Certificate Connector

Set-up Effort

< 30 minutes

• 3-step deployment procedure for core functionality

> 2 - 3 days

• CDP* design and implementation

• Certificate Templates configuration

• Configuration compatibility – GPOs, Service Accounts, Connector Versions, ...

> + 2 days

In addition to PKCS:

• Additional server(s) for NDES

• One NDES server for each type of certificate

• Two additional Certificate Templates

• Difficult to debug

PKI Maintenance

• Automatic health monitoring in Azure

• CDP Monitoring

• Monitoring of the Certificate Connector

In addition to PKCS:

• Manual Enrolment Agent certificate renewal

Server Maintenance

• Automatic updates / patches

• Operating system updates

• Monitoring

In addition to PKCS:

• Operating system updates and monitoring for at least one additional server

Certificate Management Issuance, renewal, revocation

• Fully-automated enrolment and renewal

• Fully-automated revocation

• Manual revocation option

• Fully-automated enrolment and renewal

• Manual revocation (difficult to search the database)

Like PKCS.

Availability

Singular Design

• App Service SLA: > 99.95 % Uptime

Redundant Design

• Traffic Manager SLA: > 99.99 % Uptime

Multiple failure modes:

• Virtualization platform

• Operating system

• CDP webserver

Redundant Design

• Standby CA server

• Additional CDP webservers

• Standby server for backup Certificate Connector

Like PKCS.

Redundant Design

• Additional NDES servers

Scalability

• Autoscaling or manual scaling with a few clicks

• Serve any number of clients with one SCEPman CA.

• No autoscaling

• Scaling requires CA cluster

• Complex manual scaling

Like PKCS.

• Further effort for duplicating NDES servers

Backup

• SCEPman is stateless for core functionality, i.e. no backup is required.

• SCEPman Root CA is implicitly backed-up by Azure KeyVault (region-redundant).

• Optional Storage Account can be backed-up automatically.

• Regular CA database backups

• CA key and configuration backup (high compliance and security requirements)

Like PKCS.

Security

• Designed based on Zero-Trust approach (cloud-native)

• Use of state-of-the art authentication schemes

• Automatic certificate revocation in real-time with OCSP (human error impossible)

• Designed for on-premises use

• Susceptible for "certifried attack"

• Increased attack surface due to additional communication channel between CA (tier 0 asset) and the internet

• Increased attack surface due to usage of on-premises and cloud accounts

• Actuality of CRL depends on refresh interval

• OCSP is based on CRL and not realtime

Like PKCS.

• Requires inbound access to NDES (tier 0 asset)

Flexibility

• Use of standardized interfaces (SCEP, OCSP, REST)

• Support of multiple MDM solutions

• Only Intune is supported

• Proprietary RPC interface allows auto-enrolment of certificates on legacy domain-joined clients

• Support of multiple MDM solutions possible (additional NDES instance required)