Certificate Connector

This page compares SCEPman and the Microsoft Certificate Connector for Intune / Active Directory Certificate Services (ADCS) in terms of deployment and operational efforts.

Category	SCEPman	Microsoft CA with PKCS	NDES with SCEP
Set-up Effort	< 30 minutes 3-step deployment procedure for core functionality	> 2 - 3 days CDP* design and implementation Certificate Templates configuration Configuration compatibility – GPOs, Service Accounts, Connector Versions, ...	> + 2 days In addition to PKCS: Additional server(s) for NDES One NDES server for each type of certificate Two additional Certificate Templates Difficult to debug
PKI Maintenance	Automatic health monitoring in Azure	CDP Monitoring Monitoring of the Certificate Connector	In addition to PKCS: Manual Enrolment Agent certificate renewal
Server Maintenance	Automatic updates / patches	Operating system updates Monitoring	In addition to PKCS: Operating system updates and monitoring for at least one additional server
Certificate Management Issuance, renewal, revocation	Fully-automated enrolment and renewal Fully-automated revocation Manual revocation option	Fully-automated enrolment and renewal Manual revocation (difficult to search the database)	Like PKCS.
Availability	Singular Design App Service SLA: > 99.95 % Uptime Redundant Design Traffic Manager SLA: > 99.99 % Uptime	Multiple failure modes: Virtualization platform Operating system CDP webserver Redundant Design Standby CA server Additional CDP webservers Standby server for backup Certificate Connector	Like PKCS. Redundant Design Additional NDES servers
Scalability	Autoscaling or manual scaling with a few clicks Serve any number of clients with one SCEPman CA.	No autoscaling Scaling requires CA cluster Complex manual scaling	Like PKCS. Further effort for duplicating NDES servers
Backup	SCEPman is stateless for core functionality, i.e. no backup is required. SCEPman Root CA is implicitly backed-up by Azure KeyVault (region-redundant). Optional Storage Account can be backed-up automatically.	Regular CA database backups CA key and configuration backup (high compliance and security requirements)	Like PKCS.
Security	Designed based on Zero-Trust approach (cloud-native) Use of state-of-the art authentication schemes Automatic certificate revocation in real-time with OCSP (human error impossible)	Designed for on-premises use Susceptible for "certifried attack" Increased attack surface due to additional communication channel between CA (tier 0 asset) and the internet Increased attack surface due to usage of on-premises and cloud accounts Actuality of CRL depends on refresh interval OCSP is based on CRL and not realtime	Like PKCS. Requires inbound access to NDES (tier 0 asset)
Flexibility	Use of standardized interfaces (SCEP, OCSP, REST) Support of multiple MDM solutions	Only Intune is supported Proprietary RPC interface allows auto-enrolment of certificates on legacy domain-joined clients	Support of multiple MDM solutions possible (additional NDES instance required)

Category

SCEPman

Microsoft CA with PKCS

NDES with SCEP

Set-up Effort

< 30 minutes

3-step deployment procedure for core functionality

> 2 - 3 days

CDP* design and implementation
Certificate Templates configuration
Configuration compatibility – GPOs, Service Accounts, Connector Versions, ...

> + 2 days

In addition to PKCS:

Additional server(s) for NDES
One NDES server for each type of certificate
Two additional Certificate Templates
Difficult to debug

PKI Maintenance

Automatic health monitoring in Azure

CDP Monitoring
Monitoring of the Certificate Connector

In addition to PKCS:

Manual Enrolment Agent certificate renewal

Server Maintenance

Automatic updates / patches

Operating system updates
Monitoring

In addition to PKCS:

Operating system updates and monitoring for at least one additional server

Certificate Management Issuance, renewal, revocation

Fully-automated enrolment and renewal
Fully-automated revocation
Manual revocation option

Fully-automated enrolment and renewal
Manual revocation (difficult to search the database)

Like PKCS.

Availability

Singular Design

App Service SLA: > 99.95 % Uptime

Redundant Design

Traffic Manager SLA: > 99.99 % Uptime

Multiple failure modes:

Virtualization platform
Operating system
CDP webserver

Redundant Design

Standby CA server
Additional CDP webservers
Standby server for backup Certificate Connector

Like PKCS.

Redundant Design

Additional NDES servers

Scalability

No autoscaling
Scaling requires CA cluster
Complex manual scaling

Like PKCS.

Further effort for duplicating NDES servers

Backup

SCEPman is stateless for core functionality, i.e. no backup is required.
SCEPman Root CA is implicitly backed-up by Azure KeyVault (region-redundant).
Optional Storage Account can be backed-up automatically.

Regular CA database backups
CA key and configuration backup (high compliance and security requirements)

Like PKCS.

Security

Designed based on Zero-Trust approach (cloud-native)
Use of state-of-the art authentication schemes
Automatic certificate revocation in real-time with OCSP (human error impossible)

Designed for on-premises use
Susceptible for "certifried attack"
Increased attack surface due to additional communication channel between CA (tier 0 asset) and the internet
Increased attack surface due to usage of on-premises and cloud accounts
Actuality of CRL depends on refresh interval
OCSP is based on CRL and not realtime

Like PKCS.

Requires inbound access to NDES (tier 0 asset)

Flexibility

Use of standardized interfaces (SCEP, OCSP, REST)
Support of multiple MDM solutions

Only Intune is supported
Proprietary RPC interface allows auto-enrolment of certificates on legacy domain-joined clients

Support of multiple MDM solutions possible (additional NDES instance required)

*: CRL Distribution Point

PreviousSecurity & Privacy NextIntune implementing strong mapping for SCEP and PKCS certificates

Last updated 7 months ago