privacyIDEA 2.12 released. Event Handler, Certificates, PKCS12 / PKCS11 and much more…

Today we released privacyIDEA 2.12.

Certificates and Hardware Security Modules

wristwatch-407096_640The certificate handling in privacyIDEA was improved. Administrators can now enroll a certificate token for a user and also generate the RSA key pair. Users can download the certificate and the private key as a PKCS12/PFX container. This is useful in certain scenarios where a VPN client requires the local installation of a client certificate that stays on the machine.

In addition support for hardware security modules like the Nitrokey HSM was added. This was done by adding a PKCS11 security module.

Time Dependent Policies

It is now possible to restrict policies to certain times. Thus you can allow the login outside of the office hours only with a yubikey while allowing login with a Google Authenticator only during daylight. Or the token management of the C-level group tokens could only be allowed on mondays…

…do what you want!

Event Handler Framework

The event handler is a complete new concept of allowing new workflows in privacyIDEA. Depending on certain conditions each event (REST API calls) may trigger a new action. The administrator may configure the triggered actions in the most flexible manner.

E.g. if a token is enrolled or assigned, the user may be notified about this. The event handler framework allows for any kind of thinkable workflow. Please read our previous post on this topic.

…do what you want!


This is the complete changelog.


  • Event Handler Framework #360
  • local CA connector can enroll certificates for users. Users can download PKCS12 file. #383
  • Add and edit users in LDAP resolvers #372
  • Hardware Security Module support via PKCS11
  • Time dependent policies #358


  • Policy for web UI enrollment wizard #402
  • Realm dropdown box at login screen #400
  • Apply user policy settings #390
  • Improve QR Code for TOTP token enrollment #384
  • Add documentation for enrollment wizard #381
  • Improve pi-manage backup to use pymysql #375
  • Use X-Forwarded-For HTTP header as client IP #356
  • Add meta-package privacyidea-mysql #376



  • Adduser honors resolver setting in policy #403
  • Add documentation for SPASS token #399
  • Hide enrollment link (WebUI) is user can not enroll #398
  • Fix getSerial for TOTP tokens #393
  • Fix system config checkboxes #378
  • Allow a realm to be remove from a token #363
  • Improve the date handling in emails #352
  • Sending test emails #350
  • Authentication with active token not possible if the user has a disabled token #339

Leave a comment

One thought on “privacyIDEA 2.12 released. Event Handler, Certificates, PKCS12 / PKCS11 and much more…”