OpenOTP Credential Provider 4.0.0 – Inline Enrollment, Client Cert / API key Requests & More!


Yoann Traut (RCDevs)

Aug 7, 2025, 12:49:26 PM
to RCDevs Security
Dear Community,

We’re excited to announce the release of OpenOTP Credential Provider 4.0.0, a major update that brings powerful new features and solid improvements to your Windows authentication experience.

Here’s what’s new and shiny:

🔐 Inline Enrollment Is Here (OpenOTP ≥ 2.2.27)
No more juggling steps or separate devices—users can now enroll their first token right from the Windows logon screen!
A slick webview will launch directly in the CP, connecting to the Self Registration WebADM app.

✅ Supports soft tokens, hardware tokens, YubiKeys, and FIDO keys—with only minor limitations.
Just make sure the “Send Self-Registration Links” option is enabled in WebADM, and you're good to go.

🧾 Client Certificate/API Key Generation – Now One Click Away (WebADM ≥ 2.4.7)
The MSI installer now includes “Generate” buttons for requesting client certificates or API keys.
Requests are sent directly for admin approval via WebADM. Simple, secure, and built-in.

🖥️ Better handling for RemoteApp reconnections
We’ve improved how the Credential Provider behaves when a user reconnects to a RemoteApp session that was disconnected but not logged off. This ensures a smoother and more reliable login experience in remote environments.

🛠️ Fixes & Enhancements

  • Fixed an issue where MSI change mode didn’t properly update selected/unselected features.

  • Resolved a rare but nasty bug where OpenOTP login would succeed, but Windows login would fail, causing endless retries.

  • The WebADM certificate authority is now automatically added to the Windows trusted root cert store.

🚀 Ready to take your Windows logins to the next level?
OpenOTP CP 4.0.0 makes it easier to roll out strong authentication across your organization. Setup is more straightforward, integration with WebADM is tighter, and users can get started with less friction—no more complicated first-time logins.

🎥 Enrollment walkthrough videos coming soon!

Download: https://www.rcdevs.com/downloads/download/?file=Plugins%2FOpenOTP_CredentialProvider-4.0.0.0-x64.zip
Documentation: https://docs.rcdevs.com/openotp-credential-provider-for-windows/

Andrew Peterson

Aug 18, 2025, 3:50:00 AM
to RCDevs Security
Hi,

OpenOTP Plugin for Windows Login 4.0.0.0-x64 (2025-08-11) MSI has a critical bug:

CA_FILE arg on command line does not end up setting Cert_WebadmCa MSI variable internally, which means headless install with ca file always fails with these errors:
Action start 15:23:14: InstallCertificates.
InstallCertificates: Error 0x8000ffff: Unexpected certificate type read from disk.
InstallCertificates: Error 0x8000ffff: Failed to read certificate from file path.
InstallCertificates: Error 0x8000ffff: Failed to resolve certificate: Cert_WebadmCa

GUI install works, because Cert_WebadmCa gets set to a correct pathname.

Run the installer with verbose logging and you'll see the issue - please do fix it.

Until then, please also make the 3.x versions available for download again.
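
A triage helper for the failure quoted above, as an added example that is not part of the original post and not RCDevs code: it pulls the InstallCertificates errors out of an installer verbose log and names the certificate id that failed to resolve. The function names are assumptions of this example, and the sample log is constructed from the error lines quoted in the post plus one invented line.

```python
import re

# Matches either an action start marker or an "<Action>: Error 0x........: " prefix.
EVENT = re.compile(
    r"Action start (?P<time>\d{1,2}:\d{2}:\d{2}): (?P<action>\w+)\."
    r"|(?P<src>\w+): Error (?P<code>0x[0-9A-Fa-f]{8}): "
)
RESOLVE_PREFIX = "Failed to resolve certificate: "

def decode_log(raw: bytes) -> str:
    """Verbose MSI logs are usually UTF-16 with a BOM; fall back to UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def cert_failures(text: str) -> list:
    """One record per InstallCertificates error, tagged with the action start time."""
    out, started = [], None
    for line in text.splitlines():
        hits = list(EVENT.finditer(line))
        for i, m in enumerate(hits):
            if m.group("action"):
                if m.group("action") == "InstallCertificates":
                    started = m.group("time")
                continue
            if m.group("src") != "InstallCertificates":
                continue
            # The message runs to the next marker on the line, or to end of line.
            end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
            out.append({"started": started, "code": m.group("code"),
                        "message": line[m.end():end].strip()})
    return out

def unresolved_cert_ids(failures: list) -> list:
    """Certificate ids the installer could not resolve (Cert_WebadmCa in the post)."""
    return sorted({f["message"][len(RESOLVE_PREFIX):] for f in failures
                   if f["message"].startswith(RESOLVE_PREFIX)})

# Constructed sample: first line invented, second built from the errors quoted in the post.
SAMPLE_LOG = (
    "Action start 15:23:13: InstallFiles.\r\n"
    "Action start 15:23:14: InstallCertificates. "
    "InstallCertificates: Error 0x8000ffff: Unexpected certificate type read from disk. "
    "InstallCertificates: Error 0x8000ffff: Failed to read certificate from file path. "
    "InstallCertificates: Error 0x8000ffff: Failed to resolve certificate: Cert_WebadmCa\r\n"
).encode("utf-16")

if __name__ == "__main__":
    failures = cert_failures(decode_log(SAMPLE_LOG))
    for f in failures:
        print(f["started"], f["code"], f["message"])
    print("unresolved:", unresolved_cert_ids(failures))
```

Feed `decode_log` the raw bytes of the log produced by a silent install; a non-empty result from `unresolved_cert_ids` means the CA certificate step did not complete.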

Yoann Traut (RCDevs)

Aug 18, 2025, 3:52:58 AM
to RCDevs Security
Hello, 

Thank you for the feedback. We reported the issue to our dev team and it will be fixed this week.
Version 3.0.15 is available for download at the following URL:

Regards

Yoann Traut (RCDevs)

Aug 20, 2025, 4:12:01 AM
to RCDevs Security

Hello,

The CA issue in silent installation has been fixed in CP 4.0.1.0.
Please note that UNC paths for the CA_FILE are not supported in this version. We will check with the development team about adding this support in a future release.

Yoann Traut (RCDevs)

Aug 20, 2025, 5:11:20 AM
to RCDevs Security
My bad, the UNC path is working for the CA_FILE in the 4.0.1 version.