Release v 12.0.0-beta.1 (#538)

elinohlsson · Elin Fokine · web-flow · commit f95e1ff87f7f · 2026-01-30T16:55:38.000+01:00
* Update version number.

* Documented breaking changes from version 12.0.0.

* Update the docs about overriding X509KeyStorageFlags.

* Added documentation about overriding X509KeyStorageFlags when loading client certificate from key vault.

* Add links to documentation from release notes.

---------

Co-authored-by: Elin Fokine &lt;ElinO@activesolution.se&gt;
diff --git a/BREAKINGCHANGES.md b/BREAKINGCHANGES.md
@@ -7,6 +7,7 @@ ___Note:___ We might, and will probably, miss to document some of this - if so -
 
 ## TOC
 
+* [Version 12.0.0](#version-1200)
 * [Version 11.0.0](#version-1100)
 * [Version 10.0.0](#version-1000)
 * [Version 9.0.0](#version-900)
@@ -17,8 +18,31 @@ ___Note:___ We might, and will probably, miss to document some of this - if so -
 * [Version 5.0.0](#version-500)
 * [Version 4.0.0](#version-400)
 
----
+------
+
+## Version 12.0.0
+
+Breaking changes between version 11.0.0 and 12.0.0
+
+### Upgrade to .NET 10
+
+Active Login now requires **.NET 10**.
+
+If you are upgrading from an earlier version, you must update any application or website using Active Login to target .NET 10.
+
+### Embedded BankID certificates
 
+When loading embedded BankID certificates (client test certificate and root certificates for both test and production), we now use `X509KeyStorageFlags.DefaultKeySet` by default.
+
+If this change causes issues in your environment, you can override the `X509KeyStorageFlags` used for the client test certificate. See [the documention](https://docs.activelogin.net/articles/bankid.html#test-environment) for information about how it is done.
+
+### Loading client BankID certificate from Azure Key Vault
+
+When loading the client BankID certificate from Azure Key Vault, we now use `X509KeyStorageFlags.DefaultKeySet` by default.
+
+If this causes issues in your environment, it is possible to override the `X509KeyStorageFlags` used when loading the certificate. See [the documention](https://docs.activelogin.net/articles/bankid.html#using-client-certificate-from-azure-keyvault) for information about how it is done.
+
+---
 
 ## Version 11.0.0
 
@@ -110,7 +134,7 @@ We have renamed these things as a result of that:
 * `AddCustomAppCallback` becomes `AddCustomBrowser`
 * `AddCustomAppCallbackByUserAgent` becomes `AddCustomBrowserByUserAgent`
 
-### Upgrade to .NET 7
+### Upgrade to .NET 8
 
 We now require .NET 8 - so this requires you to upgrade your website that uses Active Login.
 
diff --git a/docs/articles/bankid.md b/docs/articles/bankid.md
@@ -216,8 +216,6 @@ This will use the real REST API for BankID, connecting to the Test environment.
 
 It will automatically register both the root and client certificate, even though this behaviour can be disabled. A scenario might be that you want to use the same flow for both test and prod and therefore make sure that fetching the certificate from KeyVault works by trying that out for test. It could also be useful if you are running an older version of Active Login which contains an expired version of the test certificate. You can then disable using the embedded, expired certificate and provide the valid test certificate yourself.
 
-BankId provides the client certificate for the test environment in three different versions FPTestcert5_20240610.p12, FPTestcert5_20240610.pem and FPTestcert5_20240610-legacy.pfx. Use `FPTestcert5_20240610.p12` for newer applications and environments that support modern encryption methods. Use `FPTestcert5_20240610.pem` if your application requires PEM format. Use `FPTestcert5_20240610-legacy.pfx ` for older applications requiring older algorithms such as Windows Server earlier versions than 2022. The format of the client certificate can be configured. By default `FPTestcert5_20240610-legacy.pfx `is used.
-
 ```csharp
 services
     .AddBankId(bankId =>
@@ -226,7 +224,7 @@ services
     });
 ```
 
-Disable adding the certificates:
+#### Disable adding the certificates
 
 ```csharp
 services
@@ -236,7 +234,9 @@ services
     });
 ```
 
-Specify client certificate format:
+#### Specify client certificate format
+
+BankId provides the client certificate for the test environment in three different versions FPTestcert5_20240610.p12, FPTestcert5_20240610.pem and FPTestcert5_20240610-legacy.pfx. Use `FPTestcert5_20240610.p12` for newer applications and environments that support modern encryption methods. Use `FPTestcert5_20240610.pem` if your application requires PEM format. Use `FPTestcert5_20240610-legacy.pfx ` for older applications requiring older algorithms such as Windows Server earlier versions than 2022. The format of the client certificate can be configured. By default `FPTestcert5_20240610-legacy.pfx `is used.
 
 ```csharp
 services
@@ -246,6 +246,23 @@ services
     });
 ```
 
+#### Override default X509KeyStorageFlags
+
+By default, `X509KeyStorageFlags.DefaultKeySet` is used when loading the embedded client certificate for the test environment.
+
+If this default does not work in your environment, it is possible to override the `X509KeyStorageFlags` used when loading the certificate. This allows you to configure certificate handling in a way that is compatible with your specific hosting or security requirements.
+
+```csharp
+services
+    .AddBankId(bankId =>
+    {
+        bankId.UseTestEnvironment(
+            keyStorageFlags: X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable
+        );
+    });
+```
+
+
 ### Production environment
 
 This will use the real REST API for BankID, connecting to the Production environment. It requires you to have the client certificates described under _Preparation_ above.
@@ -513,6 +530,19 @@ services.AddBankId(bankId =>
     });
 ```
 
+By default, `X509KeyStorageFlags.DefaultKeySet` is used when loding the client Certificate from Azure Key Vault.
+
+If this does not work in your environment, it is possible to override the `X509KeyStorageFlags` used when loading the certificate. This allows you to configure certificate handling in a way that is compatible with your specific hosting or security requirements.
+
+```csharp
+services.AddBankId(bankId =>
+    {
+        bankId
+            .UseProductionEnvironment()
+            .UseClientCertificateFromAzureKeyVault(configuration.GetSection("ActiveLogin:BankId:ClientCertificate"), X509KeyStorageFlags.EphemeralKeySet)
+            ...
+    });
+```
 
 ### Using client certificate from custom source
 
diff --git a/src/Directory.Build.props b/src/Directory.Build.props
@@ -14,15 +14,15 @@
 
         <PackageId>$(AssemblyName)</PackageId>
 
-        <VersionPrefix>11.1.3</VersionPrefix>
-        <!--<VersionSuffix>rc-1</VersionSuffix>-->
-        <AssemblyVersion>10.0.0.0</AssemblyVersion>
+        <VersionPrefix>12.0.0</VersionPrefix>
+        <VersionSuffix>beta.1</VersionSuffix>
+        <AssemblyVersion>12.0.0.0</AssemblyVersion>
         <FileVersion Condition="'$(BUILD_BUILDNUMBER)' == ''">$(VersionPrefix).0</FileVersion>
         <FileVersion Condition="'$(BUILD_BUILDNUMBER)' != ''">$(VersionPrefix).$(BUILD_BUILDNUMBER)</FileVersion>
 
         <Authors>Active Solution;Peter Örneholm;Elin Fokine;Tobias Lolax;Marcus Abrahamsson</Authors>
         <Company>Active Solution</Company>
-        <Copyright>Copyright © 2018-2024 Active Solution</Copyright>
+        <Copyright>Copyright © 2018-2026 Active Solution</Copyright>
 
         <PackageProjectUrl>https://github.com/ActiveLogin/ActiveLogin.Authentication</PackageProjectUrl>
         <PackageIcon>icon.png</PackageIcon>
