Certificate Connector

Comparing Microsoft Certificate Connector for Intune / Active Directory Certificate Services (ADCS) and SCEPman in terms of deployment and operational efforts.

Last updated 1 month ago

Columns: Category | SCEPman | Microsoft CA with PKCS | NDES with SCEP

Set-up Effort
  • SCEPman
    • < 30 minutes (for core functionality)
    • 3-step deployment procedure
  • Microsoft CA with PKCS
    • > 2 - 3 days
    • CDP* design and implementation
    • Certificate Templates configuration
    • Configuration compatibility – GPOs, Service Accounts, Connector Versions, ...
  • NDES with SCEP
    • > + 2 days, in addition to PKCS:
    • Additional server(s) for NDES
    • One NDES server for each type of certificate
    • Two additional Certificate Templates
    • Difficult to debug

PKI Maintenance
  • SCEPman
    • Automatic health monitoring in Azure
  • Microsoft CA with PKCS
    • Monitoring of the Certificate Connector
    • CDP monitoring
  • NDES with SCEP
    • In addition to PKCS: manual Enrolment Agent certificate renewal

Server Maintenance
  • SCEPman
    • Automatic updates / patches
  • Microsoft CA with PKCS
    • Operating system updates
    • Monitoring
  • NDES with SCEP
    • In addition to PKCS: operating system updates and monitoring for at least one additional server

Certificate Management (issuance, renewal, revocation)
  • SCEPman
    • Fully-automated enrolment and renewal
    • Fully-automated revocation
    • Manual revocation option
  • Microsoft CA with PKCS
    • Fully-automated enrolment and renewal
    • Manual revocation (difficult to search the database)
  • NDES with SCEP
    • Like PKCS.

Availability
  • SCEPman
    • Singular design: App Service SLA > 99.95 % uptime
    • Redundant design: Traffic Manager SLA > 99.99 % uptime
  • Microsoft CA with PKCS
    • Multiple failure modes: virtualization platform, operating system, CDP webserver
    • Redundant design: standby CA server, additional CDP webservers, standby server for backup Certificate Connector
  • NDES with SCEP
    • Like PKCS.
    • Redundant design: additional NDES servers

Scalability
  • SCEPman
    • Autoscaling or manual scaling with a few clicks
    • Serve any number of clients with one SCEPman CA.
  • Microsoft CA with PKCS
    • Complex manual scaling
    • No autoscaling
    • Scaling requires a CA cluster
  • NDES with SCEP
    • Like PKCS.
    • Further effort for duplicating NDES servers

Backup
  • SCEPman
    • SCEPman is stateless for core functionality, i.e. no backup is required.
    • The SCEPman Root CA is implicitly backed up by Azure KeyVault (region-redundant).
    • The optional Storage Account can be backed up automatically.
  • Microsoft CA with PKCS
    • Regular CA database backups
    • CA key and configuration backup (high compliance and security requirements)
  • NDES with SCEP
    • Like PKCS.

Security
  • SCEPman
    • Designed on a Zero-Trust approach (cloud-native)
    • Use of state-of-the-art authentication schemes
    • Automatic certificate revocation in real time with OCSP (no room for human error)
  • Microsoft CA with PKCS
    • Designed for on-premises use
    • Susceptible to the "certifried attack"
    • Increased attack surface due to an additional communication channel between the CA (tier 0 asset) and the internet
    • Increased attack surface due to the use of both on-premises and cloud accounts
    • CRL freshness depends on the refresh interval
    • OCSP responses are derived from the CRL and are therefore not real-time
  • NDES with SCEP
    • Like PKCS.
    • Requires inbound access to NDES

Flexibility
  • SCEPman
    • Use of standardized interfaces (SCEP, OCSP, REST)
    • Support of multiple MDM solutions
  • Microsoft CA with PKCS
    • Only Intune is supported
    • Proprietary RPC interface allows auto-enrolment of certificates on legacy domain-joined clients
  • NDES with SCEP
    • Support of multiple MDM solutions possible (additional NDES instance required)

*: CRL Distribution Point