SSL/TLS Autoenrollment



Central ACME autoenrollment for servers, clients and Apple devices with internal CAs like ADCS or public CAs such as Let’s Encrypt.


Public Webservers

Provide trusted TLS certificates from a public CA to your external web servers automatically and centrally managed.



Apple Devices

Enroll ACME device certificates using Apple Device Attestation and MDM lookup for Intune. Provide higher security than SCEP!


Internal Servers & Clients

Auto-enroll Windows & Linux server or client certificates from an internal Microsoft CA or even from Let's Encrypt.



"Secardeo certACME automates the time-consuming enrollment and renewal of server certificates in an organization and helps to avoid downtimes."

Avoid downtime and lower costs!


  • Automatic certificate renewal prevents outages due to expired certificates.
  • Constantly decreasing lifetimes of server TLS certificates require frequent renewals.
  • Each manual certificate renewal incurs internal costs.


Support for common web servers and CAs.


  • Support for IIS, Apache, NGINX with ACME modules.
  • Supports F5 Big-IP server pools, Ansible and Kubernetes.
  • Interoperates with popular ACME clients like Certbot, acme.sh, win-acme.
  • Use of internal CAs such as ADCS, EJBCA, and OpenXPKI.
  • Connection to commercial CAs such as SwissSign, DigiCert, GlobalSign, or AWS.
  • Use of free ACME CAs such as Let's Encrypt or ZeroSSL.


Certificate enrollment secure & centralized.



  • ACME challenge validation via HTTP, DNS, TLS ALPN.
  • Apple Device Attestation and MDM Lookup for Intune.
  • Whitelisting for DNS or device-IDs.
  • ACME approval workflow.
  • Validation of central crypto policies.
  • External Account Binding & AD enroll permission.
  • Certificate management in a central database.
  • Auditable certificate management processes.


How it works

The lifetime of public TLS certificates, typically one year, is decreasing rapidly, making automated certificate management urgently necessary. The unavailability of web servers due to expired certificates can result in massive financial losses. The ACME (Automatic Certificate Management Environment) protocol is used to automate interactions between certification authorities and IT systems. It was originally developed for the free CA service Let's Encrypt. It can be used to issue domain-validated (DV) certificates.


Secardeo certACME is a proxy for automatically enrolling certificates for servers, clients, or Apple devices using the ACME protocol from private or public CAs. All certificates are stored in the central TOPKI certificate database. This ensures complete control over the certificates and auditable certificate management processes.


Public web servers can, in principle, be connected directly to a public CA via ACME. However, this reduces IT management control and auditability. Connecting via certACME eliminates this problem and further increases security through approval processes, whitelisting, or external account binding. Organization-validated (OV) certificates can also be issued automatically within the framework of an MPKI contract.


Internal servers or Linux clients, for example, can be easily connected to an existing Microsoft CA (ADCS) or open source CAs such as EJBCA, OpenXPKI, or Dogtag with certACME. The use of free CAs such as Let's Encrypt or ZeroSSL is also possible for internal systems with certACME, as is connection to commercial CAs such as SwissSign, GlobalSign, or AWS.


Apple devices managed by an MDM system such as Intune can also be provided with device certificates via certACME. Apple Device Attestation is used for this purpose, and the device's Secure Enclave can be used for highly secure key pair generation. The device status is also checked by retrieving it from the MDM system or a whitelist. This achieves a significantly higher level of security than was possible using the old SCEP protocol.


certACME integrates seamlessly as a Microsoft IIS web application and acts as an ACME server for ACME clients. certACME uses local or AD certificate templates. It validates certificate requests using an HTTP, DNS, or TLS-ALPN challenge and forwards the CSR to the connected public or private certification authority (CA); several backend CAs can be connected at once. Compliance with a defined crypto policy can be validated. Optionally, certACME extends a CSR with company attributes such as organization, country, and organizational unit. certACME stores all certificates in a local or central SQL database. certACME automatically sends configurable notifications to certificate managers and administrators.
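The challenge validation an ACME server such as certACME performs is fully specified by RFC 8555 and RFC 7638. The following added example (not code from the product) computes the account-key thumbprint, the key authorization an HTTP-01 responder must serve, the DNS-01 TXT value, and the server-side check of a fetched HTTP-01 body; the JWK coordinates and the token are illustrative sample values, not a real account key.

```python
import base64
import hashlib
import hmac
import json
import re

# Tokens are base64url text (RFC 8555 section 8.3); reject anything else
# before it is ever placed in a URL path or DNS label.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")  # 22 chars is roughly 128 bits

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required public
    members only, sorted by name, no whitespace. Extra members such as
    'alg' or 'kid' must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    kty = jwk.get("kty")
    if kty not in required:
        raise ValueError(f"unsupported kty: {kty!r}")
    canonical = json.dumps({k: jwk[k] for k in required[kty]},
                           sort_keys=True, separators=(",", ":"))
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key)."""
    if not _TOKEN_RE.match(token):
        raise ValueError("malformed challenge token")
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Expected TXT record at _acme-challenge.<domain> (RFC 8555 section 8.4)."""
    key_auth = key_authorization(token, account_jwk).encode("ascii")
    return _b64url(hashlib.sha256(key_auth).digest())

def validate_http01(served_body: bytes, token: str, account_jwk: dict) -> bool:
    """Check the body fetched from /.well-known/acme-challenge/<token>.
    Trailing whitespace is ignored as the RFC allows; the comparison is
    constant-time so a partially correct body leaks nothing via timing."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return hmac.compare_digest(served_body.rstrip(b" \t\r\n"), expected)

# Constructed sample account key (P-256 JWK) and challenge token for demonstration.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "alg": "ES256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
```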

Features

  • Acts as an ACME server for standard ACME clients
  • Supports common web servers, Kubernetes, Ansible and F5 Big-IP server pools
  • Validates a web server using an HTTP, DNS, or TLS-ALPN challenge
  • Forwards the CSR to a public or private CA
  • Optionally enhances the CSR with corporate attributes like Organization, Country, OU
  • Stores certificates in a local or central SQL database
  • Automatically sends configurable notifications to certificate managers and administrators
  • Multiple backend CAs
  • Multiple AD certificate templates with individual challenge configuration
  • Whitelist for authorization of domain names and device IDs
  • ACME acceptance by an approver in certLife
  • External Account Binding for authorization of a request through AD users and templates
  • ACME account management
  • Support for MS SQL, MySQL, SQLite
