Certificate Connector

This page provides a comparison between SCEPman and the Microsoft Certificate Connector for Intune / Active Directory Certificate Services (ADCS).

Category
SCEPman
Microsoft CA with PKCS
NDES with SCEP
Set-up Effort
< 30 minutes
​3-step deployment procedure for core functionality
> 2 - 3 days
CDP* design and implementation
Certificate Templates configuration
Configuration compatibility – GPOs, Service Accounts, Connector Versions, ...
> + 2 days
In addition to PKCS:
Additional server(s) for NDES
One NDES server for each type of certificate
Two additional Certificate Templates
Difficult to debug
PKI Maintenance
​Automatic health monitoring in Azure​
​CDP Monitoring​
Monitoring of the Certificate Connector
In addition to PKCS:
Manual Enrolment Agent certificate renewal
Server Maintenance
​Automatic updates / patches​
Operating system updates
Monitoring
In addition to PKCS:
Operating system updates and monitoring for at least one additional server
Certificate Management
Issuance, renewal, revocation
Fully-automated enrolment and renewal
​Fully-automated revocation​
Manual revocation option
Fully-automated enrolment and renewal
Manual revocation (difficult to search the database)
Like PKCS.
Availability
Singular Design
App Service SLA: > 99.95 % Uptime
Redundant Design
Traffic Manager SLA: > 99.99 % Uptime
Multiple failure modes:
Virtualization platform
Operating system
CDP webserver
Redundant Design
Standby CA server
Additional CDP webservers
Standby server for backup Certificate Connector
Like PKCS.
Redundant Design
Additional NDES servers
Scalability
​Autoscaling or manual scaling with a few clicks​
​Serve any number of clients with one SCEPman CA.​
No autoscaling
Scaling requires CA cluster
​Complex manual scaling​
Like PKCS.
Further effort for duplicating NDES servers
Backup
SCEPman is stateless for core functionality, i.e. no backup is required.
SCEPman Root CA is implicitly backed-up by Azure KeyVault (region-redundant).
Optional Storage Account can be backed-up automatically.
Regular CA database backups
CA key and configuration backup (high compliance and security requirements)
Like PKCS.
Security
Designed based on Zero-Trust approach (cloud-native)
Use of state-of-the art authentication schemes
Automatic certificate revocation in real-time with OCSP (human error impossible)
Designed for on-premises use
Susceptible for "certifried attack"
Increased attack surface due to additional communication channel between CA (tier 0 asset) and the internet
Increased attack surface due to usage of on-premises and cloud accounts
Actuality of CRL depends on refresh interval
OCSP is based on CRL and not realtime
Like PKCS.
Requires inbound access to NDES (tier 0 asset)
Flexibility
Use of standardized interfaces (SCEP, OCSP, REST)
Support of multiple MDM solutions
Only Intune is supported
Proprietary RPC interface allows auto-enrolment of certificates on legacy domain-joined clients
Support of multiple MDM solutions possible (additional NDES instance required)
*: CRL Distribution Point

Category	SCEPman	Microsoft CA with PKCS	NDES with SCEP
Set-up Effort	< 30 minutes 3-step deployment procedure for core functionality	> 2 - 3 days CDP* design and implementation Certificate Templates configuration Configuration compatibility – GPOs, Service Accounts, Connector Versions, ...	> + 2 days In addition to PKCS: Additional server(s) for NDES One NDES server for each type of certificate Two additional Certificate Templates Difficult to debug
PKI Maintenance	Automatic health monitoring in Azure	CDP Monitoring Monitoring of the Certificate Connector	In addition to PKCS: Manual Enrolment Agent certificate renewal
Server Maintenance	Automatic updates / patches	Operating system updates Monitoring	In addition to PKCS: Operating system updates and monitoring for at least one additional server
Certificate Management Issuance, renewal, revocation	Fully-automated enrolment and renewal Fully-automated revocation Manual revocation option	Fully-automated enrolment and renewal Manual revocation (difficult to search the database)	Like PKCS.
Availability	Singular Design App Service SLA: > 99.95 % Uptime Redundant Design Traffic Manager SLA: > 99.99 % Uptime	Multiple failure modes: Virtualization platform Operating system CDP webserver Redundant Design Standby CA server Additional CDP webservers Standby server for backup Certificate Connector	Like PKCS. Redundant Design Additional NDES servers
Scalability	Autoscaling or manual scaling with a few clicks Serve any number of clients with one SCEPman CA.	No autoscaling Scaling requires CA cluster Complex manual scaling	Like PKCS. Further effort for duplicating NDES servers
Backup	SCEPman is stateless for core functionality, i.e. no backup is required. SCEPman Root CA is implicitly backed-up by Azure KeyVault (region-redundant). Optional Storage Account can be backed-up automatically.	Regular CA database backups CA key and configuration backup (high compliance and security requirements)	Like PKCS.
Security	Designed based on Zero-Trust approach (cloud-native) Use of state-of-the art authentication schemes Automatic certificate revocation in real-time with OCSP (human error impossible)	Designed for on-premises use Susceptible for "certifried attack" Increased attack surface due to additional communication channel between CA (tier 0 asset) and the internet Increased attack surface due to usage of on-premises and cloud accounts Actuality of CRL depends on refresh interval OCSP is based on CRL and not realtime	Like PKCS. Requires inbound access to NDES (tier 0 asset)
Flexibility	Use of standardized interfaces (SCEP, OCSP, REST) Support of multiple MDM solutions	Only Intune is supported Proprietary RPC interface allows auto-enrolment of certificates on legacy domain-joined clients	Support of multiple MDM solutions possible (additional NDES instance required)

Security & Privacy

Next - Other

Troubleshooting

Last modified 7mo ago