
certEP – Certificate autoenrollment from a non-Microsoft CA

The Secardeo certEP Certificate Enrollment Proxy supports manual certificate enrollment and certificate autoenrollment from a non-Microsoft CA. (Auto-)enrollment of X.509 certificates can be performed for computers and users in a Windows domain and for network and mobile devices. This can be done using an internal certificate authority or an external trust center. certEP offers a sound basis for a managed PKI (MPKI).

Trusted certificates, e.g. digital signature certificates, may be enrolled automatically from a public CA in compliance with the CA's certificate policy. This significantly increases PKI security and the usability of the PKI for external communication. S/MIME certificates and private PKI keys may be automatically and securely distributed to mobile devices using Secardeo certMode and certPush. Secardeo certEP supports manual enrollment and autoenrollment of certificates from

  • open source PKI servers like EJBCA, OpenXPKI, DogTag, OpenSSL,
  • commercial CA servers like Nexus, IBM z/OS, Microsoft ADCS, Red Hat,
  • cloud CA services like SwissSign, QuoVadis, D-Trust or HydrantID.

For support of further CAs, please ask us.

certEP offers you the following benefits:

  • Enroll certificates from a CA software or SaaS of your choice – independence from Microsoft CA
  • Isolation of CA server from production network – protect your PKI from advanced threats
  • Support for Microsoft PKI protocols – no PKI client software distribution
  • Use AD group policy mechanisms (GPO) – established configuration in Active Directory
  • High degree of CA automation – minimize PKI operational costs
  • Use established Managed PKI Services – perform PKI deployment within hours
  • Many CAs supported with customizable connectors – keep flexibility for a future migration to another CA
  • Local key archival and recovery by KRAs – keep full control and privacy for your private encryption keys
  • Autoenrollment gateway for a public CA – globally accepted S/MIME certificates for your users

Certificate Enrollment Proxy features

certEP resides between the Windows clients and the external CA and acts as a Windows enterprise CA towards the Windows clients. A client is triggered automatically by group policy and generates a certificate request based on a certificate template in Active Directory. certEP receives the certificate requests over the Windows enrollment protocols, processes and transforms them, and then passes them on to the CA. In this way it acts as a PKI registration authority or PKI autoenrollment gateway. Certificate data and keys are stored reliably in an SQL database.

certEP offers you the following features:

  • Seamless Active Directory PKI integration
  • Usage of standard or custom certificate templates
  • Using group policies (GPO) for certificate autoenrollment
  • Use a commercial CA product, an open source CA or a CA SaaS
  • Support for multiple CAs with one certEP instance
  • Full support for Windows 7-10, no client software needed
  • Manual or auto-enrollment of user, machine and service certificates
  • Enrollment of trusted S/MIME certificates from a public CA with an accepted certificate policy
  • Certificate auto-enrollment for network and mobile devices via SCEP
  • Web enrollment via IIS
  • HTTP enrollment for non-domain clients using CEP/CES
  • Cross-forest certificate enrollment
  • Certificate support for Windows, iOS, Android, Linux, web servers, etc.
  • Enables the integration with all major MDM systems
  • Automatic renewal of Windows certificates (auto-renewal)
  • Key archival locally or remotely secured by Key Recovery Agents
  • Optional approval of pending certificate requests
  • Automatic distribution of private encryption keys to mobile devices with certMode/certPush
  • Certificate event audit and alerting
  • Synchronization of revocation data to AD
  • Support of Hardware Security Modules (HSM)
  • Optional auto-revocation and auto-modification using certRevoke

certPush – Key recovery and certificate distribution

Secardeo certPush is an extension for certEP or a Microsoft CA. With certPush, X.509 user certificates and PKI private keys can be recovered using the standard Microsoft key recovery mechanisms and securely distributed to all devices of a user in a protected PFX (.P12) container. Certificate distribution can be done automatically via secure e-mail, e.g. for unmanaged devices, or via an MDM system for managed devices. The user certificates or S/MIME certificates may stem from an internal Microsoft CA or, using certEP, from a public CA like SwissSign or QuoVadis. A user can then, for example, encrypt and decrypt e-mails on a smartphone.

certPush supports the recovery of single private keys as well as batch recoveries of the private keys of multiple users. Secardeo certPush can recover either only the current certificate and private key of a user or the whole key history into a .P12 container. certPush enables automated user certificate distribution to mobile devices in an enterprise running iOS, Android or Windows Phone.

For automatically distributing certificates to managed iOS devices with high security and end-to-end encrypted key containers, the Secardeo certMode MDM proxy can be used in addition. certPush then serves as a secure key recovery service.

certRevoke – Auto-revocation

Secardeo certRevoke is an automatic certificate revocation service for certEP or a Windows enterprise CA. If an Active Directory object is modified or deleted, certRevoke sends a revocation request for all of its associated certificates to the CA. The object attributes and organizational units that should be monitored can be configured. Because the revoked certificates are no longer valid, group policy then triggers automatic re-enrollment, for example in case of name or address changes.