Enterprise Certificate Lifecycle Management




Serving all Certificate Use Cases


In an organisation multiple types of X.509 certificates are used for SSL/TLS, S/MIME, VPN, 802.1x, document signing and much more. Managing thousands of certificates and private keys from different CAs can only be handled efficiently by automating the certificate lifecycle processes at a maximum.




Digital Certificates in an Enterprise

More and more applications are using digital certificates for encryption, authentication or digital signatures. Dozens of certificate types for users, servers or devices with completely different characteristics have to be managed reliably and efficiently. Private decryption keys have to be archived carefully. Keys and certificates must be provisioned to the applications that will need them. A solution is needed that provides certificate lifecycle automation and convenient self-services for all types of certificates.

Challenges for Certificate Management

Lack of automation

Managing certificates manually based on Excel-sheets is time-consuming and error-prone. All lifecycle phases from enrollment to expiration have to be automated appropriately for all types of certificates.

Lost track

It is often unclear, which types of certificates and keys  exist and which CAs are used. Nobody knows, how many certificates are in use and by whom. Expiration of critical certificates is a nightmare.

Limited or monolithic tools

Tools for certificate management on the market are either limited to specific use cases like SSL/TLS or you can buy an expensive monolithic software. A modular tool platform is needed that serves for all certificate use cases and that integrates well with Active Directory & Intune.

Tied to one provider

Often contracts are settled with on CA provider who provides the tools to manage his certificates. When you want to change the CA, the complete certificate management infrastructure has to be set up from scratch and all processes have to be re-designed.

The SECARDEO solution

Complete certificate automation

Autoenrollment and -renewal using standard protocols as Microsoft WCCE, ACME, REST and SCEP. Automatic provisioning of private keys to user devices via MDM or mail. Automated publishing & retrieval of S/MIME certificates. Auto-revocation of changed or removed AD objects. Automated certificate discovery.

Multi-CA support & CA migration

You can connect with multiple CAs like public CAs, managed private CAs in the cloud like AWS or with your internal Microsoft CAs. Define and enhance AD certificate templates for different certificate types and processes. All certificates and archived private keys are managed in an on-premises database - not at your CA provider!

Microsoft infrastructure integration

The TOPKI components integrate well with your Active Directory and with MS Intune. AD users, groups, roles and permissions are used and also certificate templates. Integration with Intune is done using standard certificate connectors. Seamless management of all certificates from ADCS is possible.

Self-Services

With certLife a convenient self-service for server administrators or even ordinary users is provided. Here they can easily request, renew, recover or delegate certificates to other users or at last revoke own certificates. Group-sharing of certificates is also possible. Login is based on the AD credentials of the user.

Implementation

Secardeo TOPKI (Trusted Open PKI) is a PKI system platform for automated key distribution of X.509 certificates and private keys to all users and devices where they are required. For this, TOPKI provides components that serve for specific certificate lifecycle management tasks. The PKI software components of the TOPKI platform can be integrated with other PKI systems, Active Directory or Mobile Device Management systems. TOPKI enables a seamless adoption of managed PKI services. By this you can automatically request certificates from public or private CAs in the cloud. Or you can use open source CAs, for example to auto-enroll internal computer certificates. The TOPKI PKI products will also enhance your existing Microsoft PKI.

Proxy for the automatic registration of web server certificates using the standard ACME protocol. 

Certificate Directory Server for securely publishing internal S/MIME certificates and retrieving external certificates globally.

Certificate Enrollment Proxy for native Windows certificate autoenrollment from non-Microsoft CAs on-premise or in the Cloud.

EAS Proxy for retrieving recipient certificates from a global directory server to mobile devices for end-to-end S/MIME encryption.

Service for certificate lifecycle management, discovery, central autoenrollment, self-services, notifications and REST API. 

Key Recovery and Distribution service for provisioning user keys from a central key archive to mobile or MDM-managed devices.

Service for automatic revocation of orphaned certificates from AD objects by certEP or a Microsoft CA.

Service for the synchronization of Active Directory user certificates and CRLs with a certBox.

Resources

Share by: