1. Managed private PKI

Outsourcing complex PKI Tasks

You can compensate for missing PKI expertise and limited resources by outsourcing central PKI tasks to a competent PKI SaaS provider such as AWS ACM or SwissSign private MPKI. Appropriate connectors are required to use these cloud services from your IT infrastructure, and internal tools will help to automate and govern the processes.

Managed PKI Services in the Cloud

A managed PKI in the cloud is operated by established and audited service providers such as official CAs or cloud providers such as AWS. A CA hierarchy is set up individually for each customer, consisting of a private root CA and one or more issuing CAs. Private keys and cryptographic operations are typically managed by a cloud HSM. Standard use cases cover internal SSL/TLS certificates and computer/device certificates.

Challenges for PKI SaaS

Sparse automation

The automation capabilities of managed CA providers are often limited to server enrollment via ACME. Enterprises will need further automation such as Windows autoenrollment, SCEP or even auto-revocation, and for this internal mechanisms are needed.

Keep private keys inside

Private keys should never come under the control of an external provider; they must be kept inside your own systems. To be able to recover private decryption keys, you need to store them in a local key archive that is under your sole control.

Limited management tools

Managed CA providers offer web-based tools for the management of issued certificates. The focus is clearly on SSL/TLS certificates. Tools for managing user or computer certificates in Active Directory are completely missing.

Locked to one provider

Contracts are often concluded with one CA provider, who also supplies the tools to manage its certificates. If you want to switch to another CA, the complete certificate management infrastructure has to be set up from scratch and all processes have to be redesigned.

The SECARDEO Solution

Complete certificate automation

Autoenrollment and auto-renewal using standard protocols such as Microsoft WCCE, ACME, REST and SCEP. Automatic provisioning of private keys to user devices via MDM or mail. Auto-revocation of certificates of changed or removed AD objects. Automated certificate discovery.

Central key archive

The TOPKI platform provides a central key archive in the TOPKI database. Private keys are encrypted using Key Recovery Agent (KRA) certificates. Only an authorized KRA inside the organization is able to recover private keys in case of loss or for retired users.
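The archive mechanism described above, as an added illustration that is not Secardeo's code and makes no claim about the TOPKI database format: the user's private key is sealed with a fresh AES-256-GCM data key, and that data key is wrapped with RSA-OAEP to the public key of the KRA certificate, so the archive can be populated at enrollment time but only the holder of the KRA private key can recover the stored key. The record layout (ArchivedKey) and the use of PKCS#1 DER for the archived key are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
)

// ArchivedKey is a constructed archive record: the user's private key sealed
// with a fresh AES-256-GCM data key, which is itself wrapped to the KRA's RSA key.
type ArchivedKey struct {
	WrappedDEK []byte // only the KRA private key can unwrap this
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Archive runs at enrollment time: the user key is encrypted before it is
// written to the database, so the archive never holds it in clear.
func Archive(kraPub *rsa.PublicKey, userKey *rsa.PrivateKey) (*ArchivedKey, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	gcm, err := newGCM(dek)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kraPub, dek, nil)
	if err != nil { return nil, err }
	ct := gcm.Seal(nil, nonce, x509.MarshalPKCS1PrivateKey(userKey), nil)
	return &ArchivedKey{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Recover runs on the KRA side only; a wrong KRA key already fails at OAEP.
func Recover(kraPriv *rsa.PrivateKey, a *ArchivedKey) (*rsa.PrivateKey, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, kraPriv, a.WrappedDEK, nil)
	if err != nil { return nil, err }
	gcm, err := newGCM(dek)
	if err != nil { return nil, err }
	plain, err := gcm.Open(nil, a.Nonce, a.Ciphertext, nil)
	if err != nil { return nil, err }
	return x509.ParsePKCS1PrivateKey(plain)
}
```

In a real deployment the KRA private key would live in an HSM or on a smart card held by the recovery agent, never in the same database as the archive.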

AD integrated management tools

The TOPKI components integrate well with your Active Directory and with MS Intune. AD users, groups, roles, permissions and certificate templates are reused. Integration with Intune is done using standard certificate connectors. Seamless management of all certificates of AD objects is possible.

Multi-CA support & CA migration

You can connect with multiple CAs such as public CAs, managed private CAs in the cloud (e.g. AWS) or your internal Microsoft CAs. Define and enhance AD certificate templates for different certificate types and processes. All certificates and archived private keys are managed in an on-premises database - not at your CA provider!

Implementation

The Secardeo TOPKI platform provides connectors for public and private CAs in the cloud such as SwissSign, DigiCert or AWS. All certificates and especially your private keys are kept in your on-premises database, where you have full control over them. Native Windows autoenrollment can be used with these managed CAs for user and computer certificates using certEP. Auto-revocation for orphaned certificates of AD objects is possible by using certRevoke. ACME can be used with the advanced features of certACME for the automated enrollment of SSL/TLS server certificates. You can manage all these certificates centrally with certLife, where you can also activate a self-service for users and administrators.

certACME: Proxy for the automatic registration of web server certificates using the standard ACME protocol.

certEP: Certificate Enrollment Proxy for native Windows certificate autoenrollment from non-Microsoft CAs on-premises or in the cloud.

certLife: Service for certificate lifecycle management, discovery, central autoenrollment, self-services, notifications and REST API.

certRevoke: Service for automatic revocation of orphaned certificates of AD objects issued by certEP or a Microsoft CA.
