certEP – Certificate autoenrollment from a non-Microsoft CA
The Secardeo certEP Certificate Enrollment Proxy supports manual certificate enrollment and certificate autoenrollment from a non-Microsoft CA. It does this with standard protocols and the native Windows tools, so no proprietary client software has to be distributed. (Auto-)enrollment of X.509 certificates can be performed for computers and users in a Windows domain and for network and mobile devices, against either an internal certificate authority or an external trust center. certEP offers a sound basis for a managed PKI (MPKI).
Trusted certificates, e.g. digital signature certificates, may be enrolled automatically from a public CA in compliance with that CA's certificate policy. This extends the PKI, and the security it provides, to communication with external parties. S/MIME certificates and private PKI keys may be distributed automatically and securely to mobile devices using Secardeo certPush. Secardeo certEP supports manual enrollment and autoenrollment of certificates from
Open Source PKI servers like EJBCA, OpenXPKI, DogTag, OpenSSL,
Commercial CA servers like Nexus, IBM z/OS, Microsoft ADCS, Red Hat,
Cloud CA services like AWS ACM-PCA, SwissSign, QuoVadis or HydrantID.
For the support of further CAs please ask us.
certEP offers you the following benefits:
Enroll certificates from a CA software or SaaS of your choice – independence from Microsoft CA
Isolation of CA server from production network – protect your PKI from advanced threats
Support for Microsoft PKI protocols – no PKI client software distribution
Use AD group policy mechanisms (GPO) – established configuration in Active Directory
High degree of CA automation – minimize PKI operational costs
Use established Managed PKI Services – perform PKI deployment within hours
Many CAs supported with customizable connectors – keep flexibility for a future migration to another CA
Local key archival and recovery by KRAs – keep full control and privacy for your private encryption keys
Autoenrollment gateway for a public CA – globally accepted S/MIME certificates for your users
Certificate Enrollment Proxy features
The certEP resides between the Windows clients and the external CA and acts as a Windows enterprise CA towards the Windows clients. The client is triggered automatically by group policy and generates a certificate request based on a certificate template in Active Directory. The certEP receives the request over the Windows enrollment protocols, processes and transforms it, and passes it on to the CA. In this way it acts as a PKI registration authority or PKI autoenrollment gateway. Certificate data and keys are stored in an SQL database.
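The paragraph above describes the client side of this flow only in outline. The following script is an added example, not certEP code, showing what a domain client actually consults when autoenrollment runs: the enrollment services published in the AD Configuration partition (a Windows client finds its enterprise CAs there, so this is where a proxy that acts as an enterprise CA must appear; that certEP is published this way is an assumption to verify against your own deployment), the templates whose flags request autoenrollment, the CAs in NTAuthCertificates, and the AEPolicy value the autoenrollment GPO writes locally. It runs on any domain-joined host with plain ADSI and needs no extra modules.

```powershell
# Added example (not certEP code): inspect what a domain client sees when
# autoenrollment runs. Assumption: the enrollment proxy is published as a
# pKIEnrollmentService object like a Windows enterprise CA would be.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.configurationNamingContext
$pksBase  = "CN=Public Key Services,CN=Services,$configNC"

# 1. Enrollment services: every enterprise CA (or proxy acting as one) that a
#    client may send a template-based request to, and the templates it offers.
$esSearcher = [ADSISearcher]"(objectClass=pKIEnrollmentService)"
$esSearcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pksBase"
$esSearcher.PropertiesToLoad.AddRange(@("cn", "dNSHostName", "certificateTemplates"))
$services = foreach ($r in $esSearcher.FindAll()) {
    [pscustomobject]@{
        CA        = [string]$r.Properties["cn"][0]
        Host      = [string]$r.Properties["dnshostname"][0]
        Templates = @($r.Properties["certificatetemplates"])
    }
}

# 2. Templates flagged for autoenrollment (CT_FLAG_AUTO_ENROLLMENT = 0x20 in
#    msPKI-Enrollment-Flag). Only these are requested without user action.
$CT_FLAG_AUTO_ENROLLMENT = 0x20
$tplSearcher = [ADSISearcher]"(objectClass=pKICertificateTemplate)"
$tplSearcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pksBase"
$tplSearcher.PropertiesToLoad.AddRange(@("cn", "msPKI-Enrollment-Flag"))
$autoTemplates = @(foreach ($r in $tplSearcher.FindAll()) {
    $flags = [int]$r.Properties["mspki-enrollment-flag"][0]
    if ($flags -band $CT_FLAG_AUTO_ENROLLMENT) { [string]$r.Properties["cn"][0] }
})

# 3. Cross the two: which autoenroll templates each enrollment service serves.
#    A template that is flagged but offered by no service never enrolls.
foreach ($svc in $services) {
    $offered = @($svc.Templates | Where-Object { $autoTemplates -contains $_ })
    "{0} ({1}) serves autoenroll templates: {2}" -f $svc.CA, $svc.Host, ($offered -join ", ")
}

# 4. NTAuthCertificates: CA certificates trusted for domain authentication
#    (smart card logon etc.). A CA missing here can issue, but its certificates
#    will not be accepted for AD logon.
$ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,$pksBase"
foreach ($der in $ntAuth.cACertificate) {
    $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    "NTAuth: {0}  {1}" -f $c.Thumbprint, $c.Subject
}

# 5. Local effect of the autoenrollment GPO. AEPolicy = 7 is what the GPO
#    writes with both options enabled (renew expired / update pending / remove
#    revoked, and update certificates that use templates); 0x8000 = disabled.
$aeKey = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
$ae = (Get-ItemProperty -Path $aeKey -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $ae)        { "Autoenrollment GPO not applied to this machine" }
elseif ($ae -band 0x8000) { "Autoenrollment disabled by policy (AEPolicy = 0x{0:X})" -f $ae }
else                      { "AEPolicy = 0x{0:X} (7 = enabled with renew/update/remove-revoked)" -f $ae }

# To run an autoenrollment pass now rather than waiting for logon, GPO refresh
# or the 8-hour autoenrollment timer:
# certutil -pulse
```

Run it as the user or computer whose enrollment you are debugging, since template ACLs (Enroll and Autoenroll permissions) are evaluated per principal and are not covered by the script; if a template is flagged and served but still never enrolls, check those permissions next.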
certEP will offer you the following features:
Seamless Active Directory PKI integration
Usage of standard or custom certificate templates
Using group policies (GPO) for certificate autoenrollment
Use commercial CA product, Open Source CA or CA SaaS
Support for multiple CAs with one certEP instance
Full support for Windows 7-10, no client software needed
Manual or auto enrollment of user certificates, machine and service certificates
Enrollment of trusted S/MIME certificates from a public CA with accepted certificate policy
Certificate auto enrollment for Network & Mobile Devices via SCEP
Web enrollment via IIS
HTTP enrollment for non-domain clients using CEP/CES
Cross-forest certificate enrollment
Certificate support for Windows, iOS, Android, Linux, web servers, etc.
Enables the integration with all major MDM systems
Automatically renew Windows certificates (auto-renewal)
Key archival locally or remotely secured by Key Recovery Agents
Optional approval of pending certificate requests
Automatic distribution of private encryption keys to Mobile Devices with certPush
Certificate event audit and alerting
Synchronization of revocation data to AD
Support of Hardware Security Modules (HSM)
Optional auto-revocation and auto-modification using certRevoke
certRevoke – Auto-revocation
Secardeo certRevoke is an automatic certificate revocation service for certEP or a Windows Enterprise CA (ADCS).
Digital certificates can be revoked before the end of their lifetime; the contained public key is then no longer accepted for encryption or authentication. To do this, the certificate is placed on a certificate revocation list (CRL) signed by the CA, or an online responder (OCSP) returns the status "revoked" for it. However, everyday events such as employee turnover or equipment replacement lead to situations where hundreds or thousands of still-valid certificates exist although the subject or object they name has disappeared. Another typical case is that attributes of an AD object change, for example the surname and e-mail address of a user after marriage, or the network addresses and names of a computer or server.
If an Active Directory object is modified or deleted, certRevoke sends a revocation request for all of its associated certificates to the CA. The object attributes and organizational units to be monitored are configurable. Revoking the outdated certificate is what lets group policy trigger automatic re-enrollment, for example after a name or address change. certRevoke supports auto-revocation for multiple Windows CAs or certEP instances.
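The two situations described above (the AD object is gone, or one of its monitored attributes has changed) can be reconciled by hand against an ADCS CA. The script below is an added example, not certRevoke code, that does once what the text describes the service doing continuously: it lists the unexpired certificates a CA has issued, looks the requester up in Active Directory, and revokes certificates whose requester no longer exists (CRLReason 5, cessationOfOperation) or whose embedded UPN no longer matches the account (CRLReason 3, affiliationChanged). It assumes certutil access to the CA database, the RSAT ActiveDirectory module, and a placeholder CA config string; run it with -WhatIf first.

```powershell
# Added example (not certRevoke code): one-shot reconciliation of issued
# certificates against Active Directory. Placeholder CA config below.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CAConfig = "ca01.corp.example\Corp Issuing CA"   # placeholder, replace
)

Import-Module ActiveDirectory

# Issued (Disposition=20) and not yet expired certificates. The first output
# line is certutil's header; it is skipped and fixed column names are applied so
# the script does not depend on certutil's localized display-name headers.
$issued = certutil -config $CAConfig -view -restrict "Disposition=20,NotAfter>=now" `
                   -out "SerialNumber,RequesterName,UPN" csv |
          Select-Object -Skip 1 |
          ConvertFrom-Csv -Header SerialNumber, Requester, UPN

function Revoke-Cert {
    param([string]$Serial, [int]$Reason, [string]$Why)
    if ($PSCmdlet.ShouldProcess("serial $Serial", "revoke, reason $Reason ($Why)")) {
        certutil -config $CAConfig -revoke $Serial $Reason | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "revoke failed for $Serial" }
    }
}

foreach ($row in $issued) {
    # RequesterName is DOMAIN\sAMAccountName for users and DOMAIN\host$ for
    # computers; trailing status lines from certutil have no requester and are skipped.
    $sam = ($row.Requester -split '\\')[-1]
    if (-not $sam) { continue }

    # Get-ADObject covers users and computers alike; a deleted object is not returned.
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'" -Properties userPrincipalName

    if (-not $obj) {
        # Case 1: the subject has disappeared (left the company, machine retired).
        Revoke-Cert -Serial $row.SerialNumber -Reason 5 -Why "$($row.Requester) no longer in AD"
        continue
    }

    # Case 2: a monitored attribute changed. Here the UPN in the certificate's
    # SAN is compared with the account's current UPN (empty for computer certs).
    if ($row.UPN -and $obj.userPrincipalName -and
        ($row.UPN -ne $obj.userPrincipalName)) {
        Revoke-Cert -Serial $row.SerialNumber -Reason 3 `
                    -Why "UPN $($row.UPN) now $($obj.userPrincipalName)"
    }
}

# Clients with the autoenrollment GPO (remove revoked / update certificates)
# drop the revoked certificate at their next autoenrollment pass and re-enroll
# against the current AD attributes; that is the re-enrollment the text refers to.
```

The comparison is deliberately limited to the UPN, which the CA database exposes as a column; matching other attributes (e-mail address, DNS name) means reading the SAN from the certificate itself, and which attributes count as "changed" is exactly the policy decision the monitored-attribute configuration above makes for you.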