The Secardeo certEP Certificate Enrollment Proxy supports manual certificate enrollment and certificate autoenrollment from a non-Microsoft CA. It does this using standard protocols and the native Windows tools, so no proprietary client software has to be distributed. (Auto-)enrollment of X.509 certificates can be performed for computers and users in a Windows domain and for network and mobile devices, using either an internal certificate authority or an external trust center. certEP offers a sound basis for a managed PKI (MPKI).
Publicly trusted certificates, e.g. digital signature certificates, may be enrolled automatically from a public CA in compliance with that CA's certificate policy, which significantly strengthens the PKI and its use for external communication. S/MIME certificates and private keys may be automatically and securely distributed to mobile devices using Secardeo certPush. Secardeo certEP supports manual and autoenrollment of certificates from
For the support of further CAs please ask us.
The Secardeo Certificate Enrollment Proxy certEP is available as a ready-to-start Amazon Machine Image (AMI) on the AWS Marketplace.
certEP sits between the Windows clients and the external CA and acts as a Windows enterprise CA towards the clients. The client is triggered by group policy and generates a certificate request based on a certificate template in Active Directory. certEP receives the request over the native Windows enrollment protocols, processes and transforms it, and passes it on to the CA. In this role it acts as a PKI registration authority or autoenrollment gateway. Certificate data and keys are stored in an SQL database.
certEP offers the following features:
Secardeo certRevoke is an automatic certificate revocation service for certEP or a Windows enterprise CA (ADCS).
Digital certificates can be revoked before the end of their lifetime; the contained public key is then no longer accepted for encryption or authentication. For this, the certificate is placed on a certificate revocation list (CRL) signed by the CA, or an online responder (OCSP) returns the status "revoked" for it. Common events such as employee turnover or equipment replacement, however, lead to situations in which hundreds or thousands of valid certificates still exist although the subject or object they were issued for has disappeared. Another typical scenario is that attributes of an AD object change, for example a user's surname and e-mail address after marriage, or the network addresses and names of a computer or server.
If an Active Directory object is modified or deleted, certRevoke sends a revocation request for all of its associated certificates to the CA. The object attributes and organizational units to be monitored are configurable. This in turn triggers automatic re-enrollment of the certificates through group policy, for example after name or address changes. certRevoke supports auto-revocation for multiple Windows CAs or certEP instances.
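The reconciliation described above, written out as an added example so the decision logic is visible. This is not Secardeo's code: the data model (certificates bound to an AD objectGUID with a snapshot of the monitored attributes taken at issuance), the configured OUs and attribute names, and the sample directory contents are all constructed here. The CRLReason codes are the standard values from RFC 5280 section 5.3.1; the real product reads Active Directory and submits the revocation requests to the CA, which this script only plans.

```python
from dataclasses import dataclass, field

# CRLReason codes from RFC 5280 section 5.3.1 (standard values)
AFFILIATION_CHANGED = 3      # subject's name/address attributes changed
CESSATION_OF_OPERATION = 5   # subject (user/computer object) no longer exists


@dataclass
class IssuedCert:
    serial: str
    object_guid: str                               # AD objectGUID bound at enrollment (assumed binding)
    snapshot: dict = field(default_factory=dict)   # monitored attributes as they were at issuance


@dataclass(frozen=True)
class RevokePolicy:
    monitored_ous: tuple     # lower-case DN suffixes that are in scope
    monitored_attrs: tuple   # attributes whose change triggers revocation


def in_scope(dn, policy):
    """True if the object's DN lies under one of the monitored OUs."""
    dn_l = dn.lower().replace(", ", ",")
    return any(dn_l.endswith(ou.lower()) for ou in policy.monitored_ous)


def plan_revocations(issued, directory, policy):
    """Compare each issued certificate against the current directory view.

    directory maps objectGUID -> current attribute dict (incl. distinguishedName);
    a GUID missing from it means the object was deleted.
    Returns a sorted list of (serial, reason_code, detail) to send to the CA.
    """
    actions = []
    for cert in issued:
        current = directory.get(cert.object_guid)
        # for deleted objects fall back to the DN recorded at issuance
        dn = (current or cert.snapshot).get("distinguishedName", "")
        if not in_scope(dn, policy):
            continue   # outside the configured OUs: leave the certificate alone
        if current is None:
            actions.append((cert.serial, CESSATION_OF_OPERATION, "AD object deleted"))
            continue
        changed = sorted(a for a in policy.monitored_attrs
                         if cert.snapshot.get(a) != current.get(a))
        if changed:
            actions.append((cert.serial, AFFILIATION_CHANGED,
                            "attribute change: " + ", ".join(changed)))
    return sorted(actions)


# --- constructed sample data (not real directory content) -------------------
POLICY = RevokePolicy(
    monitored_ous=("ou=staff,dc=example,dc=com", "ou=servers,dc=example,dc=com"),
    monitored_attrs=("sn", "mail", "dNSHostName"),
)

ISSUED = [
    IssuedCert("1001", "guid-alice", {"distinguishedName": "CN=Alice Mueller,OU=Staff,DC=example,DC=com",
                                      "sn": "Mueller", "mail": "alice.mueller@example.com"}),
    IssuedCert("1002", "guid-bob", {"distinguishedName": "CN=Bob Lee,OU=Staff,DC=example,DC=com",
                                    "sn": "Lee", "mail": "bob.lee@example.com"}),
    IssuedCert("1003", "guid-carol", {"distinguishedName": "CN=Carol Diaz,OU=Staff,DC=example,DC=com",
                                      "sn": "Diaz", "mail": "carol.diaz@example.com"}),
    IssuedCert("1004", "guid-dave", {"distinguishedName": "CN=Dave Ng,OU=Contractors,DC=example,DC=com",
                                     "sn": "Ng", "mail": "dave.ng@ext.example.com"}),
    IssuedCert("1005", "guid-web01", {"distinguishedName": "CN=WEB01,OU=Servers,DC=example,DC=com",
                                      "dNSHostName": "web01.example.com"}),
]

# current AD view: Alice married (sn/mail changed), Bob was deleted, Carol is
# unchanged, Dave changed but sits in an unmonitored OU, WEB01 was renamed
CURRENT_AD = {
    "guid-alice": {"distinguishedName": "CN=Alice Schmidt,OU=Staff,DC=example,DC=com",
                   "sn": "Schmidt", "mail": "alice.schmidt@example.com"},
    "guid-carol": {"distinguishedName": "CN=Carol Diaz,OU=Staff,DC=example,DC=com",
                   "sn": "Diaz", "mail": "carol.diaz@example.com"},
    "guid-dave": {"distinguishedName": "CN=Dave Ng,OU=Contractors,DC=example,DC=com",
                  "sn": "Ng", "mail": "dave.ng@contractor.example.com"},
    "guid-web01": {"distinguishedName": "CN=WEB01,OU=Servers,DC=example,DC=com",
                   "dNSHostName": "web01.corp.example.com"},
}


def demo():
    """Run the reconciliation over the constructed sample and return the plan."""
    return plan_revocations(ISSUED, CURRENT_AD, POLICY)


if __name__ == "__main__":
    for serial, reason, detail in demo():
        print(f"revoke serial {serial} reason={reason} ({detail})")
```

The certificate is keyed on the objectGUID rather than on the subject name, because the very attribute changes that should trigger revocation (surname, mail, host name) would otherwise break the link between certificate and object. Revocation only takes effect for relying parties that actually check the CRL or OCSP responder, so CRL publication intervals and OCSP availability matter as much as sending the request.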