From 003677c7db983f0cdd7f8dbb029ff3102927aeb6 Mon Sep 17 00:00:00 2001 From: Elin Fokine Date: Fri, 30 Jan 2026 15:18:31 +0100 Subject: [PATCH 1/5] Update version number. --- src/Directory.Build.props | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Directory.Build.props b/src/Directory.Build.props index 406cc41d..bf086af4 100644 --- a/src/Directory.Build.props +++ b/src/Directory.Build.props @@ -14,15 +14,15 @@ $(AssemblyName) - 11.1.3 - - 10.0.0.0 + 12.0.0 + beta.1 + 12.0.0.0 $(VersionPrefix).0 $(VersionPrefix).$(BUILD_BUILDNUMBER) Active Solution;Peter Örneholm;Elin Fokine;Tobias Lolax;Marcus Abrahamsson Active Solution - Copyright © 2018-2024 Active Solution + Copyright © 2018-2026 Active Solution https://github.com/ActiveLogin/ActiveLogin.Authentication icon.png From 2ac0861467e5d932ec92944e1f7de86ef61ffc0d Mon Sep 17 00:00:00 2001 From: Elin Fokine Date: Fri, 30 Jan 2026 15:46:31 +0100 Subject: [PATCH 2/5] Documented breaking changes from version 12.0.0. --- BREAKINGCHANGES.md | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/BREAKINGCHANGES.md b/BREAKINGCHANGES.md index 97af4318..4e806d79 100644 --- a/BREAKINGCHANGES.md +++ b/BREAKINGCHANGES.md @@ -7,6 +7,7 @@ ___Note:___ We might, and will probably, miss to document some of this - if so - ## TOC +* [Version 12.0.0](#version-1200) * [Version 11.0.0](#version-1100) * [Version 10.0.0](#version-1000) * [Version 9.0.0](#version-900) 
@@ -17,8 +18,31 @@ ___Note:___ We might, and will probably, miss to document some of this - if so - * [Version 5.0.0](#version-500) * [Version 4.0.0](#version-400) ---- +------ + +## Version 12.0.0 + +Breaking changes between version 11.0.0 and 12.0.0 + +### Upgrade to .NET 10 + +Active Login now requires **.NET 10**. + +If you are upgrading from an earlier version, you must update any application or website using Active Login to target .NET 10. + +### Embedded BankID certificates +When loading embedded BankID certificates (client test certificate and root certificates for both test and production), we now use `X509KeyStorageFlags.DefaultKeySet` by default. + +If this change causes issues in your environment, you can override the `X509KeyStorageFlags` used for the client test certificate. + +### Loading client BankID certificate from Azure Key Vault + +When loading the client BankID certificate from Azure Key Vault, we now use `X509KeyStorageFlags.DefaultKeySet` by default. + +If this causes issues in your environment, it is possible to override the `X509KeyStorageFlags` used when loading the certificate. + +--- ## Version 11.0.0 @@ -110,7 +134,7 @@ We have renamed these things as a result of that: * `AddCustomAppCallback` becomes `AddCustomBrowser` * `AddCustomAppCallbackByUserAgent` becomes `AddCustomBrowserByUserAgent` -### Upgrade to .NET 7 +### Upgrade to .NET 8 We now require .NET 8 - so this requires you to upgrade your website that uses Active Login. From bbad0178ceaf2f217679ae424847c299483efe7b Mon Sep 17 00:00:00 2001 From: Elin Fokine Date: Fri, 30 Jan 2026 16:10:48 +0100 Subject: [PATCH 3/5] Update the docs about overriding X509KeyStorageFlags. --- docs/articles/bankid.md | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/docs/articles/bankid.md b/docs/articles/bankid.md index 2487a14f..3d11a82b 100644 --- a/docs/articles/bankid.md +++ b/docs/articles/bankid.md 
@@ -216,8 +216,6 @@ This will use the real REST API for BankID, connecting to the Test environment. It will automatically register both the root and client certificate, even though this behaviour can be disabled. A scenario might be that you want to use the same flow for both test and prod and therefore make sure that fetching the certificate from KeyVault works by trying that out for test. It could also be useful if you are running an older version of Active Login which contains an expired version of the test certificate. You can then disable using the embedded, expired certificate and provide the valid test certificate yourself. -BankId provides the client certificate for the test environment in three different versions FPTestcert5_20240610.p12, FPTestcert5_20240610.pem and FPTestcert5_20240610-legacy.pfx. Use `FPTestcert5_20240610.p12` for newer applications and environments that support modern encryption methods. Use `FPTestcert5_20240610.pem` if your application requires PEM format. Use `FPTestcert5_20240610-legacy.pfx ` for older applications requiring older algorithms such as Windows Server earlier versions than 2022. The format of the client certificate can be configured. By default `FPTestcert5_20240610-legacy.pfx `is used. - ```csharp services .AddBankId(bankId => @@ -226,7 +224,7 @@ services }); ``` -Disable adding the certificates: +#### Disable adding the certificates ```csharp services 
@@ -236,7 +234,9 @@ services }); ``` -Specify client certificate format: +#### Specify client certificate format + +BankId provides the client certificate for the test environment in three different versions FPTestcert5_20240610.p12, FPTestcert5_20240610.pem and FPTestcert5_20240610-legacy.pfx. Use `FPTestcert5_20240610.p12` for newer applications and environments that support modern encryption methods. Use `FPTestcert5_20240610.pem` if your application requires PEM format. Use `FPTestcert5_20240610-legacy.pfx ` for older applications requiring older algorithms such as Windows Server earlier versions than 2022. The format of the client certificate can be configured. By default `FPTestcert5_20240610-legacy.pfx `is used. ```csharp services @@ -246,6 +246,23 @@ services }); ``` +#### Override default X509KeyStorageFlags + +By default, `X509KeyStorageFlags.DefaultKeySet` is used when loading the embedded client certificate for the test environment. + +If this default does not work in your environment, it is possible to override the `X509KeyStorageFlags` used when loading the certificate. This allows you to configure certificate handling in a way that is compatible with your specific hosting or security requirements. + +```csharp +services + .AddBankId(bankId => + { + bankId.UseTestEnvironment( + keyStorageFlags: X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable + ); + }); +``` + + ### Production environment This will use the real REST API for BankID, connecting to the Production environment. It requires you to have the client certificates described under _Preparation_ above. From fe4659e8fab4eb7dc7573378ae1a45e151c74bd3 Mon Sep 17 00:00:00 2001 From: Elin Fokine Date: Fri, 30 Jan 2026 16:17:09 +0100 Subject: [PATCH 4/5] Added documentation about overriding X509KeyStorageFlags when loading client certificate from key vault. --- docs/articles/bankid.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) 
diff --git a/docs/articles/bankid.md b/docs/articles/bankid.md index 3d11a82b..b7b077f8 100644 --- a/docs/articles/bankid.md +++ b/docs/articles/bankid.md @@ -530,6 +530,19 @@ services.AddBankId(bankId => }); ``` +By default, `X509KeyStorageFlags.DefaultKeySet` is used when loding the client Certificate from Azure Key Vault. + +If this does not work in your environment, it is possible to override the `X509KeyStorageFlags` used when loading the certificate. This allows you to configure certificate handling in a way that is compatible with your specific hosting or security requirements. + +```csharp +services.AddBankId(bankId => + { + bankId + .UseProductionEnvironment() + .UseClientCertificateFromAzureKeyVault(configuration.GetSection("ActiveLogin:BankId:ClientCertificate"), X509KeyStorageFlags.EphemeralKeySet) + ... + }); +``` ### Using client certificate from custom source From 115a0ea4eb8bdfcca052f08f3b21fb0fc58a9efb Mon Sep 17 00:00:00 2001 From: Elin Fokine Date: Fri, 30 Jan 2026 16:42:32 +0100 Subject: [PATCH 5/5] Add links to documentation from release notes. --- BREAKINGCHANGES.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/BREAKINGCHANGES.md b/BREAKINGCHANGES.md index 4e806d79..6247a2fc 100644 --- a/BREAKINGCHANGES.md +++ b/BREAKINGCHANGES.md 
@@ -34,13 +34,13 @@ If you are upgrading from an earlier version, you must update any application or When loading embedded BankID certificates (client test certificate and root certificates for both test and production), we now use `X509KeyStorageFlags.DefaultKeySet` by default. -If this change causes issues in your environment, you can override the `X509KeyStorageFlags` used for the client test certificate. +If this change causes issues in your environment, you can override the `X509KeyStorageFlags` used for the client test certificate. See [the documention](https://docs.activelogin.net/articles/bankid.html#test-environment) for information about how it is done. ### Loading client BankID certificate from Azure Key Vault When loading the client BankID certificate from Azure Key Vault, we now use `X509KeyStorageFlags.DefaultKeySet` by default. -If this causes issues in your environment, it is possible to override the `X509KeyStorageFlags` used when loading the certificate. +If this causes issues in your environment, it is possible to override the `X509KeyStorageFlags` used when loading the certificate. See [the documention](https://docs.activelogin.net/articles/bankid.html#using-client-certificate-from-azure-keyvault) for information about how it is done. ---
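
Review bot: in [PATCH 1/5], src/Directory.Build.props, the suffix value `beta.1` is now hard-coded where the line was previously empty, so it has to be removed by hand before the final 12.0.0 packages are built. Consider supplying it from the build pipeline, or add a release checklist item for it. The same hunk moves the assembly version from `10.0.0.0` to `12.0.0.0` although the package version was already `11.1.3`. The BREAKINGCHANGES.md entry added in 2/5 does not mention that jump, and consumers that bind by assembly version will notice it.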
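
Review bot: in [PATCH 2/5], BREAKINGCHANGES.md hunk `@@ -17,8 +18,31 @@`, both certificate sections say "we now use `X509KeyStorageFlags.DefaultKeySet` by default" without stating which flags were used before. A reader therefore cannot tell what actually changes for private key storage in their environment, or what "causes issues" would look like. Please name the previous value and the typical symptom. The "Embedded BankID certificates" section also says the change covers the root certificates, but the override is only offered for the client test certificate; say explicitly whether the root certificate flags can be changed. Two smaller points: the intro line reads "between version 11.0.0 and 12.0.0" while the props file in 1/5 shows the previous release as 11.1.3, and the `### Embedded BankID certificates` heading has no blank line after it, unlike the other headings in the section.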
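
Review bot: in [PATCH 3/5], docs/articles/bankid.md hunk `@@ -236,7 +234,9 @@`, the paragraph moved under "Specify client certificate format" carries over its formatting slips: a trailing space inside the backticks of `FPTestcert5_20240610-legacy.pfx ` (twice), a missing space before "is used", a missing colon after "three different versions", and "BankId" where the rest of the docs write "BankID". Since the paragraph is being touched anyway, fix these in the same commit. The first mention of the three file names is also not in code formatting while the later mentions are.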
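
Review bot: in [PATCH 3/5], docs/articles/bankid.md hunk `@@ -246,6 +246,23 @@`, the only example of the override is `keyStorageFlags: X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable`, and the surrounding text gives no reason for either flag. Documentation samples get copied as they are, and this one asks for the private key to be stored in the machine key set and marked exportable, which is broader than most hosts need. Either show the least permissive value that solves a named problem, or add a sentence per flag saying what it does and when it is required. The sample also needs a note that `X509KeyStorageFlags` lives in `System.Security.Cryptography.X509Certificates`, and the hunk adds two blank lines before `### Production environment` where one is used elsewhere.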
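
Review bot: in [PATCH 4/5], docs/articles/bankid.md hunk `@@ -530,6 +530,19 @@`, the first added sentence has a typo and stray capital: "loding the client Certificate" should be "loading the client certificate". The sample passes the flags positionally, `UseClientCertificateFromAzureKeyVault(..., X509KeyStorageFlags.EphemeralKeySet)`, while the test environment sample in 3/5 uses the named argument `keyStorageFlags:`. Use the named form here too so the reader can see which parameter is set. The test environment section got its own `#### Override default X509KeyStorageFlags` heading in 3/5, but this text is appended without one, which makes it hard to link to. As in 3/5, the text does not say why `EphemeralKeySet` was picked for the example or how it differs from the default.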
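
Review bot: in [PATCH 5/5], BREAKINGCHANGES.md hunk `@@ -34,13 +34,13 @@`, both added sentences spell the link text "the documention"; it should be "the documentation". The first link targets `#test-environment`, the top of a long section, although 3/5 adds a dedicated "Override default X509KeyStorageFlags" heading that could be linked directly. The second link targets `#using-client-certificate-from-azure-keyvault`; please check that this anchor matches the heading as rendered, since 4/5 adds the override text there without a heading of its own.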