You can compensate missing PKI expertise and limited resources by outsourcing central PKI tasks to a competent PKI SaaS provider like AWS ACM or SwissSign private MPKI. Appropriate connectors are required to use these cloud services from your IT infrastructure and internal tools will help to automate and govern the processes.
A managed PKI in the cloud is operated by established and audited service providers like official CAs or cloud providers like AWS. A CA hierachy will be set up individually for each customer consisting of a private root CA and one or more issuing CAs. Private keys and cryptographic operations are typically managed by a cloud HSM. Standard use cases cover internal SSL/TLS certificates and computer/device certificates.
The automation capabilities of managed CA providers are often limited to server enrollment via ACME. Enterprises will need further automation such as Windows autoenrollment, SCEP or even auto-revocation. For this, internal mechanisms are needed.
Private keys should never get under control of an external provider. They must be kept inside your systems. For the recovery of private decryption keys you need to store them in a local key archive that is under your sole control.
Managed CA providers offer web-based tools for the management of issued certificates. The focus is clearly on SSL/TLS certificates. Tools for managing user or computer certificates in Active Directory are completely missing.
Often contracts are settled with on CA provider who provides the tools to manage his certificates. When you want to change the CA, the complete certificate management infrastructure has to be set up from scratch and all processes have to be re-designed.
Autoenrollment and -renewal using standard protocols as Microsoft WCCE, ACME, REST and SCEP. Automatic provisioning of private keys to user devices via MDM or mail. Auto-revocation of changed or removed AD objects. Automated certificate discovery.
The TOPKI platform provides a central key archive in the TOPKI database. Private keys are encrypted using Key Recovery Agent (KRA) certificates. Only an authorized KRA inside the organization is able to recover private keys in case of loss or retired users.
The TOPKI components integrate well with your Active Directory and with MS Intune. AD users, groups, roles and permissions are used and also certificate templates. Integration with Intune is done using standard certificate connectors. Seamless management of all certificates of AD objects is possible.
You can connect with multiple CAs like public CAs, managed private CAs in the cloud like AWS or with your internal Microsoft CAs. Define and enhance AD certificate templates for different certificate types and processes. All certificates and archived private keys are managed in an on-premises database - not at your CA provider!
The Secardeo TOPKI platform provides connectors for public and private CAs in the cloud such as SwissSign, Digicert or AWS. All certificates and especially your private keys are kept in your on-premises database where you have full control on it. Native Windows autoenrollment can be used with these managed CAs for user and computer certificates using certEP. The Auto-revocation for orphaned certificates of AD objects is possible by using certRevoke. ACME can be used with advanced features of certACME for the automated enrollment of SSL/TLS server certificates. You can manage all these certificates centrally with certLife where you can also activate a self-service for users and administrators.
Certificate Enrollment Proxy for native Windows certificate autoenrollment from non-Microsoft CAs on-premise or in the Cloud.
Service for certificate lifecycle management, discovery, central autoenrollment, self-services, notifications and REST API.
© 2024 Secardeo GmbH.
All rights reserved.