certEP


certEP – Certificate autoenrollment from a non-Microsoft CA

The Secardeo certEP Certificate Enrollment Proxy supports manual certificate enrollment and certificate autoenrollment from a non-Microsoft CA. This is done by using standard protocols and native tools without the need for distributing proprietary client software. (Auto-) enrollment of X.509 security certificates can be performed for computers and users in a Windows Domain and for network and mobile devices. This can be done using an internal certificate authority, or an external trust center. certEP offers a sound basis for a managed PKI (MPKI).

Trusted certificates, e.g. digital signature certificates, may be enrolled automatically from a public CA in compliance with that CA's certificate policy. This significantly increases PKI security and the use of the PKI for external communication. S/MIME certificates and private PKI keys may be automatically and securely distributed to mobile devices using Secardeo certPush. Secardeo certEP supports manual and autoenrollment of certificates from

  • Open Source PKI servers like EJBCA, OpenXPKI, DogTag, OpenSSL,
  • Commercial CA servers like Nexus, IBM z/OS, Microsoft ADCS, Red Hat,
  • Cloud CA services like AWS ACM-PCA, SwissSign, QuoVadis or HydrantID.

For the support of further CAs please ask us.

certEP offers you the following benefits:

  • Enroll certificates from a CA software or SaaS of your choice – independence from Microsoft CA
  • Isolation of CA server from production network – protect your PKI from advanced threats
  • Support for Microsoft PKI protocols – no PKI client software distribution
  • Use AD group policy mechanisms (GPO) – established configuration in Active Directory
  • High degree of CA automation – minimize PKI operational costs
  • Use established Managed PKI Services – perform PKI deployment within hours
  • Many CAs supported with customizable connectors – keep flexibility for a future migration to another CA
  • Local key archival and recovery by KRAs – keep full control and privacy for your private encryption keys
  • Autoenrollment gateway for a public CA – globally accepted S/MIME certificates for your users

Certificate Enrollment Proxy features

certEP resides between the Windows clients and the external CA and acts as a Windows enterprise CA towards the clients. A client is triggered automatically by group policy and generates a certificate request based on a certificate template in Active Directory. certEP receives the request over the Windows enrollment protocols, processes and transforms it, and then passes it on to the CA. In this way it acts as a PKI registration authority or PKI autoenrollment gateway. Certificate data and keys are stored reliably in an SQL database.

certEP will offer you the following features:

  • Seamless Active Directory PKI integration
  • Usage of standard or custom certificate templates
  • Using group policies (GPO) for certificate autoenrollment
  • Use commercial CA product, Open Source CA or CA SaaS
  • Support for multiple CAs with one certEP instance
  • Full support for Windows 7-10, no client software needed
  • Manual or autoenrollment of user, machine and service certificates
  • Enrollment of trusted S/MIME certificates from a public CA with accepted certificate policy
  • Certificate autoenrollment for network & mobile devices via SCEP
  • Web enrollment via IIS
  • HTTP enrollment for non-domain clients using CEP/CES
  • Cross-forest certificate enrollment
  • Certificate support for Windows, iOS, Android, Linux, web servers, etc.
  • Enables the integration with all major MDM systems
  • Automatically renew Windows certificates (auto-renewal)
  • Key archival locally or remotely secured by Key Recovery Agents
  • Optional approval of pending certificate requests
  • Automatic distribution of private encryption keys to Mobile Devices with certPush
  • Certificate event audit and alerting
  • Synchronization of revocation data to AD
  • Support of Hardware Security Modules (HSM)
  • Optional auto-revocation and auto-modification using certRevoke

certRevoke – Auto-revocation

Secardeo certRevoke is an automatic certificate revocation service for certEP or a Windows Enterprise CA (ADCS).

Digital certificates can be revoked before the end of their lifetime, after which the contained public key is no longer accepted for encryption or authentication. To do this, the certificate is placed on a certificate revocation list (CRL) signed by the CA, or an online responder (OCSP) returns the status “revoked” for it. However, common phenomena such as employee turnover or equipment replacement lead to situations where hundreds or thousands of valid certificates still exist although the subject or object they were issued to has disappeared. Another typical scenario is that attributes of an AD object change, for example a user's surname and e-mail address after marriage, or the network addresses and names of computers and servers.

If an Active Directory object is modified or deleted, certRevoke sends a revocation request for all of its associated certificates to the CA. The object attributes and organizational units that should be monitored can be configured. The revocation in turn triggers automatic re-enrollment of certificates through group policy, for example after name or address changes. certRevoke supports auto-revocation for multiple Windows CAs or certEP instances.
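How such an AD-change-driven revocation decision can be modelled, as an added illustration and not Secardeo's code: two snapshots of the monitored AD objects are compared, and every live certificate belonging to a deleted or modified object in a monitored OU is mapped to an RFC 5280 CRL reason code. The monitored attributes and OUs, the objectGUID linkage between certificate and object, and all sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass
# RFC 5280 CRLReason codes used for the two trigger kinds
AFFILIATION_CHANGED = 3     # a monitored attribute (name, mail, host name) changed
CESSATION_OF_OPERATION = 5  # the AD object was deleted
# Assumed configuration: the attributes and OUs the service is set to monitor
MONITORED_ATTRS = {"sn", "mail", "dNSHostName"}
MONITORED_OUS = {"OU=Users,DC=example,DC=com", "OU=Servers,DC=example,DC=com"}

@dataclass(frozen=True)
class IssuedCert:
    serial: str
    object_guid: str  # objectGUID of the AD object the certificate was enrolled for
    revoked: bool = False

def revocation_requests(before, after, inventory):
    """Compare two AD snapshots (objectGUID -> attribute dict; a GUID missing from
    `after` was deleted) and return (serial, CRLReason) for every live certificate
    of a deleted or changed object inside a monitored OU."""
    requests = []
    for guid, old in before.items():
        if not any(old["dn"].endswith("," + ou) for ou in MONITORED_OUS):
            continue  # object lives outside the monitored OUs
        new = after.get(guid)
        if new is None:
            reason = CESSATION_OF_OPERATION
        elif any(old.get(a) != new.get(a) for a in MONITORED_ATTRS):
            reason = AFFILIATION_CHANGED
        else:
            continue  # object present and unchanged in the watched attributes
        requests += [(c.serial, reason) for c in inventory
                     if c.object_guid == guid and not c.revoked]
    return requests

# Constructed sample data: a user renamed after marriage, a deleted user, an
# unchanged server, and a change inside an OU that is not monitored.
BEFORE = {
    "g-alice": {"dn": "CN=Alice,OU=Users,DC=example,DC=com", "sn": "Smith", "mail": "alice.smith@example.com"},
    "g-bob": {"dn": "CN=Bob,OU=Users,DC=example,DC=com", "sn": "Jones", "mail": "bob.jones@example.com"},
    "g-srv1": {"dn": "CN=SRV1,OU=Servers,DC=example,DC=com", "dNSHostName": "srv1.example.com"},
    "g-svc": {"dn": "CN=svc,OU=Service,DC=example,DC=com", "mail": "svc@example.com"},
}
AFTER = {
    "g-alice": {"dn": "CN=Alice,OU=Users,DC=example,DC=com", "sn": "Brown", "mail": "alice.brown@example.com"},
    "g-srv1": BEFORE["g-srv1"],
    "g-svc": {"dn": "CN=svc,OU=Service,DC=example,DC=com", "mail": "svc-new@example.com"},
}
INVENTORY = [IssuedCert("01", "g-alice"), IssuedCert("02", "g-alice", revoked=True),
             IssuedCert("03", "g-bob"), IssuedCert("04", "g-srv1"), IssuedCert("05", "g-svc")]

def demo():
    return revocation_requests(BEFORE, AFTER, INVENTORY)  # [('01', 3), ('03', 5)]
```

Alice's live certificate is flagged with affiliationChanged and Bob's with cessationOfOperation, while the already-revoked certificate, the unchanged server and the object outside the monitored OUs produce no request.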