Releases

Changelog

A record of every version — what's new, what's fixed, and what's changed.

V7.4.0 Latest July 2026

New

  • ClearPass deployment — Windows — certificate deployment to Aruba ClearPass now works end to end via the correct ClearPass REST endpoint. New controls let you choose the network interface used to serve the certificate, inspect the current certificate and its expiry on each server, and review per-server upload results (Windows)

Enhancement

  • ClearPass — no external dependencies (macOS) — the certificate is now served to ClearPass by a built-in, in-memory file server; Python and the Xcode Command Line Tools are no longer required, and nothing is written to disk (macOS)
  • Legacy encryption warning — PRISM now warns before upload if a selected PFX uses modern AES encryption that some appliances reject, and points you to Legacy Mode in the PFX Generator (macOS + Windows)

Bug Fix

  • ClearPass ECC (macOS) — fixed ECC certificate deployments so the HTTPS(ECC) service is targeted correctly (macOS)
  • Stability — SSH/ADFS, Cisco ISE, and PFX operations can no longer hang the app; the Chain Builder no longer stalls on unusual inputs; fixed several conditions that could crash the app; temporary certificate files are always cleaned up (macOS + Windows)
V7.3.0 April 2026

New

  • Deploy Hub — dedicated section grouping all certificate deployment tools in one place; navigate directly to ClearPass, Cisco ISE, or Windows ADFS from a single hub view (macOS)
  • Cisco ISE Deploy — import PFX certificates into Cisco Identity Services Engine via the Open API; supports Portal, Admin, EAP, RADIUS, pxGrid, SAML, and IMS certificate roles (macOS + Windows)
  • ADFS Certificate Deployment (Beta) — deploy PFX certificates to AD Federation Services locally or via SSH; auto-detects if ADFS is running on the same machine and deploys directly without SSH (macOS + Windows)

Enhancement

  • Chain Extractor — PFX/P12 support — enter the password to decrypt a PFX/P12 file and extract the full certificate chain into individual .pem files (macOS + Windows)

Bug Fix

  • Chain Builder — fixed bundle parsing to correctly identify only intermediate and root CA certificates (Windows)
V7.2.6 April 2026

New Tool

  • Chain Extractor — drop any PEM, CRT, or bundled chain file and PRISM splits it into individual files: server certificate, intermediate CA(s), and root CA; save each as a separate .pem with a single click (macOS + Windows)

Themes

  • Nothing OS theme — new card aesthetic inspired by Nothing OS: pure black panels, 3×3 dot-matrix brand mark, dashed borders, and clean monospaced typography (macOS)
V7.2.5 Windows April 2026

Bug Fix

  • PFX Generator — ClearPass compatibility — PFX files now default to legacy 3DES + SHA-1 MAC encryption, matching what Aruba ClearPass and other network appliances require; previously the modern AES-256 default caused silent import failures (Windows)
  • localKeyId attribute — PFX files now correctly embed the key-to-certificate linkage attribute, resolving import failures on ClearPass regardless of certificate or CA used (Windows)
V7.2.4 March 2026

Inventory

  • Import External CSR — import a .csr, .pem, or .req file generated outside PRISM into Inventory as a pending entry; vault storage and signed-cert promotion work identically to PRISM-generated CSRs (macOS + Windows)

Vault

  • Vault Backup Export/Import — export your entire vault and inventory as an encrypted .prismbackup file (AES-256-GCM ZIP); import on a fresh machine via Replace mode or merge into an existing vault via Merge mode with automatic per-entry key re-wrapping (macOS + Windows)

Licensing

  • License key stored in Keychain — activation is now persisted in the macOS Keychain instead of UserDefaults, so it survives app reinstalls and updates without requiring re-activation
  • Existing licenses are automatically migrated to the Keychain on first launch — no action required
  • Activation now includes a machine-specific identifier so each device is uniquely tracked in the licensing dashboard

Updates

  • Done & Close — the final step of the in-app updater now quits the running app when clicked, so the old version isn't holding files open while you drag the new one into Applications
V7.2.3 March 2026

Chain Builder

  • Unified Chain Builder — auto-detects cert type on selection: P7B bundle (sorts and validates), public CA (builds via system keychain), or private CA (provide intermediates and root manually). Replaces the separate Private CA Chain tool.
  • Append Root & Save — if the root CA is missing after a build, a warning banner and root CA picker appear inline to complete the chain without rebuilding
  • Bundle attach sheet now only appears after a fully verified chain — no premature prompts when the root CA is still missing

Vault

  • Master password required on every launch — vault keys are never cached between sessions
  • Full-screen cover during unlock — inventory content is hidden behind an opaque overlay while entering the master password

Inventory

  • CA nesting — Root CA and Intermediate CA entries are displayed nested under their associated server certificate, not as standalone rows
  • Root CA detection fixed — self-signed certs now correctly identified via DER byte comparison; previously all appeared as Intermediate CA
  • Private root CAs provided in Chain Builder are automatically tracked in Inventory with accurate expiry dates
  • Home inventory card shows only server certificate expiry — root and intermediate CAs excluded from the preview
  • CA entries with no matching parent server cert remain visible at the top level
V7.2.1 March 2026

Security

  • Server-side trial enforcement — trial state is now registered per device via a Cloudflare Worker; clearing local data can no longer reset the trial clock
  • Existing active trial users are automatically checked in on first launch of 7.2.1, anchoring their real start date server-side
V7.2.0 macOS March 2026

Certificate Lifecycle Tracking

  • CSR Generator creates an Inventory entry automatically — your certificate is tracked from the moment you generate the request, before a signed cert even exists
  • Vault integration at CSR generation time — optionally encrypt the private key into a password-protected vault as part of the CSR workflow
  • PFX Generator step-by-step workflow — guided flow walks you through the full lifecycle from CSR through signing and PFX creation in sequence
  • Inventory now tracks every file created (CSR, private key, signed cert, full chain, PFX) and lets you export any of them directly from the entry detail view

Updates

  • In-app update downloader — download the latest DMG directly without leaving PRISM; progress bar shows download status
  • Update alerts now appear in the main window instead of buried in Settings, so background checks surface correctly
  • What's New screen on first launch after each update — no more wondering what changed

Themes

  • New Amber theme — classic 1980s amber phosphor terminal aesthetic

Bug Fixes

  • Fixed app bundle identifier not being set correctly in SPM builds — preferences and vault data now stored under the correct tech.cmdlab.prism domain; existing data is migrated automatically on first launch
V7.1.1 March 2026

Vault Security Upgrade

  • Upgraded to two-layer envelope encryption: a single app-level Master Key is derived via PBKDF2-SHA256 at 600,000 iterations (up from 310,000); each bundle gets a random 256-bit Vault Key wrapped by the Master Key
  • One vault password now unlocks all certificate bundles in a session — no more per-entry prompts
  • Password changes are instant (O(1)) — only the wrapped key file is re-encrypted, certificate files are untouched
  • Fully backward-compatible: existing V1 bundles continue to work with their original per-entry passwords

Certificate Inventory

  • Renewal detection: importing a cert with the same Common Name but a new serial number now prompts to update the existing entry (preserving vault, bundle, notes, and tags) or add it as a separate entry
  • Tags moved to detail header: tag chips are now inline next to the certificate title; a tag icon button opens a compact popover for adding new tags
  • Bundle picker now shows expiry month/year (e.g. "Expires Mar 2026") for each entry so renewals with the same CN are distinguishable; expired entries highlighted in red

PFX Generator

  • Auto-loads FullChain.cer when navigating to the PFX Generator if one is available — no manual click required
  • Private key passphrase field is no longer pre-filled — must be re-entered each time for security
  • Generated PFX is now offered for attachment to an existing certificate bundle, matching the Full Chain Builder behavior

Legal & Compliance

  • Added Legal & Compliance section in Settings with ECCN 5D992.c export classification and scope disclosures
  • Added Security & Legal section in Help / Tutorial with the same disclosures and a link to the compliance page
  • README updated with a ⚖️ Legal & Export Controls section covering certificate scope, local-only processing, user responsibility, and export classification
  • Landing page footer now includes a one-line compliance disclaimer with a link to the Security page

Bug Fixes

  • Removed duplicate "Skip" button from the top-right corner of the Bundle Attach sheet
V7.1.0 macOS March 2026

Certificate Bundles

  • New Certificate Bundle system groups all lifecycle files (CSR, private key, signed cert, full chain, PFX) under one inventory entry
  • Three storage modes: Metadata Only (path references), Master Password Vault (AES-256-GCM + PBKDF2-SHA256 at 310K iterations), and Keychain Vault (private key in macOS Keychain)
  • Pending entries: bundle is created at CSR generation time before a signed cert exists; automatically promoted to a full X.509 entry when the signed cert is attached
  • Bundle Attach Sheet: after building a Full Chain or generating a PFX, PRISM offers to attach the file to an existing bundle in one click
  • Certificate Files section in the inventory detail view shows all attached files with per-file Export buttons
  • Session-level vault unlock prompt on launch when any master-password bundles are present; decrypted keys cached in memory only

License & Activation

  • Simplified to local-only license validation — no periodic network revalidation required after activation
  • License validation fires immediately on activation rather than on next app restart
  • Added multi-product license support to the Windows build

Windows

  • Added code signing to the Windows build pipeline
  • AppInfo.cs is now auto-patched with the correct version at build time via build.bat
  • Improved installer and update flow

Website

  • Legal pages (Privacy Policy, Terms of Service, License) are now self-hosted; broken footer links fixed
  • CMDLAB rebrand applied across all website pages
  • Updated landing page hero with brand image, refined icon sizing, and cleaned up glow effects
V7.0.4 March 2026

Bug Fixes

  • Fixed license activation not triggering validation immediately on macOS

Windows

  • Improved update flow and installer behavior
  • Fixed installer packaging issues affecting clean installs
V7.0.2 March 2026

Monetization

  • Switched to a new payment and license management provider
  • Updated checkout flow and license activation for both macOS and Windows

Website

  • Redesigned landing page with simpler layout and OS-aware download buttons
  • Downloads now served from a global CDN for improved reliability
V7.0.1 March 2026

Help & Tutorial

  • Added Help & Tutorial system on both macOS and Windows with per-tool documentation, keyboard shortcuts, and workflow guides
V7.0.0 March 2026

Major Release

  • Complete macOS rebuild as a native Swift/SwiftUI app (replacing prior Python-based version)
  • New v7 icon and visual identity
  • App Store build variant and direct-distribution DMG build
  • Paid licensing via in-app purchase — first paid release

Certificate Inventory

  • New persistent certificate library with expiry tracking, tags, notes, CSV export, and search/filter
  • Auto-import from CSR Generator
  • Expiry status badges (Valid, Expiring Soon, Expired)

Windows

  • Complete rewrite of the Windows app using C#/WinUI 3 (.NET 9)
  • Feature parity with macOS across CSR generation, Full Chain Builder, PFX Generator, and PFX Extractor