Horizon 2.8.0 release notes

Here are the release notes for EverTrust Horizon v2.8.0, released on 2025-12-01.

For the installation and upgrade procedure, please refer to the Installation and Upgrade guide.

RPM deployments enforced constraints on all DNS values. This default constraint has been removed for compatibility reasons. To enable it again, the following configuration must be added:

horizon.default.constraints.allowed.domains = "^[a-zA-Z0-9\\.\\-\\*]*$"
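
What re-enabling this constraint accepts and rejects, as an added example (not EverTrust code). It assumes Horizon applies the pattern to each DNS value as a whole-string match; the DNS values below are constructed samples.

```python
import re

# The configuration line exactly as given in these release notes.
CONFIG_LINE = r'horizon.default.constraints.allowed.domains = "^[a-zA-Z0-9\\.\\-\\*]*$"'

def effective_pattern(config_line):
    """Return the regex the quoted config value denotes (doubled backslashes undone)."""
    quoted = config_line.split("=", 1)[1].strip()
    return quoted[1:-1].replace("\\\\", "\\")

ALLOWED = re.compile(effective_pattern(CONFIG_LINE))
# Same character class as in the pattern, used to name the offending characters.
ALLOWED_CHAR = re.compile(r"[a-zA-Z0-9.\-*]")

def check_dns(value):
    """Return (accepted, offending_characters) for one DNS value."""
    if ALLOWED.fullmatch(value):  # assumption: whole-value match
        return True, []
    return False, sorted({c for c in value if not ALLOWED_CHAR.fullmatch(c)})

# Constructed sample DNS values, not taken from any real deployment.
SAMPLES = [
    "www.example.com",
    "*.example.com",
    "xn--bcher-kva.example",   # IDN in punycode form
    "b\u00fccher.example",     # same IDN as a raw Unicode label
    "_dmarc.example.com",      # underscore label
    "example.com ",            # trailing space
    "",                        # empty value
    "a..b",                    # empty label between dots
    "ex*ample.*",              # wildcard outside the leftmost label
]

def audit(values):
    """Map each value to its (accepted, offending_characters) result."""
    return {v: check_dns(v) for v in values}

if __name__ == "__main__":
    for value, (ok, bad) in audit(SAMPLES).items():
        verdict = "accepted" if ok else "rejected, offending: %r" % bad
        print("%-26r %s" % (value, verdict))
```

The pattern is a character allow-list only: empty values, consecutive dots and wildcards in any position pass it, so it does not replace profile-level DNS constraints.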

In the Teams configuration, the manager email field has been removed and replaced with a list of managers who can manage team members. The previous manager email is not carried over into this new value. Any notifications that referenced the team manager may need to be reconfigured to use the team’s contact email instead.

The instance upgrade workflow has been altered; please refer to the relevant documentation.

When upgrading from a version prior to 2.8.0, a new keyset must be created using Tinkey before running the migration. The migration tool will fail if the keyset is not generated.

Please refer to the specific upgrade instructions section in the upgrade guide for detailed instructions on how to create a keyset using PlainText, PKCS#11, AWS KMS, or GCP KMS.

1. New Features

  • [HRZ-3120] - Product update: Horizon now supports upgrading without taking all nodes down (upgraded nodes will enter maintenance mode until the database schema is updated).

  • [HRZ-3199] - Requests: PKCS#12 availability time is now configurable in profile configuration

  • [HRZ-2961] - Teams: Added team managers who can add and remove team members

  • [HRZ-2776] - Configuration: Added support for exporting and importing configuration from one instance to another

  • [HRZ-2746] - Added monitored certificates to enable notification capabilities on non-manageable certificates

  • [HRZ-2737] - Switched to industry-standard Tink for encryption management

  • [HRZ-2755] - Certificates and events can now be archived to Parquet files for cold storage

  • [HRZ-2767] - Reports: Emails can now contain a link to download the CSV instead of an attachment

2. Enhancements

  • [HRZ-3022] - Product update: Improved migration tool to allow for pre-migration checks

  • [HRZ-2066] - Third parties: Added the capability to retry all failed triggers on a connector

  • [HRZ-2957] - RA: Login popup now automatically redirects to the OIDC provider if only one OIDC provider is available

  • [HRZ-2270] - Email notification: Added test capability on the UI

  • [HRZ-2958] - RA: Identity provider can now be automatically selected using the selectedIdentityProviderName URL parameter on the /ui#/ra route

  • [HRZ-3021] - Bootstrap: Default Local Identity provider now enforces a secure password policy

  • [HRZ-3136] - Scheduled tasks: Added name field

  • [HRZ-3164] - OIDC: Added PKCE support

  • [HRZ-3219] - Template Strings: Added JSONArray helper function

  • [HRZ-3305] - F5 AS3: Added an option to not add the chain on a certificate renewal

  • [HRZ-3306] - F5 AS3: Certificate private keys will now keep the same encryption level on renewal

3. Bug Fixes

  • [HRZ-2255] - Fixed a bug where requests submitted on profiles without a contactEmailPolicy could not be approved

  • [HRZ-3193] - Fixed a bug where CRL database sync would take place every 15 minutes instead of the configured time in the CA configuration

4. Known Defects

None

5. API modifications

  • [HRZ-3136] - Scheduled task manipulation is now done using the name field instead of the _id field. The name field is now mandatory