# Certificate Connector | Category | SCEPman | Microsoft CA with PKCS | NDES with SCEP | | ------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Set-up Effort** |

< 30 minutes

3-step deployment procedure for core functionality

> 2 - 3 days

CDP\* design and implementation
Certificate Templates configuration
Configuration compatibility – GPOs, Service Accounts, Connector Versions, ...

> + 2 days

In addition to PKCS:

Additional server(s) for NDES
One NDES server for each type of certificate
Two additional Certificate Templates
Difficult to debug

| | **PKI Maintenance** |

Automatic health monitoring in Azure

CDP Monitoring
Monitoring of the Certificate Connector

In addition to PKCS:

Manual Enrolment Agent certificate renewal

| | **Server Maintenance** |

Automatic updates / patches

Operating system updates
Monitoring

In addition to PKCS:

Operating system updates and monitoring for at least one additional server

| |

Certificate Management
Issuance, renewal, revocation

Fully-automated enrolment and renewal
Fully-automated revocation
Manual revocation option

Fully-automated enrolment and renewal
Manual revocation (difficult to search the database)

| *Like PKCS.* | | **Availability** |

Singular Design

App Service SLA: > 99.95 % Uptime

Redundant Design

Traffic Manager SLA: > 99.99 % Uptime

Multiple failure modes:

Virtualization platform
Operating system
CDP webserver

Redundant Design

Standby CA server
Additional CDP webservers
Standby server for backup Certificate Connector

Like PKCS.

Redundant Design

Additional NDES servers

| | **Scalability** |

No autoscaling
Scaling requires CA cluster
Complex manual scaling

Like PKCS.

Further effort for duplicating NDES servers

| | **Backup** |

SCEPman is stateless for core functionality, i.e. no backup is required.
SCEPman Root CA is implicitly backed-up by Azure KeyVault (region-redundant).
Optional Storage Account can be backed-up automatically.

Regular CA database backups
CA key and configuration backup (high compliance and security requirements)

| *Like PKCS.* | | **Security** |

Designed based on Zero-Trust approach (cloud-native)
Use of state-of-the art authentication schemes
Automatic certificate revocation in real-time with OCSP (human error impossible)

Designed for on-premises use
Susceptible for "certifried attack"
Increased attack surface due to additional communication channel between CA (tier 0 asset) and the internet
Increased attack surface due to usage of on-premises and cloud accounts
Actuality of CRL depends on refresh interval
OCSP is based on CRL and not realtime

Like PKCS.

Requires inbound access to NDES (tier 0 asset)

| | **Flexibility** |

Use of standardized interfaces (SCEP, OCSP, REST)
Support of multiple MDM solutions

Only Intune is supported
Proprietary RPC interface allows auto-enrolment of certificates on legacy domain-joined clients

Support of multiple MDM solutions possible (additional NDES instance required)

| \*: CRL Distribution Point