insecure-skip-tls-verify flag. Note that this flag eliminates the server certificate validity check, which makes the HTTPS connection insecure. For more information, see the Reference: venctl commands page.
This release also includes a new venafi configuration firefly delete command for deleting Workload Identity Manager security configurations from Certificate Manager - Self-Hosted. For more information, see the Reference: venctl commands page.
CyberArk Certificate Manager Operator for Red Hat OpenShift now warns you when the user stores its PKCS11 pin in the Workload Identity Manager security configuration file. For privacy reasons, it's preferable that the pin is not stored there, but entered manually on push instead.

Default component versions for this release

The following is a full list of the component versions installable by default in release 1.18.1.

Component	Default version for this release
Approver Policy	v0.19.0
Enterprise Approver Policy for CyberArk Certificate Manager	v0.20.0
AWS Private CA Issuer	v1.4.1
cert-manager	v1.17.1
CSI Driver	v0.10.2
CSI Driver for SPIFFE	v0.8.2
CyberArk Workload Identity Manager	v1.6.0
Istio CSR	v0.14.0
OpenShift Routes for cert-manager	v0.7.0
Trust Manager	v0.16.0
Connection for CyberArk Certificate Manager	v0.4.0
Enterprise Issuer for CyberArk Certificate Manager	v0.15.0
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v1.4.1

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.18.1	Linux	AMD64 / x86-64	bdf3966459de21718593bcf5501f41a3c3eaa5265d583b83ad63ffa28bd9d6da	Signature
CLI tool for CyberArk Certificate Manager 1.18.1	Linux	ARM64	372ac4fd4a0424e3aff2e2ad6b2e727697dc4077f7016c47798dc1882324c818	Signature
CLI tool for CyberArk Certificate Manager 1.18.1	macOS	AMD64 / x86-64	8c2089895dfa9ba242c1958a267ce94df49e5b496f30cc650da09d8b81f23cd4	Signature
CLI tool for CyberArk Certificate Manager 1.18.1	macOS	ARM64, Apple Silicon	def22d752d02735e8461b0e64d2e3fd7303ac610d17e42d1a52aeb835c2ca406	Signature
CLI tool for CyberArk Certificate Manager 1.18.1	Windows	AMD64 / x86-64	3c0ba9112666bb4b16d8708da87b569ba5b2986877854f15b70693ecc03c7f9f	Signature
Checksums (SHA256)

Release 1.18.0¶

CLI tool for CyberArk Certificate Manager 1.18.0 was released on April 3, 2025.

Key features¶

CyberArk Workload Identity Manager configuration commands

This release introduces three new configuration commands for Workload Identity Manager.

The venctl configuration firefly command has been added to assist users to configure Workload Identity Manager security settings when managed by Certificate Manager - Self-Hosted. This command includes subcommands to generate a sample security configuration file, which can be modified according to the user's needs and then pushed to or pulled from the Certificate Manager - Self-Hosted. Workload Identity Manager can be configured to pull and bootstrap the security configuration directly from Certificate Manager - Self-Hosted.

For more information on all these commands, see the venctl command reference page.

Default component versions for this release

The following is a full list of the component versions installable by default in release 1.18.0.

Component	Default version for this release
Approver Policy	v0.19.0
Enterprise Approver Policy for CyberArk Certificate Manager	v0.20.0
AWS Private CA Issuer	v1.4.1
cert-manager	v1.17.1
CSI Driver	v0.10.2
CSI Driver for SPIFFE	v0.8.2
CyberArk Workload Identity Manager	v1.5.2
Istio CSR	v0.14.0
OpenShift Routes for cert-manager	v0.7.0
Trust Manager	v0.16.0
Connection for CyberArk Certificate Manager	v0.3.1
Enterprise Issuer for CyberArk Certificate Manager	v0.15.0
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v1.4.0

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.18.0	Linux	AMD64 / x86-64	858ac25a9a0e8b63ec59d0eb1cc259177e66d880686939115a902c61aa664653	Signature
CLI tool for CyberArk Certificate Manager 1.18.0	Linux	ARM64	a25551f4a61e02e253cfbce030935d1880b04b736c32ca8a7626a63e0c999433	Signature
CLI tool for CyberArk Certificate Manager 1.18.0	macOS	AMD64 / x86-64	bddecb6db5324a2462688a4f8051cec19f065a0b3f433e9eb81b4a2268bec5b0	Signature
CLI tool for CyberArk Certificate Manager 1.18.0	macOS	ARM64, Apple Silicon	412e0fcb8438c3711a064e4335e68fb73b440db83f0a6e2208fe7c4c35eea492	Signature
CLI tool for CyberArk Certificate Manager 1.18.0	Windows	AMD64 / x86-64	ba44e5e014ca43ca8bbe6f83ed6c04cc5e678e21c7f43287c0d783ef83902f0d	Signature
Checksums (SHA256)

Release 1.17.0¶

CLI tool for CyberArk Certificate Manager 1.17.0 was released on February 25, 2025.

Key features¶

United Kingdom registry and CyberArk Certificate Manager - SaaS support

This release introduces support for the upcoming United Kingdom private OCI registry by adding an uk option for the --region flag for the venctl components kubernetes manifest generate and venctl components kubernetes apply commands. In addition, when the upcoming connection features for United Kingdom become available, support for connection to Certificate Manager - SaaS in United Kingdom for commands such as venctl installation cluster connect and venctl iam service-accounts firefly create. For more information, see the CLI tool for CyberArk Certificate Manager reference guide.
Dependency updates
- Go was updated to 1.23.6
- github.com/Khan/genqlient was updated to v0.8.0
- github.com/Masterminds/semver/v3 was updated to v3.3.1
- github.com/docker/cli was updated to v27.5.1+incompatible
- github.com/evertras/bubble-table was updated to v0.17.1
- github.com/fatih/color was updated to v1.18.0
- github.com/goccy/go-yaml was updated to v1.15.20
- github.com/lmittmann/tint was updated to v1.0.7
- github.com/oapi-codegen/runtime was updated to v1.1.1
- github.com/spf13/pflag was updated to v1.0.6
- github.com/spf13/viper was updated to v1.19.0
- golang.org/x/crypto was updated to v0.33.0
- golang.org/x/exp was updated to v0.0.0-20250210185358-939b2ce775ac
- golang.org/x/mod was updated to v0.23.0
- helm.sh/helm/v3 was updated to v3.17.0
- k8s.io/api was updated to v0.32.1
- k8s.io/apimachinery was updated to v0.32.1
- k8s.io/client-go was updated to v0.32.1
- k8s.io/utils was updated to v0.0.0-20241210054802-24370beab758

Default component versions for this release

The following is a full list of the component versions installable by default in release 1.17.0.

Component	Default version for this release
Approver Policy	v0.19.0
Enterprise Approver Policy for CyberArk Certificate Manager	v0.20.0
AWS Private CA Issuer	v1.4.1
cert-manager	v1.17.1
CSI Driver	v0.10.2
CSI Driver for SPIFFE	v0.8.2
CyberArk Workload Identity Manager	v1.5.2
Istio CSR	v0.14.0
OpenShift Routes for cert-manager	v0.7.0
Trust Manager	v0.16.0
Connection for CyberArk Certificate Manager	v0.3.1
Enterprise Issuer for CyberArk Certificate Manager	v0.15.0
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v1.4.0

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.17.0	Linux	AMD64 / x86-64	818a21581fae6820dbe4df3e0e8ed157800d70cd03ed1f443877e9f04525087d	Signature
CLI tool for CyberArk Certificate Manager 1.17.0	Linux	ARM64	c3b9a2e48b55592d5a4e4d1501b107b31bd3458e7b73326b640080f767e2c44b	Signature
CLI tool for CyberArk Certificate Manager 1.17.0	macOS	AMD64 / x86-64	4ebd3a5f74c5f74697afbe5a51e0d8a53235816bb5fadfed39ca2af24934161d	Signature
CLI tool for CyberArk Certificate Manager 1.17.0	macOS	ARM64, Apple Silicon	f953e712c544dd73fa9709ffe51a0a3c6836ad04b9a9e698bef31e440c5052d0	Signature
CLI tool for CyberArk Certificate Manager 1.17.0	Windows	AMD64 / x86-64	6f3d2c53ac4088030860dfee1bf266a335e329315e549539714ba53b2e3e6357	Signature
Checksums (SHA256)

Release 1.16.0¶

CLI tool for CyberArk Certificate Manager 1.16.0 was released on January 23, 2025.

Key features¶

Australian registry and CyberArk Certificate Manager - SaaS support

This release includes support for the upcoming Australian private OCI registry by adding an au option for the --region flag for the venctl components kubernetes manifest generate and venctl components kubernetes apply commands. In addition, when the upcoming connection features for Australia become available, support for connection to Certificate Manager - SaaS in Australia for commands such as venctl installation cluster connect and venctl iam service-accounts firefly create. For more information, see the CLI tool for CyberArk Certificate Manager reference guide.
--vcp-region flag updates

The --vcp-region is no longer a global flag and has been removed from commands therefore for which it is not relevant.
Dependency updates
- Go was updated to v1.23.5
- k8s.io/api was updated to v0.31.1
- k8s.io/apimachinery was updated to v0.31.1
- k8s.io/client-go was updated to v0.31.1
- k8s.io/utils was updated to v0.0.0-20240921022957-49e7df575cb6
- sigs.k8s.io/controller-runtime was updated to v0.19.0

Default component versions for this release

The following is a full list of the component versions installable by default in release 1.16.0.

Component	Default version for this release
Approver Policy	v0.18.0
Enterprise Approver Policy for CyberArk Certificate Manager	v0.20.0
AWS Private CA Issuer	v1.4.0
cert-manager	v1.16.3
CSI Driver	v0.10.2
CSI Driver for SPIFFE	v0.8.2
CyberArk Workload Identity Manager	v1.5.0
Istio CSR	v0.14.0
OpenShift Routes for cert-manager	v0.7.0
Trust Manager	v0.15.0
Connection for CyberArk Certificate Manager	v0.3.1
Enterprise Issuer for CyberArk Certificate Manager	v0.15.0
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v1.4.0

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.16.0	Linux	AMD64 / x86-64	26e7b7a7e134f1cf1f3ffacf4ae53ec6849058db5007ce4088d51f404ededb4a	Signature
CLI tool for CyberArk Certificate Manager 1.16.0	Linux	ARM64	76409e5d807ec77b39a7d29ee8faf41dcc5ed30a23bf4827577d43499d8641c5	Signature
CLI tool for CyberArk Certificate Manager 1.16.0	macOS	AMD64 / x86-64	2e76693901abcb2c018f66d3a10558c66ca09d1a3be912258bcd6c58e89aae80	Signature
CLI tool for CyberArk Certificate Manager 1.16.0	macOS	ARM64, Apple Silicon	4350912d67683773302655e2a0151320514d1ccf82ee99c895e6780f86b6f031	Signature
CLI tool for CyberArk Certificate Manager 1.16.0	Windows	AMD64 / x86-64	e2329fd590ed9b6e0848844b07c89d98aee40dcfc402d442e0af43b4d29fe768	Signature
Checksums (SHA256)

Release 1.15.4¶

CLI tool for CyberArk Certificate Manager 1.15.4 was released on November 25, 2024.

Important

If you have installed CLI tool for CyberArk Certificate Manager v1.15.3, you are advised to update to this version if you intend to install the Discovery Agent.

Key features¶

Default component versions for this release

The following is a full list of the component versions installable by default in release 1.15.4.

Component	Default version for this release
Approver Policy	v0.17.0
Enterprise Approver Policy for CyberArk Certificate Manager	v0.19.0
AWS Private CA Issuer	v1.4.0
cert-manager	v1.16.2
CSI Driver	v0.10.1
CSI Driver for SPIFFE	v0.8.1
CyberArk Workload Identity Manager	v1.5.0
Istio CSR	v0.12.0
OpenShift Routes for cert-manager	v0.7.0
Trust Manager	v0.13.0
Connection for CyberArk Certificate Manager	v0.2.0
Enterprise Issuer for CyberArk Certificate Manager	v0.14.0
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v1.4.0

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.15.4	Linux	AMD64 / x86-64	9e8b1d366b16d457c73ea26436f09f1fca1d0f55b4d66170fb852a64c5dc20a6	Signature
CLI tool for CyberArk Certificate Manager 1.15.4	Linux	ARM64	20fc481faa828426e50d2e8ab12d3ed3dee7c182499cef5a2317de15758d6bdd	Signature
CLI tool for CyberArk Certificate Manager 1.15.4	macOS	AMD64 / x86-64	260e6aefba3915fe37d3d95097b7b9f91abaa09660d6b7b6c787c06669a1643b	Signature
CLI tool for CyberArk Certificate Manager 1.15.4	macOS	ARM64, Apple Silicon	1decb7f144e374e77a6407f4cf207fbbc63499ebf685ee23b040c8a121bfc9a0	Signature
CLI tool for CyberArk Certificate Manager 1.15.4	Windows	AMD64 / x86-64	0b93b5c4873ab0cb65df2d5bdfcb8b45efb23c970d7b365c3fb459309e0db086	Signature
Checksums (SHA256)

Release 1.15.3¶

CLI tool for CyberArk Certificate Manager 1.15.3 was released on November 21, 2024.

No longer available

This release is no longer available.

Key features¶

Default component versions for this release

The following is a full list of the component versions installable by default in release 1.15.3.

Component	Default version for this release
Approver Policy	v0.16.0
Enterprise Approver Policy for CyberArk Certificate Manager	v0.19.0
AWS Private CA Issuer	v1.4.0
cert-manager	v1.16.1
CSI Driver	v0.10.1
CSI Driver for SPIFFE	v0.8.1
CyberArk Workload Identity Manager	v1.5.0
Istio CSR	0.12.0
OpenShift Routes for cert-manager	0.7.0
Trust Manager	v0.13.0
Connection for CyberArk Certificate Manager	v0.2.0
Enterprise Issuer for CyberArk Certificate Manager	v0.14.0
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v1.3.0

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.15.3	Linux	AMD64 / x86-64	7208b3167ff368ef95bb02feb6756254876fdec88b8e5dd7aa5a6c522f35eb29	Signature
CLI tool for CyberArk Certificate Manager 1.15.3	Linux	ARM64	071b8434e0e98dd2cf6fb771982405dd149aec9a83d23465f26870d1bf7b513e	Signature
CLI tool for CyberArk Certificate Manager 1.15.3	macOS	AMD64 / x86-64	8d6a61bdb6a6b4e6a835f6fd2c1197c249572c37a387f5f11d2130c50ee50528	Signature
CLI tool for CyberArk Certificate Manager 1.15.3	macOS	ARM64, Apple Silicon	3b8b1039ab7900b39de33a4e7092f17516a7979d71f2114b24395b142e0569b0	Signature
CLI tool for CyberArk Certificate Manager 1.15.3	Windows	AMD64 / x86-64	2d00d595fc9b8a4949f414a10fc0d5f9576b498595c6ddc1c30b0ee46b042632	Signature
Checksums (SHA256)

Release 1.15.2¶

CLI tool for CyberArk Certificate Manager 1.15.2 was released on October 30, 2024.

Key features¶

venctl installation cluster connect command updates

This release includes an update to the venctl installation cluster connect command to improve the connectivity process to Certificate Manager - SaaS.

Default component versions for this release

The following is a full list of the component versions installable by default in release 1.15.2.

Component	Default version for this release
Approver Policy	v0.16.0
Enterprise Approver Policy for CyberArk Certificate Manager	v0.18.1
AWS Private CA Issuer	v1.4.0
cert-manager	v1.16.1
CSI Driver	v0.10.1
CSI Driver for SPIFFE	v0.8.1
CyberArk Workload Identity Manager	v1.5.0
Istio CSR	0.12.0
OpenShift Routes for cert-manager	0.7.0
Trust Manager	v0.12.0
Connection for CyberArk Certificate Manager	v0.2.0
Enterprise Issuer for CyberArk Certificate Manager	v0.14.0
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v1.1.0

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.15.2	Linux	AMD64 / x86-64	c98a1f8fb54dccbf9005e8286098c6570530b8fccb86c21f11b0bec8d6e40e5d	Signature
CLI tool for CyberArk Certificate Manager 1.15.2	Linux	ARM64	69d8a2cb0c76555db7c3975d5f2b4695af7ec6c6ecb62d2cac5c4780870a6825	Signature
CLI tool for CyberArk Certificate Manager 1.15.2	macOS	AMD64 / x86-64	0da2bd6ed1fc340be0d4d126557e6184b1882f8e77432dac79e3201d1ca9c44b	Signature
CLI tool for CyberArk Certificate Manager 1.15.2	macOS	ARM64, Apple Silicon	2120a2f25791d0d04b253e65466087cd6351874325f281d8082af5335ab64299	Signature
CLI tool for CyberArk Certificate Manager 1.15.2	Windows	AMD64 / x86-64	ac7be5176e2d703736e9f16492a127ece87511f2f5139d20d953efa6428ffa5e	Signature
Checksums (SHA256)

Release 1.15.1¶

CLI tool for CyberArk Certificate Manager 1.15.1 was released on October 15, 2024.

Key features¶

Version output fix

This release fixes an issue where the venctl version command and the associated auto update feature of venctl mistakenly reported the version as being dev.

Default component versions for this release

The following is a full list of the component versions installable by default in release 1.15.1.

Component	Default version for this release
Approver Policy	v0.15.2
Enterprise Approver Policy for CyberArk Certificate Manager	v0.18.1
AWS Private CA Issuer	v1.3.0
cert-manager	v1.16.1
CSI Driver	v0.10.1
CSI Driver for SPIFFE	v0.8.1
CyberArk Workload Identity Manager	v1.5.0
Istio CSR	0.12.0
OpenShift Routes for cert-manager	0.7.0
Trust Manager	v0.12.0
Connection for CyberArk Certificate Manager	v0.1.0
Enterprise Issuer for CyberArk Certificate Manager	v0.14.0
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v1.0.0

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.15.1	Linux	AMD64 / x86-64	c1754c1b40fc2be8d29d5560332bb55af564633289b956e92298d0d10a89a6cd	Signature
CLI tool for CyberArk Certificate Manager 1.15.1	Linux	ARM64	3f1888724e07cf2e8845034231540e118e6745c91c208ffd0c638c8e05ac4361	Signature
CLI tool for CyberArk Certificate Manager 1.15.1	macOS	AMD64 / x86-64	ab9dbb1381b41f8e3b541f32846ffd537fad5f541ddb472ccb13f26f49544dd9	Signature
CLI tool for CyberArk Certificate Manager 1.15.1	macOS	ARM64, Apple Silicon	994774246cc7e3c4254b733b97d12e4aed57a4822268e62429351c34884fc709	Signature
CLI tool for CyberArk Certificate Manager 1.15.1	Windows	AMD64 / x86-64	4a11828d0aeebf830a1671f55dbe2fd247a2dc7c4dce8f0ef96d613f2c51bdf8	Signature
Checksums (SHA256)

Release 1.15.0¶

CLI tool for CyberArk Certificate Manager 1.15.0 was released on October 4, 2024.

Known issue

The venctl version command and the associated auto update feature of venctl will mistakenly report the version as being dev. This will be fixed in the next release.

Key features¶

Manifest tool for CyberArk Certificate Manager environment variable support

The Manifest tool now supports the VENAFI_KUBERNETES_AGENT_CLUSTER_NAME environment variable for setting the cluster name when installing the agent. This means you no longer have to create a custom values.yaml per cluster.
Manifest tool for CyberArk Certificate Manager bug fix

Release 1.15.0 corrects an issue where the Manifest tool attempted to set the topologySpreadConstraints field for the cert-manager startupapicheck, which doesn't exist.
Go version updated

The version of Go used was updated to v1.23.2.

Default component versions for this release

This release upgrades some dependency versions proactively to address CVEs reported by scanners but which weren't exploitable.

The following is a full list of the component versions installable by default in release 1.15.0.

Component	Default version for this release
Approver Policy	v0.15.2
Enterprise Approver Policy for CyberArk Certificate Manager	v0.18.1
AWS Private CA Issuer	v1.3.0
cert-manager	v1.16.0
CSI Driver	v0.10.1
CSI Driver for SPIFFE	v0.8.1
CyberArk Workload Identity Manager	v1.5.0
Istio CSR	0.12.0
OpenShift Routes for cert-manager	0.7.0
Trust Manager	v0.12.0
Connection for CyberArk Certificate Manager	v0.1.0
Enterprise Issuer for CyberArk Certificate Manager	v0.14.0
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v1.0.0

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.15.0	Linux	AMD64 / x86-64	ff8e9f041e7dc6b05c8a506d4b394917879ac48b8f17461d2fe3aaad0ef2935d	Signature
CLI tool for CyberArk Certificate Manager 1.15.0	Linux	ARM64	9aa9119beaa4ceb3b8bf0e00551ac921eb34f361d1054a802c31fa61b9bd34b8	Signature
CLI tool for CyberArk Certificate Manager 1.15.0	macOS	AMD64 / x86-64
ba5b366cbc8c18ed79d71d0b0ae6ba52c3dad48510262848903eb3c81aa50372	Signature
CLI tool for CyberArk Certificate Manager 1.15.0	macOS	ARM64, Apple Silicon	eb5ea50d8f1ac3467befe357240d3bdfccd1707e93c1a8dc86e0bc25d16344da	Signature
CLI tool for CyberArk Certificate Manager 1.15.0	Windows	AMD64 / x86-64	b0eb56a6ce4c266e01f8acf7153fcfa8d2d983e2801770b80b8dd9d65f6d3e32	Signature
Checksums (SHA256)

Release 1.14.1¶

CLI tool for CyberArk Certificate Manager 1.14.1 was released on September 11, 2024.

Important

If you have downloaded and installed v1.14.0, you should upgrade to v1.14.1 using the venctl update command or, for Homebrew users, brew upgrade venctl.

Key features¶

Bug fixes An issue where venctl installation cluster connect failed in release v1.14.0.

Default component versions for this release

The following is a full list of the component versions installable by default in release 1.14.1.

Component	Default version for this release
Approver Policy	v0.15.1
Enterprise Approver Policy for CyberArk Certificate Manager	v0.18.1
AWS Private CA Issuer	v1.3.0
cert-manager	v1.15.3
CSI Driver	v0.10.1
CSI Driver for SPIFFE	v0.8.1
CyberArk Workload Identity Manager	v1.5.0
Istio CSR	0.12.0
OpenShift Routes for cert-manager	0.6.0
Trust Manager	v0.12.0
Connection for CyberArk Certificate Manager	v0.1.0
Enterprise Issuer for CyberArk Certificate Manager	v0.14.0
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v1.0.0

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.14.1	Linux	AMD64 / x86-64	ff9b8fd0dcff6a58f4e9b8d8bfb956f393b7d3b3567ee84153ba034cdfcccd37	Signature
CLI tool for CyberArk Certificate Manager 1.14.1	Linux	ARM64	644bddbc32aea0ebd55a0e297ecf8e40450c9277ed4a9132f4ab35df388b8948	Signature
CLI tool for CyberArk Certificate Manager 1.14.1	macOS	AMD64 / x86-64	803d3864fc013a06ac611a1a1cb2f9fef9fa45b0c1c9bfcb95847c60132c20e2	Signature
CLI tool for CyberArk Certificate Manager 1.14.1	macOS	ARM64, Apple Silicon	9c88704d436a6f52dc9d3f2e3bdd15679aba2eecf2a8988b87ee81afb9df14b7	Signature
CLI tool for CyberArk Certificate Manager 1.14.1	Windows	AMD64 / x86-64	aa8d7f8998935ae59eed701a49854d3d4ff40d34ae05d15d403770c09af14c73	Signature
Checksums (SHA256)

Release 1.14.0¶

CLI tool for CyberArk Certificate Manager 1.14.0 was released on September 11, 2024.

Key features¶

OpenShift Routes for cert-manager support Release v1.14.0 adds support for installing the OpenShift Routes for cert-manager component.
Discovery Agent manifest improvements You can now generate manifests for agents without needing to specify a client ID.
Manifest comments Generated manifests now include a comment at the top containing the command used to generate the manifest. This helps you to edit or recreate a manifest if required later..
Istio CSR support This release adds support for Istio CSR with extra objects defined at manifest generation time.
Bug fixes An issue where the CLI tool for CyberArk Certificate Manager incorrectly required a TTY when the --no-prompts flags is used was corrected.

Default component versions for this release

The following is a full list of the component versions installable by default in release 1.14.0.

Component	Default version for this release
Approver Policy	v0.15.1
Enterprise Approver Policy for CyberArk Certificate Manager	v0.18.1
AWS Private CA Issuer	v1.3.0
cert-manager	v1.15.3
CSI Driver	v0.10.1
CSI Driver for SPIFFE	v0.8.1
CyberArk Workload Identity Manager	v1.5.0
Istio CSR	0.12.0
OpenShift Routes for cert-manager	0.6.0
Trust Manager	v0.12.0
Connection for CyberArk Certificate Manager	v0.1.0
Enterprise Issuer for CyberArk Certificate Manager	v0.14.0
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v1.0.0

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.14.0	Linux	AMD64 / x86-64	602c7af3ce6101e529801be13fb65bf71c43f1dd84a3228b0e945d86a643fe76	Signature
CLI tool for CyberArk Certificate Manager 1.14.0	Linux	ARM64	eb1dabe8ec2fde60835f9f615e1dd46c6a1d4378f7aac08358171150720416be	Signature
CLI tool for CyberArk Certificate Manager 1.14.0	macOS	AMD64 / x86-64	fe849b5c561375f143bee00dde77a8337e95df509029953be4928910c3396f27	Signature
CLI tool for CyberArk Certificate Manager 1.14.0	macOS	ARM64, Apple Silicon	74b1f94596f3967e8b110f40f848f526a47d4cf2446f9e947c2eebad2537a8fb	Signature
CLI tool for CyberArk Certificate Manager 1.14.0	Windows	AMD64 / x86-64	71af55b11b0a45e44a4ebe57912e314280dea7124312f3db13628a2d689b3b25	Signature
Checksums (SHA256)

Release 1.13.0¶

CLI tool for CyberArk Certificate Manager 1.13.0 was released on August 6, 2024.

Known issue

When installing the Istio CSR component, the 1.13.0 release of the CLI tool for CyberArk Certificate Manager does not set the DNS names for the serving certificates it generates. As a workaround, use a custom values.yaml file to set the value manually. See the example below:

values.yaml

app:
tls:
    certificateDNSNames:
    - cert-manager-istio-csr.venafi.svc

You can install Istio CSR with this custom values.yaml file using the following command:

venctl components kubernetes manifest generate --cert-manager --istio-csr --istio-csr-values-files values.yaml --default-approver

A future release of the CLI tool for CyberArk Certificate Manager will set this value automatically.

Key features¶

Istio CSR support

The CLI tool for CyberArk Certificate Manager now allows you to install Istio CSR in addition to the other CyberArk Kubernetes components.
New Helm custom chart repository CA options added

The CLI tool for CyberArk Certificate Manager includes new custom chart repository CA flags for the venctl components kubernetes manifest generate and venctl components kubernetes apply commands to indicate the path to PEM-formatted CA bundles used to validate the Helm repository for component charts. Learn more
Go version updated

The version of Go used was updated to v1.22.5.

Default component versions for this release

The following is a full list of the component versions installable by default in release 1.13.0.

Component	Default version for this release
Approver Policy	v0.15.0
Enterprise Approver Policy for CyberArk Certificate Manager	v0.18.0
AWS Private CA Issuer	v1.3.0
cert-manager	v1.15.2
CSI Driver	v0.10.0
CSI Driver for SPIFFE	v0.8.0
CyberArk Workload Identity Manager	v1.4.2
Istio CSR	0.11.0
Trust Manager	v0.12.0
Connection for CyberArk Certificate Manager	v0.1.0
Enterprise Issuer for CyberArk Certificate Manager	v0.14.0
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v0.1.49

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.13.0	Linux	AMD64 / x86-64	7296e4a56e2c80c172efe2112dea98f18ef7bed46c7600a9829e4e029fd0852a	Signature
CLI tool for CyberArk Certificate Manager 1.13.0	Linux	ARM64	6a427f90545975d4cbbd0033f087fe93593d9227398a281dcabac8e256aefe98	Signature
CLI tool for CyberArk Certificate Manager 1.13.0	macOS	AMD64 / x86-64	a4f46264bc8f343622c720d52bdd256666376c44eae7e281da9a15b9154c0038	Signature
CLI tool for CyberArk Certificate Manager 1.13.0	macOS	ARM64, Apple Silicon	499d2f9b28a9c4053ab5e842c756e2275e53f87aef971851019cee043deffca9	Signature
CLI tool for CyberArk Certificate Manager 1.13.0	Windows	AMD64 / x86-64	5ce0a6eee52c6ced562e123ef3de3a5cc631bf3c9ac300882ea680ebcaafb71f	Signature
Checksums (SHA256)

Release 1.12.0¶

CLI tool for CyberArk Certificate Manager 1.12.0 was released on July 18, 2024.

Key features¶

Helm chart repository authentication

This release adds new authentication parameters for protected OCI (credential configuration) and non-OCI (username and password) Helm chart repositories. Learn more.

If you are using a protected Helm registry you may be required to provide additional authentication. New flags for the venctl components kubernetes manifest generate and venctl components kubernetes apply commands allow you to authenticate to protected Helm registries.

For an OCI-based Helm registry you can provide a docker_config.json file containing authentication credentials:
```
venctl components kubernetes apply \
  --cert-manager \
  --custom-chart-repository oci://my-registry.example.com/charts \
  --custom-chart-repository-config docker_config.json
```
For HTTPs-based Helm registry you can specify the username and password:
```
venctl components kubernetes apply \
  --cert manager \
  --custom-chart-repository https://my-charts.example.com/ \
  --custom-chart-repository-username <username> \
  --custom-chart-repository-password <password>
```

enterprise-cert-manager scope renamed to cert-manager-components

The enterprise-cert-manager value for the --scopes flag used with the venctl iam service-accounts registry create command is deprecated in favor of cert-manager-components.

A sample venctl iam service-accounts registry create command using the new flag:

venctl iam service-accounts registry create --name "My Service Account" --output-file "venafi-image-pull-secret.json" --owning-team "My Platform Team" --scopes "cert-manager-components" --validity 365 --api-key xyz

An example of the same command in previous releases:

venctl iam service-accounts registry create --name "My Service Account" --output-file "venafi-image-pull-secret.json" --owning-team "My Platform Team" --scopes "enterprise-cert-manager" --validity 365 --api-key xyz

Repository updates for livenessprobe and csi-node-driver-registrar images

CLI tool for CyberArk Certificate Manager was updated to install the livenessprobe and csi-node-driver-registrar images from the private-registry.venafi.cloud/csi-driver-spiffe repository.
Connection for CyberArk Certificate Manager dependency for Enterprise Approver Policy for CyberArk Certificate Manager added to the Manifest tool for CyberArk Certificate Manager

This release includes a fix for an issue where the Connection for CyberArk Certificate Manager dependency for Enterprise Approver Policy for CyberArk Certificate Manager was not installed by the Manifest tool by default.

Default component versions for this release

The following is a full list of the component versions installable by default in release 1.12.0.

Component	Default version for this release
Approver Policy	v0.14.1
Enterprise Approver Policy for CyberArk Certificate Manager	v0.17.2
AWS Private CA Issuer	v1.2.7
cert-manager	v1.15.1
CSI Driver	v0.9.0
CSI Driver for SPIFFE	v0.7.0
CyberArk Workload Identity Manager	v1.4.1
Trust Manager	v0.11.1
Connection for CyberArk Certificate Manager	v0.1.0
Enterprise Issuer for CyberArk Certificate Manager	v0.14.0
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v0.1.49

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.12.0	Linux	AMD64 / x86-64	e084de3724e3f2d8c62848ca3a26798a65db7a304e5b2f7f4814d6d99f9d567c	Signature
CLI tool for CyberArk Certificate Manager 1.12.0	Linux	ARM64	c2f48894c7ca2b45ed6ec79a31dae90d89a518f110cb15b76fcabfab0e2afb0d	Signature
CLI tool for CyberArk Certificate Manager 1.12.0	macOS	AMD64 / x86-64	22792ed6c07277f323f148d1fccf3e2d954e7068e5d2fc26c8c386464718a3b7	Signature
CLI tool for CyberArk Certificate Manager 1.12.0	macOS	ARM64, Apple Silicon	d9a255a003d4765fa924148906d5c0c357a807eb7dc718afb9a720fa093c7c24	Signature
CLI tool for CyberArk Certificate Manager 1.12.0	Windows	AMD64 / x86-64	f8952536092760150abaed2acdff441c80967c2b40d4356ec3d484ca8e3fc408	Signature
Checksums (SHA256)

Release 1.11.0¶

CLI tool for CyberArk Certificate Manager 1.11.0 was released on June 6, 2024.

Key features¶

Default component versions for this release

Release 1.11.0 updates the Manifest tool for CyberArk Certificate Manager to allow you to install the latest version of cert-manager and Trust Manager.

The following is a full list of the component versions installable by default in release 1.11.0.

Component	Default version for this release
Approver Policy	v0.14.1
Enterprise Approver Policy for CyberArk Certificate Manager	v0.17.0
AWS Private CA Issuer	v1.2.7
cert-manager	v1.15.0
CSI Driver	v0.8.1
CSI Driver for SPIFFE	v0.6.0
CyberArk Workload Identity Manager	v1.3.4
Trust Manager	v0.11.0
Connection for CyberArk Certificate Manager	v0.1.0
Enterprise Issuer for CyberArk Certificate Manager	v0.14.0
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v0.1.48

Go dependency updated

This release also updates the version of Go used for the build to 1.22.4.

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.11.0	Linux	AMD64 / x86-64	ce22c820e83b3f18e4485555d7fdeef929296eb30f720d0437c8c5ad85a5c72b	Signature
CLI tool for CyberArk Certificate Manager 1.11.0	Linux	ARM64	f91e7c7ef61b9e9910733eb54c901f6bc0ebf92102ff43bd107eba5117d40982	Signature
CLI tool for CyberArk Certificate Manager 1.11.0	macOS	AMD64 / x86-64	958e81cd153697011f123b4462f84ef5c05e9310a1af7f05867c72367ebfb021	Signature
CLI tool for CyberArk Certificate Manager 1.11.0	macOS	ARM64, Apple Silicon	eb257247b1b2a98f884d56da29c3908490e8a0fcca433e2f62d27a6f6815b23f	Signature
CLI tool for CyberArk Certificate Manager 1.11.0	Windows	AMD64 / x86-64	42eac19daf0883eb09946044ffa41daae051453f834524169481b53285c544b0	Signature
Checksums (SHA256)

Release 1.10.0¶

CLI tool for CyberArk Certificate Manager 1.10.0 was released on May 22, 2024.

Key features¶

Install CSI Driver for SPIFFE

Release 1.10.0 updates the Manifest tool for CyberArk Certificate Manager to allow you to install the CSI Driver for SPIFFE component. Learn more
Minor improvements

This release introduces improvements to the venctl command:
- When deploying the Discovery Agent using venctl installation cluster connect, you can now modify the agent's deployment without encountering errors.
- A pre-requisite check for the minimum required Helm version has been added to commands that use the Helm binary. This ensures compatibility and avoids potential issues.

Default component versions for this release

The following is a full list of the component versions installable by default in release 1.10.0.

Component	Default version for this release
Approver Policy	v0.14.1
Enterprise Approver Policy for CyberArk Certificate Manager	v0.17.0
AWS Private CA Issuer	v1.2.7
cert-manager	v1.14.5
CSI Driver	v0.8.1
CSI Driver for SPIFFE	v0.6.0
CyberArk Workload Identity Manager	v1.3.4
Trust Manager	v0.10.0
Connection for CyberArk Certificate Manager	v0.1.0
Enterprise Issuer for CyberArk Certificate Manager	v0.14.0
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v0.1.48

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.10.0	Linux	AMD64 / x86-64	97fdd47fae913be92fab900a74d0c8e911b52a4c4351b8cd855e9fbe523ceb88	Signature
CLI tool for CyberArk Certificate Manager 1.10.0	Linux	ARM64	2f44064a60e0469e45885476e0ab59dede20276f58bae75c73fa07541d0d0f15	Signature
CLI tool for CyberArk Certificate Manager 1.10.0	macOS	AMD64 / x86-64	c027bbe4acda75ed434927f5beb5b918c779ee050a8f836e84671c99f2802408	Signature
CLI tool for CyberArk Certificate Manager 1.10.0	macOS	ARM64, Apple Silicon	f41d62f8a94d0c2e8bcb3a7f143c0d446b51737415bb11a411d4b729ba396dd1	Signature
CLI tool for CyberArk Certificate Manager 1.10.0	Windows	AMD64 / x86-64	4e9be84020463d1000acc6e61e62cd6b743fe364ce1cfa619eda9533266f9b74	Signature
Checksums (SHA256)

Release 1.9.0¶

CLI tool for CyberArk Certificate Manager 1.9.0 was released on May 8, 2024.

Breaking Changes¶

This release contains the following breaking changes:

The following flags have been renamed in all commands to which they apply:

--output has been renamed to --log-format.

A sample command using the new flag:

venctl iam service-accounts describe --api-key xyz -n myaccount --log-format json --no-prompts >> accinfo.json

An example of the same command in previous releases:

venctl iam service-accounts describe --api-key xyz -n myaccount --output json --no-prompts >> accinfo.json

--credential-format has been renamed to --output.

A sample command using the new flag:

venctl iam service-accounts firefly create --output secret --name sa-firefly --api-key xyz

An example of the same command in previous releases:

venctl iam service-accounts firefly create --credential-format secret --name sa-firefly --api-key xyz

--credential-file has been renamed to --output-file.

A sample command using the new flag:

venctl iam service-accounts registry create --name "My Service Account" --output-file "venafi-image-pull-secret.json" --owning-team "My Platform Team" --scopes "enterprise-cert-manager" --validity 365 --api-key xyz

An example of the same command in previous releases:

venctl iam service-accounts registry create --name "My Service Account" --credential-file "venafi-image-pull-secret.json" --owning-team "My Platform Team" --scopes "enterprise-cert-manager" --validity 365 --api-key xyz

The output from the iam service-accounts registry create output dockerconfig has been updated to contain only dockerconfig content rather than being nested in a JSON object.

The following is a sample of the output in this release:

{
    "auths": {
            "private-registry.venafi.cloud": {
                    "username": "sa-us@1cef4d3d-f28b-11ee-9365-c29bc6f4bab0",
                    "auth": "c2EtdXNAMWNlZjRkM2QtZjI4Yi0xMWVlLTkzNjUtYzI5YmM2ZjRiYWIwOnlWNE5jZHZ5SG1jY2FYU2thQ1FKbUJzZktsZERqRVA5eW11dW5XY1V6c0d2ZWtpamVhZWNBR3o5MlppQ0d5eXVJRmVua2RqalpGY3NrWXZ6WXFPdWlQZnVPd2NCRlRYRVJJcXEyaEloNDVHaEx2c01HNkRtNVJNZHJzNUVCd2Zx"
            }
    }
}

The following is an example of the output from previous releases:

{
    "client_id": "f95b37ac-f28c-11ee-a4ea-bad1c4de4f71",
    "image_pull_secret": "{\"auths\":{\"private-registry.venafi.cloud\":{\"username\":\"sa-us@f95b37ac-f28c-11ee-a4ea-bad1c4de4f71\",\"auth\":\"c2EtdXNAZjk1YjM3YWMtZjI4Yy0xMWVlLWE0ZWEtYmFkMWM0ZGU0ZjcxOkVXVFlLTHFRZ0o3U2M4UTlSTDg2SEh2SldVTWlvT2VZSEhDaWpwRmVVRENNM2FIbEhQdURDb1p3RE1pQ0pRVGZOWlpxWExId3VGb0RLS1NrYW9tbDVsUEdxSG1zeVl2cWc2UURFSFlWSVdzblZ2S2ZSZHdvbnhldjF5NG5iUW5V\"}}}\n"
}

The --name, --validity, and --owning-team flags are now only available in the subcommands where they are relevant. These flags have been removed from the main venctl iam service-accounts command and added to each applicable subcommand.

Key features¶

Dependency updates

This release updates the version of Go used to 1.22.3. This release also includes a fix for the following Hashicorp go-getter library vulnerability: CVE-2024-3817.

Default component versions for this release

The following is a full list of the component versions installable by default in release 1.9.0.

Component	Default version for this release
Approver Policy	v0.14.0
Enterprise Approver Policy for CyberArk Certificate Manager	v0.16.0
AWS Private CA Issuer	v1.2.7
cert-manager	v1.14.5
CSI Driver	v0.8.0
CyberArk Workload Identity Manager	v1.3.4
Trust Manager	v0.9.2
Connection for CyberArk Certificate Manager	v0.0.20
Enterprise Issuer for CyberArk Certificate Manager	v0.13.3
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v0.1.47

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.9.0	Linux	AMD64 / x86-64	cfb0a86b98f68b9a7684ab00b8176577c42162c3dfa976b8c99cf02064a092bb	Signature
CLI tool for CyberArk Certificate Manager 1.9.0	Linux	ARM64	78dd48ae03c9a6931d0981d66443fcdb103a055af61db104493c166d5d67831c	Signature
CLI tool for CyberArk Certificate Manager 1.9.0	macOS	AMD64 / x86-64	667b8773980ce1342d51466e4f78e0fca1ab95819fca2d1c6b8a2a81198df4e6	Signature
CLI tool for CyberArk Certificate Manager 1.9.0	macOS	ARM64, Apple Silicon	d68c5959bc8be6f9e9d2f5d1eec39293414cf466bbb2eb306b3f40817711e9d5	Signature
CLI tool for CyberArk Certificate Manager 1.9.0	Windows	AMD64 / x86-64	12c779814fa53e8d5b05a7a1f33e07637004d28c067ad7c3e897c25535c01160	Signature
Checksums (SHA256)

Release 1.8.0¶

CLI tool for CyberArk Certificate Manager 1.8.0 was released on April 5, 2024.

Breaking changes¶

The output from the venctl iam service-accounts agent create and venctl iam service-accounts firefly create commands now return the raw private key rather than a base64-encoded string.

The following is a sample of the output in this release:

{
        "client_id": "7dd207f4-f1ae-11ee-83f9-3a7af823c704",
        "private_key": "-----BEGIN PRIVATE KEY-----\nMHcCAQEEIKcGfBGimDbNqTrv0zw2h8W2OavVY8WHATEH89VIrQmBoAoGCCqGSM49\nAwEHoUQDQgAEzwbbEkbMMxvRBPLkmAJ/jkJZIHwpskxtBNXZU18jqAW+J8TSfuv6\nkPGe/frubEqyT+w496F45Vqi3Y9ha/6Ozg==\n-----END PRIVATE KEY-----\n"
}

The following is an example of the output from previous releases:

{
        "client_id": "7dd207f4-f1ae-11ee-83f9-3a7af823c704",
        "private_key": "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tXG5NSGNDQVFFRUlLY0dmQkdpbURiTnFUcnYwencyaDhXMk9hdlZZOFdIQVRFSDg5VklyUW1Cb0FvR0NDcUdTTTQ5XG5Bd0VIb1VRRFFnQUV6d2JiRWtiTU14dlJCUExrbUFKL2prSlpJSHdwc2t4dEJOWFpVMThqcUFXK0o4VFNmdXY2XG5rUEdlL2ZydWJFcXlUK3c0OTZGNDVWcWkzWTloYS82T3pnPT1cbi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS1cbgo="
}

Key features¶

New service account custom integration functionality

A new venctl iam service-accounts custom-integration createcommand has been added that allows you to create service accounts for custom integrations with Certificate Manager - SaaS. For more information, see the venctl iam service-accounts custom-integration create command reference documentation.
New service account authentication functionality

New --auth.client-id, --auth.key, and --auth.key-file flags have been added to the venctl iam service-account agent create command to support service account authentication to Certificate Manager - SaaS. This is useful for non-interactive sessions when service accounts for Discovery Agent are needed. For more information, see the venctl iam service-account agent create command reference documentation.
Support for global tolerations

This release includes a new flag, --global-tolerations-file, for the venctl components kubernetes manifest generate command. This flag points to a YAML file containing an array of Kubernetes corev1.Toleration objects. For more information, see Global tolerations.
Support for global affinities

This release includes a new flag, --global-affinities-file, for the venctl components kubernetes manifest generate command. This flag points to a YAML file containing an array of Kubernetes corev1.Affinity objects, which is validated in the same way that Kubernetes validates affinities in-cluster. For more information, see Global affinities.
Support for global topology spread constraints

This release includes a new flag, --global-topology-spread-constraints-file, for the venctl components kubernetes manifest generate command. This flag allows the configuration of global topology spread constraints which can be applied to all components for which topology spread constraints are configurable. For more information, see Global topology spread constraints.
Support for High Availability (HA)

This release includes a new flag, --ha-file-dir, for the venctl components kubernetes manifest generate command that allows you to set default values for HA deployments for the following CyberArk Kubernetes components:
- cert-manager
- Enterprise Approver Policy for CyberArk Certificate Manager
- CSI Driver
- Trust Manager
- Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments
- Enterprise Issuer for CyberArk Certificate Manager
For more information, see Setting default values for HA deployments using the CLI tool for CyberArk Certificate Manager, and the venctl components kubernetes manifest generate command reference documentation..

Default component versions for this release

The following is a full list of the component versions installable by default in release 1.8.0.

Component	Default version for this release
Approver Policy	v0.13.1
Enterprise Approver Policy for CyberArk Certificate Manager	v0.15.0
AWS Private CA Issuer	v1.2.7
cert-manager	v1.14.4
CSI Driver	v0.8.0
CyberArk Workload Identity Manager	v1.3.3
Trust Manager	v0.9.2
Connection for CyberArk Certificate Manager	v0.0.20
Enterprise Issuer for CyberArk Certificate Manager	v0.13.3
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v0.1.47

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.8.0	Linux	AMD64 / x86-64	c4a49eb57c337e93c33a004e8cda3e48d4ad27e3d6beb0d04c54c217b23b6768	Signature
CLI tool for CyberArk Certificate Manager 1.8.0	Linux	ARM64	e536fc37c3ed2339780a5f272a49d2fb5a1a5005c770c8c18ca0093dd57f866a	Signature
CLI tool for CyberArk Certificate Manager 1.8.0	macOS	AMD64 / x86-64	4692d780be197b47a94caac269dd3e3a248bcf3ae246cb9a9c23007d810c12a7	Signature
CLI tool for CyberArk Certificate Manager 1.8.0	macOS	ARM64, Apple Silicon	66a59e1fbe31ac941782f35588651a1f8e47555107d7e47a1d5afb70d678ae32	Signature
CLI tool for CyberArk Certificate Manager 1.8.0	Windows	AMD64 / x86-64	6c0fd3b677af768952a9fdec404ae0bb9f5dfb08cf6afd235042ea4298c3c40c	Signature
Checksums (SHA256)

Release 1.7.0¶

CLI tool for CyberArk Certificate Manager 1.7.0 was released on March 14, 2024.

Key features¶

New Manifest tool for CyberArk Certificate Manager commands

Two new manifest tool commands have been added:
- venctl components kubernetes manifest tool diff - Use this command as a convenient way to visualize the changes between the active deployment and the updated manifest.
- venctl components kubernetes manifest tool template - Use this command to template releases defined in the state file.
For more information, see the venafi components kubernetes manifest tool diff and venafi components kubernetes manifest tool template reference documentation.
Quick install/uninstall commands

This release introduces two new commands that allow you to set up and tear down a cert-manager environment quickly and easily. This installation method is not recommended for production environments. For more information, see the CLI tool for CyberArk Certificate Manager command reference documentation.
Custom registry support

You can now specify your own custom registry when connecting to CyberArk Certificate Manager - SaaS using the venctl installation cluster connect command.
Bug fixes

The current release includes fix for an issue with the venctl components kubernetes manifest generate command when the default version of a component was specified.

Default component versions for this release

Below is a full list of the component versions installable by default in release 1.7.0.

Component	Default version for this release
Approver Policy	v0.13.0
Enterprise Approver Policy for CyberArk Certificate Manager	v0.14.0
AWS Private CA Issuer	v1.2.7
cert-manager	v1.14.4
CSI Driver	v0.7.1
CyberArk Workload Identity Manager	v1.3.2
Trust Manager	v0.9.1
Connection for CyberArk Certificate Manager	v0.0.19
Enterprise Issuer for CyberArk Certificate Manager	v0.13.1
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v0.1.45

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.7.0	Linux	AMD64 / x86-64	3455b982fed40d80a40759c42bf8e5145bdc0ec3121744652f73a05d87c2b088	Signature
CLI tool for CyberArk Certificate Manager 1.7.0	Linux	ARM64	154ff31bebe9bf8019a94489cb80f34e4161eed3461312c9f6b805adaedefa53	Signature
CLI tool for CyberArk Certificate Manager 1.7.0	macOS	AMD64 / x86-64	86d4a11ecd582b94d45e35de66112fa90ee154a0c1c547f0389832a3c7453960	Signature
CLI tool for CyberArk Certificate Manager 1.7.0	macOS	ARM64, Apple Silicon	eb2fde0b9f45d9be0d4debb0d12ade9c8b956a61bcb2c0b65a677f38135b9d58	Signature
CLI tool for CyberArk Certificate Manager 1.7.0	Windows	AMD64 / x86-64	69cf65385955f2a20536fb4c3a7b19b33df3b76edf1f27b241290ab82b69a41a	Signature
Checksums (SHA256)

Release 1.6.0¶

CLI tool for CyberArk Certificate Manager 1.6.0 was released on February 23, 2024.

Key features¶

Service account creation for CyberArk Workload Identity Manager

Release 1.6.0 allows you to create services accounts that allow Workload Identity Manager to connect to CyberArk Certificate Manager - SaaS using the new venctl iam service-accounts firefly create command. For more information, see the CyberArk CLI command reference documentation.
FIPS support for CSI Driver

This release includes support for FIPS-compliant versions of Docker images for CSI Driver.
New positional arguments

Instead of having to use the --name flag with the following commands, you can now also use positional arguments:
- venctl iam service-accounts describe
- venctl iam service-accounts registry create
- venctl iam service-accounts delete
- venctl installation cluster connect
For example:
```
venctl iam service-accounts describe my-service-account
```
Logging and error messages improvements

Several updates have been made that improve error messages and logging in the CLI tool for CyberArk Certificate Manager.

Default component versions for this release

The venctl components kubernetes manifest generate command now installs Enterprise Issuer for CyberArk Certificate Manager v0.12.0 and Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments v0.1.45.

Below is a full list of the component versions installable by default in release 1.6.0.

Component	Default version for this release
Approver Policy	v0.12.1
Enterprise Approver Policy for CyberArk Certificate Manager	v0.13.0
AWS Private CA Issuer	v1.2.7
cert-manager	v1.14.3
CSI Driver	v0.7.1
CyberArk Workload Identity Manager	v1.3.1
Trust Manager	v0.8.0
Connection for CyberArk Certificate Manager	v0.0.19
Enterprise Issuer for CyberArk Certificate Manager	v0.12.0
Discovery Agent for CyberArk Certificate Manager in Kubernetes and OpenShift Environments	v0.1.45

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.6.0	Linux	AMD64 / x86-64	08ad637f5f3b55fe0ea232e1c9b2f318a1a388408db0d2f5e550fb39a6da9b57	Signature
CLI tool for CyberArk Certificate Manager 1.6.0	Linux	ARM64	d36ac9abe8df6f812d864442501217a7e369cb68a54f32582a3d711fdb314952	Signature
CLI tool for CyberArk Certificate Manager 1.6.0	macOS	AMD64 / x86-64	104086f856e2f7c69602029a38377a3efbd208595473233e3e5d78872b9fab1c	Signature
CLI tool for CyberArk Certificate Manager 1.6.0	macOS	ARM64, Apple Silicon	2ab8e11408297b3c1077112b899bae2c45cec6cc4351f316180dd7b38042ddc6	Signature
CLI tool for CyberArk Certificate Manager 1.6.0	Windows	AMD64 / x86-64	9753d92abcbacce0144b42ce075399f6d235e5265d1377e3d8eacbda1d8b9239	Signature
Checksums (SHA256)

Release 1.5.0¶

CLI tool for CyberArk Certificate Manager 1.5.0 was released on February 9, 2024.

Breaking Changes¶

Updated flags in venctl iam service-accounts registry create¶

As of this version, the CLI tool for CyberArk Certificate Manager introduces two critical flag changes that impact how you create service accounts for CyberArk OCI registry access:

Renamed Flag: --image-pull-secret-file is now --credential-file.
Renamed Flag: --image-pull-secret-format is now --credential-format.

This change aligns with broader terminology within the CLI tool for CyberArk Certificate Manager, and aims to simplify usage. Remember to update your commands accordingly to avoid errors.

Example:

CLI tool for CyberArk Certificate Manager 1.2.0 - 1.4.0:

venctl iam service-accounts registry create --name sa --image-pull-secret-file my-secret.yaml --image-pull-secret-format secret

CLI tool for CyberArk Certificate Manager 1.5.0:

venctl iam service-accounts registry create --name sa --credential-file my-credential.json --credential-format secret

Updated the output format of --credential-format secret for venctl iam service-accounts registry create¶

This update impacts how CLI tool for CyberArk Certificate Manager generates service accounts for registry access with the --credential-format secret flag.

Previously, only the Kubernetes secret (in YAML format) was included in the output. Now, both client_id and the Kubernetes secret for image pulling (in YAML format) are provided under a JSON structure.

Output details

Upon successful execution of venctl iam service-accounts registry create --name sa --credential-file my-credential.json --credential-format secret, the output will include:

client_id: The client identifier used for authentication with the registry.
image_pull_secret: The Kubernetes secret encoded in YAML format, granting access to CyberArk OCI registry artifacts.

Accessing the client ID and secret

To extract the image_pull_secret from the JSON output, use the following command:

jq -r '.image_pull_secret' < my-credential.json

To extract the client_id from the JSON output, use the following command:

jq -r '.client_id' < my-credential.json

Important

The commands above assume the output is saved in a file named my-credential.json. Replace it with the actual file path as necessary.

Key features¶

Service account creation for Discovery Agent

A venctl iam service-accounts agent create command was added. This command allows you to create service accounts in CyberArk Certificate Manager - SaaS for your CyberArk Kubernetes Agents.
Service account listing

A new venctl iam service-accounts list command was added. This command lists all service accounts in Certificate Manager - SaaS. For more information, see the venctl reference page.
Service account description

The venctl iam service-accounts show command has been renamed venctl iam service-accounts describe. It provides a description of a named service account in Certificate Manager - SaaS. For more information, see the venctl reference page.
CyberArk Improvements to the Manifest tool for CLI tool for CyberArk Certificate Manager

This release also sees updates to the way that the Manifest tool for CyberArk Certificate Manager deploys cert-manager, and adds support for cert-manager v1.14.1 and later.
Flag changes

The --image-pull-secret-file and --image-pull-secret-format flags for the venctl iam service-accounts registry create command have been renamed to --credential-file and --credential-format, respectively.

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.5.0	Linux	AMD64 / x86-64	3f3b41b9808b4af71491a147d2d42e962780548ce4188d21bb3de7a98d547722	Signature
CLI tool for CyberArk Certificate Manager 1.5.0	Linux	ARM64	1984c6a5c6b8a4a2d5ad50b227bc006a6ec8e42792fb363ef594c2bc825cdaba	Signature
CLI tool for CyberArk Certificate Manager 1.5.0	macOS	AMD64 / x86-64	ba3dd02f21f99e5a75b32cd28ddd83478c578fc427d7158359af7fc7348182a9	Signature
CLI tool for CyberArk Certificate Manager 1.5.0	macOS	ARM64, Apple Silicon	37038c99e9b39e4c06b94124e139b6ade73ce87afaacba2b9e55441dc49a6611	Signature
CLI tool for CyberArk Certificate Manager 1.5.0	Windows	AMD64 / x86-64	e35546749dd395cdfde4969a5ec8853ebf71e528de3f6ecd46a64c9a38cb1bdf	Signature
Checksums (SHA256)

Release 1.4.0¶

CLI tool for CyberArk Certificate Manager 1.4.0 was released on January 25, 2024.

Known Issue

Versions 1.4.0 and earlier of the CLI tool for CyberArk Certificate Manager are not able to install cert-manager v1.14.0 or later from a generated manifest.

This issue is addressed in CLI tool for CyberArk Certificate Manager 1.5.0.

Key features¶

FIPS support

This release includes support for FIPS-compliant versions of Docker images for CyberArk components for Kubernetes. A --use-fips-images flag has been added to the venctl components kubernetes manifest generate command to install the desired component using the FIPS-compliant version of the component Docker image.

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.4.0	Linux	AMD64 / x86-64	f913e9cce9d29f2bdd0d165d9829ace60e49075ed02139a42d761cfb5ef05d9d	Signature
CLI tool for CyberArk Certificate Manager 1.4.0	Linux	ARM64	8520421b39c09a2b8b56cd1e53e1b1df758ce92840f0778c7eed8a7cdc58f3af	Signature
CLI tool for CyberArk Certificate Manager 1.4.0	macOS	AMD64 / x86-64	50dae730b043d498ae16149be22a5c0edb57b1f12c68b4bb40f72b1ac58af171	Signature
CLI tool for CyberArk Certificate Manager 1.4.0	macOS	ARM64, Apple Silicon	7d41273e9e44e082d29cd5aa9e6cdb7a9d083cbb76b79699fd825075053d5279	Signature
CLI tool for CyberArk Certificate Manager 1.4.0	Windows	AMD64 / x86-64	739f1cca4445868c062c600acea3a9e9fc4f172883e07aed531329d191bb9ada	Signature
Checksums (SHA256)

Release 1.3.2¶

CLI tool for CyberArk Certificate Manager 1.3.2 was released on January 15, 2024.

Key features¶

Service accounts show command

A new venctl iam service-accounts show command was added. This command provides information on a named service account in Certificate Manager - SaaS. For more information, see the venctl reference page.
Logging improvements

This release sees improvements in logging to support the venctl iam service-accounts show command.
Miscellaneous minor bug fixes

Several minor bugs were also fixed in this release.

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.3.2	Linux	AMD64 / x86-64	123641fad7fab857fedb739aa8386df92cae178c034d59ac2e71e1e868c1dd64	Signature
CLI tool for CyberArk Certificate Manager 1.3.2	Linux	ARM64	4677c8e8bbe2f28014b3f6cdee11651180a4c5b7ad83a5196fc8cf07b7c26958	Signature
CLI tool for CyberArk Certificate Manager 1.3.2	macOS	AMD64 / x86-64	87e6beba0f5241a9f88ddafb0f50c45b76934857725854bd473050312a710947	Signature
CLI tool for CyberArk Certificate Manager 1.3.2	macOS	ARM64, Apple Silicon	ff2283cbc9bd01f8f32975b6375c856ef4b8b151f3390194918cca9bb7cc20cc	Signature
CLI tool for CyberArk Certificate Manager 1.3.2	Windows	AMD64 / x86-64	0111fcc0013f619e895082bc1041a44086d07be4db3f49a686bba5adb4387006	Signature
Checksums (SHA256)

Release 1.3.1¶

CLI tool for CyberArk Certificate Manager 1.3.1 was released on December 20, 2023.

Key features¶

EU region service account deletion issue

Release 1.3.1 fixes an issue where the venctl iam service-accounts delete command didn't work for service accounts using the EU Certificate Manager - SaaS region.

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.3.1	Linux	AMD64 / x86-64	2743d0ac27a515177c4351a8be70870922332058c2e443868a958ffc865b3cd4	Signature
CLI tool for CyberArk Certificate Manager 1.3.1	Linux	ARM64	c1379600daf9e5f1df0e7dbbb7e3b39e7672844fac98dd72f319259bc2f74596	Signature
CLI tool for CyberArk Certificate Manager 1.3.1	macOS	AMD64 / x86-64	eaf728c5824b9c317e033fd082a99222b9dcfba858d9b2af0867816273a9d926	Signature
CLI tool for CyberArk Certificate Manager 1.3.1	macOS	ARM64, Apple Silicon	9513f6d19afe697a8f04a46bdf0c65b1a34cda15cbcfd53e4b147914ce6f768f	Signature
CLI tool for CyberArk Certificate Manager 1.3.1	Windows	AMD64 / x86-64	fe3dbd642334bb4a30bb5ac78a7e67358b8629651b006a3ca540143044aabfe9	Signature
Checksums (SHA256)

Release 1.3.0¶

CLI tool for CyberArk Certificate Manager 1.3.0 was released on December 15, 2023.

Key features¶

Service account deletion

Release 1.3.0 adds a new venctl iam service-accounts delete command for deleting service accounts in Certificate Manager - SaaS.

For more information on how to use this feature, see CLI tool for CyberArk Certificate Manager reference page.
CyberArk Kubernetes manifest for Trust Manager

This release addresses an issue in the CyberArk Kubernetes manifest for the Trust Manager. Previously, the generated manifest pulled the open-source image for the default trust package, now the enterprise Trust Manager version is used unless another registry is configured.

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.3.0	Linux	AMD64 / x86-64	c46cbb94a3db8d909fa2e079d0f64653ae328e21d4c150187d47a4703a6ec3e9	Signature
CLI tool for CyberArk Certificate Manager 1.3.0	Linux	ARM64	7c98800e69b18a688969700a02cea1b09946f001daa78c7324dec69e6a216fc5	Signature
CLI tool for CyberArk Certificate Manager 1.3.0	macOS	AMD64 / x86-64	4c454d7688f6989495583686a6395709b7b886c32d9c93243a4f8d824be26074	Signature
CLI tool for CyberArk Certificate Manager 1.3.0	macOS	ARM64, Apple Silicon	f0761d5edb7c1904ccf0641c4da9edac93d3f3c3217bcd7fa90202df7948217c	Signature
CLI tool for CyberArk Certificate Manager 1.3.0	Windows	AMD64 / x86-64	8b7e12a0deb9b988d00bb4994bea81cac94d6207957898cdc83ec25ae128122b	Signature
Checksums (SHA256)

Release 1.2.1¶

CLI tool for CyberArk Certificate Manager 1.2.1 was released on December 7, 2023.

Key features¶

macOS install script fix

This release fixes an issue with the Bash script used to install the utility on the macOS platform when no GPG tool is installed.

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.2.1	Linux	64-bit	a09b716ac8699abb6106aaaab3785a7028b739b10f91c2d9df4020c017b71b4f	Signature
CLI tool for CyberArk Certificate Manager 1.2.1	Linux	ARM64	cca761d02e61bba83b15cd77e8fe51e59ebb69b2a216dc743cd09e2a015bef0f	Signature
CLI tool for CyberArk Certificate Manager 1.2.1	macOS	64-bit	352cb55fa351263a83258b4d17384ea71cdf80c6f92b76407887d4af97048a4e	Signature
CLI tool for CyberArk Certificate Manager 1.2.1	macOS	ARM64, Apple Silicon	bde09e185bf639ed8d635aa812f239c855ce5654f985a11d8c7e6dea45c8ef14	Signature
CLI tool for CyberArk Certificate Manager 1.2.1	Windows	64-bit	d1c1d8461bd78c0ae33c73edbdc3e9be4125d46be8567f5deea5bda7affa4aaa	Signature
Checksums (SHA256)

Release 1.2.0¶

CLI tool for CyberArk Certificate Manager 1.2.0 was released on December 6, 2023.

Key features¶

Manifest tool for CyberArk Certificate Manager functionality

This release sees the addition of Manifest tool functionality to the CLI tool for CyberArk Certificate Manager. You can now install CyberArk Kubernetes components using the CLI tool for CyberArk Certificate Manager utility.

For more information on how to use this feature, see CLI tool for CyberArk Certificate Manager reference page.
Service account creation

Release 1.2.0 adds a new venctl iam service-accounts registry create command for creating service accounts in Certificate Manager - SaaS for accessing container images from the private CyberArk OCI registry.

For more information on how to use this feature, see CLI tool for CyberArk Certificate Manager reference page.
Utility updates

The release adds the venctl update command to update the venctl binary to the latest available stable version.

For more information on how to use this feature, see CLI tool for CyberArk Certificate Manager reference page.

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.2.0	Linux	64-bit	714666fab8a97e267bb0bd2529b363a56644d0d8617a597694d67a927ea6a90d	Signature
CLI tool for CyberArk Certificate Manager 1.2.0	Linux	ARM64	850708e36a7c308182f90e6fc86111138eeb2287dfaeef8a372292580b0eba4e	Signature
CLI tool for CyberArk Certificate Manager 1.2.0	macOS	64-bit	ee65e6a9ac17630761e97c237dae05b7eff488908d2c92288f53b83ab02a1ece	Signature
CLI tool for CyberArk Certificate Manager 1.2.0	macOS	ARM64, Apple Silicon	353573021ce33457be8f31216fa24863b8cf70b0b2f2d17596e91890ec1b807a	Signature
CLI tool for CyberArk Certificate Manager 1.2.0	Windows	64-bit	bdc2b91537cd1b293537c8fce1308bb80c72a5c57237cd64a290639c1a4ae0a7	Signature
Checksums (SHA256)

Release 1.1.0¶

CLI tool for CyberArk Certificate Manager 1.1.0 was released on November 3, 2023.

Key features¶

Code signing

This release introduces GPG code signing for the CLI tool for CyberArk Certificate Manager binaries, enabling them to be verified for authenticity.

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum	GPG Signature
CLI tool for CyberArk Certificate Manager 1.1.0	Linux	64-bit	939547572ec4e91bc2e5916ec8c22ed544ec7df071b83cd0067b567eb8b1ab4a	Signature
CLI tool for CyberArk Certificate Manager 1.1.0	Linux	ARM64	cbd58f3f312d1eaed189350d9fc3762dbba5c149261bc64a5b1dbac7c23056ae	Signature
CLI tool for CyberArk Certificate Manager 1.1.0	macOS	64-bit	2a32444ffb2d935d8af0987fbf997c05224bae0af0caee44927e4d72ecc9fc48	Signature
CLI tool for CyberArk Certificate Manager 1.1.0	macOS	ARM64, Apple Silicon	529bbf3b98d6e3ae829c5210330fbe2aa682980a271d746a3b129a2ae4a94973	Signature
CLI tool for CyberArk Certificate Manager 1.1.0	Windows	64-bit	72a0a54b7aa755a3b0ea9238369c42c1605f3cdd043b29bcb9af5fe807d0ae3f	Signature
Checksums (SHA256)

Release 1.0.2¶

CLI tool for CyberArk Certificate Manager 1.0.2 was released on November 1, 2023.

Key features¶

Bug fixes and enhancements

This release of the CLI tool for CyberArk Certificate Manager contains some bug fixes, and some small under-the-hood enhancements.

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum
CLI tool for CyberArk Certificate Manager 1.0.2	Linux	64-bit	18194c1dfadaedabb2d84f87f47917e1af06eeca8d334b11c16f7391c0cb7d1a
CLI tool for CyberArk Certificate Manager 1.0.2	Linux	ARM64	202e6d16672f52fa7b18228642dc22bff6d1ad509dec87840efd49057df4ddb5
CLI tool for CyberArk Certificate Manager 1.0.2	macOS	64-bit	5574c4bdc8b28b87b799d00f9372b2bcaa3d513e9e900cf9af84e1b9a98d9889
CLI tool for CyberArk Certificate Manager 1.0.2	macOS	ARM64, Apple Silicon	601bf1216ffffdca7ad2105abb3ae18fc7bb83e4ffc3df2747b72369228c88e4
CLI tool for CyberArk Certificate Manager 1.0.2	Windows	64-bit	f502d3f03cdc417e5c71f64c5a5dbd64eabe8dd4d7235e8d3440cc09b7b7e494
Checksums (SHA256)

Release 1.0.0¶

CLI tool for CyberArk Certificate Manager 1.0.0 was released on October 15, 2023.

Key features¶

Connect Kubernetes clusters to CyberArk Certificate Manager - SaaS

CLI tool for CyberArk Certificate Manager provides a convenient way to connect Kubernetes clusters to Certificate Manager - SaaS.

To learn more, use the venctl installation cluster connect --help command.

Downloads

Select the file appropriate for your platform:

Release	OS	Architecture	SHA256 Checksum
CLI tool for CyberArk Certificate Manager 1.0.0	Linux	64-bit	1c8dacade6857266c7cd6c02c6dad139d1f4f0f3fb6d6f14bef551eea8cd0457
CLI tool for CyberArk Certificate Manager 1.0.0	Linux	ARM64	7daad16d55d2aedbc8b6f21944cbaa23adc4ca1011cd6c9eac537b392d0654ee
CLI tool for CyberArk Certificate Manager 1.0.0	macOS	64-bit	fa0aa723eeb58aa85c0fd43419ccbba3080e0638c17d1fe01d77d66f5d9baec4
CLI tool for CyberArk Certificate Manager 1.0.0	macOS	ARM64, Apple Silicon	daae557f0fc73e42c2205bda3b5a2cd3d28bd021c0e97cb88b5db47811af071d
CLI tool for CyberArk Certificate Manager 1.0.0	Windows	64-bit	0f58ff27bd332b92b2cd49af81efd96f74f6336f68f767013dd36882ac20df38
Checksums (SHA256)

CLI tool for CyberArk Certificate Manager releases¶

Latest release¶

Verifying CLI tool for CyberArk Certificate Manager archives after download¶

Release 1.23.0¶

Key features¶

Release 1.22.0¶

Key features¶

Release 1.21.0¶

Key features¶

Release 1.20.0¶

Key features¶

Release 1.19.0¶

Key features¶

Release 1.18.1¶

Key features¶

Release 1.18.0¶

Key features¶

Release 1.17.0¶

Key features¶

Release 1.16.0¶

Key features¶

Release 1.15.4¶

Key features¶

Release 1.15.3¶

Key features¶

Release 1.15.2¶

Key features¶

Release 1.15.1¶

Key features¶

Release 1.15.0¶

Key features¶

Release 1.14.1¶

Key features¶

Release 1.14.0¶

Key features¶

Release 1.13.0¶

Key features¶

Release 1.12.0¶

Key features¶

Release 1.11.0¶

Key features¶

Release 1.10.0¶

Key features¶

Release 1.9.0¶

Breaking Changes¶

Key features¶

Release 1.8.0¶

Breaking changes¶

Key features¶

Release 1.7.0¶

Key features¶

Release 1.6.0¶

Key features¶

Release 1.5.0¶

Breaking Changes¶

Updated flags in venctl iam service-accounts registry create¶

Updated the output format of --credential-format secret for venctl iam service-accounts registry create¶

Key features¶

Release 1.4.0¶

Key features¶

Release 1.3.2¶

Key features¶

Release 1.3.1¶

Key features¶

Release 1.3.0¶

Key features¶

Release 1.2.1¶

Key features¶

Release 1.2.0¶

Key features¶

Release 1.1.0¶

Key features¶

Release 1.0.2¶

Key features¶

Release 1.0.0¶

Key features¶

Related links¶