Certificates for global End-to-End Encryption
Exchange S/MIME e-mails with anybody


Business damages caused by industrial espionage or business e-mail compromise (CEO fraud) can cost millions per incident. You must reduce these risks by signing and encrypting e-mails appropriately!
Global End-to-End Encryption

Standard applications like Outlook or iOS Mail provide seamless S/MIME end-to-end encryption directly on the user's device. Eavesdropping on a message protected by end-to-end encryption is not possible even for intelligence agencies. At the same time, a digital signature can prove the origin and authenticity of the message.

Alternative technologies such as secure e-mail gateways undermine end-to-end encryption, at the expense of security, because e-mails are decrypted and re-encrypted at the gateway along their route.

Challenges for End-to-End Encryption

Untrusted certificates

S/MIME certificates from an internal Microsoft CA will not be accepted by your partners, neither for encryption nor for validating digital signatures. This also leads to internal users rejecting secure e-mail.

No encryption on mobiles

A user's S/MIME certificate is often installed only on his desktop computer. He will not be able to decrypt and read incoming mails or send encrypted and signed e-mails on his mobile devices.

Manual enrollment

Manual enrollment and renewal of trusted S/MIME certificates from a public CA will dissatisfy users and will cost time and money.

Retrieval of recipient certificates

For encryption, the certificates of the recipients are needed. Acquiring and installing them manually is a barrier for most users.

The SECARDEO TOPKI Solution

Automation with public CA

Native Windows autoenrollment or central autoenrollment of S/MIME certificates from a public CA of your choice, with optional auto-revocation for retired users or changed addresses.

Mobile encryption

Secure automatic provisioning of S/MIME certificates and private keys to all MDM-managed or even unmanaged devices of a user.

Central key archival

Private user keys are securely archived and can be recovered for distribution to further devices or in case of key loss. The organisation is able to decrypt data even from retired users in order to comply with regulations.

Certificate publishing and retrieval

Secure publishing of your users' S/MIME certificates to your partners, and automatic discovery and retrieval of external recipient certificates for instant outbound encryption.

Implementation

Secardeo TOPKI provides software components that perform specific management tasks for S/MIME certificates in end-to-end encryption scenarios. TOPKI enables a seamless adoption of managed PKI services from public CAs in the cloud. The public S/MIME certificates can be enrolled using native Windows autoenrollment or a central autoenrollment service. Certificates and private keys can be distributed automatically and securely to all devices of a user, including managed or unmanaged mobile devices. The certificates of internal users can be published securely for inbound encryption by external partners. Recipient certificates are retrieved automatically for outbound encryption with standard apps like Outlook or native mobile mail apps.

Certificate Directory Server for securely publishing internal S/MIME certificates and retrieving external certificates globally.

Certificate Enrollment Proxy for native Windows certificate autoenrollment from non-Microsoft CAs on-premise or in the Cloud.

EAS Proxy for retrieving recipient certificates from a global directory server to mobile devices for end-to-end S/MIME encryption.

Service for certificate lifecycle management, discovery, central autoenrollment, self-services, notifications and a REST API.

Key Recovery and Distribution service for provisioning user keys from a central key archive to mobile or MDM-managed devices.

Service for automatic revocation of orphaned certificates from AD objects by certEP or a Microsoft CA.
