# Certificate Connector | Category | SCEPman | Microsoft CA with PKCS | NDES with SCEP | | ------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Set-up Effort** |

< 30 minutes

3-step deployment procedure for core functionality

> 2 - 3 days

CDP\* design and implementation
Certificate Templates configuration
Configuration compatibility – GPOs, Service Accounts, Connector Versions, ...

> + 2 days

In addition to PKCS:

Additional server(s) for NDES
One NDES server for each type of certificate
Two additional Certificate Templates
Difficult to debug

| | **PKI Maintenance** |

Automatic health monitoring in Azure

CDP Monitoring
Monitoring of the Certificate Connector

In addition to PKCS:

Manual Enrolment Agent certificate renewal

| | **Server Maintenance** |

Automatic updates / patches

Operating system updates
Monitoring

In addition to PKCS:

Operating system updates and monitoring for at least one additional server

| |

Certificate Management
Issuance, renewal, revocation

Fully-automated enrolment and renewal
Fully-automated revocation
Manual revocation option

Fully-automated enrolment and renewal
Manual revocation (difficult to search the database)

| *Like PKCS.* | | **Availability** |

Singular Design

App Service SLA: > 99.95 % Uptime

Redundant Design

Traffic Manager SLA: > 99.99 % Uptime

Multiple failure modes:

Virtualization platform
Operating system
CDP webserver

Redundant Design

Standby CA server
Additional CDP webservers
Standby server for backup Certificate Connector

Like PKCS.

Redundant Design

Additional NDES servers

| | **Scalability** |

No autoscaling
Scaling requires CA cluster
Complex manual scaling

Like PKCS.

Further effort for duplicating NDES servers

| | **Backup** |

SCEPman is stateless for core functionality, i.e. no backup is required.
SCEPman Root CA is implicitly backed-up by Azure KeyVault (region-redundant).
Optional Storage Account can be backed-up automatically.

Regular CA database backups
CA key and configuration backup (high compliance and security requirements)

| *Like PKCS.* | | **Security** |

Designed based on Zero-Trust approach (cloud-native)
Use of state-of-the art authentication schemes
Automatic certificate revocation in real-time with OCSP (human error impossible)

Designed for on-premises use
Susceptible for "certifried attack"
Increased attack surface due to additional communication channel between CA (tier 0 asset) and the internet
Increased attack surface due to usage of on-premises and cloud accounts
Actuality of CRL depends on refresh interval
OCSP is based on CRL and not realtime

Like PKCS.

Requires inbound access to NDES (tier 0 asset)

| | **Flexibility** |

Use of standardized interfaces (SCEP, OCSP, REST)
Support of multiple MDM solutions

Only Intune is supported
Proprietary RPC interface allows auto-enrolment of certificates on legacy domain-joined clients

Support of multiple MDM solutions possible (additional NDES instance required)

| \*: CRL Distribution Point --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.scepman.com/other/faqs/certificate-connector.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.