Public Webservers
Provide trusted TLS certificates from a public CA to your external web servers, automatically enrolled and centrally managed.
Apple Devices
Enroll ACME device certificates using Apple Device Attestation and MDM lookup for Intune. Provide higher security than SCEP!
Internal Servers & Clients
Auto-enroll Windows & Linux server or client certificates from an internal Microsoft CA or even from Let's Encrypt.
"Secardeo certACME automates the time-consuming enrollment and renewal of server certificates in an organization and helps to avoid downtimes."
Certificate enrollment secure & centralized.
The lifetime of public TLS certificates, typically one year today, is decreasing rapidly, making automated certificate management urgently necessary. The unavailability of web servers due to expired certificates can result in massive financial losses. The ACME (Automatic Certificate Management Environment) protocol automates the interactions between certification authorities and IT systems. It was originally developed for the free CA service Let's Encrypt and is used to issue domain-validated (DV) certificates.
Secardeo certACME is a proxy for automatically enrolling certificates for servers, clients, or Apple devices using the ACME protocol from private or public CAs. All certificates are stored in the central TOPKI certificate database. This ensures complete control over the certificates and auditable certificate management processes.
Public web servers can, in principle, be connected directly to a public CA via ACME. However, this reduces IT management control and auditability. Connecting via certACME eliminates this problem and further increases security through approval processes, whitelisting, or external account binding. Organization-validated OV certificates can also be issued automatically within the framework of an MPKI contract.
Internal servers or Linux clients, for example, can be easily connected to an existing Microsoft CA (ADCS) or to open source CAs such as EJBCA, OpenXPKI, or Dogtag with certACME. Free CAs such as Let's Encrypt or ZeroSSL can also be used for internal systems via certACME, as can commercial CAs such as SwissSign, GlobalSign, or AWS.
Apple devices managed by an MDM system such as Intune can also be provided with device certificates via certACME. Apple Device Attestation is used for this purpose, and the device's Secure Enclave can be used for highly secure key pair generation. The device status is also checked by retrieving it from the MDM system or a whitelist. This achieves a significantly higher level of security than was possible using the old SCEP protocol.
certACME integrates seamlessly as a Microsoft IIS web application and acts as an ACME server for ACME clients. certACME uses local or AD certificate templates. It validates certificate requests using an HTTP, DNS, or TLS-ALPN challenge and forwards the CSR to the connected public or private certification authority (CA); multiple CAs can be connected at the same time. Compliance with a defined crypto policy can be validated. Optionally, certACME extends a CSR with company attributes such as organization, country, and organizational unit. certACME stores all certificates in a local or central SQL database and automatically sends configurable notifications to certificate managers and administrators.
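The ACME challenge validation described above (HTTP and DNS challenges binding a domain to the requesting account) follows RFC 8555. The following is an added, self-contained illustration of that part of the protocol, not code from Secardeo or certACME: it computes the key authorization from the challenge token and the account key's RFC 7638 thumbprint, derives the HTTP-01 body and DNS-01 TXT value, and checks a served response against them. The account key is the public RSA example JWK from RFC 7638, the token and the "served" responses are constructed strings, and the network fetch a real validator performs is left out.

```python
"""ACME (RFC 8555) challenge material and validation logic, reduced to the
pieces that can be run offline. Added example, not certACME code.
"""
import base64
import hashlib
import json
import re

# Constructed example account key: the public RSA JWK used as the example in
# RFC 7638. Only public members are present; no private key is involved.
EXAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": ("0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7"
          "aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXAr"
          "wl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0"
          "zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2N"
          "cRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"),
}

# RFC 8555 section 8.3: a token is base64url characters only and carries at
# least 128 bits of entropy (22 base64url characters encode 132 bits).
_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")


def b64url(data: bytes) -> str:
    """Base64url encoding without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def is_valid_token(token: str) -> bool:
    """Reject malformed tokens before they are used to build a URL path."""
    return _TOKEN_RE.fullmatch(token) is not None


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON (required public
    members only, keys sorted lexicographically, no whitespace)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token '.' thumbprint(accountKey).
    It ties the challenge response to one specific ACME account key."""
    if not is_valid_token(token):
        raise ValueError("token is not a well-formed ACME challenge token")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_expected_body(token: str, account_jwk: dict) -> str:
    """Body the host must serve at /.well-known/acme-challenge/<token>."""
    return key_authorization(token, account_jwk)


def dns01_expected_txt(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT value at _acme-challenge.<domain> is
    base64url(SHA-256(keyAuthorization))."""
    ka = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(ka).digest())


def validate_http01(token: str, account_jwk: dict, served_body: str) -> bool:
    """Validator side: compare the fetched body with the expected key
    authorization. Trailing whitespace is tolerated (RFC 8555 section 8.3)."""
    return served_body.rstrip() == http01_expected_body(token, account_jwk)


def validate_dns01(token: str, account_jwk: dict, txt_records) -> bool:
    """Validator side: at least one TXT record must carry the expected value.
    Quotes are stripped because resolvers often return TXT data quoted."""
    expected = dns01_expected_txt(token, account_jwk)
    return any(record.strip('"') == expected for record in txt_records)


if __name__ == "__main__":
    # Constructed token with the required length and alphabet.
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    body = http01_expected_body(token, EXAMPLE_ACCOUNT_JWK)
    print("HTTP-01 body:", body)
    print("DNS-01 TXT  :", dns01_expected_txt(token, EXAMPLE_ACCOUNT_JWK))
    print("valid       :", validate_http01(token, EXAMPLE_ACCOUNT_JWK, body + "\n"))
```

The point a proxy such as the one described above has to get right is the binding: the served value is only accepted if it was derived from the same account key that placed the order, so a response prepared for a different account does not validate, and a malformed token is rejected before it ever becomes part of a URL.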
© 2025 Secardeo GmbH.
All rights reserved.