Certificate Connector

This page compares SCEPman and the Microsoft Certificate Connector for Intune / Active Directory Certificate Services (ADCS) in terms of deployment and operational efforts.

CategorySCEPmanMicrosoft CA with PKCSNDES with SCEP

Set-up Effort

< 30 minutes

> 2 - 3 days

  • CDP* design and implementation

  • Certificate Templates configuration

  • Configuration compatibility – GPOs, Service Accounts, Connector Versions, ...

> + 2 days

In addition to PKCS:

  • Additional server(s) for NDES

  • One NDES server for each type of certificate

  • Two additional Certificate Templates

  • Difficult to debug

PKI Maintenance

In addition to PKCS:

  • Manual Enrolment Agent certificate renewal

Server Maintenance

  • Operating system updates

  • Monitoring

In addition to PKCS:

  • Operating system updates and monitoring for at least one additional server

Certificate Management Issuance, renewal, revocation

  • Fully-automated enrolment and renewal

  • Manual revocation (difficult to search the database)

Like PKCS.


Singular Design

  • App Service SLA: > 99.95 % Uptime

Redundant Design

  • Traffic Manager SLA: > 99.99 % Uptime

Multiple failure modes:

  • Virtualization platform

  • Operating system

  • CDP webserver

Redundant Design

  • Standby CA server

  • Additional CDP webservers

  • Standby server for backup Certificate Connector

Like PKCS.

Redundant Design

  • Additional NDES servers


Like PKCS.

  • Further effort for duplicating NDES servers


  • SCEPman is stateless for core functionality, i.e. no backup is required.

  • SCEPman Root CA is implicitly backed-up by Azure KeyVault (region-redundant).

  • Optional Storage Account can be backed-up automatically.

  • Regular CA database backups

  • CA key and configuration backup (high compliance and security requirements)

Like PKCS.


  • Designed based on Zero-Trust approach (cloud-native)

  • Use of state-of-the art authentication schemes

  • Automatic certificate revocation in real-time with OCSP (human error impossible)

  • Designed for on-premises use

  • Susceptible for "certifried attack"

  • Increased attack surface due to additional communication channel between CA (tier 0 asset) and the internet

  • Increased attack surface due to usage of on-premises and cloud accounts

  • Actuality of CRL depends on refresh interval

  • OCSP is based on CRL and not realtime

Like PKCS.


  • Use of standardized interfaces (SCEP, OCSP, REST)

  • Support of multiple MDM solutions

  • Only Intune is supported

  • Proprietary RPC interface allows auto-enrolment of certificates on legacy domain-joined clients

  • Support of multiple MDM solutions possible (additional NDES instance required)

*: CRL Distribution Point

Last updated